How to Secure Web Applications From Vulnerabilities in 2024
Today, enterprise software is increasingly adopting web technologies to deliver SaaS solutions. Companies develop web applications in cloud environments to quickly scale, meet growing user traffic, and efficiently process big data.
The SaaS approach certainly benefits businesses, both those that supply the software and those that use it. However, it poses an additional layer of threat to applications by making them vulnerable to specific attacks.
Web application security statistics
Recent research by Verizon reveals that web application attacks account for 26% of all breaches. This establishes them as the second most prevalent attack pattern.
The SiteLock report says that websites face an average of 94 attacks daily. These attacks are usually performed by bots and aim to identify system vulnerabilities.
The study by Webroot reports 26 million IP-related security incidents occurring globally every day.
According to SecurityMagazine, cyberattacks on a global scale saw a 38% increase in the recent year.
The same resource states that up to 95% of attacks begin with phishing. It lists education, finance, and healthcare as the most affected industries.
In 2024, the average cost of data breaches is expected to surpass $5 million per incident, Acronis says.
What's most interesting is that 79% of companies intentionally use vulnerable code in applications, Apiiro says. This is because they do not meet critical deadlines or consider the vulnerability of applications to be a severe problem.
Understanding the threat landscape in 2024
Cyber attacks have evolved along with computer networks and software systems. They've been adapting to new protections and finding ways to gain access to sensitive information ever since the introduction of computer technology.
From 2021 to 2023, however, the digital threat landscape saw significant changes. In 2021, the pandemic accelerated digital transformation, leading to increased setup of remote workspaces and the rapid development of web applications. Cyberattacks progressed along with digital transformation. Notably, ransomware and DDoS attacks surged, impacting various sectors.
In 2022, russian aggression in Ukraine intensified the digital war. Cybercriminals, often associated with state actors, carried out multifaceted attacks, blurring the lines between hacktivism and state-sponsored operations. In that period, DDoS attacks reached unprecedented levels, and such types of attacks continue to grow.
In 2023, the nature of DDoS attacks evolved. Namely, we saw a shift towards more sophisticated, application-level Web DDoS attacks. These attacks went up to layer 7, focusing on essential app components such as infrastructure and the Domain Name System (DNS).
Malicious actors also transitioned to cloud-based operations. They enhanced their agility, making intrusion detection more challenging.
Thus, the threat landscape shifted from traditional network-level DDoS attacks to more complex, cloud-based application-level attacks. This has required organizations to adapt their cybersecurity strategies accordingly.
Most common vulnerabilities in web applications
Web application security should, first of all, address vulnerabilities that your software is most likely to encounter. According to the latest data by OWASP, there are ten of them:
Broken access control - provides users with unauthorized access to certain parts or functions of a system. Broken access control happens due to:
Poor software configuration
Insufficient validation of user input
Flaws in the design of the access control mechanism
Cryptographic failures - vulnerabilities in cryptographic systems that allow attackers to access sensitive data in transit and at rest. Cryptographic failures happen due to using:
Outdated encryption algorithms,
Default or weak crypto keys
Unvalidated server certificates
Deprecated hash functions
Deprecated cryptographic padding methods
Injection - a type of attack where malicious code or data is inserted into an application. The app is vulnerable to injection attacks when:
Data provided by users is not validated
Dynamic queries are used directly in the interpreter
Dynamic queries or commands in SQL incorporate malicious data
Malicious data is employed in the object-relational mapping (ORM) search criteria to retrieve confidential records
Insecure design - the flaws in app architecture and design that lead to potential data breaches. Web application security gaps due to insecure design occur because of:
Not following secure SDLC
Not using, or using poorly, threat modeling for critical flaws
Lack of comprehensive testing and QA
Security misconfiguration - improper implementation of web application security settings that lead to vulnerabilities. Examples of security misconfigurations are:
Using default configurations of libraries and frameworks
Running unnecessary services and ports on servers
Broken authentication or other access control vulnerabilities
Making configuration files, such as database connection strings or API keys, accessible to unauthorized users
Missing or misconfiguring security headers in web applications
Vulnerable and outdated components - libraries, frameworks, plugins, or modules susceptible to known security flaws. Examples of vulnerable components that weaken web application security are:
Software components of superseded versions
Unsupported OS, DBMS, APIs, etc.
