Assess and Mitigate Vulnerabilities in Web-Based Systems

By Lawrence C. Miller, Peter H. Gregory

Web-based systems contain many components, including application code, database management systems, operating systems, middleware, and the web server software itself. These components may, individually and collectively, have security design or implementation defects. Some of the defects present include these:

  • Failure to block injection attacks. Attacks such as JavaScript injection and SQL injection can permit an attacker to cause a web application to malfunction and expose sensitive internally stored data.
  • Defective authentication. There are many, many ways in which a web site can implement authentication — they are too numerous to list here. Authentication is essential to get right; many sites fail to do so.
  • Defective session management. Web servers create logical “sessions” to keep track of individual users. Many web sites’ session management mechanisms are vulnerable to abuse, most notably that permit an attacker to take over another user’s session.
  • Failure to block cross-site scripting attacks. Web sites that fail to examine and sanitize input data. As a result, attackers can sometimes create attacks that send malicious content to the user.
  • Failure to block cross-site request forgery attacks. Web sites that fail to employ proper session and session context management can be vulnerable to attacks in which users are tricked into sending commands to web sites that may cause them harm.
  • Failure to protect direct objects references. Web sites can sometimes be tricked into accessing and sending data to a user who is not authorized to view or modify it.

These vulnerabilities can be mitigated in three main ways:

  • Developer training on the techniques of safer software development.
  • Including security in the development lifecycle.
  • Use of dynamic and static application scanning tools.

For a more in-depth review of vulnerabilities in web-based systems, read the “Top 10” list at OWASP.