A handy primer on the most common web vulnerabilities
The Open Web Application Security Project Foundation, the not for profit organisation that is focussed on improving software security, has a list of the top Web application vulnerabilities and what to do about them. Here are 10 of the most common.
1. Unvalidated inputs
Definition: Not checking whether text a user types into a field on a website is appropriate for that field.
Problem: Hackers use these fields to type commands that allow them to scan for vulnerabilities and gain access.
What you can do: Validate that each field accepts only those characters that are common for that field (such as numbers for a post code field) and are an appropriate length. Run the inputs against a small library of post codes and addresses to confirm that the information is valid.
2. Broken access control
Definition: Access controls determine what a user can access after logging in to his personal account and blocks access to other accounts.
Problem: About half of all websites have serious access problems because of poor testing during development.
What you can do: Test all possible permutations of what a user may do to try to access information that is not his own.
3. Broken authentication and session management
Definition: After logging into a website with a user name and password, you receive a cookie that works like a hand stamp at a night club, authenticating your identity as you go through the site.
Problem: Sometimes companies will customize authentication, inadvertently allowing hackers to infiltrate sessions and use the ID cookie to access the legitimate user's account.
What you can do: Rely on the built-in authentication schemes in the application; use secured sockets layer (SSL) to encrypt the session.
4. Cross-site scripting
Definition: When a hacker sends commands embedded in queries to a website.
What you can do: Make sure every text field will accept only those characters and length of characters that are suitable for that field--for example, five numbers in a ZIP code field and five numbers only.
5. Buffer overflow
Definition: Allows an attacker to input more information than the buffer can manage.
Problem: Attacker can take control of application server, gaining access to all the data that the server manages.
What you can do: Move away from C++ programming language, which is most vulnerable, to Java or .Net languages. If you must use C++, use static analysis tools to find overflow vulnerabilities.6. Injection flaws
Definition: Web applications that use interpreters, specific so-called stake words that are instructions for a database to return specific information, are susceptible to commands written in the middle of a query, thereby changing the nature of the query.
Problem: Hacker can send a specific command in a user name and password field so that instead of accessing one file or account attached to that user name and password, the database is commanded to send back all accounts.
What you can do: Use parameter queries, in which the command and data are separate. Each command is associated with certain files, so that a hacker has no way to manipulate the command.
7. Improper error management
Definition: Purposefully inputting errors into fields to receive an error message or to open up a secure area.
Problem: Error messages contain information about the information that may lie underneath, such as receiving an "access denied" message, which indicates a file is associated with the data the hacker input.
What you can do: Keep track of errors and log users out after three errors. Do not provide specific information about the infrastructure or directory in error messages.
8. Unsecured storage
Definition: Not protecting stored data using encryption, not properly securing the keys for accessing encrypted data, and not using effective randomness for passwords.
Problem: Once a hacker gains access to a system, non-encrypted data is easily accessed or hacker can find unsecured encryption keys to gain access to encrypted data.
What you can do: Do not store data that is not absolutely necessary for the operation of the business, and minimize use of encryption. If encryption is used, store the master secret to open the encryption in two locations (say, a configuration file and an external sever) and assemble it at runtime.
9. Denial of Service
Definition: Sending thousands of queries to a Web server to overload the system, slowing it down or causing it to crash.
Problem: While not an attack meant to steal personal information, the attack is meant to be purely malicious by slowing down a business's online services and commerce.
What you can do: Require users to log on to your site so that you process queries only from legitimate users. Limit the number of queries within a certain time frame per user. After three log-in failures, lock out the user for a certain amount of time to thwart a DNS attack on the log-in app.
10. Insecure configuration management
Definition: Unpatched security flaws on server, use of default passwords or improperly secured passwords, improper file and directory permissions, and others.
Problem: A hacker scans for these vulnerabilities, and if found, gains access to administrative and other sensitive accounts.
What you can do: Create configuration security guidelines that lay out the specific steps that developers and Web operations staff must check off. Removes the debate between staff on how to set up proper configuration.