it

Why web security is so important?

Why should developers care about web security?

Due To COVID-19 Pandemic Cybercrime Rise Up 600%. Between 2020 and 2021 number of malicious web applications grew to 88%. Broken access control and injection attacks represented more than 75% of web application attacks. As it has been pointed out writing secure applications is becoming more and more important, in this article, I will explore the most common attacks and how to prevent them.

Common web app security vulnerabilities

  • Cross site scripting (XSS)
  • SQL injection (SQi)
  • Memory leak
  • Cross-site request forgery (CSRF)
  • Broken Authentication
  • Sensitive Data Exposure

Cross site scripting (XSS)

XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy.

What is the impact:

  • Account compromise
  • Page content replacement
  • Inject keylogger into browser

How to prevent:

  • Filter input on arrival: Filter user input as strictly as possible based on what is expected or valid input.
  • Encode data on output: Filter output by changing the crucial HTML opening and closing tags form example: < --> < > --> > " --> " ' --> '
  • Use appropriate response headers: Use the Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses in the way you intend.

SQL injection (SQi)

SQi is a web security vulnerability that allows attackers to insert malicious SQL statements into an insecure entry field for execution.

What is the impact:

  • Identity spoof
  • Data tampering
  • Hijack administrator privileges
  • Database breach

How to prevent:

  • Use input validation
  • Parameterize queries including prepared statements

Memory leak

A memory leak occurs when a location in memory is unintentionally modified or a variable is accidentally created in the wrong scope resulting in the potential for unexpected behavior in the software.

What is the impact:

  • The attacker might be able to launch a denial of service attack

How to prevent:

  • Precise timers and event handlers
  • Reduce use of global variables: Global variables are never disposed of by the garbage collector
  • Avoid creating multiple references to the same object and object mutation. Make a copy of the object instead

Cross-site request forgery (CSRF)

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a bit of help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing.

What is the impact:

  • The attacker may be able to change the email address on the victim's account, change the victim's password, or make a funds transfer

How to prevent:

  • For stateful software use the synchronizer token pattern
  • For stateless software use double submit cookies
  • Use the SameSite Flag in Cookies

Broken Authentication

Broken authentication lets someone log in to an account they’re not supposed to have access to, in general, refers to weaknesses in two areas: session management and credential management. In both cases, an attacker can use hijacked session IDs or stolen login credentials.

What is the impact:

  • Session hijacking: The attacker may take over one or more accounts giving the attacker the same privileges as the attacked user

How to prevent:

  • Implement multi-factor authentication (MFA)
  • Use weak-password checks by forcing users to create strong passwords
  • Place a limit on failed login attempts

Sensitive Data Exposure

Sensitive Data Exposure occurs when an individual or organization unintentionally reveals personal data such as user account/passwords, banking information, health information, personal information, etc.

What is the impact:

  • Financial loss
  • Identity hijacking
  • Decreased brand trust

How to prevent:

  • Encrypt data during transport
  • Use encryption algorithms
  • Use HTTPS protocol
  • Disable data caching that may store sensitive information

So why web security is important?

Web security is important regardless of project size, every developer should be aware of the tools that can help make applications be safe.

An ounce of prevention is worth a pound of cure.

– Benjamin Franklin.

sources: https://www.radware.com/2021-2022-global-threat-analysis-report/ https://owasp.org/

Basic – 7 (1).png

avatar
Tomasz Mlyczyński
20/05/2022
ebook