Internet applications face the constant threat of attack from numerous sources using an ever increasing number of methods to exploit vulnerabilities in the application or underlying infrastructure. Application and service providers need to be ever more vigilant in order to keep up. The following are the top ten methods used (not in order) and some suggestions to help counteract them.
1. Injection: When hostile data is sent to the interpreter as part of a command, an injection is said to have occurred. SQL, OS, and LDAP injection are common occurrences in this regard. The hostile data can trick the interpreter by performing commands intended by the attacker and can result in data leakage.
SQL Inject Me is a tool that can help to minimize the risk of injection.
2. Cross Site Scripting: When an application takes hostile data and sends it to a web browser without authorization, Cross Site Scripting (XSS) takes place. The damage done can result in the user being directed to malicious websites and the user sessions being hijacked.
ZAP is a highly recommended tool to minimize the risk of XSS.
3. Broken Authentication: Broken authentication is a common security risk that can result in identity theft. If the web application functions that deal with user authentication and session management are not implemented properly, precious user data including their passwords and credit card information can be sent to an attacker.
Hackbar deals proficiently with broken authentication security risk.
4. Insecure Direct Object References: These can occur if an object is under exposure of an insecure reference. If security measures are not implemented, hackers can easily control the reference in order to get their hands on data.
Burp Suite can be used to test web applications for insecure direct object references.
5. Cross Site Request Forgery: As the name suggests, in this kind of security breach, the attackers can forge requests from an unaware logged on victim. The web application receiving the requests has no way of authenticating whether the requests are sent by the original user or by the attacker.
Tamper Data is a commonly used tool to modify “HTTP\HTTPS” headers and POST parameters. However, the tool has recently run into some compatibility issues with Google accelerator.
6. Security Misconfiguration: Security misconfiguration occurs when the code libraries being used by the application are not up to date and secure configurations for all frameworks, platforms, and servers are not defined.
Microsoft baseline security analyzer can be used to test the security configuration. Watabo is also a good tool in this regard.
7. Insecure Cryptographic Storage: Web applications must store sensitive data such as credit card information, passwords, SSNs, and other similar data entries by using proper encryption. If such data is weakly protected, attackers can easily gain access to it.
Developers must ensure that the correct data is being encrypted, must avoid known bad algorithms, and must ensure that the key storage is adequate.
Furthermore, the developers must be able to identify sensitive data and take steps to moved this data from memory as soon as it is not required.
8. Failure to Restrict URL Access: Most web applications check for URL security access when protected pages are being accessed, but do not perform these checks each time. As a result, attackers can easily forge URLs and access sensitive data and hidden pages.
Veracode’s static code analysis tool is a good solution to find URL access vulnerabilities in your application code.
9. Insufficient Transport Layer Protection: Through transport layer protection, web applications can assure the users that their interaction with the website is happening in a secure environment and their data is secure from attackers. When there is insufficient TLS, the user can be prompted with a warning about the low protection. Without transport layer protection user confidentiality and sensitive data are at risk. Implementing SSL (secure Socket Layer) is currently the most common way to provide this protection and the SSL implementation need to be check to ensure that it is correctly implemented.
Calomel SSL Validation is a helpful add-on in this regard.
10. Unvalidated Redirects and Forwards: Web applications sometimes direct users to different pages and links without any validation. These unvalidated redirects can result in the user landing on malicious pages and websites.
Veracode’s static code analysis tool or Codeplex’s Watcher can be used to find and eradicate this security risk in your coding.
In conclusion, no web application can ever truly be 100% secure, but with consistent security analysis applications can be improved to protect the users from most attackers.