Web Application Security
Web application security is the process of protecting websites and online services against different security threats that exploit vulnerabilities in an application’s code.
Common targets for web application attacks are content management systems (e.g., WordPress), database administration tools (e.g., phpMyAdmin) and SaaS applications.
Perpetrators consider web applications high-priority targets due to:
- The inherent complexity of their source code, which increases the likelihood of unattended vulnerabilities and malicious code manipulation.
- High value rewards, including sensitive private data collected from successful source code manipulation.
- Ease of execution, as most attacks can be easily automated and launched indiscriminately against thousands, or even tens or hundreds of thousands of targets at a time.
Organizations failing to secure their web applications run the risk of being attacked. Among other consequences, this can result in information theft, damaged client relationships, revoked licenses and legal proceedings.
Web application vulnerabilities
Web application vulnerabilities are typically the result of a lack of input/output sanitization, which are often exploited to either manipulate source code or gain unauthorized access.
Such vulnerabilities enable the use of different attack vectors, including:
- SQL Injection – Occurs when a perpetrator uses malicious SQL code to manipulate a backend database so it reveals information. Consequences include the unauthorized viewing of lists, deletion of tables and unauthorized administrative access.
- Cross-site Scripting (XSS) – XSS is an injection attack targeting users in order to access accounts, activate Trojans or modify page content. Stored XSS occurs when malicious code is injected directly into an application. Reflected XSStakes place when malicious script is reflected off of an application onto a user’s browser.
- Remote File Inclusion – A hacker uses this type of attack to remotely inject a file onto a web application server. This can result in the execution of malicious scripts or code within the application, as well as data theft or manipulation.
- Cross-site Request Forgery (CSRF) – An attack that could result in an unsolicited transfer of funds, changed passwords or data theft. It’s caused when a malicious web application makes a user’s browser perform an unwanted action in a site to which a user is logged on.
In theory, thorough input/output sanitization could eliminate all vulnerabilities, making an application immune to unlawful manipulation.
However, complete sanitization usually isn’t a practical option, since most applications exist in a constant development state. Moreover, applications are also frequently integrated with each other to create an increasingly complex coded environment.
Web application security solutions and enforced security procedures, such as PCI Data Security Standard (PCI DSS) certification, should be deployed to avoid such threats.