10 Common Web Application Vulnerabilities and How to Prevent Them

Web security issues have become a common concern of modern business. The number of cybercrimes has significantly increased in the past few years. In 2017 the damage from cyberattacks was estimated at $1,4 billion, while in 2020, the loss reached $4,2 billion.

Web applications are among the most popular targets of hacker attacks since they provide easy access to a larger audience allowing for faster malicious code spread.

In this article, we will look into the most common web application vulnerabilities and possible solutions to prevent them.

Understanding the Common Web Application Vulnerabilities

Although web applications provide companies with many advantages, they often cause concerns arising from a lack of developers’ security expertise. In 2017 OWASP, a non-profitable organization that is trying to improve global software security made a list of top 10 security vulnerabilities in web applications. Although 4 years have passed since then, these pitfalls are still widespread and cause substantial damage to companies. Here are the most important web application vulnerabilities to be aware of to provide your clients with robust and secure custom web apps.

1. Injection

An injection is a process when untrusted or unfiltered data penetrates a server or browser as a part of a query. Injections can be of different kinds: SQL, NoSQL, LDAP, OS, and others. However, SQL queries are the most common target of mal-intent. By sending unfiltered data through the SQL query, attackers get access to the important application data. As a result, they can perform administration operations, access user private information, credit cards, passwords, etc.

Prevention

1. Validation of the inputs. Input validation prevents improperly formed data from entering the system. Thus, trying to prevent injections, it’s crucial to validate all the input.
2. Prepared statements with parameterized queries. It is an effective way to forestall SQL injections. Some of the parameters are not specified when creating a statement but added during the execution process. Thus, hackers can’t modify the query even if the command itself was theirs.
3. Limited user rights. There is no need to connect to the database always using accounts with admin privileges. To reduce the chances of injection, database users should have the most essential rights. For example, it’s better to provide them with access only to a particular database without the possibility to create or alter information in the tables.

2. Broken Authentication

Authentication is a process that verifies the user identity by affiliating incoming information with a set of credentials such as biometrical data, password, and others. Broken authentication, in contrast, implies that session ID or user credentials were hijacked.

Broken authentication can stem from insufficient protection of user credentials, weak password and login, passing the session ID as a URL, and other reasons.

Prevention

1. Multi-factor authentication (MFA). Different ways of authentication solve verification issues and help identify the true user.
2. Rejection of weak passwords. The application should have a set of requirements for the password’s length and complexity. In case the password doesn’t comply with one of the requirements the user should improve it until it conforms to the whole set. Moreover, it’s reasonable to limit the password life cycle to a short period without giving users the ability to change it for previously used ones.
3. Session length. The web application should be able to close the session. Nowadays, however, this practice is popular only in the banking sphere.
4. Security alerts. To keep customers’ information secure, you can apply security alerts that will notify users if there are any important or suspicious activities in their accounts such as signing in from a new device or sending a huge number of emails.

3. Sensitive Data Exposure

This type of web application security issues relates to the revealing of customers’ sensitive information such as phone numbers, account info, credit card numbers, etc. Data exposure vulnerability is a wake-up call for the companies since it may lead to more serious consequences such as broken authentication, injection, man-in-the-middle, or other types of attacks.

Prevention

1. Enhanced data protection. It’s crucial to encrypt both stored and transmitted data by using modern encryption techniques.
2. Security protocols. All the incoming information should come through advanced security protocols such as HTTPS, SSL, and TSL.

4. XML External Entities (XXE)

XXE attacks aim at web applications that process XML input. They usually happen due to the old or poorly configured XML processors. By taking advantage of this vulnerability hackers can access the back-end and external systems to execute server-side request forgery (SSRF).

Prevention

1. Disabling DTD. It is one of the most efficient ways to prevent XXE attacks. If it’s impossible to disable all the DTDs, it’s necessary to disable each DTD according to a specific parser.

5. Broken Access Control

Broken access control is a type of web application vulnerability when users can execute some actions they should not have access to. Developers with malicious intentions can use it to connect to other user accounts, change information inside them, view sensitive data, and, in the worst-case scenario, get full control over the application. Access control vulnerabilities usually stem from poor functional testing and the lack of automated detection.

Prevention

1. Improved access control. Access control should operate on the server-side applying Access Control List