Wherever there is user data, sensitive information, or server and network resources, there will also be malicious individuals attempting to take advantage. Web apps have all of these temptations. They gather data to provide tailored services to users. Much of that data is sensitive, especially when financial, medical, and other personal information is involved. Most web applications, even a WordPress site hosted on a low-end shared hosting account, have access to server and networking resources that attackers can turn to their advantage.
All of which means considerable responsibility rests on the shoulders of web developers. They have a duty to protect users and prevent resources being turned against innocent web users and businesses. I’d like to take a look at three of the most common vulnerabilities and their causes.
Injection vulnerabilities occur when attackers are allowed to input executable instructions to an interpreter. The paradigmatic example for web applications is an SQL injection attack. A typical scenario looks like this: an attacker discovers that information entered into a form in a web app is not properly sanitized — the app should check that the data is of the expected type and escape it just in case it isn’t. The attacker submits the code, usually along with some padding data, to the form. When the app attempts to put the data into the database, the unsanitized SQL instructions are executed.
SQL injection attacks account for around 20% of all web vulnerabilities; they’re a serious site of developer error and deserve a proportional amount of attention. SQL injection vulnerabilities can lead to wholesale data breaches, authentication bypasses, and the insertion of damaging information into the database.
The best way to avoid this sort of vulnerability is obvious — never allow user data to be submitted to an application without ensuring it is of the expected type and always sanitize input data to render it harmless.
Cross Site Scripting Vulnerabilities
XSS vulnerabilities are serious, especially if authenticated users with administrative privileges can be tricked into running the code. Code running in the browsers of admin users has the same rights as those users, which means attackers could potentially infect sites with malware or upload sensitive information from the app’s database to a third-party server.
In this case, input data needs to be validated and sanitized to ensure that there is no malicious code, and then escaped, to prevent any code that might slip through from being executable.
It should be noted that both injection and XSS attacks don’t necessarily involve an individual typing into a form; they often take advantage of insecure APIs and other avenues for the scriptable input of data, so the same data validation procedures must be applied to all data input routes.
Vulnerable Software Components
All web apps rely on a software stack that starts at the operating system, incorporates various other applications like programming languages and web servers, and makes use of external libraries. Vulnerabilities in these components can create vulnerabilities in the web application.
The Heartbleed vulnerability is an obvious example of this type of security flaw. Bugs in the OpenSSL library allowed attackers to extract data from arbitrary memory locations on a server, which potentially included highly sensitive data like private keys.
It’s not practically possible for app developers to audit every external component they use in their application, so there is a degree of trust involved. Nevertheless, there are strategies to minimize the risk. All external applications and components should be regularly updated to ensure that security patches are applied and developers should monitor security news sources to keep themselves apprised of any vulnerabilities.
Many vulnerabilities occur because adding functionality takes precedence over security best practices, but developers who take responsibility for user data have a duty to minimize the risk their users face.