
Why Target the Application Layer?


Why the application layer protocol is a juicy target for hackers looking to intercept communications between systems.


When most of us think of applications, we think of the various programs we have downloaded to our smartphones. We interact with and make requests of these programs to perform whatever function we need. These requests often, if not always, require the application to communicate with another application through an API (Application Programming Interface). For the most part, we don't think about the protocols needed to make this communication possible unless something goes wrong. Communication between applications takes place across an IP network, and the steps involved are conventionally described by the OSI (Open Systems Interconnection) reference model, which divides them into seven distinct layers. The seventh layer, and the only one users interact with directly, is the application layer.

For one application to communicate with another application, computer, or data source, the request travels through seven layers of protocols:

7: Application Layer
6: Presentation Layer
5: Session Layer
4: Transport Layer
3: Network Layer
2: Data Link Layer
1: Physical Layer

Each layer performs a function that enables the next layer to perform its function. Once the request reaches the physical layer and crosses the network, it travels back up the stack on the receiving system through the same layers to that system's application layer, which handles it and returns a response to the originating application.

What makes the application layer so valuable to users is the information it accesses. If you go onto your mobile banking application and provide your username and password, you expect to be able to view your balance, transfer funds, deposit money, and more. In order to do this, the application on your phone needs to communicate with and receive data that is stored by your bank. The information stored by your bank travels through the seven layers, from the physical layer to the application layer, making it consumable and transferable to you on your personal device. If your banking app could only give you a static view of your balance, it would still be a little useful, but not as valuable to you as it is with all of the other information and actions it provides. The application layer facilitates the free exchange of information between the user and some other entity.

While this exchange of information is what makes the application layer so valuable to users, it is also what makes it a target for hackers. Finding and exploiting vulnerable code at the application layer means that hackers can access the information the legitimate user requests, or redirect it to themselves. This is done through common and widespread vulnerabilities such as Cross-Site Scripting or SQL Injection, or through completely unknown zero-day vulnerabilities. In addition to attacking the application layer via vulnerable code, hackers might also launch account takeover attacks using stolen user credentials, brute force attacks, or session farming techniques to steal data.
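SQL Injection, one of the application-layer vulnerabilities named above, is worth seeing side by side with its fix. The following is an added example, not code from the article or its author: it builds a constructed in-memory SQLite table of accounts (plaintext passwords only to keep the sample short; a real system stores slow password hashes), then queries it once with string concatenation and once with bound parameters. With concatenation, input that contains quote characters changes the meaning of the query and returns every account; with parameters, the query text is fixed and the same input is treated as ordinary data.

```python
import sqlite3


def build_db():
    """Constructed sample data for this example: two accounts in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "s3cret", 1200), ("bob", "hunter2", 530)],
    )
    return conn


def lookup_vulnerable(conn, username, password):
    """Builds the SQL text by concatenation, so user input becomes part of the query itself."""
    query = (
        "SELECT username, balance FROM accounts WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username, password):
    """Binds user input as parameters: the query text never changes, input is only data."""
    query = "SELECT username, balance FROM accounts WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    """Runs both lookups with a valid credential and with a quote-bearing input."""
    conn = build_db()
    valid = ("alice", "s3cret")
    # Constructed input whose quote characters alter the concatenated query's logic.
    tampered = ("alice", "x' OR '1'='1")
    return {
        "vulnerable_valid": lookup_vulnerable(conn, *valid),
        "vulnerable_tampered": lookup_vulnerable(conn, *tampered),
        "parameterized_valid": lookup_parameterized(conn, *valid),
        "parameterized_tampered": lookup_parameterized(conn, *tampered),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns both accounts for the tampered input because the concatenated text becomes `... password = 'x' OR '1'='1'`, and `AND` binds tighter than `OR`, so the final condition is true for every row. The parameterized lookup returns nothing for the same input, which is the behaviour a defender wants: the database never gets a chance to reinterpret user data as query structure.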

By design, the application layer has privileged access to information. By compromising an application, hackers have a direct route to the bounty they are seeking: information in a consumable format, which explains why so many attacks are carried out at this level. In order to protect this sensitive information, it is important to have security infrastructure embedded within the application that can detect and block such attacks in real time when they occur. To learn more about building a comprehensive application security program, check out this eBook: You've Been Hacked: Why Web Application Security Should Start with RASP.
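One small piece of the in-application detection and blocking described above, and a direct answer to the brute force and credential-stuffing attacks mentioned earlier, is a login throttle that counts failed attempts per account and refuses further attempts once a threshold is crossed within a time window. This is an added example written for this page, not code from the article, the author, or any RASP product; the `LoginThrottle` class, the `attempt_login` function, and the clock-injection hook are all hypothetical names chosen here so the demo runs deterministically offline.

```python
import hashlib
import hmac
import time
from collections import defaultdict


class LoginThrottle:
    """Sliding-window failed-login counter per account (hypothetical, simplified logic)."""

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock                 # injectable so tests can control time
        self.failures = defaultdict(list)  # username -> timestamps of recent failures

    def _prune(self, username, now):
        cutoff = now - self.window
        self.failures[username] = [t for t in self.failures[username] if t > cutoff]

    def is_blocked(self, username):
        now = self.clock()
        self._prune(username, now)
        return len(self.failures[username]) >= self.max_failures

    def record_failure(self, username):
        now = self.clock()
        self._prune(username, now)
        self.failures[username].append(now)

    def record_success(self, username):
        self.failures.pop(username, None)


def make_user_store(plain_credentials):
    """Constructed user store: SHA-256 digests stand in for a real slow password hash."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in plain_credentials.items()}


def attempt_login(throttle, users, username, password):
    """Returns 'blocked', 'denied', or 'ok'; the throttle check happens before any lookup."""
    if throttle.is_blocked(username):
        return "blocked"
    stored = users.get(username)
    digest = hashlib.sha256(password.encode()).hexdigest()
    # compare_digest avoids leaking match length through timing differences
    if stored is not None and hmac.compare_digest(stored, digest):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"


def demo():
    """Three wrong passwords, then the right one while blocked, then the right one after the window."""
    fake_now = [1000.0]
    throttle = LoginThrottle(max_failures=3, window_seconds=60, clock=lambda: fake_now[0])
    users = make_user_store({"alice": "s3cret"})
    results = []
    for _ in range(3):
        results.append(attempt_login(throttle, users, "alice", "wrong"))
    results.append(attempt_login(throttle, users, "alice", "s3cret"))  # correct, but blocked
    fake_now[0] += 61                                                  # window expires
    results.append(attempt_login(throttle, users, "alice", "s3cret"))
    return results


if __name__ == "__main__":
    print(demo())
```

The throttle is checked before the credential is examined, so once the limit is reached even a correct password is refused until the window passes; that is what turns a fourth guess into a logged, blockable event rather than a successful takeover. In production the counters would live in shared storage across application instances and would be paired with per-source-address limits and alerting, but the decision logic is the same.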


Published at DZone with permission of Mike Milner, DZone MVB. See the original article here.
