Web applications are complex systems, and web application security must use multiple defensive layers and security controls at different stages of the development lifecycle. We look at a range of tools, demystifing their acronyms and those of the attack methods.

What Is Web Application Security?

A web application is an application stored on a remote server and delivered over the Internet through a browser-based interface. Web application security is the protection of web applications from malicious threats using software, hardware, and other methods. As web applications become a critical part of modern businesses, security is essential to protect business continuity, revenue, and customer trust.

Web applications are hosted on third-party web servers, use open source components and may need to support multiple operating systems, and proprietary code. They include many settings, pages, folders, parameters, and authentication methods, any of which can be an entry point for an attacker.

Modern development organizations are transitioning to a DevSecOps work process, in which security is built into applications from day one. For web applications, this means: 

• Including security considerations at the design stage.

• Scanning source code and open source components for vulnerabilities and remediating them immediately at the development stage.

• Testing compiled applications in testing and staging environments for security weaknesses.

• Deploying run time protection to block threats while applications are running in production.

• Carefully monitoring production applications to detect and respond to threats as they happen.

Types of Web Application Vulnerabilities

SQL Injection Attacks

SQL injection attacks attempt to add malicious SQL commands into databases to change, delete, or steal data or gain root access to the system. An SQL injection attack targets servers that store SQL databases, using malicious injections to trick the server into divulging information like credit card numbers and credentials. 

Structured Query Language (SQL) is a programming language used to communicate with databases and manage information on applications. Servers that store information for websites often use SQL to manage data on databases. SQL injection attacks usually succeed because an application improperly sanitizes user inputs, failing to remove SQL code. 

Cross-Site Scripting (XSS) 

XSS attacks inject malicious code into a website or web-based application. This malicious code starts running in a user’s browser once they visit a certain website, directly targeting the visitor. A common XSS technique involves injecting malicious code into an input field that is expected to automatically run when visitors view the affected page. XSS attacks can use legitimate websites to hijack the sensitive information a user sends to the affected site or application, including credentials and credit card numbers.

Cross-Site Request Forgery (CSRF)

A CSRF attack occurs when a user is made to perform an unintended action while logged into a web application. It takes advantage of the fact that the web application has already recognized the user and their browser as trustworthy to execute a malicious action, tricking the user into submitting a malicious request to the application. Threat actors use CSRF for various purposes, including pranks on users and eliciting money transfers. 

Remote File Inclusion (RFI)

RFI is an attack technique that exploits the ‘dynamic file include’ mechanism in web applications. It tricks web applications into including remote files with malicious code when taking user input like URL or parameter value. 

Many web application frameworks support file inclusion to enable packaging commonly used code into separate files later referenced by application modules. Once a web application references this file, it calls specific procedures and executes the code implicitly or explicitly. When the module loads according to elements from HTTP requests, the application becomes vulnerable to RFI.

Security Misconfiguration

Security misconfigurations are amongst the most critical web security vulnerabilities because they provide attackers with easy ways into websites. It allows attackers to exploit insecure or default configurations, ad hoc or incomplete configurations, open cloud storage, misconfigured HTTP headers, or verbose error messages containing sensitive information. All libraries, operating systems, applications, and frameworks can be vulnerable to security misconfiguration attacks.

XML External Entity (XXE)

XXE attacks abuse a commonly used feature in XML parsers to access remote or local files and cause Denial of Service (DoS). Threat actors can also use XXE to execute server-side request forgery (SSRF) to force a web application to make external application requests. Additionally, XXE can allow port scanning and remote malicious code execution. 

Directory Traversal

Directory traversal or backtracking attacks exploit a vulnerability affecting how an application receives data from a web server. Access control lists (ACLs) typically restrict user access to specific files inside the root directory. Threat actors exploit the directory traversal vulnerability to learn which URL format the application uses when requesting files.

Tools to Protect Your Web Applications

WAF 

A web application firewall (WAF), unlike a traditional network firewall, monitors and filters HTTP traffic passing between the public Internet and a web application. This protocol layer 7 defense is not intended to defend against all attacks. Rather, it helps protects web applications against web attacks like CSRF, XSS, SQL injection, and file inclusion. 

WAF is typically used alongside a suite of tools that work together to achieve a holistic defense against various attack vectors. A WAF is placed in front of a web application to serve as a shield protecting the web application against Internet threats. It works like a reverse proxy to protect a server from exposure by making clients pass through the WAF before reaching the server.

A WAF uses rules and policies that define how it filters traffic and protects against malicious traffic. It is relatively easy and fast to modify and implement policies. It facilitates quick response to attack vectors, for example, by configuring policies for rate limiting to protect against Distributed Denial of Service (DDoS) attacks.

XDR

Extended Detection and Response (XDR) provides visibility across networks, clouds, endpoints and applications, while applying analytics and automation to detect, analyze, track, and remediate sophisticated threats.

XDR collects and correlates data from across the IT environment, combining it with threat intelligence to add context to security incidents. Security teams can easily analyze, prioritize, track, and remediate threats. It can help identify and effectively respond to threats that would be missed by other security tools or techniques.

SAST

Static application security testing (SAST) is a white box testing technique that scans source code to identify problematic coding patterns that do not comply with best practices. You can integrate SAST tools into your continuous integration (CI) pipeline to scan source, binary, and bytecode automatically. These tools are programming-language dependent but can generate many false positives. You need to also manually analyze and filter the results to solve the real issue.

DAST

Dynamic Application Security Testing (DAST) can be used to test web applications deployed in a testing, staging, or production environment, to discover security weaknesses. DAST tools attempt to find vulnerabilities by sending anomalous, malformed, or malicious requests to web applications and observe their response. When vulnerabilities are discovered, DAST can provide detailed remediation instructions.

IAST

Interactive application security testing (IAST) helps identify security vulnerabilities in code by analyzing an application during automated and human testing phases and in production. IAST tools report vulnerabilities in real time without delaying the CI/CD pipeline. It uses SAST and DAST to analyze the code and pinpoint an exact location in the code containing a vulnerability.

SCA

Software Configuration Analysis (SCA) is a method for managing open source components. SCA allows development teams to quickly track and analyze the open source components used in their software projects. 

SCA tools can discover components, their libraries, and any direct or indirect dependencies. SCA tools can detect security vulnerabilities or deprecated dependencies in any of these elements, and can also detect software licenses, which might violate the organization’s policies or create legal risk. The scanning process creates a Bill of Materials (BOM) that provides a complete inventory of a project's software assets.

Conclusion

This article has outlined the basics of web application security threats and discussed six types of tools that can help protect your applications:

• WAF - specialized firewall for web applications that can detect, filter, and block malicious traffic.

• XDR - combines data from web applications, networks, and clouds to identify sophisticated attacks. 

• SAST - automated tool that can find security vulnerabilities in source code. 

• DAST - automated tool for testing live web applications for vulnerabilities.

• IAST - combines SAST and DAST.

• SCA - tests web applications for security or license issues with open source components. 

I hope this will be useful as you level up your application security efforts with next-gen technologies.

Related Articles

Five Tips For Securing GitOps Environments

Secure Coding Best Practices for 2022

Insights Into Successful Software Delivery

Happy Developers Think More About Security

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.