Common Web Security Vulnerabilities and Ways to Prevent Them

Technology has been at the epicentre of shaping everyone’s present and future. However, no matter how much technology serves our advantage, the dark side of technology will remain there, parallel and hand in hand with the good side. Since technology is manmade, there will always be backdoors and loopholes that hackers and perpetrators use to achieve unlawful gains and damage our trust in technology.

We face numerous web security vulnerabilities, whether we’re using certain online services or applications on either laptop or mobile or while casually surfing the internet. The OWASP Top 10 is a list of the most common web security vulnerabilities identified by the Open Web Application Security Project (OWASP). These vulnerabilities are often exploited by attackers to compromise web applications and gain unauthorised access to sensitive data.

In this article, we will learn about the different and most common web security vulnerabilities, and those less common, just to be on the safe side, as well as what you can do to help prevent these loopholes and protect yourself on the World Wide Web!

Security Misconfiguration Common Web Security Vulnerabilities

Security misconfiguration is a broad category encompassing a wide range of vulnerabilities that arise from improper configuration of web applications, servers, and network devices. These vulnerabilities can be exploited by attackers to gain unauthorised access, steal sensitive data, or compromise the integrity of a system. Common examples include leaving default credentials unchanged, running outdated software, and misconfiguring firewalls or access control lists.

Indexing of the Directory

The designated method through which web servers store data is by listing them in a single directory. When a user tries to find a certain file from the stored data, they will usually search for it using the file’s name. If such an identical file does not exist, the application will instead project a list of all the other files to allow the user to choose a different file.

Since web servers automatically index files, the perpetrator can exploit the directory index and the application’s listing of all indexed files. One of the most common web security vulnerabilities is created by the perpetrator learning more about the system and accessing further information about the stored files. For example, the files listed can contain user accounts that can help the perpetrator steal the credentials of such users.

Solution:

1. The best way to avoid a directory indexing vulnerability is by disabling this feature from the web server, which is the safest way to handle this problem.

Encapsulation

Encapsulation sheds light on the weaknesses or the demerits found in the method through which the coder designed the application. In this sense, encapsulation refers to the collection of data and the set of actions that can be executed upon this data in a single unit. It protects this data by hiding specific information regarding how the code works. This helps create a better user interface since users aren’t interested in knowing how the application provides them with data; they just want to use it.

If the developer doesn’t clarify the lines between stored data and possible actions on the application, this leads to an encapsulation vulnerability. The perpetrator sends an order into the application that will result in an error message. Through this error message, they can configure how the application works and prepare for other attacks, such as denial-of-service attacks.

Solution:

1. A backup of the data stored on the application or organisation servers is a must.
2. All code must be checked for encapsulation vulnerabilities.
3. All code must be tested for different uses and in different environments.
4. All application sessions must be protected from any data leakage.

Handling Errors

One of the most common error messages users receive is the “404 not found” error, which appears when they try to access a certain website. Although errors might indicate problems, they are a great way for companies and organisations to fix application problems or perhaps even develop a better version of the application.

How the web application responds to requests gives the perpetrators information about how the application works. Since error messages can reveal too much information about the application, the perpetrator will send a request to the network, knowing beforehand it will result in an error message, to illegally gain the information coming back.

Perpetrators resort to gathering information from error messages during what’s known as the reconnaissance phase, which gives them a wider opportunity to explore possible vulnerabilities in the system and further exploit them.

Solution:

1. It’s important to verify that the web application’s pages display the proper error or warning message.
2. Instead of displaying the error message to the user, the web application should be configured in a way that logs errors to a file.

Misconfiguration of Application Security

Security misconfiguration is more common than you think since it’s so easy to take place. This vulnerability happens when the organisation doesn’t change the default security settings provided by the company that provided them with the software. Since most such software usually comes with a set ID and password, the organisation needs to change these to provide more protection for its system and data; failure to do so is called a security misconfiguration.

There are other forms of security misconfiguration as one of the most common web security vulnerabilities, such as:

1. Using default IDs and passwords provided by the seller.
2. There’s no secure password policy.
3. Software that’s unpatched.
4. Failure to complete the configuration of files and directories.
5. Leaving unused components and features without removing them.
6. Not completing the encryption of data.
7. Lack of strong firewall policies.

