How to Correct Security Vulnerabilities for Web Apps

Web application vulnerabilities pose a serious threat to your company's IT services and operations. 

For the most part, web app vulnerabilities stem from programming errors that quality assurance (QA) engineers overlook during the software development and testing process or from continued use of open-source software components that are no longer patched or updated by their vendors.

Web app vulnerabilities recently have become a more serious threat to companies.

Most companies now prioritize shorter software development and release cycles over web app quality and security. As a result, apps are now an easier target for hackers, who exploit vulnerabilities that your company or IT services company overlooked during the development process. 

This article classifies the different types of web application security vulnerabilities, identifies the factors that cause them, and provides several tips to protect your company’s IT services infrastructure in 2018 and beyond.

Types of Web App Security Vulnerabilities & Their Consequences

There are three degrees of security vulnerabilities that affect enterprise and consumer-oriented web applications: high-severity, medium-severity, and low-severity.

High-Severity Vulnerabilities

High-severity vulnerabilities are security flaws that enable hackers to take complete control over a targeted application without having direct access to it. 

Examples of high-severity vulnerabilities are below. 

Cross-Site Scripting 

Cross-site scripting tricks browsers into interpreting and executing malicious JavaScript (JS) code to retrieve sensitive information from your cookie files. This enables hackers to impersonate legitimate users and access your corporate data including passwords and payment credentials.

An example of a cyber attack caused by a high-severity vulnerability is the infamous WannaCry attack of 2017 that infected over 200,000 computers in 150+ countries. 

The malware associated with this attack exploited the Remote Code Execution vulnerabilities common for older versions of Windows. 

Cross-site scripting was among the most common vulnerabilities of 2017.

Source: PT Security

Other common forms of vulnerabilities are SQL injections (see below), path traversal, data leakage, and operating system (OS) commanding. 

SQL Injection 

SQL injection vulnerabilities exist for websites and apps powered by Structured Query Language (SQL) database software. SQL software stores and organizes business data including customer records and payment info.

Although SQL databases require authentication, it is only implemented on the app level.

Thus, hackers who skip the authentication scheme of a web application can retrieve contents of an entire database. SQL injections accounted for 64% of web app attacks that were registered through 2016.

Remote Code Execution

Remote code execution allows hackers to trigger code execution over the internet.

These attacks typically originate from one of your employees who clicks on an email link to a 3rd-party website. That website exploits the vulnerabilities of a web browser or the operating system (OS) running on your corporate computers and infects them with malware.

A hacker can then manipulate the malicious program over the Internet to access sensitive data or lock the computers and demand ransom. Ransomware attacks, for example, grew by 250% last year and caused over $5 billion in damage.

File Inclusion and Directory Traversal

These vulnerabilities allow intruders to read directories and files outside the root directory, the top directory of a web app file system. During a file inclusion attack, access to any data stored “above” the root directory, for example, other websites’ directories, are inaccessible to users but are accessible to hackers. 

Medium-Severity Vulnerabilities

Medium-severity flaws can partially compromise the confidentiality, integrity, and availability (CIA) of a website or web application. These flaws enable hackers to access business data and modify it to prevent your employees and customers from using it when needed.

Hackers take advantage of these vulnerabilities to launch Denial of Service (DoS) attacks and cause software downtime.

That is exactly what happened to Dyn, a US internet performance management company that suffered a major DoS attack in 2016. The cyberattack was triggered by the Mirai botnet, which infected Wi-Fi routers, surveillance cameras, and other connected devices. The botnet bombarded Dyn’s servers with traffic and brought down several prominent websites, including Twitter and Netflix.

Other types of “medium” security flaws include:

• Cross-Site Request Forgery: prompts users to perform an unintended action. For example, these forgeries will direct you to visit a website hosted by a hacker or click on an infected link.
• Directory Listing: web server misconfigurations, which expose data to hackers.
• Transport Layer Security (TLS)/Secure Socket Layer (SSL): vulnerabilities that allow intruders to access data transferred between client and server.

Low-Severity Vulnerabilities

Unlike high-severity and medium-severity vulnerabilities, low-severity flaws cannot be exploited over a network and require authorized access or direct user involvement to take control over a web app.

