How do you uncover Hidden Risks in Web App?

Businesses are increasingly concerned about unauthorized persons breaking into their applications. Every business, small or big, uses apps to provide better service to customers, and when those apps are compromised by unauthorized code, the business loses credibility. How, then, can you protect your business apps from being compromised? The first step is to understand how and why apps are compromised.

Why are apps vulnerable?

First and foremost, the very nature of web code: HTML. HTML is a plain-text language that is visible to anyone visiting the site. Because the browser runs this code on the visitor's own machine, an attacker can read it, modify it, and add functionality that behaves differently or obstructs existing functionality; nothing enforced only on the client side can be trusted. Attackers can infiltrate code in the following ways:

  • Injection: The attacker supplies input that the application passes, unchanged, into a command or query (SQL, OS commands, LDAP, and so on), so that the input is executed as code instead of being treated as data. The injected code is typically written to extract information from the application or its users for unscrupulous use.
  • Cross Site Scripting (XSS): Here the attacker inserts a script into page content that is then run in the browsers of other visitors. This script may be used to extract information (such as session cookies) or to present misinformation in order to undermine competition.
  • Identity Theft: Here the attacker assumes the identity of a legitimate user, for example by stealing or guessing a session identifier, and accesses important or sensitive data. The attacker can then use this data to cause inconvenience or loss to the user.
  • Direct Object Reference: This type of risk occurs when internal objects, such as database keys or table names, are referenced directly in the URL. If the application does not check that the requesting user is authorized for that object, an attacker can alter the reference to reach related objects within the database.
  • Uuencoded or insecure cryptography: Sensitive data such as credit card information and bank details may be stolen by corrupt persons if it is stored, or travels over the internet, merely encoded (for example uuencoded, which is an encoding, not encryption) or encrypted with a weak, easily broken algorithm.
  • Insufficient Layering: Applications that do not encrypt data in transit, do not properly authenticate users, or do not check certificates may be exploited by attackers to gather personal data of the users.
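As an added illustration of the first two items in the list (this example is not part of the original post and is not Gallop's code), the following Python module builds a small in-memory SQLite table (constructed sample data, not from any real application) and contrasts a deliberately vulnerable query that concatenates user input into SQL text with a parameterized query, then shows output encoding that neutralizes script tags in data reflected back into a page:

```python
import html
import sqlite3


def build_db():
    """Create an in-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, name):
    """DELIBERATELY VULNERABLE: user input is spliced into the SQL text.

    A quote character in `name` ends the string literal and the remainder of
    the input becomes part of the query, so the filter can be rewritten.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, name):
    """Parameterized query: the driver binds `name` strictly as a value."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_greeting(name):
    """Output encoding for HTML context: metacharacters become literal text,
    so data reflected into the page cannot introduce new tags or scripts."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run both lookups with the same quote-bearing input and compare."""
    conn = build_db()
    tricky = "x' OR '1'='1"  # constructed input containing a quote
    return {
        "vulnerable_rows": len(lookup_user_vulnerable(conn, tricky)),
        "safe_rows": len(lookup_user_safe(conn, tricky)),
        "escaped": render_greeting("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    print(demo())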

How to avoid these risks

The above list is by no means exhaustive, but it does cover some major areas of vulnerability. Programmers, developers, and web designers can counter these vulnerabilities by being aware of them and by including validation and encoding code that rejects or neutralizes malicious input.

Basic Security Practices for Web Applications:

  1. Applications use data entered into forms to access databases. If this data is validated before it reaches the database, injection attempts can frequently be detected. Proper validation can also detect malicious scripts entered into form fields.
  2. Coders must assume that any data entered by users is untrusted. All inputs must be validated before use. Checking type, length, format, and range are the common ways in which inputs are validated.
  3. Identity theft and broken authentication can be mitigated by expiring sessions and forcing a user to log in again even though he has not explicitly logged out. When a user logs in to a site, a session ID is created. If this ID is generated using a predictable formula, attackers can "steal" that identity by guessing the ID and resending it to access client information. Generating IDs from a cryptographically secure random source is the best way to avoid this risk.
  4. Randomizing IDs can also mitigate attacks based on direct object references. In fact, databases should never be queried directly with user-entered data. Applications should validate and clean data before accessing databases, and should check that the user is authorized for every object requested.
  5. Most importantly, the infrastructure used to run applications, including hardware, software, the OS, and other components, must be secured.
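The following Python module is an added example (not from the original post and not Gallop's code) that puts steps 1 to 4 of the list above into working code: form fields are validated for type, length, format, and range before use; session IDs come from the operating system's cryptographically secure random source; sessions expire after a fixed lifetime; and database keys are never exposed in URLs, because each session hands out its own random handles that resolve to real keys only for that session. The field names, limits, and the `Session` class are all assumptions made for the illustration.

```python
import re
import secrets

# Validation rules for a hypothetical order form (assumed limits).
MAX_NAME_LEN = 64
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
QTY_LOW, QTY_HIGH = 1, 100


def validate_form(form):
    """Return (cleaned_values, errors) for an untrusted form dict.

    Nothing from `form` is used until it passes type, length, format and
    range checks; anything that fails is reported and left out of `cleaned`.
    """
    cleaned, errors = {}, []

    username = form.get("username")
    if not isinstance(username, str):                       # type
        errors.append("username: must be a string")
    else:
        username = username.strip()
        if not 1 <= len(username) <= MAX_NAME_LEN:          # length
            errors.append("username: length out of range")
        elif not NAME_RE.match(username):                   # format
            errors.append("username: disallowed characters")
        else:
            cleaned["username"] = username

    try:
        qty = int(form.get("quantity"))                     # type
    except (TypeError, ValueError):
        errors.append("quantity: must be an integer")
    else:
        if not QTY_LOW <= qty <= QTY_HIGH:                  # range
            errors.append("quantity: out of range")
        else:
            cleaned["quantity"] = qty

    return cleaned, errors


def new_session_id():
    """32 bytes from the OS CSPRNG, URL-safe; not derived from user or time."""
    return secrets.token_urlsafe(32)


class Session:
    """A server-side session with a fixed lifetime and indirect object references."""

    def __init__(self, user, now, lifetime=3600):
        self.id = new_session_id()
        self.user = user
        self.created = now          # caller supplies the clock (seconds)
        self.lifetime = lifetime    # absolute timeout: forces a fresh login
        self._refs = {}             # random handle -> real database key

    def is_valid(self, now):
        """False once the lifetime has elapsed, even without an explicit logout."""
        return now - self.created < self.lifetime

    def reference(self, real_id):
        """Issue an unguessable handle for `real_id` to put in URLs/forms."""
        handle = secrets.token_urlsafe(16)
        self._refs[handle] = real_id
        return handle

    def resolve(self, handle):
        """Map a handle back to the real key; handles from other sessions
        (or made-up ones) resolve to None and are never looked up."""
        return self._refs.get(handle)


if __name__ == "__main__":
    print(validate_form({"username": " alice ", "quantity": "7"}))
    print(validate_form({"username": "bob' --", "quantity": "500"}))
    s = Session("alice", now=0)
    h = s.reference(42)
    print(s.id, h, s.resolve(h), s.is_valid(now=100), s.is_valid(now=9999))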

Need help? Gallop's Security Testing services can provide you with a customized test methodology that focuses on both business logic and application security, while adhering to industry-standard secure coding practices. Our security assessments are performed by Certified Ethical Hackers to provide a "hacker's-eye view" of the application.

Security Testing, Rich Internet Application, Quality Assurance

The opinions expressed in this blog are author's and don't necessarily represent Gallop's positions, strategies or opinions.