Game Changing Mobility

knowledge engineering blog

Month: May 2019

Top 10 vulnerabilities in web applications and how to tackle them

Before we begin with the vulnerabilities in web applications, it is good to know there are several open communities like OWASP that are always looking out for vulnerabilities and are dedicated to resolving these vulnerabilities. Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain web applications and APIs that can be trusted.

Vulnerabilities in Web applications and solution

Now let us check the top 10 vulnerabilities in web applications and how to tackle these vulnerabilities.

1) Cross-Site Scripting (XSS)

It is a very common application-layer web attack. XSS targets scripts embedded in webpages that are executed on the client side (i.e., the scripts run on the user’s web browser). XSS is a threat for client-side scripting languages like HTML & JavaScript. It works by controlling the client side to work as desired by the attacker. Such an attack may, for example, use a script to run every time page reloads or on any other events.

XSS is mainly used for tampering and stealing user sensitive data. XSS usually targets the user and not the application.

We can prevent XSS by separating untrusted data from active browser content. We can also use frameworks like React JS or Ruby on Rails that automatically escape XSS by design.

2) SQL Injection

It’s an application security weakness that allows the attackers to alter the data in the database or just read confidential data such as a password. The vulnerability occurs when we enter untrusted data to the database from web forms or when it is part of a SQL query.

Web applications use SQL query to communicate with the database. SQL injections occur when the application fails to validate the data in a SQL query (from web forms) and hence, an attacker can trick the database to execute unexpected commands.

Using LIMIT and other SQL controls within queries are a way of tackling injections.

3) LDAP Injection

This is similar to SQL injection. Here also, the attacker place codes in user input fields to gain unlimited access. It may lead to information theft, browser or session hijacking, defacement of the website or even other problems.

LDAP (Lightweight Directory Access Protocol) injections work by inserting harmful codes to client provided data in LDAP statements. If a web application does not properly validate the input fields, attackers can construct LDAP statements which execute with user permission. Such queries can modify or delete anything in the LDAP tree and cause disastrous results.

To handle these injections, it is advised to use safe API, that avoids interpreter entirely and provides a parameterized interface, migrates to use Object Relational Mapping Tools (ORMs).

4) Cross-Site Request Forgery (CSRF)

Usually, a website sends an application a request that a user is authenticated from another website. An attacker can use this to access data and functionalities of the web application as the browser is already authenticated using the user’s credentials. Attackers may use XSS to defeat CSRF defence the application might employ. So, avoiding XSS will prevent these types of attack to some extent.

5) Insecure cryptographic storage

It occurs when sensitive data is not stored securely. Make sure all sensitive data are encrypted while storing & secured key management must be adopted.

Use a good encryption algorithm.

Make sure you do not use cryptography of your own since you can never predict whether it is secure or not. Do not ship or deploy with any default credentials, particularly for admin users.

6) Broken Authentication

Broken authentication happens when application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.

Practice implementing multi-factor authentication for web applications to prevent automated, credential stuffing, brute force, and stolen credential re-use attacks.

7) Sensitive Data Exposure

Many web applications and APIs do not properly protect sensitive data such as financial, healthcare, and PII (Personally Identifiable Information). Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection such as encryption at rest or in transit and requires special precautions when exchanged between browser and server.

We can prevent such situations by applying controls as per classification. Classify data stored processed and transmitted by an application.

Don’t store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. Remember, data that is not retained cannot be stolen.

8) XML External Entities (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

Points to keep in mind are, whenever possible, use less complex data formats such as JSON and avoid serialization of sensitive data.

Also, patch or upgrade all XML processors and libraries in use by web applications or on the underlying operating system. Use dependency checkers. Update SOAP to SOAP 1.2 or higher.

9) Broken Access Control

Restrictions on the privileges of authenticated users are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.

The possible solution to overcome this problem is to implement access control mechanisms once and reuse them throughout the application. Also, Minimize the use of CORS.

10) Security Misconfiguration

Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only all operating systems, frameworks, libraries, and applications should be securely configured but also, they must be patched and upgraded in a timely fashion.

We can avoid this by checking none of the default accounts credentials is the same.

The aim of this article is to give a good insight into common flaws that can lead to modern data breaches and could make web applications vulnerable to various attacks.

As the saying goes “Prevention is better than cure”, proactive and defensive security steps must be adopted beforehand than making it a practice only after a security breach.

- Bharath Varma

AlignMinds Technologies Recognized in Clutch’s Research of Indian App Developers

AlignMinds rating on ClutchMost of the successful mobile applications have a lot in common. They are popular, profitable, sustainable and provide greater satisfaction and usability to the end user. This is why the best developing firms in the industry are treating application development as a comprehensive solution rather than writing a few sets of code.

Our years of experience working as an enterprising technological partner for various industry leaders has helped us to recognise this fact a long time ago.

We chose to have an integrated approach to every problem in hand. It has enabled us to offer solutions to all type of projects suitable for businesses from small startups to the largest enterprise corporations. We use the latest technologies to create a ​tailored user experience​ for all the application development needs.

It is nothing but our confidence in our ability that helped us to reach where we are now.

Our main focus is on creating the best apps out there. We pride ourselves on our best-in-class mobile app development team. They always come up with innovative solutions that are disruptive to the industry.

EMS2GO

EMS2GO is  a pickup and delivery app developed by our team for the Postal Corporation of Kenya

With that said, we are very excited to announce that Clutch, a top B2B ratings and reviews platform, highlighted our firm in their in-depth analysis of industry leaders! Clutch evaluates companies using different parameters like client satisfaction rates, overall ability to deliver service, and brand strength.

We are also featured among the top ​IT outsourcing companies in India based on these strict criteria.

Clutch has done excellent work for us in gathering and documenting in-depth customer reviews.  They helped us to receive a perfect 5 out of 5 stars review recently on Clutch!

AlignMinds on Clutch

More than the ratings it is the result of such collaboration that led to the success of the business for our clients that is making us feel fulfilled.

A part of the reasons for our success is that we always dive headfirst into every project, establishing goals and timelines in real-time with hands-on experiences that allow us to solve issues quicker. The above review is proof that our unique way of offering solutions to a problem is really helping our clients by turning their business into a success. It has also helped us to be one of the best outsourcing companies in India.

We also try to stay ahead of the competition by being dedicated to each project, providing front-end, back-end, and in-house developers on sight, ready to create the user experience best suited for our clients. It is our goal to showcase our entire repertoire of skills so that our clients know that we have their best interest at heart.

In addition to our feature with Clutch, we have also been profiled on their sister site The Manifest, as one of the ​top cloud consulting companies in India in 2019. The Manifest is a business news and how-to-website that compiles and analyzes practical business wisdom for innovators, entrepreneurs, and small and mid-market businesses.

We have also been featured as one of the top​ web developers on Visual Objects, which is an online portfolio website that helps firms expand their reach.

We like how Clutch is helping us by accelerating the pace of our growth. Through their continual acknowledgement and recognition of our services, they are helping us to solidify our spot as a top mobile app developer in India.

We cannot express enough how proud we are to be named as one of the top Indian development companies for the year 2019.

This is truly inspiring for a firm whose goal is to continue to grow and expand as the year continues.