VP of Delivery at Relevant Software

10 Common Web Application Security Vulnerabilities and How to Prevent Them in 2023

January 26, 2023


Web applications are one of the most common targets for hacking because they provide easy access to a wide audience, allowing malicious code to spread faster. But, alas, many companies think seriously about web security only after an incident has already occurred.

Let’s face it: this omission has a price. In 2022, the average data breach cost companies $4.35 million. Many of these incidents could have been prevented with a proactive, defensive approach to web security.

We want to save your money and your nerves. Therefore, we at Relevant have prepared an article about the most common web application vulnerabilities and best practices for protecting web applications from malicious attacks and accidental damage.

Why are web applications so vulnerable to attacks?

Web apps can be attacked for various reasons, including system flaws resulting from incorrect coding, misconfigured web servers, application design flaws, or failure to validate form input. Any web application is likely to have at least one vulnerability that attackers can exploit.

Such weaknesses allow criminals to gain direct access to databases containing valuable information (e.g., financial details or personal data), which makes those databases a frequent target of attacks.

Cloud containers, which package application software together with the elements needed to run it, have recently been found to be particularly vulnerable when they are not properly secured or contain insecure components. The use of open source software and reliance on application programming interfaces (APIs) also exacerbate security concerns.

Cybercriminals use compromised sites for various purposes: to spread malware, steal sensitive data, implant unauthorized content, commit fraud, or infiltrate a company’s internal infrastructure. All of this threatens the organization’s operations and reputation, so web applications must be protected and their weak points eliminated.

OWASP Top 10 Vulnerabilities: General Overview

The open community OWASP aims to make the web safer for users by maintaining an overview of the most prevalent web vulnerabilities and providing industry best practices to mitigate them.

OWASP Top 10 is not just a list. It rates each class of weakness using the OWASP Risk Rating methodology and provides examples, prevention recommendations, and references for each risk. By studying the vulnerabilities in the OWASP Top 10, application developers can take concrete steps toward a more secure application that keeps users safe from malicious attacks.

The OWASP list is updated every few years based on a combination of security testing data and surveys of professionals within the industry. The diagram below shows how the list changed from 2017 to 2021.

[Figure: OWASP Top 10, changes from 2017 to 2021. Source: OWASP.org]

So let’s consider the latest web application vulnerabilities and ways to prevent them in 2023.

OWASP Top 10

Broken Access Control

Access control enforces policies that prevent users from acting outside their assigned permissions. Access control vulnerabilities can allow unauthenticated or unauthorized users to gain access to sensitive data, processes, and user privilege settings.

Examples of access control vulnerabilities include metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, modifying cookies or hidden fields to elevate privileges, or abusing JWT invalidation.

Another example is a violation of the deny-by-default principle: access that administrators should grant only to certain roles, capabilities, or users is instead available to everyone. Such errors make it easier for attackers to reach whatever they want.

Affected objects:

Broken access control can lead to compromised data, permissions beyond what is intended for normal users, or account takeover attacks in which outsiders seize user accounts and initiate fraudulent transactions.

How to prevent Broken Access Control

You can avoid problems with identity or password management by applying safe coding practices and precautions such as disabling unneeded administrator accounts, enforcing access restrictions, and setting up multi-factor authentication.

  • Implement access control mechanisms once and reuse them throughout the application, and minimize Cross-Origin Resource Sharing (CORS) usage.
  • Enforce the application’s business limits in domain models.
  • Rate limit API and controller access to minimize the harm from automated attack tooling.
  • Log access control failures and alert administrators when appropriate.
  • Model access controls should enforce record ownership rather than allowing any user to create, read, update, or delete any record.
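As an added illustration of the last points (one reusable decision, deny by default, logged failures, and record ownership), here is example code written for this article rather than taken from OWASP or Relevant; the roles, grants, and records are constructed:

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("access-control")

@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset = frozenset()

@dataclass(frozen=True)
class Record:
    record_id: str
    owner_id: str

# Hypothetical policy: role grants. Any action not listed here is denied.
ROLE_GRANTS = {
    "admin": frozenset({"read", "update", "delete"}),
    "auditor": frozenset({"read"}),
}
OWNER_GRANTS = frozenset({"read", "update", "delete"})

def is_allowed(user: User, record: Record, action: str) -> bool:
    """Single reusable decision: deny by default, ownership first, then roles.
    Denials are logged so administrators can be alerted on repeated failures."""
    if record.owner_id == user.user_id and action in OWNER_GRANTS:
        return True
    if any(action in ROLE_GRANTS.get(role, frozenset()) for role in user.roles):
        return True
    log.warning("access denied user=%s record=%s action=%s",
                user.user_id, record.record_id, action)
    return False

def get_record(user: User, record_id: str, store: dict) -> Record:
    """Enforce ownership on every lookup instead of trusting the caller's id."""
    record = store.get(record_id)
    if record is None or not is_allowed(user, record, "read"):
        # Same error for missing and forbidden, so record ids cannot be enumerated.
        raise PermissionError("record not accessible")
    return record

# Constructed sample data so the example runs stand-alone.
STORE = {"r-1": Record("r-1", owner_id="alice"), "r-2": Record("r-2", owner_id="bob")}
ALICE, BOB = User("alice"), User("bob")
AUDITOR = User("carol", frozenset({"auditor"}))
```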

Cryptographic Failures

Formerly known as Sensitive Data Exposure, Cryptographic Failures rose to position two. The earlier name described a symptom rather than the root cause; the emphasis now is on failures in cryptography, or the lack of it, which often lead to exposure of sensitive data.

Affected objects:

These can be passwords, email addresses, patient health records, business secrets, credit card numbers, or other personal user information. For example, an application may encrypt credit card numbers using automatic database encryption. Unfortunately, this data is decrypted automatically when retrieved, so a SQL injection flaw can extract credit card numbers in plaintext for an attacker to exploit.

How to prevent cryptographic failures

  • Store passwords using strong, salted, adaptive hashing functions with a work (delay) factor, such as scrypt or PBKDF2.
  • Avoid legacy protocols such as Simple Mail Transfer Protocol (SMTP) or File Transfer Protocol (FTP) when transferring sensitive data.
  • Use authenticated encryption instead of plain encryption.
  • Generate cryptographically random keys and store them in memory as byte arrays. If passwords are used, convert them to a key using a password-based key derivation function.
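An added example (not from the article) of the first and last bullets: salted PBKDF2 password hashing with a self-describing record and constant-time verification, plus deriving an encryption key from a password. The record format and the 600,000-iteration work factor are choices made for this example:

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # work factor; raise it over time as hardware gets faster
SALT_BYTES = 16

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, adaptive password hash. The stored string carries its own
    parameters so the work factor can be raised later without breaking old records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=32)
    return "$".join((ALGORITHM, str(iterations), _b64(salt), _b64(digest)))

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time.
    Any malformed or foreign record is treated as a failed verification."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=32)
    return hmac.compare_digest(actual, expected)

def derive_key(password: str, salt: bytes, length: int = 32) -> bytes:
    """Turn a password into a fixed-length key for an encryption API.
    The salt must be random per key and stored alongside the ciphertext."""
    if len(salt) < SALT_BYTES:
        raise ValueError("salt too short")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               ITERATIONS, dklen=length)
```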

Injection

An injection flaw enables an attacker to send malicious input through an application to another system, where it is interpreted as code or commands. Injections include SQL injection, command injection, CRLF injection, LDAP injection, and others. The consequences can include compromise of backend systems and of other clients connected to the vulnerable app.

Affected objects:

Attackers use injection to reach protected areas and sensitive data while posing as trusted users. Vulnerable objects include input fields and URL parameters that interact with the database.

How to prevent injection:

Some useful techniques include:

  • Prevent injection by validating or sanitizing user-submitted data. (Validation means rejecting suspicious-looking data; sanitizing means removing the suspicious parts of it.)
  • Use a safe API that avoids the interpreter entirely or provides a parameterized interface, or migrate to an Object Relational Mapping (ORM) tool.
  • Apply positive (allow-list) server-side input validation.
  • Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection.
  • Avoid displaying detailed error messages that could be useful to an attacker.
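An added example (written for this article, not taken from OWASP) showing the string-built query beside its parameterized replacement, with LIMIT and allow-list validation in front of it; the database and rows are constructed in memory:

```python
import sqlite3

def open_sample_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return conn

def find_user_vulnerable(conn, username: str) -> list:
    """Input is spliced into the SQL text, so it can change the query's meaning."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, username: str) -> list:
    """Parameterized query: the driver passes input as data, never as SQL.
    LIMIT bounds how many rows one lookup can ever return."""
    sql = "SELECT username, email FROM users WHERE username = ? LIMIT 1"
    return conn.execute(sql, (username,)).fetchall()

def lookup(conn, username: str) -> list:
    """Positive (allow-list) server-side validation in front of the safe query:
    reject anything that is not a short alphanumeric username."""
    if not username.isalnum() or len(username) > 32:
        return []
    return find_user_safe(conn, username)
```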

Insecure Design

This new category in the OWASP Top Ten focuses on design and architectural flaws that increase security risk. When an application is inherently insecure by design, even a perfect implementation of security controls cannot compensate for those design flaws. Sophisticated attackers will eventually find and exploit them.

How to prevent design weaknesses:

Security specialists can prevent these threats using the following methods:

  • Set up a secure development lifecycle with Relevant experts to evaluate and design security and privacy controls.
  • Use threat modeling for access control, critical authentication, application logic, and core flows.
  • Include security terminology and controls in user stories.

Identification and Authentication Failures

Identification and authentication failures occur when user identification, authentication, or session management functions are implemented incorrectly or are not sufficiently protected by the app.

Affected objects: 

Authentication vulnerabilities include susceptibility to brute-force attacks, improperly hashed and salted passwords, leaks of user account data, incorrectly configured session timeouts, and acceptance of weak, common passwords such as password1 or admin1234.

How to prevent authentication vulnerabilities:

You can protect your web application from authentication vulnerabilities by:

  • Using multi-factor authentication for user verification.
  • Enforcing strong passwords and periodic updates.
  • Configuring session timeouts correctly and storing passwords securely in your database.

Software and Data Integrity Failures

When apps use plugins, libraries, or modules from Content Delivery Networks or untrusted sources without verifying their integrity, they risk malicious code, unauthorized access, and compromise.

Affected objects:

Modern software delivery pipelines include auto-update functionality that streamlines lifecycles by downloading updates and applying them without sufficient integrity verification. Attackers can exploit such functionality with a man-in-the-middle attack to inject malicious code into the update process, resulting in corrupted payloads being deployed and executed on application installations.

Prevention methods include:

  • Use digital signatures or similar mechanisms to verify that software or data comes from the expected source and has not been altered.
  • Ensure the CI/CD pipeline has proper segmentation, access control, and parameterization to protect code integrity during configuration and deployment.
  • Ensure that unsigned or unencrypted serialized data is not sent to untrusted clients without an integrity check or digital signature to detect tampering or replay.
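An added example (not from the article) of one such integrity check for CDN-hosted resources: computing and verifying a Subresource Integrity (SRI) value of the form `sha384-<base64>`, which browsers check against `<script integrity="...">`. The script bytes and the tampered copy are constructed for the demonstration:

```python
import base64
import hashlib
import hmac

# Hash functions SRI allows; anything else is rejected.
SUPPORTED = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}

def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Compute the pinned value to put in an integrity attribute at build time."""
    digest = SUPPORTED[algorithm](content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"

def verify_integrity(content: bytes, expected: str) -> bool:
    """Accept content only if it matches the pinned value.
    Malformed or unsupported pins fail closed instead of being skipped."""
    try:
        algorithm, value_b64 = expected.split("-", 1)
        expected_digest = base64.b64decode(value_b64, validate=True)
    except (ValueError, TypeError):
        return False
    if algorithm not in SUPPORTED:
        return False
    actual = SUPPORTED[algorithm](content).digest()
    return hmac.compare_digest(actual, expected_digest)

# Constructed sample: what the build pinned versus what arrives from the CDN.
PINNED_SCRIPT = b"console.log('hello from the pinned build');\n"
PINNED_VALUE = sri_hash(PINNED_SCRIPT)
TAMPERED_SCRIPT = PINNED_SCRIPT + b"// extra line injected in transit\n"
```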

Security Logging and Monitoring Failures

Logging and monitoring provide security accountability, visibility into events, incident alerting, and forensic evidence. When these capabilities fail, your company’s ability to detect and respond to application breaches is severely compromised.

Affected objects:

Insufficient monitoring, logging, or reporting makes your app susceptible to attacks that target any part of the application stack.

How to prevent Security Logging and Monitoring Failures

Measures to prevent security logging and monitoring failures include:

  • Log all login, access control, and server-side input validation failures with enough user context to identify suspicious or malicious accounts, and retain the logs long enough to allow delayed forensic analysis.
  • Ensure logs are generated in a format that log management solutions can easily consume.
  • Establish or adopt an incident response and recovery plan, such as NIST 800-61r2 or later.
  • Establish effective monitoring and alerting so that suspicious activity is detected and responded to quickly.
  • Ensure log data is properly encoded and protected to prevent injection or other attacks against the logging and monitoring systems.
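An added example (not from the article) tying the first, fourth and last bullets together: security events are written as one JSON line each with user-controlled fields encoded so they cannot forge extra log lines, and a simple detector alerts when one account accumulates repeated login failures. The threshold, window and sample events are constructed:

```python
import json
from collections import defaultdict, deque

def sanitize(value: str) -> str:
    """Escape CR/LF and other control characters so a user-supplied value
    cannot inject fake log lines or break the log parser."""
    return "".join(ch if ch.isprintable() else f"\\x{ord(ch):02x}" for ch in value)

def format_event(kind: str, user: str, source_ip: str, outcome: str, ts: float) -> str:
    """One JSON line per security event, with the fields an investigation needs."""
    return json.dumps({"ts": round(ts, 3), "event": kind, "user": sanitize(user),
                       "src_ip": source_ip, "outcome": outcome}, sort_keys=True)

class FailedLoginDetector:
    """Alert when one account sees `threshold` failures inside `window` seconds."""

    def __init__(self, threshold: int = 5, window: float = 300.0):
        self.threshold, self.window = threshold, window
        self._failures = defaultdict(deque)

    def ingest(self, line: str):
        """Feed one log line; return an alert string, or None if nothing fired."""
        event = json.loads(line)
        if event.get("event") != "login" or event.get("outcome") != "failure":
            return None
        recent = self._failures[event["user"]]
        recent.append(event["ts"])
        while recent and event["ts"] - recent[0] > self.window:
            recent.popleft()  # drop failures outside the sliding window
        if len(recent) >= self.threshold:
            return f"ALERT: {len(recent)} failed logins for {event['user']} within {self.window:.0f}s"
        return None

# Constructed sample events: a burst of failures against one account, then a normal login.
SAMPLE_LINES = [format_event("login", "admin", "203.0.113.7", "failure", 1000.0 + i)
                for i in range(5)]
SAMPLE_LINES.append(format_event("login", "alice", "198.51.100.2", "success", 1006.0))
```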

Server-Side Request Forgery (SSRF)

Server-Side Request Forgery is a web security vulnerability that allows an attacker to make the application send a crafted request to an unintended destination, even when that destination is protected by a VPN, firewall, or network access control list.

Affected objects:

In a typical SSRF attack, the attacker forces the server to connect to internal services within the organization’s infrastructure. In other cases, they can make the server connect to arbitrary external systems, which can leak sensitive data such as login credentials.

How to prevent SSRF

With this in mind, you can avoid such attacks by using the following prevention methods:

  • To limit the impact of SSRF, segment remote resource access functionality into separate networks.
  • Enforce “deny by default” firewall policies or network access control rules to block all but essential intranet traffic.
  • Be aware of URL consistency to protect against attacks such as DNS redirection (rebinding) and “time of check, time of use” (TOCTOU) race conditions.
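An added example (not from the article) of a deny-by-default check on a user-supplied URL, in the spirit of the bullets above: scheme and host are allow-listed, embedded credentials are rejected, and the resolved address is checked and returned so the caller connects to that address rather than resolving the name a second time. The allow list is hypothetical and the resolver is injectable so the check can be tested offline:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allow list: the only destinations this feature is meant to fetch from.
ALLOWED_HOSTS = {"api.partner.example", "cdn.assets.example"}
ALLOWED_SCHEMES = {"https"}

def _is_public(ip: str) -> bool:
    """Reject loopback, private, link-local and other special-purpose addresses."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def resolve_target(url: str, resolver=socket.gethostbyname):
    """Validate a URL deny-by-default and return (host, ip) to connect to.
    Returning the resolved IP lets the caller pin the connection to it, closing
    the window in which a DNS answer could change between check and use."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ALLOWED_SCHEMES or host is None:
        raise ValueError("scheme or host not allowed")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host {host!r} not on allow list")
    ip = resolver(host)
    if not _is_public(ip):
        raise ValueError(f"{host} resolved to non-public address {ip}")
    return host, ip
```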

Security Misconfiguration

This occurs when basic security settings are either not implemented or have errors. Such bugs create dangerous security holes that leave the application and its data (and, therefore, the organization itself) open to cyberattack or hacking.

Affected objects: 

These include unpatched flaws, unused pages, unprotected files or directories, outdated software, and software running in debug mode. When a misconfiguration is found, it is vital to run a security audit to check for attacks or breaches.

How to prevent security misconfigurations: 

To avoid configuration problems, use a hardened installation process, including:

  • Development, QA, and production environments should be configured identically, with different credentials and user privileges in each. Automated deployment also keeps your applications up to date and reduces the window for attacks.
  • Unused features and frameworks should be removed or not installed in the first place.
  • A minimal platform without unnecessary features, components, documentation, or samples reduces the chance of configuration vulnerabilities.

Vulnerable and Outdated Components

Most online applications are built on third-party frameworks. Unvetted third-party code can lead to unwanted results such as access control violations, SQL injection, and so on.

Affected objects:

Insecure, unsupported, or outdated components introduce risk. This covers the application and web server, operating system, applications, database management system (DBMS), APIs, libraries, runtimes, and other components.

How to prevent risks from vulnerable and outdated components

Based on our experience in software development, we strongly recommend the following:

  • Obtain components from official sources over secure channels.
  • Monitor for libraries and components that are unmaintained or no longer receive security patches for older versions. If patching is impossible, consider deploying a virtual patch to monitor, detect, or protect against the discovered issue.
  • Remove unused dependencies and unnecessary features, components, files, and documentation.

While the OWASP Top Ten is useful for improving web application security, it is not the be-all and end-all. It focuses strongly on the server side, but many of today’s attacks target the client side. In other words, look in all directions: consider the OWASP Top 10 a starting point and complement it with practices tailored to your needs.

Let Relevant Secure Your Web Application

Although application software development and frameworks are becoming more secure, attackers keep finding new ways to attack their weak points. Deployment isn’t the end of the road: security experts need to find and fix every possible vulnerability, and how well that is done depends on their awareness of cyber threats and their application of strong security practices.

If you lack sufficient resources to defend your web application against cyber attacks, you can outsource it to managed security service providers like Relevant. Our experience in cybersecurity – from architecture and design to delivery and operations, has enabled us to protect apps, infrastructure, and processes for clients from various industries, including fintech, SaaS, and IoT. Contact us if you are searching for a reliable security partner to empower your digital world.

Written by
VP of Delivery at Relevant Software
I ensure delivery excellence and the high quality of the software development services our company provides. We carefully pick each employee and stick to high standards of product development to ensure the highest quality of code.
