Web application security is one major point in web app development that is not properly focused on when building an application. But it is a major priority if you plan on taking your application online. Luckily, in this article, I'm going to walk you through what web application security is, why it is important, and how to secure or prevent your web application from being hacked.
Here are some of the security vulnerabilities we will cover in this tutorial
- Unrestricted File Upload
- XSS Attack
- Software Update
- Authentication
- End-to-End Encryption
- DDoS attacks
- Captcha
- Npm Dependency Vulnerabilities
What is web application security?
Web application security deals specifically with the security surrounding websites, web applications, and web services such as APIs from attacks by internet-based threats. In other words, the security measures at the application level that aim to prevent data or code within an application from being stolen or captured.
Why is it important?
It is important in today's applications because it is a central component of any web-based business. It prevents malicious agents and cyber thieves from accessing sensitive information from your applications.
Now, let's look at some of the threats and how to prevent them.
Unrestricted File Upload It is one of the security vulnerabilities that can cause or bring threats to your application. Some web applications allow users to upload files such as pictures, documents, videos, Which can cause threats by giving the malicious agent access to upload bad files.
How to prevent it:
- You must check for vulnerabilities in a file that is uploaded to your application
- Only permit specific file type
- Rename files when they are uploaded
- Always scan your file for malware
- Confirm file formats and extensions
Cross-site scripting attack (XSS) Cross-site scripting (Which is known as XSS ) is a type of security vulnerability commonly found in web applications. These attacks enable attackers to insert client-side scripts into web pages viewed by other users. It occurs when a malicious script is injected directly into a vulnerable web application, XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, destroy websites, or redirect the users to malicious websites.
There are three types of XSS attacks
- Reflected XSS
- Stored XSS
- Dom Based XSS
I will give a little definition of each of these attacks.
Reflected XSS: Reflected XSS attacks, also known as non-persistent attacks, is a form XSS where the cross-site component occurs temporarily as a result of user input being reflected into the DOM
Stored XSS: In stored XSS, is a form of cross-site scripting script execution in which the payload (typically Javascript) is persisted typically in a database it is distributed by the application itself by nature of being rendered via application logic from the server's database
Dom Based XSS: is an XSS attack that arises when an application contains some client-side JavaScript that processes data from an untrusted source in an unsafe way, It is usually caused by writing data to a potential sink within the Dom. One thing that can lead to this attack in your application is your HTML element
One of the libraries we can use for sanitization is DomPurify.
DOM Purify DomPurfiy is a library that we can use for the sanitization of HTML, MathML, and SVG. It's an XSS sanitizer.
You can check out the package on Npm's official website.
How to prevent it:
- Never insert untrusted data in your application
- Try to use interpolated expressions that are stringified and cannot be outputted on the browser
- Always ensure that the data coming from your code is sanitized and purified with Dom Purifier
- Ensure the data passed through prop is rendered the proper way be it v-html or document.write
- Always use what the framework suggests except v-html
- Do not render templates server-side keep them static
Software / Library Update There is always a high risk involved when we use a package or libraries that are not up to the latest version it can cause harm to our application and give these hackers access to our application.
How to prevent it
- Constantly update your packages or libraries manually to the latest and secured version
- Check the security flaws of this library or package to be sure they are not at risk.
- Always add the older version of your packages to the newer ones.
- Always use the selective third packages or libraries which are well-managed, well-documented, and recommended.
- Continuously update your Npm packages to avoid dependency errors.
- Always check them for known vulnerabilities use Npm audit to fix them
Code example
npm audit fix
End-to-End Encryption
End-to-end encryption (E2EE) is a method of secure communication that prevents third parties from accessing data while it's transferred from one device to another. It is another way of securing your application from malicious users. E2EE is very necessary for application because it reduces the number of parties who might be able to interfere with the encryption
Captcha
It's another means of securing your application, It is used to authenticate that a real person or user is accessing your application in other to restrict spammers or bots that tries to access email address, Captcha is used for addressing larger audiences for a large scale project.
Advantage
- It helps in preventing automated spam submissions
- It blocks robot software from submitting a fake request
- It protects the integrity of online by resisting hackers using robots to send in repeated false responses.
Npm Dependency Vulnerabilities It is very good to audit your dependency packages to check if they are upgraded to the latest version or not
Use the command npm audit to audit your packages and check for the outdated versions of packages, vulnerable packages, and upgrade them to the latest version
Distributed denial-of-service attack (DDoS) A DDoS attack is an attempt by the attacker to create so much traffic to an internet application that prevents the traffic flow of normal visitors.
Below is a sign of a DDoS attack
Webpage Not Found: This is one of the signs of a DDoS attack, where a particular website can not open or is not found.
Increase of EMail Spam: This is another sign where there is a very high increase in email spam.
Slow Network Performance: This is a situation where the network is being slowed down when attempting to open files stored on the network or when accessing files in the application.
How to prevent it :
- Develop a response plan/team members
- Secure the network
- Practice a good network security
Authentication Authentication is an action of verifying the identity of a user or process. When authentication is broken it can allow attackers to access the user's data or information and cause harm to your application. one of the ways attackers can access user's data through authentication is
Improper login An improper login can lead to data exposure which can cause havoc by attackers to your web application.
Displaying error messages for authentication
While you are authenticating a form on your web application you must be very careful not to display just a single error message when a user enters a wrong password "Your password is incorrect" This can give the attacker the mindset that the email address or user id is valid while the password is wrong, This can allow the attacker to start suggesting the password for that user. The best way is to display this error is "Incorrect username or password"
Here is a simple diagram example
Session IDs exposed in a URL
A session ID is a special number that a Web site's server assigns a specific user for the duration of that user's visit (session)
If you place a session token directly in the URL, it increases the risk of an attacker capture and exploits it. When you connect to the webserver using HTTPS the risk is less than if you use HTTP but it is still a threat. HTTPS URLs are encrypted during transmission but are often stored in server logs.
Improper Form Validation
If the data entered into a form input is not properly validated, or in the right format, it will lead to injection attacks, memory leakage, and compromised systems. Validating your form is important in your application because a form can be submitted without the user completing all the required fields. But this level ensures that all fields are confirmed when the user tries to submit the form.
This is an example of a formatted input defining the input type as "email" it ensures the input is that of an email address
<input type="email" name="email" placeholder="your_email@mail.com" required/>
Form sanitization Form sanitization is the process of keeping your form input clean, filtered, and sanitized from a malicious agent.
How to prevent all of these attacks:
- Implement proper logging by making sure a user is well authenticated with a two-factor authentication
- Never display a single error message this can give the user access to suggest each data that's missing and hack the user's data in your application
- Always use a strong password when suggesting passwords to your users in your application
- ensure you are using a "secure enough" random generator to build the token.
- Never store session id in a URL
- Always make sure user form input is properly validated and sanitized.
- Provide minimum authentication for your users
Doppler is one company trusted with serving hundreds of millions of secrets to developers and their apps in a secure, performant, and reliable way. A love for security is built into the core of our DNA.
You can check their official website to learn more about security
Conclusion Securing your application is necessary because it keeps hackers and cyber thieves from accessing sensitive information in your application. It also builds customer confidence by keeping their data secure.
Wow, That was a great article. In this article, we have learned what web application security is, why it is important, and how to secure your application from cyber thieves.
Thanks for reading please feel free to add your idea on what I have covered let's improve the security of our application against malicious agents cheers!!!!
REFERENCE