5 Min read
The area of Web Application security is a growing concern for enterprise organizations. Half of all attacks are directed at web applications and that rate is increasing.
Factors such as the rise of cloud computing, use of open source technologies, the increase in data processing requirements, complexity of web applications and an increase in the overall sophistication level of attackers has led to an extremely challenging environment for IT security leadership.
Web application security is a central component of any web-based business. The global nature of the Internet exposes web properties to attack from different locations and various levels of scale and complexity. Web application security deals specifically with the security surrounding websites, web applications and web services such as APIs.
Web application security is the process of protecting websites and online services against different security threats that exploit vulnerabilities in an application’s code. Common targets for web application attacks are content management systems (e.g., WordPress), database administration tools (e.g., phpMyAdmin) and SaaS applications.
In this article we analyze most common web application vulnerabilities and how to mitigate them.
Web application vulnerabilities
A web application is basically software accessible via a web browser. Although like traditional software, it is also hosted on a server; users do not need to install it on their computer to use it. It is enough to access your pre-determined browser to access through an Internet network or intranet, to the functions the application offers.
Web application vulnerabilities are typically the result of a lack of input/output sanitization, which are often exploited to either manipulate source code or gain unauthorized access.
Such vulnerabilities enable the use of different attack vectors, including:
- SQL Injection – Occurs when a perpetrator uses malicious SQL code to manipulate a backend database so it reveals information. Consequences include the unauthorized viewing of lists, deletion of tables and unauthorized administrative access.
- Cross-site Scripting (XSS) – XSS is an injection attack targeting users in order to access accounts, activate Trojans or modify page content. Stored XSS occurs when malicious code is injected directly into an application. Reflected XSS takes place when malicious script is reflected off of an application onto a user’s browser.
- Remote File Inclusion – A hacker uses this type of attack to remotely inject a file onto a web application server. This can result in the execution of malicious scripts or code within the application, as well as data theft or manipulation.
- Cross-site Request Forgery (CSRF) – An attack that could result in an unsolicited transfer of funds, changed passwords or data theft. It’s caused when a malicious web application makes a user’s browser perform an unwanted action in a site to which a user is logged on.
There are several negative consequences that this type of attacks can bring to companies, such as:
- Significant financial losses
- Theft of sensitive data
- A negative perception of the brand
- Customer distrust
Web application security best practices
Important steps in protecting web apps from exploitation include using up-to-date encryption, requiring proper authentication, continuously patching discovered vulnerabilities, and having good software development hygiene. The reality is that clever attackers may be able to find vulnerabilities even in a fairly robust security environment, and a holistic security strategy is recommended.
Web application security aims to address and fulfill the four conditions of security, also referred to as principles of security:
- Confidentiality: States that the sensitive data stored in the Web application should not be exposed under any circumstances.
- Integrity: States that the data contained in the Web application is consistent and is not modified by an unauthorized user.
- Availability: States that the Web application should be accessible to the genuine user within a specified period of time depending on the request.
- Nonrepudiation: States that the genuine user cannot deny modifying the data contained in the Web application and that the Web application can prove its identity to the genuine user.
The process of security analysis runs parallel with Web application development. The group of programmers and developers who are responsible for code development are also responsible for the execution of various strategies, post-risk analysis, mitigation and monitoring.
Web application security can be improved by protecting against DDoS, Application Layer and DNS attacks.
Web application firewall (WAF)
A web application firewall or WAF helps protect a web application against malicious HTTP traffic. By placing a filtration barrier between the targeted server and the attacker, the WAF is able to protect against attacks like cross site forgery, cross site scripting and SQL injection.
A regular web application firewall (WAF) provides security by operating through an application or service, blocking service calls, inputs and outputs that do not meet the policy of a firewall, i.e. set of rules to a HTTP conversation. WAFs do not require modification of application source code.
WAF is a filter that sits in front of your application inspecting incoming traffic for potential threats and malicious activity. It is one of the most common means of protecting against attacks at the application layer.
WAFS have advanced detection capabilities that protect against major attacks, including the OWASP Top 10. For example, they protect against attacks that bypass traditional firewalls such as:
- SQL injection attacks, which manipulate data input to inject SQL code directly into a web server’s input stream and is then passed directly to the database. This code could retrieve sensitive data directly from the database.
- Cross-site Scripting (XSS) attacks inject malicious scripts that do not properly encode the input. The scripts would be executed by the client browser.
DDoS mitigation
A commonly used method for disrupting a web application is the use of distributed denial-of-service or DDoS attacks. DDoS mitigation refers to the process of successfully protecting a targeted server or network from a distributed denial-of-service (DDoS) attack. By utilizing specially designed network equipment or a cloud-based protection service, a targeted victim is able to mitigate the incoming threat.
DNS Security
The domain name system or DNS is the phonebook of the Internet and represents the way in which an Internet tool such as a web browser looks up the correct server. Bad actors will attempt to hijack this DNS request process through DNS cache poisoning, man-in-the-middle attacks and other methods of interfering with the DNS lookup lifecycle.
Conclusion
Factors such as the rise of cloud computing, use of open source technologies, the increase in data processing requirements, complexity of web applications and an increase in the overall sophistication level of attackers has led to an extremely challenging environment for IT security leadership.
If you have any questions about how to effectively protect your web applications, or how to optimize your cloud performance and reduce costs, contact us today to help you out with your performance and security needs.
