There are many potential web threats that can severely affect a website’s functionality. It is a shame that for every ‘good’ web application a developer builds, there is some attacker out there who is trying to take it down; no code is (completely) secure.
Thus, web security solutions must be proactive and defensive.
This article aims to serve as a ‘checklist’ that a web developer can use to check a website for common vulnerabilities and keep it secure.
Web security solutions usually rely on these two key concepts:
Authentication: the process of verifying that a user is who they claim to be, i.e. a user known to the software who has entered the correct credentials
Authorisation: the confirmation that an authenticated user is permitted to access a specific resource or perform a specific action
1. Filter any input from untrusted sources
An attacker can embed malicious content in any input the website accepts, so the web developer must filter every input and decide whether it can be trusted. The challenge is filtering all of the data: even if 99,999 out of 100,000 cases are filtered, the one case that is missed could be the malicious one. Attackers are not even looking for multiple vulnerabilities in the application; all they need is one.
2. Broken Authentication
This is a fundamental flaw because it allows attackers to take advantage of weak security controls and get past passwords or session keys (e.g. by brute force). They then have access to a known user’s account, which also gives them that user’s authorisation to perform particular actions. For this reason, two-factor authentication is very important in preventing it.
3. Confidential data Exposure
Certain web applications do not protect confidential and sensitive information such as financial records, healthcare records or personal information (mobile numbers, addresses etc.). If the developer has not encrypted all of this data, attackers can access it fairly easily, without even needing to gain complete access to the web application.
4. Cross-site Scripting (XSS)
Cross-site scripting is a vulnerability which allows an attacker to ‘inject’ malicious code into the content served by a trusted website, compromising the interaction a user has with the application. In other words, a user who believes they are browsing a ‘safe & secure’ website is actually receiving pages that carry the injected malicious code. To prevent this, a developer validates all input into the web application, ensuring that no malicious code is entered into the website.
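The following is an added example, not code from the original article, that ties sections 1 and 4 together: the name field is checked against an allowlist rather than ‘cleaned up’, and both fields are HTML-encoded before they reach the page. The vulnerable renderer is shown beside the hardened one; the sample name and comment are constructed inputs.

```python
import html
import re

# Allowlist for a username field: 3-20 characters, letters, digits, underscore.
# Anything else is rejected outright rather than patched up (section 1).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")


def validate_username(value: str) -> str:
    """Return the username if it matches the allowlist, else raise ValueError."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username has disallowed characters or length")
    return value


def render_comment_vulnerable(name: str, comment: str) -> str:
    """Concatenates untrusted text straight into HTML: any <script> survives."""
    return f"<p><b>{name}</b> says: {comment}</p>"


def render_comment_safe(name: str, comment: str) -> str:
    """Validates the name and HTML-encodes both fields before they reach the page."""
    name = validate_username(name)
    return f"<p><b>{html.escape(name)}</b> says: {html.escape(comment)}</p>"


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in markup.lower()


# Constructed sample input, as it might arrive from a comment form.
NAME = "mallory"
COMMENT = '<script>alert("xss")</script>'

if __name__ == "__main__":
    print(render_comment_vulnerable(NAME, COMMENT))  # script tag intact
    print(render_comment_safe(NAME, COMMENT))        # script tag encoded as text
```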
5. Inadequate logging and monitoring
Most attackers plan their attack over a long time, gaining a little more access each day until they have complete access. If the web application does not have regular logging and monitoring, the attacker has plenty of opportunity to attack without being noticed. It also lets attackers brute-force passwords, trying again and again until they get the right one. To put it simply, imagine a jewellery store with no regular CCTV footage in place: robbers can check their plan each day and work out an entrance/exit strategy to rob the store, so nobody predicts the attack until the damage is done! If logs and monitoring are in place, an upcoming attack can be predicted and stopped before the damage is done; for example, by monitoring for too many failed password attempts, a developer can see whether an attacker is trying to compromise their application.
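The monitoring described here, and the brute-force attempts from section 2 that it is meant to catch, as an added example that is not part of the original article: a small detector that parses constructed authentication log lines (the format and the source addresses are assumptions) and flags any source with five or more failed logins inside a five-minute sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). One line that is not a
# login event is included to show that unrelated lines are skipped.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login FAIL user=alice src=203.0.113.5
2024-03-01T10:00:02Z healthcheck ok
2024-03-01T10:00:03Z login FAIL user=alice src=203.0.113.5
2024-03-01T10:00:04Z login FAIL user=bob src=203.0.113.5
2024-03-01T10:00:06Z login FAIL user=carol src=203.0.113.5
2024-03-01T10:00:09Z login FAIL user=alice src=203.0.113.5
2024-03-01T10:00:12Z login OK user=alice src=203.0.113.5
2024-03-01T10:05:00Z login FAIL user=dave src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, result, user, src) for each login line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["src"]


def find_bruteforce_sources(text, threshold=5, window=timedelta(minutes=5)):
    """Return {src: peak_failures} for every source whose failed logins reach
    `threshold` inside any sliding window of length `window`."""
    failures = defaultdict(list)
    for ts, result, _user, src in parse_log(text):
        if result == "FAIL":
            failures[src].append(ts)
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(count, flagged.get(src, 0))
    return flagged
```

In the sample the successful login from 203.0.113.5 right after five failures is the line that makes the alert worth acting on: a guessed password may have worked.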
6. SQL Injection
SQL stands for Structured Query Language. In this web attack the attacker inserts malicious SQL code into the web server that stores the database, so that the web server serves this infected data to all of its users, who believe they are using a trusted website.
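The usual route by which such SQL reaches the database is a query assembled from unfiltered input (section 1). As an added example that is not from the original article, the string-built lookup below is shown beside its parameterised form, using Python’s built-in sqlite3 module and a constructed in-memory user table.

```python
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query as a string: the input becomes part of the SQL itself."""
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Binds the input as a parameter: it is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed attacker-style input: a quote that closes the string literal,
# followed by a condition that is always true.
INJECTED = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, INJECTED))      # every user is returned
    print(lookup_parameterized(db, INJECTED))   # no user has that literal name
```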
7. (Distributed) Denial of Service Attack
A (D)DoS attack is when an attacker overloads a web server with huge amounts of malicious traffic, so that the website can no longer handle it and fails with the error “Service unavailable”. Any visitor who wishes to use the website (e.g. to buy a new product online) cannot reach it, so the website loses a lot of demand for its product. A DoS attack is performed from only one computer, which floods the website with large amounts of traffic. In recent times, however, the DDoS attack has become more common and more forceful, because it is launched not from one machine but from many computers, which means a far higher volume of traffic can be directed at the website.
8. Phishing
Phishing is the attempt to obtain personal and sensitive data from a user (e.g. passwords, financial records, healthcare information) for a malicious purpose. The attacker sends out a legitimate-looking email in the hope of obtaining the sensitive information from the user. The spoof email leads the user to think that a trusted company is asking for certain information, so they click a link that takes them to a bogus (fake) website, which will be infected with malware. This is a method of social engineering because it cons the customers themselves into revealing their personal information.
9. Pharming
Pharming is a scam in which malicious code redirects a user to a fake website without their knowledge. The code is downloaded onto the hard drive of the user’s computer, so even when the user visits a trusted, legitimate website they can still be affected, because the malicious code redirects them to a bogus website (by telling the web browser to look up a different IP address from the one the trusted website uses). This leads to fraudulent outcomes such as the loss of personal data, resulting in identity theft.
10. Rootkit
A rootkit is a wide collection of software tools that work together to give an attacker remote control over a network. This is very dangerous because it allows the attacker to perform particular malicious actions against the users of the web application, such as keylogging (so they can capture passwords and sensitive information) and disabling antivirus software.