logo
logo

Web Security: Is Your Site at Risk?

avatar
Heeweisiong
img

Security rarely becomes a concern for businesses until after a breach has happened. By definition, a proactive and defensive strategy for IT security is necessary. This article focuses on five key and common web-related IT security mistakes and offers advice on preventing them.



Too many businesses don't prioritise online security best practices until after a security breach has occurred. I've seen time and time again in my years of work as an IT security specialist how mysterious the world of web development security issues can be to so many of my fellow programmers. 



A proactive and defensive strategy must be used to combat web security threats. To that end, this piece hopes to instil a healthy degree of paranoia in the reader by encouraging a security mindset.



This guide focuses on five common and essential web security problems and prevention tips. The Open Web Application Security Project (OWASP), a global, non-profit organisation whose mission is to enhance software security worldwide, has identified the Top 10 Web Vulnerabilities that are the subject of this article.



Cyber security: authentication and permission 



We frequently encounter misunderstandings about the difference between authorization and authentication while conversing with other programmers and IT specialists. Of course, the fact that the acronym "auth" is frequently used for both contributes to this widespread misunderstanding. This misunderstanding is so frequent that it may qualify as "Common Web Vulnerability Zero" for this piece.



So let's define the difference between these two concepts first before moving on: 



Authentication: Confirming that a person is (or at least seems to be) a particular user since they have correctly entered their security information (password, answers to security questions, fingerprint scan, etc.). 



Authorization: Confirming that a given user has permission to access a specific resource or perform a particular operation. 



Put another way, permission is the knowledge of a particular entity's capabilities, whereas authentication is the knowledge of who an entity is. With this in mind, let's move on to the top 10 internet security concerns.



Common Web Security Mistake #1: Injection flaws



A classic inability to filter untrusted input leads to injection problems. It can occur when you send unfiltered data to the LDAP server, the browser, the SQL server, or any other location. We'll cover XSS in more detail later. This issue is that the attacker can send commands to these entities, causing data loss and browser hijacking for the clients. 



Your programme must filter everything it receives from unauthorised sources, preferably using an allowlist. Blocklists should never be used since they are challenging to get right and frequently simple to get around. Most antivirus software solutions offer excellent illustrations of malfunctioning blocklists. Pattern matching is ineffective.



Prevention: 


The good news is that preventing injection requires only "simply" filtering input correctly and considering whether one can trust information. The bad news is that, unless anything can be charged without a doubt (although in this case, "never say never" comes to mind), all input needs to be thoroughly screened.



For instance, in a system with 1,000 inputs, correctly filtering 999 of them is insufficient because this still leaves one field that could act as your system's fatal flaw. Additionally, you might believe that using a SQL query result in another query is a brilliant idea since you can trust the database, but if the perimeter is not secure, the input could come from individuals who have malicious intent. If you're curious, this is known as Second Order SQL Injection.


Since filtering is difficult to accomplish correctly (much like cryptography), I suggest relying on your framework's filtering capabilities because they have been thoroughly tested and have a track record of success. If you don't use frameworks, you should consider if doing so makes sense in the context of server security. In 99% of cases, it doesn't.



Common Web Security Mistake #2: Broken Authentication



This collection of several issues could arise due to flawed authentication. However, they are not all related. 


I strongly discourage anyone from rolling their authentication code in 2014 (what are you thinking?). The following are only a few examples of the numerous potential hazards and how difficult it is to get it right:


  • The referer header in the URL could expose the session id to another party. 
  • It's possible that the passwords aren't encrypted during storage or transmission. 
  • The session ids might be predictable, making accessing the system simple. 
  • Possible is session fixation. 
  • Potential issues include session hijacking, improperly implemented timeouts, HTTP (without SSL security), etc.


Prevention: 


A framework is the most straightforward approach to get around this web security flaw. You might be able to execute this correctly, but the first option is considerably more detailed. If you decide to write your code, be exceedingly cautious and familiarise yourself with the potential risks. There are a lot of them.



Common Web Security Mistake #3: Cross Site Scripting (XSS)



This is a relatively common input sanitization failure (a particular instance of error #1). On input, an attacker adds JavaScript tags to your web application. The user's browser will execute this input if it is returned to them in an unclean state. It can include creating a link and convincing someone to click it, or it might involve something much more malicious. The script starts when the website loads and can be used, for instance, to send the attacker your cookies.


Prevention: 


There is a simple web security Malaysia solution. Do not return HTML tags to the client. This has the added benefit of defending against HTML injection, a similar attack in which an attacker inserts plain HTML content (such as an image or a noisy hidden Flash player). It's not very effective, but it's certainly annoying ("Don't stop!"). The workaround usually converts all HTML entities so that Deleted is returned as Deleted. Another commonly used cleaning method is to use regular expressions to remove HTML tags that contain regular expressions. However, this is dangerous because many browsers easily interpret heavily corrupted HTML. It is recommended to change all characters to escaped characters.



Common Web Security Mistakes # 4: Insecure Direct Object References

 


This is typical of trusting user input and paying for the resulting security holes. A direct object reference means the user is exposed to internal objects such as files and database keys. The problem with this is that if an attacker can provide that reference and the authorization is not enforced (or broken), the attacker can ban access or do what should be excluded. 

For example, the code has a download.php module that reads a file, and the user can download the file by specifying the file name using the CGI parameter (e.g. download.php? File = something.txt). The developer has omitted authentication from the code by mistake or by laziness. An attacker can use it to download system files accessed by a user running PHP, such as the application code itself or other data on the server, such as backups. 


Another typical example of a vulnerability is the password reset feature, which relies on user input to determine which password to reset. An attacker could click on a valid URL and then change the username field in the URL to say something like "admin". 


Prevention: 


Performs user authentication and allowlist selection correctly and consistently. However, in most cases, you can avoid the entire problem by storing the data internally and not relying on the data passed by the client via CGI parameters. Session variables in most frameworks are suitable for this purpose.



Common Web Security Mistake #5: Security misconfiguration


In my experience, improperly set up web servers and apps are far more typical than those set up correctly. Perhaps this is due to the abundance of opportunities for error. Some instances: 


  • Use the programme while in production with debug turned on. 
  • Enabling directory listing on the server, which exposes sensitive data. 
  • Use outmoded software (think WordPress plugins, old PhpMyAdmin). 
  • Executing on the computer unneeded services. 
  • Without altering the default passwords and keys. (Occurs far more frequently than you may think!) 
  • Giving the attackers access to information about error handling, such as stack traces.



Prevention: 


A robust "build and deploy" process can perform tests while deploying, especially automated ones. Post-commit hooks are the working man's answer to security misconfiguration, preventing the code from being released with development or default passwords preinstalled.



Security is an important aspect of our lives, both online and off. Unfortunately, many people don’t take the necessary precautions to protect themselves and their data. In this post, we’ve outlined some of the most common web security mistakes people make and how you can avoid them. They also provide a few tips for keeping your information safe when browsing the internet. If you have any questions about web security or want help implementing these measures on your website, contact Spectrum Edge today.



Last but not least, if you found this article useful, kindly share it to your friends who might interested on this topic. Don't stop your exploring on other fascinating articles at Zupyak ! Enjoy your reading !


collect
0
avatar
Heeweisiong
guide
Zupyak is the world’s largest content marketing community, with over 300 000 members and 3 million articles. Explore and get your content discovered.