
Why Target the Application Layer?

Why the application layer protocol is a juicy target for hackers looking to intercept communications between systems.

by Mike Milner · Feb. 15, 17 · Opinion

When most of us think of applications, we think of the various programs we have downloaded to our smartphones. We interact with these programs and make requests of them to perform whatever function we need. These requests often, if not always, require the application to communicate with another application through an API (Application Program Interface). For the most part, we don't think about the protocols needed to make this communication possible, unless something goes wrong. Communication between applications takes place across an IP network and is typically described using the OSI (Open Systems Interconnection) model, which defines standardized steps that occur at seven distinct layers. The seventh layer, and the only layer that users interact with directly, is the application layer.

For one application to communicate with another application, computer, or data source, the request travels through seven layers of protocols:

7: Application Layer
6: Presentation Layer
5: Session Layer
4: Transport Layer
3: Network Layer
2: Data Link Layer
1: Physical Layer

Each layer performs a function that enables the next layer to perform its function. Once the request reaches the physical layer and is transmitted, it travels back up the stack on the receiving system, through the same layers, to that system's application layer, which then responds to the original application.

What makes the application layer so valuable to users is the information it accesses. If you go onto your mobile banking application and provide your username and password, you expect to be able to view your balance, transfer funds, deposit money, and more. In order to do this, the application on your phone needs to communicate with and receive data that is stored by your bank. The information stored by your bank travels through the seven layers, from the physical layer to the application layer, making it consumable and transferable to you on your personal device. If your banking app could only give you a static view of your balance, it would still be a little useful, but not as valuable to you as it is with all of the other information and actions it provides. The application layer facilitates the free exchange of information between the user and some other entity.

While this exchange of information is what makes the application layer so valuable to users, it is also what makes it a target for hackers. Finding and exploiting vulnerable code at the application layer means that hackers can access, or redirect to themselves, the information the legitimate user requested. This is done through common, yet prolific, vulnerabilities such as Cross-Site Scripting or SQL Injection, or through completely unknown zero-day vulnerabilities. In addition to attacking the application layer via vulnerable code, hackers might also launch account takeover attacks using stolen user credentials, brute force attacks, or session farming techniques to steal data.

By design, the application layer has privileged access to information. By compromising an application, hackers have a direct route to the bounty they are seeking: information in a consumable format, which explains why so many attacks are carried out at this level. To protect this sensitive information, it is important to have security infrastructure embedded within the application that can detect and block such attacks in real time, as they occur. To learn more about building a comprehensive application security program, check out this eBook: You've Been Hacked: Why Web Application Security Should Start with RASP.

Published at DZone with permission of Mike Milner, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.