Securing the Web Application

Here we assess the web application to determine any flaws or weaknesses in security, pertaining to but not limited to confidentiality, availability, and integrity.

Common Types of Web Application Vulnerabilities

SQL Injection

SQL injection allows an attacker to read information from some or all of your databases, including sensitive data such as usernames and passwords, which makes this vulnerability especially critical.

An SQL injection vulnerability exists when input supplied by users of your web application, through any kind of form or field, is not properly sanitized or parameterized before it reaches a database query. A malicious individual can craft input that changes the meaning of the query and tricks the code into returning database information it was never meant to expose.

The following code is vulnerable to SQL injection because the user input is concatenated directly into the query:

// Vulnerable: the untrusted value of "input" becomes part of the SQL text itself
String query = "SELECT * FROM products WHERE category = '" + input + "'";
Statement statement = connection.createStatement();
ResultSet resultSet = statement.executeQuery(query);

This code can be easily rewritten in a way that prevents the user input from interfering with the query structure:

// Safe: the query structure is fixed and "input" is bound as a value only
PreparedStatement statement = connection.prepareStatement("SELECT * FROM products WHERE category = ?");
statement.setString(1, input);
ResultSet resultSet = statement.executeQuery();

Cross Site Scripting

Cross-site scripting is a type of security vulnerability which enables attackers to inject client-side scripts into web pages viewed by other users.

Some believe that XSS can be prevented simply by sanitizing form input from clients, but we have also found XSS delivered through HTTP headers, such as cookies and the Host field, to name a few. An attacker can even use a file upload to trigger XSS. Hence, the range of XSS vulnerabilities is very wide.

Cryptographic Weaknesses

Cryptographic weaknesses concern the confidentiality of data. Is critical or sensitive data, including identification and authentication data, transmitted in clear text? Are any older, vulnerable cryptographic algorithms in use? Are any older, vulnerable hash functions such as MD4, MD5, or SHA1 in use?

File upload

File upload functionality is a must-have these days, and if proper security measures are not put in place it can be dangerous. An attacker can upload a malicious file in order to plant a payload on the server and, for example, retrieve, modify or delete information.

XML external entity (XXE)

XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.

It can also facilitate server-side request forgery (SSRF) attacks.

Broken Access control

Access should ideally only be granted for the permissions or rights needed to fulfil one's duties. The principle of least privilege, which states that a user should receive the fewest privileges that still allow them to complete all their required tasks, should be upheld. There should be no way to bypass access control checks, so that modifying URL parameters does not become a possible attack vector.

Insecure direct object references arise when resources are exposed through unique identifiers and a user is able to view or edit someone else's account.

Elevation of privilege: acting as a user without being logged in, or acting as an admin when logged in as a user.

Forced browsing to authenticated pages as an unauthenticated user, or to privileged pages as a standard user.

Identification and Authentication Failures

Identification and authentication revolve around verifying that a person really is who he or she claims to be. There must be protections against automated attacks such as credential stuffing, where an attacker uses software to automatically try a list of usernames and passwords in the hope that a valid login is found. Default passwords for any part of the application infrastructure should also be changed.

Insufficient Logging and Monitoring

There must be robust logging and monitoring corresponding to the organizational security policy. Events such as logins, failed logins, and high-value transactions must be logged. Sensitive warnings and errors should also generate log messages. Logs should be stored locally and ideally backed up in another location to account for disaster recovery. The application should also be able to detect, alert on, or escalate attacks in real time, or as close to it as possible.
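As an added example (not part of the original page), the following Python script shows how the logged login events described above can be used to detect the credential stuffing mentioned under Identification and Authentication Failures: it parses constructed sample log lines (the line format and addresses are assumptions, not from the page), flags source addresses that fail logins against many distinct usernames within a short window, and lists the accounts that then logged in successfully from a flagged source so they can be escalated.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log lines (assumed format, not from the page): 203.0.113.9
# cycles through many usernames, the credential-stuffing pattern described above.
SAMPLE_LOG = """\
2022-05-01T10:00:01Z LOGIN_FAILED user=alice src=203.0.113.9
2022-05-01T10:00:02Z LOGIN_FAILED user=bob src=203.0.113.9
2022-05-01T10:00:02Z LOGIN_FAILED user=carol src=203.0.113.9
2022-05-01T10:00:03Z LOGIN_FAILED user=dave src=203.0.113.9
2022-05-01T10:00:04Z LOGIN_OK user=erin src=203.0.113.9
2022-05-01T10:00:10Z LOGIN_FAILED user=alice src=198.51.100.7
2022-05-01T10:01:00Z LOGIN_OK user=alice src=198.51.100.7
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAILED) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_log(text):
    """Parse lines in the format above into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(rec)
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=4):
    """Return {src: sorted usernames} for sources failing logins against at least
    min_users distinct accounts in one window (one user mistyping is not flagged)."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAILED":
            failures[e["src"]].append((e["ts"], e["user"]))
    alerts = {}
    for src, items in failures.items():
        items.sort()
        for i, (start, _) in enumerate(items):  # slide the window over each failure
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts

def successful_logins_from(events, flagged):
    """Accounts that logged in from a flagged source: likely compromised, escalate them."""
    return sorted({e["user"] for e in events
                   if e["event"] == "LOGIN_OK" and e["src"] in flagged})
```

Tune `window` and `min_users` to the application's normal traffic, and feed the resulting alerts into the same alerting path as the other security events the policy requires.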

© 2022 SafeKeep.