Web Security Issues and Solutions

The primary face of the internet is the World Wide Web (WWW), which since its invention has been transforming the world around us. Websites deliver all sorts of information, from healthcare advice to sites dedicated to cat photos. We even trust websites with our most personal communications and our financial lives. However, everything is not all rainbows and unicorns on the internet’s World Wide Web. There is a darker side to the internet: people who trade in your personal information and steal your identity for profit and fun. Large criminal hacker organizations exist on the internet today, pillaging the World Wide Web like modern-day pirates. Sadly, though, many websites today do not take the most basic precautions to protect themselves properly from this darker side of the internet.


Web security is often overlooked by developers, because it is normally implemented at the end of a development project, when most program managers are just trying to get the project done on time. Nevertheless, there are some basic security features a developer can implement on their website to protect it from many of the most common attacks. According to the Open Web Application Security Project (OWASP), the top three website vulnerabilities for 2013 are SQL[1] Injection, Broken Authentication and Session Management, and Cross-Site Scripting (XSS). (Lampe, 2013) Let us look at these vulnerabilities: what they are, and what can be implemented to protect your website against them.


The “SQL Injection Attack” has been the number one website vulnerability since 2007, and with the rise of data-driven applications on the WWW, we will probably not see it leave the list for some time. SQL injection is a technique, used to attack data-driven applications, in which the attacker inserts malicious SQL statements into an entry field for execution. The attack must exploit a security vulnerability in an application’s software, for example when user input is incorrectly filtered for string-literal escape characters embedded in SQL statements, or when user input is not strongly typed and is unexpectedly executed. SQL injection is an attack vector for websites, but it can be used to attack any type of database that supports SQL. (Wikipedia, 2013)


However, there are techniques you can use to counter a “SQL Injection Attack”. Google Code University suggests several methods for countering this type of attack. First, implement “whitelisting-based input validation”. Whitelisting only allows data-field input that falls within a well-defined set of safe values. This prevents code that is not on the list of approved commands from being submitted to the SQL server, thereby blocking the attack before it even gets started.


You can also apply “input validation” to your data fields. This means validating all input early, at the entry point into the code; it is also wise to reject overly long input fields, as this can prevent buffer overflow exploits. Furthermore, it is recommended to validate the input at every level, from the point of entry until the point where it interacts with the database. (Neil Daswani, 2013)
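
As an added example (it is not from the original article or from the sources it cites), here is how the two countermeasures above fit together in Python: a whitelist check applied at the entry point, then a parameterized query at the database layer, shown beside the string-concatenation version that is vulnerable. The users table, the two sample accounts and the crafted input containing a quote character are all constructed for this demonstration, and the username policy (letters, digits, underscore, at most 32 characters) is an assumption.

```python
import re
import sqlite3

# Whitelist for a username field: letters, digits and underscore only,
# and never longer than 32 characters (constructed policy for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")
MAX_USERNAME_LEN = 32


def validate_username(value: str) -> bool:
    """Whitelisting-based input validation, applied at the entry point."""
    if len(value) > MAX_USERNAME_LEN:      # reject overly long input early
        return False
    return USERNAME_RE.fullmatch(value) is not None


def build_demo_db() -> sqlite3.Connection:
    """In-memory table with two constructed users (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the input is spliced into the SQL text, so a quote
    character in the input changes the meaning of the statement."""
    query = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: whitelist at the entry point, then bind the value as a
    parameter so the database driver never treats it as SQL."""
    if not validate_username(name):
        raise ValueError("username rejected by input validation")
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def count_users_by_email(conn: sqlite3.Connection, email: str) -> int:
    """For fields where a strict whitelist is impractical, the parameterized
    query alone still keeps the input from being executed as SQL."""
    row = conn.execute("SELECT COUNT(*) FROM users WHERE email = ?", (email,)).fetchone()
    return row[0]


if __name__ == "__main__":
    db = build_demo_db()
    crafted = "' OR '1'='1"               # constructed input containing a quote
    print("unsafe:", lookup_user_unsafe(db, crafted))    # returns every row
    print("safe:  ", count_users_by_email(db, crafted))  # 0: treated as literal text
```

The two layers are deliberately independent: the whitelist rejects the crafted value before any database code runs, and the bound parameter means that even a field that cannot be whitelisted (a free-form e-mail address, say) is handed to the driver as data rather than as part of the statement.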


Broken Authentication and Session Management is the second most common website vulnerability on the OWASP 2013 list. This is where application functions related to authentication and session management are not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume another user’s identity. (OWASP, 2013) As this is a very broad topic, I will only look at a few ways you can mitigate this vulnerability. For further reading on this subject, I recommend the articles at www.owasp.org.


There are many methods you can use to mitigate authentication and session management vulnerabilities on your website. The biggest one is to ensure that all authentication credentials for accessing services external to the application are encrypted and stored in a protected location. Furthermore, be sure to use strong, salted hashing for your password files, such as SHA512[2]+SALT[3]; this ensures that if your password file is compromised, it will be of no use to the attackers. Next, ensure that your website logs users out automatically after periods of inactivity, and allow no more than one session per user, to prevent man-in-the-middle and ride-along attacks. Lastly, ensure that all authentication sessions are conducted over secure connections, using end-to-end protocols such as SSL and SSH. This protects your users’ sensitive data while it is en route to your website. (OWASP, 2013)
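
The following Python is an added example, not code from the article or from OWASP, showing two of the measures just listed: salted SHA-512 password hashing (here run through PBKDF2 so the salted hash is iterated, which slows offline guessing; the iteration count is a constructed value) with constant-time verification, and a small in-memory session store that logs a session out after a period of inactivity and keeps at most one live session per user. The injectable clock, the timeout value and the token length are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Salted SHA-512 via PBKDF2: each password gets its own random salt, and the
# iteration count (constructed value) makes offline guessing slow.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt=None) -> tuple:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


class SessionStore:
    """In-memory sessions: they expire after idle_timeout seconds of inactivity,
    and each user holds at most one live session (a new login evicts the old).
    `clock` is injectable so the timeout can be exercised without sleeping."""

    def __init__(self, idle_timeout: float, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions = {}   # token -> (user, last_seen)
        self._by_user = {}    # user -> token

    def login(self, user: str) -> str:
        previous = self._by_user.pop(user, None)
        if previous is not None:
            self._sessions.pop(previous, None)   # one session per user
        token = secrets.token_urlsafe(32)        # unpredictable session token
        self._sessions[token] = (user, self.clock())
        self._by_user[user] = token
        return token

    def resolve(self, token: str):
        """Return the user for a live token, or None if unknown or idle too long."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        now = self.clock()
        if now - last_seen > self.idle_timeout:
            self.logout(token)                   # automatic logout on inactivity
            return None
        self._sessions[token] = (user, now)      # activity refreshes the timer
        return user

    def logout(self, token: str) -> None:
        entry = self._sessions.pop(token, None)
        if entry is not None:
            self._by_user.pop(entry[0], None)


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")   # constructed password
    print("verify ok:", verify_password("correct horse battery staple", salt, digest))
    store = SessionStore(idle_timeout=15 * 60)
    token = store.login("alice")
    print("session user:", store.resolve(token))
```

Storing the salt next to the digest is expected; its job is to make every stored hash unique, so a precomputed table built for one salt is useless against the rest, as footnote [3] describes. The session store evicts the previous token on a second login, which is what "no more than one session per user" means in practice.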


Number three on the OWASP list is Cross-Site Scripting. XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites. (OWASP, 2013) So how can you protect your site from XSS attacks? Preventing XSS requires separating untrusted data from active browser content. The preferred option is to properly escape all untrusted data based on the HTML context into which the data will be placed.
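
To make "escape based on the HTML context" concrete, here is an added Python example (not from the article or from OWASP) that goes slightly beyond the sentence above by handling four contexts rather than one: element content, a quoted attribute value, a string literal inside a script block, and a URL query parameter. The page fragment, the field names and the sample display name are constructed for the demonstration.

```python
import html
import json
from urllib.parse import quote


def escape_for_html_body(value: str) -> str:
    """Untrusted text placed between tags: turn & < > " ' into entities."""
    return html.escape(value, quote=True)


def escape_for_html_attribute(value: str) -> str:
    """Untrusted text inside a quoted attribute value: same entity escaping;
    the template must always quote the attribute for this to be sufficient."""
    return html.escape(value, quote=True)


def escape_for_javascript(value: str) -> str:
    """Untrusted text inside a <script> block: emit it as a JSON string literal
    and also encode '<' so the data can never contain a closing </script> tag."""
    return json.dumps(value).replace("<", "\\u003c")


def escape_for_url_parameter(value: str) -> str:
    """Untrusted text inside a URL query string: percent-encode everything."""
    return quote(value, safe="")


def render_profile(display_name: str) -> str:
    """Constructed page fragment that places the same untrusted value into four
    different contexts, escaping it appropriately for each one."""
    return (
        "<p>Hello, " + escape_for_html_body(display_name) + "</p>\n"
        + '<input name="display" value="' + escape_for_html_attribute(display_name) + '">\n'
        + "<script>var displayName = " + escape_for_javascript(display_name) + ";</script>\n"
        + '<a href="/search?q=' + escape_for_url_parameter(display_name) + '">find similar</a>'
    )


if __name__ == "__main__":
    # Constructed untrusted input: a display name that tries to break out of each context.
    print(render_profile('</p><script>x</script> & "q"'))
```

The point of the four separate functions is that one escaping routine does not serve every context: entity encoding protects element content and attributes, but a value dropped into a script block needs to be a valid JavaScript literal with `<` encoded, and a value dropped into a URL needs percent-encoding.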


Another mitigation technique is the HttpOnly flag, which allows a web server to set a client-side cookie that is unavailable to client-side scripts. Lastly, your users have to take some precautions of their own to protect their information from XSS attacks. For example, some browsers allow users to create whitelists of trusted websites that require scripts to operate properly. Furthermore, your users can even set their browsers to ask them every time a site asks to run a script. (Wikipedia, 2013)
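
As an added example (not from the article), the HttpOnly flag in Python's standard `http.cookies` module, alongside the Secure flag that ties the cookie to the encrypted connections the previous section recommends, plus a small checker a reviewer can run over a `Set-Cookie` header to confirm both flags are present. The cookie name and the weak default header are constructed for the demonstration.

```python
from http.cookies import SimpleCookie


def build_session_cookie(token: str) -> str:
    """Build a Set-Cookie header value for a session cookie that scripts cannot
    read (HttpOnly) and that the browser only sends over TLS (Secure)."""
    jar = SimpleCookie()
    jar["session"] = token            # cookie name is a constructed choice
    morsel = jar["session"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["path"] = "/"
    return morsel.OutputString()


def cookie_attributes(set_cookie_value: str) -> set:
    """Lower-cased attribute names that follow the name=value pair."""
    parts = set_cookie_value.split(";")[1:]
    return {part.strip().split("=", 1)[0].lower() for part in parts if part.strip()}


def is_hardened_session_cookie(set_cookie_value: str) -> bool:
    """Check a Set-Cookie header for both the HttpOnly and Secure flags."""
    attrs = cookie_attributes(set_cookie_value)
    return "httponly" in attrs and "secure" in attrs


# Constructed examples: a weak header of the kind many frameworks emit by
# default, beside the hardened one produced above.
WEAK_HEADER = "session=abc123; Path=/"
HARDENED_HEADER = build_session_cookie("abc123")


if __name__ == "__main__":
    print("weak:    ", WEAK_HEADER, "->", is_hardened_session_cookie(WEAK_HEADER))
    print("hardened:", HARDENED_HEADER, "->", is_hardened_session_cookie(HARDENED_HEADER))
```

HttpOnly does not stop a script from running, only from reading the cookie through `document.cookie`, so it limits what a successful XSS can steal rather than preventing the injection; the escaping above remains the primary defence.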


I could only touch on a very small portion of the website security issues developers face when building a website in today’s environment. The hackers are not going away, but we are starting to see a stronger focus on web security issues on the internet today. Remember: the extra man-hours spent securing your website today will pay dividends in the future.


Works Cited

Lampe, J. (2013, 05 20). OWASP’s 2013 Web Vulnerabilities List Will Shuffle the Top Ten. Retrieved from INFOSEC Institute: http://resources.infosecinstitute.com/owasps-2013-web-vulnerabilities-list-will-shuffle-the-top-ten/

Neil Daswani, C. K. (2013, 11 30). What Every Web Programmer Needs To Know About Security. Retrieved from Google Code: http://gcu.googlecode.com/files/8.ppt

OWASP. (2013, 11 30). OWASP Application Security Verification Standard Project. Retrieved from Open Web Application Security Project: http://sourceforge.net/projects/owasp/files/ASVS/OWASP%20ASVS%202013%20Beta_v1.0.docx/download

OWASP. (2013, 11 30). Top 10 2013-A2-Broken Authentication and Session Management. Retrieved from Open Web Application Security Project: https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management

OWASP. (2013, 06 23). Top 10 2013-Top 10. Retrieved from Open Web Application Security Project: https://www.owasp.org/index.php/Top_10_2013-Top_10

Wikipedia. (2013, 11 30). Cross-site scripting. Retrieved from Wikipedia: http://en.wikipedia.org/wiki/Cross-site_scripting

Wikipedia. (2013, 11 30). SQL injection. Retrieved from Wikipedia: http://en.wikipedia.org/wiki/SQL_injection


[1] Structured Query Language (SQL) – A special-purpose programming language designed for managing data held in a relational database management system. http://en.wikipedia.org/wiki/SQL

[2] Secure Hash Algorithm (SHA) – a cryptographic hash function designed by the United States National Security Agency and published by the United States NIST as a U.S. Federal Information Processing Standard. http://en.wikipedia.org/wiki/SHA-2

[3] SALT – Random data that is used as an additional input to a one-way function that hashes a password or passphrase. The primary function of salts is to defend against dictionary attacks and pre-computed rainbow table attacks. http://en.wikipedia.org/wiki/Salt_(cryptography)