Thanks to the cloud, more organizations are building their own Web-based applications. Developers need to know which flaws in their applications an attacker is most likely to exploit. The Open Web Application Security Project (OWASP) Top 10 Web Application Security Risks list (the 2013 edition, summarized below) is a good starting point for preventing the most common Web application security issues.
1. Injection
Injection flaws occur when untrusted data is sent to an interpreter (SQL, LDAP, an OS shell) as part of a command or query, so that the interpreter treats attacker-supplied input as code. The result can be unauthorized reading or modification of private data, or execution of unauthorized commands. To prevent injection, use a trusted API that either avoids the interpreter entirely or provides a parameterized interface; where that is impossible, escape special characters using the interpreter's own escaping rules and validate input against an allowlist.
2. Broken Authentication and Session Management
Vulnerable authentication and session-management functions let attackers compromise passwords, keys or session tokens, or exploit other implementation flaws to assume other users' identities. Rather than having every developer write their own, provide a single, well-tested set of authentication and session-management controls with a simple interface, and check that those controls meet the requirements in OWASP's Application Security Verification Standard (ASVS).
3. Cross-Site Scripting (XSS)
When an application takes untrusted data and sends it to a user's Web browser without proper validation or escaping, the attacker's script runs in the victim's browser, where it can hijack the user's session, deface the site or redirect the user to malicious sites. Prevention starts with escaping all untrusted data according to the HTML context it is inserted into (body, attribute, JavaScript, CSS or URL), since each context needs a different encoding. Allowlist input validation is a useful second layer, but it is not sufficient on its own.
4. Insecure Direct Object References
Developers sometimes expose a reference to an internal implementation object, such as a file, directory or database key, in a URL or form parameter. Without an access-control check, an attacker can simply change that reference to reach data they are not authorized to see. To prevent this, check that the current user is authorized for every direct object reference they request. Alternatively, use per-user or per-session indirect object references (random tokens or a sequential index) that are mapped back to the real identifiers on the server, so the real keys are never exposed in the first place.
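An indirect reference map is simple to build but only half of the defense; the following added example (not the article's code) shows the map together with the ownership check that still has to run on the real identifier. The `INVOICES` store, the `IndirectReferenceMap` class and the two request-handling helpers are constructed for the illustration.

```python
import secrets

# Constructed data store (an assumption for the example): invoice id -> owner.
INVOICES = {101: "alice", 102: "alice", 103: "bob"}


class IndirectReferenceMap:
    """Per-session map from opaque tokens to real object identifiers.
    Pages emit the tokens; the database keys never leave the server."""

    def __init__(self):
        self._token_to_id = {}
        self._id_to_token = {}

    def reference(self, real_id):
        """Issue (or reuse) an unguessable token for a real identifier."""
        if real_id not in self._id_to_token:
            token = secrets.token_urlsafe(16)
            self._id_to_token[real_id] = token
            self._token_to_id[token] = real_id
        return self._id_to_token[real_id]

    def resolve(self, token):
        """Real id for a token issued to this session, else None."""
        return self._token_to_id.get(token)


def list_invoices(session_map, user):
    """Builds the links a page would show: only this user's invoices, and
    only as tokens, so a raw key such as 102 never appears in the HTML."""
    return [session_map.reference(i) for i, owner in INVOICES.items() if owner == user]


def fetch_invoice(session_map, user, token):
    """Two checks, both needed: the token must have been issued to this
    session, and the resolved object must still belong to the caller. The
    map hides identifiers; the ownership test is the actual access control."""
    real_id = session_map.resolve(token)
    if real_id is None or INVOICES.get(real_id) != user:
        return None
    return real_id


if __name__ == "__main__":
    alice_session = IndirectReferenceMap()
    links = list_invoices(alice_session, "alice")
    print("alice sees tokens:", links)
    print("alice opens first :", fetch_invoice(alice_session, "alice", links[0]))
    print("alice guesses 102 :", fetch_invoice(alice_session, "alice", "102"))
    bob_session = IndirectReferenceMap()
    print("bob replays token :", fetch_invoice(bob_session, "bob", links[0]))
```

A token copied out of Alice's page is meaningless in Bob's session, and a guessed raw key does not resolve at all; even if a token for someone else's object did reach the map, the ownership check rejects it.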
5. Security Misconfiguration
Out-of-date software, unnecessary features left enabled, overly informative error messages and default accounts with unchanged passwords are all examples of security misconfiguration, and they can occur at any layer of the stack. To prevent them, use a repeatable, preferably automated, hardening process that deploys identically configured development, QA and production environments. Periodic audits and scans, together with a subscription to each vendor's security-update notifications so that patches are applied promptly, catch many misconfiguration issues before an attacker does.
6. Sensitive Data Exposure
Attackers rarely break the cryptography itself. They steal keys, perform man-in-the-middle attacks, or take clear-text data off the server, in transit or from the user's browser. Prevention steps include encrypting sensitive data both at rest and in transit, discarding data you do not need to keep, sound key management, and storing passwords only as hashes produced by a salted, deliberately slow algorithm such as bcrypt, PBKDF2 or scrypt. Additionally, disable autocomplete and caching on any form or page that collects or displays sensitive data.
7. Missing Function-Level Access Control
Users can reach functions they are not authorized for by doing something as simple as changing a URL or parameter, because the application hides the link in the UI but never re-checks authorization on the server. To prevent this, enforce authorization in one central, easily managed mechanism, so that updating who may do what does not require edits to every function. Deny access by default and grant it explicitly according to organizational roles. In multi-step workflows, also verify that the workflow is in the correct state before allowing each step.
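The following added example (not code from the article) shows one way to centralize that check: a permission table that denies anything it does not list, a decorator that enforces it inside each handler so it runs however the function is reached, and an optional workflow-state predicate. The `PERMISSIONS` table, the role names, the handlers and the `attempt` helper are all constructed for the illustration.

```python
import functools

# Constructed role-to-permission map (an assumption for the example, not from
# the article). A permission absent from this table is granted to nobody.
PERMISSIONS = {
    "view_report": {"user", "manager", "admin"},
    "approve_expense": {"manager", "admin"},
    "delete_user": {"admin"},
}


class AccessDenied(Exception):
    pass


def can(current_user, permission):
    """Deny by default: an unknown permission yields an empty role set."""
    return current_user.get("role") in PERMISSIONS.get(permission, set())


def require_permission(permission, when=None):
    """Enforce the check inside the handler, so it fires no matter how the
    function was reached (menu link, typed URL, API call). `when` is an
    optional predicate over the handler's arguments for workflow steps that
    are only legal once an earlier step has happened."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(current_user, *args, **kwargs):
            if not can(current_user, permission):
                raise AccessDenied(f"{current_user.get('name')} may not {permission}")
            if when is not None and not when(*args, **kwargs):
                raise AccessDenied(f"{permission}: workflow not in the required state")
            return func(current_user, *args, **kwargs)
        return wrapper
    return decorator


@require_permission("view_report")
def view_report(current_user, report_id):
    return f"report {report_id}"


@require_permission("approve_expense", when=lambda expense: expense["state"] == "submitted")
def approve_expense(current_user, expense):
    expense["state"] = "approved"
    return expense


@require_permission("delete_user")
def delete_user(current_user, target):
    return f"{target} deleted"


@require_permission("export_all_data")   # not in PERMISSIONS: denied to everyone
def export_all_data(current_user):
    return "full dump"


def attempt(func, current_user, *args):
    """Report (allowed, result-or-reason) instead of raising; for demos/tests."""
    try:
        return True, func(current_user, *args)
    except AccessDenied as exc:
        return False, str(exc)


if __name__ == "__main__":
    bob = {"name": "bob", "role": "user"}
    alice = {"name": "alice", "role": "admin"}
    print(attempt(view_report, bob, 7))          # (True, 'report 7')
    print(attempt(delete_user, bob, "alice"))    # (False, 'bob may not delete_user')
    print(attempt(export_all_data, alice))       # denied even for admin
    print(attempt(approve_expense, alice, {"state": "draft"}))  # wrong workflow state
```

Because the decorator, not the page that renders the menu, is what decides, forcing the browser to `/admin/delete/...` gives an unauthorized user exactly the same refusal as clicking a link would.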
8. Cross-Site Request Forgery (CSRF)
In a CSRF attack, the attacker causes a victim's logged-in browser to send a forged HTTP request to a vulnerable application, for example through a crafted image tag or auto-submitting form on a site the attacker controls. Because the browser automatically attaches the session cookie and any other stored authentication information, the application cannot distinguish the forged request from a legitimate one, and the attacker can make changes to the victim's account. Every state-changing request should therefore carry an unpredictable token tied to the user's session, sent in a hidden form field or request header rather than in the URL, and the server must reject any such request whose token is missing or wrong.
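To make the cookie-versus-token distinction concrete, here is an added example (not code from the article) of a synchronizer token derived per session with an HMAC, and a state-changing handler that checks it. The `SERVER_SECRET`, the request dictionaries and the `handle_transfer` endpoint are constructed stand-ins for a real framework's configuration and request object.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key (an assumption for the example). In a real
# deployment it comes from configuration or a key store, never from source.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Derive an unpredictable token bound to the session. Because it is an
    HMAC over the session id, the server need not store it, and a token
    captured from one session is useless in any other."""
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, submitted):
    """Constant-time comparison against the expected value for this session.
    Comparing as bytes avoids the TypeError compare_digest raises for
    non-ASCII str input, which an attacker could otherwise provoke."""
    if not isinstance(submitted, str) or not submitted:
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


def handle_transfer(request):
    """A state-changing endpoint. `request` is a constructed dict with
    'cookies', 'form' and 'headers'. The cookie arrives automatically with a
    cross-site request; the token in the form body or header does not, so
    only a page the application itself served can supply it."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, "not logged in"
    token = request["form"].get("csrf_token") or request["headers"].get("X-CSRF-Token")
    if not verify_csrf_token(session_id, token):
        return 403, "csrf check failed"
    return 200, f"transferred {request['form']['amount']} to {request['form']['to']}"


if __name__ == "__main__":
    sid = "sess-7f3a"                       # constructed session id
    token = issue_csrf_token(sid)           # what the app embeds in its own form
    forged = {"cookies": {"session": sid},  # browser adds the cookie for the attacker
              "form": {"amount": "1000", "to": "mallory"}, "headers": {}}
    legit = {"cookies": {"session": sid},
             "form": {"amount": "50", "to": "bob", "csrf_token": token}, "headers": {}}
    print(handle_transfer(forged))  # (403, 'csrf check failed')
    print(handle_transfer(legit))   # (200, 'transferred 50 to bob')
```

Setting the session cookie with the `SameSite` attribute is a worthwhile second layer, but the token check is what protects browsers and request paths that do not honor it.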
9. Using Components With Known Vulnerabilities
Application components such as frameworks and libraries almost always run with the full privileges of the application, so a vulnerable component can mean anything from data loss to server takeover. Many component projects do not issue patches for older versions; they fix the problem only in the next release, so upgrading, even when it is expensive, is often the only remedy and a smart long-term choice. Keep an inventory of the components you use and their versions, and have IT staff monitor public vulnerability databases, security mailing lists and the projects' own mailing lists so that known component vulnerabilities are found and fixed promptly.
10. Unvalidated Redirects and Forwards
An unvalidated redirect sends users to a site chosen by the attacker, which can phish their passwords or other sensitive data or install malware on their machines, all under the cover of a link that starts on your trusted domain; an unvalidated forward can let users bypass access-control checks by reaching an internal page directly. Audit the code for every redirect and forward, and for each one either avoid using a user-supplied parameter to choose the destination or validate the supplied value against an allowlist of permitted targets, mapping the parameter to a server-side value where possible. Periodic review keeps those checks intact as the code changes. If possible, avoid redirects and forwards driven by user input altogether.
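Validating a redirect parameter is harder than a simple prefix check because browsers and URL parsers disagree on edge cases. The following added example (not code from the article) validates a `next`-style parameter against an allowlist and rebuilds the target as a site-relative path rather than echoing the input; `ALLOWED_HOSTS`, `DEFAULT_TARGET` and the function name are assumptions for the illustration, and the comments call out the specific tricks each check defuses.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed site configuration (an assumption for the example).
ALLOWED_HOSTS = {"app.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(candidate):
    """Return a site-relative path to redirect to, or DEFAULT_TARGET if
    `candidate` cannot be proven local. The result is rebuilt from parsed
    parts, never echoed, so authority tricks in the input never reach the
    Location header."""
    if not candidate:
        return DEFAULT_TARGET
    # CR/LF or NUL in the value would enable header injection: refuse.
    if any(ch in candidate for ch in "\r\n\x00"):
        return DEFAULT_TARGET
    # Browsers treat backslashes like slashes ("/\evil.com" == "//evil.com"),
    # so normalise before parsing.
    try:
        parts = urlsplit(candidate.replace("\\", "/"))
    except ValueError:                      # e.g. malformed IPv6 literal
        return DEFAULT_TARGET
    if parts.scheme and parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET               # javascript:, data:, file: ...
    # hostname strips userinfo and port, so "https://app.example.com@evil.com"
    # is seen as evil.com and "app.example.com:443" as app.example.com.
    if parts.netloc and parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET               # other host, incl. "//evil.com"
    if not parts.netloc and not parts.path.startswith("/"):
        return DEFAULT_TARGET               # bare "evil.com" is not a local path
    # Collapse leading slashes: browsers read "///evil.com" as a host, while
    # urlsplit reads it as the path "/evil.com"; forcing one slash makes it a
    # path on this site either way.
    path = "/" + parts.path.lstrip("/")
    return urlunsplit(("", "", path, parts.query, ""))


if __name__ == "__main__":
    for value in ["/account?tab=2", "https://app.example.com/dashboard",
                  "https://evil.com/", "//evil.com/x", "/\\evil.com",
                  "javascript:alert(1)", "https://app.example.com@evil.com/",
                  "///evil.com", "evil.com"]:
        print(f"{value!r:40} -> {safe_redirect_target(value)!r}")
```

Where the destination set is small, an even simpler approach is to accept only a short key (`next=dashboard`) and look the real URL up in a server-side table, which removes the parsing problem entirely.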
Remember that this list isn't a panacea; it's a starting point. For a more in-depth security evaluation, have your developers assess their application against the ASVS.
About the Author: Melissa Cromwell is a content curator in the tech industry. She writes on such subjects as cyber security, targeted attacks, cyber warfare, data center infrastructure, cloud security and cloud service providers.