
TOP 5 Security Risks in Web Applications




Web applications are applications that users reach over a network: either the Internet, a public network based on the TCP/IP (Transmission Control Protocol / Internet Protocol) protocol suite, or an intranet, the private internal network of an institution or company, which also carries its data over TCP/IP. A web application can also be understood as software that runs on a web server and is accessed through a web browser. The possibility of stealing a large sum of money from someone's bank account, or of obtaining valuable and confidential information, with just a few lines of code has led attackers to develop a host of malicious tools and strategies. Numerous communities and companies are working to improve the security of web applications and web sites. The international online organization OWASP (Open Web Application Security Project), which deals with the security of web and mobile applications, publishes a list of the ten most critical web application security risks roughly every three or four years. A vulnerability is a weakness in the design, implementation, use or management of an information system.

The TOP 5 security risks in web applications, following the OWASP model, are the following vulnerabilities:

Injection

This category covers the insertion of malicious input that some part of the application then interprets as code. SQL injection is the type mentioned most often, but there are many others: code injection (with subtypes such as PHP injection and JavaScript injection), cross-site scripting (XSS), in which script or HTML is injected into the pages the site serves to other users, and operating system command injection, one of the most serious forms because it gives the attacker control over the underlying operating system and host.

The severity varies from harmless to very dangerous depending on what the vulnerable component is allowed to do. SQL injection is especially dangerous because the attacker gains control of the database and can read, change or delete data. SQL injection itself comes in several variants, such as error-based, UNION-based and blind (boolean- or time-based) injection. Server-side code injection, for example PHP injection, is among the most serious failures, because the injected code executes on the server and can reach all of its data. Injected client-side script can load code from external sites, redirect the victim from one web site to another, or steal the session or cookies.

The fix depends on the type of injection, but the principle is always the same: untrusted data must never be interpreted as code. For SQL this means parameterized queries (prepared statements) instead of building statements by string concatenation. Filtering or escaping special characters is at best a secondary defence, and an attacker will look for a way around it, for example by encoding the characters differently or by targeting a numeric field where no quotes are needed at all. User input must always be validated on the server side for type, length and format and rejected before any further processing; client-side checks improve usability but are trivially bypassed and count for nothing as a security control.
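The following is an added example, not code from the original article: a string-concatenated login query beside a quote-escaping "filter" and a parameterized query, run against a constructed in-memory SQLite table. It also shows the bypass the text warns about, a numeric field where escaping quotes achieves nothing. Passwords are kept in the clear here only to keep the injection point simple; the Sensitive Data Exposure section covers how they should actually be stored.

```python
import sqlite3
from typing import List, Optional

# Constructed sample data for this example only.
USERS = [(1, "alice", "s3cret-alice"), (2, "bob", "s3cret-bob")]


def make_db() -> sqlite3.Connection:
    """In-memory database with a users table (constructed test data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, username: str, password: str) -> List[str]:
    """Builds the statement by concatenation, so a quote in the input
    changes the SQL grammar instead of being compared as data."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def escape_quotes(value: str) -> str:
    """The 'filter special characters' approach: double every single quote."""
    return value.replace("'", "''")


def login_filtered(conn, username: str, password: str) -> List[str]:
    """Same concatenation with quotes escaped. Stops the payload below, but
    only protects quoted string literals (compare get_user_filtered)."""
    query = ("SELECT username FROM users WHERE username = '" + escape_quotes(username)
             + "' AND password = '" + escape_quotes(password) + "'")
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username: str, password: str) -> List[str]:
    """Placeholders: the driver passes the values separately from the
    statement text, so the input can never be parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def get_user_filtered(conn, user_id: str) -> List[str]:
    """Numeric context: nothing quotes the value, so escaping quotes does
    nothing and '1 OR 1=1' is still executed as SQL."""
    query = "SELECT username FROM users WHERE id = " + escape_quotes(user_id)
    return [row[0] for row in conn.execute(query)]


def parse_id(raw: str) -> Optional[int]:
    """Server-side validation: accept only a plain decimal integer."""
    return int(raw) if raw.isdigit() else None


def get_user_parameterized(conn, user_id: int) -> List[str]:
    """Validated integer plus a placeholder: no way left to alter the query."""
    query = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(query, (user_id,))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"   # classic authentication bypass; '--' comments out the rest
    print(login_vulnerable(db, payload, "anything"))      # every user
    print(login_filtered(db, payload, "anything"))        # []
    print(login_parameterized(db, payload, "anything"))   # []
    print(get_user_filtered(db, "1 OR 1=1"))              # every user again
    print(parse_id("1 OR 1=1"))                           # None
```

The concatenated query turns `' OR 1=1 --` into a WHERE clause that is true for every row; doubling quotes stops that particular payload but is useless for the unquoted `id = ...` case, while the parameterized versions treat the input purely as a value.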

 

Broken Authentication

Software development teams often implement their own authentication or session management. A poor implementation of these mechanisms is one of the most common web application vulnerabilities. An attacker may reverse-engineer how the scheme works, for example how session identifiers are generated, and find a way to take over other users' sessions and identities. Such errors can be hard to find, since every implementation differs, but they are found regularly in logout handling, "remember me" (saved password) functions, password reset, and session timeout management. For authentication and session management it is always recommended to use verified, proven frameworks and standard cryptographic algorithms rather than home-grown ones.
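As an added example (not code from the original article), the session-handling mistakes listed above beside a minimal server-side session store: a predictable home-grown identifier next to tokens from the OS random generator, tokens hashed at rest, an idle timeout, a logout that actually invalidates the session, and token rotation after login. The fifteen-minute timeout and the `SessionStore` design are assumptions made for this example, not a standard.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed policy value for this example


def weak_session_id(user_id: int, login_counter: int) -> str:
    """A home-grown identifier of the kind the text warns about: built from
    values an attacker can observe or guess, so neighbouring sessions are
    trivially predictable."""
    return f"{user_id}-{login_counter}"


class SessionStore:
    """Server-side session table: random tokens, hashed at rest, idle
    timeout, explicit logout and rotation after login."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock            # injectable clock so expiry can be tested
        # keyed by SHA-256 of the token, so a copied table cannot be replayed
        self._sessions: Dict[str, dict] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = {"user": user_id,
                                           "last_seen": self._clock()}
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Resolve a presented token; expire it if it has been idle too long."""
        key = self._key(token)
        record = self._sessions.get(key)
        if record is None:
            return None
        now = self._clock()
        if now - record["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[key]        # expired: forget it on the server
            return None
        record["last_seen"] = now
        return record["user"]

    def logout(self, token: str) -> None:
        """Logout must invalidate server-side, not merely clear the cookie."""
        self._sessions.pop(self._key(token), None)

    def rotate(self, token: str) -> Optional[str]:
        """Issue a fresh token for the same user, e.g. right after login or a
        privilege change, so a token planted before authentication
        (session fixation) is worthless afterwards."""
        user = self.user_for(token)
        if user is None:
            return None
        self.logout(token)
        return self.create(user)


if __name__ == "__main__":
    print(weak_session_id(7, 41), weak_session_id(7, 42))   # guess the next one
    store = SessionStore()
    token = store.create("alice")
    print(store.user_for(token))                              # alice
    store.logout(token)
    print(store.user_for(token))                              # None
```

Storing only the hash of the token means a database dump does not hand out live sessions, and the injectable clock lets the timeout path be exercised without waiting fifteen minutes.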

 

Sensitive Data Exposure

Protecting sensitive data such as passwords and credit card numbers with cryptography has become a key element of a large number of web applications. No web application framework protects against insecure cryptographic storage by itself; the developer has to choose the algorithms and use them correctly. Sensitive data should be encrypted in transit (typically with TLS) so that data intercepted on the way is of no use to the attacker. Data such as passwords should never be stored in their plain form in the database. Since passwords are only ever used to authenticate the user, it is much safer to store a salted hash produced by a slow, purpose-built password hashing function (for example bcrypt, scrypt, Argon2 or PBKDF2), which turns the password into a string of meaningless characters that cannot practically be turned back into the original. A fast, unsalted hash such as plain SHA-256 is not enough: identical passwords produce identical hashes, and precomputed tables or GPU brute force recover common passwords quickly.
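An added example, not code from the original article, of the password-storage point above: a plain unsalted hash next to a salted, deliberately slow PBKDF2-HMAC-SHA256 derivation with a self-describing record format, constant-time verification, and a check for records created under weaker parameters. The record format and the `needs_rehash` helper are conventions chosen for this example; the 600,000-iteration figure is the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256.

```python
import base64
import hashlib
import hmac
import secrets

# OWASP Password Storage Cheat Sheet recommends 600,000 iterations for
# PBKDF2-HMAC-SHA256; bcrypt, scrypt or Argon2id are preferable where available.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """Plain hash: deterministic and fast, so identical passwords share a hash
    and precomputed tables or GPU brute force recover it quickly."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt plus slow key derivation. The stored record carries
    its own parameters so they can be raised later without a flag day."""
    salt = secrets.token_bytes(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time
    so the comparison itself leaks nothing about how many bytes matched."""
    try:
        algorithm, iterations_text, salt_b64, derived_b64 = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(derived_b64)
        iterations = int(iterations_text)
    except (ValueError, TypeError):
        return False           # malformed record: never authenticate on it
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record was created with weaker parameters than current policy;
    rehash on the next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    print(unsalted_sha256("Winter2024!") == unsalted_sha256("Winter2024!"))  # True: no salt
    record = hash_password("Winter2024!")
    print(record)
    print(verify_password("Winter2024!", record), verify_password("winter2024!", record))
```

Because the salt is random per record, hashing the same password twice yields two different records, and a leaked table gives the attacker no shortcut across users.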

 

XXE (XML External Entity)

XXE is an attack on web applications that parse XML from untrusted sources with a parser that processes document type definitions (DTDs). It is often grouped with XML injection, in which the attacker alters the content of an XML message. By declaring external or deeply nested entities in the DTD, the attacker can make the parser read local files or reach internal network resources and return the result in the response, exhaust the server's memory or CPU through entity expansion (a denial of service, the so-called "billion laughs" document), and on some platforms even execute malicious code, both on the application server and on the back-end systems the web service communicates with. Flaws of this type are resolved relatively reliably by disabling DTD processing and external entity resolution in the parser, or, where DTDs are genuinely required, restricting entities to trusted ones. It is also good practice to combine this with measures against man-in-the-middle attacks on XML exchanged between services, on the application layer and on other layers of the OSI (Open Systems Interconnection) model where possible.
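The following is an added example, not code from the original article, using Python's standard `xml.parsers.expat` and `xml.etree.ElementTree`. It measures how much text a small constructed entity-expansion document produces after parsing, shows what an external-entity payload looks like, and implements the fix the text describes in its strictest form: refusing any DOCTYPE in untrusted XML before the document ever reaches the real parser. The sample documents are constructed for this example; the two-pass "gate, then parse" structure is one way to do it with the standard library, where the accelerated ElementTree parser does not expose expat handlers directly.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

LOL = "lol" * 10   # 30 characters

# Constructed sample: nested internal entities. Each level is ten copies of
# the previous one, so &d; expands to 30,000 characters from a document of
# about 250 bytes. Ten levels instead of four is the classic "billion laughs".
ENTITY_BOMB = f"""<?xml version="1.0"?>
<!DOCTYPE bomb [
  <!ENTITY a "{LOL}">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<bomb>&d;</bomb>"""

# Constructed sample: an external entity that a permissive parser would resolve
# by reading a local file and placing its contents into the document.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>&xxe;</data>"""

# Constructed sample of a legitimate request: no DTD at all.
ORDER = '<order><item sku="A-1" qty="2"/></order>'


class DoctypeForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (DTD) declaration."""


def expanded_text_size(document: str) -> int:
    """Count the character data the parser emits after entity expansion,
    which is what the application would have to hold in memory."""
    total = 0

    def on_text(data: str) -> None:
        nonlocal total
        total += len(data)

    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = on_text
    parser.Parse(document, True)
    return total


def naive_text_length(document: str) -> int:
    """The unprotected path: ElementTree expands internal entities as-is."""
    return len(ET.fromstring(document).text or "")


def reject_doctype(document: str) -> None:
    """Stop at the first DOCTYPE. Web APIs almost never need a DTD in a
    request, and refusing it removes entity-expansion DoS and external
    entity (XXE) attacks with a single rule."""
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeForbidden("DOCTYPE '%s' not accepted in untrusted XML" % name)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(document, True)


def parse_untrusted_xml(document: str) -> ET.Element:
    """Gate, then parse: only DTD-free documents reach ElementTree."""
    reject_doctype(document)
    return ET.fromstring(document)


def is_rejected(document: str) -> bool:
    """Convenience predicate for the demo: did the gate refuse the document?"""
    try:
        parse_untrusted_xml(document)
    except DoctypeForbidden:
        return True
    return False


if __name__ == "__main__":
    print(len(ENTITY_BOMB), "bytes in, ", expanded_text_size(ENTITY_BOMB), "characters out")
    print("bomb rejected:", is_rejected(ENTITY_BOMB))
    print("xxe rejected:", is_rejected(XXE_PAYLOAD))
    print("order parsed:", parse_untrusted_xml(ORDER).tag)
```

Where a DTD cannot be refused outright, the same handler approach can be narrowed, for example by leaving internal entities alone but raising in `EntityDeclHandler` for any entity with a SYSTEM or PUBLIC identifier; refusing the DOCTYPE entirely is simpler and covers both failure modes at once.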

 

Broken Access Control

Access control mechanisms are a necessary and central element in the security design of any web application. To ensure adequate access control, all access control checks should be centralized, backed by a clearly worked-out policy for accessing the application's resources and clearly defined user roles in the system. Access control covers how access to web resources is restricted, including restrictions based on factors such as time of day, IP address, the HTTP client (browser), domain, the type of encryption the HTTP client supports, the number of times a given user has authenticated that day, possession of a particular hardware or software token, or some derived attribute that can be evaluated cheaply. The decision must always be made on the server and must deny by default; checks that exist only in the user interface, or that trust an identifier supplied by the client (for example an account or document id in a URL parameter) without verifying that the caller is entitled to that object, are the typical failures. Poorly implemented access control lets attackers reach other users' accounts and sensitive files and change users' access rights.
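As an added example (not code from the original article), the centralization the text calls for in miniature: one policy table that maps permissions to rules over the caller and the resource, a decorator that routes every handler through it with deny-by-default semantics, and, for contrast, a handler that fetches whatever id the client sends. The invoice data, the `finance` role and the permission names are constructed for this example.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, FrozenSet

# Constructed sample data: invoices and their owners.
INVOICES: Dict[int, dict] = {
    1001: {"owner": "alice", "total": 120.00, "voided": False},
    1002: {"owner": "bob", "total": 75.50, "voided": False},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str] = frozenset()


class Forbidden(PermissionError):
    """Raised when the central policy denies an action."""


# One central policy table instead of ad hoc checks scattered through handlers.
# Each rule sees the authenticated caller and the resource it asks for, so
# ownership and role can both be enforced. Anything not listed is denied.
POLICY: Dict[str, Callable[[User, dict], bool]] = {
    "invoice:read": lambda user, inv: inv["owner"] == user.name or "finance" in user.roles,
    "invoice:void": lambda user, inv: "finance" in user.roles,
}


def is_allowed(user: User, permission: str, invoice_id: int) -> bool:
    """Deny by default: an unknown permission or unknown invoice is a 'no'."""
    invoice = INVOICES.get(invoice_id)
    rule = POLICY.get(permission)
    if invoice is None or rule is None:
        return False
    return rule(user, invoice)


def authorize(permission: str):
    """Decorator that sends every handler through the same policy check."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(user: User, invoice_id: int, *args, **kwargs):
            if not is_allowed(user, permission, invoice_id):
                raise Forbidden(f"{user.name} may not {permission} invoice {invoice_id}")
            return handler(user, invoice_id, *args, **kwargs)
        return wrapper
    return decorator


def get_invoice_vulnerable(invoice_id: int) -> dict:
    """Insecure direct object reference: the id comes straight from the URL and
    is never tied to the caller, so changing 1001 to 1002 in the request
    returns another customer's invoice."""
    return INVOICES[invoice_id]


@authorize("invoice:read")
def get_invoice(user: User, invoice_id: int) -> dict:
    return INVOICES[invoice_id]


@authorize("invoice:void")
def void_invoice(user: User, invoice_id: int) -> bool:
    INVOICES[invoice_id]["voided"] = True
    return True


if __name__ == "__main__":
    alice = User("alice")
    clerk = User("carol", frozenset({"finance"}))
    print(get_invoice_vulnerable(1002)["owner"])        # bob's data, no check at all
    print(get_invoice(alice, 1001)["total"])            # alice reads her own invoice
    print(is_allowed(alice, "invoice:read", 1002))      # False: not hers, no role
    print(void_invoice(clerk, 1002))                    # finance role may void
```

Keeping the rules in one table means a new permission is a one-line addition that every handler picks up, and forgetting to register one fails closed rather than open.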

