Web Application Security

With the rise of modern Web 2.0 and user-generated content applications, a lot of our data flows through many different systems.
Such advancements have also attracted hackers and scammers, who are looking for new attack vectors because, right now, data is worth more than oil.
This article briefly explains potential attack vectors and suggests how to protect your system against them.

  • XSS (cross-site scripting) - XSS is a kind of vulnerability that allows an attacker to inject malicious client-side (JavaScript) scripts into a webpage so they can access private information.
  • SQL injection - SQL injection is a method used when an attacker wants to exploit the database by getting it to execute queries prepared just for that purpose. This way an attacker can fetch unauthorized information from the database, such as personal information (e-mail addresses, full names, phone numbers, passwords), create a new user with administrative permissions, or destroy the content of the database.
  • DoS and DDoS - attackers overload targeted servers with enormous traffic, making the servers unable to process incoming requests and making the website unusable.
  • CSRF (cross-site request forgery) - the essence of this kind of attack is tricking a user into making a request that uses their authorization. The most common targets are administrator and executive accounts due to their scope of access.

How to protect your application?

WAF (web application firewall)

What is a WAF?

It's a dedicated tool to protect your web application, for example a web server module (ModSecurity, NAXSI), that can control traffic going to and from your web app using predefined rules.
NAXSI checks the arguments of GET requests, the full URI, the body of POST requests, and the HTTP headers; then it compares them against blacklists for categories such as SQL injection, RFI (Remote File Inclusion), XSS, evasion tricks, etc.

DDoS mitigation

DDoS attacks are extremely hard to fight, as it takes very good infrastructure and tools to do anything about them.

I would describe mitigating a DDoS attack as four stages:

  • Detection - the website needs to be able to distinguish malicious traffic from normal traffic, so regular users are still able to use it
  • Response - the network should drop traffic generated by bots, filter it using a WAF, or filter it at the L3/L4 level
  • Routing - intelligent routing should separate malicious traffic from regular traffic
  • Adaptation - traffic captured during an incident should be analyzed so that in the future anti-DDoS tools can check for patterns that suggest an incoming attack

Since it's extremely hard to do this on your own, I highly recommend using Cloudflare.

DNSSEC

DNSSEC (Domain Name System Security Extensions) is a suite of specifications for securing certain kinds of information provided by DNS.
It was designed to protect DNS systems from DNS cache poisoning.
Answers from DNSSEC-protected zones are digitally signed. DNSSEC can protect any data published in the DNS, including TXT and MX records.

HTTPS

HTTPS is HTTP with encryption, which means the data exchanged between you and the website is encrypted, so attackers can't steal it in transit. It also confirms that the website's server is who it says it is.
Chrome and other browsers mark all HTTP websites as "not secure".
It's no longer expensive to obtain an HTTPS certificate, as Let's Encrypt is a certificate authority that provides certificates for free.

Uploads

Another danger in a web application is the files uploaded to it. Whether it's a file-sharing app, a ticketing system, a messaging tool, or any other application that allows people to upload files, it's a potential way to spread viruses and other malicious files. Check out our tool, FileScan, which can be integrated with such applications using a REST API to check all files going through your system.
