
A Brief Introduction on Web Vulnerabilities

20-Jan-2020

By Bijina Regmi

Image Courtesy: Forbes

Web security is the critical set of measures used to protect websites and web servers; it is also referred to as “cybersecurity”. These measures safeguard both end-users and the business from potential malicious attack vectors. What we need to remember as end-users is that no one is 100% secure and our security depends upon ourselves; as a web developer, a single layer of protection is not enough.

Web security is really important. It helps protect us from becoming victims of cybercrime, identity theft or data loss, and it prevents or discourages cybercriminals and black-hat hackers from accessing sensitive information.

According to an online survey conducted by the Harris Poll, nearly 60 million Americans have been impacted by identity theft.

There are different types of web vulnerabilities. The first is the brute force attack, which relies on trying password after password until one breaks into the website. It requires a lot of computing power, yet it is the simplest method of gaining access to a site or server. Hence, it is essential to have an additional layer of security in order to detect and block any password-guessing attempt.

For example, 8 is normally the standard minimum length for a password, which should include letters, digits and some special characters, because this adds complexity to the password and makes it more secure. Precautionary measures against brute force attacks include two-factor authentication, using a CAPTCHA, limiting login attempts, Cloudflare, etc.

Similarly, another vulnerability is SQL injection, one of the most common web hacking techniques, in which malicious input is placed into SQL statements, for example to destroy databases. The precautionary measures for SQL injection are object-relational mapping and parameterized SQL queries.
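As an added illustration (not part of the original article), the flaw and the recommended parameterized-query fix side by side, using Python's built-in sqlite3 module and a constructed two-row users table:

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from the article.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The flaw the article describes: user input pasted into the SQL text.

    The input becomes part of the statement itself, so quote characters
    in it change the query's logic instead of being treated as data."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The mitigation the article recommends: a parameterized query.

    The statement text is fixed; the driver binds `name` as a value, so
    whatever it contains is only ever compared against the column."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name: str) -> tuple:
    """Run the same input through both versions; return (vulnerable, safe) row counts."""
    conn = make_db()
    try:
        return (len(find_user_vulnerable(conn, name)),
                len(find_user_parameterized(conn, name)))
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal lookup behaves the same either way.
    print("alice     ->", compare("alice"))          # (1, 1)
    # A tautology in the input makes the concatenated query match every row;
    # the parameterized query correctly finds no user with that literal name.
    print("tautology ->", compare("' OR '1'='1"))    # (2, 0)
```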

Next, we have XSS, Cross-Site Scripting: a client-side code injection attack wherein an attacker can execute malicious scripts (also commonly referred to as a malicious payload) in a legitimate website or web application. By leveraging XSS, an attacker does not target a victim directly. Instead, the attacker exploits a vulnerability within a website or web application that the victim visits, essentially using the vulnerable website as a vehicle to deliver a malicious script to the victim’s browser.

Likewise, there is cross-site request forgery (CSRF), also known as Sea Surf or session riding. CSRF can cause different kinds of damage, such as unauthorized fund transfers, changed passwords and data theft, including stolen session cookies. It is executed using fraudulent websites, links and emails. To prevent cross-site request forgery, we can use a CSRF token, and we can avoid browsing other sites while logged into an application. Other precautionary measures are not allowing browsers to remember passwords and logging off web applications when not in use.

Another web vulnerability is remote code execution. It can be exploited when user input is injected into a file or a string that is then executed or evaluated by the programming language’s parser. An attacker who is able to exploit such a flaw is usually able to execute commands with the privileges of the programming language or the web server. In many languages, s/he can issue system commands; write, delete or read files; or connect to databases.

As a rule of thumb, you should avoid using user input inside evaluated code. The best option would be to not use functions such as eval at all.

Interesting Fact: Mathematically, for 8-character passwords the number of possible combinations is 218 trillion, i.e. if a person tried to break one it would take 7,000 years. But if it is done with a supercomputer, it will take just 22 seconds.
