As our laptops and mobile devices get more and more connective features, we also create additional loopholes for data and attacks to slip through. And as ever, new technologies are being created faster than security practices protecting users from exploitative use of those technologies.
Cybercrime incidents cost the world economy more than US$1 trillion in 2020. However, cybercrime is not all about hackers forcing their way into your network, it is also about how users – legitimate and otherwise – interact with and gain access to your system and your apps. This is why securing web applications is just as critical as securing your back-end systems.
In this article, we will go through a quick definition of what a web application is, detail the risks they can carry and show you what you can do to mitigate them.
What do we define as a “Web Application”?
When browsing a website, there are numerous technologies involved in returning what users see in their web browsers. In the early days, simple websites were made up of just HTML & CSS. However, as websites needed to become more complex to allow users greater levels of interactivity, website development and the tools involved ballooned rapidly.
As the need for more complex user interactivity arose, several technologies came about, among them:
- Server-side Programming allows developers to write code and create experiences based upon user interactions running on the servers our websites are hosted on.
- Databases – These are where we store and interact with complex data allowing our server-side code to access persistent information which can be used to enhance user experiences.
- Cookies – Cookies let us store data on a user’s device, which allows us to identify the same user between requests to a web server.
The above technologies and many others put together make up our web applications. Without these innovations, we wouldn’t be able to create rich experiences for the users.
However, interconnected technologies inevitably create security issues. If there are errors in the code or the databases or infrastructure were not set up in the correct way, people can exploit them for their own malicious purposes.
So without further ado, let’s dive into the 9 most common web application vulnerabilities we see today:
1. Broken access control
Access control imposes policies, keeping users from acting outside their explicit permissions. That’s why broken access control often leads to unauthorized information exposure and modifications or damage to data.
Almost every web application is reported to be susceptible to some forms of access control vulnerability. Depending on the types of data the attackers can get their hands on, the impact of a successful attack exploiting this kind of vulnerability could be severely detrimental to your business.
Some common access control vulnerabilities include:
- Bypassing access control checks by modifying the URL or API requests, HTML page or internal application state.
- Violations of the principle of least privilege, where access should only be granted for specific capabilities and roles, but is available to anyone.
- Escalation of privilege, which may allow acting as an admin when logged in as a user, or acting as a user without being logged in.
2. Cryptographic failure
We rely on cryptographic algorithms and protocols for secure communication on the Internet. You are safe to make your bank transactions and send that private message online because your data is encrypted before being sent to the recipient for decryption. Thanks to cryptography, your information is protected in cyberspace.
A cryptographic failure might be a weakness in a code, cipher, cryptographic protocol, or key management scheme, which leads to sensitive data being disclosed or systems being compromised. This may result in the exposure of passwords, credit card numbers, health records or business secrets.
An injection attack is a type of attack that injects malicious code into the application to perform an exploit/attack of some sort. Some of the most common types of injections are SQL, NoSQL, OS command, and Cross-site scripting.
For example, a SQL injection attack occurs when an attacker is able to inject custom SQL commands into the application, making it possible to perform actions with the database that were not intended. These SQL commands can give the attackers the ability to view sensitive data, change information, or delete data stored in the SQL database. At worst, this could end up causing a major security leak, comparable to cases where customer usernames and passwords were leaked online, resulting in lots of media coverage.
Security misconfiguration vulnerabilities occur when there is a misconfiguration or insecure configuration issue, making a component in the web application susceptible to attacks.
Attacks like buffer overflow, XSS or brute force/credential stuffing may target misconfiguration vulnerabilities.
Some of the risks for security misconfigurations include:
- Missing appropriate security hardening across any part of the application stack or using inappropriately configured permissions on cloud services.
- For upgraded systems, the latest security features are disabled or not configured securely.
- The software is out of date.
5.Vulnerable and outdated components
When was the last time you downloaded something for free on the Internet?
With the increase in third-party components that are available for free online to use in application development, there is an increasing risk of them becoming outdated and filled with security flaws, yet never get updated in the solution.
Some of the causes for vulnerable/outdated components you might encounter:
- Software is out of date or vulnerable, including the OS, web server, database management system, APIs, etc.
- You don’t scan for vulnerabilities regularly and don’t subscribe to security bulletins related to the components you use in development.
- You don’t upgrade the underlying platform, frameworks, and dependencies in a timely, risk-based fashion.
6. Identification and authentication failures
Identification and authentication attacks attempt to exploit the authentication process that a website uses to verify the identity of a user, service or application. Some authentication-related attacks are credential stuffing, password attacks, brute force or other automated attacks.
An application is prone to authentication weaknesses if it:
- Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.
- Permits weak passwords such as “123456”, “password”, or “abc123”.
- Uses ineffective credential recovery/ forgotten-password processes such as “knowledge-based answers”.
- Uses plain-text, encrypted, or weakly hashed password data stores.
- Has missing or ineffective multi-factor authentication.
7. Software and data integrity failures
Software and data integrity failures are related to code and infrastructure that don’t protect against integrity violations. One example is of application that has auto-update functionality, where updates are downloaded without adequate integrity verification but applied to the formerly trusted application. Ergo, attackers could upload their own updates for the distribution and operation on all installations.
8. Security logging and monitoring failures
Security logging and monitoring is a process that performs electronic audit logs for signs that help detect unauthorized security-related actions on a framework or an application that transmits or stores data. Insufficient logging and monitoring vulnerabilities occur when the security-critical event is not logged or monitored properly, which makes malicious activities harder to detect and escalate.
Without logging and monitoring, breaches can’t be detected. This can affect visibility, accountability, incident alerting and forensics. Insufficient logging, detection and monitoring include:
- Auditable events (logins, failed logins, high-value transactions) are not logged.
- Warnings and errors generate inadequate, unclear, or no log messages.
- The application can’t detect or alert for active attacks in real time or near real time.
9. Server-side request forgery (SSRF)
SSRF refers to an attack that lets an attacker send crafted requests from the back-end server of a vulnerable web application, allowing the attacker to manipulate the information in the realm of that server. It is commonly used by attackers targeting the internal networks that are behind firewalls or VPNs and can’t be reached from the external network. A common example is when an attacker can get control of a third-party service URL to which the web application makes a request.
Mitigating application vulnerability risks
In the modern web landscape, web applications can contain sensitive data such as usernames, passwords, personal data, credit cards and much more. Therefore, it is critical that every level of the applications is audited for and protected against attacks in cyberspace.
As the types of cyberattacks are continually getting more sophisticated, it’s essential that you use well-secured and monitored applications that follow the OWASP Top 10 guidelines.
Optimizely's platform is designed, reviewed, and tested using OWASP application standards. The software developed by the organization is continually monitored and tested using processes that can proactively identify and remediate vulnerabilities.
The company also has technical measures in place to protect Optimizely applications. Among them are access control measures including secure authentication and session management, network and transmission controls, data confidentiality as well as security in engineering.
The Optimizely Digital Experience Platform also has an always-enabled Web Application Firewall (WAF) to constantly monitor website traffic and filter out malicious traffic at the web application layer. The WAF also examines HTTP requests to your website, so malware, SQL injections or any illegitimate traffic can be challenged and either blocked or stopped.
Having been an Optimizely partner for over a decade and boasting the largest number of Optimizely certified developers of any partner in the world, we know the platform like the backs of our hands. And at Niteco, we know that mitigating threats to a web application requires much-needed focus on the end-user. That’s why our 24/7 Proactive Response service actively monitors security and performs incident management around the clock to give you peace of mind.
If you want to know more about our security practices and standards, get in touch so we can talk more about how we can help to protect your user data.