The Open Web Application Security Project (OWASP) will soon release this year's list of the top 10 Web application security vulnerabilities. The list differs little from last year's, which indicates that those responsible for application design and development still fail to correct the same obvious mistakes. Many of the most common Web application vulnerabilities remain widespread. Much malware searches for and attacks these vulnerabilities, and even novice attackers can exploit them easily.
This article describes the five most common Web application vulnerabilities, how enterprises can fix the underlying problems, and how they can defend against these attacks.
Injection attacks and cross-site scripting attacks
Web applications have two common serious defects. The first is injection attacks in their various forms, including SQL, operating system command, email, and LDAP injection. These attacks carry malicious data inside commands or queries sent to the application. The crafted data causes the application to execute unintended commands or to access data the user is not authorized to see. If a website builds SQL queries from user data without checking that the data is valid, attackers can perform SQL injection: the malicious SQL they submit is passed straight through to the database. For example, Sony's PlayStation database suffered SQL injection attacks that embedded unauthorized code.
Cross-site scripting (XSS) attacks inject client-side script (such as JavaScript) into the Web application's output in order to attack the application's users. The browser executes the code, allowing attackers to hijack user sessions, redirect users to a malicious site, or deface the page. XSS is most likely in dynamically generated page content, typically where the application accepts user-supplied data without proper validation or output encoding.
To defend against injection and XSS attacks, the application should treat all data, whether it comes from a form, a URL, a cookie, or even the application's own database, as untrusted. Review all code that processes user-supplied data to ensure that it validates the data. Validation should remove or neutralize any characters or strings that could have a malicious effect before the data is passed to scripts and databases, and should check the type, length, format, and range of the input. Developers should use existing security control libraries, such as OWASP's Enterprise Security API or Microsoft's Anti-Cross Site Scripting Library, rather than writing validation code on their own. In addition, every value accepted from the client must be filtered and encoded before it is returned to the user.
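The two defenses above, a parameterized database query instead of string concatenation and HTML output encoding, shown side by side with the flawed pattern. This is an added example, not code from the article; the SQLite table and its rows are constructed for illustration.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory sample database for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # Query built by concatenation: user data becomes part of the SQL
    # syntax, so a quote in the input changes what the query means.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Parameterized query: the driver sends the value separately from
    # the statement, so it is only ever compared as data.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_greeting(name):
    # Output encoding: escape before placing data into page markup, so a
    # script tag inside the name is displayed as text rather than run.
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # the classic textbook injection probe
    print(find_user_vulnerable(db, probe))   # every row is returned
    print(find_user_safe(db, probe))         # no row matches the literal
    print(render_greeting("<script>alert(1)</script>"))
```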
Broken authentication and session management
The Web application must handle user authentication and establish a session to track each user's requests, because HTTP itself provides neither. Unless all authentication credentials and session identifiers are encrypted at all times and protected against other defects (such as XSS), an attacker may hijack an active session and assume the identity of the user. Because an attacker may find a session that the original user has not logged out of (a passing attack), all account management functions and transactions must re-verify the user even when the request carries a valid session ID. In addition, two-factor authentication should be considered for important transactions.
To detect authentication and session management problems, enterprises must perform code reviews and penetration tests. Developers can use automated code and vulnerability scanners to discover potential security problems. Pay particular attention to how session identifiers are handled and how users modify their account details. If there is no budget for a commercial product, many open-source and free, reduced-feature tools are available that can flag code or processes requiring closer inspection.
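A server-side session store that applies the points above: unguessable session IDs regenerated at login, idle expiry, and a re-authentication requirement for account management actions even when the session ID is valid. This is an added example, not code from the article; the timeout values and the `change_email` action are assumptions chosen for illustration.

```python
import secrets
import time

SESSION_IDLE_SECONDS = 900     # assumed idle timeout for the example
REAUTH_WINDOW_SECONDS = 300    # assumed: sensitive actions need a recent login


class SessionStore:
    """Sessions live on the server, keyed by a random 256-bit identifier."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now          # injectable clock, used by the tests

    def login(self, user, old_session_id=None):
        # Issue a fresh ID on login so a pre-authentication ID (one an
        # attacker could have planted or observed) is never upgraded.
        if old_session_id:
            self._sessions.pop(old_session_id, None)
        sid = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[sid] = {"user": user, "auth_at": t, "last_seen": t}
        return sid

    def user_for(self, sid):
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() - s["last_seen"] > SESSION_IDLE_SECONDS:
            self._sessions.pop(sid, None)      # expire idle sessions
            return None
        s["last_seen"] = self._now()
        return s["user"]

    def requires_reauth(self, sid):
        s = self._sessions.get(sid)
        return s is None or self._now() - s["auth_at"] > REAUTH_WINDOW_SECONDS

    def mark_reauthenticated(self, sid):
        self._sessions[sid]["auth_at"] = self._now()


def change_email(store, sid, new_email, reauthenticated=False):
    """Account management action: a valid session alone is not enough."""
    user = store.user_for(sid)
    if user is None:
        return "denied: no valid session"
    if store.requires_reauth(sid):
        if not reauthenticated:       # caller must re-verify credentials
            return "denied: re-authentication required"
        store.mark_reauthenticated(sid)
    return f"ok: {user} -> {new_email}"
```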
Insecure direct object references
This is another defect caused by poor application design. Its root cause is the incorrect assumption that users always follow the rules the application lays down. For example, if a user's account ID appears in the URL or in a hidden field of the page, a malicious user may guess another user's ID and submit a request to access that user's data, especially when ID values are predictable. The best way to prevent this vulnerability is to use random, unpredictable IDs, file names, and object names, and never to expose the real names of objects. References are commonly exposed in URLs and hyperlinks, hidden form fields, unprotected ASP.NET ViewState, list boxes, JavaScript code, and client-side objects such as Java applets. Every time a sensitive file or piece of content is accessed, the application must verify that the requesting user is authorized to see it.
Security misconfiguration
The infrastructure that supports a Web application includes a wide range of devices and software: servers, firewalls, databases, operating systems, and application software. All of these elements must be correctly configured and secured. Applications should run with the minimum permissions they need, yet many systems are not locked down this way. One major cause of poor system administration is that Web application managers and infrastructure support staff have never received the necessary training.
Providing adequate training and resources to the personnel who perform routine Web application administration is an important condition for ensuring security and confidentiality at every stage of the development process. Finally, penetration testing should be arranged for every Web application that handles sensitive data. This actively evaluates the application's ability to withstand attack and uncovers system vulnerabilities before they are exploited.
Conclusion
These five common Web application vulnerabilities have long been a pain point for IT security. They are not new vulnerabilities, but they remain unresolved. Until people have a sufficient understanding of Web application security, attackers will keep exploiting these defects for theft, fraud, cyber espionage, and other attacks.