🖥️ A Guide to Web Attack Incident Handling

1. DOS and DDOS

Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks are among the most frightening attacks for modern enterprises.

Denial-of-service (DoS)

A denial-of-service (DoS) attack is designed to shut down a system or network, rendering its resources unavailable to its users. DoS attacks do this by flooding the target with traffic until it fails. In this scenario, the DoS attack prevents legitimate users (staff, members, or account holders) from accessing the service or resource.

Distributed denial-of-service (DDoS)

Distributed denial-of-service (DDoS) attacks have the same objective as DoS attacks, but they are launched from a larger number of devices and have a more significant impact.

                | DoS | DDoS
Attack Name     | Denial of Service | Distributed Denial of Service
Launched By     | 1 computer | More than 1 computer
Cause of Attack | Service is disrupted as UDP and TCP packets overload the capabilities of the server. | Service is disrupted as UDP and TCP packets overload the capabilities of the server.
Magnitude       | Medium | High
Goals           | To render the server unavailable by blocking access to the website or whatever is hosted on the server. | To render the server unavailable by blocking access to the website or whatever is hosted on the server.


2. SQL Injection

SQL is a standardized programming language for accessing and manipulating databases to create user-specific representations of data. SQL queries are used to carry out tasks such as data collection, modifications, and information removal.

Example of SQL injection

You can detect an attack from the presence of the following payloads in the URL: ' or 1=1;-- , " or 1=1;-- , or any condition in which a value is compared with itself.

Such payloads produce conditions that are always true and manipulate the database logic. Following the quote character, the rest of the string is the query the attacker sent to the database, for example: ' or abc=abc; drop table notes; -- .

3. Cross-Site Scripting (XSS)

Cross-site scripting, also known as XSS, is an attack that uses a client-side scripting language such as JavaScript to exploit vulnerabilities in web applications.

An XSS attack is a type of injection attack in which malicious code is injected into otherwise trusted websites. The attacker exploits a vulnerability in the targeted web application to deliver malicious code, most commonly JavaScript, to an end user.

4. Command Injection

Command injection, also known as OS command injection, is a web attack that allows unauthorized operating system commands to be executed. A command injection occurs when a web application passes unsanitized, unfiltered user input into system commands.

The attacker usually injects the commands by abusing a vulnerability in the application, such as a lack of input validation. Because the input is not validated, the attacker can insert commands of their own into it.

Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.

5. Local File Inclusion (LFI)

  1. The attacker discovers a web application with insufficient filtering or validation of user browser input.
  2. The attacker changes the URL string using the "../" directive to confirm that path traversal is possible.
  3. The attacker uploads a malicious .php file to the host server through a backdoor and attempts to locate the script using the same method as in the previous step.
  4. The request is improperly verified, allowing the attacker to launch the malicious script on the host application.

Conclusion

Name of the Attack | How to detect
DoS and DDoS | 1. Logs show a huge spike in traffic, e.g., 10,000 HTTP requests in 5 seconds from one IP address. 2. The server responds with a 503 HTTP error stating that the service is unavailable and the server cannot handle the request.
SQL Injection | Look for any value that equals itself in the URL, e.g., OR 1=1, OR '1'='1
Error-based SQLi | Look for any value that equals itself, or a true statement combined with AND, in the URL, e.g., AND 2>1, AND 1=1
Union-based SQLi | Look for the following keywords in the URL: UNION, UNION SELECT, UNION ALL SELECT
Blind SQLi | Look for time-based SQL functions in the URL, such as waitfor, delay, sleep, benchmark, etc.
Cross-Site Scripting | Look in the URL for terms such as "script" and "javascript" combined with additional JavaScript characters.
Command Injection | Look for the following commands in the URL. Linux: whoami, uname -a, ifconfig, netstat, ps -ef. Windows: whoami, ver, ipconfig /all, netstat -an, or tasklist.
Local File Inclusion (LFI) | Look for the following files in the URI: /etc/issue, /etc/passwd, /etc/shadow, /etc/group, /etc/hosts, passwd, or boot.ini
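As an added example (not from the original guide), the Python script below turns the detection table into a small scanner for Apache-style combined access logs: one regular expression per table row is applied to the URL-decoded request, and a per-IP request-rate check covers the DoS row. The log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines (not from a real system); 10.0.0.99 is a request burst.
SAMPLE_LOGS = [
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /login.php?user=admin%27+OR+1%3D1--&pw=x HTTP/1.1" 200 77',
    '10.0.0.8 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=1+UNION+ALL+SELECT+1,2,3 HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /item.php?id=1+AND+sleep(5) HTTP/1.1" 200 12',
    '10.0.0.10 - - [01/Jan/2024:10:00:03 +0000] "GET /s.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 9',
    '10.0.0.11 - - [01/Jan/2024:10:00:04 +0000] "GET /ping.php?host=127.0.0.1%3Bwhoami HTTP/1.1" 200 12',
    '10.0.0.12 - - [01/Jan/2024:10:00:04 +0000] "GET /page.php?file=..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 0',
] + [f'10.0.0.99 - - [01/Jan/2024:10:00:0{5 + i % 2} +0000] "GET / HTTP/1.1" 200 1' for i in range(12)]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+)')  # ip, timestamp, request path

# One regex per row of the detection table, applied to the URL-decoded request path and query.
RULES = {
    "SQL Injection": re.compile(r"\b(?:OR|AND)\s+'?(\w+)'?\s*=\s*'?\1'?\b", re.I),  # X=X tautology
    "Error based SQLi": re.compile(r"\bAND\s+\d+\s*[<>=]+\s*\d+", re.I),
    "Union Based SQLi": re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I),
    "Blind SQLi": re.compile(r"\b(?:waitfor|delay|sleep|benchmark)\b", re.I),
    "Cross-Site Scripting": re.compile(r"<\s*script|javascript:", re.I),
    "Command Injection": re.compile(r"[;|&`]\s*(?:whoami|uname|ifconfig|ipconfig|netstat|ps|ver|tasklist)\b", re.I),
    "Local File Inclusion": re.compile(r"\.\./|/etc/(?:issue|passwd|shadow|group|hosts)\b|boot\.ini", re.I),
}

def parse(line):
    m = LOG_RE.match(line)
    return (m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), unquote_plus(m["url"])) if m else None

def classify(line):
    # Names of every table row whose signature occurs in the request; [] means nothing matched.
    parsed = parse(line)
    return [name for name, rx in RULES.items() if rx.search(parsed[2])] if parsed else []

def rate_spikes(lines, threshold, window_seconds):
    # The DoS rule: flag any IP that sent at least `threshold` requests within `window_seconds`.
    times = defaultdict(list)
    for parsed in filter(None, map(parse, lines)):
        times[parsed[0]].append(parsed[1])
    flagged = set()
    for ip, ts in times.items():
        ts.sort()
        for i in range(len(ts) - threshold + 1):
            if (ts[i + threshold - 1] - ts[i]).total_seconds() <= window_seconds:
                flagged.add(ip)
                break
    return sorted(flagged)
```

Run `classify` over each line and `rate_spikes(SAMPLE_LOGS, 10, 5)` over the whole file; the thresholds should be tuned to the site's normal traffic, since the table's 10,000 requests in 5 seconds is only an illustration.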

