Web applications are becoming increasingly feature-rich, powerful, and complex. This complexity is a result of customers' rising technological demands. To meet those demands, organizations are continually releasing new versions of their web applications. While software development and operations teams deliver faster release cycles, it becomes difficult to scale web security to match.
According to research by F5 Labs, attacks on web applications are the biggest cause of security breaches (30%), and the average cost is close to $8 million per breach.
Based on various vulnerability reports, web applications are both a feasible attack point for hackers and a low barrier to entry. We are already seeing large amounts of data leaking every year.
According to a new report from IBM and the Ponemon Institute, the average total cost of a data breach was $3.86 million globally in 2020.
The data breaches in web applications are dangerous for many reasons:
● Public breaches damage a company's brand and reputation.
● Attacks on clients remain a threat.
● Regulatory agencies may impose fines and penalties.
● Loss of customer trust.
Therefore, cybersecurity experts routinely test their own systems for exploitable vulnerabilities and look for ways to strengthen them. To better protect web applications, organizations must establish a security-directed culture from the application's development stage itself. Unfortunately, most developers do not think about security while developing an app.
Below we have listed some common web application security flaws faced by businesses.
Common Web Application Security Flaws
1. Remote Code Execution (RCE)
Remote Code Execution is generally the most dangerous vulnerability in a web application.
In this type of flaw, attackers can run their own code within a web application that has some defect or weakness. Once the application is compromised, attackers can gain access to the server where all the important information resides, such as a database containing client-related information.
The most dangerous thing here is not just the real threat of data theft and the other risks of running malicious code on the server, but also the difficulty of detecting this fault. However, methods like penetration testing can help discover these defects and must be adopted for web applications that handle critical information.
How to prevent these attacks?
● Regularly patch your systems with the latest security updates.
● Have a plan to patch holes that allow an attacker to gain access.
2. SQL Injection (SQLi)
SQL Injection is a vulnerability in which an attacker inserts malicious SQL statements into a web application that builds insecure SQL queries for a database server (for example, MySQL). The attacker exploits weaknesses in the web application that are usually the result of poor development practices.
Hackers can use SQL injection to send SQL commands to the database server and, in return, gain access to data or to the entire database server. The main purpose is to steal data; however, with further access, an attacker can delete valuable records from the system, causing a denial of service. Beyond this, hackers can also insert malicious files into the system, which can allow the attacker to gain access to other systems as well.
SQL injection is one of the most common and dangerous web application security flaws. Since these attacks can destroy the SQL database behind a web application, all types of web applications need to take it seriously.
How to prevent these attacks?
● Keep your sensitive data separate from commands and queries.
● Use a secure API that provides a parameterized interface and avoids the use of an interpreter.
● Apply input validation to all input.
3. Cross-site Scripting (XSS)
Regardless of the variation within this category, all cases of cross-site scripting follow almost the same pattern. In a cross-site scripting vulnerability, attackers inject client-side scripts into websites viewed by other users. It can occur anywhere a web application accepts input from a user without validating it.
The attacker's usual objective is to get an unsuspecting user's browser to execute a malicious script (also referred to as the payload). This script runs in the context of a trusted web application. The prime focus is to steal users' data or modify it in order to gain access to sensitive information.
There are mainly two types of cross-site scripting flaws:
Persistent (stored): Persistent cross-site scripting occurs when data provided by the attacker is stored on the server. The malicious script is then returned to every user who accesses the web page containing it.
Non-Persistent (reflected): Non-persistent cross-site scripting is the most common type of web vulnerability. Here the malicious code is not saved in the database; instead, the application reflects the input directly as part of the page's response.
How to prevent these attacks?
● Check input data against both syntactic and semantic criteria.
● Check output data and ensure that only trusted data is passed to an HTML document.
● Sanitize data on both the client and server side.
● Use a Content Security Policy (CSP) that can detect and mitigate these attacks.
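The output-encoding and CSP points above, as an added example written for this article (not code from the original post or from ZNet): a stored comment is rendered once unchanged and once entity-encoded with Python's html.escape, and a restrictive Content-Security-Policy header is attached so that even a missed encoding cannot run inline script. The comment text and the policy values are constructed for the demonstration.

```python
import html

# Constructed stored comment: the kind of input a persistent XSS flaw
# would echo to every visitor of the page.
SAMPLE_COMMENT = "Nice post! <script>alert('xss')</script>"


def render_unsafe(comment: str) -> str:
    """Vulnerable: the comment is interpolated into the HTML untouched,
    so any tags it carries are parsed and executed by the browser."""
    return f'<div class="comment">{comment}</div>'


def render_safe(comment: str) -> str:
    """Hardened: HTML metacharacters (<, >, &, quotes) are entity-encoded
    before the comment enters the document, so the browser shows them as text."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def csp_headers() -> dict:
    """Response headers carrying a restrictive Content-Security-Policy
    (assumed example policy): scripts only from this origin, inline scripts
    and plugins blocked, so a stray payload cannot run even if encoding is
    missed somewhere."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; "
            "object-src 'none'; base-uri 'self'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


def has_raw_script_tag(fragment: str) -> bool:
    """Output check: does the rendered fragment still carry an unencoded <script tag?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print("unsafe :", render_unsafe(SAMPLE_COMMENT))
    print("safe   :", render_safe(SAMPLE_COMMENT))
    print("headers:", csp_headers())
```

Encode at the point of output, not on the way into the database: the same stored string may later be placed into HTML, a JavaScript literal or a URL, and each context needs its own encoding.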
4. Path Traversal
A path traversal (or directory traversal) attack is made to gain access to files and directories that lie outside the web application's root folder. Path or directory traversal attacks typically manipulate the variables that reference files, or variations of them, to reach folders on the server's file system.
Since these files may contain critical information like access tokens, passwords, or backups, a successful attack may allow a hacker to further exploit other vulnerable applications as well.
Path traversal flaws may not be as common as cross-site scripting and SQL injection flaws, but they still pose a major risk to web application security.
How to prevent these attacks?
● Review the web application code and the web server configuration.
● Validate user input.
● Do not store critical configuration files inside the web root.
5. Source Code Disclosure
This type of vulnerability is fairly common and can expose sensitive information about a web application to an attacker. Hence, it is important that the source code is kept safe, away from an attacker's eyes, especially if the web application is not open source.
In source code disclosure, a weakly configured server can be exploited to read arbitrary files. This can then be used to access the source code of web application files and configuration files. Disclosure of source code can leak sensitive information such as passwords, database queries, or input validation filters.
How to prevent these attacks?
● Keep a check on what aspects of the source code are exposed.
● Any file that is being served must be checked, and access to it restricted, so that public users cannot reach it.
● Ensure that your server has all the security patches applied.
● Remove any unnecessary files from the system.
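One check that serves both the path traversal section and the source code disclosure section above, as an added example written for this article (not code from the original post or from ZNet): a request path is percent-decoded, resolved against the web root, rejected if it lands outside that root, and rejected again if it names a source or configuration file rather than a static asset. The web root path, the list of servable extensions and the sample request paths are all constructed for the demonstration; nothing needs to exist on disk.

```python
from pathlib import Path, PurePosixPath
from urllib.parse import unquote

# Constructed web root for the example (assumed location, nothing on disk).
WEB_ROOT = Path("/srv/app/public")

# Only static asset types are ever served. Source and configuration files
# (.php, .py, .env, .bak, .sql ...) are refused even when they sit inside
# the root and are requested by their exact name.
SERVABLE_SUFFIXES = {".html", ".css", ".js", ".png", ".jpg", ".svg", ".ico", ".txt"}


class ForbiddenPath(ValueError):
    """Raised when a request would escape the web root or reach a non-servable file."""


def resolve_request_path(requested: str, root: Path = WEB_ROOT) -> Path:
    """Map a request path to a file under ``root`` or raise ForbiddenPath.

    Steps: percent-decode (so encoded dot segments are seen), reject NUL
    bytes, treat the path as relative to the root, resolve '.', '..' and
    symlinks, then confirm the result is still inside the root and has an
    allowed extension.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise ForbiddenPath("NUL byte in path")
    relative = PurePosixPath(decoded.lstrip("/"))
    root_resolved = root.resolve()
    candidate = (root_resolved / relative).resolve()
    if candidate == root_resolved or not candidate.is_relative_to(root_resolved):
        raise ForbiddenPath(f"{requested!r} escapes the web root")
    if candidate.suffix.lower() not in SERVABLE_SUFFIXES:
        raise ForbiddenPath(f"{requested!r} is not a servable asset type")
    return candidate


def is_servable(requested: str, root: Path = WEB_ROOT) -> bool:
    """Convenience wrapper: True if the request would be served, False if refused."""
    try:
        resolve_request_path(requested, root)
        return True
    except ForbiddenPath:
        return False


if __name__ == "__main__":
    # Constructed sample requests: two legitimate assets, three that must be refused.
    for req in ["css/site.css", "/index.html",
                "../../config/secrets.env",
                "%2e%2e/%2e%2e/config/secrets.env",
                "app/settings.php"]:
        print(f"{req!r:40} -> {'serve' if is_servable(req) else 'refuse'}")
```

Resolving before comparing is the important part: checking the raw string for ".." misses encoded and symlinked variants, whereas comparing the fully resolved path against the resolved root catches all of them with one rule. The extension allow-list is what keeps a correctly placed but sensitive file (a backup, an .env file) from being disclosed.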
6. Weak Passwords
Weak passwords always play an important role in a hack. To make things easy, applications sometimes allow simple passwords without complexity requirements, such as Admin123, Password@123, 12345, etc. Such passwords can be easily guessed, allowing an attacker to log in to the server with little effort.
In some cases, an attacker cracks a weak password using a dictionary attack, in which common dictionary words and names or common passwords are tried in turn. Most of the time, weak passwords are simply default usernames and passwords such as admin or admin12345.
Once an attacker gains access to the administrative portal, they can perform actions like changing configuration, viewing client-related information, uploading or modifying files, or making other changes to carry out their attack.
How to prevent these attacks?
● Use a complex password.
● Enable Multi-Factor Authentication (MFA).
● Do not use dictionary words in a password.
● Apply an account lockout feature after multiple failed attempts.
● Regularly change passwords.
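The complexity, dictionary and lockout points above, combined into one added example written for this article (not code from the original post or from ZNet): a registration-time policy check (minimum length, a denylist of common and default passwords, a character-class mix), salted PBKDF2 storage, and a login routine that locks the account after a fixed number of failures. The denylist entries, the thresholds and the PBKDF2 round count are constructed values for the demonstration; a production deployment would use a real breached-password list and tune the round count.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed denylist standing in for a real list of leaked and default passwords.
COMMON_PASSWORDS = {
    "admin", "admin123", "admin12345", "password", "password@123",
    "12345", "123456", "qwerty", "welcome1", "letmein",
}
MIN_LENGTH = 12            # assumed policy value
MAX_FAILED_ATTEMPTS = 5    # assumed lockout threshold
PBKDF2_ROUNDS = 100_000    # assumed value; tune to your hardware


def is_acceptable(password: str) -> tuple:
    """Policy check at registration or change time: length, denylist, character mix.
    Returns (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if password.lower() in COMMON_PASSWORDS:
        return False, "appears on the common-password list"
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        return False, "needs at least three character classes"
    return True, "ok"


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked store cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_account(username: str, password: str) -> Account:
    """Refuse weak passwords up front; never store the plaintext."""
    ok, reason = is_acceptable(password)
    if not ok:
        raise ValueError(f"password rejected: {reason}")
    salt = os.urandom(16)
    return Account(username, salt, _derive(password, salt))


def authenticate(account: Account, password: str) -> bool:
    """Verify a login. A wrong guess counts toward lockout; a locked account
    always fails, even with the right password, until an operator clears it."""
    if account.locked:
        return False
    if hmac.compare_digest(_derive(password, account.salt), account.digest):
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
    return False


if __name__ == "__main__":
    for candidate in ["Admin123", "Password@123", "Correct-Horse-Battery-9"]:
        print(f"{candidate!r}: {is_acceptable(candidate)}")
    acct = create_account("ops", "Correct-Horse-Battery-9")
    for _ in range(MAX_FAILED_ATTEMPTS):
        authenticate(acct, "wrong-guess")
    print("locked after repeated failures:", acct.locked)
```

The lockout counter resets on a successful login and trips on the Nth failure; pair it with MFA and with logging of the lockout event, since a burst of lockouts across many accounts is the usual sign of a dictionary attack in progress.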
ZNet Technologies Private Limited, incorporated in 2009, is a cloud services provider offering cloud infrastructure and managed services to partners and end customers across the globe with a primary focus on India. We empower 90k+ websites.