Upgraded components not being tested
Unsecure components' configurations
Components not being regularly scanned for security flaws
Identification and authentication failures - issues related to confirming the identity of users and ensuring they are who they claim to be. Identification and authentication failures pose a major obstacle to web application security and occur when an application:
Uses default, weak, or well-known passwords
Uses ineffective methods for recovering credentials or resetting forgotten passwords
Stores passwords in plain text, unencrypted, or with weak hashing methods
Lacks multi-factor authentication
Reveals the session identifier within the URL
Software and data integrity failures - these happen when code or infrastructure is implemented without undergoing integrity checks. Software and data integrity failures take place when:
Software and data sources are not checked
Libraries and dependencies do not use trusted repositories
Code and configuration changes are missing
The CI/CD pipeline lacks efficient separation, configuration, and access control
Unsecured serialized data is transmitted to clients that are not trusted
Security logging and monitoring failures - shortcomings in the mechanisms of recording security-related events and detecting suspicious activities within a web app. The reasons for failures in the application logs system are:
Incorrect configuration settings
Reliance on outdated logging and monitoring systems
Incompatibility issues between different app components
Limited computational resources, such as storage and processing power
Lack of incident response plan
Server-side request forgery - arises when a web application fetches a remote resource without properly validating the URL provided by the user. This weakens web application security on network and application layers and arises from:
Unvalidated input data
Raw responses to clients
Enabled HTTP redirections
Not adopting "deny by default" firewall policies
Unsegmented remote resource access functionality
Web application security: how to avoid code vulnerabilities
Web application security is a complex approach that covers all project stages, from planning and development to testing and release.
Writing secure source code resistant to malicious intrusion is the basis of a security strategy. By programming applications with security in mind, developers achieve minimal to zero code vulnerabilities and prevent significant data breaches that could potentially happen in the future.
Some of the best practices for developing secure code are:
Implementing input validation and output encoding
Input validation and output encoding will help you prevent injection attacks such as SQL injection or cross-site scripting (XSS).
To implement input data validation:
Define the expected input for each field
Specify which characters or patterns are allowed
Utilize trusted input validation libraries
Validate on both client and server
Provide generic error messages to users without revealing specific details about the validation failure
Log detailed error messages for internal use
To implement output encoding, use context-aware encoding:
HTML Encoding. For content displayed in HTML context, use HTML encoding to convert special characters (<, >, &, etc.) into their respective HTML entities (<, >, &).
JavaScript Encoding. When outputting data within JavaScript, use JavaScript encoding to escape characters and prevent XSS attacks. Libraries like JSON.stringify can help in JSON encoding.
SQL Encoding. When inserting data into a database, use parameterized queries or prepared statements provided by your database interface. Avoid dynamic SQL queries to prevent SQL injection.
Output Encoding Libraries. Use encoding libraries specific to your programming language/framework. For example, in Java, you can use the OWASP Java Encoder library.
Protecting against CSRF and SSRF vulnerabilities
Protecting against Cross-Site Request Forgery (CSRF) and Server-Side Request Forgery (SSRF) vulnerabilities is crucial for web application security.
CSRF best practices cover:
Including anti-CSRF tokens in forms and requests
Setting the SameSite attribute on cookies to 'Strict' or 'Lax'
Using GET requests only for safe operations and avoiding using GET for state-changing actions. Using POST, PUT, DELETE, or other appropriate methods for actions that modify data.
Including custom headers in requests, which are checked on the server side to validate the origin of the request
Implementing the Double Submit Cookies technique, where a random token is placed in both a cookie and a request parameter. Upon submission, compare the tokens to ensure they match.
SSRF best practices cover:
Whitelisting specific protocols (e.g., HTTP, HTTPS) and blocking others (e.g., file, gopher) to prevent attackers from accessing sensitive internal resources
Resolving hostnames to IP addresses using a trusted DNS resolver
Configuring firewalls to restrict outbound traffic from server instances
Keeping all libraries, frameworks, and server software up-to-date
Ensuring secure file uploads
It is essential to securely handle file uploads to ensure web application security. The best practices for this include:
Whitelisting allowed file types
Checking file extensions
Limiting file size
Using secure file storage
Scanning files for viruses
Transmitting files over HTTPS
Logging file upload activities
Establishing secure session management
This ensures that user sessions are protected against various data thefts, such as session hijacking and session fixation.
The guidelines to ensure secure session management are as follows:
Generating long, random, and unique session IDs
Transmitting session IDs over HTTPS to encrypt the data in transit
Setting the HttpOnly attribute for cookies to prevent them from being accessed via JavaScript
Implementing session timeouts to automatically log out users after a prescribed time of inactivity
Regenerating session IDs after a user logs in to prevent session fixation attacks
Setting a maximum session duration based on the app requirements
Authentication and authorization are essentials of web application security
Web application security is impossible without strong authentication and authorization.
