The night is dark and full of terrors. And so is the web. Unknown to us, the naive users, there is a whole lot happening within the deep layers of the web. If left unnoticed, they can cause permanent damage to your website and the business that is dependent on it.
Symantec’s Security Report 2017 revealed some startling facts that have made cyber security analysts sleepless. Cyber security attacks have become bold enough to target even government agencies, which were once considered the most secure digital organizations.
The count of common web security vulnerabilities is also steadily increasing. Add to that the lax attitude of users towards protecting themselves with hack-proof measures, and we have a recipe for a digital disaster of great proportions. The recent outbreaks of WannaCry, Bad Rabbit, Petya and NotPetya are all classic examples of how weak web security gets exploited.
OWASP’s List of security vulnerabilities
OWASP – Organization for Web Application Security Project – is a not-for-profit organization working to improve the security of web-based software applications.
OWASP has prioritized these vulnerabilities based on 3 major factors:
- Exploitability – The tooling needed for exploitation and how readily it is available
- Detectability – How difficult the weakness is to detect
- Impact or Damage – The potential damage if the exploitation happens
The organization has compiled a list of web security vulnerabilities that every website owner must gain protection against.
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure To Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
SQL Injection
Input fields in websites and various URLs that interact with the website’s database are the primary targets of SQL injection. A hacker might attempt to exploit this common vulnerability by altering the back-end SQL statements that collect data from the user. This might help the hacker steal sensitive user data like login credentials, or even gain access to the application without having proper login credentials.
How to Fix SQL Injection?
Use parameterized queries, which prevent the hacker from turning injected input into SQL commands. Use PHP Data Objects (PDO) to access databases: it works with parameterized queries and so shuts the door on the string-built statements that PHP developers commonly write with the MySQL or MySQLi extensions.
Broken Authentication
In this form of vulnerability, the hacker uses session IDs that were never invalidated, together with cookie data, to steal user data. Imagine working on a cyber cafe computer and closing the window abruptly without properly logging out. The cookies left on the system can be used by the hacker to gain access to user information.
How to fix Broken Authentication?
Ensure that your web security practices are in alignment with OWASP’s Application Security Verification Standard. If you use a public or shared computer, ensure you log off and also clear cookies after every use.
Security Misconfiguration
Loopholes and mistakes in the security configuration of server-side systems, databases, application servers, frameworks, etc. can be exploited by shrewd hackers to their benefit. They make use of weaknesses found in input forms, URLs and form fields to turn misconfigured security settings to their advantage.
How to prevent security misconfiguration?
Use a consistent, hardened configuration across the whole web application stack. Ensure that directory listings are disabled to prevent unauthorized browsing and tampering. Change default usernames and passwords to customized ones.
Insecure Cryptographic Storage
Information stored in application databases is often left unguarded. For example, passwords, which are shown as ‘*’ characters when the user types them, are cryptographic in nature. Unguarded cryptographic information is an easy way in for hackers to make away with critical user information like profile information, location, credit card information, user credentials, banking information and much more.
How to secure Cryptographic Storage?
Deploy proven cryptography: AES for encrypting stored data, SHA-256 for hashing, and RSA public key cryptography, all of which are well established for protecting sensitive information.
Failure To Restrict URL Access
Restricting URL access ensures that visitors to a website are granted access only to information that they are rightfully allowed to see. Failing to restrict URL access with strict controls might let a hacker, or even a shrewd ordinary user, reach information on the website that they are not allowed to see; for example, the premium-only articles of a paid online subscription magazine.
How to restrict URL Access?
Set up role-based access controls that will prevent ordinary users from accessing content. Implement two-factor authentication and password protection to keep users from accessing unwanted URLs.
Insufficient Transport Layer Protection
Data like bank account details, credit card information, login credentials, etc. needs Transport Layer Security (TLS) to be sent over a network securely. Data exchanged between browser and server needs to be protected using TLS. Without TLS, there is a good chance that hackers can find such information and expose it, leading to a security mishap.
How to establish Transport Layer Protection?
If you are running an HTTP website, install an SSL/TLS certificate and upgrade it to HTTPS. HTTPS is the secured version of HTTP, which ensures that attackers cannot get their hands on information that is being exchanged over the Internet. This is primarily useful in preventing cyber security attack models like Man-In-The-Middle attacks.
Unvalidated Redirects and Forwards
Remember landing on a totally strange (and dangerous) looking website after clicking a link by mistake? That is unvalidated redirects and forwards at work. Hackers use this mechanism to make naive users visit phishing forms or malware-infested websites.
How to save yourself from unvalidated redirects and forwards?
Avoid setting redirects within the website. If at all there are any redirects or forwards, ensure that they are authorized and secure for the user.
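A concrete check for the advice above, added here as an example rather than code from the original post: an allow-list validator for redirect targets that only accepts relative paths on this site or absolute URLs to the site's own hostnames (www.example.com and example.com are constructed, assumed names), and falls back to the home page for everything else.

```python
from urllib.parse import urlsplit

# Hostnames this site is allowed to redirect to (assumed allow-list).
ALLOWED_HOSTS = {"www.example.com", "example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(target):
    """Return target if it is a same-site destination, else DEFAULT_TARGET."""
    if not target or any(c in target for c in "\r\n\x00"):
        return DEFAULT_TARGET          # empty, or carries header-injection bytes
    # Some browsers treat backslashes as slashes; normalise before parsing
    # so that "/\evil.example.net" is seen as the scheme-relative URL it is.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_TARGET          # javascript:, data:, and other schemes
    if parts.netloc:
        # Absolute or scheme-relative (//host/...) URL: the host must be on
        # the allow-list. hostname strips userinfo and port, so
        # "https://www.example.com@evil.example.net/" resolves to the real host.
        host = parts.hostname or ""
        if host.lower() not in ALLOWED_HOSTS:
            return DEFAULT_TARGET
        return candidate
    # Relative path: must start with exactly one "/" to stay on this site.
    # "///evil.example.net" parses with an empty netloc but browsers may
    # still treat it as another host, so reject anything starting with "//".
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_TARGET
    return candidate


if __name__ == "__main__":
    # Constructed sample targets as they might arrive in a ?next= parameter.
    for t in ["/account/settings", "https://www.example.com/dash",
              "https://evil.example.net/phish", "//evil.example.net",
              "/\\evil.example.net", "javascript:alert(1)"]:
        print(repr(t), "->", safe_redirect_target(t))
```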
With every passing day, cyber security threats are taking new shapes and forms. Website owners can no longer have a good night’s sleep hoping that they will be left alone by hackers. Hackers are going after every inch of the web where they can exploit vulnerabilities.
Know the common web security vulnerabilities, and if your website has any of them, fix them right away.