Technology has been at the epicenter of shaping our present and the future for everyone. However, no matter how much technology served our advantage, the dark side of technology will remain there, parallel and hand in hand with the good side. Since technology is manmade, there will always be backdoors and loopholes that hackers and perpetrators use to achieve unlawful gains and damage our trust in technology.
There are numerous web security vulnerabilities that we face, whether we’re using certain online services, applications on either laptop or mobile, or even while casually surfing the internet. In this article, we will learn about the different and most common web security vulnerabilities, and those less common, just to be on the safe side, as well as what you can do to help prevent these loopholes and protect yourself on the World Wide Web!
Most Common Web Security Vulnerabilities and How to Prevent Them
1. Access Control Breakage:
Access controls are the tools defining and controlling the method users are able to view and interact with data. When an access control is broken, it means users have the ability to interact with data in a method that they shouldn’t be able to use. An example of an access control is the method a user can access their bank statements online. If the user can edit or alter those bank statements, this means an access control is broken.
This one of the common web security vulnerabilities; broken access control is how hackers are able to gain access to networks, systems and software. Some of the most common objectives behind using this method is to give wider access to the user ID within the system, eventually leading to damaging results to the integrity, transparency and confidentiality of the organization.
- Continuous testing and inspection of the access control.
- Denying any access by default, where everyone can only access the resources when they are made publicly accessible.
- Limiting the usage of CORS, since if the protocol for CORS is misconfigured, it can allow the perpetrator to control the web application’s domain, through which it can access the user’s domain.
- Using role-based access control, where users are given access according to the roles they perform, such as assigning several users to one group of roles.
- Using permission-based access control, where the system checks if the user has the proper permission to access the data they’re requesting.
- Using mandatory access control, to restrict access to sensitive data.
2. Authentication Breakage:
This one of the common web security vulnerabilities targets user data used for authentication, such as the passwords, pins and security codes that aim to confirm the identity of the user. While broken authentication targets the user data, it normally takes place because of the lack of secure methods set by organizations to verify the identities of their users, hence giving the perpetrators unauthorised access to systems, software and networks.
- All requirements for authentication and session management should be in conformity with the OWASP standards for the Application Security Verification.
- Credentials must never be exposed in either logs or URLs.
- Preventing XSS flaws as much as possible, since they could be used in stealing session IDs.
3. CRLF (Carriage Return and Line Feed) Injection:
Each line of code has a beginning and an end, the beginning is known as Carriage Return and is indicated as \r, while the end is known as Line Feed and is indicated as \n. Each application and software uses a different set of both carriage returns and line feeds. This is one of the most common web security vulnerabilities that if the perpetrator is able to conduct a CRLF injection, they can use the code to alter the way through which the web responds to commands by the user, eventually leading to writing and executing different codes or disclose sensitive information that otherwise should be protected.
- All the data supplied by the users must be sanitized and neutralized.
- Make sure to encode output in HTTP headers, to ensure that the output isn’t visible to the users.
- Do not trust user input.
4. The Vulnerability of Cipher Transformation:
Cipher stands for the math of the processes of encryption and decryption of data. While Transformation denotes the commands performed on a certain input aiming to get a particular output. So, Cipher Transformation stands for the commands that turn unreadable encrypted data to readable decrypted data.
The Vulnerability of Cipher Transformation as one of the common web security vulnerabilities means that the algorithm of data encryption is not complex and is easy to break, which negates the purpose behind encrypting the data in the first place. The easy decryption of data gives the perpetrator access to sensitive information.
- Do not use self-designed encryption algorithms.
- Use strong and difficult to crack encryption algorithms, to ensure the safety of the saved data.
5. Other Components that have Known Vulnerabilities
There are several components onto which every web application relies, some of these components have known vulnerabilities, such as the unpatched server you’re running the application on, the server is the factor which has known vulnerabilities. There’s a list called CVE or the list of Common Vulnerabilities and Exposures that lists all the known common web security vulnerabilities.