Solution:

1. Incorporating the separation between the application components when building it ensures better security.
2. Default IDs and passwords must be changed.
3. Using strong passwords.
4. Implement checks on all access controls instead of using directory listings.

Using Components with Known Vulnerabilities Common Web Security Vulnerabilities

Using Components with Known Vulnerabilities refers to the risk associated with employing third-party libraries, frameworks, or software components that contain known security vulnerabilities. These vulnerabilities can be exploited by attackers to compromise the security of the application, even if the application itself is well-coded. Regular updates and security patches are essential to mitigate this risk.

Malicious Code

Malicious code is any code used to cause harm, such as malware, ransomware, or viruses. It’s no secret that it’s one of the most common web security vulnerabilities. What can also be called malicious code is when code is used to open a backdoor to a certain application, giving the attacker unauthorised access to a remote computer connected through that application.

The lack of secure coding opens these backdoors through applications, and while they aren’t intentional, they make the web application more vulnerable to malicious code. More recently, web applications have been copying code from one another, which means that the same vulnerability is copied into another application. This means that one malicious code can be used to open a backdoor into multiple applications at the same time.

Solution:

1. When designing a web application, using original code, not code copied from another application, is preferable to avoid any code loopholes.
2. Antiviruses must be installed, and software must always be up to date.
3. Pop-up ads must be blocked.
4. If you think your computer has been compromised, change your passwords, even those saved or cached in your browser.
5. Always back up your data.
6. Disable auto-run or auto-play features so media or video won’t automatically play and possibly infect your computer.
7. Enable a firewall and anti-spyware features.
8. Keep an eye on your accounts; if you notice any suspicious transactions or behaviour, immediately change your passwords and notify your organisations, especially banking accounts.

Other Components that have Known Vulnerabilities

Every web application relies on several components. Some of these components have known vulnerabilities, such as the unpatched server you’re running the application on. The server is the factor that has known vulnerabilities. There’s a list called CVE, or Common Vulnerabilities and Exposures that lists all the known common web security vulnerabilities.

Perpetrators know of the CVE list so they’re always on the lookout for any component that’s missing security patches or updates, and all they need is to gain access to one component to be able to gain access to the data of the application as well.

Solution:

1. Be attentive to the vulnerabilities on the CVE list and work to fix them or prevent their occurrence.

Sensitive Data Exposure Common Web Security Vulnerabilities

Sensitive Data Exposure occurs when sensitive information, such as personal data, financial details, or credentials, is not adequately protected, making it vulnerable to unauthorised access. This can lead to data breaches, identity theft, and other severe consequences. Proper encryption, secure storage, and access controls are crucial to prevent sensitive data exposure.

Insecurity of Cryptographic Storage

Encrypting stored data is the best way to keep this data secure from unauthorised access or usage of this data to obtain unlawful gains. Encryption takes data in a readable format, such as plain text, and scrambles the data using mathematical algorithms to render the data unreadable. The key to the encryption and decryption of data is called an encryption key, which is the algorithm used to encrypt and decrypt the data. Hence if you don’t have the encryption key you can’t unscramble the data and read it.

Your data is no longer protected if the perpetrator finds the encryption key. The vulnerability of insecure cryptographic storage denotes problems with one of the following: not all sensitive data was encrypted, the encryption algorithm is easy to crack, using an algorithm that’s been internally designed by the organisations and has not been fully tested or the improper management or storage of the encryption key.

Solution:

1. Organisations must not create their cryptographic algorithms.
2. Using publicly approved algorithms such as SHA-256 and RSA public-key cryptography.
3. Using proper standard strong cryptographic algorithms.
4. Offsite backups must be encrypted, and the encryption keys are all both managed and backed up separately from each other.

Exposure of Sensitive Data

This is one of the most common web security vulnerabilities. While a data breach indicates illegal activity by the perpetrator to obtain sensitive data, exposure of sensitive data indicates that this sensitive data has been left visible to the public, not intentionally but through several actions or lack of actions thereof. Actions that could lead to an exposure of sensitive data vulnerability include:

1. Lack of data encryption and storing most of it in plain text.
2. The misconfigurations of the cloud storage settings and locations.
3. The transmission of data in clear text.
4. Using encryption algorithms that aren’t sophisticated enough or out of date.
5. Not changing the cryptography keys or using weak ones.
6. Not using Secure Sockets Layer or SSL which is responsible for the authentication and encryption of data.

