For many businesses, web security only becomes a priority after they have suffered a security breach. An effective web security approach must be both defensive and proactive. Let’s look at the 5 most common web security vulnerabilities and how you can prevent them.
Injection Flaws
A SQL injection flaw occurs when a website fails to filter untrusted input and passes that unfiltered data into a database query. The result is that the attacker is able to inject commands into the database.
It is preferable to filter everything your application receives from an untrusted source against a whitelist of known-good values. Blacklists are not recommended: they are usually easier to bypass and hard to get right, which is why blacklist-based approaches (antivirus signatures being the classic example) so often fail.
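As an added example (not from the original article), the vulnerable string-concatenated query beside its parameterised replacement, plus a whitelist check for a sort column, which cannot be passed as a bound parameter; the users table and sample rows are constructed here:

```python
import sqlite3

# Constructed sample data: a tiny in-memory users table (not from the article).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Untrusted input is spliced straight into the SQL text, so a quote in the
    # input changes the structure of the statement rather than just its data.
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # A bound parameter is always treated as data; the statement's structure
    # is fixed before the input is ever seen by the database.
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Identifiers such as column names cannot be bound as parameters, so here the
# whitelist is the control: anything not in the set is rejected outright.
ALLOWED_SORT_COLUMNS = {"id", "username", "role"}

def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    # Interpolation is safe only because sort_by is now one of our own constants.
    return conn.execute(f"SELECT username FROM users ORDER BY {sort_by}").fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # classic textbook input that breaks out of the quotes
    print("vulnerable:    ", lookup_vulnerable(db, payload))     # every row leaks
    print("parameterized: ", lookup_parameterized(db, payload))  # no such user
    print("sorted:        ", list_users_sorted(db, "username"))
```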
Missing Function-Level Access Control
This is an authorisation failure: when a function is called on the server, authorisation is not enforced as securely as it should be. Attackers can forge a request to the hidden functionality; the fact that it is not displayed in the UI does not stop a determined hacker.
To prevent this, authorisation must always be conducted on the server side.
Cross-Site Scripting (XSS)
This vulnerability allows attackers to compromise users’ interactions with a vulnerable application. They supply JavaScript through an input field, the application reflects or stores it, and the user’s browser executes it. The attacker can hence carry out any operation the user can perform and access the user’s data. If the user has privileged access, the attacker can also gain full control over the application.
A simple preventive measure is to never return raw HTML tags to the client; this has the added advantage of defending against HTML injection. It is also imperative to validate user input as soon as you receive it.
Insecure Direct Object Reference
An insecure direct object reference means a user can access an internal file or object that they should not be able to reach. It is therefore important to conduct access control checks consistently and properly on every request.
Security Misconfiguration
Server and application misconfiguration is very common. Examples include leaving directory listing enabled on the server, which can leak sensitive data; running outdated software; not changing default passwords and keys; and running the application with debug enabled in production. Some of these can be avoided by using an automated “build and deploy” pipeline that runs tests on deployment.
Aardwolf Security provide many different penetration testing options; get in touch with us for a web application pen test quote.