The Highest Web Application Risks
The three headed web application Threats that can cause major problems for your web application and become a nightmare.
- Cross-Site Scripting (XSS)
- SQL Injection
- Denial of Service (Dos)
For me these are the big three, for other security professionals it could be a mix of others. I choose these three because they occur so often.
Cross-Site Scripting (XSS)
Using the special characters below attackers can compromise your web application and steal its data with cross site scripting.
< >" ' % ; () & + \ # { } | ^ - [ ]
Filter the input andoutput of the characters mentioned above is the common method of safeguarding against cross-site scripting attacks.
Impact of Cross-Site Scripting
Hackers can successfully exploit XSS vulnerabilities in a web application by inserting a script allows them to have full control over that gives end users' account credentials. Then are able to perform many malicious activities, such as:
- Hijack an account
- Spread web worms
- Access browser history and clipboard contents
- Control the browser remotely
- Scan and exploit intranet appliances and applications
SQL Injection
SQL Injection is input of data that can have unintended results while executing a database query. The input of the data will contain other characters that change the intended SQL string data query.
Mitigation:
- Have all SQL statements be built within a stored procedure instead of the application.
- Filter key SQL elements from the data before executing your inquiry.
Denial of Service (DoS)
Denial of Service attacks are caused by an attacker who sends sufficient traffic volume to your web application; typically using free tools available on the internet, which cause the web service to stop responding or become unavailable to answer legitimate web traffic requests. Leaving legitimate users unable to access your web site or application.
Diagnosis:
- Unusually slow network performance (opening files or accessing websites)
- Unavailability of a particular website
- Inability to access any website
- A dramatic increase in the number of spam emails received
Mitigation:
Have a business continuity plan that utilizes alternate web server resources and IP addresses that can be easily configured to allow legitimate web traffic of customers so they can access the site.
Turn on and review log files to determine if the web application is under a DoS attack; sometimes a DoS attack may not be one at all, but something configured incorectly or something polling your website by mistake.
Their are also cloud services available that can absorb a DoS attack for your web site and only pass legitimate traffic to your site.
And for safety's sake; Encrypt The Data!
The only weakness that the mythical three headed dog Cerberus had was that it fell to the mighty strength of Hercules.
Use the mighty strength of encryption to protect your data!
All three of the above threats put your data at risk. Anytime your data is at rest (stored), or in transit make sure it is encrypted.
Enjoy,
Julius