Solution:

1. Ensuring proper encryption of data, especially sensitive data.
2. Refraining from storing data in plain text.
3. Ensuring the encryption of data before transmission.
4. Referring from using default encryption keys and using sophisticated ones.
5. Adding an additional step into the authentication and encryption of data by using an SSL.

Managing Credentials

Credentials are the information a user uses to gain access to a certain application or to use a certain service. These consist of an ID and a password. When the user inputs these credentials into the login page, the server compares them to those saved on the organization’s server. If the credentials match, the user is then granted access to their stored information.

However, it’s not uncommon for organisations to use weak encryption algorithms or even store data in plain text; it can be easily read, and this creates one of the most common web security vulnerabilities. If the credentials set by the user are not strong and hard to guess, the perpetrator can easily gain access to the user’s data and, from there, access the web application.

Solution:

1. Use of multi-factor authentication to ensure the user credentials are not stolen.
2. Encrypting all user data that’s stored on the servers, having back-ups of the data as well but stored separately from the original files.
3. Users are urged to change default usernames and passwords, and using strong passwords is a must.

Broken Authentication and Session Management Common Web Security Vulnerabilities

Broken Authentication and Session Management vulnerabilities arise from weaknesses in how applications handle user authentication and manage sessions. This can lead to unauthorised access, password theft, and session hijacking. Implementing strong authentication mechanisms, secure session management practices, and regular vulnerability assessments are essential to mitigate these risks.

The Leakage of Session ID

A session ID is the unique method of identifying and authenticating the user of the application and tracks their activity while using the web application. There are a couple of instances which might result in a leakage of session ID vulnerability, these being:

1. The session ID is stored in a part of the URL known as the query string. This part is responsible for giving the application commands to retrieve information stored in the database. By storing the session ID in that part of the URL, the application recipient, be it the real user or the perpetrator, can access the same session again without re-authentication.
2. The session ID is stored in what’s called HTTP cookies. These small files of data are responsible for the web server remembering the web browser. The HTTP session protocol is not encrypted, and using it to store the session ID gives the perpetrator an easy way to steal it and assume the user’s personality.

Solution:

1. A method of time-out is applied, after which the session expires, and re-authentication is required.
2. Reducing the dependency on storing the session ID in HTTP cookies will help eliminate one of the most common web security vulnerabilities.

Authentication Breakage

One of the common web security vulnerabilities targets user data used for authentication, such as passwords, pins, and security codes that aim to confirm the user’s identity. While broken authentication targets user data, it normally takes place because organisations lack secure methods to verify the identities of their users, hence giving the perpetrators unauthorised access to systems, software, and networks.

Solution

1. All requirements for authentication and session management should conform with the OWASP standards for the Application Security Verification.
2. Credentials must never be exposed in either logs or URLs.
3. Prevent XSS flaws as much as possible since they could be used to steal session IDs.

Injection Common Web Security Vulnerabilities

Injection vulnerabilities occur when an application fails to properly validate and sanitise user input, allowing malicious code to be executed. This can lead to a variety of harmful consequences, including unauthorised access, data manipulation, and system compromise. Input validation and parameterisation are essential techniques to prevent injection attacks.

Structured Query Language (SQL) Injection

SQL is one of many programming languages, and it allows programmers to easily retrieve and/or manipulate data for relational databases. SQL injection vulnerability is categorised as one of the unvalidated user input vulnerabilities and one of the most common web security vulnerabilities. The perpetrator can access the system by sending a false request that they know will give an error message as a response. The perpetrator can understand how the database is protected and organised through this error message.

Solution:

1. When building the code to display error messages on the web server, the coders must know what information such error messages share with the perpetrator and work on limiting them.
2. A method of listing the input fields is used to restrict the user input.

