Web Application Security Essentials
“There’s no patch for human stupidity!”
Web applications are now getting widely available and popular for each business there is a website or online store now. But when it comes to security it is not as fancy as the user interface of modern websites. and There are few things to consider when ensuring the security of the websites.
There is few common attacks a typical web application cause.
1. Injections
Attackers try to inject valid syntax codes for the malicious purpose to subvert the application from its original purpose. Most of the injections happen through input fields or forms provided for the users. The most popular injection attacks are SQL injections and LDAP injections.
To avoid Injection attacks
- Always checks the output is matched with the requested data, as an example If a request is a telephone number it should go through proper validation and not an entire row of data or an entire table of data.
- Users are always making mistakes on their end, keeping that in mind every input should be validated against the criteria both in the backend and frontend, and before reaching the input to the backend it has to go through a sanitization process to eliminate unnecessary codes, characters.
2. Cross-Site Scripting (XSS)
This is another type of injection, in XSS attackers, inject malicious scripts mostly through the front end of the application to the site and waiting for the victims to trigger the attacker’s code, and send the credentials and other data to the third party.
To avoid XSS,
- Both the inputs and output should be validated and sanitized.
- Almost all the modern browser updates come with enabled user protection for XSS. so it is better to keep an updated modern web browser with recommended security configurations.
3. Broken Authentication
This is a type of design issue, this issue cause to access all the user’s information by just gaining access to a single account. This issue is mostly caused by not enforcing password requirements and not setting limitations for the incorrect login attempts for a single account.
To avoid broken authentication issues,
- Use strong password rules for the users, this includes proper minimum length avoiding use user data for the password (ex- Name, email). and avoid the same combination for username/email and password.
- Set a threshold for login, this makes sure that after a certain period of failed login attempts the system will go on an account locking approach or extra verification step.
- Using reCAPTCHA to avoid automated brute force attacks.
4. Broken Access Control
Broken access control results in the implementation of the system. Broken access control defines a misuse of the user privileges, this is mostly happening because of the configuration and not identifying the proper security boundaries for each user. Then the attackers can gain access to the ordinary account but performed administrative tasks and tasks which should not usually be exposed to that user.
To avoid Broken Access Control
- The requirements and the boundaries of the system should be clearly mentioned to identify security requirements clearly.
- A role-based access method should be followed, this reduces the administrative tasks and the future are easier to do.
- If the application is layered or has more than different services all the layers and communication between all the services should be secured and access control should be implemented in each of those.
- User IDs or generated unique IDs for the system should be completely random and it should not sequential, otherwise, it will easy to guess the attacker or calculate the next possible user or current users.
5. Insecure Deserialization
Deserialization is converting the stream of data to the appropriate objects in the application. if the attacker can alter the content and send it back to the system with the malicious codes embedded into it attacker can execute that code in the system to gain access or cause any other harm.
To Avoid Insecure Deserialization
- Always communicate with trusted sources.
- Using security mechanisms like encryption, digital signatures, and validating the data to ensure the data is not modified and coming from the expected sender.
- Use a type-safe approach when decentralizing the data.
6. Logging and Monitoring Issues
Logging helps to keep track of the application behavior which is a great help for monitoring and identifying issues in the system even when it runs on the production, but “too much of anything is good for nothing” Too many logging details will expose even sensitive data about the application, and a small amount of logging is hard to observe attacks and issues. the log file is a common target of attackers to gain more information about the application
To avoid Logging and Monitoring issues
- As developers choose what are to log in and what is critical information (username, passwords, Personal Identification Information) to avoid logging.
- Ensure compliance relevant for certain fields (Example — HIPPA, HL7 for Medical data)
- Reinforce monitoring and protection.
7. Using Components with the known Vulnerabilities
When the development of a web application developers are always put the main priority for the business requirement and deliver the software as soon as possible without reinventing the wheel for this reason for certain functionalities and workloads it is normal to have third-party libraries and software to get the work done. But some software might have components inside it that contain malicious codes or maybe an old version of components with security issues that can leads to Zero Day attacks through the third-party component to the application and the attacker can gain control.
To avoid the third party component Issues,
- Before using the third party library follow the documentation, release cycles to check whether is it in an active state, test the third-party system for a while and get to know about the security policies.
- Always keeps updates on the most recent stable version of third-party software.
- Only use components from verified parties or minimize the usages of application from untrusted sources.
Other than these issues from the end-users perspective there should be tight security mechanism should be taken into consideration. the most important factor here is the password. How secure the system does not matter weak passwords lead the attackers to infiltration the system, it is important to use strong passwords and 2-Factor-Authentications, This video will help to choose a strong password and some security measurements can take as a user.
From a developer’s perspective, it is important to always take security measurements on each layer of the system. especially when do the data validations both the front-end and the back-end should be considered as the same priority. Nothing on the user’s side is safe, including sessions (sessions can also hijack, modified, and can be injected), cookies.
Every input to the selection should be taken into consideration and check the validity of data.
When storing passwords it is important never to store in the plain format it should be always salted and hashed using proper algorithms.
And always remember to Sanitize too!