Perpetrators know of the CVE list so they’re always on the lookout for any component that’s missing security patches or updates, and all they need is to gain access to one component to be able to gain access to the data of the application as well.
- Be attentive to the vulnerabilities on the CVE list and work to fix and, or prevent the occurrence of such vulnerabilities.
6. Managing Credentials:
Credentials are the information a user uses to gain access to a certain application or to use a certain service, these consist of an ID and a password. When the user inputs these credentials into the login page, the server compares them to those saved on the organization’s server, if the credentials are a match, the user is then granted access to their stored information.
However, it’s not uncommon that organizations use either weak encryption algorithms or even have the data stored in plain text; it can be easily read and this creates one of the most common web security vulnerabilities; if the credentials set by the user are not strong ones and hard to guess, the perpetrator can gain access easily to the user’s data and from there access the web application.
- Usage of multi-factor authentication, to ensure the user credentials are not stolen.
- Encrypting all user data that’s stored on the servers, having back-ups of the data as well but stored separately from the original files.
- Users are urged to change default usernames and passwords, and using strong passwords is a must.
7. Indexing of the Directory:
The designated method through which web servers store data is by listing them on a single directory. When a user is trying to find a certain file from the stored data, they will usually search for it using the name of the file. If such an identical file does not exist, the application will instead project a list of all the other files, to give the user the opportunity to choose a different file.
Since files are automatically indexed by web servers, the perpetrator can exploit the directory index and the listing of all indexed files by the application. The way of how one of the most common web security vulnerabilities is created, is the perpetrator can learn more about the system and access further information about the stored files. For example, the files listed can contain user accounts that can help the perpetrator to steal credentials of such users.
- The best way to avoid a directory indexing vulnerability is by disabling this feature from the web server itself, which is the safest way to handle this problem.
8. Directory Climbing:
Also known as Directory Traversal, backtracking attack and dot-dot-slash, this vulnerability depends on the way the application obtains the data from the server. What are known as Access Control Lists or ACL, are responsible for restricting user access to a number of files in the root directory. If you don’t have the information required to access a specific root folder, then you won’t be able to access the data stored in this folder.
This is the same way web applications follow to store information, and what happens in a directory climbing or traversal attack is that the perpetrator found out the structure of URL order used by the application to request files, which creates one of the most common web security vulnerabilities.
- Validation of any user input before processing it in the application, such as using a white list of values and comparing the user input to the list.
- If using a white list of values isn’t possible, then input can be validated through ensuring it only contains the permitted content.
Encapsulation sheds light on the weaknesses or the demerits found in the method through which the coder designed the application. In this sense, encapsulation refers to the collection of data and the set of actions that can be executed upon this data in a single unit, and protects this data through hiding specific information regarding the way the code works. This helps in creating a better user interface, since users aren’t interested in knowing how the application provides them with data, they just want to use it.
If the developer didn’t clarify the lines between stored data and possible actions on the application, this leads to an encapsulation vulnerability. The method the perpetrator uses is through sending an order into the application that will result in an error message. Through this error message they are able to configure how the application words and they can prepare for another types of attacks such as Denial of Service attacks.
- Having a back-up of the data stored on the application or organization servers is a must.
- All code must be checked for encapsulation vulnerabilities.
- All code must be tested for different uses and in different environments.
- All application sessions must be protected from any leakage of data.
10. Handling Errors:
One of the most common error messages received by users is the “404 not found” error, which appears when the user tries to access a certain website. Although errors might indicate problems, they are a great way for companies and organizations to fix application problems or perhaps even developing a better version of the application.
The way the web application responds to requests gives the perpetrators information about how the application works. Since error messages can reveal too much information about the application, the perpetrator will send a request to the network, knowing beforehand it will result in an error message, in order to illegally gain the information coming back.
