Top 6 common flaws in web application security and their resolution

Web applications are becoming more feature-rich, powerful, and complex. This complexity is a result of the rising technological demands of customers, and to meet those demands organizations are constantly releasing new versions of their web applications. As development and operations teams deliver faster release cycles, scaling web security becomes difficult.

According to research by F5 Labs, web and application attacks are the biggest cause of security breaches (30%), with an average cost close to $8 M per breach.

Vulnerability reports consistently show that web applications are both a feasible attack point for hackers and a low-barrier entry point. Large volumes of data already leak every year.

According to a new report from IBM and the Ponemon Institute, the average total cost of a data breach was $3.86 million in 2020, globally.

The data breaches in web applications are dangerous for many reasons:

  1. Public breaches damage a company’s brand and reputation.
  2. Attacks on clients remain a threat.
  3. Regulatory agencies may impose fines and penalties.
  4. Customers lose trust.

Therefore, cybersecurity experts routinely test their systems for exploitable vulnerabilities and look for ways to strengthen them. To better protect web applications, organizations must establish a security-focused culture from the application’s development stage onward. Unfortunately, most developers do not think about security while building an app.

Below we have listed some common web application security flaws faced by businesses.

Common Web Application Security Flaws

1. Remote Code Execution (RCE)

Remote Code Execution is generally the most dangerous vulnerability in a web application.

In this type of flaw, attackers can run their own code within a web application that has some defect or weakness. Once the application is compromised, attackers can gain access to the server that holds the important information, such as a database of client records.

The most dangerous aspect is not only the real threat of data theft and the other risks of running malicious code on the server, but also the difficulty of detecting this fault. Methods such as penetration testing can help discover these defects and must be adopted for web applications that handle critical information.

2. SQL Injection (SQLi)

SQL Injection is a vulnerability in which an attacker inserts malicious SQL statements into a web application that builds insecure SQL queries for a database server (for example, MySQL). The attacker exploits weaknesses in the web application that are usually the result of poor development practices.

Hackers can use SQL injection to send SQL commands to the database server and, in return, gain access to data or to the entire database server. The main purpose is to steal data; however, with further access an attacker can delete valuable records from the system, causing a Denial-of-Service condition. Hackers can also insert malicious files into the system, which can give the attacker access to other systems as well.

SQL injections are one of the most common and dangerous web application security flaws. Since these attacks can destroy the SQL database of a web application, all types of web applications need to take them seriously.
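The vulnerable login query described above beside its parameterized fix, as an added example that is not part of the original article. It uses Python's standard sqlite3 module with a constructed in-memory users table; the table, usernames and passwords are all assumptions for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext passwords only to keep the demo short; real systems store salted hashes.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so user input becomes SQL syntax."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values, so they can never
    change the structure of the statement, whatever characters they contain."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    # Constructed tampered username: the '--' comments out the password check.
    tampered = "' OR 1=1 --"
    print(login_vulnerable(conn, tampered, "wrong"))  # True: authentication bypassed
    print(login_safe(conn, tampered, "wrong"))        # False: treated as a literal string
```

Logging rejected logins whose username contains quote characters or SQL comment sequences is a cheap detection signal for probing of this kind.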

3. Cross-site Scripting (XSS)

Regardless of the variation within this category, all cases of cross-site scripting follow almost the same pattern. In a cross-site scripting vulnerability, attackers inject client-side scripts into web pages viewed by other users. It can occur anywhere a web application accepts input from a user without validating it.

The attacker’s common objective is to make an unknowing victim execute a malicious script (also referred to as the payload). This script runs in the context of a trusted web application. The prime focus is to steal users’ data, or to modify it, in order to gain access to sensitive information.

There are mainly two types of cross-site scripting flaws:

  • Persistent (stored): Persistent cross-site scripting occurs when the data provided by the attacker is stored on the server. The malicious script is then returned to every user who accesses the web page containing it.
  • Non-Persistent (reflected): Non-persistent cross-site scripting is the most common type of web vulnerability. Here the malicious code is not saved in the database; instead, the application echoes the input directly as part of the page’s response.
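Both XSS variants described above come down to the same defect, untrusted input written into HTML without output encoding. The following added example (not from the original article) shows a reflected and a stored rendering path, each in its vulnerable and its encoded form, using Python's standard html module; the page fragments, comment store and payload are constructed for the demonstration.

```python
import html

# Constructed comment store; in a real application this would be a database table.
STORED_COMMENTS = [
    "Great article!",
    "<script>alert(1)</script>",   # constructed stored-XSS payload submitted by a user
]

PAYLOAD = "<script>alert(1)</script>"  # constructed reflected-XSS test input


def render_reflected_vulnerable(search_term):
    """Reflected XSS: the query parameter is echoed straight into the page."""
    return "<p>Results for: " + search_term + "</p>"


def render_reflected_safe(search_term):
    """Output encoding: '<', '>', '&' and quotes become HTML entities, so the
    browser displays the text instead of parsing it as markup."""
    return "<p>Results for: " + html.escape(search_term) + "</p>"


def render_comments_vulnerable(comments):
    """Stored XSS: every visitor receives whatever an earlier user submitted."""
    return "<ul>" + "".join("<li>%s</li>" % c for c in comments) + "</ul>"


def render_comments_safe(comments):
    """Encode at the point of output, not only at the point of storage."""
    return "<ul>" + "".join("<li>%s</li>" % html.escape(c) for c in comments) + "</ul>"


def render_attribute_safe(value):
    """Attribute context: quotes must be encoded too (quote=True is the default),
    otherwise a single or double quote breaks out of the attribute."""
    return '<input name="q" value="%s">' % html.escape(value, quote=True)


if __name__ == "__main__":
    print(render_reflected_vulnerable(PAYLOAD))  # browser executes the script
    print(render_reflected_safe(PAYLOAD))        # rendered as visible text
    print(render_comments_safe(STORED_COMMENTS))
```

Encoding must match the output context (HTML body, attribute, JavaScript, URL); a Content-Security-Policy header is a useful second layer but does not replace encoding.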

4. Path Traversal

A path traversal attack (or directory traversal) aims to access files and directories that lie outside the web application’s root folder. Path or directory traversal attacks typically manipulate path variables, or variations of them, to reach folders on the server’s file system.

Since these files can contain critical information like access tokens, passwords, or backups, a successful attack may allow a hacker to further exploit other vulnerable applications as well.

Path traversal flaws may not be as common as Cross-site Scripting and SQL Injection flaws, but they still pose a major risk to web application security.
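A defensive path check for the flaw described above, as an added example that is not part of the original article. It uses only the Python standard library; the base directory and the requested file names are constructed for the demonstration.

```python
import os
from urllib.parse import unquote

BASE_DIR = "/srv/app/public"  # constructed document root for the demonstration


def safe_join(base_dir, requested):
    """Return the absolute path of `requested` inside base_dir, or None if it escapes.

    Steps: URL-decode once (catches ..%2F), reject NUL bytes, resolve '..' and
    symlinks with realpath, then require the result to stay under the real base.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None
    real_base = os.path.realpath(base_dir)
    # os.path.join discards real_base when `decoded` is absolute; the commonpath
    # check below catches that case as well.
    candidate = os.path.realpath(os.path.join(real_base, decoded))
    # commonpath (not startswith) rejects sibling-prefix tricks such as
    # /srv/app/public_old matching /srv/app/public.
    if os.path.commonpath([real_base, candidate]) != real_base:
        return None
    return candidate


if __name__ == "__main__":
    for name in ("reports/q1.pdf", "../../etc/passwd",
                 "..%2F..%2Fetc%2Fpasswd", "/etc/passwd", "../public_old/x"):
        print("%-28s -> %s" % (name, safe_join(BASE_DIR, name)))
```

Log every request that `safe_join` rejects; repeated traversal sequences from one client are a clear scanning indicator.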

5. Source Code Disclosure

This type of vulnerability is fairly common and can hand sensitive information about a web application to an attacker. Hence, source code must be kept out of an attacker’s reach, especially if the web application is not open source.

In source code disclosure, a weak server can be exploited to read arbitrary files. This can then be used to obtain the source code of the web application’s files and its configuration files. Disclosure of source code can leak sensitive information such as passwords, database queries, or input validation filters.

6. Weak Passwords

Weak passwords always play an important role in a hack. For convenience, applications sometimes allow simple passwords without any complexity, such as Admin123, Password@123, 12345, etc. Such passwords are easily guessed, allowing an attacker to log in to the server with little effort.

In some cases, an attacker cracks a weak password using a dictionary attack, in which common dictionary words, names, or common passwords are tried as the password. Most of the time, weak passwords are simply default usernames and passwords such as admin or admin12345.

Once an attacker gets access to the administrative portal, they can perform actions like changing the configuration, viewing client-related information, uploading or modifying files, or making other changes to carry out their attack.
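A registration-time password check for the problem described above, as an added example that is not part of the original article. The blocklist, default-credential pairs and minimum length are constructed assumptions; the check normalizes away digits and symbols so that Admin123 and Password@123 are still caught by their base words.

```python
import re

# Constructed blocklist; production systems check against large breached-password lists.
COMMON_PASSWORDS = {"admin", "password", "12345", "123456", "qwerty", "letmein", "welcome"}
# Constructed vendor-default credential pairs (username, password).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "admin12345"), ("root", "toor")}
MIN_LENGTH = 12  # assumed policy value


def normalize(password):
    """Lowercase and strip digits/punctuation so Admin123 and Password@123
    reduce to 'admin' and 'password' before the blocklist lookup."""
    return re.sub(r"[^a-z]", "", password.lower())


def password_problems(username, password):
    """Return the reasons a password should be rejected; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("based on a common password")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        problems.append("matches a default credential")
    return problems


if __name__ == "__main__":
    for user, pw in (("alice", "Admin123"), ("alice", "Password@123"),
                     ("admin", "admin12345"), ("alice", "correct-horse-battery-staple")):
        print("%-30s %s" % (pw, password_problems(user, pw) or "ok"))
```

Pair the check with rate limiting and lockout on the login endpoint, so that a dictionary attack against the remaining passwords is slow and visible in the logs.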

Final thoughts

You should consider best practices for cybersecurity while planning the development of your web applications. Now is the time for developers to learn from the vulnerabilities and help build a more secure web with robust applications.

Originally Published in ZNetLive

ZNet Technologies Private Limited, incorporated in 2009, is a cloud services provider offering cloud infrastructure and managed services to partners and end customers across the globe with a primary focus on India. We empower 90k+ websites.