Web Application Security

Learn the fundamentals of web application security including common vulnerabilities.


What is Web Application Security?

Web application security is the practice of defending websites, web applications, and web services against malicious cyber-attacks such as SQL injection, cross-site scripting, and other potential threats.

Scanning your web applications for vulnerabilities is a security measure that is not optional in today’s threat landscape. But before you can effectively scan web applications, it’s essential to understand what a web application is and why it’s so important to have a web application security program at your organization.

You can think of web applications as open doors to your home or business. They include any software application where the user interface or activity occurs online. This can include email, a retail site, or an entertainment streaming service, among countless others.

With web applications, a user must be able to interact with the host’s network to be served the content they are after. If a web application is not hardened, it may be possible to manipulate it into reaching back into the host database it sits on and returning whatever data the requester asks for, whether that requester is a legitimate user or an attacker, and even when the data is sensitive.

Why is Web Application Security Important?

Web applications need to freely allow traffic through a variety of ports and usually require authentication, so they also require a capable web application vulnerability scanner. Since websites must allow traffic in and out of the network, hackers often attack the most commonly used ports. These include:

  • Port 80 (HTTP): Unsecured website traffic
  • Port 443 (HTTPS): Secured website traffic
  • Port 21 (FTP): The File Transfer Protocol, used for transferring files to and from your servers
  • Port 25 (SMTP) and port 110 (POP3): Email protocols (Simple Mail Transfer Protocol and Post Office Protocol 3, the latter unencrypted by default) often used by organizations to send and receive email

Given the breadth of ports available, it’s no wonder that hackers have abundant opportunities to break into networks by exploiting the openness that websites must have in order to interact with their users.

This is borne out by the Verizon Data Breach Investigations Report, which has repeatedly shown that web application attacks remain the most common breach pattern and a preferred vector for malicious attackers.

By continuously monitoring and scanning your web applications, you can proactively identify vulnerabilities and remediate them before a breach occurs, staying one step ahead of attackers. Here are some of the most important things to keep in mind when evaluating application scanners for your organization.

Free Web Application Scanning Is Inaccurate

Free web application vulnerability scanners abound, and although free sounds good to just about everyone, keep in mind that free scanners will likely produce a high rate of both false positive and false negative alerts, a frustrating nightmare for an IT team that is already strapped for time and energy. The old adage applies here: you get what you pay for.

Having said that, many commercial, fully functional scanners offer a free trial that you can try out before you buy. This is a big advantage when purchasing such critical security equipment for your organization: you can test the scanner to ensure it will accomplish what you need it to.

The OWASP Top 10 Vulnerabilities

You want your web scanner to accurately discover vulnerabilities, not just churn out information that is labor-intensive for your IT team to wade through. How can you tell if a web application scanner is accurate? Make sure it can detect the OWASP (Open Web Application Security Project) Top Ten vulnerabilities:

  1. Injection: Attackers send untrusted data to a SQL, OS, or LDAP interpreter as part of a command or query, “tricking” the interpreter into executing unintended commands or accessing critical data.
  2. Broken Authentication and Session Management: Hackers exploit flaws in authentication and session management processes to steal passwords, tokens, or keys, which let them assume the compromised user’s identity and gain access to your network.
  3. Sensitive Data Exposure: It’s hard to believe, but many web applications still don’t properly protect sensitive data such as credit card numbers, authentication credentials, or tax IDs. Hackers take advantage of these weaknesses to commit identity theft, credit card fraud, and other attacks.
  4. XML External Entities (XXE): Old or misconfigured XML processors evaluate external entity references within XML documents. External entities can be abused for internal port scanning, remote code execution, and denial of service attacks.
  5. Broken Access Control: Restrictions on what authenticated users are allowed to do are often not enforced. Attackers exploit this to access unauthorized data and/or functionality.
  6. Security Misconfiguration: Best practice requires secure configuration of the application and of the platform and environment around it. If the security layer is misconfigured, hackers can easily exploit this, gaining access to your network and critical data.
  7. Cross-Site Scripting (XSS): A way hackers hijack user sessions, redirect users to malicious sites, or deface websites. An application takes untrusted data and sends it to a web browser without a validation process, enabling the hacker to run unwanted scripts in the victim’s browser.
  8. Insecure Deserialization: This often leads to remote code execution. Deserialization flaws can also be used to perform replay attacks, privilege escalation attacks, and injection attacks.
  9. Using Components with Known Vulnerabilities: Software components usually run with full privileges, so if a vulnerable component (such as a library, framework, or other software module) is exploited, this can wreak havoc, with hackers easily gaining access to the entire system.
  10. Insufficient Logging & Monitoring: Most attacks are allowed to transpire because of a lapse in proper logging and monitoring. Without sufficient logging and monitoring procedures, attackers can go unnoticed and have a better chance of inflicting severe damage.
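Items 1 and 7 above both come down to untrusted data reaching an interpreter without being separated from the code around it. The following added example, written for this page and not taken from any scanner or project, shows a vulnerable lookup beside its parameterized fix and an unencoded HTML template beside its encoded form, using a constructed in-memory SQLite table and a constructed test string of the kind a scanner sends.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data; not from any real application.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Untrusted input is spliced straight into the SQL text, so the
    # interpreter cannot tell data from query structure (OWASP item 1).
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Bound parameters keep the input as data; the query structure is fixed.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    # Untrusted data written into HTML as-is (OWASP item 7, XSS).
    return f"<p>Hello, {name}</p>"


def render_greeting_encoded(name: str) -> str:
    # HTML-encoding the value makes the browser show it as text, not markup.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed scanner-style test input
    print(lookup_vulnerable(db, probe))     # every row: query logic was altered
    print(lookup_parameterized(db, probe))  # []: no user has that literal name
    print(render_greeting_encoded("<script>alert(1)</script>"))
```

A scanner that flags the first pair of functions but stays quiet on the second is behaving accurately; one that flags both, or neither, is producing the false positives or false negatives discussed above.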

Web Application Security Reporting

You want to make sure your web application vulnerability scanner provides easy-to-read reports that present what the scanner finds in a digestible way. Reports allow your IT team to quickly identify weaknesses or holes in your web applications that could be a prime target for hackers. Reports also let you identify security threats as they happen, enabling real-time resolution of application vulnerabilities.

Remediating Web Application Vulnerabilities

While having detailed reports is crucial to making use of the data that your scanner finds, it is not enough. Your scanner should also have the ability to convert vulnerability data into a specific, detailed remediation plan.

A remediation plan provides prioritized tasks with context, including what needs to be fixed, why, and by when. The best vulnerability scanners let you track and measure this data within the scanner software itself, or integrate it with your IT ticketing solution.

Web Application Security Summary

Today’s threat landscape is constantly evolving. Given the number of web applications that people interact with daily, whether for business or personal use, it’s critical that these apps are protected. By scanning your applications regularly, you can identify and remediate vulnerabilities before a breach occurs to stay one step ahead of attackers.