The Most Common Website Security Risks 2017

Website security is a major issue in today’s information age. When you’re launching a startup and coding a product from scratch, the focus is often on iterating through as many features in as short a timeframe as possible, with security left by the roadside. Here is my look at the most common issues affecting web applications – use it as a starting point to help you and your team add best practice security to your web application.

Website Security Risks

I’ve compiled a list of the top security risks that every web programmer must be intimately familiar with. It is based on the OWASP Top Ten Cheat Sheet – easily the best resource when it comes to web security.

If you’re a programmer and are not intimately familiar with these concepts, go and study them now!

If you’re a startup CTO make sure that security becomes part of the technical planning process.

If you’re a non-tech founder, discuss security with your tech team and ask them to explain to you how their technical choices mitigate the risks from the OWASP list.

A note about coding frameworks

Many modern web frameworks guard against these attack methods. However, you are only safe if you are clear on how such attacks are carried out and what measures your chosen framework uses to protect against them. Don’t rely blindly on code someone else has written!

The Top Three Most Common Attack Methods

1. Injection Attacks

Injection flaws occur when an application directly uses untrusted data. Essentially, an attacker sends specially crafted data into your application in order to break it.

Injection flaws are very common, especially in older code. Injection flaws are easy to discover when examining code, but frequently hard to discover via testing.

The best-known type of injection attack is SQL injection – but there are many other types as well. Wherever you handle user input in your application you are vulnerable to an injection attack.
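To make the SQL injection case concrete, here is an added example (not code from the original post) that runs the same hostile input through a query built by string concatenation and through a parameterised query. The in-memory SQLite table and its three rows are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for an application's users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the untrusted value becomes part of the SQL text, so an
    # input such as  ' OR '1'='1  rewrites the WHERE clause instead of being
    # matched as a name.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the value is passed as a bound parameter and travels
    # separately from the statement, so it can only ever be compared
    # against the name column, never change the query's logic.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"
    print(find_user_vulnerable(db, hostile))  # every user leaks
    print(find_user_safe(db, hostile))        # [] - no user has that name
```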

Further reading

Sitepoint: How to protect against SQL Injection attacks

2. XSS Attacks

XSS stands for ‘Cross site scripting’ – it allows attackers to inject harmful content into your website, for other users to come across. A common attack vector is blog comments and other user-generated content. Wherever you output user-generated content you are vulnerable to an XSS attack.
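The blog-comment case above, as an added example that is not part of the original post: a comment renderer that drops user content into the page verbatim, next to one that escapes each value for the HTML context it lands in. The comment markup and the sample inputs are constructed for the example; escaping covers HTML text and attribute contexts only, so a user-supplied URL or inline script would need its own handling.

```python
from html import escape


def render_comment_vulnerable(author: str, body: str) -> str:
    # The stored-XSS bug: user content is written into the page as-is, so a
    # <script> tag in the body, or a quote in the author name that closes the
    # data-author attribute, ends up executing in every reader's browser.
    return (f'<div class="comment" data-author="{author}">'
            f'<strong>{author}</strong>: <p>{body}</p></div>')


def render_comment(author: str, body: str) -> str:
    """Render one user-generated comment with every value escaped.

    escape() converts <, > and & for the text-node context; with quote=True
    (the default) it also converts " and ', which is what matters inside a
    quoted attribute, where an unescaped quote would end the attribute and
    let the value add an on*= event handler of its own.
    """
    return (f'<div class="comment" data-author="{escape(author, quote=True)}">'
            f'<strong>{escape(author)}</strong>: <p>{escape(body)}</p></div>')


if __name__ == "__main__":
    # Constructed hostile comment: script in the body, attribute break-out in the name.
    name = '" onmouseover="alert(1)'
    body = '<script>alert("xss")</script>'
    print(render_comment_vulnerable(name, body))
    print(render_comment(name, body))
```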

Further reading

How to protect against XSS attacks

3. Cross Site Request Forgery Attacks

Cross Site Request Forgery (CSRF) is an attack that forces a user to execute unwanted actions on a web application that they are currently logged in to. With a little help from social engineering (like sending a link via email or chat), an attacker may force the users of a web application to execute actions of the attacker’s choosing. A successful CSRF exploit can compromise end-user data and operations when it targets a normal user. If the targeted end user is the administrator account, a CSRF attack can compromise the entire web application.

Most common web application frameworks now protect against CSRF via CSRF tokens; however, you need to implement this functionality correctly to be protected.
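What "implementing CSRF tokens correctly" looks like in code, as an added example rather than any framework's own implementation: the token is bound to the session with an HMAC so a token captured from one account cannot be replayed against another, it is verified with a constant-time comparison, and the state-changing handler refuses to act without it. The session ids, the form dictionary and the handler are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side secret for this example; a real deployment loads it
# from configuration, never from source code.
SERVER_SECRET = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> str:
    return hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Mint a token tied to one session: <nonce>.<HMAC(secret, session:nonce)>.

    The token is embedded in the form as a hidden field; a page on another
    origin never gets to read it, so it cannot include it in a forged post.
    """
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """True only for a token minted for this very session."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(_mac(session_id, nonce), mac)


def handle_change_email(form: dict, session_id: str) -> str:
    """Simulated state-changing POST handler; form holds the submitted fields.

    A cross-site form post carries the victim's session cookie automatically,
    which is why the cookie alone must not authorise the change.
    """
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return "403 rejected: missing or invalid CSRF token"
    return f"200 email changed to {form['email']}"
```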

Further Reading

Do Your Anti-CSRF Tokens Really Protect Your Web Apps from CSRF Attacks?

Other Website Security Risks

4. Weak authentication and session management

Most web applications allow users to register and to log in. How safe such access controls actually are depends largely on the implementation. When access is not controlled enough or authentication is not handled correctly, an attacker could gain access to additional functionality or could be able to take control of other users’ accounts.

Further Reading

University of Pennsylvania: Broken Authentication and Session Management

5. Insecure Direct Object References

Similar in nature to an injection attack, an insecure direct object reference stems from using user input to give access to ‘objects’ stored on your server. Imagine, for example, allowing users to type in the filename of an image they want to see. Or allowing users to enter the ID of a database record they want to edit or delete.

A common version of this type of attack is a directory-traversal attack, allowing an attacker to access unprotected files on your server, with the possibility of gaining complete control over your system.
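Both shapes of the problem described above, the user-typed filename and the user-supplied record ID, handled safely in an added example that is not from the original post. The upload directory path and the in-memory record store are constructed for the example; the file path check never touches the disk, so it runs as-is.

```python
import os


def resolve_under(base_dir: str, requested: str) -> str:
    """Map a user-supplied filename onto a path guaranteed to lie inside base_dir.

    realpath() collapses '..' segments and follows symlinks *before* the
    containment check, so 'img/../../etc/passwd', an absolute path, and a
    symlink planted inside the upload directory are all caught. commonpath()
    is used instead of startswith() so that '/srv/app/uploads2' is not
    mistaken for a child of '/srv/app/uploads'.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"request escapes {base_dir!r}: {requested!r}")
    return target


def load_record(records: dict, record_id: int, current_user: str) -> dict:
    """Look up a record by the ID the client sent, but only return it if the
    requesting user owns it: guessing a valid ID is not enough."""
    record = records.get(record_id)
    if record is None or record["owner"] != current_user:
        # One error for both 'missing' and 'not yours', so IDs cannot be
        # enumerated by telling the two cases apart.
        raise PermissionError("record not found")
    return record


if __name__ == "__main__":
    print(resolve_under("/srv/app/uploads", "cat.png"))
    try:
        resolve_under("/srv/app/uploads", "../../etc/passwd")
    except PermissionError as exc:
        print("blocked:", exc)
```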

Further reading

How to protect against directory traversal attacks in PHP and WordPress

6. Security Misconfiguration

Ensure web servers and application servers are hardened and configured securely. Depending on your hosting setup, the web hosting company might take responsibility for this step. When you’re hosting on a VPS, such as Digital Ocean or Vultr or Amazon, this becomes your own responsibility.

Further reading

10 Best Practices To Secure and Harden Your Apache Web Server

7. Sensitive Data Exposure

When your web application stores personal information, customer details, perhaps payment or patient information or financial records, you need to make sure that data is stored and transmitted safely. This ranges from encrypting data stored in your database and working with secure third-party providers (for example for payment handling), right down to the nitty gritty of correctly configuring your SSL certificates.

Start by looking at what kind of data you are storing. Where is it stored? How and where is it transmitted? What are the security implications of each step? Is the configuration correct? Are the measures adequate?

Further Reading

Test your SSL certificate
Testing for Sensitive information sent via unencrypted channels

8. Missing Function Level Access Control

When users are able to log in to your web application, you might use their logged-in status or their user roles to control access to different functionality. These control mechanisms only work if configured correctly and used consistently throughout your web app. Any errors in implementation will open you up to unauthorised use of functionality or unauthorised access to specific data.

Further Reading

Implement Access Control in NodeJS
ACL (Access Control List) Authorization in Laravel 5.1

Essentially search for ACL functionality in your chosen web framework.
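One way to make function-level checks "used consistently throughout your web app", as an added example rather than any framework's ACL feature: a route registry that refuses to take a handler without a list of permitted roles, plus a deny-by-default dispatcher. The routes, roles and user records are constructed for the example.

```python
from functools import wraps


class Forbidden(Exception):
    pass


ROUTES = {}


def route(path: str, roles: set):
    """Register a handler together with the roles allowed to call it.

    Because the role set is a required argument, no endpoint can be added
    without someone deciding who may use it; the check runs in one place
    instead of being remembered (or forgotten) handler by handler.
    """
    def decorator(handler):
        @wraps(handler)
        def guarded(user: dict, *args, **kwargs):
            if user.get("role") not in roles:
                raise Forbidden(f"{user.get('name')} may not call {path}")
            return handler(user, *args, **kwargs)
        ROUTES[path] = guarded
        return guarded
    return decorator


@route("/admin/users/delete", roles={"admin"})
def delete_user(user: dict, target_id: int) -> str:
    return f"user {target_id} deleted by {user['name']}"


@route("/profile", roles={"admin", "user"})
def view_profile(user: dict) -> str:
    return f"profile of {user['name']}"


def dispatch(path: str, user: dict, *args):
    # Deny by default: a path nobody registered is not served at all.
    handler = ROUTES.get(path)
    if handler is None:
        raise Forbidden(f"no route {path}")
    return handler(user, *args)
```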

9. Using Components with Known Vulnerabilities

Whenever you use third party components or libraries in your code you potentially open yourself up to vulnerabilities. Make sure you keep all third party libraries updated. Subscribe to mailing lists for the components that you use, follow their Twitter accounts and check/follow their issue trackers.

On a related note, operating system vulnerabilities and programming language vulnerabilities also come into play here – so make sure you keep your infrastructure up to date with regular maintenance.

10. Unvalidated Redirects and Forwards

Also called an ‘open redirect’ attack, unvalidated redirects can send website visitors to a malicious website controlled by an attacker. Essentially, this form of attack relies on user input being used without validation or sanitising. Imagine a URL like this, for example:

http://your-own-site.com/redirect?q=http://malicious.site.com

With an open redirect in place, the user could be redirected straight to the malicious site, even though they are ostensibly clicking on a link to your own site, which they trust. The answer, as is often the case: always validate and sanitise user input.
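Validating the `q` parameter from the URL above, as an added example that is not part of the original post. It goes a little beyond the plain case shown: besides a full URL to another host, it also rejects scheme-relative (`//host`) targets, backslash variants that browsers read as slashes, and non-http schemes, and only lets through site-relative paths or absolute URLs whose host is on an allow list. The allowed host and all test inputs are constructed for the example.

```python
from urllib.parse import urlsplit


def safe_redirect_target(target: str, allowed_hosts: set, fallback: str = "/") -> str:
    """Return target if it stays on our own site, otherwise fallback."""
    if not target:
        return fallback
    # Browsers ignore embedded tabs/newlines and treat '\' like '/', so
    # normalise before parsing; otherwise '/\evil.example' parses as a path
    # here but is followed as '//evil.example' by the browser.
    candidate = target.translate({ord(c): None for c in "\t\r\n"}).strip()
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback                      # javascript:, data:, ...
    if parts.netloc:
        # hostname drops userinfo, so 'https://ours@evil' resolves to evil.
        host = (parts.hostname or "").lower()
        return candidate if host in allowed_hosts else fallback
    # No host part: accept only a plain site-relative path. '//' would be
    # scheme-relative, and 'http:evil.example' parses with an empty netloc.
    if candidate.startswith("//") or not candidate.startswith("/"):
        return fallback
    return candidate


if __name__ == "__main__":
    allowed = {"your-own-site.com"}
    for q in ("http://malicious.site.com", "/account", "//malicious.site.com"):
        print(q, "->", safe_redirect_target(q, allowed))
```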

This vulnerability is difficult to test for without going through the source code directly.

Further Reading

OWASP: Testing for Client Side URL Redirect

Conclusion

When it comes to protecting your web application and your application’s users (and their data), it’s important to consider potential security issues from the start. Make it a priority and a point of discussion throughout your organisation. By sharing the list of most common web application security issues, you can start to educate your team and identify areas that need further scrutiny.

 
By | February 14th, 2017 | Tech Hugs