Hello everyone,
Hope everyone is safe and secure. Today we are discussing an introduction to web application security.
Web security is a critical aspect of web applications. Web application security is a real issue for the Internet, which has become the principal framework for the worldwide information society. Web applications provide an attractive interface to the client through a web page, and the page's script is executed in the client's browser.
Design patterns:
Design patterns are reusable solutions to commonly occurring problems in the design phase. A design pattern in software development captures experts' knowledge and experience in the form of a design template. These templates are applied in the software development life cycle (SDLC) to avoid the recurrence of specific issues in software applications.
The experience and knowledge that developers gain during development is captured and modeled as the answer to a specific problem, and that answer is named a design pattern. Developers can reuse these patterns in future, which reduces the work of developing applications. The equivalent idea, design patterns defined to resolve security problems within software applications, is called security design patterns. Using these security patterns then resolves the security issues within the applications.
Security Patterns:
A security design pattern applies experts' knowledge and experience in the form of proven solutions to recurring security problems. Security is generally disregarded because security aspects are missing from the life cycle. Only threat analysis from an attacker's viewpoint reveals the vulnerabilities in an application, and identifying threats at a later stage requires a great deal of effort. The presence of an efficient security design pattern therefore helps bridge the gap between developers and security experts by reducing vulnerabilities. Security patterns attempt to provide constructive assistance in the form of worked solutions and guidance on how to use them properly. A significant amount of research has already been performed in the field of security patterns.
Developers can also follow a catalog consisting of a set of design and implementation guidelines that highlight the programmer's viewpoint for writing secure programs. These guidelines are pragmatically collected from actual programming experience.
Researchers have designed sets of patterns to satisfy the security requirements of applications, but the growing risks on the web and the new threats that accompany them pose a challenge and add a new dimension to research in security patterns.
Logic Implementation
The business logic defines the functionality of the web application, which is specific to every application. Such functionality is manifested as an intended application control flow and is typically integrated with the navigation links of the web application. For instance, authentication and authorization are a standard part of the controlled flow in many web applications, through which a web application restricts its sensitive information and privileged operations from unauthorized users. This task must be performed through a proper collaboration of two approaches. The primary approach, practiced by most web applications, is interface hiding, where only the resources and actions accessible to the current user are presented as web links. The secondary approach requires explicit checks of the application state, which is maintained in session variables (or persistent objects in the database), before sensitive information and operations may be accessed.
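The two approaches above, modelled in plain Python without a web framework, as an added example that is not code from the original post. The route table, role names and session object are constructed for the illustration; the point is that interface hiding alone leaves every existing path reachable, while the explicit state check enforces the control flow on each request.

```python
# Added example (not from the original post): interface hiding versus an
# explicit check of session state. Routes, roles and sessions are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed route table: path -> minimum role needed to use it
ROUTES = {
    "/home": "user",
    "/reports": "user",
    "/admin/users": "admin",   # privileged operation
}
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}


@dataclass
class Session:
    """Application state kept per session (a stand-in for session variables)."""
    user: Optional[str] = None
    role: str = "anonymous"


def visible_links(session: Session) -> List[str]:
    """Approach 1, interface hiding: show only the links this user may follow."""
    return [path for path, need in ROUTES.items()
            if ROLE_RANK[session.role] >= ROLE_RANK[need]]


def handle_request_hiding_only(session: Session, path: str) -> Tuple[int, str]:
    """Relies on hidden links alone: any path that exists is served, so a
    user who types the path directly bypasses the intended control flow."""
    if path not in ROUTES:
        return 404, "not found"
    return 200, f"content of {path}"


def handle_request_checked(session: Session, path: str) -> Tuple[int, str]:
    """Approach 2: check the session state explicitly on every request,
    regardless of whether the link was ever shown to the user."""
    if path not in ROUTES:
        return 404, "not found"
    if session.user is None:
        return 401, "authentication required"
    if ROLE_RANK[session.role] < ROLE_RANK[ROUTES[path]]:
        return 403, "forbidden"
    return 200, f"content of {path}"
```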
TOP WEB APPLICATION VULNERABILITIES
Injection: Injection weaknesses such as SQL injection, NoSQL injection, and LDAP/Active Directory injection occur when untrusted data is passed on as part of a command or query.
Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
Sensitive Data Exposure: Many web applications and APIs do not properly protect sensitive data such as financial, healthcare, and PII records. Attackers steal or modify such weakly protected data to conduct credit card fraud, steal sensitive information, or commit other crimes. Sensitive data may be compromised when it lacks extra protection, such as encryption.
XML External Entities (XXE): Many older or poorly configured XML processors evaluate external entity references within XML documents. Attackers can use external entities to disclose internal files, perform remote code execution, reach internal file shares, scan internal ports, and mount denial-of-service (DoS) attacks.
Broken Access Control: Restrictions on what users are allowed to do are not properly enforced. Attackers take advantage of these flaws to access unauthorized functionality and other users' data.
Security Misconfiguration: Security misconfiguration is a commonly seen issue, for example a website showing verbose error messages that contain sensitive information, or misconfigured HTTP headers. Upgrade operating systems, frameworks, libraries, and applications in a timely fashion.
Cross-Site Scripting (XSS): XSS occurs whenever an application includes untrusted data in a web page without proper validation or escaping, or updates an existing web page with user-supplied data through a browser API that can create HTML or JavaScript. The attacker's script then executes in the victim's browser, where it can hijack user sessions or redirect the user to malicious sites.
Insecure Deserialization: This occurs when user-controllable data is deserialized by the site. The vulnerability potentially enables an attacker to manipulate serialized objects in order to pass harmful data into application code.
Using Components with Known Vulnerabilities: Using vulnerable versions of applications and APIs enables various attacks and impacts. Attackers steal data if the vulnerable components are not patched.
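The escaping that the XSS item above calls for, as an added example that is not code from the original post. It renders a constructed comment widget two ways, with user-supplied data dropped into the page unchanged and with the data escaped for both the attribute and the element-body context; the widget markup and the sample author and text are constructed.

```python
# Added example (not from the original post): rendering user data into HTML
# without and with escaping. Template and sample inputs are constructed.
import html

# The template itself opens exactly these four tags; any further "<" in the
# rendered output must have come from user-supplied data.
TEMPLATE_TAG_COUNT = 4


def render_comment_vulnerable(author: str, text: str) -> str:
    """User data is placed straight into the page, so markup or quote
    characters in it become part of the document (the XSS condition above)."""
    return f'<div class="comment" data-author="{author}"><p>{text}</p></div>'


def render_comment_escaped(author: str, text: str) -> str:
    """html.escape(quote=True) neutralises <, >, &, " and ', which covers both
    the quoted attribute value and the element body used in this template."""
    safe_author = html.escape(author, quote=True)
    safe_text = html.escape(text, quote=True)
    return f'<div class="comment" data-author="{safe_author}"><p>{safe_text}</p></div>'


def tag_count(rendered: str) -> int:
    """Count tag openers in the output; compare with TEMPLATE_TAG_COUNT to see
    whether user data was able to add markup of its own."""
    return rendered.count("<")
```

HTML entity escaping is right for these two contexts only; data placed inside a script block, a URL, or a CSS value needs the encoding for that context instead.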
AUTHOR:
MOSIN KHAN
Web Application Security Intern