Posts Tagged Web Application Security

Web Application Vulnerabilities: Securing Online Applications

Web application vulnerabilities are system flaws that can arise due to improper validation or sanitization of form inputs, misconfigured web servers, or application design flaws. Such vulnerabilities can be exploited by cybercriminals to compromise the application’s security and gain access to use the application as a breeding ground for malware.

Common security vulnerabilities that affect web applications.

  • Injection: This happens when an interpreter receives a compromised query or command. Examples of injection flaws include SQL, LDAP, and OS. The best way to stay protected against injection flaws is to avoid accessing external interpreters. Language specific libraries can be used to perform functions for system calls or shell commands as they don’t use shell interpreter of the Operating System. If a call must be employed (such as calls made to backend database), make sure to validate the data carefully.
  • Cross Site Scripting (XSS): XSS attacks occur when a web application sends data to a client browser without thorough validation. XSS vulnerabilities allow intruders to run malicious scripts on victim browser which spy on user sessions and redirect users to malicious websites in some cases. In order to avoid XSS, applications should be designed to perform vigorous checks against defined specifications. It is recommended to adopt a positive security policy which defines only what should be allowed.
  • Broken Authentication & Session Management: If these functions aren’t properly configured, attackers can compromise user identities and exploit a vulnerability to steal session tokens, keys, and passwords. This type of attack can be avoided by using custom authentication and session management mechanisms. Some session management criteria that should be incorporated include password change requests, password strength checks, session ID protection, browser caching, trust, backend authentication, etc.
  • Cross Site Request Forgery (CSRF): In this case, the attacker forces the victim to send requests that the server will consider to be legitimate. The requests are sent in the form of forged HTTP requests including session cookie of victim and other identification information. To prevent this, applications should use custom tokens in addition to tokens received from browsers because custom tokens are not remembered by browsers to initiate a CSRF attack.
  • Security Misconfiguration: It is important for applications to have a secure application environment. Application developers need to consider guidelines pertaining security mechanisms configuration, turning off unused devices, logs & alerts, etc.

Centex Technologies offers web application development and cybersecurity solutions to its clients. For more details on how to make your web application secure, contact Centex Technologies at (254) 213 – 4740.

, , ,

No Comments

Application Security Tips For Developers

27 February, 2017

Mobile applications play an integral part in our daily lives. Right from online shopping, banking, gaming to controlling IoT devices and tracking fitness level, there is an app for almost every task that we perform regularly. Considering the extensive usage of apps, hackers are continually looking for vulnerabilities that can be exploited to initiate an online attack. Therefore, developers need to follow stringent testing procedures to ensure that the mobile apps are secure and do not provide a backdoor to the hackers.

Listed below are some useful application security tips for developers:

Create A Secure Code

There are a lot of vulnerabilities in an application’s source code that can provide an easy access to the hackers. You must make sure that the code you write is absolutely confidential. If possible, encrypt the code so that it cannot be read by anyone who doesn’t have the decryption key. Perform constant source code scanning to test for any vulnerabilities right from the beginning of the app development process.

Secure The Network Connections At The Back End

The web servers accessed by your application programming interface (API) should also have proper security measures in place. Sensitive information transmitted between the app’s server and the user must be protected against eavesdropping. You can consider carrying out vulnerability scan and penetration test to ensure that the data is secure.

Input Data Validations

Input validation is the first line of defense from attacks against your application. In order to design a secure application, you should always test and retest the input entered by the users. It is important to ensure that the data entered is consistent to what the specific form field is designed for. If the data does not match the expected set of value, such as a number in place of alphabets, it may hamper the proper functionality of the application.

Actively Deny Bad Requests

You should be familiar with the types of data and programs accessed by your application. User requests that can potentially jeopardize the security of your app must be actively blocked. Unsupported headers, excessively long URLs, unusual characters and other unlikely requests can be eliminated by using an application firewall.

We, at Centex Technologies, provide complete network security services to the business firms in Central Texas. For more tips to secure your web applications, feel free to call us at (855) 375 – 9654.

,

No Comments

What Are Web App Attacks?

April 29, 2015

Web app attacks are among the most common types of data breaches posing serious threat to a business’ cyber security. These attacks can jeopardize the functioning of your website, inhibit its performance and in most cases, crash the website completely. As most web applications run in the browser, any potential security flaw can permit hackers to exploit the vulnerabilities in the apps and damage the business website.

Common Web App Attacks:

  • Cross-Site Scripting (XSS): These attacks use a vulnerable web application to send malicious client side code to be executed by the end user. Once this is done, the hacker can have access to browser’s session tokens, cookies and other sensitive data.
  • SQL Injections: This type of attack manipulates the vulnerabilities in the web apps in order to gain access to the databases and other information that they hold. These may include things such as email addresses, names, telephone numbers, postal addresses, bank account information, credit card details etc.
  • Cookie Poisoning/Hijacking: A number of web applications use cookies to save and retrieve user information like login id, password and email address. Cookie poisoning allows the hacker to access unauthorized information about the user to create new accounts or penetrate the existing account.
  • Directory Traversal: It is a form of HTTP attack in which the cybercriminal installs malicious software on the web server. If the attempt is successful, the hacker can have access to the restricted directories and execute commands that are outside of the server’s root directory.
  • Remote Command Execution: This allows the hacker to execute remote and random commands on the host computer through a vulnerable web application. These attacks are largely possible due to insufficient input validation.

Counter Measures Against Web App Attacks

  • Set Safe Permissions: Most often, the web apps are attacked due to the preventable vulnerabilities present in them. Make sure you set safe permissions for your files so that they can be written or executed only by the web server.
  • Scan For Vulnerabilities: This is extremely important to identify the potential vulnerabilities in your application that may make it open to cyber-attacks.
  • Use Application Firewall: Installing and regularly updating firewall can also provide an added layer of defense against web app attacks.
  • Restrict Unauthorized Users: Make sure that the write access to your files should be given to a limited number of users. This is applicable both for the server side and web app backend.

We, at Centex Technologies can help you evaluate and implement web app security measures in your organization. For more information, you can call us at (855) 375 – 9654.

, ,

No Comments