Perpetrators resort to gathering information from error messages during what’s known as reconnaissance phase, which gives them a wider opportunity to explore possible vulnerabilities in the system, to further exploit.
- It’s important to verify that the pages of the web application are in fact displaying a proper error or warning message.
- Instead of displaying the error message to the user, the web application should be configured in a way that logs errors to a file.
11. Failure in Restricting URL Access:
Applications use access control rights to determine which users can access certain data on their application, where every button that can be clicked will direct to a certain URL. These URL restrictions are the way applications use to give access to privileged data only to privileged users, such as data that requires subscription in order to access it.
The failure in restricting URL access vulnerability means that even though clicking on a certain button in the application might prevent unauthorised access, using the URL name in the web browser will open the web page. This is called “forced browsing” and it happens when an application fails to restrict URL access.
- Implementing strong checking methods on access controls.
- Restricting access to URLs that aren’t supposed to be accessed.
- Implementing authentication and authorisation methods that depend on authenticating and authorising each user separately.
12. Injection Flaws:
Injections flaws are a gateway for many cyberattack methods. The most applications that can have an injection flaw are those that allow their users to shell command, update a certain database or even use operating system calling.
In the computing world, what’s called an “interpreter” is a program that translates commands into the instructions required to perform a certain action inside the application. What the perpetrator does is he uses an injection flaw to alter the commands, which ultimately leads to a different set of actions within the application. While using this vulnerability, the perpetrator can read, edit, delete, update or even create new data.
- All input must be validated, in order to ensure that the data entered is not malformed. Input validation is preferred to take place right when the data is received.
- The web application needs to only run using the privileges necessary for its functioning.
- If there’s a necessity to use an external command, all input data must be thoroughly checked. Hence, the organisation must have the proper mechanisms installed to handle possible errors, blockages or timeouts during the call.
- External interpreters should be avoided, to avoid shell commands as much as possible.
13. Insecurity of Cryptographic Storage:
Encrypting stored data is the best way to keep this data secure from unauthorised access or usage of this data to obtain unlawful gains. What encryption does is taking data that’s in a readable format, such as plain text, and scrambles the data using mathematical algorithms to render the data unreadable. The key to the encryption and decryption of data is called an encryption key, which holds the algorithm used for both encrypting the data and decrypting it. Hence if you don’t have the encryption key you can’t unscramble the data and read it.
If the perpetrator finds the encryption key, then your data is no longer protected. The vulnerability of insecure cryptographic storage denotes problems with one of the following: not all sensitive data was encrypted, the encryption algorithm is easy to crack, using an algorithm that’s been internally designed by the organizations and has not been fully tested or the improper management or storage of the encryption key.
- Organisatons must not create their own cryptographic algorithms.
- Using publicly approved algorithms such as SHA-256 and RSA public-key cryptography.
- Using proper standard strong cryptographic algorithms.
- Offsite back-ups must be encrypted, and the encryption keys are all both managed and backed-up separately from each other.
14. The Insecurity of Deserialisation:
This one of the most common web security vulnerabilities is one of the most dangerous to any web application; where the perpetrator messes the logic of data and is then able to remotely execute the code. To understand deserialisation, we must first under what serialisation is.
Serialisation is the method used to breaking down a certain structure into simpler commands that can be easily followed and stored then puts the commands into a single file that includes all the commands relating to the structure.
A simple example can be the steps required to make a sandwich, serialisation is the process used to break down the process of making the sandwich into easy and direct steps to follow, labelled under one file called “Making a sandwich”, which saves time and storage space.
Deserialisation is the process of putting all the divided steps back together in order to go back to the original structure, so when you open the file labelled “Making a sandwich” you will get all the steps required to make the sandwich.
- Using a white list approach, where only the objects on the list will be deserialised.
- Using a black list approach, where objects from certain classes only will be forbidden.
