Why Target the Application Layer?

When most of us think of applications, we think of the various programs we have downloaded to our smartphones. We interact and make requests of these programs to perform whatever function we need. These requests often, if not always, require the application to communicate with another 
application through an API (Application Program Interface). For the most part, we don’t think about the protocols needed to make this communication possible, unless something goes wrong. Communication between applications takes place across an IP network, typically using an OSI (Open Systems Interconnection) model, which provides standardized steps that occur at seven distinct layers. The seventh layer, and only layer that users interact with, is the application layer.

For one application to communicate with another application, computer, or data source, the request travels through seven layers of protocols:

7: Application Layer
6: Presentation Layer
5: Session Layer
4: Transport Layer
3: Network Layer
2: Data Link Layer
1: Physical Layer

Each layer performs a function that enables the next layer to perform its function. Once at the physical layer, the request or information is transmitted back up the stack through the same protocols to its own application layer to be communicated with the original application.

What makes the application layer so valuable to users is the information it accesses. If you go onto your mobile banking application and provide your username and password, you expect to be able to view your balance, transfer funds, deposit money, and more. In order to do this, the application on your phone needs to communicate with and receive data that is stored by your bank. The information stored by your bank travels through the seven layers, from the physical layer to the application layer, making it consumable and transferable to you on your personal device. If your banking app could only give you a static view of your balance, it would still be a little useful, but not as valuable to you as it is with all of the other information and actions it provides. The application layer facilitates the free exchange of information between the user and some other entity.

While this exchange of information is what makes the application layer so valuable to users, it is also what makes it a target to hackers. Finding and exploiting vulnerable code at the application layer means that hackers can easily access or redirect the information the legitimate user requests to themselves. This is done through common, yet prolific, vulnerabilities such as Cross-Site Scripting or SQL Injection, or completely unknown zero-day vulnerabilities. In addition to hacking the application layer via vulnerable code, hackers might also launch account takeover attacks using stolen user credentials, brute force attacks, or session farming techniques to steal data.

By design, the application layer has privileged access to information. By compromising an application, hackers have a direct route to the bounty they are seeking: information in a consumable format, which explains why so many attacks are carried out at this level. In order to protect this sensitive information, it is important to have security infrastructure embedded within the application that can detect and block such attacks in real time when they occur. To learn more about building a comprehensive application security program, check out this eBook: You've Been Hacked: Why Web Application Security Should Start with RASP.