Security Risks to Watch Out For in Your Web Application

Gaurav Verma | Software Security

This article deals with the top known vulnerabilities that exist in systems. These are regularly published as the OWASP (https://www.owasp.org) Top 10. This article does not claim to be original research work but essentially discusses the known top vulnerabilities from a programmer's point of view.

OWASP, the Open Web Application Security Project, is a worldwide not-for-profit charitable organization focused on improving the security of software. It regularly publishes the top security holes found across applications together with suggestions for fixing them. This article heavily borrows material from OWASP and presents it from the developer's point of view.

The major cause of security issues is that security is an afterthought and the approach to solving it is patching, while security should be baked into the design of the application. This article provides inputs towards a good security design.

The upcoming sections provide an overview of each vulnerability and point the reader to detailed resources. We also describe technologies that are commonly used and mark whether they are a potential risk.

Injection

An injection attack occurs when the input entered by an end user is crafted so that the code executing it returns undesired data. This happens when user input is not validated and filtered. Such vulnerabilities are most famous as SQL injection but also apply to NoSQL, ORM and LDAP queries. To prevent them, all sources of input data must be validated: cookies, user form input, JSON fields, headers etc.

Consider the example of a login implemented with the query

Select * From Users Where username = ? and password = ?;

What if a user enters

user name ; Select * From Users;

Depending on how the code is written, this would be evaluated and actually return all the users; filtering the input would ensure protection.
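The two ways of writing that login query side by side, as an added example that is not from the article: the unsafe version pastes the article's input straight into the SQL text, the safe version binds it as a parameter. The Users table and its rows are constructed here so the code runs offline.

```python
import sqlite3

# Constructed sample Users table (not from the article) so the check runs offline.
# Passwords are stored in clear only to mirror the article's query; real
# systems store a salted hash and compare against that.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def build_query_unsafe(username, password):
    """Pastes the user's input straight into the SQL text, with no validation
    or escaping. Everything the user typed, the ';' separator and the extra
    Select included, becomes part of the statement the database is asked to
    parse; whether that second statement runs depends on the driver and on
    how the surrounding code is written."""
    return (f"Select * From Users Where username = {username} "
            f"and password = {password};")

def login_safe(conn, username, password):
    """The article's query with bound parameters: the driver sends the input
    as values to compare, so it is never parsed as SQL. Returns the matching
    row or None."""
    return conn.execute(
        "Select * From Users Where username = ? and password = ?;",
        (username, password),
    ).fetchone()

if __name__ == "__main__":
    conn = make_db()
    attempt = "user name ; Select * From Users;"   # the input from the article
    print(build_query_unsafe(attempt, "x"))        # input is now part of the SQL
    print(login_safe(conn, attempt, "x"))          # None: treated as a username
    print(login_safe(conn, "alice", "s3cret"))     # ('alice', 's3cret')
```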

Insufficient Logging & Monitoring

Monitoring and alerts are the primary tools for finding an attack and taking immediate corrective action. When an attack does take place, logs and alerts are the primary means of raising the alarm and of a later postmortem. Excellent logging not only helps prevent and circumvent the attack but also reveals security problems that can then be fixed.

Excellent tools such as Splunk, ELK, Logstash and others may be employed to actively respond to attacks.

Broken Authentication

Broken authentication is exploited by one of many techniques, such as brute-force attacks using known username and password databases, or session hijacking. Simple mechanisms fix broken authentication: enforcing strong passwords, single sign-on, use of SSL, two-factor authentication etc.

Sensitive Data Exposure

The idea here is that if and when data is intercepted it should not be usable, so that man-in-the-middle attacks are stopped. This requires sensitive data to be salted and/or encrypted in motion and at rest. Data that is shared, such as credit cards in a DB table or data in FTP files, must all be encrypted and shared over TLS/SSL. Algorithms, keys etc. must be strong.

XML External Entities

XML and JSON parsers can have vulnerabilities that may allow execution of unwanted code over unwanted data. In modern dynamic languages, script code may be embedded in data and then executed on the server.

Broken Access Control

While authentication establishes who is allowed access, it does not say what kind of access is allowed. With broken access control, unwanted and damaging features may be exposed to unprivileged users. It is poor practice to have the UI define access control without implementing the same on the API or business layer. Frameworks that support claims-based or role-based authorization can greatly help develop systems that are secure against such attacks.
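An added example, not from the article, of putting the role check on the business function itself rather than in the UI: the decorator refuses the call no matter which screen or client issued it, and the read function adds an object-level check so a user sees only their own record. The account data, role names and function names are all constructed for the illustration.

```python
from dataclasses import dataclass
from functools import wraps

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

class AuthorizationError(Exception):
    """Raised by the business layer when the caller lacks the required role."""

def require_role(role):
    """Enforces a role on the API/business function itself, so the check
    holds whether or not the UI hid the button for this action."""
    def decorator(func):
        @wraps(func)
        def wrapper(caller, *args, **kwargs):
            if role not in caller.roles:
                raise AuthorizationError(f"{caller.name} lacks role {role!r}")
            return func(caller, *args, **kwargs)
        return wrapper
    return decorator

# Constructed data (not from the article): account records keyed by owner.
ACCOUNTS = {"alice": {"balance": 100}, "bob": {"balance": 50}}

@require_role("admin")
def close_account(caller, owner):
    """A damaging feature: only admins may remove an account. Returns True
    if a record was removed."""
    return ACCOUNTS.pop(owner, None) is not None

def view_account(caller, owner):
    """Object-level check: a user may read only their own record unless they
    hold the admin role."""
    if owner != caller.name and "admin" not in caller.roles:
        raise AuthorizationError(f"{caller.name} may not view {owner}'s account")
    return ACCOUNTS[owner]

def is_allowed(action):
    """Runs a zero-argument action; True if it ran, False if refused."""
    try:
        action()
        return True
    except AuthorizationError:
        return False
```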

Security Misconfiguration

A number of vulnerabilities exist in systems due to poor hardening. Sometimes these items are let go in the development environment for efficient debugging, but in production they include things like running processes with the minimal required privileges and not as root, accessing the DB not as root, not exposing stack traces, setting proper directory privileges and so on. Once these are fixed, the attack surface is greatly reduced.

Cross Site Scripting

Cross-site scripting is a form of attack in which JavaScript is embedded in user input and stored in the database. The stored input may then be executed on a victim's computer, transmitting vital information or redirecting users to other websites. Anti-XSS filters may be employed on the incoming HTTP stream to filter it out.

Insecure Deserialization

This attack occurs when serialized input, once deserialized, exploits an underlying issue such as a buffer overflow. This is a complex issue because it is difficult to contain in a disconnected world where inputs are received from unknown sources.

Strict type checks and deserialization into known entities provide safety against this issue. However, issues like these are harder to manage in dynamic languages.
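What "strict type checks and deserialization into known entities" looks like in a dynamic language, as an added example that is not from the article: untrusted JSON is accepted only if it matches one fixed schema, with unexpected fields, wrong types and out-of-range values rejected instead of being turned into whatever object the sender described. The Order entity and its fields are constructed for the illustration.

```python
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Order:
    order_id: int
    item: str
    quantity: int

# The "known entity": the only field names and types we will accept. Anything
# else in the payload (extra keys, wrong types, nested objects) is rejected
# rather than deserialized into an object of the sender's choosing.
ORDER_SCHEMA = {"order_id": int, "item": str, "quantity": int}

def deserialize_order(raw: str) -> Order:
    """Strictly deserialize untrusted JSON text into an Order; raises ValueError."""
    data = json.loads(raw)            # JSONDecodeError is a ValueError subclass
    if not isinstance(data, dict):
        raise ValueError("top-level value must be an object")
    unknown = set(data) - set(ORDER_SCHEMA)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    missing = set(ORDER_SCHEMA) - set(data)
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    for name, expected in ORDER_SCHEMA.items():
        value = data[name]
        # bool is a subclass of int in Python, so reject it before the type check
        if isinstance(value, bool) or not isinstance(value, expected):
            raise ValueError(f"field {name!r} must be {expected.__name__}")
    # Range checks run only after the types are known to be right.
    if data["quantity"] <= 0 or not 0 < len(data["item"]) <= 100:
        raise ValueError("field value out of range")
    return Order(**data)

def is_valid_order(raw: str) -> bool:
    """True when the payload deserializes cleanly, False when it is rejected."""
    try:
        deserialize_order(raw)
        return True
    except ValueError:
        return False
```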

Using Components with Known Vulnerabilities

New issues and vulnerabilities are found in applications and libraries all the time. It is imperative to patch them as and when fixes are available. Attackers bank on the long cycles between issues being found and being patched and fixed.

About the Author

Gaurav Verma

With over 16 years of experience, Gaurav has worked on immensely complex projects in a wide gamut of industries & technologies, having worked with organizations like Sapient & Grapecity among others. A graduate from the Delhi University and Indraprasth University with degrees in electronics and computers, he is currently fascinated by & working on projects involving AI and Machine Learning.
