Web Application Security Essentials

Photo by Scott Webb on Unsplash

“There’s no patch for human stupidity!”

Web applications are everywhere: nearly every business now has a website or an online store. Their security, however, rarely gets the attention that their user interfaces do, and there are a few things to consider when securing a website.

Here are a few common attacks against a typical web application, and how to avoid them.

1. Injections

To avoid injection attacks:

  • Always check that what is returned matches what was requested. If the request is for a telephone number, the input should go through proper validation and the query should return that number, not an entire row or an entire table of data.
  • Users will make mistakes at their end, so every input must be validated against the expected criteria both in the frontend and in the backend; frontend validation is for usability and is trivially bypassed, so the backend check is the one that counts. Before input reaches a query or command it should be sanitized to remove unnecessary code and characters and, above all, passed as a bound parameter rather than concatenated into the query string. Parameterized queries (prepared statements) are the primary defense; validation and sanitization are defense in depth.
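The two points above side by side, as an added example that is not part of the original post: a phone lookup built by string formatting next to the same lookup with a bound parameter, plus allow-list validation in front of it. The table, rows and attacker inputs are constructed for the demonstration; SQLite is used only because it ships with Python, the same pattern applies to any database driver.

```python
import re
import sqlite3

# Constructed sample data for this example; not from the original post.
SAMPLE_USERS = [
    ("alice", "+15551230001", "alice-api-key"),
    ("bob", "+15551230002", "bob-api-key"),
]


def make_db() -> sqlite3.Connection:
    """In-memory users table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, phone TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def phone_lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The query is built by string formatting, so the caller's input is
    interpreted as SQL: a quote in `name` rewrites the statement itself.
    A name of ' OR '1'='1 returns every phone; a UNION pulls other columns."""
    sql = "SELECT phone FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def phone_lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver binds `name` as data, never as SQL.
    The statement also selects only the phone column, so the response can
    never widen into a whole row even if the surrounding code is wrong."""
    rows = conn.execute("SELECT phone FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Allow-list validation: a username is 1-32 lowercase letters, digits or '_'.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")
# A phone number is an optional '+' followed by 7-15 digits (E.164 shape).
PHONE_RE = re.compile(r"\+?[0-9]{7,15}")


def is_valid_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


def is_valid_phone(value: str) -> bool:
    return PHONE_RE.fullmatch(value) is not None


def lookup_phone(conn: sqlite3.Connection, name: str) -> list:
    """Backend handler: validate first (defense in depth), then query with a
    bound parameter (the actual fix). Rejected input never reaches the DB."""
    if not is_valid_username(name):
        raise ValueError("invalid username")
    return phone_lookup_safe(conn, name)
```

Run `phone_lookup_vulnerable` with `' OR '1'='1` and it returns both phone numbers; with `' UNION SELECT api_key FROM users --` it returns the API keys, a column the request never asked for. The parameterized version returns an empty list for both inputs, and `lookup_phone` rejects them before any query runs.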

2. Cross-Site Scripting (XSS)

To avoid XSS:

  • Validate inputs, and encode output for the context it is inserted into (HTML body, HTML attribute, JavaScript, URL). Output encoding is the control that actually stops XSS; input sanitization alone is not enough.
  • Browser-side XSS filters (Chrome's XSS Auditor and its Edge equivalent) have been removed from modern browsers, so do not count on the client for protection. Keep browsers updated with the recommended security configuration, and send a Content-Security-Policy header so that an injected script cannot execute even if encoding is missed somewhere.
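An added example of context-aware output encoding, not code from the original post: the same untrusted text rendered into an HTML body, an attribute and a script block, each with the escaping that context needs, beside the unencoded version that executes. The attacker inputs are constructed for the demonstration and only the standard library is used.

```python
import html
import json

# Constructed attacker inputs used by this example.
HTML_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'
JS_PAYLOAD = "</script><script>alert(1)</script>"


def render_comment_vulnerable(author: str, body: str) -> str:
    """Untrusted text pasted straight into markup: the browser runs it."""
    return "<p><b>%s</b>: %s</p>" % (author, body)


def render_comment_safe(author: str, body: str) -> str:
    """HTML body context: escape <, >, &, ' and " so the text stays text."""
    return "<p><b>%s</b>: %s</p>" % (
        html.escape(author, quote=True),
        html.escape(body, quote=True),
    )


def render_search_box_safe(query: str) -> str:
    """Attribute context: the value sits inside a double-quoted attribute, so
    a stray '"' must become &quot; or it closes the attribute and lets the
    attacker append an onmouseover= handler."""
    return '<input type="text" name="q" value="%s">' % html.escape(query, quote=True)


def embed_in_script_safe(value) -> str:
    """JavaScript context: serialize as JSON (quotes and backslashes escaped)
    and additionally break '</' so a '</script>' inside the data cannot close
    the enclosing <script> element."""
    literal = json.dumps(value).replace("</", "<\\/")
    return "<script>var userData = %s;</script>" % literal


def csp_header() -> tuple:
    """Defense in depth: a Content-Security-Policy that allows scripts only from
    the page's own origin blocks inline injected scripts even if a template
    forgets to encode. Returned as a (name, value) pair for the HTTP response."""
    return (
        "Content-Security-Policy",
        "default-src 'self'; script-src 'self'; object-src 'none'",
    )
```

The vulnerable renderer emits the `<script>` element verbatim; the safe one turns it into `&lt;script&gt;`, the attribute renderer turns the quote into `&quot;` so no new attribute can start, and the JSON embed leaves exactly one real `</script>` in the output, the one the template wrote.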

3. Broken Authentication

To avoid broken authentication issues:

  • Use strong password rules: a proper minimum length, no user data in the password (name, email), and never the same value for the username or email and the password.
  • Set a threshold for failed logins, so that after a certain number of failed attempts within a period the system locks the account temporarily or requires an extra verification step. Return the same response for a wrong password and for a non-existent account, so the login form cannot be used to enumerate users.
  • Use a CAPTCHA such as reCAPTCHA to slow down automated brute-force attacks.

4. Broken Access Control

To avoid broken access control:

  • State the requirements and the boundaries of the system clearly, so that its security requirements can be identified just as clearly.
  • Follow a role-based access model; it reduces administrative work and makes future changes easier.
  • If the application is layered or split into several services, every layer and every channel between services must be secured, and access control must be enforced in each of them. Never assume an internal service is only reachable by trusted callers.
  • User IDs and other generated identifiers should be completely random, not sequential; otherwise it is easy for an attacker to guess or calculate the next or current users. Random IDs are not a substitute for an authorization check on every object access: the application must still verify that the caller is allowed to see the object it asked for.
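An added example of the last three points, not code from the original post: a small invoice service with a role-to-permission table, a function-level check, an object-level (ownership) check, and unpredictable IDs from the OS random source. The roles, permissions and invoice fields are constructed for the demonstration.

```python
import secrets
from dataclasses import dataclass

# Constructed role-to-permission table for this example.
ROLE_PERMISSIONS = {
    "admin": {"invoice:read", "invoice:read_any", "invoice:write", "user:manage"},
    "accountant": {"invoice:read", "invoice:read_any", "invoice:write"},
    "customer": {"invoice:read"},
}


class AuthorizationError(Exception):
    """Raised on every denial with the same message, whether the object is
    missing or merely belongs to someone else, so callers cannot probe for
    which IDs exist."""


def new_id() -> str:
    """Unpredictable identifier (128 bits from the OS CSPRNG): holding one ID
    gives an attacker no way to compute the next or previous one."""
    return secrets.token_urlsafe(16)


@dataclass
class Invoice:
    id: str
    owner_id: str
    amount_cents: int


def require(actor: dict, permission: str) -> None:
    """Function-level check. Unknown roles get no permissions: deny by default."""
    if permission not in ROLE_PERMISSIONS.get(actor.get("role"), set()):
        raise AuthorizationError("not found or not permitted")


class InvoiceService:
    def __init__(self) -> None:
        self._invoices: dict = {}

    def create(self, actor: dict, owner_id: str, amount_cents: int) -> Invoice:
        require(actor, "invoice:write")
        inv = Invoice(id=new_id(), owner_id=owner_id, amount_cents=amount_cents)
        self._invoices[inv.id] = inv
        return inv

    def get(self, actor: dict, invoice_id: str) -> Invoice:
        """Role check first, then the object-level check. The random ID only
        stops guessing; this ownership test is what stops a logged-in user
        from reading another user's invoice by changing the ID in the URL."""
        require(actor, "invoice:read")
        inv = self._invoices.get(invoice_id)
        if inv is None:
            raise AuthorizationError("not found or not permitted")
        if inv.owner_id != actor["id"]:
            require(actor, "invoice:read_any")
        return inv
```

A customer can read their own invoice, an accountant can read anyone's, and a second customer, an unknown role, or a request for a non-existent ID all get the identical error. The same `require` call belongs in every service of a layered system, not only the one facing the user.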

5. Insecure Deserialization

To avoid insecure deserialization:

  • Only deserialize data that comes from trusted sources.
  • Use security mechanisms such as encryption, digital signatures (or an HMAC) and validation of the decoded data, to ensure the data has not been modified and comes from the expected sender. Verify the signature before parsing anything.
  • Use a type-safe approach when deserializing: prefer plain data formats such as JSON and check the decoded values against an expected schema, rather than a native object serializer (Java serialization, Python pickle, PHP unserialize) that can instantiate arbitrary classes from the input.
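The three points combined, as an added example that is not part of the original post: a session value is serialized as JSON with an HMAC-SHA256 tag, and the reader verifies the tag in constant time before parsing, then checks the decoded object against a fixed schema. The key, the schema and the session fields are constructed for the demonstration; in a real deployment the key comes from a secrets store.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed secret and schema for this example. Never keep a real key in code.
DEMO_KEY = b"constructed-example-key-not-for-production"
SESSION_SCHEMA = {"user_id": str, "role": str, "expires": int}


class IntegrityError(Exception):
    """The token was malformed or its signature did not verify."""


class SchemaError(ValueError):
    """The payload verified but did not have the expected shape."""


def serialize(obj: dict, key: bytes = DEMO_KEY) -> bytes:
    """JSON payload plus an HMAC-SHA256 tag over the exact payload bytes,
    base64url encoded as '<payload>.<tag>'. Anyone can read it; nobody
    without the key can change it unnoticed."""
    payload = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload) + b"." + base64.urlsafe_b64encode(tag)


def deserialize(token: bytes, schema: dict = SESSION_SCHEMA, key: bytes = DEMO_KEY) -> dict:
    """Verify first, parse second, type-check third."""
    try:
        payload_b64, tag_b64 = token.split(b".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error) as exc:
        raise IntegrityError("malformed token") from exc
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise IntegrityError("bad signature")
    data = json.loads(payload)                  # plain data only, never pickle
    return check_schema(data, schema)


def check_schema(data, schema: dict) -> dict:
    """Type-safe decoding: exactly the expected keys, each of the expected type.
    bool is rejected where int is expected, since bool is an int subclass."""
    if not isinstance(data, dict):
        raise SchemaError("payload is not an object")
    if set(data) != set(schema):
        raise SchemaError("unexpected or missing fields")
    for key, typ in schema.items():
        value = data[key]
        if (isinstance(value, bool) and typ is not bool) or not isinstance(value, typ):
            raise SchemaError("field %r must be %s" % (key, typ.__name__))
    return data
```

Swapping the payload of a valid token for one that says `"role": "admin"` while keeping the old tag fails the signature check, a truncated or garbled token is rejected as malformed before any parsing, and a payload that verifies but carries the wrong types or extra fields is refused by the schema check.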

6. Logging and Monitoring Issues

To avoid logging and monitoring issues:

  • Developers decide what gets logged; identify the critical information (usernames, passwords, personally identifiable information) and keep it out of the logs.
  • Ensure compliance with the regulations relevant to the field (for example HIPAA and HL7 for medical data).
  • Reinforce monitoring and protection: log security-relevant events (logins, failed logins, access-control denials, validation failures) with enough context to reconstruct an incident, send them to a central store the attacker cannot alter, and alert on them.
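An added example of keeping sensitive data out of the logs, not code from the original post: a logging filter attached to the audit logger scrubs every record before any handler sees it, replacing values under sensitive keys and masking card numbers and e-mail addresses in free text. The key list, the patterns and the sample log calls are constructed for the demonstration; the in-memory handler exists only so the result can be inspected.

```python
import logging
import re

# Keys whose values must never reach a log line, compared case-insensitively.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "api_key", "ssn", "card_number"}
# Constructed patterns for data that tends to leak through free-text messages.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")      # 13-16 digit card numbers
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def mask_email(match) -> str:
    """Keep the first character and the domain so the line stays useful."""
    local, _, domain = match.group(0).partition("@")
    return local[0] + "***@" + domain


def redact_text(text: str) -> str:
    text = CARD_RE.sub("[CARD]", text)
    return EMAIL_RE.sub(mask_email, text)


def redact(obj):
    """Recursively redact a structure before it is logged: sensitive keys are
    replaced wholesale, free text is scrubbed, everything else passes through."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(redact(v) for v in obj)
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


class RedactingFilter(logging.Filter):
    """Attached to the logger, so every record is scrubbed before formatting,
    whatever code path produced it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(str(record.msg))
        if record.args:
            record.args = redact(record.args)
        return True


class ListHandler(logging.Handler):
    """Keeps formatted lines in memory; a real deployment ships them off-host."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_logger(name: str = "app.audit"):
    """Audit logger with the redacting filter installed; returns it together
    with the capturing handler so callers can read what was written."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    for old in list(logger.handlers):
        logger.removeHandler(old)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    return logger, handler
```

With the filter in place, `logger.info("request %s", {"username": "alice", "password": "hunter2"})` writes the password as `[REDACTED]`, and a card number typed into a free-text message becomes `[CARD]`; the username and the masked e-mail stay, so the line is still useful for an investigation.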

7. Using Components with Known Vulnerabilities

To avoid third-party component issues:

  • Before adopting a third-party library, read its documentation and release history to check that it is actively maintained, test it for a while, and learn its security policy (how vulnerabilities are reported and fixed).
  • Always keep third-party software updated to the most recent stable version, and keep an inventory of the versions you use so you can tell which ones are affected when a vulnerability is published.
  • Only use components from verified sources, and minimize the use of software from untrusted sources.

Beyond these issues, tight security also depends on the end user. The most important factor here is the password: no matter how secure the system is, a weak password lets an attacker into it, so it is important to use strong passwords and two-factor authentication. This video shows how to choose a strong password and what other security measures a user can take.

From a developer’s perspective, it is important to take security measures at every layer of the system. Data validation in the front-end and in the back-end deserve the same priority. Nothing on the user’s side is safe, including sessions (sessions can be hijacked, modified and injected) and cookies.
Every input the application accepts should be checked for validity.

When storing passwords, never store them in plain text: always salt and hash them with a purpose-built password hashing algorithm (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count), not a fast general-purpose hash such as MD5 or SHA-1, and compare hashes in constant time.
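An added example, not code from the original post, that serves both the password-storage point above and the broken-authentication rules in section 3: an in-memory account store with per-user salts and PBKDF2-HMAC-SHA256 hashes, a password policy that rejects short passwords and passwords containing the account's own identifiers, a failed-login threshold with temporary lockout, and an identical response for wrong passwords and unknown accounts. The iteration count, threshold and lockout period are assumptions chosen for the example (the iteration count follows the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256); the clock is injectable so lockout expiry can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000   # work factor; lower it only for tests
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5       # lock after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60


def password_policy_violation(username: str, email: str, password: str):
    """Return a reason string if the password breaks the rules, else None:
    minimum length, and no reuse of the account's own identifiers."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return "password must be at least %d characters" % MIN_PASSWORD_LENGTH
    lowered = password.lower()
    for ident in (username, email, email.partition("@")[0]):
        if ident and ident.lower() in lowered:
            return "password must not contain your username or email"
    return None


class UserStore:
    """Salted PBKDF2 hashes, constant-time comparison and a failed-login
    threshold with temporary lockout. In-memory for the example only."""

    def __init__(self, iterations: int = PBKDF2_ITERATIONS, clock=time.time) -> None:
        self._users: dict = {}
        self._iterations = iterations
        self._clock = clock   # injectable so lockout expiry can be tested

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self._iterations)

    def register(self, username: str, email: str, password: str) -> None:
        problem = password_policy_violation(username, email, password)
        if problem:
            raise ValueError(problem)
        salt = os.urandom(16)   # per-user random salt, stored beside the hash
        self._users[username] = {
            "email": email, "salt": salt, "hash": self._hash(password, salt),
            "failed": 0, "locked_until": 0.0,
        }

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'invalid' or 'locked'. An unknown user gets the same
        'invalid' after the same hashing work, so neither the response nor
        its timing reveals whether the account exists."""
        now = self._clock()
        user = self._users.get(username)
        if user is None:
            self._hash(password, b"\x00" * 16)
            return "invalid"
        if now < user["locked_until"]:
            return "locked"
        if hmac.compare_digest(self._hash(password, user["salt"]), user["hash"]):
            user["failed"] = 0
            return "ok"
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["failed"] = 0
            user["locked_until"] = now + LOCKOUT_SECONDS
        return "invalid"
```

Five wrong passwords in a row lock the account; even the correct password then gets `locked` until the window passes, which is what defeats an online brute-force attack. The stored record holds only the salt and the hash, so a database leak yields no passwords, and `compare_digest` keeps the comparison time independent of how many leading bytes happen to match.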

And always remember to Sanitize too!
