Introduction to Web Application Security
Your personal or work computer asks you to install security updates several times a year, even though worldwide spending on information security stood at around $80 billion in 2015. The World Wide Web has become a vulnerable place, and the more sophisticated it has grown in the recent past, the more vulnerable it has become. A great deal of money is invested in protecting web applications, yet the threat of data breaches and cyber attacks seems never-ending. With the advent of mobile technology, our responsibility to secure consumer information and digital assets has become greater still.
Web applications offer hackers one of the easiest ways to get past the firewall of your security system and reach your information. To be precise, not all web applications do, but those that are poorly coded without security in mind certainly do.
There has been a misconception in how we go about securing web applications. As Sullivan and Vincent explain, it is not about adding security features to an application but about building every component of the application securely. That way, hackers cannot exploit loopholes in the application and turn it into a genie that fulfils every wish of its master.
A major portion of the IT budget is spent on firewalls. Firewalls are important for securing your e-commerce portal, but they cannot completely insulate your applications from attack. Your application communicates with the world through a number of open ports. Those ports are the gateways through which hackers, disguised as genuine users, fetch valuable information by exploiting insecure code in the application. Most attacks, if not all, happen this way. Focusing on firewalls alone therefore brings no better results in the long run; think and act beyond the firewall to keep your web application safe.
Threats facing E-commerce Applications
E-commerce applications are a hot target for hackers because the information gained by exploiting loopholes in them is precious: credit card details, contact numbers and other valuable data that earn a good fortune on the black market.
There are no attacks aimed only at e-commerce web applications; if there were, protecting them would be much easier. Instead, a number of attacks can be carried out against any web application, and e-commerce applications, being a hot target, are preferred by hackers for the bounty involved.
Cyber attacks are many, and as long as the web exists there will be attacks targeting it. That is a bitter pill to swallow, but it cannot be denied: as technology evolves, the ways in which it is attacked evolve too.
The Open Web Application Security Project (OWASP) is an open-source project that aims to strengthen web application security. Periodically it publishes a list of the top ten vulnerabilities for web applications. The first list was created in 2004 and was updated in 2007 and 2010. At the time of writing, the following are the top 10 vulnerabilities according to its latest update, in 2013.
1. Injection
This kind of attack is a nightmare for developers, and under its purview fall a number of attacks including SQL injection, UI redress, full path disclosure, log injection and header injection. It is a form of attack in which malicious input is inserted into a web application in such a way that the interpreter understands it as a genuine command or query, executes it, and hands precious data over to the hacker.
2. Broken Authentication and Session Management
Whenever you use an application, your browser sends an HTTP message to the application, which responds to it. The application generates a session ID and attaches it to the response along with the requested information. This session ID is unique to each user. If the session ID is carried in the URL and the user copies the URL and shares it with friends, he ends up handing his session ID to other users, unintentionally. A second vulnerability lies in the way the application generates session IDs: generation should be truly random, not incremental or following any other pattern, so that a hacker cannot easily replicate it. Otherwise hackers can easily get into another user's session and their information.
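The two points above (unpredictable session IDs, and an ID that leaked once should not keep working) can be shown in a few lines. The following is an added example, not code from the original article: a minimal server-side session store that draws IDs from the operating system's CSPRNG, expires idle sessions and rotates the ID after login or a privilege change. The store, the 15-minute idle timeout and the user names are constructed for illustration.

```python
import secrets
import time

SESSION_ID_BYTES = 32            # 256 bits from os.urandom via the secrets module
IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed policy value for this example


def new_session_id() -> str:
    # secrets.token_urlsafe is backed by the OS CSPRNG. Never derive a session
    # ID from a counter, a timestamp or the user ID: one observed value would
    # let an outsider predict the next one.
    return secrets.token_urlsafe(SESSION_ID_BYTES)


class SessionStore:
    """Constructed in-memory session store: id -> {"user", "last_seen"}."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock          # injectable so tests can move time forward

    def create(self, user: str) -> str:
        sid = new_session_id()
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def lookup(self, sid: str):
        """Return the user for a live session, or None if unknown or idle too long."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._clock() - rec["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]  # treat an idle session as logged out
            return None
        rec["last_seen"] = self._clock()
        return rec["user"]

    def rotate(self, sid: str):
        """Issue a fresh ID (e.g. right after login), so an ID that leaked
        earlier, for instance by being copied inside a URL, stops working."""
        rec = self._sessions.pop(sid, None)
        if rec is None:
            return None
        new_sid = new_session_id()
        self._sessions[new_sid] = rec
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    fresh = store.rotate(sid)
    print("old id still valid:", store.lookup(sid) is not None)   # False
    print("new id valid:", store.lookup(fresh) == "alice")          # True
```

Keeping the ID in a cookie marked HttpOnly and Secure, rather than in the URL, is what stops the copy-and-share leak the text describes; rotation limits the damage when a leak happens anyway.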
3. XSS (Cross-site Scripting)
4. Insecure Direct Object References
These attacks happen when internal implementation objects are exposed to the user in the URL. For example, exposing a 'datafile' parameter in the URL eventually lets hackers reach every data file in the application. Such objects include filenames, directories, external and internal URLs, database keys and so on. The attack can be prevented by being prudent at the development stage and not leaving such sensitive references out in broad daylight; indirect reference mapping, in which the user sees only an opaque token that the server maps back to the real object, saves developers a lot of grief.
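Indirect reference mapping, as an added example that is not part of the original article: instead of putting a file path in the URL, the server hands out a random per-session token and resolves it back to the real object, and even then re-checks that the requesting user owns that object. The invoice paths, user names and the `INVOICES` table are constructed sample data.

```python
import secrets


class IndirectReferenceMap:
    """Per-session map between opaque tokens and internal object references."""

    def __init__(self):
        self._to_internal = {}
        self._to_token = {}

    def token_for(self, internal_ref: str) -> str:
        """Return a stable opaque token for this internal reference."""
        tok = self._to_token.get(internal_ref)
        if tok is None:
            tok = secrets.token_urlsafe(16)  # unguessable, carries no structure
            self._to_token[internal_ref] = tok
            self._to_internal[tok] = internal_ref
        return tok

    def resolve(self, token: str):
        return self._to_internal.get(token)


# Constructed ownership data: which user may read which invoice file.
INVOICES = {
    "alice": ["invoices/2015/alice-0001.pdf", "invoices/2015/alice-0002.pdf"],
    "bob": ["invoices/2015/bob-0001.pdf"],
}


def list_invoice_links(user: str, refmap: IndirectReferenceMap) -> list:
    """What the page renders: opaque tokens, never the real paths."""
    return [refmap.token_for(path) for path in INVOICES.get(user, [])]


def open_invoice(user: str, token: str, refmap: IndirectReferenceMap):
    """Server-side handler for /invoice?id=<token>.

    Resolves the token from this user's own map and still enforces ownership,
    so neither a guessed path nor a token copied from another session works.
    """
    path = refmap.resolve(token)
    if path is None or path not in INVOICES.get(user, []):
        return None
    return path


if __name__ == "__main__":
    alice_map = IndirectReferenceMap()
    links = list_invoice_links("alice", alice_map)
    print(open_invoice("alice", links[0], alice_map))   # real path, for alice only
    print(open_invoice("bob", links[0], alice_map))     # None: not bob's object
```

The ownership check in `open_invoice` is the part that actually matters; the token map hides the internal names, but authorization on every access is what stops a user from reaching objects that are not theirs.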
5. Security Misconfiguration
If a web application's security settings are configured incorrectly, hackers can break in and steal data over a long period of time, and the resulting losses are too hefty to afford. Modern applications are complex, with many layers, and a hole can be left in any of them: the web server, application server, database and so on. That large surface area makes this one of the most hazardous categories. It is not only developers but also network administrators who play a major role in preventing such attacks, by configuring the application's security at every layer so as to leave no room for them.
6. Sensitive data exposure
Any organization has business-sensitive protected data that is meant to be handled by a select group of people. Unlike public data, protected data must not reach public users, as it contains confidential information that is pivotal to the business. Strong encryption algorithms are normally deployed to keep such data out of attackers' hands. Despite encryption, sensitive data can still be accessed without authorization if the algorithm used is not strong enough.
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
This attack tricks the browser of a user who is already logged in to a site into sending requests the user never intended, typically via links that carry code executing undesired functions. Normally the sites involved are the ones that trust the user's identity. Web applications that do not require the user to authenticate a particular action but rely only on the input of an already authenticated user are at great risk of falling victim to CSRF.
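The standard defence is to make each state-changing action carry a secret the forged request cannot supply. The following is an added example, not code from the original article: a synchronizer-token pattern in plain Python, with the session dictionary, the `/transfer` form and the handler all constructed for illustration. A page on another origin cannot read the token out of the victim's page, so a request it forges arrives without a valid token and is refused.

```python
import hmac
import secrets


def issue_csrf_token(session: dict) -> str:
    """Create (once per session) the random token embedded in every form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_transfer_form(session: dict) -> str:
    """Constructed form: the token travels in a hidden field."""
    token = issue_csrf_token(session)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_transfer(session: dict, form: dict, method: str = "POST"):
    """Constructed handler for the state-changing action.

    Returns (status, message). Only POST is accepted, and the submitted token
    must equal the one stored server-side in the session.
    """
    if method != "POST":
        return 405, "state-changing actions must use POST"
    expected = session.get("csrf_token", "")
    submitted = form.get("csrf_token", "")
    # compare_digest runs in constant time, so the comparison does not leak
    # the token byte by byte through timing differences.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form.get('amount', '0')}"


if __name__ == "__main__":
    session = {"user": "alice"}
    html = render_transfer_form(session)
    print(handle_transfer(session, {"csrf_token": session["csrf_token"], "amount": "10"}))
    print(handle_transfer(session, {"amount": "10"}))   # forged request: no token
```

Rejecting non-POST requests matters too: a GET that changes state can be triggered by a plain image tag, which is exactly the kind of unsolicited link the text describes.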
9. Using Components with Known Vulnerabilities
Web and mobile applications use external third-party libraries to incorporate the best features and give users a better experience. But when importing these external pieces of software, the probability of bringing in bugs and other vulnerabilities is also high. It is easier for a hacker if the vulnerable component sits at the top layer of the application rather than deeper down. It is crucial to understand the external client libraries and other frameworks you use and which of their functions are susceptible.
10. Unvalidated redirects and forwards
Web applications normally redirect or forward users to different pages for various reasons, such as making an online payment or returning after a successful one. An attacker can craft a malicious URL that redirects the user to a malicious page, and can also use this method to gain unauthorized access to important areas of the site such as administrative functions. The redirect normally involves a parameter from which the page decides the user's next destination; when that parameter is a URL or part of one, it becomes easy for attackers to abuse. One of the best practices for avoiding these attacks is to ensure the parameter's value is validated and authorized for every user.
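Validating the redirect parameter, as an added example that is not part of the original article. The function accepts only local paths and absolute URLs whose host is on an allow-list, and falls back to a safe default for anything else; it also catches the scheme-relative and userinfo forms that a naive "starts with a slash" or "contains our domain" check lets through. The host names `shop.example` and `pay.example` are assumed for the example.

```python
from urllib.parse import urlparse

# Assumed allow-list of hosts this site may send users to.
ALLOWED_REDIRECT_HOSTS = {"shop.example", "pay.example"}


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Return a redirect target that is safe to use, or `default`."""
    if not next_param:
        return default
    # Backslashes and control characters are treated as separators by some
    # browsers and can turn a "local" path into an external one.
    if "\\" in next_param or any(ord(c) < 32 for c in next_param):
        return default
    parsed = urlparse(next_param)
    if not parsed.scheme and not parsed.netloc:
        # Relative reference. Allow "/path" but not "//host/path", which a
        # browser resolves to another site.
        if next_param.startswith("/") and not next_param.startswith("//"):
            return next_param
        return default
    # Absolute URL: scheme and hostname must both be acceptable. Using
    # parsed.hostname (not a substring check) defeats "shop.example.evil.example"
    # and "shop.example@evil.example".
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_REDIRECT_HOSTS:
        return next_param
    return default


if __name__ == "__main__":
    for candidate in ["/account/orders", "https://pay.example/checkout",
                      "//evil.example/phish", "https://shop.example@evil.example/"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

Where the set of destinations is small (a handful of post-payment pages), an even stronger form is to pass an index or name and look the URL up server-side, so the parameter never contains a URL at all.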
How to Protect E-commerce Applications
The success of any e-commerce business hinges completely on its web application, so it is of paramount importance to keep the application's performance optimal while exercising due diligence in keeping it safe from attack. To a hacker, an e-commerce application is a plate of meatballs and sausages: rich in information and data worth a great deal. The goal, then, is an application that is an iron curtain to hackers yet appeals to users with a seamless experience.
Before taking measures to insulate your e-commerce application, you must have a security policy in place, reviewed and updated regularly. Once there is a security policy, the rest falls into place.
You do not walk away from a web application once it is built. There will be many upgrades and reconfigurations of servers, operating systems, network equipment, modems, firewalls and so on. These changes must be reflected in the security policy, which needs to be kept robust and alive.
As soon as a new vulnerability is discovered or any change is made to your web application, the security policy needs to be reviewed against it and updated. Most companies fail to create an effective security policy and to review it.
Web server configuration
One of the foremost considerations in e-commerce application security is the web server configuration. There are two options for getting your server up and running: hosting it in the cloud or on your own premises. Given the importance of the data stored, it is safer to keep the server on-premises with strong encryption than to go with a hosting provider, which brings one or more external parties into the configuration and maintenance of your server. On the other hand, the cost of building your own data center and the resources to manage it will be higher.
The National Security Agency and the Center for Internet Security offer tools that scan your web server configuration for holes. These tools are kept updated with every vulnerability discovered.
WAF (Web Application Firewall)
As discussed already, a firewall alone cannot make your e-commerce web application secure, but its integral role in the security of your infrastructure cannot be ignored. Many factors decide whether a Web Application Firewall (WAF) is fit for your e-commerce business. The way the WAF handles SSL is especially important, as you will be dealing with a great deal of encryption and decryption of data during transactions.
A WAF should be capable of understanding every request, command and response entering or leaving the server. It can then identify malicious requests and respond so as to prevent any loss, for example by terminating and blocking the session, the user or the IP address from generating further requests.
With a blacklist approach, the WAF identifies and blocks known forms of SQL injection or XSS attack. It is important to keep the blacklist updated with every vulnerability that is discovered, since the WAF can only recognise what is on the list.
A whitelist approach, on the other hand, defines beforehand what sorts of requests are acceptable and allows only those. It requires a lot of work before implementation but is a more effective way to configure a WAF than a blacklist approach, in which the WAF must already know about an attack in order to prevent it.
The choice of approach depends entirely on the business and its resource requirements, but the WAF should be easily configurable in either approach.
Having been in use for over a decade, the WAF is no longer the best security agent for web applications. One of its major drawbacks is that whenever the application code changes, the WAF must be reconfigured; if the settings are not updated, the result can be more denial of service (DoS) or false positives (FPs).
RASP (Run-time Application Self-Protection)
RASP (Run-time Application Self-Protection) is the next generation beyond the WAF. RASP requires no human intervention; it reconfigures itself automatically in real time while responding to attacks. It monitors every request the application receives, the application's response and its context in order to identify suspicious activity, covering every junction where users interact with the application. RASP is considered the most essential application security technology for any e-commerce, banking or health application.
Penetration Testing
A penetration test can be carried out manually or automatically to identify how easy your e-commerce application is for a hacker to break into. During a pen test, entry points are identified and breached as deeply as the tester can go, and the results are reported. The test gives you an idea of how vulnerable your application is and helps you come up with a strategy or remedy to close the gaps.
Two Cardinals of Web Application Security
Sticking to the basics goes a long way toward preventing malicious attacks against your e-commerce or any other web application. Along those lines, the following two are the most basic ideas you should always stick to if you want to minimize the risk of falling victim to attack.
- Do not trust your user
- Reduce the number of data entry and exit points
Validate your user
Not trusting your users may sound harsh, but remember that a hacker visits your application in the guise of a user. For the sake of the millions of genuine users visiting your application, there is no harm in adopting the working assumption: do not trust the users.
Always apply input validation so that only genuine input is allowed to reach and interact with your application. There are many approaches, but the most common, as discussed under WAF, are:
- Blacklist approach
- Whitelist approach
The blacklist approach says that if an input matches a certain pattern, it must not be accepted. This is a complex approach in which you have to list every possible attack and its variants in order to block them; you have to think like a hacker about the possible inputs in order to reject them.
The whitelist approach, on the other hand, does the opposite: it defines what genuine input for each field must look like and rejects everything else. These input validation techniques need to be performed at both the client and the server end, and every piece of incoming information should be validated. Leave no stone unturned.
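The contrast between the two approaches, drawn both here and in the WAF section above, can be made concrete. The following is an added example, not code from the original article: a deliberately short blacklist of attack signatures next to a whitelist that describes what each order-form field must look like. The field names, patterns and sample inputs are constructed; the point is that a value the blacklist has never heard of sails through it, while the whitelist rejects it simply because it is not the shape of a quantity.

```python
import re

# Blacklist: signatures of things we know are bad. Anything not listed passes,
# so the list is only as good as its last update.
BLACKLIST_PATTERNS = [
    re.compile(r"(?i)<\s*script"),          # one shape of script injection
    re.compile(r"(?i)\bunion\s+select\b"),  # one shape of SQL injection
    re.compile(r"(?i)'\s*or\s*'1'\s*=\s*'1"),
]


def blacklist_allows(value: str) -> bool:
    return not any(p.search(value) for p in BLACKLIST_PATTERNS)


# Whitelist: what a genuine value for each field looks like. Anything else,
# including fields we did not expect at all, is rejected.
WHITELIST = {
    "postal_code": re.compile(r"[0-9]{5}"),
    "quantity": re.compile(r"[1-9][0-9]{0,2}"),      # 1..999
    "username": re.compile(r"[a-z0-9_]{3,20}"),
}


def whitelist_allows(field: str, value: str) -> bool:
    pattern = WHITELIST.get(field)
    # fullmatch, not match/search: the whole value must fit, so a trailing
    # newline or an appended payload cannot ride along.
    return pattern is not None and pattern.fullmatch(value) is not None


def validate_order(form: dict) -> dict:
    """Server-side validation of a submitted form; returns {field: reason}."""
    errors = {}
    for field, value in form.items():
        if not isinstance(value, str):
            errors[field] = "not a string"
        elif not whitelist_allows(field, value):
            errors[field] = "rejected"
    return errors


if __name__ == "__main__":
    unlisted = "1 UNION ALL SELECT card_number FROM payments"
    print("blacklist allows unlisted variant:", blacklist_allows(unlisted))        # True
    print("whitelist allows it as a quantity:", whitelist_allows("quantity", unlisted))  # False
    print(validate_order({"quantity": "3", "postal_code": "1234", "color": "red"}))
```

Run on the server regardless of what the client already checked: client-side validation is a convenience for genuine users, and the text's "both ends" requirement exists because the client side is entirely under the visitor's control.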
Reduce Attack Surface
No software is completely secure from attack; the moment it is available on the network it becomes vulnerable. But by being prudent you can always reduce the probability of being attacked.
The points at which your application communicates with the external world should be kept strictly to what is required. Developers should make sure there are no open ports that do not serve a function.
Do not give users any extraneous capability to carry out an irrelevant function in your application. Keep the interface simple and equipped with all the functions necessary to meet users' requirements, without damaging the user experience.
These two security principles, backed up by other strong security measures, will keep you afloat.
Points we have covered:
- Why Web Application security?
- OWASP Top 10 vulnerabilities
- Protecting E-commerce applications
- Security Policy
- Web server configuration
- Web Application Firewall
- Penetration Testing
- Two cardinals for Application Security
- Input Validation
- Attack surface reduction