Operating System Command Injection

Web applications connect to operating systems by using calls to communicate with the hardware or the OS. Some of these calls are like:

1. File Management: the OS allows the application to interact with the files.
2. Process Control: monitoring the application’s processes and providing means of termination of the process.
3. Device Management: includes the management of hardware, such as processing power.
4. Information Maintenance: keeping the database current through maintaining or managing the information.
5. Inter-process Communication: the coordination of processes to reach effective operation.

When an OS command call is compromised, users supply unvalidated information. The perpetrator can intercept the OS command call, insert a query notation of their own, and gain more information about the application and how to exploit it, hence creating one of the most common web security vulnerabilities.

Solution:

1. The safest way is to avoid calling OS commands from a code level. In most cases, alternative ways to implement the desired functions using APIs of safer platforms are available.
2. If calling OS commands must be used with user input, then validation is also necessary. Validation can be done through a white list denoting permitted values, with input in numbers and only in alphanumeric characters.

Injection Flaws

Injection flaws are a gateway for many cyberattack methods. Applications that allow their users to execute shell commands, update a certain database, or even use operating system calling are most likely to have injection flaws.

In the computing world, an “interpreter” is a program that translates commands into the instructions required to perform a certain action inside the application. The perpetrator uses an injection flaw to alter the commands, ultimately leading to a different set of actions within the application. While using this vulnerability, the perpetrator can read, edit, delete, update or even create new data. 

Solution:

1. All input must be validated to ensure that the data entered is not malformed. It is preferred that input validation take place right when the data is received.
2. The web application must only run using the privileges necessary for its functioning.
3. If an external command is necessary, all input data must be thoroughly checked. Hence, the organisation must have the proper mechanisms installed to handle possible errors, blockages, or timeouts during the call.
4. External interpreters should be avoided to avoid shell commands as much as possible.

Remote Code Execution (RCE)

This type of common web security vulnerabilities is related to mistakes in the coding that give the perpetrator the chance to input malicious code no matter where they are. The RCE vulnerability is considered a wider category of web vulnerabilities where the perpetrator inserts his code into an application that doesn’t verify user inputs, meaning that the application reads this malicious code as legitimate. The perpetrator will look to benefit from the common vulnerabilities to insert their code into a certain application.

Solution:

1. Allow access to information based on roles, so restrict access to team members or have data be read-only, and give full access to the administrators.
2. Monitor your network for any malicious activity and run detection systems.
3. Don’t broadcast any default server information.

Remote File Inclusion (RFI)

When using a certain web application, the application might need to pull a certain piece of information from a specified database. Developers here use the “include” command, which means they don’t need to code the application to pull every file; they use the “include” command to connect to a specified database or directory to use all information stored on it.

An RFI vulnerability, one of the most common web security vulnerabilities, means that the perpetrator can use the application to upload malicious malware or any malicious code onto the website, database, or server, obtaining information illegally.

Solution:

1. Using a filter to scan input for the possibility of any file inclusions.
2. Build a thorough white list of approved actions.
3. Do not use arbitrary data input when you receive a literal file that includes a request.

Insecure Direct Object References Common Web Security Vulnerabilities

Insecure Direct Object References vulnerabilities occur when an application directly exposes a reference to a resource without proper authorisation checks. This allows attackers to manipulate URLs or parameters to access unauthorised data or perform unauthorised actions. Implementing proper access controls and input validation are crucial to prevent these vulnerabilities.

Unlimited File Upload

Many web applications allow you to upload files using certain methods to authenticate and authorise the uploaded data, such as uploading a CSV file that contains masses of information. The vulnerability of unlimited file upload can refer to the lack of authentication and authorisation while uploading the data file. This means the application failed to verify the user, allowing the perpetrator to upload compromising files.

Another form of this vulnerability is the failure to remove malicious factors from the files before completing the upload; macros can carry malware that hides inside the data files, whether this data is being uploaded by the original user but is infected data or uploaded by the perpetrator, hence paving the way for one of the most common web security vulnerabilities.

There are several other forms of the unlimited file upload vulnerability, including:

1. Allowing all file formats for uploading.
2. The failure of authenticating and authorising users.
3. Failure to scan the proposed data to validate the suitability of the file type.
4. Storing files in a directory that’s accessible to the public.
5. Giving the webserver permission to obtain and fetch files.

