Web applications have become one of the hottest trends online for businesses and regular users. New apps cover everything from computer backup, security, and monitoring, to customer management, photos, and diary entries. They’re extremely helpful, convenient, and provide an extra level of security because everything is stored on a different server. But that doesn’t mean they’re without risks.
In fact, OWASP (the Open Web Application Security Project) has published a list of the top ten risks associated with web applications, available as a PDF.
1- Injection Flaws
Injection attacks occur when an attacker (a person or an automated tool) sends malicious input through a web application, such as script or query fragments in various programming languages. Attacks can affect a single site or an entire host, and can cause numerous problems, including lost or corrupted data, accountability issues, or loss of access.
This could cause all sorts of symptoms and issues for site owners. For many, the data they collect about their customers and clients is the basis of their business. Without it, it’s not possible to continue or even rebuild. Financial problems, reputation issues, and other problems that arise just complicate matters.
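An added example (not code from the article) showing the defect behind a SQL injection flaw next to the fix. An in-memory SQLite table stands in for the application's user store; the two login functions differ only in whether user input is spliced into the SQL text or passed as a bound parameter. Table and account names are constructed.

```python
import sqlite3


def make_db():
    """Constructed sample user table standing in for the application's database.
    Passwords are kept in clear only to keep the example short (see item 7)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, name, password):
    """Builds the query by string formatting, so user input becomes part of the SQL
    itself. A value containing quotes or operators changes the query's logic."""
    sql = ("SELECT count(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return db.execute(sql).fetchone()[0] > 0


def login_safe(db, name, password):
    """Parameterised query: the SQL text is fixed and the driver binds the values,
    so whatever the user typed is compared as data, never interpreted as SQL."""
    sql = "SELECT count(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    # The textbook tautology: the concatenated query accepts it, the bound one does not.
    tautology = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "alice", tautology))   # True
    print("safe:      ", login_safe(db, "alice", tautology))         # False
    print("safe, real password:", login_safe(db, "alice", "s3cret"))  # True
```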
2- Cross-Site Scripting (XSS) Flaws
XSS attacks occur when a script created with malicious intent is delivered to a trusted website through a web application. There are three main types, but all three rest on the fact that a user’s browser can’t tell the malicious script from a legitimate one. These cross-site scripting vulnerabilities allow scripts to access all kinds of in-browser information that has been stored for use with the trusted site.
These types of attacks make it possible for offenders to add and alter content, redirect users, execute malware and much more. Again, the effects of these attacks can be deadly for websites and businesses, and cause thousands, millions, or even billions of dollars in damage.
3- Broken Authentication and Session Management
Login and signup processes are pretty standard features. Unfortunately, the processes created to add security to the site can often be the main source of security flaws and weaknesses. Attacks that use authentication and session management flaws exploit basic features such as password systems, logout features, secret questions, timeouts, account updating, ‘remember me’ features, and many more.
The biggest problem with these kinds of attacks is that they can affect most or all accounts in a short amount of time. This makes administrator accounts and those with the most access prime targets.
4- Insecure Direct Object References
This form of attack occurs when an application fails to verify that the user is authorized for the object it is attempting to access. The attacker changes a parameter value that references one system object so that it references another, and gains access. Once this works, the attacker can access all of the data of that type.
This is dangerous not only because the data can be used for any number of purposes, but because of the sheer amount of information the attacker can reach. For instance, if the attacker gains access to login information this way, that person can gather the login information for every account, rather than just one.
5- Cross-Site Request Forgery (CSRF)
CSRF attacks rely on the attacker predicting what a legitimate request to the site looks like and building a malicious page that issues that forged request; the victim’s browser then submits it to the site. If the victim is logged in, the site treats the request as the user’s own, and the attacker gains full access to the account, where they can change data and perform any function the affected user could.
It may sound harmless, but consider the sites and feeds users access during any given week. It’s virtually impossible to tell if it’s the registered user making changes or the attacker. Data can become completely unusable, along with the site itself, if the attack becomes widespread.
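An added example, not the article's code, of the synchronizer-token defence against the forged requests described above: the session binds an unguessable token that only the site's own pages can embed, and the handler rejects any state-changing request that lacks it or arrives from a foreign Origin. The session store, site origin and handler are assumptions made for the illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data. A real app
# keeps this server-side (database, cache) keyed by the session cookie.
SESSIONS = {}
SITE_ORIGIN = "https://bank.example"   # assumed origin of the protected site


def new_session(user):
    """Log a user in and bind a fresh, unguessable anti-CSRF token to the session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "email": None}
    return sid


def render_form(sid):
    """The site's own page embeds the session's token as a hidden form field;
    a page on another origin cannot read it, so it cannot build a complete form."""
    return {"csrf_token": SESSIONS[sid]["csrf"]}


def change_email(sid, form, origin):
    """State-changing handler. The browser sends the session cookie automatically,
    so the cookie alone does not prove the user intended this request."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    # Check 1: browsers add an Origin header to cross-site POSTs; a foreign origin is refused.
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site request rejected"
    # Check 2: the submitted token must equal the session's token (constant-time compare).
    token = str(form.get("csrf_token", ""))
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    session["email"] = form["email"]
    return 200, "email updated"


if __name__ == "__main__":
    sid = new_session("alice")
    genuine = {"email": "alice@new.example", **render_form(sid)}
    print(change_email(sid, genuine, SITE_ORIGIN))              # (200, 'email updated')
    forged = {"email": "attacker@evil.example"}                  # no token, foreign origin
    print(change_email(sid, forged, "https://evil.example"))     # (403, 'cross-site request rejected')
```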
6- Security Misconfiguration Flaws
Attacks that target security misconfiguration provide access to everything from default accounts and unprotected files and website segments, to unused pages. This supplies attackers with access to the site, as well as providing them additional information about how the system works.
While these attacks can endanger an entire system, they’re usually limited to data and functionality access. Unfortunately, these attacks can still be extremely dangerous because the changes occur over time, rather than all at once, and repairing the site and recovering the data can come with extremely high costs.
7- Insecure Cryptographic Storage Flaws
Attacks on cryptographic storage flaws can be difficult to pull off, but they’re also extremely hard to detect and can do huge amounts of damage, because this form of attack targets the most sensitive data. To get at information such as health and financial records, the attacker first has to gain access to the system. Then keys, cleartext copies, or channels are used to view the data unencrypted.
It happens mostly because the data wasn’t encrypted in the first place, or because the keys, algorithms, and passwords used to protect it were generated or stored weakly. Once hackers have accessed this information it’s already too late: the attacker already has what he or she was looking for, and the financial, social, and personal ramifications can be immense.
8- Failure to Restrict URL Access
If your system is not configured to properly manage page requests, it leaves important pages unprotected. An attacker who has obtained an ordinary level of authorization to the system can then simply change the URL to one for a page you thought was protected. This leaves the system open, and the attacker can perform functions he or she would otherwise be unauthorized for.
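Items 4 and 8 both come down to the server not checking authorization before serving a request, so one added example (not the article's code) covers both: `dispatch` enforces a deny-by-default route table with a required role for every page, and `get_invoice` additionally checks that the referenced object belongs to the caller. Users, roles, invoices and paths are constructed.

```python
# Constructed sample data: each user has one role, each invoice has one owner.
USERS = {"alice": "user", "bob": "user", "carol": "admin"}
INVOICES = {101: {"owner": "alice", "total": 40}, 102: {"owner": "bob", "total": 75}}
RANK = {"user": 1, "admin": 2}

# Every reachable path is listed with the least role allowed to request it.
# A path that is not listed is refused outright: protection is the default,
# not something each page has to remember to do for itself.
ROUTES = {"/invoices": "user", "/admin/users": "admin"}


def get_invoice(user, invoice_id):
    """Object-level check (item 4): a valid session is not enough, the caller
    must own the referenced invoice unless they are an admin."""
    inv = INVOICES.get(invoice_id)
    if inv is None or (inv["owner"] != user and USERS[user] != "admin"):
        # Same answer for "does not exist" and "not yours", so the response does
        # not confirm which invoice ids exist.
        return 404, None
    return 200, inv


def list_users(user):
    """Admin-only page; reachable only through dispatch, which enforces the role."""
    return 200, sorted(USERS)


def dispatch(user, path, params):
    """Function-level check (item 8), applied to every request before any handler runs."""
    required = ROUTES.get(path)
    if required is None:
        return 404, None
    if user not in USERS or RANK[USERS[user]] < RANK[required]:
        return 403, None
    if path == "/invoices":
        return get_invoice(user, params.get("id"))
    return list_users(user)


if __name__ == "__main__":
    print(dispatch("alice", "/invoices", {"id": 101}))   # (200, alice's invoice)
    print(dispatch("alice", "/invoices", {"id": 102}))   # (404, None): bob's invoice, not hers
    print(dispatch("bob", "/admin/users", {}))           # (403, None): page exists, role too low
    print(dispatch("carol", "/admin/users", {}))         # (200, ['alice', 'bob', 'carol'])
```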
9- Insufficient Transport Layer Protection
Anyone who can monitor traffic on your network and knows how users access the system can take advantage of transport layer protection flaws. Attackers simply watch the traffic and can intercept everything from data to session IDs. This puts users at risk and gives attackers full access to their accounts and all of the privileges those users have, which is why administration accounts are popular targets.
To prevent this kind of attack, SSL/TLS absolutely must be set up and configured correctly.
10- Unvalidated Redirects and Forwards
To exploit this type of flaw, attackers trick a target into clicking a ‘tainted’ link. The link sends the victim through an unvalidated redirect, after which the victim is tricked into installing malicious software or revealing sensitive information. Unsafe forwards, on the other hand, allow attackers to bypass entirely the security checks and controls that are normally in place.
This leaves the site open and gives attackers access to important information, internal processes, and vulnerable data. Unvalidated redirects and forwards can spread quickly because the requests come from a site the user already trusts, but this also makes them easy for site owners to detect.
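An added example (not code from the article) of validating a redirect target before using it: only a path on the site's own origin is accepted, and anything else falls back to a fixed default. The site origin and the `next` parameter are assumptions; the block covers redirects, not the internal-forward case.

```python
from urllib.parse import urljoin, urlsplit

SITE = "https://shop.example"   # assumed origin of the application


def is_local_redirect(target):
    """Allow-list check: a redirect target is acceptable only if it is a path on
    this site. Absolute URLs, protocol-relative '//host' forms, backslash variants
    that browsers normalise to '/', and control characters are all rejected."""
    if not isinstance(target, str) or not target:
        return False
    if "\\" in target or any(ch in target for ch in "\r\n\t\x00"):
        return False
    if not target.startswith("/") or target.startswith("//"):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    # Final check: resolve against our origin and confirm the result stayed on it.
    return urljoin(SITE, target).startswith(SITE + "/")


def redirect_after_login(next_param, default="/account"):
    """Value for the Location header after login: the requested page if it passes
    the check, otherwise a fixed default rather than wherever the link pointed."""
    if is_local_redirect(next_param):
        return urljoin(SITE, next_param)
    return urljoin(SITE, default)


if __name__ == "__main__":
    # Constructed candidates: one legitimate path, three that must fall back to the default.
    for candidate in ["/orders/42", "//evil.example/", "https://evil.example/", r"/\evil.example"]:
        print(repr(candidate), "->", redirect_after_login(candidate))
```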
This isn’t a comprehensive or complete list of flaws and attacks, but it does cover some of the most common. Stay up to date on the latest techniques and vulnerabilities, check to ensure security measures are properly implemented, and be sure to keep software updated. If you hope to keep your site safe, the only solution is to be diligent and run checks frequently.
Author Bio: Fergal is the primary outreach specialist and director of product marketing for Veracode, which specializes in LDAP injection and penetration testing. Fergal has been working in the field of internet security and software development for the past 10 years.