Hardening Your WebApp Security

Top 5 tips from PenTesters


The recent explosion of web apps has led to a dramatic rise in cyber attacks specifically targeting vulnerabilities in web applications. Three quarters of the web applications tested by Silent Breach presented high or critical vulnerabilities that could have led to a data breach, or even total compromise of the website.

Fortunately, the most common vulnerabilities among web applications are quite predictable, and have been successfully mapped into the Top 10 Application Security Risk table (2021) by OWASP.

However, while the issues can be clearly identified and classified, little has been done to describe the mitigation process. Here are the top 5 tips from our expert pentesters to close these vulnerabilities and harden your web application.

1) Sanitize all application inputs and outputs

Sanitizing all application inputs and outputs should be your number one priority. A successful website hack usually means that a user has abused your application in a way it wasn't designed for, thereby pushing the app beyond its limits. Forcing the application to deliver information that should have been kept secret constitutes the art of exploitation. This is only possible if user input allows an attacker to include special characters such as a semi-colon, for example, which holds a special meaning in most programming languages (instruction separation). By 'injecting' code into your web application input forms, a malicious payload can make its way to the database to extract information there (SQL injection) or surface back in another client's application in order to steal valuable information (Stored XSS attack).

Most programming languages already have libraries to assist with input sanitation, such as the Sanitize filters in PHP, or DOMPurify for Javascript. By filtering user input, as well as anything produced by your application (to block stored XSS attacks), you can address both Injection and Cross-Site Scripting (XSS) from the OWASP Top 10 table.

2) Review the configuration files of each module in your stack

Software components usually ship with a default configuration that simplifies deployment and testing. However, going to full production requires that you pay additional attention to these settings. Default configurations are dangerous because open source software is freely available to anybody, including hackers. Most opportunistic attacks typically target mis-configured systems by simply looking up default credentials or configurations of common frameworks. By playing the numbers, it's only a matter of time before they manage to find a vulnerable system somewhere on the web.

Nowadays, most software components are built with security in mind, and mechanisms do exist to harden their security. However, they need to be configured and tightly adjusted to your use case. By addressing these problems, you can often address Cryptographic Failures and Security Misconfigurations.

3) Practice code review on your security features

Code review is considered 'best practice' in most companies to catch programming errors. However, it can also be a powerful method for catching security vulnerabilities that can lead to poorly implemented authentication mechanisms, for example, or inadequate access control.

APIs in particular should be well secured and reviewed by peers to make sure they don't allow more control than initially intended.

Another important security feature that is underestimated is application logging. Each security event should be logged so that traces for a given activity and user exist somewhere on the disk. Lack of proper logging can make the task of tracking down a hacker virtually impossible. In addition, code review should point out areas of the code that require additional trackers. Also keep in mind that the logs produced can be useful when integrating with event and monitoring tools such as System Information and Event Management or other security tools.

Careful code review can help catch most issues in the Identification and Authentication Failures, Broken Access Control, Software and Data Integrity Failures and Security Logging and Monitoring Failures categories.

4) Keep your system up to date

As obvious as this may sound, keeping your system up to date with patches is critical for protecting your web application. The time window between the moment a vulnerability is found (i.e. the 0-day) and the moment a particular system is patched presents a vulnerability window that can be exploited by hackers who simply attack faster than your ability to defend. The sooner patches are deployed, the lower the likelihood that a vulnerability will be exploited on your system.

Keeping your system up to date with patches will help address Vulnerable and Outdated Components

5) Check your security headers

Most websites typically manipulate cookies and frames, along with making AJAX requests to external or internal resources. But have you ever wondered if the mechanisms your WebApp relies on are really secure? Use this great tool to check your security headers: https://securityheaders.com

Protected security headers will help you further address Identification and Authentication Failures, Broken Access Control, and Cross-Site Scripting (XSS).

Conclusion

Follow these tips to harden your web application and make sure you adopt a pragmatic approach to security. It's usually considered best practice to perform a penetration test at least twice a year to make sure all of your security measures are implemented correctly. Nothing beats a reality check when it comes to security and whenever possible, these tests should occur in the QA environment, before rolling out the application to production.


Similar Reads:
Top 10 Challenges Facing CISOs in 2023
Leveraging Threat Intelligence to Defend Against Ransomware
How ChatGPT Can Boost Your Corporate Cybersecurity


About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.