Solution:

1. Installing additional tools to scan the user’s data before allowing the upload, if malicious actors were found in the data, the upload is refused until the data is secure.
2. Using additional methods of authenticating users before authorising them.
3. Encrypting and storing data in a directory that needs specific authorisation to access, hence it can be accessed only by those who have permission.

Unvalidated Redirects and Forwards

Redirects and forwards occur when the user submits a form to obtain something from the website. For example, if the user needs to fill out and submit a form to download a whitepaper from your website, the next page that will appear that the user is directed or forwarded to is a “thank you” page. This is called a redirect or forward action.

The way in for the perpetrator is through hacking into the URLs of the redirect or forward page, through which they can steal the user’s information. This vulnerability of unvalidated redirects and forwards, which is one of the most common web security vulnerabilities, is generally a characteristic of many websites that:

1. Include way too many destination pages.
2. Don’t store the full URL.
3. Don’t use identifiers for the redirects and forwards.
4. Don’t filter untrusted inputs into URLs.

Solution:

1. If possible, using redirects and forwards should be avoided entirely.
2. If using redirects and forwards cannot be avoided, it’s best not to include any user parameters in the calculation of the destination.
3. If there’s no other way but to use user parameters, it’s best to limit them to a certain value that is valid and authorised only for the user.

Insecurity of Direct Object References (IDOR)

URLs can be used in revealing the format and, or the pattern that directs the users to the backend locations of storage, such as the format of a record identifier of a certain storage system, like the file system or database.

IDOR vulnerabilities might not pose a great risk on their own. Still, when coupled with a failed access control vulnerability, they allow the perpetrator to execute an enumeration attack, constituting two of the most common web security vulnerabilities.

Solution:

1. The implementation of access control checks.
2. Using verification of authorisation for all reference objects.
3. Object references must not be revealed in URLs.

The Vulnerability of Cipher Transformation

Cipher stands for the math behind data encryption and decryption. Transformation denotes the commands performed on a certain input to get a particular output. So, Cipher Transformation stands for the commands that turn unreadable encrypted data into readable decrypted data.

The Vulnerability of Cipher Transformation, one of the common web security vulnerabilities, means that the algorithm of data encryption is not complex and is easy to break, negating the purpose behind encrypting the data in the first place. The easy decryption of data gives the perpetrator access to sensitive information.

Solution:

1. Do not use self-designed encryption algorithms.
2. Use strong and difficult-to-crack encryption algorithms to ensure the safety of the saved data.

Directory Climbing

Also known as Directory Traversal, backtracking attack, and dot-dot-slash, this vulnerability depends on how the application obtains the data from the server. Access Control Lists, or ACLs, restrict user access to a number of files in the root directory. If you don’t have the information required to access a specific root folder, you won’t be able to access the stored data in this folder.

This is the same way web applications store information. In a directory climbing or traversal attack, the perpetrator finds out the structure of the URL order used by the application to request files, creating one of the most common web security vulnerabilities.

Solution:

1. Validation of any user input before processing it in the application, such as using a white list of values and comparing the user input to the list.
2. If using a white list of values isn’t possible, then input can be validated by ensuring it only contains the permitted content.

Failure in Restricting URL Access

Applications use access control rights to determine which users can access certain data on their application, where every button that can be clicked will direct to a certain URL. These URL restrictions are how applications give access to privileged data only to privileged users, such as data that requires a subscription to access it.

The failure to restrict URL access vulnerability means that even though clicking on a certain button in the application might prevent unauthorised access, using the URL name in the web browser will open the web page. When an application fails to restrict URL access, this is called “forced browsing.”

Solution:

1. Implementing strong checking methods on access controls.
2. Restricting access to URLs that aren’t supposed to be accessed.
3. Implementing authentication and authorisation methods that depend on authenticating and authorising each user separately.

Other Common Web Security Vulnerabilities

The following category of common web security vulnerabilities includes various vulnerabilities. They reflect how the smallest glitch in the code can allow the perpetrator to steal data from the system.

Access Control Breakage

Access controls define and control the method by which users can view and interact with data. When access control is broken, it means users can interact with data in a way that they shouldn’t be able to. An example of access control is how a user can access their bank statements online. If the user can edit or alter those bank statements, an access control is broken.

