Today, with the popularization of the Internet and the rapid evolution of Web technology, online security is facing increasingly severe challenges. With the increase in the availability of online information and services, as well as the growth of attacks and damages on the basic sub-Web, security risks have reached an unprecedented level. As many security tasks focus on the network itself, Web applications are almost forgotten. Maybe this is because the application used to run an independent program on a computer. If the computer is secure, the application is secure. Today, the situation is quite different. Web applications run on different machines: clients, Web servers, database servers, and application servers. In addition, because they can be used by all people, these applications become the backend bypass of many attack activities.
The Web server provides several different ways to forward requests to the application server, and sends modified or new Web pages back to the end user, which makes it easier to break into the network illegally.
Moreover, many programmers do not know how to develop secure applications. Their experience may be the development of stand-alone applications or Intranet Web applications that do not consider catastrophic consequences when security defects are exploited.
Second, many Web applications are vulnerable to attacks through servers, applications, and internally developed code. These attacks directly pass the Perimeter Firewall security measures, because port 80 or 443 (SSL, secure socket protocol layer) must be open for normal operation of applications. Web application attacks include DoS attacks on applications, changes to Web content, and theft of key enterprise information or user information.
In short, Web application attacks are different from other attacks because they are difficult to discover and may come from any online users, or even verified users. So far, this aspect has not been taken seriously, because enterprise users mainly use firewalls and intrusion detection solutions to protect their network security, while firewall and intrusion detection solutions cannot detect Web attacks.
Common Web Application Security Vulnerabilities
The following describes a series of common security vulnerabilities and briefly explains how these vulnerabilities are generated.
Known vulnerabilities and error configurations
Known vulnerabilities include operating systems used by Web applications and all program errors or vulnerabilities that can be exploited in third-party applications. This problem also involves incorrect configurations, including insecure default settings or applications that the Administrator has not configured for security. A good example is that your Web server is configured to allow any user to pass through any directory path on the system, which may cause leakage of some sensitive information stored on the Web server, such as passwords, source code, or customer information.
Hide Fields
In many applications, hidden HTML fields are used to save system passwords or product prices. Despite its name, these fields are not very concealed and can be seen by anyone who executes "view source code" on the webpage. Many Web applications allow malicious users to modify these fields in HTML source files, providing them with the opportunity to purchase products at minimal cost or no cost. These attacks are successful because most applications do not validate the returned webpage. On the contrary, they think that the input data is the same as the output data.
Backdoor and debugging Vulnerabilities
Developers often establish backdoors and rely on debugging to eliminate application faults. This can be done during development, but these security vulnerabilities are often left in some final applications on the Internet. Some common backdoors allow users to log on without a password or access special URLs that are allowed to be directly configured by the application.
Cross-Site Scripting
In general, writing scripts across sites is a process of inserting code into a webpage sent from another source. One way to use cross-site scripting is to post information to the announcement board in HTML format, which is a good example of cross-site scripting. Malicious users will post malicious JavaScript code on the bulletin board. When you view the bulletin board, the server sends HTML to display it together with the malicious user code. The browser on the client executes the code because it considers it a valid code from the Web server. Parameter tampering
Parameter tampering includes manipulating URL strings to retrieve information that users cannot obtain in other ways. The backend databases that access Web applications are often called by SQL statements contained in URLs. Malicious users can manipulate SQL code to retrieve a list of all users, passwords, and credit card numbers or any other data stored in the database in the future.
Change cookie
Changing a cookie refers to modifying the data stored in the cookie. Websites often store cookies, including user IDs, passwords, and accounts, on the user system. By changing these values, malicious users can access accounts that do not belong to them. Attackers can also steal users' cookies and access users' accounts without entering IDs and passwords or performing other authentication.
Input information control
The input information check includes the ability to run system commands by controlling the input information in HTML format processed by CGI scripts. For example, Using CGI scripts to send messages to another user can be controlled by attackers to mail server password files to malicious users or delete all files in the system.
Buffer Overflow
Buffer overflow is a typical attack that allows malicious users to send a large amount of data to the server to paralyze the system. The system includes a preset buffer for storing the data. If the received data volume is greater than the buffer, some data will overflow into the stack. If the data is code, the system will then execute any code that overflows to the stack. A typical example of a Web application buffer overflow attack also involves HTML files. If the data in a field in an HTML file is large enough, it can create a buffer overflow condition.
Direct access to browsing
Direct access to browsing refers to directly accessing the web page that should be verified. Web applications without proper configuration can allow malicious users to directly access URLs containing sensitive information or make the companies that provide paid Web pages lose revenue.
Two steps for Web Application Security
Web application attacks can cause significant damage to enterprises' assets, resources, and reputation. Although Web applications increase the risk of enterprises being attacked, there are many ways to help mitigate this risk. First, you must educate developers about the security coding method. This step eliminates the security issues of most Web applications. Second, keep up with the latest security patches from all vendors. If you do not fix known defects, like a Trojan horse, attackers can easily use your Web application to access Web servers, database servers, and application servers through the firewall. Combining these two steps will greatly reduce the risk of Web application attacks. At the same time, management personnel must take strict measures to prevent anything from slipping through them.