Why Web Application Security Is Critical
Web applications can have numerous vulnerabilities that hackers may be able
to exploit. The results of such attacks range from the application being put
out of commission (denial of service), to the loss of customers’ sensitive data
(exfiltration), to a hacker gaining complete control over the app (code injection).
To protect your application and your business, it is essential to understand
some of the most common threats to web applications and what you can do to
prevent them. Here are some web application security tips to help keep your
business and your customers safe.
Broken Access Control
PROBLEM
A particular type of broken access control attack, known as an insecure direct
object reference (IDOR), occurs when an authenticated user changes a parameter
value to access a resource they should not be allowed to access. This lets
malicious users steal or abuse data and functionality they were never permitted
to use, and it can have serious impacts on the business.
How To Protect Yourself From Broken Access Control (Authenticated access)
SOLUTION
Automated verification can be used to ensure that proper authorization checks
are applied consistently. Every time a direct reference comes from an untrusted
source, it must include an access control check to confirm the user has access
to the resource being requested. Using indirect object references, such as a
drop-down list of authorized resources, removes the user’s ability to change
parameter values.
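Both halves of this advice, as an added example that is not code from the original page: an order lookup that authorizes every client-supplied id, and a per-session indirect-reference map that hands the client only tokens for resources it may use. The `ORDERS` table, `Forbidden` and the function names are this example's own.

```python
import secrets

# Constructed sample data: order id -> owning user id
ORDERS = {101: "alice", 102: "bob", 103: "alice"}


class Forbidden(Exception):
    """Raised when a user requests a resource they do not own."""


def get_order_insecure(order_id: int) -> dict:
    """Vulnerable pattern (IDOR): trusts the client-supplied id outright."""
    return {"id": order_id, "owner": ORDERS[order_id]}


def get_order(current_user: str, order_id: int) -> dict:
    """Hardened: every direct reference from the client is authorized first."""
    owner = ORDERS.get(order_id)
    if owner is None or owner != current_user:
        # Same error for "missing" and "not yours", so ids cannot be enumerated
        raise Forbidden(f"order {order_id} not accessible to {current_user}")
    return {"id": order_id, "owner": owner}


class IndirectReferenceMap:
    """Per-session map of random tokens -> real ids (the drop-down approach).
    The client only ever sees tokens for resources it is allowed to use."""

    def __init__(self, current_user: str):
        self.user = current_user
        self.tokens = {}  # token -> real order id
        for oid, owner in ORDERS.items():
            if owner == current_user:
                self.tokens[secrets.token_urlsafe(16)] = oid

    def choices(self) -> list:
        """Tokens to render as the authorized-resources drop-down."""
        return sorted(self.tokens)

    def resolve(self, token: str) -> dict:
        """Map a submitted token back to a real id; unknown tokens are refused."""
        oid = self.tokens.get(token)
        if oid is None:
            raise Forbidden("unknown or unauthorized reference")
        return get_order(self.user, oid)  # defense in depth: re-check ownership
```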
Request-Flooding Attacks
PROBLEM
Also known as distributed denial of service (DDoS) attacks, these attacks are
designed to overwhelm an application with thousands of requests generated by
bots, making it impossible for the server to respond to them. These attacks can
target the server’s Internet connection or a peering point between the host’s
ISP and the client’s ISP. Hackers may also attempt a flooding attack on a
server’s storage, filling it with zeros that take up all available space and
cause the node to crash. This can shut the application down, taking it offline
and harming productivity.
How To Protect Yourself From Request-Flooding Attacks
SOLUTION
In the case of a flooding attack on server bandwidth, adding more servers with
independent connections will mitigate the bottleneck created by the attack. For
attacks on peering points, moving to another cloud deployment will split traffic
between multiple peering points and relieve the stress. Flooding attacks on
storage can be mitigated with a web application firewall that can discard the
superfluous requests that would otherwise have overwhelmed the server.
Cross-Site Request Forgery
PROBLEM
This attack tricks a victim into submitting a malicious request to a web
application through the use of forged HTTP requests. A hacker can make it
appear as if a request is coming from an authorized user, without that user’s
consent or knowledge. The result can be data loss or other unauthorized access
and activity.
How To Protect Yourself From Cross-Site Request Forgery
SOLUTION
Although many frameworks today include built-in protection against cross-site
request forgery attacks, further protection can be gained through the use of
unpredictable tokens in each HTTP request. A web app can then ensure that
requests come only from its own site and not from another. By placing a token
unique to each HTTP request in a hidden form field, applications can be
protected from hackers who seek to exploit the predictable nature of
application actions.
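The per-request hidden-field token described above, as an added example that is not from the original page: each token is random, bound to the session with an HMAC, checked in constant time and accepted only once. `SERVER_KEY`, `CsrfProtector` and `hidden_field` are names this example assumes.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: one secret per deployment


class CsrfProtector:
    """Issues an unpredictable token per rendered form, bound to the session,
    and accepts each token exactly once."""

    def __init__(self, session_id: str):
        self.session_id = session_id
        self.issued = set()  # nonces handed out but not yet consumed

    def _mac(self, nonce: str) -> str:
        # HMAC over session id and nonce: forging one requires SERVER_KEY
        msg = f"{self.session_id}:{nonce}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def issue(self) -> str:
        """Call when rendering a form; put the result in a hidden field."""
        nonce = secrets.token_urlsafe(16)
        self.issued.add(nonce)
        return f"{nonce}.{self._mac(nonce)}"

    def verify(self, submitted: str) -> bool:
        """Call on every state-changing request before acting on it."""
        if not submitted or "." not in submitted:
            return False
        nonce, mac = submitted.split(".", 1)
        if nonce not in self.issued:
            return False  # never issued to this session, or already used
        if not hmac.compare_digest(mac.encode(), self._mac(nonce).encode()):
            return False  # tampered, or bound to a different session
        self.issued.discard(nonce)  # single use: a replayed token fails
        return True


def hidden_field(token: str) -> str:
    """The hidden form field carrying the token (token chars are URL-safe)."""
    return f'<input type="hidden" name="csrf_token" value="{token}">'
```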
Cross-Site Scripting
PROBLEM
Cross-site scripting (XSS) attacks inject malicious code into a web-based app
that runs when a user visits the compromised website. This can allow hackers to
hijack a user’s personal information. The malicious code can be injected on the
server or on the client, with server XSS attacks being much easier to detect
than client XSS attacks.
How To Protect Yourself From Cross-Site Scripting
SOLUTION
Avoiding XSS attacks means separating untrusted data from active browser
content. For server XSS, this means properly escaping untrusted data according
to the HTML context it is placed in; for client XSS, it means not passing
untrusted data to browser APIs that can generate active content.
Auto-sanitization libraries also offer protection for rich content.
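Context-dependent escaping on the server, with the client-side script writing the value through `textContent` rather than an HTML-generating API, as an added example (not from the original page). The `PAYLOAD` input is constructed, and `render_profile` and the helper names are this example's own.

```python
import html
import json

# Constructed untrusted input, as it might arrive from a profile form
PAYLOAD = '"><img src=x onerror="alert(1)">'


def escape_html_body(s: str) -> str:
    """Text between tags: &, <, >, " and ' become entities."""
    return html.escape(s, quote=True)


def escape_html_attr(s: str) -> str:
    """Quoted attribute value; the quotes are emitted here so callers
    cannot forget them (an unquoted attribute is breakable by a space)."""
    return '"' + html.escape(s, quote=True) + '"'


def escape_js_string(s: str) -> str:
    """Data embedded in a <script> block: JSON-encode, then neutralize '</'
    so the value cannot close the script element early."""
    return json.dumps(s).replace("</", "<\\/")


def render_profile(display_name: str, bio: str) -> str:
    """Server-side template that escapes each value for the context it lands in."""
    return (
        "<h1>" + escape_html_body(display_name) + "</h1>"
        "<p id=\"bio\" data-bio=" + escape_html_attr(bio) + "></p>"
        "<script>var bio = " + escape_js_string(bio) + ";"
        # Client side: write untrusted text with textContent, never innerHTML
        "document.getElementById('bio').textContent = bio;</script>"
    )


def html_part(page: str) -> str:
    """The markup before the script block, used to check no tag survived."""
    return page.split("<script>")[0]
```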
SQL Injection Attacks
PROBLEM
Structured Query Language (SQL) is the language used to communicate with
databases. Hackers can hijack it with malicious input that forces the database
to perform an unauthorized action, which often includes giving up credit card
numbers or user passwords. Hackers can use almost any injection vector to
perpetrate such an attack, which can even lead to a complete host takeover.
How To Protect Yourself From SQL Injection Attacks
SOLUTION
Using a safe, parameterized API is the best way to protect yourself from a SQL
injection attack, because it keeps untrusted input out of the query text that
the interpreter parses. If using a parameterized API is not feasible, special
characters should be escaped for the interpreter using its specific escape
syntax. Also, using runtime application self-protection (RASP) technology in
your production environment can detect anomalous behavior within the
application and alert you to SQL injections hidden in normal traffic.
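The parameterized API and the escape-syntax fallback, shown beside the vulnerable concatenation they replace, as an added example that is not from the original page. It runs against an in-memory SQLite table with constructed rows, and `HOSTILE_NAME` is a constructed input.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows standing in for customer data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "1111"), ("bob", "2222")])
    return conn


def lookup_vulnerable(conn, name: str) -> list:
    """Untrusted input spliced into the SQL text, so input can rewrite the query."""
    sql = "SELECT name, card_last4 FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name: str) -> list:
    """Parameterized: the value travels separately and is never parsed as SQL."""
    return conn.execute(
        "SELECT name, card_last4 FROM users WHERE name = ?", (name,)
    ).fetchall()


def escape_fallback(value: str) -> str:
    """Only where a parameter is impossible: SQLite's escape syntax doubles
    single quotes inside a string literal. Prefer a parameter whenever you can."""
    return "'" + value.replace("'", "''") + "'"


def lookup_escaped(conn, name: str) -> list:
    sql = "SELECT name, card_last4 FROM users WHERE name = " + escape_fallback(name)
    return conn.execute(sql).fetchall()


# Constructed input containing a quote, the classic way a query gets rewritten
HOSTILE_NAME = "x' OR '1'='1"
```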
Broken Authentication Management
PROBLEM
Hackers who take advantage of these attacks steal account information through
flaws in the authentication process, such as the logout process or the
mechanism for changing a password. If successful, the hacker may gain access
to everything in the application that an authorized user has access to, and
effectively lock anyone else out.
How To Protect Yourself From Broken Authentication Management
SOLUTION
Applications should have strong protection against XSS attacks that may be used
to steal session IDs. Applications should also be built with a single set of
strong authentication and session management tools that have been thoroughly
tested for flaws and leaks that hackers could exploit. Having visibility into
the behavior of the application can alert you to compromised accounts.
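One shared session-management module covering the login, logout and password-change paths the page names, as an added example that is not from the original page. `SessionStore`, `session_cookie` and the 30-minute idle timeout are this example's assumptions.

```python
import secrets
import time
from typing import Optional

SESSION_TTL = 30 * 60  # assumption: 30-minute idle timeout, in seconds


class SessionStore:
    """Single server-side session store shared by login, logout and
    password change, so every authentication path behaves the same way."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": ..., "last": ...}

    def login(self, user: str, old_sid: Optional[str] = None) -> str:
        """Issue a fresh id on login and drop any id presented before
        authentication (prevents session fixation)."""
        if old_sid:
            self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._sessions[sid] = {"user": user, "last": time.time()}
        return sid

    def user_for(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Resolve a cookie value to a user; idle sessions expire server-side."""
        now = time.time() if now is None else now
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if now - rec["last"] > SESSION_TTL:
            del self._sessions[sid]
            return None
        rec["last"] = now
        return rec["user"]

    def logout(self, sid: str) -> None:
        """Server-side invalidation: clearing the cookie alone is not a logout."""
        self._sessions.pop(sid, None)

    def password_changed(self, user: str) -> int:
        """Revoke every session of the user; returns how many were dropped."""
        dead = [s for s, r in self._sessions.items() if r["user"] == user]
        for s in dead:
            del self._sessions[s]
        return len(dead)


def session_cookie(sid: str) -> str:
    """Set-Cookie value: HttpOnly keeps script (XSS) from reading the id,
    Secure keeps it off plaintext HTTP, SameSite limits cross-site sends."""
    return f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
```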
Sensitive Data Exposure
PROBLEM
Despite developers’ best efforts, sensitive data is sometimes left exposed for
brief periods, such as while in transit. Hackers may be able to steal sensitive
information at the moment it is decrypted for transmission to the user or to
the server. This can give the hacker access to a wide range of highly sensitive
information, creating severe liability and potential damage to a business’s
reputation.
How To Protect Yourself From Sensitive Data Exposure
SOLUTION
Strong algorithms and strong key management are crucial to protecting sensitive
data, especially passwords, which should be stored using an algorithm designed
specifically for password hashing. Forms that collect sensitive data should not
use autocomplete, and any page containing sensitive data should have caching
disabled. Also, discard any unnecessary sensitive data immediately, rather than
storing it where it could be stolen.
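Password storage with a purpose-built password-hashing algorithm (scrypt from the standard library, with a random per-user salt), plus the no-cache headers and autocomplete-off field the page calls for, as an added example that is not from the original page. The scrypt cost parameters and the function names are this example's assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed scrypt cost parameters; raise SCRYPT_N as hardware allows
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Returns 'scrypt$<salt-hex>$<hash-hex>'; the plaintext is never stored."""
    salt = secrets.token_bytes(16)  # random per-user salt defeats precomputed tables
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest, expected)


def no_cache_headers() -> dict:
    """Response headers for any page carrying sensitive data (caching disabled)."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
        "Expires": "0",
    }


def sensitive_input_field(name: str) -> str:
    """Form field for sensitive data with browser autocomplete disabled."""
    return f'<input type="text" name="{name}" autocomplete="off">'
```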