Before we begin with the vulnerabilities in web applications, it is good to know there are several open communities like OWASP that are always looking out for vulnerabilities and are dedicated to resolving these vulnerabilities. Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain web applications and APIs that can be trusted.

Vulnerabilities in Web applications and solution

Now let us check the top 10 vulnerabilities in web applications and how to tackle these vulnerabilities.

1) Cross-Site Scripting (XSS)

It is a very common application-layer web attack. XSS targets scripts embedded in webpages that are executed on the client side (i.e., the scripts run on the user’s web browser). XSS is a threat for client-side scripting languages like HTML & JavaScript. It works by controlling the client side to work as desired by the attacker. Such an attack may, for example, use a script to run every time page reloads or on any other events.

XSS is mainly used for tampering and stealing user sensitive data. XSS usually targets the user and not the application.

We can prevent XSS by separating untrusted data from active browser content. We can also use frameworks like React JS or Ruby on Rails that automatically escape XSS by design.

2) SQL Injection

It’s an application security weakness that allows the attackers to alter the data in the database or just read confidential data such as a password. The vulnerability occurs when we enter untrusted data to the database from web forms or when it is part of a SQL query.

Web applications use SQL query to communicate with the database. SQL injections occur when the application fails to validate the data in a SQL query (from web forms) and hence, an attacker can trick the database to execute unexpected commands.

Using LIMIT and other SQL controls within queries are a way of tackling injections.

3) LDAP Injection

This is similar to SQL injection. Here also, the attacker place codes in user input fields to gain unlimited access. It may lead to information theft, browser or session hijacking, defacement of the website or even other problems.

LDAP (Lightweight Directory Access Protocol) injections work by inserting harmful codes to client provided data in LDAP statements. If a web application does not properly validate the input fields, attackers can construct LDAP statements which execute with user permission. Such queries can modify or delete anything in the LDAP tree and cause disastrous results.

To handle these injections, it is advised to use safe API, that avoids interpreter entirely and provides a parameterized interface, migrates to use Object Relational Mapping Tools (ORMs).

4) Cross-Site Request Forgery (CSRF)

Usually, a website sends an application a request that a user is authenticated from another website. An attacker can use this to access data and functionalities of the web application as the browser is already authenticated using the user’s credentials. Attackers may use XSS to defeat CSRF defence the application might employ. So, avoiding XSS will prevent these types of attack to some extent.

5) Insecure cryptographic storage

It occurs when sensitive data is not stored securely. Make sure all sensitive data are encrypted while storing & secured key management must be adopted.

Use a good encryption algorithm.

Make sure you do not use cryptography of your own since you can never predict whether it is secure or not. Do not ship or deploy with any default credentials, particularly for admin users.

6) Broken Authentication

Broken authentication happens when application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.

Practice implementing multi-factor authentication for web applications to prevent automated, credential stuffing, brute force, and stolen credential re-use attacks.

7) Sensitive Data Exposure

Many web applications and APIs do not properly protect sensitive data such as financial, healthcare, and PII (Personally Identifiable Information). Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection such as encryption at rest or in transit and requires special precautions when exchanged between browser and server.

We can prevent such situations by applying controls as per classification. Classify data stored processed and transmitted by an application.

Don’t store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. Remember, data that is not retained cannot be stolen.

8) XML External Entities (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

Points to keep in mind are, whenever possible, use less complex data formats such as JSON and avoid serialization of sensitive data.

Also, patch or upgrade all XML processors and libraries in use by web applications or on the underlying operating system. Use dependency checkers. Update SOAP to SOAP 1.2 or higher.

9) Broken Access Control

Restrictions on the privileges of authenticated users are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.

The possible solution to overcome this problem is to implement access control mechanisms once and reuse them throughout the application. Also, Minimize the use of CORS.

10) Security Misconfiguration

Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only all operating systems, frameworks, libraries, and applications should be securely configured but also, they must be patched and upgraded in a timely fashion.

We can avoid this by checking none of the default accounts credentials is the same.

The aim of this article is to give a good insight into common flaws that can lead to modern data breaches and could make web applications vulnerable to various attacks.

As the saying goes “Prevention is better than cure”, proactive and defensive security steps must be adopted beforehand than making it a practice only after a security breach.

- Bharath Varma