https://www.briskinfosec.com
Briskinfosec Technology and
Consulting Pvt Ltd
Mobile: 8608634123
https://www.facebook.com/briskinfosec
https://twitter.com/briskinfosec
Web Application Security Service
Web Application Protection
Most web applications are vulnerable to hackers. Many people remember the sensational cases of
hacking politicians' Twitter accounts. Information is exchanged at the client-server level whenever a user
on a PC or mobile device accesses the server hosting the application, and modern methods of ensuring
information security are not always applied to that exchange.
Web application security is therefore a task for both developers and users. A few years ago, protection
measures were limited to configuring the web server, clearing the hard drive of unnecessary and
obsolete files and code, and regularly monitoring files for unexpected changes. As hackers become more
active and DDoS attacks more frequent, more serious security measures are needed.
Concept
A web application is a technical solution with the help of which a client (user) communicates with a
server in real time, for example, through a personal account in an electronic bank or a page on a social
network.
The following work in the format of web applications:
✓ Social networks,
✓ Search engines,
✓ Mail clients,
✓ Online programs for business, built according to the “client-server” model (Bitrix-24 CRM system
and analogues),
✓ Online shopping.
Based on the technical characteristics and operation model, applications are divided into the following
types:
1. Back end. This term refers to the server part of the software product, installed on a server located at
any distance from the user. The program is written in any popular programming language - PHP, Python,
Ruby, C#.
2. Front end. This type of application runs in the user's browser. The program is written in JavaScript
and differs from the back end in that user data is not stored for more than one session. This option
includes photo editors and games.
3. Single-page application. This option combines the client and server versions.
The type of application determines the threat model against which it should be protected.
Main Threats
Attackers look for ways to hack web applications for various purposes. Account hacking lets them use a
valuable resource without paying, hijack another player's character in a popular game, change the
Twitter content of a well-known politician, or use an account as a member of a botnet. For a hacker, the
personal data of the person whose account is hacked usually does not matter; only the fact of access to
the resource is of interest.
The peculiarity of resource hacking is that it is not personalized but automated and mass-produced using
special programs. The information obtained is sold or used for the hacker's own purposes. The owner of
a resource that works with clients according to the web application model must be able to protect the
site from the most common hacking methods.
Popular protection methods
Simple methods for protecting an application from hackers do not require serious financial investment
and are available to most owners of online stores and similar resources.
The most popular among them are:
✓ Audit (preventive measure),
✓ Use of secure data transfer protocols,
✓ Use of security software.
All methods must be used in combination.
Checking the site for vulnerabilities
Before developing a technique for protecting a web application from potential threats, the site should
be checked for vulnerabilities. The check is conducted manually or automatically. Programs available in
paid and free versions will test the application for the main risks. Such software products exist in two
versions: black hat, which simulates the actions of crackers, and white hat, which systematically reveals
all system flaws by scanning.
Among the most effective free tools are:
✓ OpenVAS scans local networks for vulnerabilities,
✓ BRISKINFOSEC Exotic XSS Exploit Framework checks the site for XSS vulnerabilities, that is, the possibility
of injecting malicious code into a web page that steals user account data and other information.
The code is injected through vulnerabilities on the user's server or device,
✓ Approof by Positive Technologies examines the configuration of a web application and finds
redundant or malicious code.
Free online services can also handle the audit:
✓ SecurityHeaders.io analyzes server responses to requests and identifies vulnerabilities,
✓ Observatory by Mozilla is a free and open-source service for identifying security holes. It can
involve the resources of other security check services and add their data to the report. It assesses the
degree of safety on a scale from A to F, where F is the lowest level. In 2016, 91% of reviewed
sites were at level F,
✓ One button scan scans such server elements as DNS, HTTP headers and SSL, and checks the services
used for vulnerabilities,
✓ SSL Server Test checks for SSL vulnerabilities,
✓ Snyk checks for vulnerabilities in JavaScript, Ruby and Java applications and can fix security flaws
on its own. It works well together with a GitHub repository.
Paid resources give more opportunities to check the service for vulnerabilities, and they are updated
faster as the structure and nature of threats change.
The results of the audit may come as a shock to an IT specialist: a great many threats will be
identified, but not all of them are equally important or exploitable, and hackers use the simplest
methods of hacking.
After fixing serious vulnerabilities, the scan should be repeated. After completing the automatic check,
you can organize manual testing of the web application. To do this, you modify the content of
POST requests (sending data to a resource) and GET requests (requesting data from a
resource) sent over HTTP. It is best to use a proxy server that intercepts HTTP requests. It is also necessary to
test whether data validation (checking that the request meets the specified requirements) can be bypassed
and whether malicious code that intercepts user data can be injected onto the site. If monitoring systems
show significant vulnerabilities, protection must be increased in the identified areas.
Using paid or free security monitoring resources, check whether a hacker could bypass the mandatory
authentication requirements set for some pages of a web application. To do this, use such
traditional hacking methods as changing URL parameters (in particular, the user ID) or changing
cookies.
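The user-ID check described above, seen from the server side, as an added example that is not part of the original document. It contrasts a handler that trusts the user_id URL parameter with one that ties the returned record to the session identity; the handler names, session tokens and user records are constructed for the illustration.

```python
"""Object-level authorization for a 'view my profile' endpoint (added example).

The weak handler authenticates the caller and then trusts the user_id URL
parameter, so any logged-in user can read any profile by editing the URL.
The hardened handler derives identity from the session cookie and refuses
a mismatching user_id. All names and data below are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample data: session token -> user id, and a tiny user table.
SESSIONS: Dict[str, int] = {"tok-alice": 1, "tok-bob": 2}
USERS: Dict[int, dict] = {
    1: {"name": "alice", "email": "alice@example.invalid"},
    2: {"name": "bob", "email": "bob@example.invalid"},
}


@dataclass
class Request:
    params: Dict[str, str]   # query-string parameters, e.g. {"user_id": "2"}
    cookies: Dict[str, str]  # request cookies, e.g. {"session": "tok-alice"}


def current_user(req: Request) -> Optional[int]:
    """Resolve the caller from the session cookie; None if not logged in."""
    return SESSIONS.get(req.cookies.get("session", ""))


def profile_weak(req: Request) -> Tuple[int, Optional[dict]]:
    """Vulnerable: authentication is checked, authorization is not."""
    if current_user(req) is None:
        return 401, None
    target = req.params.get("user_id", "")
    rec = USERS.get(int(target)) if target.isdigit() else None
    return (200, rec) if rec is not None else (404, None)


def profile_hardened(req: Request) -> Tuple[int, Optional[dict]]:
    """Fixed: the record returned belongs to the session's user; a user_id
    that names someone else is rejected (and worth logging as a probe)."""
    uid = current_user(req)
    if uid is None:
        return 401, None
    requested = req.params.get("user_id")
    if requested is not None and requested != str(uid):
        return 403, None  # object-level authorization failure
    return 200, USERS[uid]
```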
HTTPS
The second most widespread way to protect user data, after identification, is the secure HTTPS data
transfer protocol. Hyper Text Transfer Protocol Secure protects web application user information by
encrypting traffic. It preserves the confidentiality and integrity of information, preventing
data leakage or substitution.
Most resources have been using this technology for a long time; it has become good practice,
confirming the readiness of their owners to protect the interests of clients. The Google search engine
ranks sites using this technology higher in its results.
HTTPS is required if users provide the service with information such as:
✓ Credit card numbers,
✓ Personal data,
✓ URLs of the pages they visit.
When a request is generated from the login form, cookies are used, and they must be sent to the
server with each request. With weak web application protection, nothing prevents an attacker from
intercepting these cookies and forging a request with the user's rights. Using HTTPS for every page on your site
reduces this risk.
Solving the problem is easy; the steps are:
✓ Generate an SSL certificate (on some resources this is done for free),
✓ Obtain and install the certificate,
✓ Enable HTTPS support for the web application.
An additional feature after configuring HTTPS is HTTP Strict Transport Security (HSTS).
This is an option to force the use of HTTPS even if the server does not support it. However, secure
protocols will not save a web application if the software itself is outdated.
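A small response-header audit in the spirit of the SecurityHeaders.io check mentioned earlier and of the HSTS and session-cookie points above, added here as an example and not taken from the original document or any of the services it names. It assumes two constructed responses (one weak, one corrected) and a six-month minimum HSTS max-age that is this example's own policy choice; note that a server must already be serving HTTPS before the HSTS header it sends has any effect.

```python
"""Audit HTTPS-related response headers (added example, hypothetical names).

Checks: Strict-Transport-Security present, with a max-age at or above a
chosen minimum and includeSubDomains; the session cookie carries Secure
(never sent over plain HTTP) and HttpOnly (not readable by page script).
"""
import re
from typing import Dict, List

# Constructed sample responses: a weak one and the corrected one.
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Set-Cookie": "session=abc123; Path=/",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}

# Policy choice assumed for this example: at least six months of HSTS.
MIN_HSTS_AGE = 180 * 24 * 3600  # 15552000 seconds


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so normalize before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def hsts_findings(headers: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    hsts = _lower(headers).get("strict-transport-security")
    if hsts is None:
        return ["missing Strict-Transport-Security header"]
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("HSTS header has no max-age directive")
    elif int(m.group(1)) < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age {m.group(1)} is below {MIN_HSTS_AGE}")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS does not cover subdomains")
    return findings


def cookie_findings(headers: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    cookie = _lower(headers).get("set-cookie")
    if cookie is None:
        return findings
    parts = cookie.split(";")
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.strip().split("=", 1)[0].lower() for p in parts[1:]}
    if "secure" not in attrs:
        findings.append(f"cookie {name} lacks Secure (sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"cookie {name} lacks HttpOnly (readable by script)")
    return findings


def audit(headers: Dict[str, str]) -> List[str]:
    """Return all findings for one response; an empty list means it passed."""
    return hsts_findings(headers) + cookie_findings(headers)
```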
Software Update
The application owner must keep abreast of software updates. Hackers examine every update and find
vulnerabilities in it, sometimes before the developers do. Operating systems, HTTP management
technologies, and content management systems (CMS) are attacked especially actively.
When the service is installed on someone else's hosting, the task of timely updating of
the operating system falls on the provider. If the hosting is your own, the OS needs to
be updated immediately after the updates are released. The site may run on an operating system
designed for this type of web application (an engine) from a third-party manufacturer, especially for online
stores. It is necessary to keep track of all software updates and install the updated version as soon as it is
released. The developers notify the owner of the resource by mailing, and the authors of the most popular
engines, WordPress and Umbraco, report updates when you enter the site control panel.
Web sites often have dependent components (content management software modules). Package
managers such as Composer, NPM or RubyGems are used to manage them. These dependencies also need to be
monitored for updates to avoid security issues.
SQL injection protection
The security of a web application depends on how effectively the owner can prevent SQL injection. This
attack looks like an ordinary request to the site and its database, made through a form field or a URL parameter. If the
resource was built using Transact-SQL, malicious code is inserted into the query, easily changing
or destroying the data contained in the tables.
You can avoid the risk by using parameterized queries, which are available in several programming languages.
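The vulnerable query beside its parameterized form, as an added example that is not from the original document. It uses Python's built-in sqlite3 module rather than Transact-SQL so it runs offline; the users table and login values are constructed, and the same form input that rewrites the string-built query is matched as plain data by the parameterized one.

```python
"""String-built SQL versus a parameterized query (added example).

A login lookup takes a name and password from a form. In the vulnerable
version the values are pasted into the SQL text, so a value containing
quotes changes the query's structure. In the fixed version the driver
sends the values separately from the SQL, so they can only ever be data.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for an application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, pw TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str, pw: str) -> List[Tuple]:
    """Vulnerable: form fields are interpolated into the SQL text."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str, pw: str) -> List[Tuple]:
    """Fixed: '?' placeholders; sqlite3 binds the values, never parses them."""
    sql = "SELECT id, name FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchall()


def login_ok(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    """Application-level check built on the safe query: exactly one row."""
    return len(find_user_safe(conn, name, pw)) == 1
```

With a normal password both functions return the single matching row; with a password value such as `' OR '1'='1` the unsafe query's WHERE clause becomes always true and returns every user, while the safe query returns nothing.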
Additional Security Options
Working with web services requires a wide range of security tools. In addition to the main
methods listed, the following are often used:
✓ Password encryption,
✓ Prevention of cross-site scripting,
✓ Control of file uploads to the server.
The combined use of all available solutions provides security at the highest possible level.
