The tremendous growth in web application deployments has gone hand in hand with concerns around security.
Web application security must be addressed at every stage of the software development life cycle (SDLC) and even after an application has been deployed to the production environment.
Every three years, the Open Web Application Security Project (OWASP) publishes its report on the top 10 vulnerabilities in web applications.
Organizations are encouraged to submit data to the project by July 20, 2016. The goal of this project is to raise awareness and encourage you to improve the security of web applications within your SDLC.
Here are 10 tips on how to improve the security of your web applications.
Injection
Injection flaws such as SQL or LDAP injection are a common cause of security breaches in web applications.
This type of attack slips crafted input past input validation so that the interpreter reveals data or executes a command of the hacker's choosing without authorization.
To prevent this type of attack:
- Use a parameterized API
- Run the application with least privileges
- Whitelist only allowed characters; this complements, but does not replace, a parameterized API and running the application with least privilege
- Sanitize your inputs. Use SQL parameters in conjunction with the appropriate permissions configured on the SQL server so that input such as "100 OR 1=1" is treated as a value rather than as part of the query.
Tests can be performed to validate the parameters, cookies, headers, and path. Security issues should be detected early in the SDLC to minimize costs.
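As an added example (not code from the original article), the following Python shows the three injection controls above side by side on a constructed in-memory SQLite database: a concatenated query that lets the "100 OR 1=1" input rewrite the statement, the same lookup with a bound parameter, a whitelist check on the identifier, and a least-privilege connection that refuses writes. The table, rows and function names are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory demo database (not the article's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts (id, owner, balance) VALUES (?, ?, ?)",
        [(100, "alice", 50), (101, "bob", 75), (102, "carol", 20)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, account_id):
    """Builds the query by concatenation: the input becomes part of the SQL."""
    sql = "SELECT owner FROM accounts WHERE id = " + account_id
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, account_id):
    """Binds the value as a parameter: it can never change the query structure."""
    rows = conn.execute("SELECT owner FROM accounts WHERE id = ?", (account_id,))
    return [row[0] for row in rows]


def is_allowed_account_id(value):
    """Whitelist check: an account id is digits only. Defence in depth, not a substitute
    for parameterization."""
    return isinstance(value, str) and value.isdigit()


def restrict_to_read_only(conn):
    """Least privilege for this connection: writes are refused. SQLite's query_only
    pragma stands in for a database role that is granted SELECT only."""
    conn.execute("PRAGMA query_only = ON")


def attempt_write(conn):
    """Returns True if a write succeeded, False if the database refused it."""
    try:
        conn.execute("UPDATE accounts SET balance = 0 WHERE id = 100")
        return True
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_vulnerable(db, "100 OR 1=1"))
    print("parameterized:", lookup_parameterized(db, "100 OR 1=1"))
    restrict_to_read_only(db)
    print("write allowed:", attempt_write(db))
```

With the parameterized lookup the whole string "100 OR 1=1" is compared against the integer id column and matches nothing, while the concatenated version returns every owner in the table; the read-only connection shows what least privilege buys when an injection does get through.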
Broken authentication or authorization
This flaw allows a hacker to bypass the authentication or authorization of the web application. The most common authentication mechanism is a username and password. Once users enter their credentials, they are assigned a session ID.
To improve authentication or authorization:
- Encrypt the connections used to send passwords or session IDs
- Force users to use strong passwords
- Invalidate session ID when users log out or session times out
- Hash or encrypt stored credentials; never keep passwords in plaintext
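The following Python is an added example, not code from the original article, that puts three of the points above into working form: salted password hashing with PBKDF2 and a constant-time comparison, a simple strength policy, and a server-side session store whose IDs are unguessable and are invalidated both on logout and on timeout. The iteration count, the password policy and the session API are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 100_000  # assumed work factor; raise it as hardware allows
SALT_LEN = 16


def hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest for storage."""
    salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recomputes the digest with the stored salt and compares in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def is_strong_password(password: str) -> bool:
    """Assumed policy: at least 12 characters drawn from three character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= 12 and sum(classes) >= 3


class SessionStore:
    """Server-side sessions with an idle timeout and explicit invalidation on logout."""

    def __init__(self, timeout_seconds: float, clock=time.monotonic):
        self.timeout = timeout_seconds
        self.clock = clock  # injectable so tests can advance time
        self._sessions = {}  # session id -> (username, last_seen)

    def create(self, username: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness: unguessable
        self._sessions[sid] = (username, self.clock())
        return sid

    def user_for(self, sid: str):
        """Returns the user bound to a session ID, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, last_seen = entry
        if self.clock() - last_seen > self.timeout:
            del self._sessions[sid]  # expired: invalidate rather than silently extend
            return None
        self._sessions[sid] = (username, self.clock())
        return username

    def logout(self, sid: str) -> None:
        """Invalidates the session server-side so a captured ID cannot be replayed."""
        self._sessions.pop(sid, None)
```

The session ID is only a lookup key; everything about the session lives on the server, which is what makes logout and timeout actually effective rather than a cosmetic cookie deletion in the browser.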
Cross-site scripting (XSS)
This is the most common vulnerability exploited by hackers. Users are exposed if their data is not properly validated or escaped.
There are two types of XSS flaws. In stored XSS, the injected code is saved on the server and served to later visitors.
In reflected XSS, the payload is delivered to the user via a malicious link in an email or embedded in a website.
Take a strategic approach to preventing XSS:
- Assume that all data from external sources is malicious
- Make sure all data is escaped correctly based on HTML context
- Use a built-in library or framework
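As an added example (not code from the original article), the following Python renders a user comment first with raw interpolation and then with escaping chosen per HTML context, as the list above recommends: element text and attribute values go through html.escape, and a value placed inside a script block is JSON-encoded with the closing tag neutralised. The comment markup and the showAuthor function are assumptions made for the demonstration; a real application would use its template engine's built-in escaping rather than hand-rolled calls.

```python
import html
import json


def render_comment_vulnerable(author: str, body: str) -> str:
    """Interpolates untrusted data straight into HTML: injected markup is executed."""
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'


def escape_html_text(value: str) -> str:
    """For element content and quoted attribute values."""
    return html.escape(value, quote=True)


def escape_js_string(value: str) -> str:
    """For a JavaScript string literal inside a <script> block: JSON-encode, then
    break any '</' so the browser cannot end the script element early."""
    return json.dumps(value).replace("</", "<\\/")


def render_comment_safe(author: str, body: str) -> str:
    """Every untrusted value is escaped for the exact context it is placed in."""
    return (
        f'<div class="comment" data-author="{escape_html_text(author)}">'
        f"<p>{escape_html_text(body)}</p>"
        f"<script>showAuthor({escape_js_string(author)});</script>"
        "</div>"
    )


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"  # constructed test input
    print(render_comment_vulnerable("eve", sample))
    print(render_comment_safe("eve", sample))
```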
Insecure direct object references
The hacker obtains data from the server by modifying the value of a parameter that refers to one object to gain access to another.
To mitigate this vulnerability, use an indirect reference map (an associative array) that translates per-user references into the real object identifiers. Additionally, check on every request that the user is authorized to access the requested object.
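The two controls above, as an added Python example that is not part of the original article: a per-session map hands the client random references instead of real identifiers, and the handler still checks ownership after resolving the reference. The invoice records, their owners and the function names are constructed for the demonstration.

```python
import secrets

# Constructed sample data: which user owns which invoice (not from the article).
INVOICES = {
    "inv-1001": {"owner": "alice", "amount": 120},
    "inv-1002": {"owner": "bob", "amount": 80},
    "inv-1003": {"owner": "alice", "amount": 45},
}


class IndirectReferenceMap:
    """Per-session map between random indirect references and real object ids.
    Clients only ever see the random keys, so real ids cannot be guessed or iterated."""

    def __init__(self):
        self._to_real = {}
        self._to_indirect = {}

    def reference_for(self, real_id: str) -> str:
        """Issues (or reuses) an unguessable reference for a real id."""
        if real_id not in self._to_indirect:
            key = secrets.token_urlsafe(12)
            self._to_indirect[real_id] = key
            self._to_real[key] = real_id
        return self._to_indirect[real_id]

    def resolve(self, indirect: str):
        """Returns the real id for a reference issued in this session, else None."""
        return self._to_real.get(indirect)


def list_invoices_for(user: str, refmap: IndirectReferenceMap) -> dict:
    """Builds what the user sees: indirect reference -> amount, own invoices only."""
    return {
        refmap.reference_for(real_id): inv["amount"]
        for real_id, inv in INVOICES.items()
        if inv["owner"] == user
    }


def fetch_invoice(user: str, refmap: IndirectReferenceMap, indirect: str):
    """Resolves the reference, then verifies ownership before returning anything."""
    real_id = refmap.resolve(indirect)
    if real_id is None:
        return None  # not a reference issued to this session
    invoice = INVOICES.get(real_id)
    if invoice is None or invoice["owner"] != user:
        return None  # authorization check, independent of the mapping
    return invoice
```

The second check matters even with the map in place: if a reference for another user's object ever leaks into the session (a bug, a shared cache), the ownership test still refuses it.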
Security misconfiguration
Security configuration errors can occur on the server or in the application itself.
Preventive measures include:
- A repeatable hardening process applied to the development, QA, staging and production environments
- Strong passwords used in each environment
- A process for deploying software updates and patches
- Regular audits to confirm the latest patches are applied and to detect configuration errors
Exposure of sensitive data
Sensitive data exposure results from a lack of encryption in transit or at rest. It also includes weak algorithms and weak password hashing.
Do the following:
- Encrypt all sensitive data during transport and at rest
- Secure information in transit over HTTPS
- Don’t store sensitive data
- Make sure you are using modern encryption
- Use robust algorithms
- Disable autocomplete in forms that collect data
- Disable caching in forms that collect data
Missing function level access control
A hacker with an account on the system can modify a URL to reach functionality intended for higher-privilege users.
- Deny access by default
- Don’t rely on the user interface alone; enforce protection on the back end at the function level
- Check access control on every URL
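As an added example (not code from the original article), the following Python implements the three rules above as a server-side check that runs on every request: routes are allow-listed with the roles permitted to call them, an unregistered path is denied rather than assumed public, and the path is normalised before lookup so "/admin/users/" or "/account/../admin/users" cannot dodge the rule for "/admin/users". The route table, role names and status codes are assumptions for the demonstration.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed route table: each function names the roles allowed to call it.
# Anything not listed here is denied; there is no "public by omission".
ROUTE_PERMISSIONS = {
    "/account/profile": {"user", "admin"},
    "/account/orders": {"user", "admin"},
    "/admin/users": {"admin"},
    "/admin/config": {"admin"},
}


def normalize_path(url: str) -> str:
    """Drops the query string and collapses '..', '//' and trailing slashes so the
    same function is always checked against the same rule."""
    return posixpath.normpath(urlsplit(url).path)


def is_authorized(user_roles: set, url: str) -> bool:
    """Deny by default: allowed only if the path is registered and the caller holds
    one of its roles. This runs on the server for every URL, regardless of which
    links the user interface chose to display."""
    allowed_roles = ROUTE_PERMISSIONS.get(normalize_path(url))
    if allowed_roles is None:
        return False
    return bool(user_roles & allowed_roles)


def handle_request(user_roles: set, url: str) -> int:
    """Returns an HTTP-style status: 200 when allowed, 403 when access is denied."""
    return 200 if is_authorized(user_roles, url) else 403


if __name__ == "__main__":
    # A regular user edits the URL from their own page to an admin function.
    print(handle_request({"user"}, "/account/profile"))  # allowed
    print(handle_request({"user"}, "/admin/users"))  # denied
```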
Cross-site Request Forgery (CSRF)
Hackers combine CSRF with social engineering to make users take actions without knowing it.
To prevent this, use a unique token in a hidden form field or URL parameter. Users can also be required to re-authenticate or prove that they are real users.
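The token defence above as an added Python example (not code from the original article): a per-session synchronizer token is generated on the server, emitted in a hidden form field, and compared in constant time on every state-changing request. A cross-site page cannot read the victim's token, so a forged submission arrives without it, or with a token from the attacker's own session, and is rejected. The CsrfProtector class, the form fields and the transfer handler are assumptions made for the demonstration.

```python
import hmac
import secrets


class CsrfProtector:
    """Per-session synchronizer token: generated server-side, placed in a hidden
    form field, and verified before any state-changing action is performed."""

    def __init__(self):
        self._tokens = {}  # session id -> token

    def token_for(self, session_id: str) -> str:
        """Issues one unpredictable token per session and reuses it for its lifetime."""
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def hidden_field(self, session_id: str) -> str:
        """Markup to embed in each form rendered for this session."""
        return f'<input type="hidden" name="csrf_token" value="{self.token_for(session_id)}">'

    def verify(self, session_id: str, submitted) -> bool:
        """True only if the submitted value equals the token bound to this session."""
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(submitted, str):
            return False
        return hmac.compare_digest(expected, submitted)


def transfer_funds(protector: CsrfProtector, session_id: str, form: dict) -> str:
    """State-changing handler: refuses the request unless the token matches the session."""
    if not protector.verify(session_id, form.get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    return f"transferred {form['amount']} to {form['to']}"
```

Binding the token to the session (rather than a single global secret) is what stops an attacker from simply reusing a token obtained through their own account.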
Use of components with known vulnerabilities
This specifically pertains to unpatched third-party components. Hackers take advantage of old, unpatched components because their flaws have been publicly disclosed.
This includes open-source libraries. The solution is to update to the version that fixes the flaw.
This also applies to popular CMSs like WordPress. Plugins frequently contain vulnerabilities and are frequently patched.
To help keep your CMS-based site safe, make sure you are running the latest version of each plugin.
Unvalidated redirects and forwards
Hackers use phishing to trick users into visiting a malicious site. To avoid this, do not let user-supplied data determine the redirect destination directly; instead have the target parameter carry a mapping value that the server translates into an allowed URL.
Staying aware of web application security will be an ongoing challenge. Being aware and using best practices will help mitigate attacks.
It is surprising how many options exist to improve the security of web applications. Our web application security checklist is a great place to start. Do you know of another great way to improve web application security or some tips that we didn’t mention? Tell us in the comments.