How Safe is Your Web Application?
Vulnerable web applications have always been one of the biggest security weaknesses for many enterprises. Web applications typically contain lots of juicy data and are readily accessible, and as a result are frequent targets for attackers.
A new study has revealed that the cyber-crime economy has grown to $1.5 trillion dollars annually. Attackers hack web applications and use them to carry out malicious activities such as stealing credentials, stealing or corrupting databases, or doing other malicious activities
Once a web application is compromised, attackers frequently pivot to attack the network and oftentimes are successful with the privileges allotted to the application. Because of this, organizations need to understand and implement robust web application security measures.
We intend to outline the major causes of web application security vulnerabilities and how to overcome them efficiently.
Major Web Application Security Vulnerabilities to Watch Out For
There is an array of web application security vulnerabilities that can put your applications at risk of exploitation by attackers.
Even the most experienced web security expert or CIO must stay vigilant and take proper security measures against these weaknesses in their web applications.
Here are some of the most common web application security vulnerabilities that you must watch out for:
1. Cross-Site Scripting (XSS)
Cross-site scripting is a security vulnerability most commonly found in dynamically generated web pages. It is a form of injection that injects malicious scripts into otherwise trusted and benign websites.
XSS occurs when unvalidated and untrusted data (i.e. data from a form, etc.) is written to the web page without encoding, allowing a malicious user to provide code for the victim’s browser to execute.
After the breach, users visiting the webpage might observe the website working in a different manner than usual or asking permission for personal details.
It is also possible that the website may appear just as it did before, but may be executing code in the users’ browser that they are not aware of.
The malicious script injected may access session tokens, cookies, or any other personal information that the browser retains. Such scripts are also capable of rewriting the HTML of the web page and changing its function, which can mislead users.
2. SQL Injection
SQL Injection is a common web application security vulnerability and it is one of the most dangerous ones.
When exploiting a SQL Injection vulnerability, an attacker can query, update, or even delete the application’s database(s). The attacker does this by modifying the SQL statements that are being executed by the application against the database.
Attackers can then modify, update, add, or delete records in the database. For instance, in a financial web application, a hacker may be able to retrieve the credentials of users, alter balances, or transfer money into their accounts.
SQL Injection can lead to data loss, data corruption, denial of access, or lack of accountability. It may even result in a complete database takeover by the attacker.
3. Broken Authentication & Session Management
Broken authentication and session management encompassess all aspects of managing user authentication and handling sessions.
Authentication plays a critical role in the security of web applications, but even the most solid authentication mechanisms can be undermined if flawed credential management functions are used.
An array of account and session management flaws can result in the compromise of system administrators and user accounts.
Development teams often underestimate the importance of designing a strong authentication and session management scheme that protects user identities in all aspects of the application.
Typically, if development teams develop their own authentication schemes, they will likely be flawed. Similarly, if they develop their own session management, there will likely be flaws.
These types of vulnerabilities allow an attacker to capture user credentials (such as passwords, session IDs, and tokens). With this, an attacker can access users’ accounts and impersonate them to do whatever they want with that user’s account.
4. Sensitive Data Exposure
Credit card details, usernames, passwords, and other sensitive user information presents an attractive target to attackers. Protecting this data is always a challenge.
Sensitive Data Exposure issues occur when this data is displayed to the user, transmitted over insecure (non https) channels, or written to log files.
Even if the attacker can’t access these items directly, they might be able to retrieve them using a man-in-the-middle attack, or even simple “shoulder surfing.”
5. Security Misconfiguration
Security misconfiguration issues occur when an application or component is not configured correctly, or has configuration options that present vulnerabilities. These vulnerabilities often occur due to insecure default configurations.
Some common misconfiguration issues include failing to secure the web server with a proper HTTP security header, or allowing default platform functionality which could grant administrative access to a hacker.
Some common security headers that are recommended include a Content Security Policy Header, HSTS (HTTP Strict Transport Security), X-XSS, and more.
If an application is compromised through faulty security configurations, it could allow hackers to access sensitive data or even completely compromise a server.
Best Practices to Ensure Web Application Safety
Securing your web application is of paramount importance and it should be granted the same attention and resources as its intellectual property or user experience.
Neglecting secure practices can often lead to catastrophic consequences.
Here are some of the best practices to ensure web application safety:
1. Prioritize Web Applications based on risk
Organizations can have hundreds of web applications. Many times, they may even have more running than they are even aware of.
