| 7 min read
Table of contents
Web applications currently span a wide range of uses, from e-commerce sites to social media and productivity tools, among many others. Beyond their great accessibility, they’re easy to update, cost-effective and capable of handling many users simultaneously. Since web apps often store sensitive information like personal data, financial details and intellectual property, they are main targets for cyberattacks.
Cybercriminals exploit vulnerabilities in web applications that can lead to financial losses, reputational damage and legal consequences for companies. To counter these threats, developers implement several security controls or strategies.
Web application security
Web application security involves protecting websites, web servers and APIs from cyberattacks. This protection can be achieved through a mix of technologies and strategies aimed at preventing different threats.
As web-based attacks grow more sophisticated, securing sensitive data becomes a top priority for businesses and developers. In this blog post, we explore seven current critical web app security threats and provide tips on how you can prevent them.
Looming threats and preventive strategies
1 - Injection attacks
Injection attacks occur when malicious code is inserted into an application through various input points, such as forms, query strings, or cookies. Once executed by the application, this code can enable attackers to steal data, alter application behavior, or gain unauthorized access.
There are four main types of injection attacks. SQL injection, where attackers insert malicious SQL code into input fields. The application executes this code as part of a database query, allowing attackers to manipulate data, bypass authentication, or delete information. Another technique is OS command injection, which tricks an application into running arbitrary operating system commands, giving attackers deeper control over the system. LDAP injection targets Lightweight Directory Access Protocol (LDAP) servers, and attackers are able to inject malicious code to modify LDAP queries and gain unauthorized access or manipulate directory information. Lastly, NoSQL injection, which is when attackers get to inject arbitrary text into NoSQL queries, targets NoSQL databases (like MongoDB and ArangoDB).
In 2023, the Cl0p ransomware gang exploited a zero-day SQL injection vulnerability in the MOVEit Transfer app (CVE-2023-34362). This breach allowed unauthorized database access, leading to the theft of sensitive data across multiple organizations. The Cl0p gang used the stolen data for extortion, threatening to publicly release it unless a ransom was paid.
Preventive strategies include:
-
Sanitize and carefully examine all user inputs to prevent harmful code injection.
-
Use parameterized queries for database interactions, which separate data from SQL code, reducing the risk of SQL injection.
-
Conduct routine security testing, including penetration tests and vulnerability assessments, to identify and fix injection vulnerabilities before attackers can exploit them.
2 - Cross-site scripting (XSS)
XSS is a web app vulnerability that allows attackers to inject malicious JavaScript into web pages viewed by other users. This can lead to the theft of cookies, session tokens and other sensitive information. XSS occurs when a vulnerable site includes untrusted data without proper validation, allowing the attacker’s script to execute on a user’s system.
XSS attacks come in several forms. In reflected XSS, the malicious script is injected into a URL and reflected back to the user in the response. In stored XSS, the harmful script is saved on the server, such as in a forum post or comment, and is executed later when another user views the content. DOM-based XSS runs entirely within the client’s browser, without direct interaction with the server.
In 2020, a significant cross-site scripting (XSS) vulnerability was discovered in WhatsApp Web. It allowed attackers to send specially crafted messages that, when opened by the user, executed malicious code and enabled the attackers to read files from the user's local system. This vulnerability affected WhatsApp Desktop prior to v0.3.9309 paired with WhatsApp for iPhone versions prior to 2.20.10.
Preventive strategies include:
-
Always validate and sanitize user input to prevent malicious script injection.
-
Properly encode output when displaying user-supplied data.
-
Perform regular security testing, including vulnerability scanning and penetration testing, is essential to uncover potential weaknesses.
3 - Broken authentication and session management
These flaws happen when an application's mechanisms for managing user authentication and sessions are inadequately implemented, which can lead to authentication bypass or session hijack.
Attackers use various approaches to abuse these vulnerabilities. They can exploit weak password policies, such as those that allow passwords of less than eight characters or that do not enforce the use of multiple character types for complexity. Attackers can exploit systems bypassing access controls when role-based limitations are not applied or a “deny by default” policy is not enforced. Another way is through the management of session errors, which often involve poor handling of session cookies, inadequate timeouts and lack of session regeneration. Credential stuffing can also be used to gain access to user sessions.
In early 2023, Norton LifeLock experienced a data breach due to credential stuffing attacks. Cybercriminals gained unauthorized access to customer accounts, exposing sensitive personal data such as names, addresses, phone numbers and stored passwords in Norton’s Password Manager.
Preventive strategies include:
-
Enforce strong password requirements, including length, character types and expiration.
-
Implement multi-factor authentication and strong password hashing algorithms.
-
Manage sessions by protecting session cookies, using secure HTTP (HTTPS) and regularly regenerating session IDs.
4 - Insecure direct object references (IDOR)
IDOR vulnerabilities are often exploited through URL manipulation, where a malicious actor leverages a predictable identifier due to insufficient authentication and access control checks. Without proper checks, the attacker might view private records, modify or delete data, and take over accounts.
Although IDOR is considered a single type of vulnerability, it can appear in different forms. Horizontal privilege escalation happens when an attacker accesses data or performs actions intended for other users at the same privilege level. Vertical privilege escalation involves accessing data or functions meant for users with higher privileges.
