Web Application Security Part – I

Introduction:

There are many talented web developers with new ideas, new initiatives and startups. Sometimes they fail to deliver what they claim: they say that security is in place and that their files and data enjoy good privacy protection, yet that is not always the case. Security checks need to run alongside development, so that no re-engineering is required later to add the necessary security measures. This article is written for newcomers, developers and security people who want a checklist to keep beside them while they develop or test a web application. Today we will talk about what a secured web architecture looks like, the security checks you must know, what needs to be taken care of, and what to implement on the server side and at the application level.

A head start:

Typical Web Application Working:
First of all we must know how a normal application exists and how it actually works alongside the server. An application is hosted on a web server or an application server; there is a difference between the two. The web server accepts requests and responds accordingly. The client is usually a web browser, since that is what is used to send a request to a website or web application and use the features it provides. So the browser is our client: it connects to the internet (1) and then to the web server. That is the first request, and with it the CSS and other UI modules are loaded (2a)(2b).

[Diagram of the request flow in the original post; the numbers (1) to (5) in this section refer to it.]

Now the web server interacts (3) with the application server, which hosts the web application and its processing logic and loads the modules needed to serve the client's request. Many times a database is needed as well, so the application server sends a request to the database server (4) and receives the data back. The application server then uses that data to build the response, which travels back to the client (5) along the reverse path.

This is how a web application works, and it is important to know before trying to secure one.

What makes these web applications vulnerable?
Most web developers configure SSL/TLS, a firewall and host security and consider their web application secured. This is very common here in India, but it should not be the case: those measures only secure the network and the host, not the web application itself.
Applications are vulnerable because of:

  • Lack of awareness in the first place.
  • Security testing done late in the development life cycle.
  • Bad configurations.
  • Logic issues (business-logic flaws).
  • Leakage of valuable information.
  • Services running that are not in use.
  • Not changing default usernames and passwords.
  • Revealing information in errors, such as stack traces.
  • Guessable user IDs that give direct access to another user's account (missing authorization checks), and many others.

These are some of the common things that lead to a web application being compromised. Let us now talk about the secured web application.

Secured web application:
A secured web application involves many parameters: validation both on the server side and at the application level, protection against URL manipulation, authorization, authentication, separating user-level access from administration-level access, encryption, securing sensitive data, etc.
Here let us study, theoretically, what a secure web architecture should look like. The first step is a WAF (Web Application Firewall) in front of the application to block URL manipulation (rejecting requests carrying unexpected special characters or patterns), to protect sensitive data and files (denying directory listing and direct access to protected paths), and to help against session hijacking and replay attacks. WAFs such as ModSecurity, NAXSI and IronBee can be configured for this, alongside HAProxy for load balancing (CSF, also often listed here, is a host firewall rather than a WAF). Keep in mind that a WAF filters known-bad patterns and can be bypassed; it complements fixing the application, it does not replace it. Next comes security on the web server: validating user inputs, providing secure communication (SSL/TLS), hardening the native server configuration, and handling HTTP error codes and other exceptions so that they reveal nothing about the internals.
On the application server: log activity and failures, authenticate and authorize the identity behind every request, protect the data, and filter user inputs here as well, never relying on the WAF alone to do it.
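The web-server and application-server duties listed above (validate input, authenticate, authorize, and fail without leaking internals) fit into one request handler. The following is an added example, not code from the original post: a plain-Python handler for GET /documents/<id>, with an in-memory session table and document table standing in for the real session store and database. The tokens, user ids and documents are constructed for illustration.

```python
import logging
import re
import traceback

log = logging.getLogger("app")

# Constructed in-memory stand-ins for the session store and the database
# (assumption: illustrative data, not the original post's code).
SESSIONS = {
    "tok-alice": {"id": 7, "role": "user"},
    "tok-root": {"id": 1, "role": "admin"},
}
DOCUMENTS = {
    100: {"owner": 7, "body": "alice's invoice"},
    101: {"owner": 9, "body": "bob's invoice"},
}

DOC_ID = re.compile(r"[0-9]{1,9}")  # allow-list: short decimal ids only


class BadRequest(Exception):
    pass


class Unauthorized(Exception):
    pass


def authenticate(headers):
    """Map the bearer token to a session; unknown or missing token -> 401."""
    session = SESSIONS.get(headers.get("Authorization", ""))
    if session is None:
        raise Unauthorized()
    return session


def validate_doc_id(raw):
    """Server-side validation: accept only what the route expects (digits)."""
    if not isinstance(raw, str) or DOC_ID.fullmatch(raw) is None:
        raise BadRequest("invalid document id")
    return int(raw)


def may_read(session, doc):
    """Authorization: admins read everything, users only what they own."""
    return session["role"] == "admin" or doc["owner"] == session["id"]


def get_document(headers, raw_doc_id):
    """Handle GET /documents/<id>. Returns (status, json_body)."""
    try:
        session = authenticate(headers)
        doc_id = validate_doc_id(raw_doc_id)
        doc = DOCUMENTS.get(doc_id)
        # Missing and forbidden are answered identically, so a guessed id
        # reveals neither another user's data nor whether the id exists.
        if doc is None or not may_read(session, doc):
            return 404, {"error": "not found"}
        return 200, {"body": doc["body"]}
    except Unauthorized:
        return 401, {"error": "authentication required"}
    except BadRequest as exc:
        return 400, {"error": str(exc)}
    except Exception:
        # The stack trace stays in the server log; the client gets a generic message.
        log.error("unhandled error in get_document: %s", traceback.format_exc())
        return 500, {"error": "internal server error"}


if __name__ == "__main__":
    print(get_document({"Authorization": "tok-alice"}, "100"))   # own document
    print(get_document({"Authorization": "tok-alice"}, "101"))   # someone else's
    print(get_document({"Authorization": "tok-alice"}, "101 OR 1=1"))  # rejected input
```

The order matters: authentication runs before any input is parsed, validation is an allow-list rather than a list of forbidden characters, and the catch-all branch is what stops a stack trace from reaching the browser.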
Auditing the logs daily is a very good practice: it lets you spot failed attempts, server issues, a user behaving unexpectedly and possibly malicious users.
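The daily log review just described is easier with a small auditor than by eye. The following added example (not from the original post) runs detection logic over a few constructed authentication log lines: it flags an IP with repeated failures inside a time window, a successful login from an IP that was just flagged, and a user whose password was tried from several IPs. The log format, the addresses and the thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (one authentication event per line), constructed for this example.
LINE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth=ok user=alice ip=198.51.100.10
2024-05-01T10:00:05Z auth=fail user=admin ip=203.0.113.5
2024-05-01T10:00:06Z auth=fail user=admin ip=203.0.113.5
2024-05-01T10:00:07Z auth=fail user=admin ip=203.0.113.5
2024-05-01T10:00:08Z auth=fail user=admin ip=203.0.113.5
2024-05-01T10:00:09Z auth=fail user=admin ip=203.0.113.5
2024-05-01T10:00:15Z auth=ok user=admin ip=203.0.113.5
2024-05-01T10:02:00Z auth=fail user=bob ip=192.0.2.1
2024-05-01T10:40:00Z auth=fail user=bob ip=192.0.2.2
2024-05-01T11:00:00Z auth=fail user=bob ip=192.0.2.3
garbage line that does not match
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def audit(lines, threshold=5, window=timedelta(minutes=5)):
    """Return findings as (kind, subject) tuples, in the order they are detected."""
    recent_fail = defaultdict(deque)      # ip -> timestamps of failures inside the window
    flagged_ips = set()
    fail_ips_per_user = defaultdict(set)  # user -> distinct source ips of failures
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            # Unparsable lines are findings too: tampering or a broken logger.
            findings.append(("unparsed", line.strip()))
            continue
        ip, user, ts = event["ip"], event["user"], event["ts"]
        if event["result"] == "fail":
            fails = recent_fail[ip]
            fails.append(ts)
            while fails and ts - fails[0] > window:
                fails.popleft()          # sliding window: drop failures that are too old
            if len(fails) >= threshold and ip not in flagged_ips:
                flagged_ips.add(ip)
                findings.append(("bruteforce", ip))
            fail_ips_per_user[user].add(ip)
        elif ip in flagged_ips:
            # A success right after a burst of failures is the case worth a phone call.
            findings.append(("success_after_bruteforce", f"{user}@{ip}"))
    for user, ips in fail_ips_per_user.items():
        if len(ips) >= 3:
            findings.append(("spray_target", user))
    return findings


if __name__ == "__main__":
    for kind, subject in audit(SAMPLE_LOG):
        print(f"{kind:25s} {subject}")
```

On the sample data the auditor reports the brute force against "admin", the login that succeeded from the same address seconds later, the unparsable line, and "bob" as a spray target. Raising the threshold to 6 drops the first two findings, which is the kind of tuning a real deployment needs against its own baseline.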
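The article's point about what the database stores for passwords deserves a worked comparison. The block below is an added example, not code from the original post: it contrasts an unsalted MD5 store, where equal passwords hash equally and a stolen table falls to a plain word list, with a salted, deliberately slow PBKDF2-HMAC-SHA256 store built from Python's standard library. The iteration count, the sample password and the word list are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Assumption: 600,000 iterations of PBKDF2-HMAC-SHA256; tune so one hash takes
# a noticeable fraction of a second on the production hardware.
ITERATIONS = 600_000


def md5_store(password):
    """The weak scheme: fast and unsalted, so equal passwords give equal hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted_md5(target_hex, wordlist):
    """Offline guessing against an unsalted fast hash: one MD5 per guess."""
    for guess in wordlist:
        if hashlib.md5(guess.encode("utf-8")).hexdigest() == target_hex:
            return guess
    return None


def hash_password(password, iterations=ITERATIONS):
    """Salted, slow hash. Output is self-describing so parameters can be raised later."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample password and word list.
    weak = md5_store("Summer2024")
    print("md5 is deterministic:", weak == md5_store("Summer2024"))
    print("word list recovers it:", crack_unsalted_md5(weak, ["password", "letmein", "Summer2024"]))
    strong = hash_password("Summer2024")
    print("salted hash differs each time:", strong != hash_password("Summer2024"))
    print("verify correct:", verify_password("Summer2024", strong))
    print("verify wrong:", verify_password("summer2024", strong))
```

bcrypt, scrypt (hashlib.scrypt) or Argon2 are the same idea with memory-hardness added; whichever you pick, the salt and the cost parameter travel with the hash so that old entries can be rehashed to stronger settings at the user's next login.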
A database needs to store sensitive information such as passwords. Passwords must not be stored in plain text, and a plain MD5 or SHA hash is not enough either: those functions are fast and unsalted, so identical passwords produce identical hashes and an attacker who steals the table can try a very large number of guesses per second. Store passwords with a salted, deliberately slow password hashing function (bcrypt, scrypt, Argon2 or PBKDF2). Card verification values (CVV) must never be stored after authorization, which is a PCI DSS requirement; other card data should be encrypted or, better, tokenized and handed off to a payment provider.

Conclusion:

Analyzing and reviewing the application early, during development, is the efficient approach, because otherwise re-engineering may be required later.
A secured web application, once these measures are applied, reduces risk to a certain level.

If the application is already built, this will still help you fix the vulnerabilities and keep security in mind in future designs.

This post was taken from http://securedose.blogspot.com; the original author is Bhashit Pandya.

You can have a look at my previous article on an XSS vulnerability that I found in DELL. Here is the link to the article:

So that’s for now. See you next time. Goodbye
