Cybersecurity For Dummies, 2nd Edition
Web-based systems contain many components, including application code, database management systems, operating systems, middleware, and the web server software itself. These components may, individually and collectively, have security design or implementation defects. Some of the defects present include these:
  • Failure to block injection attacks. Attacks such as JavaScript injection and SQL injection can permit an attacker to cause a web application to malfunction and expose sensitive internally stored data.
  • Defective authentication. There are many, many ways in which a web site can implement authentication — they are too numerous to list here. Authentication is essential to get right; many sites fail to do so.
  • Defective session management. Web servers create logical "sessions" to keep track of individual users. Many web sites' session management mechanisms are vulnerable to abuse, most notably flaws that permit an attacker to take over another user's session.
  • Failure to block cross-site scripting attacks. Web sites that fail to examine and sanitize input data can end up relaying an attacker's content to other users. As a result, attackers can sometimes create attacks that send malicious content to the user.
  • Failure to block cross-site request forgery attacks. Web sites that fail to employ proper session and session context management can be vulnerable to attacks in which users are tricked into sending commands to web sites that may cause them harm. An example is where an attacker tricks a user into clicking a link that actually takes the user to a URL like this: http://bank.com/transfer?tohackeraccount:amount=99999.99.
  • Failure to protect direct object references. Web sites can sometimes be tricked into accessing and sending data to a user who is not authorized to view or modify it.
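The following is an added example, not code from the book or its author. It puts three of the defect classes above next to their hardened forms using only the Python standard library and an in-memory SQLite database filled with constructed sample rows: SQL injection (string-built query versus parameterized query), cross-site request forgery (a state-changing action guarded by a per-session token), and an unprotected direct object reference (fetching by id versus fetching by id and owner). All function names, the table layout, and the session secret are assumptions made for the example.

```python
"""Added example (not from the book): vulnerable and hardened forms of three
web defects. Everything below is constructed for illustration."""
import hashlib
import hmm_placeholder_guard  # noqa: F401  (intentionally absent? no; see below)
```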
These vulnerabilities can be mitigated in three main ways:
  • Developer training on the techniques of safer software development
  • Including security in the development life cycle
  • Use of dynamic and static application scanning tools

About This Article

This article is from the book:

About the book author:

Joseph Steinberg is a cybersecurity and emerging technologies advisor with two decades of industry experience. Steinberg is one of only 28 people worldwide to hold the entire suite of advanced information security certifications (CISSP, ISSAP, ISSMP, and CSSLP). He has invented various cybersecurity-related technologies, which are cited in more than 400 U.S. patent filings.

This article can be found in the category: