Application layer is the most vulnerable layer of any application and is the hardest to defend since it has to remain exposed through the publicly accessible avenues. Any consumer facing web application has to made itself over either port 80 (for http requests) or port 443 (for https requests) or the both in order to remain accessible over the internet. Even in presence of several shields like firewall, intrusion filters a person with required time, energy and intelligence always has a open path to reach the web server. Most of the vulnerabilities left in proprietary source codes (zero day vulnerability) remain unknown for the network defense system and can be identified by an intelligent intruder. Using opensource components and plug-ins and libraries with known vulnerabilities is another common base of insecure web applications.
According to Open Web Application Security Project (OWASP) report 2017, here are the top 10 risks your web application might be exposed to –
Here all sort of injection techniques including but not limited to SQL Injection, NoSQL Injection, OS Injection and LDAP Injection commonly being referred as injection , used to attack data-driven applications, in which malicious statements/data are inserted into an appropriate entry field for interpretation in an attempt to executed unintended commands or data access without proper authorization.
An injection attacks may allow offenders to temper or destroy data, perform unintended redirection, execute functions which otherwise would not be executed, dump complete system database or even to be administrator or the system with privilege to do a numerous other harms.
2. Broken Authentication
Broken authentication of application occurs mostly due to incorrect handling of application features accessibility and mismanagement of authenticated user seasons allowing hackers to compromise season tokens to gain access to the secure application features which otherwise could not be accessed without proper permission. This enables an attacker to exploit the temporary privilege to gather secure information about user accounts, execute transactions on behalf of the users or sometime to gain a greater or permanent access by reading or changing the password.
3. Sensitive Data Exposure
Sensitive Data Exposure is one of the most commonly found vulnerability in web application where sensitive information (disclosure of which may cause a significant damage to the associated individuals and the business) are kept unprotected in the database or while in transit. Since the breach of database server security and in transit interceptions of data is common affairs for an web applications, existence of unencrypted /easily decheapable sensitive information create a massive risk for the application. Survey shows that developers mostly fails to understand the importance of a particular piece of information due to the lack of communication and domain knowledge even when maintaining top level security compliancy such as HIPPA and PCI. This results in the particular piece of information get allowed to be transmitted without encryption.
4. XML External Entities
XML External Entity (XEE) attack occurs when a XML input containing reference to an external entity is parsed and processed by an incorrectly configured XML purser. In XML 1.0 Standard, external entities are allowed to access local or remote content through declared system identifier. The system identifier (which is basically an URI) replaces the occurrences of the external entity by the content referred by the system identifier. By referring malicious contents by the system identifier the XML processor can be forced to disclose secure information to the attacker. The damage may not be only limited to discloser of information but may include discloser of local files containing source code, configurations, authentication credentials etc and may also trigger denial of service(DoS) by initiating local recursive functions to engage system resources
5. Broken Access Control
Broken access control vulnerability arise because of improper declaration or enforcement of accessibility of authenticated users (or each set of users for complicated web applications with multiple user levels with limited accessibility). This vulnerability can be exploited by attackers by gaining unauthorized access restricted information/programs which otherwise would remain inaccessible for the particular access season. Resultant damage may be discloser or information and giving away higher level privileges which can be further exploited for a deeper penetration.
6. Security Misconfiguration
Security misconfiguration is the most commonly observed vulnerability with a completely open ended definition. This may be result of incorrect handling of security settings and attributes for the operating system, the application itself or the database such as insecure default configuration, incomplete configuration, insecure cloud storage, misconfigured HTTP header or untapped error message with sensitive information and many more.
7. Cross-Site Scripting
Cross-Site scripting or XXS vulnerability occurs when an web application includes untrusted and invalidated data into a web page or update an existing webpage using user supplied data using browser API which creates and includes Java Scripts, HTML. XSS allows attackers to inject client side scripts into web pages which visualized and executed by browsers. XSS attack effects may vary in range from petty nuisance (such as defacing an webpage to significant security risks like season hijacking, improper or malicious redirection or invalidated input prompt for SQL injection or malicious code injection.
8. Insecure Deserialization
Malformed or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code, when deserialized. Insecure deserialization can trigger remote code execution which which may open avenue for various other type of intrusions by compromising both server & client side system security. Even if remote code execution is prevented by a Firewall (at server side) or an antivirus program (at client side) deserialization of untrusted data may allow attackers to temper deserialization logic to create recursive data sets and dynamic objects (tables, charts etc) to engage system resources which may result in denial of service.
8. Using Components With Known Vulnerabilities
Using components (mostly opensource in practical scenario) like plugins, frameworks, libraries with known open security issues in an web application exposes the application to thousands of attackers with prior understanding of the vulnerability. Depending on the seriousness of the vulnerabilities and the intelligence of the attacker, this may cause massive disclosure or loss of information as well as privilege takeover to cause further damage to the application or even to the other applications being served from the same server.
10. Insufficient Logging & Monitoring
Proper logging and monitoring protocol allows quick mitigation of intrusions. Insufficient logging in association with no or insufficient damage response mechanism allow the attackers to maintain persistency over exploitation attempts which creates scope for deeper penetration and usually results in massive data loss/disclosure, control take over and even business logic manipulation. Most security breach study survey shows that the average detection period for intrusion is over 200 days and mostly such detection is done by external parties rather than internal logging and monitoring process.