Security Flaws in Web Applications and Their Mitigation

Failing to identify vulnerabilities in a web application leaves it unprotected against potential attackers, with severe consequences. A web application vulnerability is a weakness or flaw in a web-based application that leaves you susceptible to security attacks and risks the loss of valuable company or customer data. The inherent complexity of a web application's source code increases the possibility of malicious code manipulation and of vulnerabilities going unattended. High-value rewards, such as the sensitive private data obtained through successful source code manipulation, have made web applications a high-priority target for attackers. This makes it essential to thoroughly understand web security vulnerabilities and how to prevent them.

Types of Web Application Vulnerabilities


Web application vulnerabilities are caused by misconfigured web servers, application design flaws, or failure to validate or sanitize form inputs. They are prioritized based on their detectability, exploitability and impact on the software. Here is a list of some of the most critical web security risks according to the Open Web Application Security Project (OWASP):

  1. Injection: Injection flaws, including SQL, OS, LDAP and NoSQL injection, occur when untrusted data is sent to an interpreter as part of a query or command. An attacker's hostile data can trick the interpreter into accessing data without authorization or executing unintended commands. This can lead to unauthorized reading of data, unauthorized administrative access and deletion of tables.

  2. Broken Authentication: This occurs when application functions related to authentication and session management are implemented incorrectly. It allows attackers not only to compromise passwords, session tokens or keys easily, but also to assume the identities of other users temporarily or permanently.

  3. Sensitive Data Exposure: Sensitive data is easily compromised if no special precautions are taken when it is exchanged with the browser, or if extra protection such as encryption at rest or in transit is not implemented. Many web applications fail to protect sensitive data properly, which allows attackers to steal or modify it, resulting in credit card fraud, identity theft and a number of other crimes.

  4. XML External Entities (XXE): Attackers can exploit poorly configured XML processors to access confidential data, inject additional data, create remote tunnels and execute applications. This vulnerability can also lead to Server Side Request Forgery (SSRF), denial of service and remote code execution.

  5. Broken Access Control: Access control determines which sections of a website and which application data are accessible to different visitors. If these restrictions are not enforced properly, attackers can take advantage of the flaws to reach unauthorized data or functionality. This can let them access other users' accounts, view sensitive files, change access rights and modify other users' data.

  6. Security Misconfiguration: Counted among the most critical web application security vulnerabilities, it offers attackers an easy way into your website. Attackers can exploit insecure default configurations, open cloud storage, incomplete or ad hoc configurations, verbose error messages containing sensitive information and misconfigured HTTP headers. All operating systems, libraries, frameworks and applications can be susceptible to security misconfiguration.

  7. Cross-Site Scripting (XSS): This vulnerability occurs when untrusted data is included in a web page without proper validation. The malicious script is injected through the web application and executed on the client side, which lets attackers run scripts in a user's browser to hijack user sessions, redirect the user to malicious sites or deface websites.

  8. Insecure Deserialization: Often resulting in remote code execution, deserialization flaws allow cybercriminals to perform a variety of attacks, including injection attacks, privilege escalation attacks and replay attacks.

  9. Use of Components with Known Vulnerabilities: Components such as frameworks and libraries run with the same privileges as the web application. If even a single vulnerable component is exploited, the result can be server takeover and serious data loss. A web application that uses components with known vulnerabilities therefore seriously weakens its defences and leaves itself open to attack.

  10. Insufficient Monitoring and Logging: Insufficient logging and monitoring, along with ineffective or missing integration with incident response, is another major vulnerability. It lets attackers continue attacking systems, tamper with, destroy or extract data, maintain persistence and pivot to more systems. According to security studies, it often takes more than 200 days to detect a breach, and the breach is usually detected by an external party rather than by internal monitoring or processes.
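The injection flaw from item 1 of the list above, as an added example that is not part of the original article: a login lookup written two ways against an in-memory SQLite table of constructed sample rows. The string-concatenated version lets a quote in the input change the meaning of the query, while the parameterised version treats the same input as plain data.

```python
import sqlite3


def make_db():
    """Build a constructed sample table (not from the article).

    Passwords are stored in plaintext only to keep the demonstration short;
    a real application stores a salted password hash instead.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input is pasted into the SQL text, so the interpreter cannot
    tell data from query structure: the injection flaw described in item 1."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username, password):
    """Parameterised query: the driver passes the values separately from the
    statement, so quotes inside the input stay plain data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


if __name__ == "__main__":
    db = make_db()
    # A quote-terminating input turns the WHERE clause into a tautology in the
    # concatenated query and matches nothing in the parameterised one.
    crafted = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "x", crafted))  # ['alice', 'bob']
    print("safe:      ", login_safe(db, "x", crafted))        # []
    print("valid:     ", login_safe(db, "alice", "s3cret"))   # ['alice']
```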


How to Prevent Web Application Vulnerabilities?


Organizations that do not properly secure their web applications are more susceptible to malicious attacks, resulting in information theft, revoked licenses, damaged client relationships and legal proceedings. There are several measures that you can take to secure your web applications:

  1. Web application firewalls (WAFs): WAFs are hardware and software solutions designed to examine and monitor incoming traffic and block attack attempts. They offer the best way of compensating for deficiencies in the application's input sanitization.

  2. Information gathering: Classify third-party hosted content and review the application manually to identify client-side code and entry points.

  3. Authorization: Test your application thoroughly for path traversal, missing authorization, insecure direct object references, and horizontal and vertical access control issues.

  4. Cryptography: Secure all data transmissions, encrypt specific data, check for randomness errors and avoid weak algorithms.

  5. Denial of service: Test for anti-automation, HTTP protocol DoS, account lockout and SQL wildcard DoS to improve your application's resilience against denial of service threats. Use a combination of scalable resources and filtering solutions for protection against high-volume DDoS and DoS attacks.
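An added example (not from the article) of the authorization checks in step 3, combined with the denial logging that item 10 of the vulnerability list calls for: one function enforces the horizontal (record ownership) and vertical (admin-only action) checks, every refusal is logged, and a small detector flags a user whose requests are refused across many different records, the pattern that object-reference probing leaves behind. The record table, roles and threshold are constructed for the demonstration.

```python
import logging
from collections import Counter
from dataclasses import dataclass

log = logging.getLogger("authz")

# Constructed sample data for the demonstration (not from the article).
RECORDS = {101: {"owner": 1, "body": "invoice for user 1"},
           102: {"owner": 2, "body": "invoice for user 2"}}
ADMIN_ONLY = {"delete_record"}   # actions that need the admin role (vertical)


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str   # "user" or "admin"


def authorize(session, action, record_id, denials):
    """Decide whether `session` may perform `action` on `record_id`.

    Horizontal check: a plain user may only touch records they own.
    Vertical check: actions in ADMIN_ONLY require the admin role.
    Every denial is logged and appended to `denials` with who, what and
    which object, so that repeated probing is visible to monitoring.
    """
    rec = RECORDS.get(record_id)
    is_admin = session.role == "admin"
    owner_ok = rec is not None and (is_admin or rec["owner"] == session.user_id)
    role_ok = is_admin or action not in ADMIN_ONLY
    if owner_ok and role_ok:
        return True
    event = {"user": session.user_id, "action": action, "record": record_id}
    log.warning("authz denied %s", event)
    denials.append(event)
    return False


def flag_enumeration(denials, threshold=3):
    """Return user ids denied access to at least `threshold` distinct records."""
    distinct = {(d["user"], d["record"]) for d in denials}
    per_user = Counter(user for user, _ in distinct)
    return sorted(u for u, n in per_user.items() if n >= threshold)


def probe_and_detect(session, record_ids, threshold=3):
    """Run a batch of read requests, then report the users the detector flags."""
    denials = []
    for rid in record_ids:
        authorize(session, "read", rid, denials)
    return flag_enumeration(denials, threshold)
```

Missing records are refused as well, so a user walking through unknown ids accumulates denials just as one reading other users' records does.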

Apart from the above measures, running periodic Vulnerability Assessment and Penetration Testing (VAPT) is essential too. VAPT looks for possible and common vulnerabilities related to the platform, technology, framework, APIs and so on, and runs exploits against the web application to evaluate its weaknesses. It provides the organization with reports on the discovered vulnerabilities, their nature, threat level and impact, and the measures needed to eliminate them.


What's in Store with Android O: Hear Ye, Android Developers!

The Google team has announced the preview release of Android O. Here are some of the changes for developers, with documentation and API differences.

  1. Among the API changes, each page returned by a content provider is represented by a single Cursor object.
  2. Android O allows you to customize the pairing request dialog when pairing with companion devices over Bluetooth, BLE and Wi-Fi.
  3. Each app has a specific disk space quota for caching data. You can query it using getCacheQuotaBytes(File).
  4. OpenJDK Java language features have been introduced in Android.


Fonts as XML Resources

You can now use fonts as resources, a new feature introduced in Android O. There is no longer any need to keep all fonts in assets. You can access these fonts through the newly introduced resource type, font.

Adaptive Icons

Android O introduces adaptive launcher icons, which support visual effects and can be displayed in a variety of shapes across different device models. For example, you can have the launcher icon rendered circular on one device and square on another; the choice is entirely up to you.

Autosizing TextViews

Android O allows you to let the size of the text expand and contract automatically based on the boundaries of the TextView.

You can set up TextView auto-sizing in code or in XML. The two types can be configured as follows:

  1. Granularity: sets the minimum and maximum range of the text size.
  2. Preset sizes: auto-sizes the TextView from a list of predefined sizes.

Generic findViewById

Say goodbye to casting views after findViewById().

Snoozing of Notifications

You can now snooze notifications and view them later. Developers can also retrieve all snoozed notifications using getSnoozedNotifications().

setTooltipText

Sets the text of the tooltip that will be displayed in a small popup window. The tooltip is displayed:

  1. On long click, unless the event is handled otherwise.
  2. On hover, after a brief delay once the pointer has stopped moving.


ProgressDialog is deprecated

ProgressDialog is now deprecated in Android O. Use a progress indicator such as ProgressBar inline inside an activity rather than this modal dialog.

The dialog shows a progress indicator and an optional text message or view; only one of the two can be used at a time. The progress range is 0 to max, and the dialog is cancelable on the back press.

Notification.Builder() is now deprecated

You now have to use Notification.Builder(context, channelId). channelId is a string value and is mandatory for all posted notifications.

It's time to remove BroadcastReceivers from the manifest

Android O sets limits on background execution. You should remove all manifest-registered receivers for implicit broadcast intents. Leaving them in place will not crash your app, but they will have no effect when the app runs on Android O.

Autofill Framework

Autofill saves users time when filling in forms with details such as credit card or personal account information stored on their devices. The Autofill Framework manages the communication between the app and the autofill service.

Developers can start using Android O by setting compileSdkVersion to 'android-O', targetSdkVersion to 'O' and buildToolsVersion to '26.0.0-rc1'.
You must also set the support library dependency as follows:

dependencies {
    compile 'com.android.support:appcompat-v7:26.0.0-alpha1'
}
