Top 3 Security Risks in Web Applications

Web applications are prone to security attacks because of their 24/7 availability. By being always available, they let anyone craft an attack at any time, while the humans guarding them still need to sleep at least 8 hours a day.

Thankfully, most security risks in a web application are related to input validation, something that developers cause and can therefore fix.

Here are the Top 3 Security Risks for Web Applications:

• Cross-site scripting (XSS). If a parameter is not sanitized correctly an attacker may be able to control the content of the vulnerable page. To perform the attack the victim is often tricked into clicking on a malicious link, but this is not always necessary for the attack to be successful.

• SQL injection. Some parameters retrieved from the user’s web browser may be used to perform database queries. If a parameter passed from the user to the database is not correctly filtered, an attacker may attempt to execute arbitrary SQL commands and/or to gain privileges on the web application.

• Remote file inclusion (RFI). By exploiting insecure calls to local files, such as templates, an attacker may attempt to upload arbitrary code on the server. The resulting payload (for example, a shell written in PHP) may be executed with the privileges of the web server.

Source: CERN Computer Newsletter

Basically, all three risks involve inserting malicious code through user input, usually via web forms. In the case of SQL injection, SQL code is passed through the input form so that it executes together with the application's own SQL. This is a well-known risk and there are many ways to prevent it.

Cross-site scripting is a bit trickier. It involves running a script that originates outside the original web server and then alters the contents of the original page. The altered content can be a fake login page into which an unsuspecting user enters their username and password. Not knowing that the login page has been compromised, the user hands their credentials to the malicious script, which records them on another web server.

Remote file inclusion is more difficult to carry out. Usually the attacker must gain access to the web server, or he/she can use a file upload form to upload a malicious file. Once inside, the file can do many bad things. Very few web applications provide an upload form, so this attack is quite difficult to pull off.

All three security risks above are easily prevented by checking user input. So a web developer must always check that the input is appropriate for the application and block invalid input from entering the system.
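To make that check concrete, here is an added example (not code from the original post, nor from the CERN or OWASP sources it quotes). It assumes a hypothetical user lookup backed by a constructed in-memory SQLite table: an allow-list check on the username, the string-built query that breaks on a harmless apostrophe, the parameterized query that handles the same value safely, and HTML encoding before the username is rendered back to the page.

```python
import html
import re
import sqlite3

# Constructed sample data: an in-memory users table standing in for the app's database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "alice@example.org"), ("o'brien", "obrien@example.org")])

# Allow-list: letters, digits, dot, underscore or apostrophe, 1-32 characters.
# Anything else is rejected before it reaches the database or the page.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._']{1,32}$")

def validate_username(raw: str) -> bool:
    """Return True only if the submitted username matches the allow-list."""
    return bool(USERNAME_RE.fullmatch(raw))

def find_email_unsafe(username: str):
    # VULNERABLE: the input is pasted into the SQL text, so a quote in the
    # input becomes part of the statement. Even the legitimate name o'brien
    # breaks the query; crafted input could change what the query does.
    query = "SELECT email FROM users WHERE username = '%s'" % username
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def unsafe_query_breaks(username: str) -> bool:
    """True if the string-built query fails on this input (a symptom of injection)."""
    try:
        find_email_unsafe(username)
        return False
    except sqlite3.Error:
        return True

def find_email_safe(username: str):
    # FIXED: a parameterized query sends the value separately from the SQL
    # text, so the driver always treats it as data, never as SQL.
    row = conn.execute("SELECT email FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None

def render_greeting(username: str) -> str:
    # XSS defence: encode user-controlled text before it lands in HTML so that
    # markup in the input is displayed, not executed by the browser.
    return "<p>Welcome, %s!</p>" % html.escape(username, quote=True)
```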

For more types of security risks, head over to the Open Web Application Security Project (OWASP) website. They maintain a list of the Top 10 Most Critical Web Application Security Risks that you can review.

The OWASP Top 10 provides:

  • A list of the 10 Most Critical Web Application Security Risks

And for each Risk it provides:

  • A description
  • Example vulnerabilities
  • Example attacks
  • Guidance on how to avoid
  • References to OWASP and other related resources

Source: OWASP

So, please make sure your application's input is properly sanitized. Let us create safe web applications.