Web application security is the idea of building websites to function as expected, even when they are under attack. The concept involves a collection of security controls engineered into a Web application to protect its assets from potentially malicious agents.
2. https://www.briskinfosec.com
Web Application Protection
Most web applications are vulnerable to hackers; many people remember the widely publicized hacking of politicians' Twitter accounts. At the client-server level, whenever a user on a PC or mobile device accesses the server hosting the application, information is exchanged, yet modern information-security methods are not always applied to that exchange.
Web application security is therefore a task for both developers and users. If a few years ago protection measures were limited to setting up the web server, thoroughly cleaning the hard drive of unnecessary and obsolete files and code, and regularly monitoring files for changes, then as hackers become more active and DDoS attacks more frequent, more serious security measures are needed.
Concept
A web application is a technical solution through which a client (user) communicates with a server in real time, for example through a personal account in an online bank or a page on a social network.
The following operate as web applications:
✓ Social networks,
✓ Search engines,
✓ Mail clients,
✓ Online programs for business built according to the "client-server" model (the Bitrix-24 CRM system and its analogues),
✓ Online shops.
Based on their technical characteristics and operating model, applications are divided into the following types:
1. Back end. This term refers to the server part of the software product, installed on a server that may be located at any distance from the user. The program is written in any popular programming language: PHP, Python, Ruby, C#.
2. Front end. This type of application runs in the user's browser. The program is written in JavaScript and differs from the back end in that user data is not stored for more than one session. This category includes photo editors and games.
3. Single-page application. This option combines the client and server versions.
The type of application determines the threat model against which it should be protected.
Main Threats
Attackers look for ways to hack web applications for various purposes. Hijacking an account lets them obtain a valuable resource without paying, take over someone else's character in a popular game, change the Twitter content of a well-known politician, or use the account as a member of a botnet. For a hacker, the personal data of the person whose account is hacked usually does not matter; only the fact of access to the resource is of interest.
The peculiarity of resource hacking is that it is not personalized but automated and carried out on a mass scale using special programs. The information obtained is sold or used for the hacker's own purposes. The owner of a resource that works with clients according to the web application model must be able to protect the site from the most common hacking methods.
Popular protection methods
Simple methods of protecting an application from hackers do not require serious financial investment and are available to most owners of online stores and similar resources.
The most popular among them are:
✓ Audit (a preventive measure),
✓ Use of secure data transfer protocols,
✓ Use of security software.
All methods must be used in combination.
Checking the site for vulnerabilities
Before developing a technique for protecting a web application from potential threats, the site should be checked for vulnerabilities. The check is conducted manually or automatically. Programs available in paid and free versions test the application for the main risks. Such software products exist in two variants: Black hat, which simulates the actions of crackers, and White hat, which systematically reveals all system flaws by scanning.
Among the most effective free tools are:
✓ OpenVAS scans local networks for vulnerabilities,
✓ BRISKINFOSEC Exotic XSS Exploit Framework checks the site for XSS vulnerabilities, that is, the possibility of injecting malicious code into a web page that steals user account data and other information. The code is injected through vulnerabilities on the user's server or device,
✓ Approof by Positive Technologies examines the configuration of a web application and finds redundant or malicious code.
Free online services can also handle the audit:
✓ SecurityHeaders.io analyzes server responses to requests and identifies vulnerabilities,
✓ Observatory by Mozilla is a free and open-source service for identifying security holes. It can involve the resources of other security check services and add their data to the report. It assesses the degree of safety on a scale from A to F, where F is the lowest level. In 2016, 91% of reviewed sites were at level F,
✓ One button scan scans such server elements as DNS, HTTP headers and SSL, and checks the services used for vulnerabilities,
✓ SSL Server Test checks for SSL vulnerabilities,
✓ Snyk checks for vulnerabilities in JavaScript, Ruby and Java applications and fixes security flaws on its own. It works well together with GitHub repositories.
Paid resources give more opportunities to check the service for vulnerabilities, and they are updated faster as the structure and nature of threats change.
The results of the audit may come as a shock to an IT specialist: a great many threats will be identified, but not all of them are equally important or exploitable, and hackers use the simplest methods of hacking.
After fixing serious vulnerabilities, the scan should be repeated. After completing the automatic check, you can organize a manual hacking attempt against the web application. To do this, you need to modify the contents of POST requests (sending data to a resource) and GET requests (requesting data from a resource) sent over HTTP. It is best to use a proxy server that intercepts HTTP requests. It is also necessary to bypass data validation (checking that the request meets the specified requirements) and inject an SSL infection onto the site that intercepts user data. If monitoring systems show significant vulnerabilities, it is necessary to increase protection in the identified areas.
Using paid or free security monitoring resources, you need to check the hypothetical ability of a hacker to bypass the mandatory authentication requirements provided for some pages of a web application. To do this, you need to use such traditional hacking methods as changing URL parameters (in particular, the user ID) or changing cookies.
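The two bypasses just named (editing the user ID in the URL, editing the cookie) are what a server-side check has to defeat. The following is an added example, not code from the original paper: a tamper-evident session cookie (HMAC over the user id, a constructed secret) plus an ownership check that never trusts the id in the URL on its own. The handler, profile table and key are all assumptions made for the illustration.

```python
import hmac
import hashlib

# Constructed server-side secret for this example; in practice load it from
# configuration, never from source code.
SECRET_KEY = b"example-secret-key-rotate-me"

def sign_session(user_id: int) -> str:
    """Build a session cookie value '<user_id>.<hmac-sha256>' for a logged-in user."""
    payload = str(user_id).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"

def verify_session(cookie: str):
    """Return the user id carried by the cookie, or None if it is missing,
    malformed, or was altered by the client (the tag no longer matches)."""
    try:
        user_part, tag = cookie.rsplit(".", 1)
        user_id = int(user_part)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, user_part.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return user_id

# Constructed sample data: which account owns each profile record.
PROFILES = {
    1: {"owner": 1, "email": "alice@example.com"},
    2: {"owner": 2, "email": "bob@example.com"},
}

def get_profile(session_cookie: str, requested_id: int):
    """Hypothetical handler for GET /profile?id=<requested_id>.
    Step 1: the request must carry a valid, unmodified session.
    Step 2: the authenticated user must own the record named in the URL;
    changing the id parameter to another user's id yields 403, not their data."""
    user_id = verify_session(session_cookie)
    if user_id is None:
        return 401, "authentication required"
    profile = PROFILES.get(requested_id)
    if profile is None or profile["owner"] != user_id:
        return 403, "forbidden"
    return 200, profile
```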
HTTPS
The second most popular way to protect user data, after identification, is to use the secure HTTPS data transfer protocol. Hyper Text Transfer Protocol Secure protects web application user information by encrypting traffic. It preserves the confidentiality and integrity of information, preventing data leakage or substitution.
Most resources have been using this technology for a long time; it has become good form, confirming the readiness of their owners to protect the interests of clients. The Google search engine ranks sites using this technology higher in its results.
HTTPS is required if users provide the service with information such as:
✓ Credit card numbers,
✓ Personal data,
✓ URLs of the pages they visit.
When a request is generated from the authorization form, cookies are used, and they must be sent to the server with each request. With weak web application protection, nothing prevents an attacker from intercepting these cookies and forging a request with the user's rights. Using HTTPS for every page on your site reduces this risk.
Solving the problem is easy; the following steps are needed:
✓ Generate an SSL certificate (on some resources this is done for free),
✓ Obtain and install a certificate,
✓ Enable HTTPS support for the web application.
An additional feature available after configuring HTTPS is HTTP Strict Transport Security (HSTS). This is an option to force the use of HTTPS even if the server does not support it. However, secure protocols will not save a web application if the software itself is outdated.
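To verify that the HTTPS and HSTS configuration described above actually took effect, a header audit of the kind the SecurityHeaders.io service performs can be scripted. The following is an added example, not code from the paper or from any of the tools it lists: it parses constructed raw HTTP responses and reports whether the Strict-Transport-Security header is present and strong enough. The one-year minimum max-age and the sample responses are assumptions for the illustration.

```python
def parse_headers(raw: str) -> dict:
    """Turn a raw HTTP response into a dict of lower-cased header names
    (the status line is skipped; parsing stops at the blank line before the body)."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def check_hsts(raw_response: str, min_max_age: int = 31536000) -> list:
    """Return a list of findings for the Strict-Transport-Security header.
    An empty list means a policy is present and meets the assumed bar
    (max-age of at least one year, includeSubDomains set). Note that browsers
    only honour this header on responses received over HTTPS."""
    headers = parse_headers(raw_response)
    value = headers.get("strict-transport-security")
    if value is None:
        return ["missing Strict-Transport-Security header"]
    findings = []
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.lower()] = val.strip().strip('"')
    if "max-age" not in directives or not directives["max-age"].isdigit():
        findings.append("max-age directive missing or not numeric")
    elif int(directives["max-age"]) < min_max_age:
        findings.append(f"max-age {directives['max-age']} is shorter than {min_max_age} seconds")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set: subdomains may still be reached over plain HTTP")
    return findings

# Constructed sample responses (not captured from any real server).
STRONG_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
                   "\r\n<html></html>")
WEAK_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "Strict-Transport-Security: max-age=300\r\n\r\n<html></html>")
NO_HSTS_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for label, resp in [("strong", STRONG_RESPONSE), ("weak", WEAK_RESPONSE), ("none", NO_HSTS_RESPONSE)]:
        print(label, check_hsts(resp) or "OK")
```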
Software Update
The application owner must keep abreast of software updates. Hackers test all updates and find vulnerabilities in them, sometimes earlier than the developers do. Operating systems, HTTP management technologies and content management systems (CMS) are hacked especially actively.
When the service is installed on someone else's hosting, the task of timely replacement of the operating system falls on the shoulders of the provider. If the hosting is your own, the OS needs to be updated immediately after the updates are released. The site may run on an engine designed for this type of web application by a third-party manufacturer, especially in the case of online stores. It is necessary to keep track of all software updates and install the updated version as soon as it is released. The developers notify the owner of the resource by mail, and the most popular engine authors, WordPress and Umbraco, report updates when the owner enters the site control panel.
Websites often have dependent components (content management software modules). Package managers such as Composer, NPM or RubyGems are used to manage them. They also need to be monitored for updates to avoid security issues.
SQL injection protection
The security of a web application depends on how effectively the owner can avoid SQL injection. This attack looks like a request to the site and its database through a form field or a URL parameter. If the resource was built using Transact-SQL, malicious code inserted into the query can easily change or destroy the data contained in the tables.
You can avoid the risk by using parameterized queries, which are available in most programming languages.
Additional Security Options
Working with web services requires a wide range of security tools. In addition to the main methods listed, the following are often used:
✓ Password encryption,
✓ Prevention of cross-site scripting,
✓ Control of file uploads to the server.
The combined use of all available solutions provides security at the highest possible level.