Building Secure Web Applications:

Best practices to mitigate the vulnerability of your web app.

Web applications face daily threats from many kinds of attacks and attackers. While some threats are more common than others, the Open Web Application Security Project (OWASP) has consistently ranked a core set of them in its Top 10 for the last several years. Although a web application threat can often be dealt with after the fact, prevention is always the best form of protection against vulnerabilities.

This article will, in 5 parts, delve into 5 of the most common web application vulnerabilities and suggest ways of making your web applications less prone to attack.

The vulnerabilities are:

  • Broken Access Control
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Injection attacks
  • Obfuscation

Broken Access Control

Access Control in a web application means a user cannot access functions that are beyond what they are permitted to do. According to OWASP,

Access control enforces policy such that users cannot act outside of their intended permissions.

When access control is broken, a user gains access they were never granted, and this can lead to data destruction, information disclosure, or the performance of unauthorised functions or activities.

Usually, attackers exploit flaws in web applications to gain access and perpetrate criminal activities including data breaches.

Many high-profile companies have been victims of Broken Access Control. In 2018, for instance, Facebook reported the exposure of the data of over 30 million users due to Broken Access Control. Personal data including names, phone numbers, addresses and birthdates were stolen by the attackers.

Preventing Broken Access Control

Many proactive steps can be taken to prevent unauthorised access or to lock out an attacker. Some of these include:

  • Proper implementation of access controls for each level of user, denying by default anything not explicitly permitted
  • Logging access control failures so that repeated probing can be noticed
  • Reviewing the access control policy so it reflects current best practice
  • Pruning CORS (Cross-Origin Resource Sharing) usage to the origins that genuinely need it

OWASP has put together a comprehensive guide on the prevention of Broken Access Control.
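To make the first two points concrete, here is an added example (not code from the article or from OWASP) of a deny-by-default authorization check with failure logging and a CORS allowlist. The roles, the permission table, the sample records and the allowed origin are all constructed for the example; in a real application they would come from your user store and configuration.

```python
"""Deny-by-default access control with failure logging.

Added illustration, not code from the article or from OWASP. The roles,
permission table, records and allowed origin below are constructed sample data.
"""
import logging
from dataclasses import dataclass, field

logger = logging.getLogger("access_control")

# Constructed permission table: role -> actions it may perform.
# Anything not listed is denied (deny by default), including unknown roles.
ROLE_PERMISSIONS = {
    "admin": {"read", "update", "delete", "list_all"},
    "user": {"read", "update"},
    "viewer": {"read"},
}

# Constructed sample records; owner_id drives the object-level check.
RECORDS = {
    1: {"owner_id": 100, "body": "alice's invoice"},
    2: {"owner_id": 200, "body": "bob's invoice"},
}


@dataclass
class User:
    user_id: int
    role: str


@dataclass
class AccessLog:
    denied: list = field(default_factory=list)


ACCESS_LOG = AccessLog()


class AccessDenied(Exception):
    pass


def is_allowed(user, action, record_id):
    """Return True only if BOTH checks pass: the role may perform the action,
    and (for non-admins) the user owns the record. Unknown roles, unknown
    actions and missing records all fall through to deny."""
    allowed_actions = ROLE_PERMISSIONS.get(user.role, set())
    if action not in allowed_actions:
        return False
    if action == "list_all":
        return True
    record = RECORDS.get(record_id)
    if record is None:
        return False
    # Object-level check: a valid role is not enough, the record must be yours.
    if user.role != "admin" and record["owner_id"] != user.user_id:
        return False
    return True


def authorize(user, action, record_id):
    """Enforce the decision and record every failure (log access control
    failures) so that repeated failures against many ids stand out."""
    if is_allowed(user, action, record_id):
        return True
    entry = {"user_id": user.user_id, "role": user.role,
             "action": action, "record_id": record_id}
    ACCESS_LOG.denied.append(entry)
    logger.warning("access denied: %s", entry)
    raise AccessDenied(f"{action} on record {record_id}")


def get_record(user, record_id):
    """Handler-style function: authorize first, then touch the data."""
    authorize(user, "read", record_id)
    return RECORDS[record_id]["body"]


# CORS allowlist (constructed value): only listed origins are ever echoed back.
ALLOWED_ORIGINS = {"https://app.example.com"}


def cors_origin_header(request_origin):
    """Return the Access-Control-Allow-Origin value for a request, or None.
    Never reflect an arbitrary Origin, and never combine '*' with credentials."""
    if request_origin in ALLOWED_ORIGINS:
        return request_origin
    return None


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    alice = User(100, "user")
    print(get_record(alice, 1))           # alice's own record: allowed
    try:
        get_record(alice, 2)              # bob's record: denied and logged
    except AccessDenied as exc:
        print("denied:", exc)
    print(len(ACCESS_LOG.denied), "failure(s) logged")
```

The point of splitting `is_allowed` from `authorize` is that the decision is a pure function you can unit-test against every role and every edge case (unknown role, missing record, someone else's id), while `authorize` is the single place where enforcement and logging happen, so no handler can forget either.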

Where do you go from here?

If the security of your web application matters to you, then OWASP should be your first port of call. Every year they publish a list of the top 10 web application vulnerabilities and explain how the corresponding attacks are carried out. Being aware of that information is a great first step toward securing your web application(s).