15. Malicious Code:
Malicious code is any code used with the intention of causing harm, such as the usage of malware, ransomware or viruses and it’s no secret it’s one of the most common web security vulnerabilities. What can also be called malicious code is when code is used to open a backdoor to a certain application and giving them unauthorised access to a remote computer connected through that application.
The lack of secure coding is what opens these backdoors through applications, and while they aren’t intentional, they make the web application more vulnerable to malicious code. More recently, web applications have been copying code from one another, which means that the same vulnerability is copied into another application. This means that one malicious code can be used to open a backdoor into multiple applications at the same time.
- When designing a web application, it’s preferable to use original code, not code that’s copied from another application, to avoid any code loopholes.
- Antiviruses must be installed and software must always be up to date.
- Pop-up ads must be blocked.
- If you think your computer has been compromised, change your passwords, even those that were saved or cached in your browser.
- Always back up your data.
- Disable auto-run or auto-play features, so media or video won’t automatically play and possibly infect your computer.
- Enable a firewall and anti-spyware features.
- Keep an eye on your accounts, if you notice any suspicious transactions or behaviour, immediately change your passwords and notify your organisations, especially banking accounts.
16. Operating System Command Injection:
The way web applications connect to operating systems is through using calls, in order to communicate with the hardware or the OS. Some of these calls are like:
- File Management: the OS gives the application access in order to interact with the files.
- Process Control: the monitoring of the application’s processes and providing means of termination of the process.
- Device Management: includes the managing of hardware such as processing power.
- Information Maintenance: keeping the database up to date through maintaining the information or managing it.
- Inter-process Communication: the coordination of process to reach effective operation.
When an OS command call is compromised, it results in the users supplying unvalidated information. Meaning that the perpetrator can intercept the OS command call, insert a query notation of their own and through it they can gain more information about the application and how to exploit it, hence creating one of the most common web security vulnerabilities.
- The safest way is to avoid calling OS commands from a code level, in most cases there are alternative ways to implement the wanted functions using APIs of safer platforms.
- If calling OS commands must be used with user input, then validation is also a must. Validation can be through a white list denoting permitted values, input is in numbers and is only in alphanumeric characters.
17. Remote Code Execution (RCE):
This type of the most common web security vulnerabilities is related to mistakes in the coding that give the perpetrator the chance to input malicious code no matter where they are. The RCE vulnerability is considered a wider category of web vulnerabilities where the perpetrator inserts his own code into an application that doesn’t verify inputs by users, meaning that the application reads this malicious code as a legitimate one. The perpetrator will look to benefit from the common vulnerabilities to insert their code into a certain application.
- Allow access to information based on roles, so restrict access to team members or have data be read only, and give full access to the administrators.
- Monitor your network for any malicious activity and run detection systems.
- Don’t broadcast any default server information.
18. Remote File Inclusion (RFI):
When using a certain web application, the application might need to pull a certain piece of information from a specified database. Developers here use something called “include” command where they don’t need to code the application in a way to pull every file, they use the “include” command where the application connects to a specified database or directory to use all information needed that’s stored on it.
An RFI vulnerability as one of the most common web security vulnerabilities means that the perpetrator can use the application to upload malicious malware, or any malicious code onto the website, database or server, hence obtaining information illegally.
- Using a filtre to scan input for the possibility of any file inclusions.
- Build a thorough white list of approved actions.
- When you receive a literal file that includes a request, do not use arbitrary data input.
19. Misconfiguration of Application Security:
Security misconfiguration is more common than you think, since it’s so easy to take place. This vulnerability happens when the organization doesn’t change the default security settings provided by the company that provided them with software. Since the majority of such software usually comes with a set ID and password, the organization needs to change these to provide more protection for its system and data, failure to do so, is called a security misconfiguration.
There are other forms of security misconfiguration as one of the most common web security vulnerabilities, such as:
- Using default IDs and passwords, provided by the seller.
- There’s no secure password policy.
- Software that’s unpatched.
- Failure to complete the configuration of files and directories.
