Cloud Security: Myths Vs. Facts
Web Application Security Tips For Cyber Attacks
Why Web Application Security Is Critical
Web applications expose many potential vulnerabilities that attackers can exploit. The outcome of a successful attack ranges from the application being put out of commission (denial of service), to the theft of customers' sensitive data (exfiltration), to an attacker gaining complete control of the application or its host (for example through code or command injection). To protect your application and your business, it is essential to understand the most common threats to web applications and what you can do to prevent them. The tips below cover seven of those threats, each as a problem and a solution.
Broken Access Control
PROBLEM
Access control decides what an authenticated user is allowed to do; it is broken when the application enforces that decision inconsistently or not at all. A common instance, the insecure direct object reference (IDOR), occurs when an authenticated user changes a parameter value, such as a record ID in a URL or form field, and the application serves whatever that ID points to without checking that the user is entitled to it. This lets malicious users read, modify or delete data and invoke functionality they were never permitted to use, with serious consequences for the business.
How To Protect Yourself From Broken Access Control
SOLUTION
Enforce authorization on the server for every request, and test it automatically (for example, by replaying each authenticated request with a different user's session in CI) so that a missing check is caught before release. Every time a direct reference arrives from an untrusted source, the handler must perform an access control check that confirms the user is entitled to that specific resource; the check belongs next to the data access, not only in the user interface. Alternatively, use indirect object references: show the user only opaque, per-session handles to the resources they are authorized for (a drop-down of their own records, for instance) and map those handles back to real IDs on the server. A tampered or guessed handle then resolves to nothing, so there is no foreign object to reach. Deny by default, and return the same response for "does not exist" and "not yours" so the parameter cannot be used to enumerate records.
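The three approaches above side by side, as an added example that is not part of the original deck: a handler that trusts the parameter (the IDOR), the same handler with the mandatory ownership check, and an indirect-reference map of per-session opaque handles. The invoice table, user names and the `Forbidden` exception are constructed for the example; there is no web framework involved, so the "request" is just the function arguments.

```python
import secrets

# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    101: {"owner": "alice", "total": 120.00},
    102: {"owner": "bob", "total": 9800.00},
}


class Forbidden(Exception):
    """Raised when the caller is not authorised for the requested object (HTTP 403/404)."""


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> dict:
    """IDOR: the parameter is trusted as-is, so any authenticated user can read any invoice."""
    return INVOICES[invoice_id]


def get_invoice_checked(current_user: str, invoice_id: int) -> dict:
    """Direct reference from an untrusted source, so the ownership check is mandatory
    and sits right next to the data access."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != current_user:
        # Same outcome for "missing" and "not yours": the ID cannot be used to enumerate records.
        raise Forbidden(f"{current_user} may not access invoice {invoice_id}")
    return invoice


def build_reference_map(current_user: str) -> dict:
    """Indirect references: {opaque_handle: real_id} covering only the objects this user may see.
    The handles are what a drop-down in the UI would carry; they are per session and unguessable."""
    return {
        secrets.token_urlsafe(8): inv_id
        for inv_id, inv in INVOICES.items()
        if inv["owner"] == current_user
    }


def get_invoice_indirect(ref_map: dict, handle: str) -> dict:
    """A tampered or guessed handle is simply absent from the map, so there is no foreign
    object to reach; real IDs never leave the server."""
    try:
        return INVOICES[ref_map[handle]]
    except KeyError:
        raise Forbidden("unknown reference") from None
```

Note that the indirect map must be kept server-side (in the session), not rebuilt from client input, or it degenerates back into a direct reference.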
Request-Flooding Attacks
PROBLEM
Also known as distributed denial of service (DDoS) attacks, these aim to overwhelm an application with vast numbers of requests from bot-controlled machines so that the server can no longer respond to legitimate users. A flood can target the server's Internet connection, the application itself (many cheap-to-send requests that are expensive to serve), or a peering point between the host's ISP and the client's ISP, so that only part of the audience is cut off. Attackers may also flood a server's storage, for example with uploads or with requests that generate large log entries, until the disk fills and the node crashes. Any of these takes the application offline and harms productivity.
How To Protect Yourself From Request-Flooding Attacks
SOLUTION
For a flood that saturates server bandwidth, adding servers with independent network connections (or placing the application behind a content delivery network or DDoS-scrubbing service with far more capacity than the attacker) removes the single bottleneck. For attacks on a peering point, deploying the application in a second region or cloud provider spreads traffic across several peering points and relieves the stress. Floods aimed at the application or its storage can be mitigated with a web application firewall or rate limiter in front of the server that discards the superfluous requests before they consume CPU, disk or database connections. Monitor request rates per client and per endpoint so that an attack is noticed when it starts, not when the service is already down.
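The "discard the superfluous requests" part in working form, as an added example that is not from the deck or from tCell: a per-client token-bucket limiter of the kind a WAF or reverse proxy applies, replayed over a constructed access log in which one bot fires every 250 ms while a human sends one request a second. The client keys are IP addresses from documentation ranges, and `allow()` accepts an explicit timestamp so the replay is deterministic; in production the wall clock is used.

```python
import time
from collections import defaultdict


class TokenBucketLimiter:
    """Per-client token bucket: `rate` requests/second sustained, bursts of up to `capacity`.
    Each client key (IP, API key, session) gets its own bucket, so a flood from one source
    cannot consume the allowance of everyone else."""

    def __init__(self, rate: float, capacity: int, clock=time.monotonic):
        self.rate = rate
        self.capacity = capacity
        self.clock = clock
        self._tokens = defaultdict(lambda: float(capacity))  # new clients start with a full bucket
        self._last_seen = {}

    def allow(self, client_key: str, now: float = None) -> bool:
        """True if the request may pass, False if it should be dropped (HTTP 429)."""
        if now is None:
            now = self.clock()
        last = self._last_seen.get(client_key, now)
        # Refill in proportion to elapsed time, never beyond the bucket capacity.
        refill = (now - last) * self.rate
        self._tokens[client_key] = min(self.capacity, self._tokens[client_key] + refill)
        self._last_seen[client_key] = now
        if self._tokens[client_key] >= 1.0:
            self._tokens[client_key] -= 1.0
            return True
        return False


def replay(limiter: TokenBucketLimiter, log):
    """log: iterable of (timestamp, client_key) as a front proxy would see them.
    Returns (accepted, dropped) lists of the same tuples."""
    accepted, dropped = [], []
    for ts, key in log:
        (accepted if limiter.allow(key, now=ts) else dropped).append((ts, key))
    return accepted, dropped


# Constructed traffic sample: a bot at 4 req/s for five seconds, a human at ~1 req/s.
BOT_BURST = [(i * 0.25, "203.0.113.7") for i in range(20)]
HUMAN = [(0.0, "198.51.100.20"), (1.0, "198.51.100.20"), (2.0, "198.51.100.20")]
SAMPLE_LOG = sorted(BOT_BURST + HUMAN)

if __name__ == "__main__":
    accepted, dropped = replay(TokenBucketLimiter(rate=2, capacity=4), SAMPLE_LOG)
    print(f"accepted={len(accepted)} dropped={len(dropped)}")
```

With a sustained rate of 2/s and a burst of 4, the bot gets its first seven requests through and then only every other one, while the human is never throttled. A limiter like this only protects the application tier; bandwidth saturation upstream of it still needs the capacity measures described above.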
Cross-Site Request Forgery
PROBLEM
A CSRF attack tricks the victim's browser into submitting a request the victim never intended, typically from an attacker-controlled page that auto-submits a form or loads an image pointing at the target application. Because the browser attaches the victim's session cookie automatically, the forged request looks to the server as if it came from the authorized user, without the user's consent or knowledge. Any state-changing action the user is allowed to perform, such as changing an e-mail address, transferring funds or deleting records, can be triggered this way.
How To Protect Yourself From Cross-Site Request Forgery
SOLUTION
Many frameworks include built-in CSRF protection, but it has to be switched on and applied to every state-changing endpoint. The underlying mechanism is an unpredictable token that the server issues and embeds in each form (in a hidden field) or sends in a request header: an attacker's page cannot read it, so a forged request cannot carry it, and the server rejects any state-changing request whose token is missing or does not match the session. The token must come from a cryptographically secure random source and be bound to the user's session, not merely be unique per request. Setting the session cookie with the SameSite attribute adds a second layer of defense in modern browsers, and state-changing actions should never be reachable with GET.
Cross-Site Scripting
PROBLEM
Cross-site scripting (XSS) occurs when attacker-supplied data is placed into a page without proper encoding, so that it runs as script in the browser of every user who views the page. The script executes with the user's privileges on that site: it can steal session cookies and personal information, capture keystrokes and form data, or perform actions as the user. The injection can happen on the server (untrusted data written into the HTML response, whether stored in a database or reflected from the request) or on the client (untrusted data passed by the site's own JavaScript into a DOM API such as innerHTML). Server XSS is generally easier to detect because the payload is visible in the HTTP response; client XSS only manifests once the script runs in the browser.
How To Protect Yourself From Cross-Site Scripting
SOLUTION
Preventing XSS means keeping untrusted data separate from active browser content. For server XSS, encode untrusted data for the exact context it lands in (HTML body, quoted attribute, URL, or JavaScript data), because the escaping rules differ for each; a templating engine that escapes by default does this for you, provided you do not bypass it. For client XSS, avoid passing untrusted data to browser APIs that interpret it as markup or code (innerHTML, document.write, eval) and use textContent or the equivalent instead. Where users legitimately need rich content, run it through a sanitization library that allows only a safe subset of HTML. A Content Security Policy and the HttpOnly flag on the session cookie limit the damage when a flaw slips through.
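Context-specific encoding on the server, as an added example that is not from the deck: the same untrusted display name rendered unsafely, then into an HTML body, a quoted attribute, and a JavaScript data context, each with the encoding that context needs. The payload and the page fragments are constructed; `html.escape` and `json.dumps` are standard-library calls.

```python
import html
import json

# Constructed untrusted input: a "display name" submitted by a user.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def render_vulnerable(name: str) -> str:
    """Server XSS: untrusted data concatenated straight into the HTML response."""
    return f"<p>Welcome, {name}</p>"


def render_escaped(name: str) -> str:
    """HTML body context: & < > " ' are escaped, so the data can no longer start a tag."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


def render_attribute(name: str) -> str:
    """HTML attribute context: escape AND always quote the attribute, otherwise a space
    in the data is enough to start a new attribute such as onmouseover."""
    return f'<input name="display" value="{html.escape(name, quote=True)}">'


def render_js_data(name: str) -> str:
    """Data handed to a script block: JSON-encode it, then additionally escape < and > and
    the U+2028/U+2029 line terminators, so that '</script>' cannot close the block and the
    HTML parser never sees a tag inside the script."""
    encoded = (
        json.dumps(name)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("\u2028", "\\u2028")
        .replace("\u2029", "\\u2029")
    )
    return f"<script>var displayName = {encoded};</script>"


def contains_raw_tag(markup: str) -> bool:
    """Crude oracle: does an unescaped <img tag survive in the output?"""
    return "<img" in markup
```

The same payload would be inert in all three safe contexts but executes in the vulnerable one. On the client side the equivalent rule is `element.textContent = name` rather than `element.innerHTML = name`; the browser then treats the data as text no matter what it contains.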
SQL Injection Attacks
PROBLEM
Structured Query Language (SQL) is the language applications use to query and update databases. SQL injection occurs when untrusted input is concatenated into a query, so that crafted input changes the structure of the query instead of being treated as a value and forces the database to perform actions the developer never intended. That commonly means reading out credit card numbers or password hashes, but it can also mean modifying or deleting data and, in some database configurations, executing operating system commands, leading to complete host takeover. Any input that reaches a query (URL parameters, form fields, headers, cookies) is a potential injection vector.
How To Protect Yourself From SQL Injection Attacks
SOLUTION
Using a safe, parameterized API (prepared statements with bound parameters) is the best protection against SQL injection: the query structure is fixed in advance and the input is sent to the database purely as data, so it can never be interpreted as part of the query. If a parameterized API is genuinely not available, escape special characters in the input using the exact escape syntax of the database in use, and only where the input is used as a quoted string literal; escaping does not protect table names, column names or unquoted numeric positions. Apply least privilege to the database account so that a successful injection cannot reach other tables or OS-level functions. In addition, runtime application self-protection (RASP) technology in production can observe the queries the application actually executes, flag anomalous behavior and alert you to injection attempts hidden in otherwise normal-looking traffic.
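The difference between concatenation, parameter binding and the escaping fallback, as an added example that is not from the deck, run against an in-memory SQLite database built inline with two constructed user rows. The classic `' OR '1'='1` input is used to show that the vulnerable query returns every row while the other two return nothing for it.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed schema and rows standing in for a real user table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "hash-a"), ("bob", "hash-b")])
    return con


def find_user_vulnerable(con: sqlite3.Connection, username: str):
    """Untrusted input spliced into the query text: the input becomes part of the SQL grammar."""
    sql = f"SELECT username, password_hash FROM users WHERE username = '{username}'"
    return con.execute(sql).fetchall()


def find_user_parameterized(con: sqlite3.Connection, username: str):
    """Placeholder binding: the driver passes the value as data, so it can never alter the
    query structure, whatever characters it contains."""
    return con.execute(
        "SELECT username, password_hash FROM users WHERE username = ?", (username,)
    ).fetchall()


def find_user_escaped(con: sqlite3.Connection, username: str):
    """The fallback the slide mentions: escape the delimiter using this dialect's rule (a
    literal single quote is written as two). Only valid for a quoted string literal; it does
    nothing for identifiers or unquoted numbers, and the rule differs between databases."""
    safe = username.replace("'", "''")
    sql = f"SELECT username, password_hash FROM users WHERE username = '{safe}'"
    return con.execute(sql).fetchall()


INJECTION = "x' OR '1'='1"

if __name__ == "__main__":
    con = setup_db()
    print("vulnerable:   ", find_user_vulnerable(con, INJECTION))
    print("parameterized:", find_user_parameterized(con, INJECTION))
    print("escaped:      ", find_user_escaped(con, INJECTION))
```

In the vulnerable variant the query that actually executes is `... WHERE username = 'x' OR '1'='1'`, which is true for every row; a RASP hook that sees the executed SQL would flag the changed query shape even though the HTTP request looked ordinary.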
Broken Authentication Management
PROBLEM
These attacks exploit flaws in how an application authenticates users and manages their sessions: session IDs that stay valid after logout, that are exposed in URLs, or that are not replaced after login; password-change and password-reset flows that skip verification; or the absence of brute-force limits. A successful attacker obtains a valid account or session and gains access to everything the legitimate user can reach, and may change the password to lock everyone else out.
How To Protect Yourself From Broken Authentication Management
SOLUTION
Protect session identifiers: generate them from a cryptographically secure random source, send them only in cookies flagged Secure and HttpOnly (so that XSS cannot read them), issue a new ID on login, and invalidate the ID on the server at logout and after a period of inactivity. Build the application on a single, thoroughly tested set of authentication and session management components (ideally the framework's own) rather than bespoke code in each place it is needed, and review flows such as password reset and change with the same care as login. Rate-limit and monitor failed logins, and use behavioral visibility into the running application to spot compromised accounts, for example a session suddenly active from an unfamiliar location or performing unusual actions.
Sensitive Data Exposure
PROBLEM
Sensitive data is exposed whenever it is stored, transmitted or displayed with weaker protection than it deserves: sent over plain HTTP or a weak TLS configuration, stored in the clear or with a weak or poorly keyed algorithm, cached by browsers or proxies, or written to logs and backups. An attacker who captures traffic, obtains a database dump or reads the cache on a shared machine then gains a wide range of highly sensitive information, creating severe liability and damage to the business's reputation.
How To Protect Yourself From Sensitive Data Exposure
SOLUTION
Use strong, current algorithms and strong key management for data at rest, and TLS for everything in transit. Passwords deserve special treatment: store them only with an algorithm designed specifically for password hashing (bcrypt, scrypt or Argon2, with a per-user salt and a work factor tuned to your hardware), never with a general-purpose hash such as MD5 or SHA-256. Forms that collect sensitive data should disable autocomplete, and pages that display it should be served with caching disabled (Cache-Control: no-store). Above all, discard sensitive data you do not need as soon as you have used it, rather than storing it where it could be stolen.
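The session-management advice in the Broken Authentication solution and the password-storage advice above in one runnable piece, as an added example that is not from the deck: scrypt password hashing with a per-user salt and constant-time verification, a login that issues a fresh session ID and discards whatever ID the client presented beforehand (defeating session fixation), server-side logout, and the response headers for a page showing sensitive data. The in-memory `USERS` and `SESSIONS` dictionaries stand in for database tables; `hashlib.scrypt` is the standard-library function.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory stores standing in for a user table and a session table.
USERS: dict = {}      # username -> password record
SESSIONS: dict = {}   # session_id -> username

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # ~16 MiB of memory per hash; tune to your hardware


def hash_password(password: str) -> dict:
    """scrypt is memory-hard and deliberately slow, unlike SHA-256, which is too fast to resist
    offline guessing. The random salt is stored next to the hash along with the parameters,
    so the work factor can be raised later without breaking old records."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"salt": salt, "hash": digest, "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P}


def verify_password(record: dict, password: str) -> bool:
    candidate = hashlib.scrypt(password.encode(), salt=record["salt"],
                               n=record["n"], r=record["r"], p=record["p"], dklen=32)
    return hmac.compare_digest(candidate, record["hash"])   # constant-time comparison


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)   # the plaintext is discarded immediately


def login(username: str, password: str, presented_session: Optional[str] = None) -> Optional[str]:
    """Returns a fresh session ID on success, None on failure (same answer whether the user
    or the password was wrong). Any session ID the client already held is invalidated, so an
    attacker who planted a known ID before login (session fixation) gains nothing."""
    record = USERS.get(username)
    if record is None or not verify_password(record, password):
        return None
    if presented_session in SESSIONS:
        del SESSIONS[presented_session]
    new_id = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    SESSIONS[new_id] = username
    return new_id


def logout(session_id: str) -> None:
    SESSIONS.pop(session_id, None)   # server-side invalidation, not merely clearing the cookie


def current_user(session_id: Optional[str]) -> Optional[str]:
    return SESSIONS.get(session_id)


def session_cookie(session_id: str) -> str:
    """Set-Cookie value: unreadable by script, HTTPS-only, not sent on cross-site requests."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


# Headers for any response that contains sensitive data.
SENSITIVE_PAGE_HEADERS = {
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
```

A real deployment would persist the records and sessions, expire sessions after inactivity, and rate-limit `login`, but the properties that matter are already visible here: the stored record never contains the password, verification cost is controlled by the stored parameters, and a session ID is only ever minted by the server after a successful login.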
www.tcell.io