4 Common Web App Vulnerabilities and How to Combat Them

For many companies, 2020 was all about switching to remote work in cloud-based enterprise systems, and application security teams had to adapt to a change in usage and a growing number of challenges.

Web application vulnerabilities were the cause of 43% of data breaches in 2019, according to The 2020 Verizon Data Breach Investigations Report. Surprisingly, 79% of organizations intentionally pushed vulnerable code to production, at the same time considering their own application security posture as being higher than 7 out of 10, according to Enterprise Strategy Group research.

With the average cost of data breaches being $3.86 million, application security is certainly not something businesses can ignore. The numbers are going uprising 12% over the last five years.

Compared to other IT assets, web applications are especially vulnerable to attack, because they are exposed to the Internet. Many attack vectors against web applications focus on manipulating user inputs via web forms, and machine inputs via APIs.

In this article, we will discuss web application vulnerabilities and the best practices for protecting web applications against malicious attacks and accidental damage. You can download the Web Application Security Requirements Checklist to secure your web application from all angles.

Web Application Vulnerabilities

Web application vulnerabilities are security weaknesses that allow threat actors to manipulate source code, gain unauthorized access, steal data, or otherwise interfere with the normal operation of the application.

The OWASP Top 10 document lists the most critical security risks to web applications. Let’s overview a few commonly known attack vectors:

1. SQL Injection—occurs when attackers use malicious SQL code to manipulate backend databases. The result can include unauthorized data listing, dropping (deletion) of tables, and unauthorized administrative access.
   
2. Cross-Site Scripting (XSS)—an attack targeting users of an application. It can be used to access user accounts, inject Trojans, or change page content to deceive users or deface a website. Another, more dangerous variant is stored XSS when malicious code is injected persistently into the application. Reflected XSS is when malicious scripts are reflected from the application to the user’s browser.
   
3. Remote File Inclusion (RFI)—remote injection of files into a web application server. This can lead to malicious script and code execution in applications, compromise of the web server, and data theft.
   
4. Cross-Site Request Forgery (CSRF)—an attack that can lead to unwanted transfers of funds, password changes, or data theft. Involves an attacker leveraging a user’s open session, causing the user’s browser to unknowingly perform actions on a site the user is logged into.

Sanitizing application inputs and outputs, and adopting secure coding practices, can protect applications against most vulnerabilities. However, this is not enough. Web applications are under constant development, and security testing must be incorporated into every stage of the development lifecycle, to identify and fix vulnerable code early on.

In addition, most web applications use third-party open source components, which may themselves be vulnerable, and must be scanned on an ongoing basis.

Expert’s Advice: Most of the modern web frameworks provide out of the box security techniques to prevent common vulnerabilities like SQL Injection, XSS, CSRF.

Web Application Security Techniques and Tools

The most powerful security technique in web development is to think about security in all, even smallest, details. Web application security is about not just the code base, but also about project processes, data storing, company policies, etc. In the end, it doesn’t matter how good and protected your code is, if you have your API documentation publicly available, or the super admin password written on a whiteboard in the office.

-Sergey Ivanov, Head of Quality Assurance at MobiDev

So, first things first—security in applications comes from security in the project itself. But when all processes are perfect—what’s next?

To gain information about web application security, generally, there are two main approaches. We are talking about static and dynamic security testing. They don’t exclude one another but should instead complement one another.

Here are a few technologies you can use to protect your web applications against vulnerabilities, as well as respond to attacks if they happen.

SAST

Static Application Security Testing (SAST) solutions scan your source code for vulnerabilities and security risks. Many web applications integrate code scanning in multiple stages of development—mainly when committing new code to the codebase, and during a build.

SAST is typically rule-based, and scan results typically include false positives, so you’ll need to carefully analyze and filter the results to identify real security issues.

Expert Advice: We use the SonarQube static analysis tool to monitor security issues that may be introduced during development. It is recommended to integrate it with CI/CD pipeline so it will scan every commit/merge commit. SonarQube has good visual representation and checks not only security aspects, but also maintainability and reliability of the code base. It supports 20+ different programming languages, so it works for most frontend and backend frameworks.

DAST

Dynamic Application Security Testing (DAST), involves testing deployed or running code to find vulnerabilities. It can be performed both manually and automatically, using special tools.

Manual testing revolves around working with application API with tools like Burp Suite, Fiddler, Postman. Automation DAST tools send a large number of requests to application code, including unexpected and malicious inputs, looking for vulnerabilities. It analyzes the results and identifies security weaknesses.

Expert Advice: After thoughtful manual security analysis, we use OwaspZap, an open-source web application security scanner, to speed up regression testing. Scanners can’t replace humans in terms of creativity, root cause analysis, or ability to think out of the box, but they can handle routine tasks at a much faster rate and volume.

PENETRATION TESTING

Penetration testing is a security technique that combines dynamic scanning tools and with human's expertise in security to find gaps in a web application’s security posture.

Pentesters act like real threat actors—exploiting vulnerabilities, gaining unauthorized access, stealing data, and disrupting services. However, they do so under contract with the web application’s owner, under an agreed scope, and without causing real damage to the organization.

Compared to SAST and DAST, this technique is more complex to carry out but can identify additional risks that automated tools can miss.

XDR

eXtended detection and response (XDR) solutions are a new generation of security platforms that give security teams one interface that allows them to detect and respond to threats wherever they exist in the IT environment.

