Top 5 Common Web Vulnerabilities and How to Fix Them
TechUK has listed the top vulnerabilities based on penetration tests conducted in the UK over the last year. The guide entitled Securing Web Applications and Infrastructure notes common issues on web applications that companies and organizations face. You can download their report here.
Based on the data collected, here are the common web vulnerabilities: “Account weaknesses, Secure Sockets Layer (SSL) issues, Cross Site Scripting (XSS), No Brute Force Protection.”
How to Fix Common Web Application Vulnerabilities
With so many cyber security attacks happening, it is important to develop secure applications to avoid potential losses to your business. IT security researcher Andrea Tarquini shares his insights on how best to fix these issues.
Account weaknesses
The most common issue with accounts is weak passwords, so the first and most basic step is to set up a strong password policy. Using tools like KeePass or LastPass, you can generate secure passwords that meet strong criteria while managing them effectively. Secondly, it is recommended to implement multi-factor authentication (such as mobile phone two-factor authentication), as this adds another layer to your account security.
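The two halves of the advice above, a policy check and a generator, as an added Python example that is not part of the original article or the author's own code. The blocklist and the length and character-class thresholds are constructed for the example; a real deployment would load a large breached-password list and tune the thresholds to its own policy.

```python
import re
import secrets
import string
from typing import List

# Constructed blocklist for the example; a real deployment would load a large
# breached/common-password list (assumption: from a file or a lookup service).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12  # assumed policy value


def check_password_policy(password: str, username: str = "") -> List[str]:
    """Return the list of policy rules the password violates (empty means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes (lower, upper, digit, symbol)")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    # Runs like "aaaa" let a trivial string satisfy the length rule.
    if re.search(r"(.)\1{3,}", password):
        problems.append("repeats one character four or more times in a row")
    return problems


def generate_password(length: int = 20) -> str:
    """Generate a random password the way a password manager does, from the
    OS CSPRNG, and only return it once it satisfies the policy above."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password_policy(candidate):
            return candidate


if __name__ == "__main__":
    print(check_password_policy("password1"))
    print(check_password_policy(generate_password()))
```

The check returns every violated rule rather than a single boolean so that the signup form can tell the user what to change; the generator uses `secrets`, not `random`, because password material must come from a cryptographically secure source.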
Secure Sockets Layer (SSL) issues
Be sure to have an up-to-date SSL implementation and to configure it to use the strongest cryptographically secure protocols. Don't forget to check the certificate expiration date, and be careful when self-signed certificates are involved.
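An added Python example (not from the original article) of the three checks in this paragraph: a client TLS context that refuses the legacy protocol versions, an expiry check, and a self-signed detector. It uses the standard `ssl` module and the certificate dictionary format that `SSLSocket.getpeercert()` returns; the sample certificate is constructed here so the code runs offline, and the 30-day warning threshold is an assumption.

```python
import ssl
import time
from typing import Dict, List, Optional


def hardened_client_context() -> ssl.SSLContext:
    """Build a client-side TLS context that refuses SSLv3/TLS 1.0/TLS 1.1 and
    verifies the peer certificate (chain and hostname) against the trust store."""
    ctx = ssl.create_default_context()             # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # nothing older is negotiated
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def certificate_findings(cert: Dict, now: Optional[float] = None,
                         warn_days: int = 30) -> List[str]:
    """Report expiry and self-signing issues for a getpeercert()-style dict."""
    now = time.time() if now is None else now
    findings = []
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (not_after - now) / 86400
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left < warn_days:
        findings.append(f"certificate expires in {int(days_left)} days")
    # getpeercert() gives subject/issuer as a tuple of RDNs, each a tuple of
    # (name, value) pairs; flatten both for comparison.
    subject = dict(rdn[0] for rdn in cert["subject"])
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    if subject == issuer:
        findings.append("certificate is self-signed (issuer equals subject)")
    return findings


# Constructed sample certificate, not a real one.
SAMPLE_CERT = {
    "subject": ((("commonName", "app.example.test"),),),
    "issuer": ((("commonName", "app.example.test"),),),
    "notBefore": "Jun  1 12:00:00 2020 GMT",
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum protocol:", ctx.minimum_version)
    print(certificate_findings(SAMPLE_CERT))
```

In production the dictionary would come from `sock.getpeercert()` on a socket wrapped with `hardened_client_context()`; a self-signed certificate should only be accepted when it has been pinned deliberately, never by disabling verification.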
Cross Site Scripting (XSS)
Attackers may inject executable code into your web pages. To fix cross-site scripting issues, the rule is: do not trust external input (especially user input). Always check the data displayed by the web page and sanitize it (using filters and escaping techniques).
UPDATE 7/19/2015: Aside from XSS, another type of injection I want to mention is SQL injection. The fix is the same: do not trust any kind of input (especially user input). Always check the data displayed by the web page or used in SQL queries (even if it comes from internal sources) and sanitize it (using filters and escaping techniques).
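One added Python example (not the article's own code) covering both the XSS paragraph and this SQL injection update: the same untrusted value is passed through a string-concatenated query and a parameterized one, and then escaped at the point it is written into HTML. The in-memory SQLite table and its rows are constructed for the example.

```python
import html
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the application's store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, bio TEXT)")
    conn.executemany("INSERT INTO users (username, bio) VALUES (?, ?)", [
        ("alice", "Likes <b>bold</b> text"),
        ("bob", "<script>alert('xss')</script>"),
    ])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Vulnerable: the input is pasted into the statement and becomes SQL grammar."""
    query = "SELECT username, bio FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Fixed: a bound parameter is sent as data, so it can only ever match a value."""
    return conn.execute(
        "SELECT username, bio FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_profile(username: str, bio: str) -> str:
    """Escape every untrusted value where it is written into HTML, whether it
    came from the request or from the database (stored XSS)."""
    return f"<p><b>{html.escape(username)}</b>: {html.escape(bio)}</p>"


if __name__ == "__main__":
    db = build_db()
    hostile = "x' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, hostile))   # returns every row
    print("safe:  ", find_user_safe(db, hostile))     # returns nothing
    for name, bio in find_user_safe(db, "bob"):
        print(render_profile(name, bio))
```

Escaping is output-specific: `html.escape` is correct for text inside an element body or a quoted attribute, but a value placed into a URL, a `<script>` block or a CSS context needs the encoder for that context, which is why the text says to sanitize "the data displayed" rather than the input once on the way in.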
No Brute Force Protection
Brute force is done by automatically trying many password combinations to gain access to an account. To prevent this, make sure your application has human-factor verification set up. It is possible to implement CAPTCHA checks or authentication methods that block robot operations such as automated password guessing or resource exhaustion.
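An added Python example (not from the article) of the server-side logic that decides when the human-factor check kicks in: failed logins are counted per account and per source address over a sliding window, a CAPTCHA is demanded after a few failures, and a temporary lockout follows more. The thresholds, the window and the injectable clock are assumptions chosen for the example.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Dict, Deque


class LoginThrottle:
    """Count failed logins per key (account, source IP) and decide whether the
    next attempt is allowed, must solve a CAPTCHA, or is locked out."""

    def __init__(self, captcha_after: int = 3, lock_after: int = 10,
                 window: int = 300, lockout: int = 900,
                 clock: Callable[[], float] = time.time):
        self.captcha_after = captcha_after  # failures before a CAPTCHA is required
        self.lock_after = lock_after        # failures before a temporary lockout
        self.window = window                # seconds over which failures are counted
        self.lockout = lockout              # seconds a key stays locked
        self.clock = clock                  # injectable so tests need no real sleeps
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.locked_until: Dict[str, float] = {}

    def _prune(self, key: str, now: float) -> None:
        q = self.failures[key]
        while q and q[0] < now - self.window:
            q.popleft()

    def record_failure(self, *keys: str) -> None:
        now = self.clock()
        for key in keys:
            self.failures[key].append(now)
            self._prune(key, now)
            if len(self.failures[key]) >= self.lock_after:
                self.locked_until[key] = now + self.lockout
                self.failures[key].clear()

    def record_success(self, *keys: str) -> None:
        for key in keys:
            self.failures.pop(key, None)

    def decision(self, *keys: str) -> str:
        """Most restrictive verdict across all keys: 'allow', 'captcha' or 'locked'."""
        now = self.clock()
        verdict = "allow"
        for key in keys:
            if self.locked_until.get(key, 0) > now:
                return "locked"
            self._prune(key, now)
            if len(self.failures[key]) >= self.captcha_after:
                verdict = "captcha"
        return verdict


if __name__ == "__main__":
    throttle = LoginThrottle()
    user, src = "user:alice", "ip:203.0.113.5"   # constructed sample keys
    for _ in range(4):
        throttle.record_failure(user, src)
    print(throttle.decision(user, src))           # captcha
```

Keying on the source address alone is not enough, since a distributed guesser rotates addresses; keying on the account alone lets an attacker lock legitimate users out on purpose, so a CAPTCHA step before the hard lockout, as the text suggests, keeps the account usable by its owner while still stopping automation.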
There are other web application vulnerabilities that affect all types of businesses. Being aware of the problems and fixes helps in keeping security as a priority.
Open Web Application Security Project
Which resources do you recommend for IT Security enthusiasts to get more information on the latest web application developments?
OWASP.org – it’s like Wikipedia for web apps. You will find the latest updates on web vulnerabilities, news and information, etc., all gathered by individuals and organizations to improve the security of software. It contains useful sources and it’s designed under a free and open license.
Web Application Penetration Testing (WAPT) FREE Trial
If you want to learn how to find bugs in web applications, then start for FREE with our Web Application Penetration Testing course and understand the techniques in web app pentesting. Start here.
Andrea Tarquini is an IT Security researcher and software analyst/developer at eLearnSecurity. He is the main developer of JustCryptIt and IzzieCloud. He is also the author of ‘Ruby for Penetration testing and Metasploit’ section of Penetration Testing Course Professional.