In all the excitement of building and deploying your web applications, is there something you forgot?
Data breaches cost companies $3.92 million in 2019, and many of these incidents could have gotten prevented with the right mindset and a comprehensive audit to ensure web application security vulnerabilities get addressed.
Table of Contents
The Open Web Application Security Project (OWASP) is an open community of engineers and security IT professionals whose goal is to make the web safer for users and other entities.
The OWASP “Top 10” is a set of standards for common vulnerabilities and how to prevent them from becoming breaches for your company and users. Ultimately the OWASP Top 10 is the industry standard and needs to be prioritized when deploying any web or mobile app.
The OWASP Top 10 for web applications includes:
Most of these vulnerabilities revolve around authentication, validation, and user input flaws. Our post will go a little deeper into each vulnerability to give enough information to make the best choices and secure even the largest web application.
Injection flaws are when an attacker uses unfiltered and often malicious data to attack databases or directories connected to your web apps. Two common injection attacks often get used. First, SQL injection gets used to attack your databases. Second, LDAP injection gets used to attack directories.
Injection attacks use input fields that interact with directories and databases to execute against vulnerabilities. These include usernames, passwords, and other areas that interact with the target. These fields are often left vulnerable due to the lack of an input filter when the database or directory’s development.
How to prevent injection flaws:
There are ways we can help to prevent injection attacks. Adding filters to your inputs is the best defense. With SQL databases, we can first use prepared statements that can help prevent attackers from manipulating queries. Second, with LDAP injections, we can use protocols like escape variables to prevent characters used with injection attacks from being passed to manipulate the directory.
Authentication helps apps identify and validate users. Therefore broken authentication can allow attackers to access and have the same permissions as the targeted user, creating severe web app vulnerabilities. Issues with authentication can give an attacker unfettered access to your data and wreak havoc on your web application.
Authentication vulnerabilities can include improperly hashed and salted passwords, leaks involving user account data, improperly set timeouts, brute force attacks, or typical password stuffing like password1 or admin1234.
How to prevent broken authentication vulnerabilities:
Protecting your web application from authentication vulnerabilities can be a simple fix. Using multi-factor authentication can help verify the correct user. Creating strong passwords with periodic password updates can keep from common password use. Finally, properly configuring timeouts and password security within your database will prevent authentication issues.
Sensitive data gets transported or stored without any encryption or other protection, leaving information vulnerable to various attacks.
There are two ways to attack unprotected data. First, while data is transported from the user to the client, attacks as a man-in-the-middle attack can be used to steal data from packets. Second, stored data, while more complicated, can be exposed through encryption keys get stored with data or weak salt/hash or passwords and credentials.
How to prevent sensitive data exposure:
Preventing the exposure of your sensitive data is vital to the security of your app. Due to data vulnerabilities in motion, HTTPS, and perfect forward secrecy (PFS), ciphers need to get implemented for incoming data to your site. Disabling data caching that may store sensitive information is another way to help protect data.
In addition to transported data, stored data is at risk for attacks and exposure as well. Encrypting data stored in your databases while keeping encryption keys stored separately will reduce exposure. Eliminating out-dated data or data that isn’t needed will minimize exposure. If there is no data, there is no risk.
When server-side authorization is misconfigured, broken, or missing, vulnerabilities will occur that can leave your back-end open to attacks.
These attacks often happen with front-end UIs configured with components to give admins access to data or other vital app elements. In this case, most users can’t see the admin function, but those looking to find vulnerabilities will be able to uncover and exploit this flaw with malicious requests.
How to prevent missing function level access control vulnerabilities:
Fixing this flaw is simple. All server-side authentication needs to be active and configured to prevent unwanted access.
Often web applications are misconfigured, leaving an array of vulnerabilities for attackers to capitalize. Security misconfigured vulnerabilities can include unpatched flaws, unused pages, unprotected files or directories, outdated software, and running software in debug mode.
All aspects of your web applications can be affected by security misconfigurations. When a misconfiguration is found, it is vital to run a security audit to check for attacks or breaches.
How to prevent security misconfigurations:
Preventing security configuration vulnerabilities is simple. For instance, using a deployment protocol to continuously develop and deploy updates inside a secure environment or segmented application architecture will help prevent security vulnerabilities. Automatic your deployment will also keep your applications up to date and prevent attacks.
XSS vulnerabilities are common where input is unsanitized. Additionally, XSS can allow attackers to steal cookies from users’ browsers and access browsing history and sensitive information.
How to prevent XSS:
Ultimately XSS vulnerabilities can be fixed by sanitizing input. Sanitizing input will help stop user input from manipulating vulnerabilities and injecting them into websites. Also, validating and escaping user input will help prevent malicious injection.
When database keys or files get exposed to the user, insecure direct object reference vulnerabilities exist. Because of the exposed internal objects, attackers can use enumeration attacks to access those objects and gain data or access to sensitive databases. Often authentication is either non-existent or broken.
Database objects are often vulnerable through URL parameters exposing serialized data keys an attacker can manipulate to access information. Also, static files can be manipulated and changed by an attacker to access sensitive information or other user’s data.
How to prevent insecure direct object references:
Preventing access to sensitive files and databases can be done with server-side input validation. Testing input server-side can help prevent malicious user’s from manipulating URL parameters and file names. Also, access control measures can help determine if the user has permission and can access or change files and databases.
Cross-site request forgeries (CSRF) use social engineering to trick authenticated users into clicking a link, as an example and take control of their sessions. Due to having authenticated sessions, the attacker can perform changes to the state of an app vs. data theft.
Applications without the proper dual authentication or cross-site tokens can be vulnerable to CSRF attacks. Those will little knowledge of social engineering are also at higher risk of their authenticated sessions hijacked.
How to prevent CSRF: There are several preventative measures to help stop CSRF attacks. Using secret tokens or cookies can help with authenticating real requests vs. malicious ones. Also, utilizing POST requests only and eliminating GET requests can help keep the URL information from getting compromised.
Due diligence needs to get done when considering using a third-party code or component in your web application. Many security issues can come with using unfettered code from sources you aren’t familiar with.
Affected objects and how to find them:
To help find what components may be vulnerable, the National Vulnerability Database has a comprehensive list of known third-party vulnerabilities to help make the best choice.
Every aspect of your app can be affected by vulnerabilities in third-party code. For example, backdoors can get added to financial services code allowing attackers access to sensitive data.
How to prevent using components with vulnerabilities:
The best way to prevent using vulnerable code is to know where and who it’s coming from.
Unvalidated redirects and forwards is another input manipulation vulnerability again using parameters like GET requests to execute the attacks.
An example of the vulnerability is an attacker manipulating a URL and redirecting users to a malicious site where information can get stolen using social engineering and links with malicious code or links.
How to prevent unvalidated redirects and forwards:
By eliminating redirects, you can eliminate the issue of redirect attacks. If necessary, keep redirects and forwards static, not allowing users to input URLs.
A security breach with your web app can cost you a lot in damages and tarnish your company’s reputation. App and software development and frameworks are becoming more and more secure; however, attackers find better ways to attack these vulnerabilities. Deployment isn’t the end of the road, and we can help minimize vulnerabilities and keep your apps secure.
We are Relevant, a software development company that has expert cybersecurity expertise. We specialize in SaaS web applications, including fintech solutions, and securing them is our everyday job. If you are ready to take your security to the next level, contact us today to learn more.