In 2019, First American Financial Corp suffered a massive data leak due to an IDOR vulnerability, exposing nearly 885 million sensitive records related to mortgage transactions. By simply altering digits in a URL, anyone with a web browser could access these documents, which included bank account numbers, Social Security numbers, driver’s license images and other financial records. This vulnerability was discovered through manual penetration testing.
Preventive strategies include:
-
Validate user input to prevent attackers from exploiting direct object references. Ensure input matches expected types, lengths and formats.
-
Implement effective access controls and session management, such as restricting access to resources and data to authorized users only. Reviewing OWASP’s cheat sheets on authorization and authentication can help guide best practices.
-
Conduct thorough penetration testing, including dynamic application security testing (DAST), to reveal potential IDOR vulnerabilities.
5 - Security misconfigurations
Security misconfigurations are among the most common vulnerabilities and occur when security settings are not optimized or services are deployed with insecure default options. This can range from leaving default passwords on a device to configuring a firewall incorrectly.
Attackers exploit these misconfigurations in various ways. One common method is taking advantage of default credentials since many devices come with preset usernames and passwords that often are left unchanged. Weak configurations are another target, such as incorrect firewall settings, outdated protocols and weak encryption. Outdated software poses a significant risk as unpatched systems are vulnerable to known threats. Cloud misconfigurations, such as improper settings in storage buckets or virtual machines, can also expose data and resources to unauthorized access.
In 2021, the Microsoft Power Apps data leak exposed sensitive information due to misconfigured portal settings. Power Apps, a platform for building custom applications, suffered from a critical error where settings meant for authenticated users with specific permissions were set to be publicly accessible without adequate security controls.
Preventive strategies include:
-
Regularly review security configurations across systems and applications, ensuring they align with best practices and compliance requirements.
-
Establish and maintain a rigorous patch management process to keep all software and systems updated with the latest security patches.
-
Implement systematic security testing with assessments designed to identify misconfigurations and other security weaknesses before they can be exploited.
6 - Cross-site request forgery (CSRF)
CSRF is a vulnerability that allows users to be tricked into performing unintended actions on a web application. When a user clicks a malicious link or submits a form, the action is executed on their behalf, leading to potential data loss or unauthorized access.
CSRF attacks are typically carried out by crafting malicious links or scripts that, when clicked, automatically send forged requests to a vulnerable application. Attackers can also spoof double *cookie submission requests (DSC) to bypass established safeguards by exploiting how cookies are handled. Social engineering techniques are often employed to persuade users to interact with harmful links or attachments.
In 2008, a notable CSRF attack exploited vulnerabilities in YouTube’s web application. Attackers created malicious requests that, when a logged-in user visited a crafted web page or clicked a link, triggered unintended actions on their YouTube account, such as adding videos to their favorites list without their consent.
Preventive strategies include:
-
Implement token-based protection, where a unique anti-CSRF token is generated for each session and validated on the server side with every request.
-
Conduct comprehensive vulnerability scans to evaluate both client-side and server-side defenses, ensuring that CSRF protections are effectively implemented and functioning.
7 - Insufficient logging and monitoring
Insufficient logging and monitoring refers to inadequate practices for tracking and reviewing system events. This can involve not logging critical activities like failed login attempts or neglecting to monitor logs and alerts for suspicious behavior.
Attackers exploit this gap in several ways. When a web app operates without triggering logs for key events, malicious actors can remain undetected for long periods. They may manipulate or delete logs to hide their tracks. Exploiting systems with limited or no logging capabilities also enables them to take advantage of blind spots where their actions go unrecorded. The absence of real-time monitoring worsens these risks by delaying the detection of ongoing threats, leaving systems exposed.
A prominent example is the 2013 Target data breach, where attackers infiltrated the network through a third-party portal and installed malware on point-of-sale systems. A major contributing factor to this breach was Target’s inadequate logging and monitoring practices, allowing attackers to steal millions of credit card numbers.
Preventive strategies include:
-
Ensure that all critical system activities are thoroughly logged, including authentication failures, access attempts, changes in system configurations, and error messages.
-
Continuously monitor logs and system activities in real time to detect and respond to suspicious behavior and anomalies promptly.
-
Develop and maintain a comprehensive incident response plan that outlines procedures for detecting, managing and mitigating security incidents. Ensure the plan includes roles and responsibilities, communication strategies and response protocols.
As you may have noticed, the prevention strategy that repeats the most across the sections is security testing, which luckily, we offer. Our Continuous Hacking solution includes penetration testing, vulnerability management and secure code review, to name a few. All are key steps in identifying and addressing various vulnerabilities such as injection, XSS, broken authentication, and more. Consistent security testing, which is performed with automated tools and manual techniques, proactively discovers weaknesses in your web applications before attackers can exploit them.
Let Fluid Attacks work for you in the fight against these and other security threats. Contact us now.
Table of contents
Share
Recommended blog posts
You might be interested in the following related posts.
Protecting your PoS systems from cyber threats
Top seven successful cyberattacks against this industry
Challenges, threats, and best practices for retailers
Be more secure by increasing trust in your software
How it works and how it improves your security posture
The importance of API security in this app-driven world
Protecting your cloud-based apps from cyber threats