Examples of low-severity vulnerabilities that can affect the CIA of your web application include:

• Documentation files, which inattentive developers often leave in website or web application directories. A cybercriminal can use web crawlers to retrieve data from such files and discover what type and version of a web app you use.
• Insufficient protection against password-guessing attacks. These flaws help hackers discover a password by trying different combinations of letters and numbers.
• Failure to encrypt sensitive data. The transmission of unencrypted data between two parties – for example, a mobile app and its web server – may result in hackers’ attempts to intercept it.

As you can see, low-severity vulnerabilities are the easiest to avoid. Simple protective mechanisms like two-factor authentication (2FA) and diligent care for your company files can go a long way in preventing these vulnerabilities. 

How Do Security Vulnerabilities Arise?

Security vulnerabilities arise from a few different factors, many of which result from failure to follow security best practices. 

Common factors that compromise website and web application security include:

Use of Open-Source Software Components

Neither software developers nor their customers want to reinvent the wheel every time they build a website or enable a new feature in a web application. As a result, the open-source software market is thriving.

The use of unpatched libraries and plugins, however, poses a serious threat to IT infrastructure security. Once a vendor stops rolling out security updates for a web app, hackers can freely exploit its documented vulnerabilities.

Take Java, for example, the No. 1 programming language for enterprise software development. Its unpatched third-party libraries, for instance, allow hackers to bypass firewall and connect to a company’s email servers through File Transfer Protocol (FTP) injections.

Wrong Choice of Software Components That Comprise the Infrastructure of a Website or App

Although most security vulnerabilities stem from poor coding practices, programming languages and web app development frameworks are not created equal.

Drupal, for instance, is considered the most secure website content management system (CMS) on the market. It’s no wonder General Electric, Pfizer, and Qualcomm chose it over WordPress.

According to WP White Security, 70% of Alexa's Top 1 Million WordPress websites are vulnerable to hacker attacks due to the fact that anyone can create a WP plugin and upload it to the official store.

Short project timeframes

The easiest (and cheapest!) way to mitigate security risks is to devote more time to quality assurance and fixing bugs before an app goes into production.

With shorter software development and release cycles, however, developers have other priorities, which include on-time and on-budget project delivery.

In fact, 43% of software engineers admitted they had released apps with known vulnerabilities in the past, simply because flaw remediation would have pushed delivery dates into indefinite future.

4 Web App Security Best Practices to Follow in 2018 & Beyond

The road to web security starts with a detailed blueprint of all the software assets you use.

2018 is going to be a turning point for all the companies that try to keep pace with technology. As more businesses invest in custom software development, embrace the fragmented and insecure internet of things, and allow employees to use personal gadgets in the workplace, we are all at a greater risk than ever.

Take the time to discuss your company’s IT services priorities or the web development company you choose for outsourcing your projects.

Here are a few things that should be on your agenda:

• Determine what business data is the most sensitive and make sure to secure apps dealing with it. For this purpose, you should procure a reliable quality assurance provider and make a thorough inventory of your business software to detect its most vulnerable parts. Vulnerabilities may either be rooted in source code or software architecture. After identifying vulnerabilities, you should prioritize security risks to manage your development and QA resources more effectively
• Deploy a web app firewall to protect your IT infrastructure during the website or web application security overhaul. Otherwise, sensitive data will become available to any internet user.
• Conduct manual and automated tests to make sure the newly written code meets your security requirements.
• Review and verify third-party software components by the number of open issues or all the vulnerabilities mentioned above. Apply security fixes/updates immediately.

As a forward-thinking businessperson, you cannot be too serious about cybersecurity. After all, it can take up to 196 days to fix a critical vulnerability like SQL injection or Cross-Site Scripting once an attack actually takes place.

About the Author

Andrei Klubnikin is Senior Content Manager at R-Style Lab. Andrei has been a tech blogger since 2011 and currently writes for several websites including Gamasutra, Business.com, SmallBizClub, IndieWatch, MyCustomer, Mobile App Daily, and GameAnalytics.