How To Secure Web Applications

An Introduction On How To Secure Web Applications

Web applications, or web apps, are software programs designed and built to carry out particular tasks or meet the needs of end users. They usually reside on a server and are accessed through a web browser. Here are some examples of web apps:

  • Facebook, Netflix, YouTube
  • Gmail, Outlook, Thunderbird
  • Google Sheets, Google Docs, Google Play

Sooner or later the question of how to secure web applications comes to mind, and we start looking for an answer.

In this article, we’ll discuss the vulnerabilities of web apps and at the same time show you the different ways to secure web applications, aka best practices for ensuring web application security.

Vulnerabilities Of Web Apps And How To Secure Web Applications

We often use web apps without knowing the dangers they can expose us to. In this section, we’ll list the top ten vulnerabilities found in web apps and show you the methods for securing web applications against them.

OWASP (the Open Web Application Security Project), a non-profit charitable organization, has been focusing on improving software security since Sept 24, 2001. The people behind it provide us with standards on how to secure web applications. The list below can also serve as an application security best practices checklist.

Here are the top 10 vulnerabilities found in web applications:

For each vulnerability, the entry below gives its name or term, a description, and the countermeasure.
1. Injection

Description: This is a type of vulnerability in which a web form is unable to distinguish or validate malicious user input. The attacker tries to input commands used in programming languages such as SQL, with the intention of getting hold of valuable information like a list of usernames and passwords.

Countermeasures:
  • How to secure web applications from this vulnerability is by validating user input using server-side whitelisting methods.
  • Implementing a secure coding policy also helps prevent injection attacks on your web apps.
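The two countermeasures above, shown side by side in code: a lookup that concatenates user input into SQL next to one that first checks the input against a server-side whitelist and then passes it to the database as a parameter. This is an added example written for this article, not code from the article or from OWASP; the table layout, the username rule and the sample rows are assumptions.

```python
import re
import sqlite3

# Constructed sample data (not from the article): a two-row users table.
SAMPLE_USERS = [("alice", "hash-a"), ("bob", "hash-b")]

# Server-side whitelist: the only shape of username the application accepts.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def setup_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def validate_username(name):
    """Whitelist check: reject anything outside the expected character set."""
    return bool(USERNAME_RE.match(name))


def find_user_vulnerable(conn, name):
    """Builds the query by string concatenation, so the input is parsed as SQL.

    Kept here only to show what the safe version prevents."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_safe(conn, name):
    """Validates against the whitelist, then binds the value as a parameter.

    With a bound parameter the database treats the input purely as data."""
    if not validate_username(name):
        raise ValueError("username rejected by whitelist")
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)
```

The whitelist rejects malformed input before it reaches the database, and the parameterized query protects the cases the whitelist does not cover.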
2. Broken Authentication

Description:
  • If your web app permits weak passwords and gives no indication of how strong a password is, then it’s vulnerable.
  • If your web application permits brute force attacks, most probably the cybercriminals have compromised your network already.

Countermeasure: How to secure web applications from this vulnerability is by implementing a multi-factor authentication method. For example, when you try logging in to your Facebook account, it will not only ask for your username and password but also send you either an SMS message or an email to confirm your identity on the network.
3. Sensitive Data Exposure

Description: If your web application’s data is not encrypted or is transferred in the open in plain text, chances are that an attacker will get hold of that sensitive or confidential data. In this scenario, the cybercriminal uses man-in-the-middle attacks.

Countermeasure: How to secure web applications from this vulnerability is by encrypting your data, using a VPN service, and utilizing a program that will thwart man-in-the-middle attacks.
4. XML External Entities (XXE)

Description: Your web app is vulnerable if it accepts XML (Extensible Markup Language) directly. The attack is similar in nature to an injection attack: the cybercriminal puts XML code into the input fields of the application to trick the system into giving out valuable information.

Countermeasures:
  • How to secure web applications from this vulnerability is by patching or upgrading all XML processors and libraries used by the app.
  • Since this is similar to an injection attack, we can also implement a server-side whitelisting approach.
5. Broken Access Control

Description: Your web app is vulnerable if the end user has the same privileges, rights or permissions as the administrator. For example, a typical user logs into a guest account on a Windows network and can install or delete programs, which is a privilege of an administrator account.

Countermeasure: How to secure web applications from this vulnerability is by reviewing user privileges and restricting access to valuable network resources.
6. Security Misconfiguration

Description: Your web app is vulnerable if the default usernames and passwords are still in place. The attacker will always try this approach by entering the default username and password for admin accounts. For example, a cybercriminal logs in with the username “admin” and the password “123456”, which is the default for some operating systems or network devices out there.

Countermeasure: How to secure web applications from this vulnerability is by implementing system audits of the current configuration.
7. Cross-Site Scripting (XSS)

Description: Your web app is vulnerable to an XSS attack if the attacker is able to input malicious scripts on your web forms that can steal your data or even deface your website. This is similar to XXE and other types of injection attacks, but here a script is used, such as JavaScript.

XSS attacks also include the following:

  • Session stealing
  • Account takeover
  • Keylogging

Countermeasures:
  • How to secure web applications from this vulnerability is by preventing users from inputting malicious commands on the web forms.
  • Protect your application from keyloggers.
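What "preventing malicious scripts on the web forms" looks like on the output side: a comment renderer that interpolates untrusted text straight into HTML next to one that escapes it and whitelists the link scheme, since escaping alone does not neutralize a javascript: URL in an href. This is an added example written for this article, not code from the article or from OWASP; the comment structure and the "probe()" marker are assumptions.

```python
import html
from urllib.parse import urlsplit

# Constructed sample input (not from the article): a comment whose body and
# link are attacker-controlled. "probe()" is only a marker, not a payload.
SAMPLE_COMMENT = {
    "author": "guest",
    "body": "<script>probe()</script> nice post",
    "link": "javascript:probe()",
}


def render_vulnerable(c):
    """Interpolates the untrusted fields straight into the page markup.

    Kept here only to show what the safe version prevents."""
    return '<p><a href="%s">%s</a>: %s</p>' % (c["link"], c["author"], c["body"])


def safe_link(url):
    """Whitelist the URL scheme: HTML escaping does not stop javascript: links."""
    scheme = urlsplit(url).scheme.lower()
    return url if scheme in ("http", "https") else "#"


def render_safe(c):
    """Escapes every field for its HTML context and whitelists the link."""
    return '<p><a href="%s">%s</a>: %s</p>' % (
        html.escape(safe_link(c["link"]), quote=True),   # attribute value
        html.escape(c["author"], quote=True),            # element text
        html.escape(c["body"], quote=True),              # element text
    )


def has_raw_markup(rendered):
    """True if a live <script tag or a javascript: URL survived into the output."""
    low = rendered.lower()
    return "<script" in low or "javascript:" in low
```

The browser sees the escaped body as literal text, and the link falls back to "#" because its scheme is not on the whitelist.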
8. Insecure Deserialization

Description: According to Microsoft, “Serialization is the process of converting an object into a stream of bytes to store the object or transmit it to memory, a database, or a file. Its main purpose is to save the state of an object in order to be able to recreate it when needed. The reverse process is called deserialization”.

One of the key phrases here is “transmit it to memory”, on which an attack could be based, such as infecting your web app with memory-scraping malware.

Countermeasure: How to secure web applications from this vulnerability is by securing the app with a program that can prevent, detect, and remove memory-scraping malware.
9. Using Components with Known Vulnerabilities

Description: In short, your web application is vulnerable if it is simply outdated or has a known exploit.

Countermeasures:
  • How to secure web applications from this vulnerability is by having a good patch management process in place.
  • Always update your operating system as well, whether you’re using Windows or Linux, so you get the latest patches from your driver manufacturers, upgrades to your operating system features, etc.
10. Insufficient Logging & Monitoring

Description: If your application doesn’t log events or monitor unusual activity, chances are an attacker has already compromised your network as well.

Countermeasure: How to secure web applications from this vulnerability is by ensuring all activities or events are logged, and that alerts or notifications are in place.
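A small monitoring routine that ties this entry to the brute-force case under Broken Authentication: it reads login events, keeps a sliding window of failures per source, and raises an alert once a source crosses a threshold, plus a second alert if that same source then logs in successfully. This is an added example written for this article, not code from the article or from OWASP; the log format, field names, threshold and the addresses (taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article); the line
# format is an assumption made for this example.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z login result=FAIL user=alice src=203.0.113.7
2024-01-10T09:00:03Z login result=FAIL user=alice src=203.0.113.7
2024-01-10T09:00:04Z login result=FAIL user=bob src=198.51.100.5
2024-01-10T09:00:06Z login result=FAIL user=alice src=203.0.113.7
2024-01-10T09:00:09Z login result=FAIL user=alice src=203.0.113.7
2024-01-10T09:00:12Z login result=FAIL user=alice src=203.0.113.7
2024-01-10T09:00:20Z login result=OK user=alice src=203.0.113.7
2024-01-10T09:05:00Z login result=OK user=bob src=198.51.100.5
"""

LINE_RE = re.compile(r"^(\S+) login result=(OK|FAIL) user=(\S+) src=(\S+)$")


def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Alert when one source produces `threshold` failed logins inside `window`,
    and again if that source then logs in successfully."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    flagged = set()               # sources already alerted on
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue              # unparseable line: skip (log it in production)
        ts, result, user, src = parsed
        fails = recent[src]
        while fails and ts - fails[0] > window:
            fails.popleft()       # drop failures older than the window
        if result == "FAIL":
            fails.append(ts)
            if len(fails) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, user, len(fails)))
        elif src in flagged:
            # a success right after a burst of failures is the event an
            # incident responder most wants to be notified about
            alerts.append(("success_after_failures", src, user, len(fails)))
    return alerts
```

Each tuple in the returned list is what a notification would carry: the alert type, the source, the account involved and the failure count in the window.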

How To Secure Web Applications: Conclusion

Now that you know how to secure web applications from vulnerabilities, it is advisable to implement what you’ve learned here. Choose a product that will help you achieve this and always plan ahead.