- Leaving unused components and features without removing them.
- Not completing the encryption of data.
- Lack of strong firewall policies.
- Incorporating the separation between the components of the application when building it, to ensure better security.
- Defaults IDs and passwords must be changed.
- Using strong passwords.
- Implementing checks on all access controls, instead of using directory listings.
20. Exposure of Sensitive Data:
This is one of the most common web security vulnerabilities there is. While a data breach indicates illegal activity by the perpetrator to obtain sensitive data, exposure of sensitive data indicates that this sensitive data has been left visible to the public, not intentionally but through several actions or lack of actions thereof. Actions that could lead to an exposure of sensitive data vulnerability include:
- Lack of data encryption and storing most of it in plain text.
- The misconfigurations of the cloud storage settings and locations.
- The transmission of data in clear text.
- Using encryption algorithms that aren’t sophisticated enough or out of date.
- Not changing the cryptography keys or using weak ones.
- Not using Secure Sockets Layer or SSL which is responsible for the authentication and encryption of data.
- Ensuring proper encryption of data, especially sensitive data.
- Referring from storing data in plain text.
- Ensuring the encryption of data before transmission.
- Referring from using default encryption keys and using sophisticated one.
- Adding an additional step into the authentication and encryption of data by using an SSL.
21. The Leakage of Session ID:
A session ID is the unique method of identifying and authenticating the user of the application and tracks their activity while using the web application. There are a couple of instances which might result in a leakage of session ID vulnerability, these being:
- The storage of the session ID in a part of the URL known as the query string, this is the part responsible for giving the application commands to retrieve information stored in the database. By storing the session ID in that part of the URL, it allows the recipient of the application, be it the real user or the perpetrator, to access the same session again, without re-authentication.
- The storage of the session ID in what’s called the HTTP cookies, these small files of data are the files responsible for the web server remembering the web browser. HTTP session protocol is not encrypted, and using it to store the session ID gives the perpetrator an easy way to stealing the session ID to assume the personality of the user.
- Applying a method of time-out, after which the session expires and re-authentication is required.
- Reducing dependency on storing the session ID in the HTTP cookies will help in eliminating this one of the most common web security vulnerabilities.
22. Structured Query Language (SQL) Injection:
SQL is one of many programming languages, and it allows the programmers to easily retrieve and, or manipulate data for the relational databases. SQL injection vulnerability is categorised as one of the unvalidated user inputs’ vulnerabilities and one of the most common web security vulnerabilities. The way the perpetrator is able to access the system is through sending a false request that they know will give an error message as a response. Through this error message the perpetrator is able to understand how the database is protected and organised.
- When building the code for displaying error messages in the webserver, the coders must be aware what information such error messages share with the perpetrator, and work on limiting them.
- Using a method of listing the input fields, to restrict the user input.
23. Unlimited File Upload:
Many web applications allow you to upload files with certain methods to authenticate and authorise the uploaded data, such as uploading a CSV file that contains masses of information. The vulnerability of unlimited file upload can refer to the lack of both authentication and, or authorisation while uploading the data file. This means the application’s failure in verifying the user, hence giving the perpetrator the opportunity to upload compromising files.
Another form of this vulnerability is the failure to remove malicious factors from the files before completing the upload; macros can carry malware that hides inside the data files, whether this data is being uploaded by the original user, but it’s infected data, or it is uploaded by the perpetrator, hence paving the way for one of the most common web security vulnerabilities.
There are several other forms of the unlimited file upload vulnerability, including:
- Allowing all file formats for uploading.
- The failure of authenticating and authorising users.
- Failure to scan the proposed data to validate the suitability of the file type.
- Storing files in a directory that’s accessible to the public.
- Giving the webserver the permission of obtaining and fetching files.
- Installing additional tools to scan the user’s data before allowing the upload, if malicious actors were found in the data, the upload is refused until the data is secure.
