Top 6 common flaws in web application security and their resolution
Posted: Sep 06, 2021
Web applications are becoming increasingly feature-rich, powerful, and complex. This complexity is driven by customers' rising technological demands, and to meet those demands organizations consistently release new versions of their web applications. While development and operations teams deliver ever faster release cycles, web security becomes harder to scale at the same pace.
Common Web Application Security Flaws
1. Remote Code Execution (RCE)
Remote Code Execution is generally the most dangerous vulnerability in a web application. In this type of flaw, attackers can run their own code within a web application that has a defect or weakness. Once the application is compromised, attackers can gain access to the server that holds the important information, such as a database containing client-related data.
2. SQL Injection (SQLi)
SQL Injection is a vulnerability in which an attacker supplies malicious SQL fragments to a web application that builds insecure SQL queries for a database server (for example, MySQL). The attacker exploits weaknesses in the web application that are usually the result of poor development practices.
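The root cause described above is that untrusted input is concatenated into the query text. The following Python script is an added illustration (not code from the article): it builds a constructed in-memory SQLite table, queries it once with string formatting and once with a parameterised query, and shows that only the formatted version lets a quote character change the meaning of the statement.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    # Untrusted input is pasted into the SQL text, so the database parser
    # sees attacker-controlled syntax rather than a plain value.
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    # Parameterised query: the value is sent separately from the SQL text,
    # so quote characters in it cannot alter the statement's structure.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    conn = make_db()
    benign = "alice"
    crafted = "' OR '1'='1"  # textbook probe input, constructed for the demo
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_crafted": lookup_vulnerable(conn, crafted),   # every row leaks
        "safe_benign": lookup_safe(conn, benign),
        "safe_crafted": lookup_safe(conn, crafted),         # no such user
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:13s} -> {rows}")
```

Every mainstream database driver offers the same placeholder mechanism (`?`, `%s` or `:name` depending on the driver); the fix is to use it for every value, and to treat identifiers such as table or column names, which cannot be parameterised, with a strict allowlist instead.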
3. Cross-site Scripting (XSS)
Regardless of the variant, all cases of cross-site scripting follow almost the same pattern: the attacker injects client-side scripts into web pages viewed by other users. XSS can occur anywhere a web application accepts input from a user without validating it.
The attacker's common objective is to deliver a malicious script (also referred to as the payload) to an unsuspecting user, where it runs in the context of a trusted web application. The primary focus is to steal the user's data, or to modify it in order to gain access to sensitive information.
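The defensive counterpart to the pattern above is output encoding: user text is rendered so the browser treats it as text, not markup. The Python snippet below is an added example (not from the article) that renders constructed comments with and without HTML escaping and checks whether the user-supplied part was able to introduce a tag.

```python
import html

# Constructed sample comments for the demonstration (not from the article).
COMMENTS = [
    "Great article, thanks!",
    "<script>alert('xss')</script>",
    "Tom & Jerry <3",
]


def render_unsafe(comment):
    # Untrusted text copied straight into the page: any markup in it is
    # parsed by the browser as part of the trusted application's HTML.
    return f'<p class="comment">{comment}</p>'


def render_safe(comment):
    # Output encoding for HTML element content: <, >, &, " and ' become
    # character references, so the browser renders the text as text.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def user_text_introduces_tag(rendered):
    # Demo check: strip our own wrapper and look for a tag delimiter that
    # could only have come from the user-supplied part.
    prefix, suffix = '<p class="comment">', "</p>"
    inner = rendered[len(prefix):-len(suffix)]
    return "<" in inner


def demo():
    # Per comment: (escaped rendering, tag leaked unescaped?, tag leaked escaped?)
    return [
        (render_safe(c),
         user_text_introduces_tag(render_unsafe(c)),
         user_text_introduces_tag(render_safe(c)))
        for c in COMMENTS
    ]


if __name__ == "__main__":
    for escaped, leaked_unsafe, leaked_safe in demo():
        print(f"unsafe leaks tag: {leaked_unsafe!s:5}  "
              f"safe leaks tag: {leaked_safe!s:5}  {escaped}")
```

Escaping is context specific: the encoder above is right for element content and quoted attributes, while data placed inside a script block, a URL or a CSS value needs its own encoder. In practice this is best delegated to a templating engine with auto-escaping enabled, with a Content Security Policy as a second layer.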
4. Path Traversal
A path traversal (or directory traversal) attack aims to access files and directories that reside outside the web application's root folder. Path or directory traversal attacks typically manipulate file-path variables, or encoded variations of them, to reach folders on the server's file system.
Since such files can contain critical information like access tokens, passwords, or backups, a successful attack may allow a hacker to exploit other vulnerable applications as well.
Path traversal flaws may not be as common as Cross-site Scripting and SQL Injection flaws, but they still pose a major risk to web application security.
5. Source Code Disclosure
This type of vulnerability is common and can provide sensitive information about a web application to an attacker. Hence, it is important that the source code is kept safe, away from the attacker's eyes, especially if the web application is not open source.
In source code disclosure, a weakly configured server can be exploited to read arbitrary files. This can then be used to obtain the source code of the web application's files and its configuration files. Disclosure of source code can leak sensitive information such as passwords, database queries, or input validation filters.
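Sections 4 and 5 share one defensive control: a file-serving routine that resolves the requested path, verifies it stays inside the download root, and refuses source, configuration and backup files outright. The Python below is an added example (not the article's code); the directory layout, file names and allowed extensions are constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote


class DownloadRefused(ValueError):
    """Raised when a requested file must not be served."""


# Only these extensions are ever served. Source, config and backup files
# (.php, .py, .env, .bak, ...) are refused by default instead of having to
# be listed one by one. Constructed allowlist for the demo.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".txt"}


def resolve_download(base_dir, requested):
    # Decode once (as the web framework would) and resolve "..", repeated
    # separators and symlinks into an absolute path.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, unquote(requested)))
    # Containment check on resolved paths. commonpath avoids the prefix
    # bug where "/srv/files-old/x" passes startswith("/srv/files").
    if os.path.commonpath([base, candidate]) != base:
        raise DownloadRefused(f"path escapes {base}: {requested!r}")
    name = os.path.basename(candidate)
    # Dotfiles (.env, .git/...) and editor/backup leftovers (app.py~) are
    # the usual source-disclosure culprits; refuse them explicitly.
    if name.startswith(".") or name.endswith("~"):
        raise DownloadRefused(f"hidden or backup file refused: {requested!r}")
    _, ext = os.path.splitext(name)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        raise DownloadRefused(f"extension {ext!r} not servable: {requested!r}")
    return candidate


def is_servable(base_dir, requested):
    try:
        resolve_download(base_dir, requested)
        return True
    except DownloadRefused:
        return False


def demo():
    # Constructed sandbox layout: the download root sits next to files
    # that must never be reachable through it.
    root = tempfile.mkdtemp()
    files = os.path.join(root, "files")
    os.makedirs(os.path.join(files, "reports"))
    for rel in ("files/reports/q1.pdf", "files/app.py", "files/app.py~",
                "files/.env", "secret.txt"):
        with open(os.path.join(root, rel), "w") as f:
            f.write("constructed content")
    requests = [
        "reports/q1.pdf",              # legitimate download
        "reports/../reports/q1.pdf",   # ".." but still inside the root
        "../secret.txt",               # escapes the root
        "..%2F..%2Fsecret.txt",        # URL-encoded variation of the same
        "/absolute/elsewhere.txt",     # absolute path would ignore the base
        "app.py",                      # application source
        "app.py~",                     # editor backup of the source
        ".env",                        # configuration holding secrets
    ]
    return {r: is_servable(files, r) for r in requests}


if __name__ == "__main__":
    for req, ok in demo().items():
        print(f"{'serve ' if ok else 'refuse'} {req}")
```

The same policy belongs in the web server's static-file configuration as well, so that a deployment mistake (a backup dropped into the web root, a `.git` directory uploaded with the site) does not become readable before the application code ever runs.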
6. Weak Passwords
Weak passwords always play an important role in a hack. To make things easy, applications sometimes allow simple passwords without any complexity requirements, such as Admin123, Password@123, 12345, etc. Such passwords can be easily guessed, allowing an attacker to log in to the server.
In some cases, an attacker cracks a weak password using a dictionary attack, in which common dictionary words, names, or common passwords are tried as guesses. Most of the time, weak passwords are simply default usernames and passwords such as admin or admin12345.
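A registration or password-change endpoint can reject exactly the class of passwords this section describes. The Python check below is an added example (not from the article): it normalises the candidate the way a dictionary attack would vary it (case, punctuation, trailing digits), compares against a small constructed denylist that includes the article's examples, and refuses passwords derived from the username.

```python
import re

# Constructed denylist for the demonstration. A real deployment should
# check against a large corpus of breached or commonly used passwords.
COMMON_PASSWORDS = {
    "password", "admin", "admin123", "admin12345", "password@123",
    "12345", "123456", "qwerty", "letmein", "welcome",
}
MIN_LENGTH = 12


def normalise(password):
    # Collapse the trivial variations a dictionary attack tries first:
    # letter case, punctuation, and a run of trailing digits.
    lowered = password.lower()
    compact = re.sub(r"[^a-z0-9]", "", lowered)
    without_digits = re.sub(r"\d+$", "", compact)
    return {lowered, compact, without_digits} - {""}


def check_password(password, username=None):
    # Returns the list of policy failures; an empty list means acceptable.
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    variants = normalise(password)
    if variants & COMMON_PASSWORDS:
        reasons.append("matches a commonly used password")
    if username and username.lower() in variants:
        reasons.append("derived from the username")
    return reasons


def is_acceptable(password, username=None):
    return not check_password(password, username)


if __name__ == "__main__":
    for pw, user in (("Admin123", "admin"), ("Welcome2024!", "carol"),
                     ("correct horse battery staple", "carol")):
        print(f"{pw!r:32} -> {check_password(pw, user) or 'OK'}")
```

A denylist check like this only addresses guessability. The other half of the section's concern, default credentials, is handled operationally: force a change of any factory or installer password on first login, and pair the policy with rate limiting or lockout and multi-factor authentication so that a dictionary attack against the login form cannot run unbounded.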
ZNet is owned by RP tech India (a division of Rashi Peripherals Pvt Ltd.). Founded in 1989, RP tech India is the fastest-growing value-added distributor of IT and mobility solutions with 50 branches.