Authentication ensures the identity of users through usernames, passwords, or multi-factor authentication methods.
Authorization, on the other hand, defines the actions and resources a verified user can access within the app.
The best practices for preventing web application vulnerabilities through authentication and authorization are as follows:
Developing strong password policies
Implementing multi-factor authentication
Enabling account lockout after a certain number of unsuccessful login attempts
Hashing and salting passwords using strong cryptographic algorithms like bcrypt
Developing secure password recovery mechanisms
The best practices for preventing web application vulnerabilities through authorization include:
Developing role-based access control
Implementing resource-based access control
Following the least privilege principle
Secure communication
Secure communication ensures that data exchanged between users, clients, and servers remains confidential and integral. Here are key elements to consider for secure communication in web applications:
Secure communication protocols (HTTPS/TLS)
HTTPS encryption. Always use HTTPS to encrypt data transmitted between clients and servers. HTTPS encrypts the data in transit, making it unreadable to unauthorized parties.
Transport layer security (TLS). Implement the latest version of TLS for secure encryption. Regularly update TLS configurations to keep up with security standards.
SSL/TLS certificates. Obtain SSL/TLS certificates from trusted Certificate Authorities (CAs) to authenticate your server's identity and establish a secure connection.
Perfect forward secrecy (PFS). Enable PFS to ensure that past communications remain secure even if a long-term secret key is compromised.
Certificate management and HTTPS configuration
Certificate renewal. Monitor SSL/TLS certificate expiration dates and renew them in advance to prevent service interruptions.
Strong cipher suites. Configure your web server to use strong and secure cipher suites. Disable weak or deprecated encryption algorithms.
HTTP strict transport security (HSTS). Implement HSTS to ensure that web browsers always use HTTPS when communicating with your server, mitigating downgrade attacks.
Protecting sensitive data in transit
Data minimization. Minimize the amount of sensitive data transmitted. Avoid sending unnecessary user information over the network.
Data encryption. Encrypt sensitive data before transmission, even within HTTPS connections. Use strong encryption algorithms to protect data integrity.
Avoid query parameters. Avoid transmitting sensitive data via URLs (query parameters). Use POST requests with request bodies for sensitive data.
Secure API communication
Authentication tokens. Use secure authentication tokens (JWTs, OAuth tokens) for API authentication.
API rate limiting. Implement rate limiting to prevent abuse and protect against DDoS attacks on your APIs.
Input validation. Validate and sanitize all inputs, especially those coming from API requests, to prevent injection attacks and data manipulation.
Security headers and content security policies
Content security policy (CSP). Implement CSP to prevent XSS attacks by specifying which content sources are allowed.
X-content-type-options header. Use this to prevent browsers from interpreting files as a different MIME type, reducing the risk of MIME-sniffing attacks.
Security testing and code reviews
Testing and code review play a crucial role in web application security. A properly implemented testing process is seamlessly integrated into the software development lifecycle and accompanies the product at all stages of its creation. Here are the key web application testing tactics that help prevent hacker attacks:
Continuous testing
Continuous testing ensures high product quality from the very beginning of its creation. Unlike traditional testing, which focuses on testing specific product modules after they are built, continuous testing checks the product as it is built. This allows the use of a shift-left approach that identifies security gaps in the early development stage and removes them before they become major issues.
Code reviews
Code review is needed to confirm the high quality of the code base and to avoid web application security gaps associated with spaghetti code and other code antipatterns. With the help of a code review, you get an unbiased assessment of your code, identify potential vulnerabilities, and make timely adjustments, reducing technical debt.
Code review can be done manually or using automatic tools. For the best effect, it is recommended to use a combination of the two. When using manual code review, consider applying instant, ad hoc reviews or reviews by a group of experts.
Penetration testing
Another effective way to reduce web app security vulnerabilities is to use penetration testing. Unlike traditional testing, where QA engineers run a product and see how it works, in penetration testing, testers try to hack it.
Pentesters may or may not know how the product works. If pentresters have preliminary information about how the system works, this is called white box testing; if not, it is called black box testing. The pentesting method is selected depending on the goals and objectives of the project. If you have a sufficient budget, you can use two techniques simultaneously to get a more effective result.
Ensuring web application security with Erbis
Web application security is a priority for companies seeking excellent business results. At Erbis, we have been developing secure websites and SaaS for 11 years. Our services include security audits, security risk assessments, third-party integrations analysis, interactive testing, and implementation of attack prevention.
Our expertise covers various types of software, including real-time and open-source projects. If you are looking for a reliable partner to develop a robust web app resistant to malicious attacks, do not hesitate to get in touch.
