Web Application Security – FAQ

Learn about Web Application Security

Web applications have changed the way businesses and customers interact online. From streamlining business processes to enabling online interactions, web applications have transformed online user experience and enabled better communication between businesses and their customers. This comes with additional risk making web application security a priority.

• What are web applications?
• What is web application security?
• Why is web application security important?
• What is a web application vulnerability?
• How are web applications attacked?
• What are common ways that attackers exploit vulnerabilities?
• How can web application vulnerabilities be prevented?

What are web applications?

A web application is application software that is accessed by users through a web browser. Visitors to a website can submit and retrieve data over the internet. The web application has a number of elements that each play a part in managing a task. The web server manages the request from the user. The application service executes the request. This may involve processing data, or querying another element in the web application – the database. The results are then returned to the user. Some of the most well known web applications include email, ecommerce, online auctions, wikis and social media. 

What is web application security?

To function, web applications access critical and confidential corporate resources. This comes with a greater chance that vulnerabilities within the code can be exploited and exposes businesses to higher levels of risk. Web applications that are not secure can provide hackers with a gateway to databases and the valuable data they contain. The data in these databases can include personal and sensitive information that is a prime target for cybercriminals who can sell this on for a high price.

Web application security defines the actions taken to protect the organisation, its data and its customers. This includes following best practices to build security into the Web application  throughout the Software Development Lifecycle (SDLC). This helps to identify and address any potential defects before the application is in production. 

Why is web application security important?

Firewalls can not provide protection to web applications because they are designed to be accessible to users at all times. Web applications are targeted because they contain complex source code that can contain weaknesses, and these can be manipulated by hackers to access confidential and critical resources. If there are any weaknesses or errors in the code, hackers can take advantage of the functionality that accepts user input to access the database, the application or even the server. These attacks target the application to access sensitive data, or hackers may use the application to attack users of the application. Without understanding web application vulnerabilities and addressing them, organisations risk an attack, and this can result in data theft and significant damage to their operations and their reputation. The consequences of an attack are serious and include – 

• Unauthorised access to/theft of confidential content (financial, personal, sensitive data)
• Regulatory penalties
• Installation of malware – impact to operations/sales/revenue
• Reputational damage
• Loss of sales and customer trust

What is a web application vulnerability?

A vulnerability is a weakness or misconfiguration in a web-based application that attackers can exploit to gain unauthorised access. Some simple examples include form inputs not being validated or web servers being misconfigured. Hackers use sophisticated technologies such as scanners and botnets that automate attacks allowing them to target vast numbers of websites seeking out vulnerabilities at speed. 

How are web applications attacked?

• Malware refers to malicious programs that attackers use to exploit an application. Ransomware, viruses, spyware and trojans are all types of malware and work by deceiving users and tricking controls to install the malicious software.
• Distributed denial of service (DDoS) attacks overwhelm the application with requests that make it unavailable to genuine users. This is often used as a means of distraction for another form of attack. 
• SQL Injection attacks target databases with attackers injecting malicious code using a field on a web page. This enables attackers to evade security controls and interfere with queries made to the database. Attackers can view data they should not be able to see and in some cases they can modify the data to change how the application behaves. It generally allows an attacker to view data that they are not normally able to retrieve. 
• Cross-site scripting (XSS) attacks inject malicious code into the application to compromise communications between the browser and server. This allows the attacker to pretend to be a user; carrying out any of their allowed actions and accessing their information. If the user has greater privileges, the attacker could take control of the application and its data.  

What are common ways that attackers exploit vulnerabilities?

The OWASP Top 10 is a reference document that details the 10 most critical security risks for web applications. The report is compiled by security experts from all over the world using data from a number of organisations. The OWASP Top 10 has become a world-renowned resource used by organisations and developers to develop secure applications. The Top 10 is used extensively as a baseline for compliance, education, and vendor tools. 

The Top 10 was updated in 2021 and includes three new categories, changes to the naming or scoping of four categories with naming and scoping changes, and consolidation in others.

1. Broken Access Control
2. Cryptographic Failures
3. Injection
4. Insecure Design
5. Security Misconfiguration
6. Vulnerable and Outdated Components
7. Identification and Authentication Failures
8. Software and Data Integrity Failures
9. Security Logging and Monitoring Failures
10. Server-Side Request Forgery

How can web application vulnerabilities be prevented?

Web application security is a priority. Organisations are exposed to more attacks by hackers looking to take advantage of vulnerabilities. Securing web applications requires a range of actions that, when coordinated and consistent in their approach, can defend them from many forms of attack. Technologies including Web Application Firewalls (WAFs) help by monitoring traffic between the web application and the user, to block anything that is potentially malicious. Vulnerability scanning solutions can also help by identifying and addressing any issues in the application. 

However, the approach must be proactive. Training is essential and provides the knowledge and resources required to prevent vulnerabilities in web applications from the outset; identifying critical vulnerabilities that are present, understanding how exploitation works and implementing the necessary corrective measures.

The Web Application Security Essentials course provides the knowledge and resources required to those responsible for implementing, managing, or protecting web applications. The participants, through the understanding of theory and a strong focus on practical exercises, will be able to identify critical vulnerabilities in web applications, understand how exploitation works and learn how to implement the necessary corrective measures.