CCB/U4 Topic 4 Web Application Security
Web application security is the process of protecting websites and online services against different security threats that exploit vulnerabilities in an application’s code. Common targets for web application attacks are content management systems (e.g., WordPress), database administration tools (e.g., phpMyAdmin) and SaaS applications.
Perpetrators consider web applications high-priority targets due to:
- The inherent complexity of their source code, which increases the likelihood of unattended vulnerabilities and malicious code manipulation.
- High value rewards, including sensitive private data collected from successful source code manipulation.
- Ease of execution, as most attacks can be easily automated and launched indiscriminately against thousands, or even tens or hundreds of thousands of targets at a time.
Organizations failing to secure their web applications run the risk of being attacked. Among other consequences, this can result in information theft, damaged client relationships, revoked licenses and legal proceedings.
Web application vulnerabilities
Web application vulnerabilities are typically the result of a lack of input/output sanitization, which are often exploited to either manipulate source code or gain unauthorized access.
Such vulnerabilities enable the use of different attack vectors, including:
- SQL Injection: Occurs when a perpetrator uses malicious SQL code to manipulate a backend database so it reveals information. Consequences include the unauthorized viewing of lists, deletion of tables and unauthorized administrative access.
- Cross-site Scripting (XSS): XSS is an injection attack targeting users in order to access accounts, activate Trojans or modify page content. Stored XSS occurs when malicious code is injected directly into an application. Reflected XSS takes place when malicious script is reflected off of an application onto a user’s browser.
- Remote File Inclusion: A hacker uses this type of attack to remotely inject a file onto a web application server. This can result in the execution of malicious scripts or code within the application, as well as data theft or manipulation.
- Cross-site Request Forgery (CSRF): An attack that could result in an unsolicited transfer of funds, changed passwords or data theft. It’s caused when a malicious web application makes a user’s browser perform an unwanted action in a site to which a user is logged on.
In theory, thorough input/output sanitization could eliminate all vulnerabilities, making an application immune to unlawful manipulation.
However, complete sanitization usually isn’t a practical option, since most applications exist in a constant development state. Moreover, applications are also frequently integrated with each other to create an increasingly complex coded environment.
Web application security solutions and enforced security procedures, such as PCI Data Security Standard (PCI DSS) certification, should be deployed to avoid such threats.
Web application firewall (WAF)
Web application firewalls (WAFs) are hardware and software solutions used for protection from application security threats. These solutions are designed to examine incoming traffic to block attack attempts, thereby compensating for any code sanitization deficiencies.
By securing data from theft and manipulation, WAF deployment meets a key criteria for PCI DSS certification. Requirement 6.6 states that all credit and debit cardholder data held in a database must be protected.
Generally, deploying a WAF doesn’t require making any changes to an application, as it is placed ahead of its DMZ at the edge of a network. From there, it acts as a gateway for all incoming traffic, blocking malicious requests before they have a chance to interact with an application.
WAFs use several different heuristics to determine which traffic is given access to an application and which needs to be weeded out. A constantly-updated signature pool enables them to instantly identify bad actors and known attack vectors.
Almost all WAFs can be custom-configured for specific use cases and security policies, and to combat emerging (a.k.a., zero-day) threats. Finally, most modern solutions leverage reputational and behavior data to gain additional insights into incoming traffic.
WAFs are typically integrated with other security solutions to form a security perimeter. These may include distributed denial of service (DDoS) protection services that provide additional scalability required to block high-volume attacks.
Web application security checklist
In addition to WAFs, there are a number of methods for securing web applications. The following processes should be part of any web application security checklist:
- Information gathering: Manually review the application, identifying entry points and client-side codes. Classify third-party hosted content.
- Authorization: Test the application for path traversals; vertical and horizontal access control issues; missing authorization and insecure, direct object references.
- Cryptography: Secure all data transmissions. Has specific data been encrypted? Have weak algorithms been used? Do randomness errors exist?
- Denial of service: Improve an application’s resilience against denial of service threats by testing for anti-automation, account lockout, HTTP protocol DoS and SQL wildcard DoS. This doesn’t cover protection from high-volume DoS and DDoS attacks, which are best countered by a combination of filtering solutions and scalable resources.
Refer to the OWASP Web Application Security Testing Cheat Sheet for additional information; it’s also a valuable resource for other security-related matters.