- Using additional methods of authenticating users and authorising them is a latter step to authentication.
- Encrypting and storing data in a directory that needs specific authorisation to access, hence it can be accessed only by those who have permission.
24. Unvalidated Redirects and Forwards:
Redirects and forwards are a result of the user submitting a form to obtain something from the website. Such as the case where the user needs to fill and submit a form to download a whitepaper from your website, the next page that will appear that the user is directed or forwarded to is a “thank you” page for example. This is called a redirect or forward action.
The way in for the perpetrator is through hacking into the URLs of the redirect or forward page, through which they can steal the user’s information. This vulnerability of unvalidated redirects and forwards, which is one of the most common web security vulnerabilities, is generally a characteristic of many websites that:
- Include way too much destination pages.
- Don’t store the full URL.
- Don’t use identifiers for the redirects and forwards.
- Don’t filter untrusted inputs into URLs.
- If possible, using redirects and forwards should be avoided entirely.
- If using redirects and forwards cannot be avoided, it’s best not to include any user parameters in the calculation of the destination.
- If there’s no other way but to use user parameters, it’s best to limit them to a certain value that is both valid, and authorised for the user only.
25. Cross-Site Request Forgery (CSRF):
An attack using CSRF is one that depends on the methods of social engineering to force the user the change their information, such as the user ID and password in a certain application for example. There are two requirements for a successful CSRF attack, the first being that the user must be logged into the application, and the second being that the application uses what’s known as session cookies to track the sessions or validates the requests of the user.
When the user takes the action, the perpetrator can then access the browser to help them complete the attack, they can even transfer money from the user to their own accounts without the user realising what happened. A common example of a CSRF attack is when a customer uses the “buy now” offer on a retailer’s website. The cookies stored on the browser save the payment data of the customer, which the perpetrator can exploit to finish their attack. It needs no mention that this is one of the most common web security vulnerabilities.
- Specify the actions a user can take while taking sensitive actions that might involve sensitive data.
- Implementing bot-checking mechanisms such as Re-Authentication, CAPTCHA and what’s known as Unique Request Tokens.
26. Cross-Site Scripting (XSS):
While the one of the requirements for an CSRF attack is that the user must be logged in and performs a certain action, an XSS attack is where the perpetrator inserts code in one of the elements of the web page, such as an image for example. As soon as the user opens the web page, the malicious code is downloaded into the browser and starts to mine data. A simple example of this malicious code is where it can direct users from the legitimate website to a malicious one, which is one of the most common web security vulnerabilities.
- The encoding of both input and output actions.
- Using white listing when it comes to input fields.
27. Insecurity of Direct Object References (IDOR):
URLs can be used in revealing the format and, or the pattern that directs the users to the backend locations of storage, such as the format of a record identifier of a certain storage system, like the file system or database.
IDOR vulnerabilities might not pose a great risk on their own, but when they’re coupled with a failed access control vulnerability, they open a door for the perpetrator to execute a enumeration attack, constituting two of the most common web security vulnerabilities.
- The implementation of access control checks.
- Using verification of authorisation for all reference objects.
- Object references must not be revealed in URLs.
28. Insufficient Transport Layer Protection:
Computer applications use a language called Transport Layer Security or TLS, to talk to each other over the internet. Despite this, there are some applications that only use this language during for the authentication process, which leads to leaving data as well as session IDs exposed online, during usage of the application.
The perpetrator can then intercept the data as it’s transmitted to and from the user’s device and the web application and unfortunately this is one of the most common web security vulnerabilities.
- The application should enable secure HTTP.
- Credentials must be transferred only through HTTP.
- While using the application, make sure that your certificate is still valid and hasn’t expired.
It’s imperative that while using the internet, that you obtain a good anti-virus software, that you keep up to date all the time. Run periodic security scans, always use strong passwords and if you have any doubt that your computer has been compromised, it’s better to immediately scan for malware or ransomware. Keep yourself secured online!