Introduction to Web Application Security
We are now living in the world of Web. Every single day, there is a zillion of transactions that are going in the web in every single field like banking, schools, business, Top Institutions of the World, Research centers. It is extremely important that the data that is being transacted is very safe and the communication is reliable. Hence, there comes the importance of securing the web.
What is Web Application Security?
Web Application security is a branch of information security that deals with the security of Web Applications, Web services and websites. It is a kind of application security that is applied on to web or internet level specifically.
Web security is important as web applications get attacked due to bad coding or improper sanitizing of application inputs and outputs. Common web security attacks are Cross-site scripting(XSS) and SQL Injections.
Apart from XSS, SQL Injections, the other types of web security attacks are Arbitrary code execution, Path Disclosure, Memory corruption, Remote file inclusion, Buffer overflow, local file inclusion, etc. Web security is completely based on people and the processes. Hence it is extremely important that the developers use proper coding standards and sanity check for any such web security threats before making websites go-live.
Security checks, in fact, have to be applied at a very early stage of development and keep applying at every stage in the software development life cycle. Developers need to be well trained in cybersecurity and secure coding practices. One time testing of the application is definitely not effective. Continuous regression for web security attacks needs to be implemented at every stage.
Standardizing Web Security
OWASP(Open Web Application Security Project) is the standards body for web application security. It provides complete documentation, tools, techniques, and methodologies in the field of web app security. OWASP is one of the unbiased sources of information about the best practices in web app security.
OWASP Top Web Security Risks
Below are the top web security risks reported on OWASP.
This is a type of injection attack which makes it possible to execute malicious and improper SQL queries which could control the web server databases. Attackers can use SQL statements to bypass application security measures. They can authenticate or authorize web pages or web sites and get the content of SQL databases bypassing SQL statements. This attack can happen over sites that use SQL, MYSQL, Oracle, etc. as databases. This is the most prevalent and dangerous security attack according to OWASP 2017 documentation.
Cross Site Scripting (XSS):
This enables attackers to inject client-side scripting into web applications and web pages viewed by other users. A cross-site scripting vulnerability can be used to bypass policies such as the same origin policy. As per 2007, XSS accounted for 84% of all the security attacks on the web.
Depending on the sensitiveness of data, XSS could be a minor attack or a major threat to the websites.
Exploiters fold malicious data into the content that is being delivered to the client browser. When data is delivered at the client, it looks like the combined data has come from the trusted server itself and has all the permission sets at the client end. The attacker can now gain elevated access and privileges to the sensitive page content, to session cookies and a variety of other information.
Broken Authentication and Session Management:
This attack allows to either capture or bypasses the authentication on the web page or application.
This is more of a weak standard followed by web site developer that cause the issues like for instance,
- Predictable login credentials.
- Not protecting user login credentials properly when stored.
- Session IDs being exposed in the URL.
- Passwords, session IDs not being sent over encrypted URLs.
- Session values not timing out after a specific amount of time.
To prevent this attacks, the developer should be careful on maintaining the proper standards like protecting passwords and proper hashing of it while being passed, Not exposing Session IDs, timing out the session after a specific amount of time, recreating Session IDs after a successful login attempt.
To Fix Broken Authentication
- Password length should be maintained to at least 8 characters.
- Password should be complex to make the user unable to predict it. This should make use of proper password set rules like alphanumeric, special character and number upper/lower case combinations.
- Authentication failures should never indicate which part of authentication data is incorrect. Error responses should be generic to some extent. Eg: Invalid credentials instead of showing username or password which exactly is incorrect.
This is one of the bad practices that makes the websites vulnerable to attacks. For eg. App server configurations returning full stack trace to the users making the attackers know where the flaw is and accordingly attack the sites. To prevent such cases, it is important that a strong application architecture is implemented and run the security scans periodically.
It is very important that every website follow proper standards, maintain proper coding techniques have robust app architecture, run the scans periodically without fail and try to avoid the web security attacks to a larger extent.
This has been a guide on Web Application Security. Here we have discussed the Introduction, Standardizing, Top Risks of Web Security. You may also look at the following articles to learn more –