Table of Contents
Injection flaws are one of the most dangerous vulnerabilities that can lead the attacker to access sensitive data. Injection flaws may occur when user-provided data needs to be validated correctly, and the developer needs to catch up on the point. Some injection flaws are:
SQL Injection: SQL Injection or SQLi is a common vulnerability that allows an attacker to query the databases. If a web application has an SQL Injection flaw, an attacker may retrieve or delete sensitive data from the database.
Command Injection: Command injection is a vulnerability used to execute system commands in the web server. This severe flaw can lead to a complete compromise of the server.
XML Injection: Attackers inject malicious input into XML documents using this vulnerability. Exploiting the flaw makes extracting sensitive information or launching a DoS attack possible.
LDAP Injection: By injecting malicious input into the LDAP statement, the attacker can retrieve sensitive information, leading to a more advanced attack.
These are a few examples of injection flaws commonly seen in web attacks. To protect your site from injection flaws, proper input validation is required.
Broken authentication and session management
Broken authentication and session management vulnerabilities can compromise user accounts or sessions. Here are some example vulnerabilities you may have missed to check:
Weak Password Policy: Weak password policy is easier to crack for attackers. If a weak password is used, an attacker can guess the password and gain access to the account, steal the user’s information, and impersonate the user for further damage.
Session Fixation: Using session fixation vulnerabilities, the attacker sets the session value of his choice. For example, the attacker sends the link
https://vulnerable.com/?login=attacker_set_session to users of a vulnerable web application. The attacker will also have access to the account If the user login to the application by clicking on the link.
Session Hijacking: The user’s active session may get hijacked differently. User’s session is used to identify the user but if an attacker can control the session, he will also have access to the application with the same permission as the authenticated user. An attacker can utilize a different type of technique, such as XSS, Session fixation, and MITM, to steal the session.
Cross-site Request Forgery: The Attacker takes advantage of CSRF(Cross-site request forgery) to execute legitimate action on behalf of the user without knowledge of any consent. For example, an attacker can send the link
https://bank.com/?action=transfer&amount=$10000&to=attacker_acount_number. If the bank application is vulnerable to CSRF, the money will be transferred to the attacker’s account number.
Insecure Login/Logout: Insecure login and logout processes leave user accounts and sessions vulnerable to attack. For instance, an attacker can sniff credentials in transit and read them if a web app does not use SSL/TLS encryption for login credentials. A similar vulnerability exists for session fixation and session hijacking attacks in applications that do not correctly expire a session after a user signs out.
Broken Access Control
Broken Access Control is another common security weakness that occurs in web applications. Broken access control is a vulnerability allowing attackers to access a restricted web application area. Here are some forms of broken access control vulnerabilities:
Insecure Direct Object Reference: Insecure Direct Object Reference(IDOR) is a vulnerability that allows attackers to access the sensitive object in the server directly.
Privilege Escalation: Attackers can escalate to a different user. For example, the attacker can view the order history of other users.
Failure to Restrict Protected URL: By exploiting this vulnerability, an attacker can access the restricted url without proper authentication or authorization checking. For example,
/secret-admin it is a protected area requiring passwords to view information. But with the URL
/secret-admin=1&role=admin attacker can directly access the dashboard.
Security misconfiguration is another common security flaw in web applications. Security misconfiguration could allow an attacker to access a protected area unauthorizedly. Some example vulnerabilities are:
Default Credentials: This is one of the common misconfigurations in web security. People don’t want to change the default credentials or use the most common password that makes the application vulnerable.
Unprotected Files and Directories: Some sensitive files or directories, such as
/db is not appropriately protected. As a result, an attacker can easily access the sensitive data and escalate the attacker to a higher level.
Missing Security Updates: Almost for all popular software new security flaw has been discovered. Regularly updating web applications is crucial to stay protected from these new vulnerabilities.
Improper Error Handling
Improper error handling has a huge impact on web application security as some errors unintentionally reveal sensitive data or information that is useful for an attacker:
Stack Traces: Stack traces may display valuable information for an attacker to identify potential vulnerabilities.
Information Leakage: Sometimes, unexpected errors may reveal more sensitive data, such as the user’s password or payment information.
Improper Input Validation: It is essential to validate user input. If the user-supplied data is not validated correctly, the web application may display an error that leads to exploitation. In this case, every possible form and input field should be validated carefully.
Race condition vulnerabilities may occur when two or more programs attempt to update the same shared data simultaneously. Unpredictable actions and security threats may result from this. Three situations with racial tension will be examined here. Here are 3 example vulnerabilities:
User Authentication: A race condition problem will occur If a web application allows only one user to log in at a time, but two or more users attempt to log in. This behavior may produce an unexpected result, such as authenticating the wrong user.
File Upload: How about two users uploading a file with the same name, but the web application is not designed to handle this? In this case, a race condition may occur that could lead to loss of data and unauthorized access to protect files.
Payment Processing: In many cases, a race condition can also occur during payment processing. A race condition can occur if a web application is not designed to handle concurrent requests and if two users try to purchase the same item. As an unexpected result, the user may not be charged at all or twice, leading to financial loss.
Logic flaws or Business logic flaws occur when application logic is not implemented correctly. Let’s see two examples of logic flaw vulnerabilities:
Password Reset: If a website allows users to receive a password reset link to their email, but the link never expires. An attacker can intercept the password reset link and change the password.
Multi-factor Authentication: Multi-factor is an extra layer of security. Some Multi-factor authentication systems use a cookie to identify the user. No multi-factor verification is required, If it can identify the user. If the attacker can access the authentication cookie, he will be authenticated as the user.
Website is one of the Internet faced services cybercriminals attack for easy access to the corporate network, to steal customer data, or even to launch a more sophisticated attack against your business. So, to secure the web application, two-step should be taken carefully:
- Secure Coding: The developer should follow secure coding practices to minimize the application’s cyber-attack exposure.
- Security Assessment: It is crucial to find all security vulnerabilities before a cyber threat exploits any weaknesses. You can perform comprehensive vulnerability scanning or simulated penetration testing to identify all possible vulnerabilities.