10 Common Web Application Security Vulnerabilities and How to Prevent Them
Web security issues have become a common concern of modern business. The number of cybercrimes has increased significantly in the past few years. In 2017 the damage from cyberattacks was estimated at $1.4 billion, while in 2020 the loss reached $4.2 billion.
Web applications are among the most popular targets of attackers because they are exposed to a large audience, which lets malicious code spread quickly.
In this article, we will look at the most common vulnerabilities in web applications and at possible ways to prevent them.
Understanding the Common Web Application Vulnerabilities
Although web applications give companies many advantages, they often raise security concerns that stem from developers' lack of security expertise. In 2017 OWASP, a non-profit organization working to improve software security worldwide, published its list of the top 10 security risks in web applications. Although four years have passed since then, these pitfalls are still widespread and cause substantial damage to companies. Here are the most important vulnerabilities to be aware of in order to provide your clients with robust and secure custom web apps.
1. Injection
An injection occurs when untrusted or unfiltered data reaches a server-side interpreter or the browser as part of a query or command. Injections come in different kinds: SQL, NoSQL, LDAP, OS command, and others; SQL queries are the most common target. By sending unfiltered data into an SQL query, attackers can read important application data, perform administrative operations, and access users' private information, credit card numbers, passwords, etc.
- Input validation. Input validation stops improperly formed data from entering the system, so when trying to prevent injections it is crucial to validate all input.
- Prepared statements with parameterized queries. This is an effective way to forestall SQL injection. The query structure is fixed when the statement is created, and the user-supplied values are bound as parameters at execution time. Thus, an attacker cannot change the query logic even though the values in it are theirs.
- Limited user rights. There is no need to always connect to the database with an account that has admin privileges. To reduce the impact of an injection, database users should have only the rights they actually need; for example, give them access to one particular database only, without the ability to create tables or alter the information in them.
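The following added example (not code from the article) shows the first two measures side by side on an in-memory SQLite table: a query built by string concatenation, the same query with a bound parameter, and an allow-list validator run before the query. The table, rows and probe input are constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory table with sample rows (example data, not from the article).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO users (name, card) VALUES (?, ?)",
        [("alice", "4111-****-0001"), ("bob", "4111-****-0002")],
    )
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the input is concatenated into the statement, so quotes in it
    # become part of the SQL and can change the query logic.
    sql = "SELECT name, card FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized: the statement text is fixed; the value is bound at execution
    # time and is never interpreted as SQL, whatever it contains.
    return conn.execute("SELECT name, card FROM users WHERE name = ?", (name,)).fetchall()

USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def is_valid_username(name: str) -> bool:
    # Input validation (allow list): reject anything that is not a plausible
    # username before it reaches the database at all.
    return USERNAME_RE.fullmatch(name) is not None

def lookup(conn: sqlite3.Connection, name: str) -> list:
    # Defence in depth: validate first, then query with a bound parameter.
    if not is_valid_username(name):
        return []
    return find_user_safe(conn, name)

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"                   # constructed input showing the difference
    print(find_user_vulnerable(db, probe))   # every row: the WHERE clause was rewritten
    print(find_user_safe(db, probe))         # []: no user is literally named that
    print(lookup(db, "alice"))
```

The third measure, a least-privilege database account, is configured on the database server rather than in code; SQLite has no accounts, so it is not shown here.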
2. Broken Authentication
Authentication is the process of verifying a user's identity by matching the information they present against a set of credentials such as biometric data, a password, and others. Broken authentication, by contrast, means that a session ID or user credentials have been hijacked.
Broken authentication can stem from insufficient protection of user credentials, weak passwords and logins, passing the session ID in a URL, and other causes.
- Multi-factor authentication (MFA). Requiring several independent ways of authenticating solves verification issues and helps confirm that the real user is signing in.
- Rejection of weak passwords. The application should enforce a set of requirements for password length and complexity. If a password does not comply with one of the requirements, the user should improve it until it conforms to the whole set. Moreover, it is reasonable to limit the password lifetime to a short period and not allow users to change it back to a previously used one.
- Session length. The web application should be able to expire and close a session. Nowadays, however, this practice is popular only in the banking sphere.
- Security alerts. To keep customers' information secure, you can add security alerts that notify users of important or suspicious activity in their accounts, such as signing in from a new device or sending a huge number of emails.
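As an added example (not code from the article), the block below implements the password and session rules above: a policy check that reports every unmet requirement, a reuse check against a history of salted PBKDF2 hashes, and a server-side session that closes itself after a period of inactivity. The policy values (`MIN_LENGTH`, `HISTORY_SIZE`, `IDLE_TIMEOUT`) are assumed for the example.

```python
import hashlib
import hmac
import os
import re
import time

# Assumed policy values (example code, not the article's); adjust to your own policy.
MIN_LENGTH = 12
HISTORY_SIZE = 5            # previous password hashes kept for the reuse check
IDLE_TIMEOUT = 15 * 60      # seconds of inactivity after which a session is closed
PBKDF2_ROUNDS = 100_000

def password_problems(password: str) -> list:
    """Return the policy requirements the password fails; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("a lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("an uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("a symbol")
    return problems

def hash_password(password: str, salt: bytes = None) -> tuple:
    # Salted, deliberately slow hash; store (salt, digest), never the password itself.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def used_before(password: str, history: list) -> bool:
    """True if the password matches any (salt, digest) pair in the user's history."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history)

def change_password(new_password: str, history: list) -> list:
    """Apply the policy; on success append the new hash and trim the history."""
    problems = password_problems(new_password)
    if used_before(new_password, history):
        problems.append("not a previously used password")
    if problems:
        return problems
    history.append(hash_password(new_password))
    del history[:-HISTORY_SIZE]
    return []

class Session:
    """Server-side session that expires after IDLE_TIMEOUT seconds without activity."""
    def __init__(self, user: str, now: float = None):
        self.user = user
        self.last_seen = time.time() if now is None else now
        self.closed = False

    def touch(self, now: float = None) -> bool:
        """Refresh the session if it is still valid; returns False once it has expired."""
        now = time.time() if now is None else now
        if self.closed or now - self.last_seen > IDLE_TIMEOUT:
            self.closed = True
            return False
        self.last_seen = now
        return True
```

The `now` parameters exist only so that expiry can be exercised deterministically; in production the wall clock is used.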
3. Sensitive Data Exposure
This type of web application security issue concerns the disclosure of customers' sensitive information such as phone numbers, account details, credit card numbers, etc. A data exposure vulnerability is a wake-up call for a company, since it may lead to more serious consequences such as broken authentication, injection, man-in-the-middle, or other types of attacks.
- Enhanced data protection. It is crucial to encrypt both stored and transmitted data using modern encryption techniques.
- Secure protocols. All incoming information should travel over secure protocols such as HTTPS, that is HTTP over TLS (the successor of SSL).
4. XML External Entities (XXE)
XXE attacks target web applications that process XML input. They usually happen because of outdated or poorly configured XML processors. By taking advantage of this vulnerability, attackers can reach back-end and external systems, for example to perform server-side request forgery (SSRF).
- Disabling DTDs. This is one of the most effective ways to prevent XXE attacks. If it is impossible to disable DTD processing altogether, external entity resolution must be disabled separately for each XML parser in use.
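The added example below (not code from the article) applies the "disable DTDs" rule with Python's standard library: an expat scanner aborts the moment a `<!DOCTYPE>` declaration starts, before any entity it declares can be resolved, and only DTD-free documents reach `ElementTree`. The two sample documents are constructed; the entity's file path is a placeholder that is never read.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

class DTDNotAllowed(ValueError):
    """Raised when a document declares a DTD, the mechanism XXE relies on."""

def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # expat calls this at the start of any <!DOCTYPE ...> declaration, before
    # any entity inside it is declared or resolved.
    raise DTDNotAllowed(f"DTD not allowed: DOCTYPE {name!r}")

def parse_without_dtd(data: bytes) -> ET.Element:
    """Parse untrusted XML, refusing any document that carries a DTD at all."""
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject_doctype
    scanner.Parse(data, True)      # raises DTDNotAllowed, or ExpatError if malformed
    return ET.fromstring(data)     # second pass on a document now known to be DTD-free

def rejects_dtd(data: bytes) -> bool:
    try:
        parse_without_dtd(data)
    except DTDNotAllowed:
        return True
    return False

# Constructed inputs: a plain order document and one that declares an external entity.
SAFE_XML = b"<order><item>book</item></order>"
XXE_XML = (b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/secret.txt">]>'
           b"<order><item>&ext;</item></order>")

if __name__ == "__main__":
    print(parse_without_dtd(SAFE_XML).find("item").text)   # book
    print(rejects_dtd(XXE_XML))                             # True
```

Rejecting the DTD outright also stops entity-expansion denial of service ("billion laughs"), which needs no external entity at all. Where a DTD is genuinely required, the per-parser setting to turn off external entity loading has to be used instead, as the list item says.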
5. Broken Access Control
Broken access control is a web application vulnerability that lets users perform actions they should not be allowed to. Malicious actors can use it to get into other users' accounts, change the information in them, view sensitive data, and, in the worst case, take full control of the application. Access control vulnerabilities usually stem from poor functional testing and the lack of automated detection.
- Improved access control. Access control should be enforced on the server side, using access control lists (ACLs) and role-based access control (RBAC).
- Deny access by default. Users should not be able to use any functionality, field, page, etc. unless they have been explicitly granted access to it.
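The added example below (not code from the article) shows both measures in a small server-side authorization layer: an ACL keyed by resource and action, roles per user, a deny-by-default decision for anything not listed, and an object-level ownership check so that a customer cannot read another customer's invoice by changing an id. Users, roles and invoices are constructed sample data.

```python
from functools import wraps

# Constructed role assignments, ACL and data (example code, not the article's).
ROLES = {"alice": {"admin"}, "bob": {"customer"}, "carol": {"customer"}}
ACL = {
    # (resource, action): roles allowed to perform it; anything absent is denied
    ("invoice", "read"): {"admin", "customer"},
    ("invoice", "delete"): {"admin"},
}
INVOICES = {1: {"owner": "bob", "total": 42}, 2: {"owner": "carol", "total": 99}}

class Forbidden(PermissionError):
    pass

def is_allowed(user: str, resource: str, action: str, owner: str) -> bool:
    """Server-side decision: deny unless a role grants the action and, for
    non-admin users, unless the object belongs to them."""
    roles = ROLES.get(user, set())
    allowed_roles = ACL.get((resource, action))
    if allowed_roles is None:
        return False                 # deny by default: the action is not listed anywhere
    if "admin" in roles:
        return True
    if not roles & allowed_roles:
        return False
    return owner == user             # object-level check; stops id-swapping

def requires(resource: str, action: str):
    """Decorator that runs the check before the handler body."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user: str, invoice_id: int):
            invoice = INVOICES.get(invoice_id)
            if invoice is None or not is_allowed(user, resource, action, invoice["owner"]):
                # Same error for "missing" and "not yours": do not reveal which it was.
                raise Forbidden(f"{user} may not {action} {resource} {invoice_id}")
            return fn(user, invoice_id)
        return wrapper
    return decorator

@requires("invoice", "read")
def read_invoice(user, invoice_id):
    return INVOICES[invoice_id]["total"]

@requires("invoice", "delete")
def delete_invoice(user, invoice_id):
    return INVOICES.pop(invoice_id)["total"]

@requires("invoice", "export")       # no ACL entry exists, so nobody may call this
def export_invoice(user, invoice_id):
    return "csv"

def can(handler, user, invoice_id) -> bool:
    """True if the handler runs for this user, False if the check denies it."""
    try:
        handler(user, invoice_id)
    except Forbidden:
        return False
    return True
```

Because the decision lives in `is_allowed`, hiding a button in the UI is never the control; every handler passes through the same server-side check.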
6. Security Misconfiguration
Security misconfiguration is one of the most common issues with web applications. It refers to security controls that are missing or that have been set up incorrectly. Most applications have this vulnerability in some form, due to incomplete configurations, default configurations left unchanged for a long time, unencrypted files, unnecessary running services, etc. Security misconfiguration can lead to grave data breaches that tarnish a company's reputation and cause significant financial losses.
Nissan North America is one of the recent victims of an attack caused by a misconfiguration vulnerability. A serious data leak stemmed from a misconfigured company Git server that was protected only by the default credentials admin/admin (username and password).
- Regular vulnerability scanning. To avoid security misconfigurations, it is crucial to scan your system regularly and detect any flaw that could become an easy target.
- Updates. The web application requires regular updates to eliminate known threats and protect customer information.
7. Cross-Site Scripting (XSS)
An XSS vulnerability lets attackers run malicious scripts in the user's browser. The script can be delivered, for example, through a crafted link: if the user clicks it, the attacker can gain access to important functionality (web camera, location, etc.), hijack the session, redirect the user to dangerous websites, etc.
- Escaping. All untrusted input should be escaped before it is rendered in the browser, so that incoming data cannot be interpreted as markup or script.
- Validating. This process ensures that the web app renders only the expected data. The allow lists (whitelists) commonly used for injection prevention are also handy here.
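The added example below (not code from the article) renders a comment and a link the way a template layer should: HTML escaping for text that lands in element content, plus an allow list on the link scheme, because escaping alone does not neutralize a `javascript:` URL in an `href` (it contains nothing to escape). The vulnerable renderer is kept beside the safe one for comparison; all inputs are constructed.

```python
import html
from urllib.parse import urlsplit

def render_comment_vulnerable(author: str, text: str) -> str:
    # Untrusted strings dropped straight into markup: any tag in them is rendered.
    return f"<p><b>{author}</b>: {text}</p>"

def render_comment_safe(author: str, text: str) -> str:
    # html.escape turns < > & " ' into entities, so input is shown as text, never run.
    return f"<p><b>{html.escape(author)}</b>: {html.escape(text)}</p>"

def safe_href(url: str) -> str:
    """Allow-list the scheme: only absolute http(s) links survive; everything else
    (javascript:, data:, relative junk) is replaced by a harmless '#'."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return "#"
    return html.escape(url, quote=True)      # still escape: the value sits in an attribute

def render_link(url: str, label: str) -> str:
    return f'<a href="{safe_href(url)}">{html.escape(label)}</a>'

if __name__ == "__main__":
    probe = "<script>alert(1)</script>"      # constructed input; never reaches the browser as a tag
    print(render_comment_vulnerable("eve", probe))
    print(render_comment_safe("eve", probe))
    print(render_link("javascript:alert(1)", "click"))
```

Template engines such as Jinja2 do the escaping step automatically when autoescaping is enabled; the URL allow list is still the application's job.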
8. Insecure Deserialization
With insecure deserialization, untrusted serialized data is turned back into objects by the application, which lets an attacker execute code remotely, bypass authentication, or alter application logic.
- Monitoring. Serialized objects from unknown or untrusted sources should be monitored and rejected.
- Deserialization with limited access. If the deserialization code can run only in a context with restricted rights, harmful deserialized objects are easier to identify and contain.
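The added example below (not code from the article) shows one way to act on the "reject objects from unknown sources" rule: a session token is plain JSON, authenticated with an HMAC so that anything not produced with the server's key is refused before it is parsed, and then checked against an explicit schema rather than being turned into arbitrary objects. The key, field names and roles are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for the example; a real key comes from a secrets store.
SECRET_KEY = b"example-key-not-for-production"
TAG_LEN = 32                                     # SHA-256 digest size

# Explicit schema: a session token carries plain data only, never code or class names.
FIELDS = {"user": str, "role": str}
ROLES = ("customer", "admin")

def validate_session(obj) -> dict:
    if not isinstance(obj, dict) or set(obj) != set(FIELDS):
        raise ValueError("unexpected structure")
    for field, kind in FIELDS.items():
        if not isinstance(obj[field], kind):
            raise ValueError(f"bad type for {field}")
    if obj["role"] not in ROLES:
        raise ValueError("unknown role")
    return obj

def serialize(obj: dict, key: bytes = SECRET_KEY) -> bytes:
    """JSON body prefixed with an HMAC tag, so the receiver can tell where it came from."""
    body = json.dumps(validate_session(obj), sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + body)

def deserialize(token: bytes, key: bytes = SECRET_KEY) -> dict:
    """Refuse tokens not produced with our key, then validate the shape of the data."""
    raw = base64.urlsafe_b64decode(token)
    tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("rejected: token not from a trusted source")
    return validate_session(json.loads(body))

def accepts(token: bytes) -> bool:
    try:
        deserialize(token)
    except ValueError:          # covers bad base64, bad JSON, bad tag and schema failures
        return False
    return True

def with_body_edited(token: bytes, old: bytes, new: bytes) -> bytes:
    """Simulate a token altered in transit without the key (used only to show it is refused)."""
    raw = base64.urlsafe_b64decode(token)
    return base64.urlsafe_b64encode(raw[:TAG_LEN] + raw[TAG_LEN:].replace(old, new))
```

The same structure applies to any format: authenticate first, parse into plain data second, and never hand untrusted bytes to a deserializer (such as `pickle`) that can instantiate arbitrary classes.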
9. Using Components With Known Vulnerabilities
The difficulty of spotting vulnerabilities lies in the complexity of the web application. Modern web app development relies heavily on frameworks, libraries, APIs, etc., which in turn consist of other components that can become targets of attack just like the app itself.
Recently, there has been much buzz around the bug hunter Alex Birsan, who managed to hack Apple, Microsoft, and other major tech giants by exploiting a vulnerability called "dependency confusion". He found that many companies use both private and public dependencies, so he supposed that malicious code could be uploaded to a public package registry under the name of a private package. He also realized that when a private and a public dependency share a name, the public one is given priority. This way he managed to spread his code successfully. Fortunately, he had good intentions and warned the companies of their weaknesses.
- Removing unnecessary features. A clear understanding of your app's structure and a reduced number of unused files, features, and documentation will cut the risk of attack and make the application easier to maintain.
- Accept only trusted code. When adding new dependencies, take the code only from trusted sources over a secure connection.
- Continuous security testing. As an alternative to one-off penetration testing, continuous testing means checking and improving application security throughout the development process. This proactive approach lets companies identify vulnerabilities faster and reduce the likelihood of attacks.
10. Insufficient Logging and Monitoring
Insufficient logging and monitoring let attackers stay undetected while they pursue their goals. This weakness is the most common reason why companies cannot resolve data breaches. What is more, insufficient logging and monitoring may allow further intrusions into the system and lead to massive losses.
- Monitoring. Review your application and establish more effective monitoring that sends alerts when suspicious activity occurs.
- Logging. Make sure that logs are collected and aggregated in a central platform, where they can be analyzed more easily. Moreover, to prevent data leaks, keep sensitive information out of the logs.
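The added example below (not code from the article) covers both items with the standard `logging` module: a filter that redacts card numbers and `password=`/`token=` values before any handler writes a record, and a sliding-window counter that raises an alert when one account accumulates too many failed logins. The patterns, thresholds and log lines are constructed for the example.

```python
import logging
import re
from collections import defaultdict, deque

# Patterns for secrets that must never reach the log store (constructed for this example).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SECRET_KV_RE = re.compile(r"(?i)\b(password|passwd|token|secret)=\S+")

def redact(text: str) -> str:
    text = CARD_RE.sub("[CARD]", text)
    return SECRET_KV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)

class RedactingFilter(logging.Filter):
    """Rewrites each record's message before any handler sees it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())   # format first, then scrub the result
        record.args = ()
        return True

class ListHandler(logging.Handler):
    """Keeps formatted lines in memory; a real deployment ships them to the central platform."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

def make_logger(name: str = "app") -> tuple:
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    logger.filters.clear()
    logger.addFilter(RedactingFilter())
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, handler

class FailedLoginMonitor:
    """Counts failed logins per user in a sliding window; True means raise an alert."""
    def __init__(self, threshold: int = 5, window: int = 300):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)
    def record_failure(self, user: str, ts: float) -> bool:
        q = self.failures[user]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) >= self.threshold

if __name__ == "__main__":
    logger, handler = make_logger()
    logger.info("login user=%s password=%s card=%s", "bob", "hunter2", "4111 1111 1111 1111")
    print(handler.lines[-1])                  # secrets replaced before the line is stored
    monitor = FailedLoginMonitor(threshold=3, window=60)
    print([monitor.record_failure("bob", t) for t in (0, 10, 20)])   # alert on the third
```

Attaching the filter to the logger rather than to one handler matters: every handler added later (file, syslog, SIEM forwarder) receives the already-redacted record.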
Security is a key feature of modern web app development. To stay competitive, companies have to come up with new security solutions to confront attackers and provide their customers with robust and safe applications.
However, much of web app security depends on developers' awareness of cyber threats and on scheduled monitoring of application activity. Thus, making sure that your software engineers have sufficient knowledge of the most common web application security vulnerabilities will help you protect your web app and build a better company image.