EITC/IS/WASF Web Applications Security Fundamentals

The Open Web Application Security Project (OWASP) offers resources that are both free and open. A non-profit OWASP Foundation is in charge of it. The 2017 OWASP Top 10 is the outcome of current study based on extensive data gathered from over 40 partner organizations. Approximately 2.3 million vulnerabilities were detected across over 50,000 applications using this data. The top ten most critical online application security concerns, according to the OWASP Top 10 – 2017, are:

• Injection
• Authentication issues
• Exposed sensitive data XML external entities (XXE)
• Access control that isn’t working
• Misconfiguration of security
• Site-to-site scripting (XSS)
• Deserialization that isn’t secure
• Using components that have known flaws
• Logging and monitoring are insufficient.

Hence The practice of defending websites and online services against various security threats that exploit weaknesses in an application’s code is known as web application security. Content management systems (e.g., WordPress), database administration tools (e.g., phpMyAdmin), and SaaS apps are all common targets for online application assaults.

Web applications are considered high-priority targets by the perpetrators because:

• Because of the intricacy of their source code, unattended vulnerabilities and malicious code modification are more likely.
• High-value rewards, such as sensitive personal information obtained through effective source code tampering.
• Ease of execution, because most assaults can be readily automated and deployed indiscriminately against thousands, tens, or even hundreds of thousands of targets at once.
• Organizations who fail to safeguard their web applications are vulnerable to attack. This can lead to data theft, strained client relationships, cancelled licenses, and legal action, among other things.

Vulnerabilities in websites

Input/output sanitization flaws are common in web applications, and they’re frequently exploited to either change source code or get unauthorized access.

These flaws allow for the exploitation of a variety of attack vectors, including:

• SQL Injection – When a perpetrator manipulates a backend database with malicious SQL code, information is revealed. Illegal list browsing, table deletion, and unauthorized administrator access are among the consequences.
• XSS (Cross-site Scripting) is an injection attack that targets users in order to gain access to accounts, activate Trojans, or change page content. When malicious code is injected directly into an application, this is known as stored XSS. When malicious script is mirrored from an application onto a user’s browser, this is known as reflected XSS.
• Distant File Inclusion – This form of attack allows a hacker to inject a file into a web application server from a remote location. This can lead to dangerous scripts or code being executed within the app, as well as data theft or modification.
• Cross-site Request Forgery (CSRF) – A type of attack that can result in an unintended transfer of cash, password changes, or data theft. It occurs when a malicious web program instructs a user’s browser to conduct an undesired action on a website to which they are logged in.

In theory, effective input/output sanitization might eradicate all vulnerabilities, rendering an application impervious to unauthorized modification.

However, because most programs are in a perpetual state of development, comprehensive sanitization is rarely a viable option. Furthermore, apps are commonly integrated with one another, resulting in a coded environment that is becoming increasingly complex.

To avoid such dangers, web application security solutions and processes, such as PCI Data Security Standard (PCI DSS) certification, should be implemented.

Firewall for web applications (WAF)

WAFs (web application firewalls) are hardware and software solutions that protect applications from security threats. These solutions are designed to inspect incoming traffic in order to detect and block attack attempts, compensating for any code sanitization flaws.

WAF deployment addresses a important criterion for PCI DSS certification by protecting data against theft and modification. All credit and debit cardholder data maintained in a database must be safeguarded, according to Requirement 6.6.

Because it is put ahead of its DMZ at the network’s edge, establishing a WAF usually does not necessitate any changes to an application. It then serves as a gateway for all incoming traffic, filtering out dangerous requests before they can interact with an application.

To assess which traffic is allowed access to an application and which has to be weeded out, WAFs employ a variety of heuristics. They can quickly identify malicious actors and known attack vectors thanks to a regularly updated signature pool.

Almost all WAFs may be tailored to individual use cases and security regulations, as well as combating emerging (also known as zero-day) threats. Finally, to acquire additional insights into incoming visitors, most modern solutions use reputational and behavior data.

In order to build a security perimeter, WAFs are usually combined with additional security solutions. These could include distributed denial-of-service (DDoS) prevention services, which give the extra scalability needed to prevent high-volume attacks.

Checklist for web application security
There are a variety of approaches for safeguarding web apps in addition to WAFs. Any web application security checklist should include the following procedures:

• Collecting data — Go over the application by hand, looking for entry points and client-side codes. Classify content that is hosted by a third party.
• Authorization — Look for path traversals, vertical and horizontal access control issues, missing authorization, and insecure, direct object references when testing the application.
• Secure all data transmissions with cryptography. Has any sensitive information been encrypted? Have you employed any algorithms that aren’t up to snuff? Are there any randomness errors?
• Denial of service — Test for anti-automation, account lockout, HTTP protocol DoS, and SQL wildcard DoS to improve an application’s resilience against denial of service attacks. This does not include security against high-volume DoS and DDoS attacks, which require a mix of filtering technologies and scalable resources to resist.

For further details, one can check the OWASP Web Application Security Testing Cheat Sheet (it’s also a great resource for other security-related topics).

DDoS protection

DDoS assaults, or distributed denial-of-service attacks, are a typical way to interrupt a web application. There are a number of approaches for mitigating DDoS assaults, including discarding volumetric attack traffic at Content Delivery Networks (CDNs) and employing external networks to appropriately route genuine requests without causing a service interruption.

DNSSEC (Domain Name System Security Extensions) protection

The domain name system, or DNS, is the Internet’s phonebook, and it reflects how an Internet tool, such as a web browser, finds the relevant server. DNS cache poisoning, on-path attacks, and other means of interfering with the DNS lookup lifecycle will be used by bad actors to hijack this DNS request process. If DNS is the Internet’s phone book, DNSSEC is unspoofable caller ID. A DNS lookup request can be protected using the DNSSEC technology.