The web is continually exposed to new vulnerabilities. It is worth taking the time to identify and understand the top ten web security issues. They are listed below, each one covering a specific type of security hole or issue.


Injection (SQLi: SQL Injection)

SQL injection attacks occur when databases and other systems are vulnerable to the point where an attacker can send or “inject” malicious or untrusted data through the system. This data can then filter down to clients and end users, potentially infecting them with viruses, malware, Trojan horses and other security problems.

There are many different types of SQL injections and vulnerabilities depending on the type of database system, the programming language being used and so forth. Because of the sheer variety of sources, it can be difficult for system administrators and software developers to pinpoint the cause of the injection.

With this in mind, it’s crucial to hire security experts who understand and can devise a plan of action and a solution to detecting, reporting and patching vulnerabilities that can lead to an SQL injection.

Injection Flaws include, but are not limited to:

  • LDAP Queries
  • SQL Queries
  • XPath Queries
  • Program Arguments
  • OS Commands

A successful injection can cause loss of data, loss of goodwill and credibility, the loss of sensitive client information and much more.

SQL Injection Impact on Businesses and Websites:

Any business affected by an SQL injection would need to take steps quickly to rectify the issue. The loss of personal data, financial information and other assets can do a great deal of harm to a company’s reputation. That is why it’s crucial to be forewarned and protected against such threats before they occur.
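The flaw described above, shown as an added example (not code from the original article): a login query built by string concatenation next to the same query parameterized. The table, its two rows and the plaintext password column are constructed here for brevity only.

```python
import sqlite3

def build_db():
    # Constructed in-memory database with sample users (not data from the page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users (name, pw) VALUES (?, ?)",
                     [("alice", "alice-pass"), ("bob", "bob-pass")])
    conn.commit()
    return conn

def login_vulnerable(conn, name, pw):
    # Untrusted input is pasted straight into the SQL text, so the input can
    # change the structure of the query: this is the injection flaw.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in conn.execute(sql)]

def login_safe(conn, name, pw):
    # Parameterized query: the driver sends the values separately from the SQL
    # text, so they are only ever compared as data and never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]

if __name__ == "__main__":
    db = build_db()
    tautology = "' OR '1'='1"          # classic test input that always evaluates true
    print(login_vulnerable(db, "alice", tautology))   # every user matches
    print(login_safe(db, "alice", tautology))         # no user matches
```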


Broken Authentication & Session Management
Broken Authentication and Session Management attacks are launched anonymously to retrieve passwords, user IDs, account details and other information. For example, a webmaster running an online forum or participating in a social network is extremely prone to these types of incidents. These attacks normally begin when the attacker impersonates the target by relying on information gathered from other users on the same platform. By doing so, the attacker can ask for (and often receive) valuable information, which can in turn lead to account hijacking, identity theft and other critical issues.

There are numerous steps that developers can take to help prevent these attacks, including session expiration, login expiration and various other strategies that can help safeguard the user. However, it should be pointed out that not every website employs these types of protective measures and a variety of security breaches can still occur.
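The session expiration and login expiration measures mentioned above, as an added example (not code from the article): a hypothetical server-side session store with random tokens, an idle timeout, an absolute lifetime after which the user must log in again, and explicit invalidation on logout. The timeout values and the injectable clock are assumptions made for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session expires (assumed)
ABSOLUTE_LIFETIME = 8 * 3600  # seconds after login before re-authentication (assumed)

class SessionStore:
    def __init__(self, now=time.time):
        self._now = now           # clock is injectable so expiry can be tested
        self._sessions = {}

    def create(self, user_id):
        # 32 bytes from the OS CSPRNG: the token is unguessable and carries no user data.
        token = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[token] = {"user": user_id, "created": t, "last_seen": t}
        return token

    def lookup(self, token):
        """Return the user id for a live token, or None if unknown or expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        t = self._now()
        if t - s["created"] > ABSOLUTE_LIFETIME or t - s["last_seen"] > IDLE_TIMEOUT:
            self.destroy(token)   # expired sessions are removed, not merely ignored
            return None
        s["last_seen"] = t        # sliding idle window
        return s["user"]

    def destroy(self, token):
        # Logout invalidates the session server-side, so a leaked token is useless afterwards.
        self._sessions.pop(token, None)
```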


 

XSS (Cross Site Scripting)
Cross Site Scripting (XSS) is a type of vulnerability which takes advantage of security weaknesses in the browser or another type of interpreter, rather than the site itself. Much like an SQL injection, it is difficult to trace an XSS issue to a single source. Any time there is a browser vulnerability or security hole, it can be used as the launch pad for an attack.
When information is sent to web service providers such as banks or online stores, webmasters, or website owners, an attacker can interrupt the transfer process and extract this valuable information. This can all be done seamlessly without either the website owner/provider or the client having knowledge of the attack.
The three main types of XSS flaws are:
  • Stored
  • DOM Based XSS
  • Reflected

Oftentimes, XSS vulnerabilities start with a malicious script running in the victim’s browser. Other examples include malicious content or misleading data (known as “spoofs”) which attempt to trick the user into revealing their password or other vital information, or into paying to get rid of what they believe to be a virus. In all cases, the security of both the user and the website owner is at stake.

XSS Impacts on Businesses and Websites:
Data loss, misleading content and other issues cause massive amounts of damage to a company’s reputation and can ruin the brand if left unaddressed.
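Reflected XSS and its standard mitigation, output encoding, as an added example (not code from the article): a search page that echoes an untrusted query parameter, the same page with HTML escaping, and a link renderer showing that escaping alone is not enough inside an href. The template and the helper names are assumptions made for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Minimal search-results page; the 'q' parameter comes straight from the URL (constructed).
TEMPLATE = "<p>Results for: {q}</p>"

def render_vulnerable(query_string):
    # Reflects the raw parameter into HTML: any markup in it is parsed by the
    # browser, which is the reflected XSS flaw.
    q = parse_qs(query_string).get("q", [""])[0]
    return TEMPLATE.format(q=q)

def render_safe(query_string):
    # Output encoding for an HTML text context: &, <, >, " and ' become entities,
    # so the browser displays the input as text instead of interpreting it.
    q = parse_qs(query_string).get("q", [""])[0]
    return TEMPLATE.format(q=html.escape(q, quote=True))

def render_link_safe(url):
    # Encoding is context dependent: inside href a "javascript:" URL contains
    # nothing to escape, so validate the scheme first and only then escape.
    scheme = urlsplit(url).scheme.lower()
    if scheme and scheme not in ("http", "https"):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">link</a>'

def reflects_tag(rendered, tag="<script"):
    # Crude response check a test suite can use to spot unescaped markup.
    return tag in rendered.lower()
```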

Insecure Direct Object Reference
This type of security vulnerability typically occurs when authentication levels are not sufficiently checked and users gain administrative access to system data. In many cases this happens upon logging in to a particular system and taking advantage of system flaws to enable incorrect levels of access.
An online vulnerability detector can track down such flaws and notify developers, administrators and webmasters. In more involved cases, it’s a good idea to have a code analysis and evaluation performed to determine any potential authentication holes through which unscrupulous users can slip and gain access.

Security Misconfiguration
Attackers who want to disguise their true identity or other personal information will often leverage security misconfigurations. These strategies involve sniffing out accounts which use default or common credentials, unprotected website directories or unused pages to gain access to a system. Common issues include default usernames such as admin and passwords such as “password” or “123”. Various unattended web pages can also serve as the springboard for these types of attacks.

When this type of vulnerability is found, it is imperative that network administrators and vulnerability experts work together to revise frameworks, incorporate custom code and take other security measures to prevent such misconfiguration abuses.


 

Sensitive Data Exposure

Attacks involving sensitive data exposure follow well-planned strategies. The attacker does not resort to crude tactics; he or she will analyze your website, either directly or through an intermediary, and then proceed.
Upon a successful sensitive data exposure attack, your website’s privacy, terms and conditions or any other sensitive aspect of the business will be compromised. There could be a credit card identity theft scenario, which would eventually pose a threat to your legitimate clients. People will not feel comfortable dealing with you, thinking that you are the “perpetrator”.

Steps to Ensure Security Against Sensitive Data Exposure Vulnerabilities:

  1. Get a good online security company to run an in-depth analysis of your website.
  2. Assess your website data sensitivity against different levels of security. Which data is more sensitive, and which aspect of your website requires extra protection?
  3. Make sure that, after adequate steps are taken, the data is stored in encrypted form.
  4. For effective cryptography, even the website root URLs are supposed to be masked.
  5. Strong algorithms are an added bonus against sensitive data exposure attackers.

How Can Someone Compromise Your Website Security?

As per the sensitive data exposure scenario, a good example could be an online ecommerce business. Your website will be storing your clients’ credit card information at a remote location, normally a database. If the data is being encrypted automatically, which is the usual case, it would mean an automatic decryption upon retrieval.

Therefore, an SSL security loophole exists. To counter SSL loopholes, keep your certificates up to date and use public keys to encrypt credit card information. Data should be ideally decrypted only through back end private keys upon retrieval and client’s consent.

Do not store sensitive data permanently. Discard it as soon as possible.


 

Missing Function Level Access Control
Attacks covered under the Missing Function Level Access Control category range over a series of moderate impacts. This vulnerability exists in websites with hierarchical or tiered user access accounts. Depending on the account’s restrictions and privileges, the user will be able to access a certain level of applications. Upon an access request, the application sends an approval token to the user as soon as verification is through. However, in the case of untrusted, new and anonymous users, administrative functions become targets as they are prone to unauthorized use.

How to Ensure Protection against Missing Function Level Access Control?

  1. Get an online security services company to critically analyze your website against Missing Function Level Access Control. They will look for user moderation levels and back end user access to any possible areas that grant or navigate to unauthorized parts of the website.
  2. When was the last time your online business had a complete user account authentication check?
  3. Are these checks performed automatically? If the answer is yes, revert to manual mode or a custom coded scanner for specific capabilities to detect Missing Function Level Access Control vulnerabilities.
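Both the Insecure Direct Object Reference and the Missing Function Level Access Control categories come down to a missing authorization check, so one added example serves both (not code from the article): an object lookup by request-supplied id with and without an ownership check, and an administrative function guarded by a role check enforced on every call. The user model, the invoice records and the helper names are assumptions made for the example.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller is not allowed to reach an object or a function."""

@dataclass
class User:
    id: int
    role: str          # "user" or "admin" (assumed roles)

# Constructed sample data: invoice number -> record (not from the page).
INVOICES = {
    101: {"owner": 1, "total": 40},
    102: {"owner": 2, "total": 75},
}

def get_invoice_vulnerable(user, invoice_id):
    # Insecure direct object reference: the record is fetched by the id taken
    # from the request with no check that it belongs to the caller.
    return INVOICES[invoice_id]

def get_invoice(user, invoice_id):
    # Object-level check: the caller must own the record or be an administrator.
    record = INVOICES.get(invoice_id)
    if record is None or (record["owner"] != user.id and user.role != "admin"):
        raise Forbidden(f"invoice {invoice_id}")  # same error for missing and foreign ids
    return record

def require_role(role):
    # Function-level check applied on every call, not just when deciding whether
    # to show a link or menu entry in the UI.
    def wrap(fn):
        def guarded(user, *args):
            if user.role != role:
                raise Forbidden(fn.__name__)
            return fn(user, *args)
        return guarded
    return wrap

@require_role("admin")
def delete_user(user, target_id):
    return f"user {target_id} deleted by {user.id}"

def is_forbidden(fn, *args):
    # Helper so callers (and tests) can check a denial without try/except.
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```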

Cross Site Request Forgery (CSRF or XSRF)
One of the most prevalent attacks from online scammers and spammers is CSRF, where users are manipulated into providing sensitive information through a forged website. Attackers typically warn the user that their account has been suspended, their password has changed or that other vital information has been compromised. In these cases, the user panics and submits their information through the forged site. The attacker typically tricks the victim into:

  • Changing password
  • Adding a Secondary Email ID
  • Various other Techniques

For them, the ideal situation involves a full-on CSRF strategy wherein weak websites and apps are used as puppets to perform actions and gather specific details (such as entering a password, revealing answers to security questions, inputting credit card details, bank account information, etc.).

When a secondary email ID is called for, an attacker can take advantage of this opening by using their own information in place of the user’s email, and changing the password – effectively locking them out of their own account so that the attacker can then drain it or take other malicious actions.

CSRF Impacts on Businesses and Websites:

CSRF is a severe error that impacts not only the website and customers being served, but also gives the impression that the business itself or brand was somehow involved in the deceitful activity, giving users plenty of reason to take legal or other action if they feel your site was to blame for the problem.
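The standard defence for the password-change and secondary-email actions listed above is a per-session synchronizer token, shown here as an added example (not code from the article): the token is a keyed hash of the session id, so a page on another site can cause the browser to send the victim’s cookie but cannot supply a matching token. The request shape, handler names and server key are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret held only on the server (constructed at import time).
SERVER_KEY = secrets.token_bytes(32)

def csrf_token(session_id):
    # Synchronizer token bound to one session: unguessable without SERVER_KEY and
    # unreadable from another origin, so it cannot be placed in a forged form.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def verify_csrf(session_id, submitted):
    if not submitted:
        return False
    # Constant-time comparison so timing does not leak the expected token.
    return hmac.compare_digest(csrf_token(session_id), submitted)

def csrf_protected(handler):
    # State-changing handlers check the token before doing anything else.
    # request: {'session': <id from cookie>, 'form': {<posted fields>}} (assumed shape)
    def guarded(request):
        sid = request["session"]
        if not verify_csrf(sid, request["form"].get("csrf_token")):
            return "rejected: missing or invalid CSRF token"
        return handler(request)
    return guarded

@csrf_protected
def change_password(request):
    return f"password changed for session {request['session']}"

@csrf_protected
def add_secondary_email(request):
    return f"secondary email {request['form']['email']} added for session {request['session']}"
```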


Using Components with Known Vulnerabilities
When certain components of your website, such as frameworks, libraries or specific URL redirect functions, are vulnerable, the attacker could use those components, either individually or collectively, to cause mass-scale damage. Component-related weaknesses are very hard to identify. These weaknesses exist in almost every online company or website’s infrastructure. In other words, a deficient framework library on your website can lead to SQL injection, XSS attacks, remote attacks and so on. In severe cases, a complete host takeover can occur.

How to Ensure Your Website Component Strength?

  1. Security analysts can be requested to run personalized scans against all your website components. The entire process will take time, but it is worth it.
  2. For website data libraries, consider performing an upgrade if they are plugin based. Otherwise, ask developers for an updated version for better security.
  3. Components form various parts of the website, so checking them against various security protocols is a challenge. Whenever a scan is scheduled, whether automated or manual, ask for in-depth security reports.
  4. Have a software process at your disposal to coordinate with your online security team for customized update deployment and installation.

Example Scenario of Component Vulnerabilities:

These two components were individually compromised over 22 million times since year 2011.

  • Apache CXF failed authentication: authentication protocols were bypassed after attackers invoked identity token thefts.
  • Spring remote code execution: the Expression Language implementation in Spring is abused and/or exploited by attackers. This is a server-side attack, hence impacting the online business or website on all fronts equally.

Unvalidated Redirects & Forwards
Attackers who have detailed knowledge of how to trick users into giving up their personal information can use unvalidated redirects and forwards to completely mimic an existing site (such as PayPal or Facebook) and trick users into inputting their personal details into these faked sites, storing them for future use or completely draining the account (in the case of financial exploits). These types of attacks have a severe impact on businesses and websites, particularly when user information is entered and malware is then installed on the end user’s computer. This can lead to a whole host of tangled problems in restoring goodwill and taking steps to rectify the issue and its after-effects.

Impact on Businesses and Websites:

  • Lack of End User Trust
  • Lack of Credibility
  • Malware Installation
  • Worm Infections
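Validating a redirect target before it reaches the Location header, as an added example (not code from the article): a 'next' parameter is accepted only if it resolves to a path on the site’s own host, and only the path and query are re-emitted. The host name and the parameter name are assumptions; the check also covers scheme-relative, backslash and userinfo forms that the text does not list.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical host of the application (assumed, not from the page).
ALLOWED_HOSTS = {"shop.example"}

def safe_redirect_target(next_param, default="/"):
    """Return a same-site path to redirect to, or `default` if next_param points elsewhere.

    The value comes from an untrusted 'next' parameter, so it is validated
    rather than copied straight into the Location header.
    """
    if not next_param:
        return default
    # Browsers treat '\' like '/', so "/\host/..." is followed as a host even
    # though urlsplit would see only a path; normalize before parsing.
    parts = urlsplit(next_param.replace("\\", "/"))
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default                      # javascript:, data:, mailto: ...
    if parts.netloc:
        # Absolute or scheme-relative ("//host/...") URL: the host must be ours.
        # hostname drops userinfo and port, so "ours@other.example" is caught.
        if parts.hostname not in ALLOWED_HOSTS:
            return default
    elif not parts.path.startswith("/") or parts.path.startswith("//"):
        return default                      # bare relative names and "////host" forms
    # Re-emit only path and query, never the caller-supplied scheme or host.
    return urlunsplit(("", "", parts.path or "/", parts.query, ""))
```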

These are the top ten web security issues noted by the Open Web Application Security Project (OWASP).