Web Security Basics: Is Your Web Application Secure?


You could read that a lot in our old advertisements 70 percent of the websites are hackable. However, the sad truth is that any website and web application can be hacked if there are enough time and resources.

What makes a website or web application fall under the 70 percent above isn’t just vulnerabilities. The security of your website also depends heavily on the skills and motivation of the attacker.

Attacker and target categories

To understand the security risks, you need to first understand the basics of web security – what types of attackers you might encounter and how they choose their targets. Attackers can be divided into three main categories depending on their technical knowledge, motives and approaches:

  • Script kiddies: This term refers to amateur attackers whose primary motivation is either to wreak havoc (e.g. their knowledge of cybersecurity is limited and they mostly use existing tools and look for easy gains. They have no ambitions to access sensitive data, it unless they have direct financial value, such as credit card numbers.
  • Black hat hackers: This term refers to professional attackers whose main motivation is financial and whose conduct is illegal and unethical. Their technical knowledge can be very extensive and they can apply very complex and efficient working methods and use advanced attack algorithms. Unfortunately, more and more black hat hackers are now involved in organized crime, which makes it even more dangerous.
  • White hat hackers: This term refers to professional attackers whose motivation is financial in nature but whose approach is legal and ethical. They help you eliminate your vulnerabilities and take security measures by finding security threats and notifying you about them. White hat hackers do no harm, on the contrary. You should respect them and Invite them to test your protection by offering bug rewards.

Attacks can also be broken down into two main categories depending on how the target is selected:

  • Opportunistic attacks: This term applies when targets are randomly selected based on the recovery potential. The attacker scans a series of targets and finds those that are vulnerable to a particular attack technique. For example, the attacker could search for all WordPress 1.5 installations that are vulnerable to SQL injection (CVE-2005-1687). Such attacks are widespread among script kiddies.
  • Targeted attacks: This term applies when targets are specifically selected based on a certain value for the attacker. The attacker tries to find security issues in order to achieve his goal. For example, the attacker could attempt to gain unauthorized access to sensitive data such as a company’s detailed customer list, and his motive could be industrial espionage. This type of attack is the domain of black hat hackers.

Even if you think your company is of little value to professional attackers, you can still be a potential target for opportunistic attacks. And if the value of your sensitive information is high enough, even strong access control and state-of-the-art security mechanisms may not be enough to deter a professional malicious hacker. The more you do to protect yourself, the less chance the attacker will succeed. And the biggest mistake you can make is thinking that this doesn’t apply to you.

The importance of web application security

While web attacks are not the only type of attack that can compromise security, they are one of the most common types, along with all forms of social engineering (including phishing) and malware. These types are also often used in conjunction. However, despite the importance of web application security, many organizations still struggle to maintain them. Here are our recommendations on how to achieve the best levels of security:

  • Use heuristic detection. If you only use signature-based recognition systems, only protect your assets against script kiddies. Professional black hat hackers rely on finding vulnerabilities in web applications that can only be discovered with a heuristic Web vulnerability scanner, like Acunetix, or manual penetration tests.
  • Prioritize web security over network security. If your focus is on network security more than web security, you should be aware that there have been very few major breaches in the past few years due to network security issues such as: B. in connection with SSL / TLS errors. On the other hand, there have been some major violations caused by web security issues from OWASP top 10 list like SQL injection attacks, cross-site scripting (XSS), CSRF, Web server and container misconfiguration etc.
  • Eliminate the source of the problem. When you feel that Web application firewall enough to protect your assets, you should be aware that WAF rules can often be bypassed with malicious code and well-designed user input. By using a WAF without further action, you do not eliminate the cause of the problem, you just put on a temporary patch.

Web application security is not just about discovering and eliminating vulnerabilities, it is also about prevention. It’s about changing your ways of web development and operations:

  • Raising: The most efficient way to reduce the attack surface is to train your entire team. Your developers, administrators, testers, and non-technical personnel should be aware of potential web security problems and how to avoid such problems.
  • Move to the left: You should try to fix web security problems up as soon as possible move left and integrating web security into your software development lifecycle. If you discover a problem on your production web server and not before, it could be a sign that your processes are not optimized.
  • Be comprehensive: Remember that web security applies not only to server-side and client-side content that can be accessed directly from web browsers, but also to web services, APIs, mobile services, IoT devices, and more.

Tomasz Andrzej Nidecki
Technical content author

Tomasz Andrzej Nidecki (also known as tonid) is a Technical Content Writer and works for Acunetix. As a journalist, translator and technical editor with 25 years of IT experience, Tomasz was Managing Editor of hakin9 IT Security magazine in his early years and ran a large technical blog devoted to email security.

Source link


About Author

Leave A Reply