Web application security is mostly a matter of code-level and configuration-based vulnerabilities rather than server and host hardening. Servers and hosts may well be the most exposed components, but security professionals must also understand the real impact of poorly written web applications. The Internet stores a great deal of sensitive information and files that require strong protection, and security professionals have to stay alert to keep attackers out and preserve the confidentiality of proprietary documents.
Here we have picked ten common security vulnerabilities and describe how security-minded programmers make sure they prevent their exploitation.
If a web request reaches the server without proper validation, and its input is not sanitised before it is used, it creates an environment for attacks. People usually rely on firewalls for security, but a firewall only limits which traffic reaches the web application; it does not examine what that traffic contains.
From a programming point of view, whenever information reaches a web application it must be filtered and either rejected or approved before anything else happens. An IDS (Intrusion Detection System) can inspect traffic for predefined attack patterns, and SSL/TLS protects data in transit, but neither validates input on the application's behalf. The web application should be designed to handle a specific set of expected data types, not to accept any or all submitted data. Data validation and data cleansing are two basic secure-programming techniques that must be applied every time.
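The allow-list approach described above, as an added example in Python that is not part of the original article: a request is checked against a schema of the fields the application actually expects, and anything else (an unexpected field, a wrong type, an out-of-range value) is rejected before the data is used. The registration schema, its field names and limits are assumptions made for the example.

```python
import re
from typing import Any, Dict, List

# Constructed schema for a hypothetical registration form: every field the
# application expects, with its type and bounds. Fields not listed are rejected,
# which also blocks mass-assignment of attributes such as "is_admin".
REGISTRATION_SCHEMA = {
    "username": {"type": "str", "pattern": r"[a-z0-9_]{3,32}", "required": True},
    "email":    {"type": "str", "pattern": r"[^@\s]+@[^@\s]+\.[^@\s]+", "required": True},
    "age":      {"type": "int", "min": 13, "max": 120, "required": False},
    "plan":     {"type": "enum", "values": {"free", "pro"}, "required": True},
}


class ValidationError(ValueError):
    """Raised with a list of every problem found, so the caller can reject the request."""


def validate(form: Dict[str, Any], schema: Dict[str, dict] = REGISTRATION_SCHEMA) -> Dict[str, Any]:
    """Return a cleaned copy of `form` (typed values, whitespace stripped) or raise ValidationError."""
    errors: List[str] = []
    clean: Dict[str, Any] = {}

    # 1. Reject any field the application never asked for.
    for name in form:
        if name not in schema:
            errors.append(f"unexpected field: {name}")

    # 2. Check every expected field against its rule; collect all failures, not just the first.
    for name, rule in schema.items():
        if name not in form:
            if rule["required"]:
                errors.append(f"missing field: {name}")
            continue
        raw = form[name]
        if not isinstance(raw, str):            # form data arrives as strings; anything else is suspect
            errors.append(f"{name}: expected a string value")
            continue
        value = raw.strip()
        kind = rule["type"]
        if kind == "str":
            if not re.fullmatch(rule["pattern"], value):   # fullmatch: the whole value must conform
                errors.append(f"{name}: does not match expected format")
                continue
            clean[name] = value
        elif kind == "int":
            if not re.fullmatch(r"-?\d{1,9}", value):
                errors.append(f"{name}: expected an integer")
                continue
            number = int(value)
            if not rule["min"] <= number <= rule["max"]:
                errors.append(f"{name}: out of range {rule['min']}..{rule['max']}")
                continue
            clean[name] = number                 # converted to the type the application expects
        elif kind == "enum":
            if value not in rule["values"]:
                errors.append(f"{name}: not one of the permitted values")
                continue
            clean[name] = value

    if errors:
        raise ValidationError("; ".join(errors))
    return clean


if __name__ == "__main__":
    print(validate({"username": "alice_01", "email": "a@example.com", "age": "34", "plan": "pro"}))
    try:
        validate({"username": "<script>", "plan": "admin", "is_admin": "1"})
    except ValidationError as err:
        print("rejected:", err)
```

Note that the function returns typed, cleaned values and the application should use only those, never the raw form dictionary; the pattern for each field is an allow-list of what is acceptable, not a blacklist of known-bad characters.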
Some websites and databases have member-restricted and administrator-restricted areas, and attackers go after the accounts and functions where access control is missing or weak.
Access credentials and authentication schemes must always be protected. Session hijacking is a common attack and is associated with cookies and other stored state. The secure technique is to keep sensitive authentication data in the server-side session only, never in the cookie; the cookie carries nothing but the session ID that links the browser to the correct server-side session, and that ID must be long, random and unguessable. A further layer of programming required for authentication schemes to operate securely is the enforcement of unique user names. When new modules for user access are added, a complete security review should confirm that the new functionality does not introduce a threat.
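The cookie-carries-only-an-ID design from the paragraph above, as an added Python example that is not code from the original article. The session data lives in a server-side store, the ID is generated from the OS random source, the cookie is marked HttpOnly, Secure and SameSite so scripts and cross-site requests cannot read or replay it, idle sessions expire, and the ID is rotated after login so an attacker who planted an ID beforehand (session fixation) does not inherit the authenticated session. The in-memory store, the cookie name `sid` and the 30-minute idle timeout are assumptions made for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional

SESSION_TTL = 30 * 60  # seconds of inactivity before a session is discarded (assumed policy)


class SessionStore:
    """In-memory server-side session store; stands in for Redis or a database in a real deployment."""

    def __init__(self, clock=time.time):
        self._sessions: Dict[str, dict] = {}
        self._clock = clock          # injectable so expiry can be tested without waiting

    def create(self, user_id: str) -> str:
        # 256 random bits from the OS CSPRNG. The ID is opaque: it encodes nothing about the user.
        session_id = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[session_id] = {"user_id": user_id, "roles": set(),
                                      "created": now, "last_seen": now}
        return session_id

    def touch(self, session_id: str) -> Optional[dict]:
        """Return the session for an ID, refreshing its idle timer, or None if unknown/expired."""
        data = self._sessions.get(session_id)
        if data is None:
            return None
        now = self._clock()
        if now - data["last_seen"] > SESSION_TTL:
            del self._sessions[session_id]     # idle too long: discard rather than revive
            return None
        data["last_seen"] = now
        return data

    def rotate(self, old_id: str) -> Optional[str]:
        """Issue a fresh ID for the same session; call after login or any privilege change."""
        data = self._sessions.pop(old_id, None)
        if data is None:
            return None
        new_id = secrets.token_urlsafe(32)
        self._sessions[new_id] = data
        return new_id

    def destroy(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)   # logout: the server forgets the ID, so the cookie is useless


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie value. Only the opaque ID goes to the browser, with protective flags."""
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["httponly"] = True   # page scripts cannot read it (limits theft via XSS)
    cookie["sid"]["secure"] = True     # sent over HTTPS only
    cookie["sid"]["samesite"] = "Lax"  # not attached to most cross-site requests
    cookie["sid"]["path"] = "/"
    return cookie.output(header="").strip()


def session_id_from_request(cookie_header: str) -> Optional[str]:
    """Pull the session ID out of an incoming Cookie header, if one is present."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("sid")
    return morsel.value if morsel else None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(session_cookie_header(sid))
    print(store.touch(session_id_from_request(f"sid={sid}")))
```

Everything the application needs to know about the user (identity, roles, login time) is looked up by ID on the server; nothing in the cookie can be edited by the client to change who they are.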
Another attack is Cross-Site Scripting (XSS), in which attacker-supplied script is injected into pages the site serves to other users. The script runs in the victim's browser with the site's privileges, so it can steal session cookies and credentials, rewrite the page to present a phishing form, or act on the victim's behalf. A security programmer should invest diligently in XSS prevention. Configurations such as Magic Quotes and Strip Tags may reduce the success rate of some injections, but they are blacklist measures that attackers bypass; the reliable defence is to encode output for the context in which it is placed (HTML body, attribute, JavaScript, URL). Data validation and data cleansing must be included at every level of security programming.
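The difference between tag stripping and output encoding, as an added Python example that is not from the original article. The three renderers below build the same HTML fragment from an untrusted author name: the first inserts it raw, the second runs a Strip-Tags-style filter that deletes `<script>` tags, and the third entity-encodes it. The two constructed payloads show that the filter is bypassed by a tag it does not look for and by a nested tag that reassembles after removal, while encoding leaves the browser with text rather than markup. The filter and renderers are assumptions made for the example, not any library's code.

```python
import html
import re


def strip_script_tags(text: str) -> str:
    """Blacklist filter of the Strip-Tags kind: delete <script> open/close tags.
    Shown only to demonstrate why removal-based filtering is unreliable."""
    return re.sub(r"(?i)</?script[^>]*>", "", text)


def render_comment_unsafe(author: str) -> str:
    # Vulnerable: untrusted data is concatenated straight into HTML.
    return "<p>Posted by " + author + "</p>"


def render_comment_filtered(author: str) -> str:
    # Still vulnerable: a blacklist only stops the payloads it happens to recognise.
    return "<p>Posted by " + strip_script_tags(author) + "</p>"


def render_comment_safe(author: str) -> str:
    # Safe for an HTML-body context: every character with HTML meaning (& < > " ')
    # becomes an entity, so the browser renders the data as text, never as markup.
    return "<p>Posted by " + html.escape(author, quote=True) + "</p>"


# Constructed payloads for the demonstration.
PAYLOAD_NO_SCRIPT_TAG = "<img src=x onerror=alert(1)>"       # no <script> for the filter to find
PAYLOAD_NESTED = "<scr<script>ipt>alert(1)</script>"           # removing the inner tag rebuilds <script>


def tag_survives(rendered: str, tag: str) -> bool:
    """True if a live tag of the given name is still present in the rendered output."""
    return re.search(r"(?i)<" + tag + r"\b", rendered) is not None


if __name__ == "__main__":
    for payload in (PAYLOAD_NO_SCRIPT_TAG, PAYLOAD_NESTED):
        print("filtered:", render_comment_filtered(payload))
        print("encoded: ", render_comment_safe(payload))
```

`html.escape` is the right encoder only for data placed in HTML text or a quoted attribute value; data placed inside a script block, a URL or a CSS value needs the encoding rules of that context, which is why template engines that auto-escape per context are preferred over hand-built string concatenation.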
A buffer overflow is sometimes used to take control of a process, and the most vulnerable components include CGI programs, DLLs, various drivers and some web application server components. Here the security programmer has little direct control: scripts written in ASP, PHP, CFM and similar languages do not manage memory themselves, so the overflows live in the interpreters, extensions and native libraries beneath them, and the remedy available to the programmer is to apply updates and upgrades promptly. Keeping every software package on the server up to date is the most important defence against this class of attack.
Code injection and SQL injection are the most common attacks and once again call for data validation and data cleansing. Magic Quotes can mitigate some SQL or code injection attacks by escaping quote characters, but it is an unreliable blanket measure (it has been removed from PHP since version 5.4) and does nothing for values placed in an unquoted numeric position; parameterised queries, which keep data separate from the SQL text, are the proper defence.
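SQL injection against a lookup query, with the string-building, quote-escaping and parameterised versions side by side, as an added Python example that is not from the original article. It uses an in-memory SQLite database with a constructed `users` table; the `addslashes` function imitates what PHP's magic_quotes_gpc did and is included only to show why escaping quotes is not enough. Table and column names are assumptions made for the example.

```python
import sqlite3
from typing import List, Tuple

Row = Tuple[int, str, int]


def setup_db() -> sqlite3.Connection:
    """Constructed sample database: a users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password_hash TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
                     [("alice", "hash-of-alice-pw", 1), ("bob", "hash-of-bob-pw", 0)])
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> List[Row]:
    # Vulnerable: the value is spliced into the SQL text, so a quote inside it ends the
    # string literal and whatever follows is parsed as SQL.
    sql = "SELECT id, username, is_admin FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Row]:
    # Fixed: the value travels as a bound parameter and is never parsed as SQL.
    sql = "SELECT id, username, is_admin FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def addslashes(value: str) -> str:
    """Imitation of PHP's magic_quotes_gpc / addslashes(): backslash-escape quotes and backslashes."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def find_user_by_id_escaped(conn: sqlite3.Connection, user_id: str) -> List[Row]:
    # Still vulnerable: there are no quotes around a numeric value, so escaping quotes
    # changes nothing and "2 OR 1=1" is executed as written.
    sql = "SELECT id, username, is_admin FROM users WHERE id = %s" % addslashes(user_id)
    return conn.execute(sql).fetchall()


def find_user_by_id_safe(conn: sqlite3.Connection, user_id: str) -> List[Row]:
    # Fixed: validate the type first (rejects anything that is not an integer),
    # then bind the converted value as a parameter.
    number = int(user_id.strip())          # raises ValueError for "2 OR 1=1"
    sql = "SELECT id, username, is_admin FROM users WHERE id = ?"
    return conn.execute(sql, (number,)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    tautology = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, tautology))
    print("safe:  ", find_user_safe(db, tautology))
    print("escaped numeric:", find_user_by_id_escaped(db, "2 OR 1=1"))
```

The UNION payload exercised in the test returns the password hashes through the `username` column of the result, which is how an injection in a harmless-looking lookup becomes a dump of the credential table.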
Poor error handling leads to serious vulnerabilities, because an attacker can provoke many kinds of errors to collect a wide range of information about the server, such as file paths, software versions and database structure. All errors must therefore be handled with care: log the full detail on the server and show the user only a generic message. The server must never run in debug mode once it has been launched into production.
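The log-the-detail, show-a-reference pattern described above, as an added Python example that is not from the original article. A request handler is wrapped so that any failure is recorded server-side with its stack trace under an opaque reference ID, and the client receives only that ID; the `debug` switch shows what a development setting leaks if it is left on in production. The wrapper, its signature and the constructed failing handler are assumptions made for the example.

```python
import logging
import traceback
import uuid
from typing import Callable, Tuple

logger = logging.getLogger("app")


def handle_request(handler: Callable[[], str], debug: bool = False,
                   log: Callable = logger.error) -> Tuple[int, str]:
    """Run `handler`; on failure, log the details server-side and return a generic response.

    Returns an (HTTP status, body) pair. `debug` must be False in production: with it on,
    the stack trace (paths, query text, library versions) is sent to the client.
    """
    try:
        return 200, handler()
    except Exception:
        ref = uuid.uuid4().hex                     # opaque ID the user can quote to support staff
        detail = traceback.format_exc()            # full trace, including the exception message
        log("request failed ref=%s: %s", ref, detail)
        if debug:
            # Development only: everything an attacker wants to know about the backend.
            return 500, f"Internal error {ref}\n{detail}"
        # Production: nothing about the cause, just the reference to find it in the logs.
        return 500, f"Something went wrong. Reference: {ref}"


def failing_handler() -> str:
    """Constructed handler whose error message contains backend details worth hiding."""
    raise RuntimeError("connection to db-prod-01:5432 failed for user app_rw")


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(handle_request(lambda: "hello"))
    print(handle_request(failing_handler))
    print(handle_request(failing_handler, debug=True))
```

The reference ID is the link between what the user saw and what the log holds, so support staff get the detail without it ever travelling to the browser.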
Poorly programmed websites give easy access to all kinds of sensitive documents and information, so data and files must be secured properly, using appropriate encryption for data at rest and in transit together with access controls on who may read them.
A denial-of-service (DoS) attack or distributed denial-of-service (DDoS) attack makes a computer resource unavailable to its intended users. DoS attackers target sites or services hosted on high-profile web servers. Defending against these attacks requires firewalls, switches and routers that can absorb the traffic and detect an attack in progress, together with limits on how much work a single client can demand of the application.
Poor configuration management creates security vulnerabilities, and network configuration is essential to securing the server and its environment. Programmers have less to do when it comes to server configuration; the people most concerned here are server and network administrators. Before any server is put into production, a security vulnerability scan should always be performed, followed by a code review.
Reposted from http://www.efytimes.com/e1/fullnews.asp?edid=149514