This is one of the common web security vulnerabilities; broken access control is how hackers can gain access to networks, systems, and software. One of the most common objectives behind using this method is to give wider access to the user ID within the system, eventually damaging the organisation’s integrity, transparency, and confidentiality.

Solution:

1. Continuous testing and inspection of the access control.
2. Denying any access by default, where everyone can only access the resources when they are made publicly accessible.
3. Limiting the usage of CORS, since if the protocol for CORS is misconfigured, it can allow the perpetrator to control the web application’s domain, through which it can access the user’s domain.
4. Using role-based access control, users are given access according to their roles, such as assigning several users to one group of roles.
5. Using permission-based access control, the system checks if the user has the proper permission to access the requested data.
6. Using mandatory access control, to restrict access to sensitive data.

The Insecurity of Deserialisation

This is one of the most common web security vulnerabilities and one of the most dangerous to any web application. The perpetrator manipulates the logic of data and is then able to remotely execute the code. To understand deserialisation, we must first understand serialisation.

Serialisation is the method used to breaking down a certain structure into simpler commands that can be easily followed and stored then puts the commands into a single file that includes all the commands relating to the structure.

A simple example can be the steps required to make a sandwich; serialisation is the process used to break down the process of making the sandwich into easy and direct steps to follow, labelled under one file called “Making a sandwich”, which saves time and storage space.

Deserialisation is the process of reassembling all the divided steps to return to the original structure, so when you open the file labelled “Making a sandwich,” you will see all the steps required to make the sandwich.

Solution:

1. Using a black list approach, where objects from certain classes only will be forbidden.
2. Using a white list approach, where only the objects on the list will be deserialised.

Insufficient Transport Layer Protection

Insufficient Transport Layer Protection is one of the Missing Function Level Access Control common web security vulnerabilities. Computer applications use a language called Transport Layer Security, or TLS, to talk to each other over the Internet. Despite this, some applications only use this language for the authentication process, which leads to leaving data as well as session IDs exposed online during application usage.

The perpetrator can then intercept the data transmitted to and from the user’s device and the web application. Unfortunately, this is one of the most common web security vulnerabilities.

Solution:

1. The application should enable secure HTTP.
2. Credentials must be transferred only through HTTP.
3. While using the application, ensure your certificate is still valid and hasn’t expired.

Cross-Site Scripting (XSS)

Cross-site scripting is one of the OWASP common web security vulnerabilities. While the one of the requirements for an CSRF attack is that the user must be logged in and performs a certain action, an XSS attack is where the perpetrator inserts code in one of the elements of the web page, such as an image for example. As soon as the user opens the web page, the malicious code is downloaded into the browser and starts to mine data. A simple example of this malicious code is where it can direct users from the legitimate website to a malicious one, which is one of the most common web security vulnerabilities.

Solution:

1. The encoding of both input and output actions.
2. Using whitelisting when it comes to input fields.

Cross-Site Request Forgery (CSRF)

An attack using CSRF is one that depends on the methods of social engineering to force the user the change their information, such as the user ID and password in a certain application for example. There are two requirements for a successful CSRF attack, the first being that the user must be logged into the application, and the second being that the application uses what are known as session cookies to track the sessions or validate the user’s requests.

When the user takes the action, the perpetrator can access the browser to help them complete the attack; they can even transfer money from the user to their accounts without the user realising what happened. A common example of a CSRF attack is when a customer uses the “buy now” offer on a retailer’s website. The cookies stored on the browser save the customer’s payment data, which the perpetrator can exploit to finish their attack. It needs no mention that this is one of the most common web security vulnerabilities.

Solution:

1. Specify the actions a user can take while taking sensitive actions involving sensitive data.
2. Implementing bot-checking mechanisms such as Re-Authentication, CAPTCHA and what’s known as Unique Request Tokens.

It’s imperative that while using the internet, you obtain good anti-virus software that you keep up to date all the time. Run periodic security scans, always use strong passwords and if you have any doubt that your computer has been compromised, it’s better to immediately scan for malware or ransomware. Keep yourself secured online!

FAQs