As we discussed in our previous article, API security has become a significant cause of concern for many businesses. It is very important to identify possible API attacks as early as possible, and avoid them.
Because this is a topic of great importance, let’s have a look at the other most common and critical web application security risks according to OWASP, and at the ways to avoid them.
The Open Web Application Security Project (OWASP) is a global non-profit organization focused on improving software security.
OWASP attempts to inform developers, designers, architects and entrepreneurs on the dangers associated with the most popular security problems in web application security. OWASP, which promotes both open-source and commercial security products, has become known as a forum where IT professionals are able to network and build expertise.
The organization publishes a widely used Top Ten list of the most dangerous web application security vulnerabilities in 2019 and offers guidelines for fixing these flaws.
Here are the security risks reported in the OWASP Top 10 report:
Injection attacks
Injection attacks occur when untrusted data is sent to a code interpreter through a form input or some other data submission to a web application. An attacker could, for example, enter SQL code into a form field that expects a plain-text username. If that input is not properly protected, the result is the execution of the attacker’s SQL code.
The best way to prevent an injection attack is to validate or sanitize user-submitted data. In addition, a database administrator should set controls that minimize the amount of data an injection attack can expose.
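The username example above, worked through in code. This is an added example and not code from the original article: it uses an in-memory SQLite table with constructed rows, shows the string-built query beside a parameterized one (placeholder binding, the standard defence the article’s “sanitizing” points at), and adds an allowlist check on the username format as the validation layer.

```python
import re
import sqlite3

# Allowlist for a username field: only characters a real username may contain.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def validate_username(username: str) -> bool:
    """Input validation: reject anything outside the allowed username alphabet."""
    return USERNAME_RE.match(username) is not None


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The untrusted value is pasted into the statement text, so the SQL
    # interpreter cannot distinguish the data from the query itself.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Placeholder binding: the value travels separately from the statement,
    # so whatever it contains it can only ever be compared as a string.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo() -> dict:
    conn = make_db()
    # Constructed input: closes the quoted literal and appends a tautology.
    hostile = "' OR '1'='1"
    return {
        "validated": validate_username(hostile),          # False: fails the allowlist
        "vulnerable": find_user_vulnerable(conn, hostile),  # every row comes back
        "safe": find_user_safe(conn, hostile),              # no row has that literal name
        "legitimate": find_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Validation and parameterization are complementary: the allowlist stops malformed input at the edge, and the placeholder guarantees that even input which slips past validation can never change the query’s structure.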
Broken authentication
Flaws in the authentication (login) system can give hackers access to user accounts, and even the ability to compromise a whole system simply by using an admin account.
Strategies to minimize authentication vulnerabilities include requiring two-factor authentication and restricting or delaying repeated login attempts by means of rate limiting.
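Both mitigations in one login routine, as an added example that is not part of the original article. It assumes a constructed user store with salted PBKDF2 password hashes, a second factor verified with a standard TOTP implementation (RFC 6238, keyed here with the RFC’s own test-vector secret), and a per-account lockout after a fixed number of failures within a window. The store, thresholds and account names are all assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226, HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238) for Unix time `at`."""
    return hotp(secret, int(at) // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, totp_secret: bytes) -> dict:
    salt = os.urandom(16)  # per-user random salt
    return {"salt": salt, "hash": hash_password(password, salt), "secret": totp_secret}


# Constructed user store; the TOTP secret is the RFC 6238 test-vector key.
USERS = {"alice": make_user("correct horse", b"12345678901234567890")}


class LoginGuard:
    """Counts failed logins per account and locks the account after too many."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 300):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}  # account -> (count, time of first failure in window)

    def is_locked(self, account: str, now: float) -> bool:
        count, first = self._failures.get(account, (0, now))
        if now - first > self.lockout_seconds:
            self._failures.pop(account, None)  # window expired, start fresh
            return False
        return count >= self.max_failures

    def record_failure(self, account: str, now: float) -> None:
        count, first = self._failures.get(account, (0, now))
        if now - first > self.lockout_seconds:
            count, first = 0, now
        self._failures[account] = (count + 1, first)

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def login(guard: LoginGuard, account: str, password: str, code: str, now: float) -> str:
    """Returns "ok", "denied" or "locked"; both factors must verify."""
    if guard.is_locked(account, now):
        return "locked"
    user = USERS.get(account)
    if user is None:
        guard.record_failure(account, now)
        return "denied"
    password_ok = hmac.compare_digest(user["hash"], hash_password(password, user["salt"]))
    # Accept the current 30-second step and the previous one to tolerate clock drift.
    code_ok = any(hmac.compare_digest(code, totp(user["secret"], now - drift)) for drift in (0, 30))
    if password_ok and code_ok:
        guard.record_success(account)
        return "ok"
    guard.record_failure(account, now)
    return "denied"
```

The routine returns the same "denied" answer whether the password or the code was wrong, so a caller learns nothing about which factor failed, and the lockout is keyed by account so that guessing from many addresses still runs into it.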
Sensitive data exposure
If web applications do not protect confidential data such as financial information and passwords, attackers can access that data and use it for malicious purposes. A man-in-the-middle attack is one common method for stealing private information: attackers place themselves between two devices (often a web browser and a web server) and intercept or modify the communications between the two.
The risk of data leakage can be reduced by encrypting all confidential data and preventing any sensitive information from being cached. In addition, web application developers should be careful not to store sensitive data unnecessarily.
XML External Entities – XXE
This is an attack against a web application that parses XML input. The input can reference an external entity (such as a file on the server’s disk) in an attempt to exploit a vulnerability in the parser. An XML parser can be tricked into sending data to an unauthorized external entity, which can pass confidential data directly to an attacker.
The best way to prevent XXE threats is to have web apps accept a less complex data format, such as JSON, or at least to patch XML parsers and disable the use of external entities in XML applications.
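A parser configured the way the paragraph recommends, as an added example that is not from the original article. It uses Python’s standard expat binding and turns every entity declaration and external entity reference into a hard error before the parser could resolve anything; the two sample documents (a normal order and one declaring an external entity that points at a placeholder local path) are constructed for the demonstration.

```python
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when untrusted XML uses DTD features the application never needs."""


def parse_untrusted_xml(data: str) -> dict:
    """Parse XML with every entity mechanism turned into an error."""
    parser = xml.parsers.expat.ParserCreate()
    elements, text = [], []

    def forbid_entity_declaration(name, is_parameter, value, base, system_id, public_id, notation):
        # Fires for internal and external entity declarations alike, before
        # anything is resolved; this also stops entity-expansion bombs.
        raise UnsafeXmlError(f"entity declaration {name!r} is not allowed")

    def forbid_external_reference(context, base, system_id, public_id):
        raise UnsafeXmlError(f"external entity {system_id!r} is not allowed")

    parser.EntityDeclHandler = forbid_entity_declaration
    parser.ExternalEntityRefHandler = forbid_external_reference
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return {"elements": elements, "text": "".join(text)}


def is_rejected(data: str) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXmlError:
        return True
    return False


# Constructed inputs: an ordinary order document, and one whose DOCTYPE
# declares an external entity pointing at a placeholder file path.
BENIGN = "<order><item sku='A-100'>2</item></order>"
HOSTILE = (
    "<?xml version='1.0'?>"
    "<!DOCTYPE order [<!ENTITY leak SYSTEM 'file:///placeholder/local/file'>]>"
    "<order><item>&leak;</item></order>"
)
```

Rejecting the declaration itself (rather than only the reference) is deliberate: the application has no use for DTD entities at all, so the safest policy is to treat their mere presence as a malformed request and log it.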
Broken access control
Access control refers to the system that governs access to data or functionality. Broken access controls let attackers bypass authorization and perform tasks as if they were trusted users such as admins. For instance, a web application might let users change which account they are logged into simply by removing part of a URL, without any further authentication.
Access controls can be protected by ensuring that the web application uses authorization tokens and sets strict controls on them.
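The URL-tampering case contrasted with a token-based check, as an added example that is not from the original article. It assumes a constructed account store, an HMAC-signed token format (a deliberately minimal stand-in for a session or JWT-style token) and a placeholder signing key; the handler takes the caller’s identity only from the verified token and uses the URL solely to select the resource, then checks ownership or an admin role.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Placeholder signing key; a real deployment loads it from a secret store.
SERVER_KEY = b"constructed-server-key-do-not-reuse"

# Constructed resource store: account id -> owner and data.
ACCOUNTS = {
    "acct-1": {"owner": "user-1", "balance": 120},
    "acct-2": {"owner": "user-2", "balance": 75},
}


class Unauthorized(Exception):
    """The caller presented no valid identity."""


class Forbidden(Exception):
    """The caller is known but may not touch this resource."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, role: str, expires_at: int) -> str:
    """HMAC-signed token: identity, role and expiry are bound to the signature."""
    payload = json.dumps({"sub": user_id, "role": role, "exp": expires_at}).encode()
    signature = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(signature)}"


def verify_token(token: str, now: int) -> dict:
    try:
        payload_part, signature_part = token.split(".")
        payload, signature = _unb64(payload_part), _unb64(signature_part)
    except (ValueError, binascii.Error):
        raise Unauthorized("malformed token")
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise Unauthorized("bad signature")
    claims = json.loads(payload)
    if claims["exp"] <= now:
        raise Unauthorized("token expired")
    return claims


def get_account_insecure(account_id: str) -> dict:
    # Whatever account id the URL names is served; identity is never checked.
    return ACCOUNTS[account_id]


def get_account(token: str, account_id: str, now: int) -> dict:
    """Identity comes from the verified token; the URL only selects the resource."""
    claims = verify_token(token, now)
    account = ACCOUNTS.get(account_id)
    if account is None:
        raise KeyError(account_id)
    if account["owner"] != claims["sub"] and claims["role"] != "admin":
        raise Forbidden(f"{claims['sub']} may not access {account_id}")
    return account


def access_outcome(token: str, account_id: str, now: int) -> str:
    """Collapses the handler's result into a short status for callers."""
    try:
        get_account(token, account_id, now)
        return "ok"
    except Unauthorized:
        return "unauthorized"
    except Forbidden:
        return "forbidden"
```

The ownership check happens on every request, server-side, and the role claim cannot be edited by the client because it is covered by the signature; swapping the account id in the URL therefore yields a 403-style refusal instead of another user’s data.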
Security misconfiguration
The most frequent vulnerability in the list is security misconfiguration, which is often the result of using default settings or showing overly verbose errors. For example, an app could show a user excessively detailed error messages that expose vulnerabilities in the application. These attacks can be mitigated by removing any unused features from the code, eliminating unnecessary software features, and ensuring that the error messages shown to users are kept general.
Cross-site scripting
Cross-site scripting vulnerabilities happen when web apps allow users to inject custom code into a URL path or onto a website where other users will see it. This security flaw can be exploited to run malicious JavaScript code in a victim’s browser. Let’s take an example: a hacker might send a user an email that seems to come from a trustworthy bank, with a link to that bank’s website. The link might have some harmful JavaScript code appended to the end of the URL.
Cross-site scripting mitigation strategies involve escaping untrusted HTTP request data and validating and/or sanitizing user-generated content. It is well known that certain development frameworks, such as ReactJS or Ruby, provide some built-in cross-site scripting protection.
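The escaping and validation described above, as an added example that is not from the original article. It renders a user comment both unescaped and escaped for the HTML text context, and for the link case it allowlists the URL scheme before the value goes into an href attribute, so a link carrying script instead of an address is neutralized. The comment and URL samples are constructed.

```python
import html
from urllib.parse import urlparse


def render_comment_vulnerable(author: str, comment: str) -> str:
    # User text is pasted straight into the markup, so any markup in the
    # text becomes markup in the page.
    return f"<p><b>{author}</b>: {comment}</p>"


def render_comment(author: str, comment: str) -> str:
    # Escaping for the HTML text context: < > & " ' become entities.
    return f"<p><b>{html.escape(author)}</b>: {html.escape(comment)}</p>"


def safe_href(url: str) -> str:
    """Allowlist the scheme before a user-supplied URL goes into an attribute."""
    cleaned = url.strip()
    if urlparse(cleaned).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(cleaned, quote=True)


def render_link(text: str, url: str) -> str:
    return f'<a href="{safe_href(url)}">{html.escape(text)}</a>'


# Constructed samples: a comment containing a script tag and a link whose
# "address" is a script scheme rather than a web address.
SAMPLE_COMMENT = "<script>alert(1)</script>"
SAMPLE_URL = "javascript:alert(1)"

if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", SAMPLE_COMMENT))
    print(render_comment("mallory", SAMPLE_COMMENT))
    print(render_link("bank", SAMPLE_URL))
```

Escaping is context-specific: the text-context escape used for the comment is not enough on its own for an attribute or a URL, which is why the link path gets its own scheme check in addition to attribute quoting.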
Insecure deserialization
This risk affects web applications that serialize and deserialize data. Serialization means taking objects out of the application code and converting them into a format that can be used for a particular purpose, such as storing them on disk or streaming them. Deserialization is the opposite: transforming serialized data back into objects the program can use.
An insecure deserialization exploit is the consequence of deserializing data from unknown sources, and can lead to severe repercussions such as DDoS attacks and remote code execution. Restricting deserialization of data from untrusted sources is the only sure way to protect against insecure deserialization attacks.
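The restriction described above, made concrete as an added example that is not from the original article. It assumes a small constructed Order type and uses Python’s pickle as the serialization format under discussion: a restricted unpickler refuses to resolve any class or function that is not explicitly allowlisted, and a JSON loader with explicit field validation shows the preferred shape of accepting untrusted data, where no object graph is reconstructed at all.

```python
import io
import json
import pickle
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    quantity: int


# The only globals a pickle from outside is allowed to reference.
ALLOWED_GLOBALS = {(Order.__module__, Order.__qualname__)}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any global that is not explicitly allowlisted."""

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def serialize(obj) -> bytes:
    return pickle.dumps(obj)


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_outcome(data: bytes) -> str:
    """"ok" when the pickle only used allowlisted globals, otherwise "rejected"."""
    try:
        restricted_loads(data)
        return "ok"
    except pickle.UnpicklingError:
        return "rejected"


def order_from_json(text: str) -> Order:
    """Preferred shape: a data-only format plus explicit validation."""
    raw = json.loads(text)
    if not isinstance(raw, dict) or set(raw) != {"order_id", "quantity"}:
        raise ValueError("unexpected fields")
    if not isinstance(raw["order_id"], str) or not raw["order_id"]:
        raise ValueError("order_id must be a non-empty string")
    qty = raw["quantity"]
    if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0:
        raise ValueError("quantity must be a positive integer")
    return Order(raw["order_id"], qty)


def json_outcome(text: str) -> str:
    try:
        order_from_json(text)
        return "ok"
    except (ValueError, TypeError):
        return "rejected"
```

A pickle stream can name any importable callable, which is what makes unrestricted loading of untrusted input equivalent to letting the sender choose code to run; the allowlist closes that door for the pickle case, and the JSON path avoids the problem entirely.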
Using elements with known vulnerabilities
Web developers build their web apps from components such as libraries and frameworks. These are software parts that let them avoid repetitive work and provide the features they need. Typical examples include front-end frameworks such as React and smaller libraries used to add share icons or A/B testing.
Many hackers search these components for weaknesses that can then be used to plan and execute attacks. This is a huge threat, because most of these components are used on so many websites: just by finding a security hole in one of them, a hacker can leave hundreds of thousands of sites open to exploitation.
To reduce the risk of running components with known vulnerabilities, developers should remove outdated components from their projects, make sure that components come from a trustworthy source, and keep them up to date.
Insufficient logging and monitoring
Many web applications do not take sufficient measures to detect data breaches. The average time for a breach to be discovered is about 200 days after it happened, which gives hackers plenty of time to cause harm before anyone responds. To stay vigilant about attacks on their applications, organizations should put logging and monitoring in place, together with incident response plans.
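What “logging and monitoring” looks like at the smallest useful scale, as an added example that is not from the original article. It assumes the login handler emits one structured JSON line per attempt (the lines below are constructed, using documentation-range addresses) and runs a sliding-window detector over them that raises one alert per source address once failed logins within a minute cross a threshold, listing the accounts that source tried.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def auth_event(ts: str, source_ip: str, user: str, outcome: str) -> str:
    """One structured security log line, as the login handler should emit it."""
    return json.dumps({"ts": ts, "event": "login", "src": source_ip, "user": user, "outcome": outcome})


# Constructed log lines: one source trying several accounts within a minute,
# plus ordinary traffic from another address.
LOG_LINES = [
    auth_event("2024-05-01T10:00:00Z", "203.0.113.5", "alice", "failure"),
    auth_event("2024-05-01T10:00:04Z", "203.0.113.5", "bob", "failure"),
    auth_event("2024-05-01T10:00:09Z", "198.51.100.7", "carol", "success"),
    auth_event("2024-05-01T10:00:11Z", "203.0.113.5", "carol", "failure"),
    auth_event("2024-05-01T10:00:15Z", "203.0.113.5", "dave", "failure"),
    auth_event("2024-05-01T10:00:20Z", "198.51.100.7", "carol", "failure"),
    auth_event("2024-05-01T10:00:22Z", "203.0.113.5", "erin", "failure"),
    auth_event("2024-05-01T10:00:30Z", "203.0.113.5", "alice", "failure"),
]


def parse_line(line: str) -> dict:
    event = json.loads(line)
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def detect_failed_login_bursts(lines, threshold: int = 5, window_seconds: int = 60) -> list:
    """Sliding-window count of failures per source; one alert per source when the threshold is hit."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    accounts = defaultdict(set)   # src -> distinct accounts targeted so far
    alerts, alerted = [], set()
    for event in sorted((parse_line(line) for line in lines), key=lambda e: e["ts"]):
        if event["event"] != "login" or event["outcome"] != "failure":
            continue
        src = event["src"]
        queue = recent[src]
        queue.append(event["ts"])
        accounts[src].add(event["user"])
        while queue and event["ts"] - queue[0] > window:
            queue.popleft()  # drop failures that fell out of the window
        if len(queue) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "src": src,
                "failures": len(queue),
                "accounts": sorted(accounts[src]),
                "first": queue[0].isoformat(),
                "last": event["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(LOG_LINES):
        print(json.dumps(alert))
```

The alert carries the source, the count, the window bounds and the targeted accounts, which is the minimum an incident responder needs to act on it; the same structured lines can later be replayed to reconstruct what happened, which is exactly what is missing when an application only logs unstructured errors.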
You can find more info about the mentioned security threats HERE!