Website security is a major issue in today’s information age. When you’re launching a startup and coding a product from scratch, the focus is often on iterating through as many features in as short a timeframe as possible, with security left by the roadside. Here is my look at the most common issues affecting web applications – use it as a starting point to help you and your team add best practice security to your web application.
Website Security Risks
I’ve compiled a list of the top security risks that every web programmer must be intimately familiar with. It is based on the OWASP Top Ten Cheat Sheet – easily the best resource when it comes to web security.
If you’re a programmer and are not intimately familiar with these concepts, go and study them now!
If you’re a startup CTO make sure that security becomes part of the technical planning process.
If you’re a non-tech founder, discuss security with your tech team and ask them to explain to you how their technical choices mitigate the risks from the OWASP list.
A note about coding frameworks
Many modern web frameworks guard against these attack methods. However, you are only safe if you are clear on how such attacks are carried out and what measures your chosen framework uses to protect against them. Don’t rely blindly on code someone else has written!
The Top Three Most Common Attack Methods
1. Injection Attacks
Injection flaws occur when an application passes untrusted data straight into a command or query (for example to a database or the operating system). Essentially an attacker is sending specially crafted data into your application in order to break it.
Injection flaws are very common, especially in older code. Injection flaws are easy to discover when examining code, but frequently hard to discover via testing.
The best-known type of injection attack is SQL injection – but there are many other types as well. Wherever you handle user input in your application, you are potentially vulnerable to an injection attack.
2. XSS Attacks
XSS stands for ‘Cross site scripting’ – it allows attackers to inject harmful content into your website, for other users to come across. A common attack vector is blog comments and other user-generated content. Wherever you output user-generated content, you are vulnerable to an XSS attack.
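To make the blog-comment case concrete, here is an added example (not code from the original post) that renders a constructed list of comments first unescaped and then escaped on output, including the attribute context, which needs quotes escaped too. It uses only Python’s standard html module.

```python
import html

# Constructed sample comments for the demonstration (not from the original post).
SAMPLE_COMMENTS = [
    "Great write-up, thanks!",
    "<script>alert('xss')</script>",
    "Tom & Jerry <3",
]

def render_comment_vulnerable(text):
    # User-generated content is dropped straight into the page markup: the XSS flaw.
    return '<li class="comment">' + text + '</li>'

def render_comment_safe(text):
    # Escape on output so the browser treats the comment as text, not markup.
    # quote=True also escapes " and ', which matters inside attribute values.
    return '<li class="comment">' + html.escape(text, quote=True) + '</li>'

def render_author_link(author):
    # Same rule in attribute context: the author name lands inside title="...".
    safe = html.escape(author, quote=True)
    return '<a href="/users" title="' + safe + '">' + safe + '</a>'

def render_comment_list(comments, renderer=render_comment_safe):
    return "<ul>" + "".join(renderer(c) for c in comments) + "</ul>"

def contains_raw_script(markup):
    # Simple check: does a literal <script tag survive into the output?
    return "<script" in markup.lower()

if __name__ == "__main__":
    print(contains_raw_script(render_comment_list(SAMPLE_COMMENTS, render_comment_vulnerable)))  # True
    print(contains_raw_script(render_comment_list(SAMPLE_COMMENTS)))                            # False
    print(render_comment_list(SAMPLE_COMMENTS))
```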
3. Cross Site Request Forgery Attacks
Cross Site Request Forgery (CSRF) is an attack that forces a user to execute unwanted actions on a web application that they are currently logged in to. With a little help from social engineering (like sending a link via email or chat), an attacker may force the users of a web application to execute actions of the attacker’s choosing. A successful CSRF exploit can compromise end-user data and operations when it targets a normal user. If the targeted end user is the administrator account, a CSRF attack can compromise the entire web application.
Most common web application frameworks now protect against CSRF via CSRF tokens; however, you need to implement this functionality correctly to be protected.
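Here is what a correctly implemented CSRF token looks like in miniature, as an added example rather than any framework’s own code. It assumes a hypothetical server-side session store (a plain dict here) and a hypothetical account-deletion handler; the three properties that matter are that the token is unpredictable, bound to the session, and compared with a constant-time check before any state-changing action runs.

```python
import hmac
import secrets

# Hypothetical in-memory session store (constructed for the example).
SESSIONS = {}

def issue_csrf_token(session_id):
    # One unpredictable token per session, kept server-side and embedded in every form.
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["csrf_token"] = token
    return token

def hidden_field(token):
    # What the server renders into each HTML form.
    return '<input type="hidden" name="csrf_token" value="' + token + '">'

def verify_csrf(session_id, submitted_token):
    # Reject when the session has no token or the submitted value does not match.
    # compare_digest avoids leaking the correct token through timing differences.
    expected = SESSIONS.get(session_id, {}).get("csrf_token")
    if not expected or not submitted_token:
        return False
    return hmac.compare_digest(expected, submitted_token)

def handle_delete_account(session_id, form):
    # Hypothetical state-changing handler: check the token before acting.
    # Returns an HTTP-style status code for the demonstration.
    if not verify_csrf(session_id, form.get("csrf_token")):
        return 403
    return 200

if __name__ == "__main__":
    tok = issue_csrf_token("session-abc")
    print(hidden_field(tok))
    print(handle_delete_account("session-abc", {"csrf_token": tok}))   # 200
    print(handle_delete_account("session-abc", {}))                    # 403, forged request
```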
Other Website Security Risks
4. Weak authentication and session management
Most web applications allow users to register and to log in. How safe such access controls actually are depends largely on the implementation. When access is not controlled strictly enough or authentication is not handled correctly, an attacker could gain access to additional functionality or could be able to take control of other users’ accounts.
5. Insecure Direct Object References
Similar in nature to an injection attack, an insecure direct object reference stems from using user input to give access to ‘objects’ stored on your server. Imagine, for example, allowing users to type in the filename of an image they want to see. Or allowing users to enter the ID of a database record they want to edit or delete.
A common version of this type of attack is a directory-traversal attack, allowing an attacker to access unprotected files on your server, with the possibility of gaining complete control over your system.
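Both examples from the paragraph above, the image filename and the record ID, are shown here in an added example (not code from the original post) with the unchecked version beside the checked one. The image directory and the records are constructed for the demonstration.

```python
from pathlib import Path

IMAGE_DIR = "/srv/app/images"   # hypothetical upload directory

def image_path_vulnerable(filename):
    # The user-supplied name is joined onto the base directory with no check,
    # so a name containing ".." walks straight out of IMAGE_DIR.
    return str(Path(IMAGE_DIR) / filename)

def image_path_safe(filename):
    # Resolve the final path and insist that it lies strictly inside IMAGE_DIR;
    # this catches "..", absolute names and empty names alike.
    base = Path(IMAGE_DIR).resolve()
    candidate = (base / filename).resolve()
    if base not in candidate.parents:
        raise ValueError("filename escapes the image directory")
    return str(candidate)

# Constructed records, keyed by id, each with an owner (not from the original post).
RECORDS = {
    101: {"owner": "alice", "title": "Alice's draft"},
    102: {"owner": "bob", "title": "Bob's invoice"},
}

def load_record_vulnerable(record_id):
    # Trusts the id from the request: any logged-in user can fetch any record.
    return RECORDS.get(record_id)

def load_record_safe(current_user, record_id):
    # Look the record up, then check that the requester actually owns it.
    # "Not yours" is reported exactly like "does not exist" so ids cannot be enumerated.
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != current_user:
        return None
    return record

if __name__ == "__main__":
    print(image_path_vulnerable("../../../etc/passwd"))   # leaves the image directory
    print(image_path_safe("cat.png"))
    print(load_record_vulnerable(102))                     # bob's record, for anyone
    print(load_record_safe("alice", 102))                  # None
```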
6. Security Misconfiguration
Ensure web servers and application servers are hardened and configured securely. Depending on your hosting setup, the web hosting company might take responsibility for this step. When you’re hosting on a VPS, such as DigitalOcean, Vultr or Amazon, this becomes your own responsibility.
7. Sensitive Data Exposure
When your web application stores personal information, customer details, perhaps payment or patient information or financial records, you need to make sure that data is stored and transmitted safely. This ranges from encrypting data stored in your database and working with secure third-party providers (for example for payment handling), right down to the nitty gritty of correctly configuring your SSL certificates.
Start by looking at what kind of data you are storing. Where is it stored? How and where is it transmitted? What are the security implications of each step? Is the configuration correct? Are the measures adequate?
8. Missing Function Level Access Control
When users are able to log in to your web application, you might use their logged-in status or their user roles to control access to different functionality. These control mechanisms only work if configured correctly and used consistently throughout your web app. Any errors in implementation will open you up to unauthorised use of functionality or unauthorised access to specific data.
Essentially, look for the access-control (ACL) functionality in your chosen web framework and apply it consistently to every protected function.
9. Using Components with Known Vulnerabilities
Whenever you use third party components or libraries in your code you potentially open yourself up to vulnerabilities. Make sure you keep all third party libraries updated. Subscribe to mailing lists for the components that you use, follow their Twitter accounts and check/follow their issue trackers.
On a related note, operating system vulnerabilities and programming language vulnerabilities also come into play here – so make sure you keep your infrastructure up to date with regular maintenance.
10. Unvalidated Redirects and Forwards
Also called an ‘open redirect’ attack, unvalidated redirects can send website visitors to a malicious website controlled by an attacker. Essentially this form of attack relies on user input being used without validation or sanitising. Imagine a URL like this for example:
With an open redirect in place, the user could be redirected straight to the malicious site, even though they are ostensibly clicking on a link to your own site, which they trust. The answer, as is often the case: always validate and sanitise user input.
This vulnerability is difficult to test for without going through the source code directly.
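As an added example (not code from the original post), here is a redirect handler that takes the target from a `next` parameter, first unchecked and then validated against an allow-list of hosts. ALLOWED_HOSTS is constructed for the demonstration; the checks also cover the scheme-relative, triple-slash and backslash forms that a naive “does it start with a slash?” test lets through.

```python
from urllib.parse import urlparse

# Hosts this application is willing to redirect to (constructed for the example).
ALLOWED_HOSTS = {"www.example.com", "example.com"}

def redirect_target_vulnerable(next_url):
    # The Location header comes straight from the ?next= parameter: an open redirect.
    return next_url

def redirect_target_safe(next_url, default="/"):
    # Accept only a path on this site, or an absolute http(s) URL to an allowed host;
    # anything else falls back to the default landing page.
    if not next_url:
        return default
    parts = urlparse(next_url)
    if parts.scheme == "" and parts.netloc == "":
        # Local path. Refuse "//host" and "///host" (browsers read both as a new host)
        # and backslashes (browsers treat "\" as "/", so "/\host" also leaves the site).
        if next_url.startswith("/") and not next_url.startswith("//") and "\\" not in next_url:
            return next_url
        return default
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        # hostname, not netloc, is compared, so "https://www.example.com@other.host" is refused.
        return next_url
    return default

if __name__ == "__main__":
    for candidate in ("/account", "https://www.example.com/login", "//evil.example/x",
                      "https://evil.example/", "javascript:alert(1)"):
        print(candidate, "->", redirect_target_safe(candidate))
```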
When it comes to protecting your web application and your application’s users (and their data), it’s important to consider potential security issues from the start. Make it a priority and a point of discussion throughout your organisation. By sharing the list of most common web application security issues, you can start to educate your team and identify areas that need further scrutiny.