10 Common Web Security Threats Businesses Might Face in 2024
February 17, 2024
A lot of common web security threats are seriously a wake-up call for the importance of web security particularly. To raise awareness of web application security threats that businesses and individuals may face today, this article uses OWASP (Open Source Foundation for Application Security) as a reference to list top vulnerabilities on the web.
In November 2019, Hieu Minh Ngo – or notoriously known as HieuPC, a used-to-be Vietnamese hacker – was released after seven years in US jail. In a recent interview with Kreb On Security, Hieu shared the story of his criminal path. Starting with hacking the Unitec website after exploring a vulnerability there, he continued to operate other international attacks on the websites of MicroBilt, Court Ventures, and Experian. Those companies suffered severe damage from their activity of reselling stolen consumer or financial data. But, he is not the only black-hat hacker in the world.
10 Common Web Security Threats You Should Care About
1. Injection flaws
Injection flaws occur when untrustworthy input data fail to be filtered and then sent to an interpreter as a command or query. Attackers can easily detect the vulnerability when testing codes manually or using the fuzzing technique. They then might use that weakness to inject malicious codes and steal business and client data, or more seriously take over the host server.
Among all types of injection vulnerabilities, SQL Injection is more common with a very high probability of successfully hijacking websites. Besides, other injection flaws can be found in LDAP servers, XPath, or NoSQL queries.
Prevention of this web security threats:
Simply speaking, to secure websites from injection vulnerabilities, you have to filter input data correctly, and more importantly, those data need to come from a whitelist. But you hardly ensure to properly filter all input without letting no hostile data in.
Gergely Kalman, a Spain-based security specialist, advised using filtering functions of your existing framework as they work well in scrutinizing suspect data. Meanwhile, OWASP suggests using Object Relational Mapping Tools (ORMs) or a safe Application Programming Interface (API) as, in part, a subtitle for an interpreter because an API can provide a certain parameterized interface. So this action will reduce the risk of your website being hacked.
2. Broken Authentication
Authentication is the process of determining a user’s identity. Accordingly, this act fails when any app functions regarding authentication or session management are improperly executed. Like Injection Flaws, this vulnerability is very common. Hackers can identify it by manual means and then use automated tools to access username and password lists, consequently changing the ownership of users temporarily or permanently. Apart from identity theft, this mistake can result in money laundering, social security fraud, or loss of confidential information.
Prevention of these web security threats:
To thwart unexpected attacks, users should:
- set up multi-factor authentication, typically two-factor authentication for Apple ID or Google Account;
- do not give default credentials to others, especially admin users;
- ensure their passwords (or called memorized secrets) are not weak;
- immediately delay failed login attempts from suspects and report this issue to administrators;
- use a secure and built-in session manager on the server side that creates a new random session ID with high entropy (unpredictable and random identity for attackers not to guess easily).
3. Sensitive Data Exposure
As the name states, the mistake occurs when sensitive data, especially regarding finance or healthcare are not properly protected, thus easily attacked. Such information should have been encrypted at rest or in transit. But it does not, in fact. Consequently, hackers can manually carry out man-in-the-middle attacks where they can secretly intercept and change the communication of two parties without their knowledge, or illegally take clear-text (or unencrypted) data out of the server.
Prevention of this web security threat:
To minimize this flaw, Gergely Kalman suggests using “HTTPS with a proper certificate and PFS (Perfect Forward Secrecy)” and stopping receiving data from non-HTTPS connections if you do not want your session keys to be compromised when delivering data over systems.
It is advisable to classify which data are sensitive before they are processed, stored, or transmitted by an app, and then to use controls based on the classification. Also, as mentioned, all sensitive data ought to be encrypted at rest, but unnecessary data needs to be removed.
4. XML External Entities (XXE)
XML External Entities are custom entities that have values defined outside the DOCTYPE declaration. To execute XTML data, an app requires an XML processor (or XML parser). However, when such processors are poorly configured or too old-fashioned, attackers may use this gap to send hostile XML external files, which allows them to perform various attacks such as disclosure of internal files or SSRF (Server-side Request Forgery).