So the first step is to inventory your web applications. What applications do you have up and running? Who owns them? Who is maintaining them? What data is in the system? What is that data’s sensitivity level? How exposed is each application (e.g., is it open to the internet or just internal users)?
Once you have inventoried all of your applications and you understand some basic information about the data being used/stored and the business purposes of the application, you can sort the applications into three risk categories:
Critical applications are typically those that contain customer information and are externally facing. These applications should be placed as top priorities as they are prone to vulnerabilities and malicious attacks by hackers.
Important applications may be internal or external and may contain sensitive data. Normal applications may be apps that do not directly interact with the user and have far less exposure to threats. However, it is essential to entail normal apps in your web app security model as well.
2. Conduct Basic Web Application Security Training for Your Development Team and QA Team
Software developers have strong knowledge about the technical functions of the application. However, to ensure the early detection of errors or potential vulnerabilities, developers should also be given basic web application security training.
They should embrace and practice a score of security coding techniques that can prevent vulnerabilities and strengthen the application’s overall security.
Additionally, the QA team should also be well-versed with security testing models that can help enhance the web application’s security (e.g., by running basic security tests as part of their automated regression testing). This is often helpful as it can facilitate the early detection of basic security issues.
Both your developers and quality analysis team should work cohesively to ensure a strong security model that firmly protects your web applications. Web app security training helps your teams understand basic knowledge about security breaches and how to overcome them.
3. Establish a Secure Software Development Lifecycle
Efficient methodologies such as Agile and DevOps encourage better implementation of security models by creating a closely-knit working environment.
Development teams and QA teams are constantly working together in such environments. This not just helps in the early detection of vulnerabilities but also reduces the cost and time invested in debugging errors at a later stage.
“Test early and test often,” is a much-acclaimed quote in the world of SDLC.
It encourages frequent security testing of web applications that emphasizes incorporating security through all parts of the lifecycle.
Each phase of an SDLC should be mapped with security activities such as:
- Setting up phase gates
- Risk assessment
- Threat modeling
- Architecture & Design Security Reviews
- Coding Best Practices
- Perform Static Analysis
- Vulnerability Assessment
- Server and network configuration review
4. Perform Automated and Manual Security Testing (SAST/DAST)
Perform automated and manual security testing throughout the software development life-cycle to ensure the early detection of threats.
SAST, or Static Application Security Testing, is also popularly known as “White Box Testing.” It enables developers to identify security vulnerabilities in the source code of the application as the code is being written for.
SAST can also ensures conformance with coding standards and guidelines without actually executing the underlying code.
DAST or, Dynamic Application Security Testing, on the other hand, is widely known as “Black Box Testing.” It can find threats in a running web application.
It uses fault injection in the application to feed the software with malicious data and identify common security threats such as cross-site scripting, and SQL Injection.
Once vulnerabilities are identified, you can feed them back to the development team as the SDLC progresses. Following both automation and manual processes, along with implementing white box and black box testing will empower you to strengthen your web application security.
5. Create and Maintain a Culture Focused on Security
Businesses should develop an integrated cybersecurity strategy that encourages participation from the various departments involved in a project. Leaders should instill a culture of making security the responsibility of everyone across the organization.
Whether it is top tier management decisions or back-office functions, companies should involve the security team in every aspect. Integrating security staff within business units promotes better communication and cross-collaboration.
Creating a security-first culture should be introduced to employees in such a way that security becomes an integral part of their job roles. Employees, (be it be a developer, an agile leader, or a QA engineer), should know and acknowledge that they all are accountable for security.
Maintaining the security of web applications is a team effort. It has to begin with business leaders and involve the documentation team, software developers, and the QA team.
There are certain practices that you can immediately implement, which can help you quickly enhance the security of your web application. However, as applications progress with time, it becomes more cumbersome to keep track of their security.
You should embed security testing as a key component from the beginning phase of the SDLC model. Putting the best web application security measures in place, as outlined above, will ensure that your applications remain safe for everyone to use.
Aaron Cure is the Principal Security Consultant at Cypress Data Defense and an instructor and contributing author for the Dev544 Secure Coding in .NET course.
After 10 years in the U.S. Army, I decided to switch my focus to developing security tools and performing secure code reviews, penetration testing, static source code analysis, and security research.