XDR collects security data from all layers of the security stack, including web applications, networks, private and public clouds, and endpoints. It applies advanced analytics and automation to analyze, triage, and detect both known and unknown threats. Most importantly, it directly integrates with security tools and can automatically respond to threats in real-time.

Web Application Security Best Practices in 2021

Here are a few best practices you can use to improve the security of your web applications.

AUTHENTICATION AND ACCESS CONTROL

While it may seem obvious, many web applications do not implement basic access control measures. Make sure you follow these principles:

• Enforce strong passwords—use secure password recovery, set sensible password expiration and rotation policies, and preferably, use multi-factor authentication.
• Force re-authentication when accessing sensitive capabilities or performing transactions.
• Use the principle of least privilege (POLP), and give each user only the privileges they need to perform their role in the system.
• Use SSL and encryption and ensure passwords and credentials are always encrypted, both at rest and in transit.
• Monitor user accounts and lock out users or request a change of password if you detect suspicious activity.

Expert Advice: For businesses, which must additionally provide data security and strict legal compliance with such acts as GDPR or HIPAA, an advanced solution is needed. Read more about Attribute Based Access Control, which enables dynamic and context-specific access to resources that can be adapted to different access control policies.

AVOID SECURITY MISCONFIGURATIONS

Whatever CMS or web development framework you are using, there are many possibilities for misconfiguration. Watch for the following issues:

• Always set strong administrator passwords and change default usernames
• Protect files and directories with configuration or sensitive content
• Do not leave ports open if you don’t need them to be open unnecessarily
• Regularly update to the latest stable version for all software libraries, plugins, and the framework itself
• Scan all your packages regularly for security vulnerabilities
• Stay tuned for security vulnerabilities and updates affecting your software and infrastructure
• Use secure communication and networking protocols
• Ensure digital certificates are up to date

Expert Advice: We use Local PHP Security Checker after each PHP composer update. It helps us to prevent using libraries with known vulnerabilities. Usually regular updates to the latest stable version solve many security issues.

The use of open-source libraries and components in software development is almost ubiquitous, with some 99% of applications having at least one open-source component, according to the 2020 Open Source Security and Risk Analysis Report.

Some industries, such as Retail, Healthcare, and Education saw exponential growth in revenue during the year 2020, largely due to consumer behavior and social interaction changes during COVID. As these industries used more open source in their applications, they had the largest number of vulnerabilities and high-risk vulnerabilities. Determining which open-source components are secure should be a primary concern for any application security group.

EXCEPTION MANAGEMENT

Exceptions are a commonly overlooked aspect of web application security. It is common to see exceptions or errors displaying long stack traces to the user—this information is extremely valuable to attackers. You should never display anything to a user other than an error message that explains what went wrong and what they can do to resolve it.

Ensure you plan your web application for both “happy” and “unhappy” scenarios of every user operation. Anticipate all possible errors and handle them with meaningful exceptions. This will prevent attackers from exploiting edge cases to cause unexpected behavior.

MANAGE CONTAINERS CAREFULLY

Many web applications run on containers, using Docker. Containers can create major security issues if not managed correctly. Take note of the following security guidelines:

• Trusted images—when creating a container, always use trusted base images, and scan images for vulnerabilities (even your own images) before using them.
• Use secrets—it is a very bad practice to save credentials or other sensitive information directly in a container image because it will be openly available on any container created from that image. Instead, use the secrets mechanism in Docker or Kubernetes to store sensitive info.
• Never grant root access—a container that has root access on a system will also grant root access to an attacker, in the event the container is compromised. Always define a user in your images, and avoid using options like “privileged container” in Kubernetes.
• Network segmentation—ensure that containers can only access other systems if they really need to. Run containers in a protected subnet and avoid exposing them to the Internet unless absolutely necessary.

Expert Advice: Amazon Elastic Container Registry (ECR) service provides security scans for Docker images. It is quite a useful feature to understand what potential security issues you have in your private Docker images.

QUALITY ASSURANCE AND TESTING

Security testing is essential for web application security. Follow these best practices:

• Use static and dynamic scanning—scan your source code for vulnerabilities during development using Static Application Security Testing (SAST) and in production using Dynamic Application Security Testing (DAST).
• Use penetration testing—you can use lightweight penetration testing as a service (PTaaS) solutions, or for large-scale applications, and a periodic full-scale penetration test by a certified ethical hacker.
• Adopt CI/CD—whenever you update your application, run your code through an automated testing process, and deploy it automatically, to ensure you do not introduce security risks due to installation issues.
• Take compliance into account—most organizations in the world are subject to the European Union’s GDPR regulation. Applications that process credit card data are subject to the PCI/DSS standard. Check if there are additional compliance standards or regulations that affect your application, and implement the necessary measures.

In most cases, our usual deployment process in CI/CD includes the following 5 steps:

1. Scan source code for code style violations
2. Scan used 3rd party libraries for security issues
3. Run unit test
4. Prepare new source code for deployment.
5. Create and deploy new Docker images to a selected environment. All sensitive credentials required to run your web application are stored in the secure storage of the CI/CD.

The deployment will be stopped if any of these steps fail. This guarantees stable updates and a stable, safe environment.

How MobiDev ensures web application security

Applications remain a top cause of external breaches, and the prevalence of open source, API, and containers only adds complexity to the security team. Happily, companies have started to recognize the importance of embedding security more tightly into the development phase.

The author - Anton Logvinenko, Web Team Leader at MobiDev