Prevention of this web security threat:
As many web apps now use an XML format to store and transfer data, developers should:
- be trained to identify and mitigate XXE;
- use less complex data formats (i.e. JSON) and avoid serializing sensitive data;
- upgrade all XML parsers and libraries.
5. Broken Access Control
This flaw arises when authenticated users can access some unauthorized functionality. For example, when a malicious user logs in to his own account on a banking app, he can change the account ID parameter to gain access to the account details of other users, or craft a request to perform an admin-level activity, like searching the user database. Accordingly, consumer data are unintentionally revealed, modified, or even compromised.
Prevention of this web security threat:
Developers should choose appropriate access control models for the design and development of web apps, and concurrently implement access control in trusted server-side code or server-less API.
6. Security Misconfiguration
To understand how the vulnerability occurs, just look at the picture. Imagine the ladder is the system; the girl is a user; the boy is an attacker, while books and football are configurations. When the boy hits the ball, the ladder will fail, involving the girl in an unexpected accident. This is obviously an inevitable result of using unsuitable ladder mounting (the football) or having a “misconfigured structure”. Similarly, like the ball, configurations of many traditional web servers still remain out-of-date and insecure, while hybrid or cloud environments change so quickly that it is challenging to build the right, secure configurations. Consequently, the flaw can allow hackers to illegally control or even compromise a system.
Prevention of this web security threat:
The most possible solution to fix the mistake is to have a secure development and deployment process.
7. Cross-Site Scripting (XSS)
The flaw appears when web apps receive HTML or JavaScript input tags that are not sanitized (or inspected) after victims click on script-injected links. Hijackers can use such hostile files to execute codes on the user’s browser remotely and steal their credentials and sessions. OWASP reports this problem in two-thirds of modern apps, even on three XSS forms Reflected XSS, Stored XSS, and DOM XSS.
Prevention of this web security threat:
Simply speaking, this issue can be prevented by trying not to return HTML or JavaScript tags to users. Besides, developers can use frameworks (e.g. Ruby on Rails or React.js) that automatically avoid the injection.
8. Insecure Deserialization
Serialization is the act of converting an object to a format for later restoring, whereas deserialization is the opposite turning data obtained from files or networks into an object. When deserialization is insecure, attackers can abuse this vulnerability to inject hostile objects into a web app and implement remote code attacks on business data.
Prevention of this web security threat:
According to OWASP, the safest solution to the issue is not accepting serialized objects from unknown or unreliable sources. Furthermore, developers should strictly monitor the deserialization process and use a firewall to help determine the flaw.
9. Using Components with Known Vulnerabilities
Apparently, vulnerable components (e.g. frameworks, libraries, or software modules) can get exploited by attackers for bad purposes. Depending on different databases and applications, the impacts of the vulnerability can vary, from purloining private data to taking over the server.
Prevention of this web security threat:
Developers should follow some essential principles to minimize the risk of having the flaw, particularly:
- carefully check codes they write for software;
- remove unused features, files, or documents;
- only get components from official or trustworthy sources.
FURTHER READING: |
1. Progressive Web App Tutorial for Beginners |
2. What Is Drupal? All You Need to Know Before Starting |
3. Software Development Costs: A Detailed Guide to Estimate Your Project |
10. Insufficient Logging & Monitoring
Logging means managing logs that are event records related to a system, hence ensuring the collection of useful data. Meanwhile, monitoring helps supervise server performance and detect any intrusions. Therefore, when those actions are insufficiently implemented, they fail to record and detect unknown attacks on the database.
Prevention of this web security threat:
Organizations should effectively monitor and alert suspicious activities. Similarly, any login or access control failures should be adequately recorded to identify suspects in time.
Final Thought of Common Web Security Threats
Common web security threats are an unavoidable outcome of Internet development. So not only cybersecurity engineers but also non-experts should take a web security course to protect their assets from unanticipated attacks in the future.
For more articles like this, let’s follow our Facebook, Twitter, and LinkedIn!
Also published on
Share post on
Read more topics
