Application Security: Coding Practices

Web application vulnerabilities are a major security concern as they allow hackers to exploit flaws in application code to conduct attacks. Common attacks include SQL injection, cross-site scripting, and remote file inclusion. These attacks manipulate databases, inject malicious code, or gain unauthorized access. Organizations can help prevent such attacks through measures like web application firewalls, regular software updates, and employee education on secure browsing practices.

Uploaded by

Sridhar P

Application Security

Cybercrime has risen exponentially in recent years, exposing a wide range of vulnerabilities in web and mobile applications. Most of these security issues are caused by poor coding practices, which undermine the integrity of the application code. In other words, hackers exploit application-layer loopholes in poorly coded applications to launch their attacks.

Web application security is the process of protecting websites and online services against the different security threats that exploit vulnerabilities in an application's code. Common targets for web application attacks are content management systems (e.g., WordPress), database administration tools (e.g., phpMyAdmin) and Software-as-a-Service (SaaS) applications.

The reasons why web applications seem to be the favourite target are:

Coding practices

o If the code is poorly written, hackers can exploit application-layer loopholes to initiate an attack
o If the code is complex, the likelihood of unaddressed vulnerabilities and of malicious code manipulation increases

Ease of Execution

o Most attacks can be easily automated and launched indiscriminately against thousands, or even tens or hundreds of thousands, of targets at a time.
o Cybercriminals are paid in bulk to attack applications

Hence organizations that fail to secure their web applications run the risk of being attacked, and this is mostly due to vulnerabilities present in the application. Application vulnerabilities are creating havoc in today's cyberspace, giving leeway to different kinds of attacks.

Let’s take a look at a few leading attacks on web applications:

SQL Injection:

Here, the perpetrator uses malicious SQL code to manipulate a backend database so that they can get their hands on sensitive information.

Cross-site Scripting (XSS):

XSS occurs when the attacker injects malicious code directly into an application, thereby gaining access to accounts, activating Trojans or modifying page content.

Remote File Inclusion:

The hacker injects a file onto a web application server. By doing so they can execute malicious scripts or code within the application, as well as steal data and manipulate it.

Cross-site Request Forgery (CSRF):

It is caused when a malicious web application makes a user's browser perform an unwanted action on a site to which the user is logged in.

These are a few of the most popular types of attacks that exploit vulnerabilities in an application. OWASP (the Open Web Application Security Project) lists the top 10 application vulnerabilities, along with their risk, impact and countermeasures, every 3-4 years.

Application security checklist

‘Prevention is better than cure’. Most of the time organizations have countermeasures to ensure safety
against these attacks. These countermeasures can take the form of software, hardware, and modes of
behavior.

Software countermeasures include:

o Web application firewalls: These firewalls are designed to examine incoming traffic and block attack attempts, thereby compensating for any code manipulation
o Pop-up blockers: Also known as pop-up killers, these prevent pop-ups from displaying in a user's Web browser
o Cryptography: Different kinds of encryption and decryption algorithms can be used to secure all data transmissions
o Spyware detection programs: A variety of spyware detection and spyware removal programs can be installed to prevent cyber attacks

Hardware countermeasures include:

o A router that can prevent the IP address of an individual computer from being directly visible on the Internet
o Biometric authentication systems that identify third-party hosted content, keeping your application safe
o Intrusion detectors and alarms

Behavioral countermeasures include:

o Frequent deletion of stored cookies and temporary files from Web browsers
o Regular installation of updates and patches for operating systems
o Regular scanning for viruses and other malware
o Refraining from opening e-mail messages and attachments from unknown senders

Today, cyber threats are so routine and sophisticated that they seem almost impossible to prevent. Yet
security programs continue to evolve new defenses as cyber-security professionals identify new threats
and new ways to combat them.

SQL injection, also known as SQLI, is a common attack that uses malicious SQL code for
backend database manipulation to access information that was not intended to be displayed.

A successful injection attack may result in the unauthorized viewing of user lists, the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, all of which are highly damaging to a business. SQL injection usually occurs when you ask a user for input, like their username or user id, and instead of a name or id the user gives you an SQL statement that you will unknowingly run on your database.

Look at the following example:

    txtUserId = getRequestString("UserId");
    txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;

The original purpose of the code was to create an SQL statement that selects a user with a given user id. A user with malicious intentions can input this: User Id: 105 OR 1=1

The input is syntactically valid; in fact, it will return ALL rows from the "Users" table because OR 1=1 is always TRUE. This way a hacker might get access to all the usernames and passwords in a database simply by inserting such input.
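To make the concatenation problem concrete, here is an added example (not code from the original document) that runs the page's query against a constructed in-memory SQLite Users table, once built by string concatenation as in the snippet above and once with a bound parameter; the sample rows and the function names are assumptions made for this demonstration.

```python
import sqlite3

# Constructed sample rows for the Users table the snippet above queries.
SAMPLE_USERS = [
    (105, "alice", "hash-a"),
    (106, "bob", "hash-b"),
    (107, "carol", "hash-c"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Username TEXT, PasswordHash TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_vulnerable(conn, txt_user_id):
    """Same construction as the page's snippet: the request string becomes part of the SQL."""
    txt_sql = "SELECT * FROM Users WHERE UserId = " + txt_user_id
    return conn.execute(txt_sql).fetchall()


def lookup_user_parameterized(conn, txt_user_id):
    """Hardened form: the value is bound as a parameter, so it can never change the query."""
    return conn.execute("SELECT * FROM Users WHERE UserId = ?", (txt_user_id,)).fetchall()


def is_valid_user_id(txt_user_id):
    """Defence in depth: a user id should be a plain positive integer before it reaches the DB."""
    return txt_user_id.isdigit()


def demo():
    """Return row counts for an honest id and the page's '105 OR 1=1' input on both lookups."""
    conn = make_db()
    honest, tampered = "105", "105 OR 1=1"
    return {
        "vulnerable_honest": len(lookup_user_vulnerable(conn, honest)),
        "vulnerable_tampered": len(lookup_user_vulnerable(conn, tampered)),  # every row leaks
        "parameterized_honest": len(lookup_user_parameterized(conn, honest)),
        "parameterized_tampered": len(lookup_user_parameterized(conn, tampered)),  # no match
        "validator_accepts_honest": is_valid_user_id(honest),
        "validator_accepts_tampered": is_valid_user_id(tampered),
    }


if __name__ == "__main__":
    print(demo())
```

With the parameter bound, the tampered string is compared as a literal value against UserId and matches nothing, while the input validator rejects it before any query is run.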
