Web Applications

A web application is different from a webpage or website. A website is a group of webpages interlinked under a common domain name, such as the myriad pages of amazon.com or songlyrics.com. A website can be hosted on one or more servers and can be accessed over the internet, typically through a single IP address.

A web application (a.k.a., web app) is a computer program that is executed through a web browser, typically from within a website or webpage. Web apps are very common on the Web and are used to perform functions such as a contact form, a calculator, an internal search function, and more. If you build a playlist on your favorite online music source, you are using a web app. Canvas.com, Google Docs and Microsoft Office 365 are all web apps.

Web apps moved the internet and web away from static webpage content and toward interactive experiences that support visitors. Participants in virtual meetings can access a web app to coordinate on a single, globally shared document and collaborate on policy, decisions, and reports. Access to these sessions can now be gained through any device capable of connecting to the internet.

Web apps are client/server programs, meaning that the application supplies client-side support and server-side processing. Client-side programming provides a uniform interface and interaction to users. Server-side web apps manage databases, process product sales and inventory, and track customer access and purchase histories.

The interaction of a user with a web app is a dialogue: the user provides input data or clicks on a user interface element, such as a button, and the web app responds. A web app does not necessarily interact with a user; it could display only the latest news or scores. Most web apps, however, perform a specific function, such as an email client, a dashboard, or the front end of cloud-based Software as a Service (SaaS).

You will learn about web applications in more detail in another chapter. This chapter focuses on threats against web applications and weaknesses within applications or supporting infrastructures.

Web Application Vulnerabilities

The vulnerabilities that may exist in a web application are generally either a weakness in the systems surrounding it or a flaw in the application itself. For the most part, web application vulnerabilities are caused by misapplied settings or misconfiguration of a web server, data entered into webpage forms not being validated for content or format, or design or programming errors. Vulnerabilities in a web application are also a consequence of the app's necessary design and functions, which require it to be accessible on many networks and to interact with a large number of users. This open accessibility may create vulnerabilities that can be discovered and exploited by attackers.
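As an added illustration, not code from the chapter: a contact-form handler that trusts whatever the form submits, beside one that checks each field for content and format and escapes what it echoes back. The field names, length limits, and sample submissions are assumptions constructed for the example.

```python
import html
import re

# Assumed limits and formats for a hypothetical contact form (not from the chapter).
MAX_NAME = 80
MAX_MESSAGE = 2000
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]*$")

# Constructed sample submissions: one well-formed, one with bad content and format.
SAMPLE_GOOD = {"name": "Ada Lovelace", "email": "ada@example.com", "message": "Hello"}
SAMPLE_BAD = {"name": "Ada <b>Lovelace</b>", "email": "not-an-email", "message": ""}


def unvalidated_handler(form: dict) -> str:
    """Weak pattern: form fields are trusted as-is and placed straight into HTML."""
    return f"<p>Thanks, {form.get('name', '')}! We will reply to {form.get('email', '')}.</p>"


def validate_contact_form(form: dict) -> dict:
    """Check every field for content (allowed characters, length) and format.

    Returns a dict of field -> error message; an empty dict means the form is acceptable.
    """
    errors = {}
    name = form.get("name", "").strip()
    email = form.get("email", "").strip()
    message = form.get("message", "").strip()
    if not name or len(name) > MAX_NAME or not NAME_RE.match(name):
        errors["name"] = f"name must be 1-{MAX_NAME} letters, spaces, apostrophes or hyphens"
    if len(email) > 254 or not EMAIL_RE.match(email):
        errors["email"] = "email address is not in a valid format"
    if not message or len(message) > MAX_MESSAGE:
        errors["message"] = f"message must be 1-{MAX_MESSAGE} characters"
    elif any(ord(c) < 32 and c not in "\n\r\t" for c in message):
        errors["message"] = "message contains control characters"
    return errors


def validated_handler(form: dict) -> str:
    """Hardened pattern: reject bad input first, then HTML-escape anything echoed back."""
    errors = validate_contact_form(form)
    if errors:
        return "400 Bad Request: " + "; ".join(f"{k}: {v}" for k, v in sorted(errors.items()))
    return (f"<p>Thanks, {html.escape(form['name'].strip())}! "
            f"We will reply to {html.escape(form['email'].strip())}.</p>")
```

Running both handlers over `SAMPLE_BAD` shows the difference: the first reflects the submitted markup into the page, the second returns a 400 response and never renders it.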

Several security organizations have developed, maintained, and published web application vulnerability lists and related information on their websites:

Websites and web applications face attacks every day. Some attacks seek to capture data, others to overwhelm the system and applications. Further, many of these attacks cannot be addressed with traditional perimeter security measures. New security and policy measures need to be incorporated into an organization’s security strategy.

Web Application Security Areas

Security is one of the top priorities for websites and web applications. The computing world struggles to ensure that security keeps pace with e-commerce and online business vulnerabilities, old and new. News of exploits, identity theft, data breaches, and major attacks, such as ransomware, can have an impact on consumer and site visitor confidence. However, in spite of the risks, web visitors continue to shop, research, interact, bank, and share personal information on the Web. Depending on the type of interaction or transaction, users provide credit card information, names, addresses, passwords, and other personal information over the Web.

Any information provided to a website is constantly at risk of theft, misuse, or other forms of malicious activity. Both internal and external security measures have been and continue to be deployed to help mitigate these threats. Security for any small, medium, or enterprise-level business has three primary areas: internal, external, and perimeter security. Security for a website may intuitively seem like an external concern, but all three security areas must be considered and applied to secure content and data on the internetwork.

  • Internal security—The measures applied within a local network to protect against local attacks and any destructive or modifying actions of authorized users, intentional or otherwise. A majority of the threats to an internal network are internal. The security measures used in an internal security program are components like anti-malware software, restricted access and least privilege, and multi-factor authentication (MFA). Internal security failures could affect a website’s database, displayed content, and any other elements stored on a local web server.

  • External security—The security measures applied to all of the computer systems of an organization of any size. External security protects the entire network infrastructure from threats that search for and identify vulnerabilities or launch denial of service attacks, malware, etc.

  • Perimeter security—The electronic and digital security measures that protect physical systems, such as servers, computers, and routers, against physical access threats and attacks, using controls such as security cameras, biometric scanners, and perhaps a security guard.

The security of a website, in terms of protecting it from any form of threat or attack, must be focused on the protection of the different elements that make up a website. The makeup of a website includes many different parts, many of which are vulnerable to a variety of threats. In general, a website is made up of the following components:

  • Front-end—A website has two primary parts, each of which includes other parts: the front-end or what you see and the back-end or the processing that you do not see. The front-end of a website has three sets of elements:

    • Navigation—The relationships between the webpages and the links that essentially knit them together make up the navigation structure of a website. Typically, its only visible element is a menu.

    • Page layout—A website tends to apply the same format, layout, fonts, and images on each of its pages for continuity, ease of viewing, and navigation.

    • Graphic design—Although this element may include page layout, its purpose is to provide the images that support the website’s theme or purpose. The graphic design of a website is perhaps the first thing a viewer notices. The design and layout of the website must strike a balance between giving the site appeal and overloading the site with visual activity.

  • Content—Often the content of a website is lumped into the front-end, but if you consider that in most cases a website is about sharing information, its content becomes as important as its look and feel, if not more so.

  • Back-end—In the same way that the visual presentation of a website is defined in its front-end, its back-end provides its functionality. A website that never changes, much like a printed poster, does not really have a back-end, since a web browser does most of the work. However, websites are becoming more sophisticated every day. A website may be searchable; its content or images may change each time it is viewed; it may accept data from viewers, which it processes and stores; or it may be data-driven or dynamic, created fresh from text each time it displays. These functions, and a growing number of others, typically happen in the background or automatically, without user intervention.

As the components of a website continue to add additional visual and functional capabilities, they attract hackers, scammers, and other forms of malicious attackers who devise new ways to exploit the new vulnerabilities. This ongoing battle between function and exploitation has created a new facet of website security: web application security.
