Web Application Security: Understanding Common Vulnerabilities

Web applications are a primary target for attackers. Understanding common vulnerabilities is essential for both developers and security professionals.

The OWASP Top 10

The Open Worldwide Application Security Project (OWASP, formerly the Open Web Application Security Project) maintains the OWASP Top 10, a periodically updated list of the most critical web application security risks.

1. Broken Access Control

Description: Users can act outside of their intended permissions. The typical root cause is that the application authenticates the caller but does not authorize each request against the specific object or action being requested.

Examples:

  • Accessing other users’ accounts by modifying URL parameters
  • Bypassing authorization checks
  • Elevation of privilege

Testing:

# Try modifying the user ID in the URL, using two accounts you control
https://example.com/account?id=123  # Your account
https://example.com/account?id=124  # Your second account: if it loads in the first account's session, per-object authorization is missing
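The check that the test above is probing for, as an added example that is not code from the original page: a lookup that authenticates but never authorizes (the IDOR), its hardened form, and a small probe that runs the two-account test. The accounts table, the Session type and the function names are constructed for illustration.

```python
# Added example (not from the original page): per-object authorization for the
# /account?id=N endpoint. The ACCOUNTS data, Session type and names are constructed.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str  # "user" or "admin"


# Constructed stand-in for the accounts table: id -> record.
ACCOUNTS = {
    123: {"owner": 123, "email": "alice@example.com"},
    124: {"owner": 124, "email": "bob@example.com"},
}


def get_account_vulnerable(session: Session, account_id: int) -> dict:
    """Authenticates the caller (a Session exists) but never authorizes the
    object: any logged-in user reads any account by changing the id."""
    return ACCOUNTS[account_id]


def get_account(session: Session, account_id: int) -> dict:
    """Authorizes every access: the record must belong to the caller unless
    the caller holds the admin role. 'Does not exist' and 'not yours' get the
    same response, so the endpoint is not an id-enumeration oracle either."""
    account = ACCOUNTS.get(account_id)
    if account is None or (account["owner"] != session.user_id and session.role != "admin"):
        raise Forbidden(f"account {account_id}")
    return account


def idor_probe(fetch, session: Session, ids) -> list:
    """The two-account test: returns ids that this session can read although
    they belong to someone else. Run it with accounts you control."""
    leaked = []
    for account_id in ids:
        try:
            record = fetch(session, account_id)
        except (Forbidden, KeyError):
            continue
        if record["owner"] != session.user_id:
            leaked.append(account_id)
    return leaked
```

Running idor_probe against get_account_vulnerable with Alice's session reports 124 as readable; against get_account it reports nothing, while an admin session still reads 124 through the explicit role check.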

2. Cryptographic Failures

Description: Sensitive data exposure caused by weak, missing or misused cryptography, whether in transit, at rest, or in password storage.

Examples:

  • Transmitting passwords or session tokens in plain text (plain HTTP, or TLS with a weak configuration)
  • Hashing passwords with fast, unsalted algorithms (MD5, SHA1, or even a single unsalted SHA-256)
  • Storing sensitive data without encryption, or with the key kept next to the data

Prevention:

  • Use HTTPS everywhere, with HSTS so browsers never fall back to HTTP
  • Use authenticated encryption (AES-256-GCM or ChaCha20-Poly1305) from a vetted library; never hand-roll cryptography
  • Use a salted, slow password hash (bcrypt, scrypt or Argon2id) with a fresh per-user salt, and compare hashes in constant time

3. Injection Attacks

Description: Untrusted data sent to an interpreter as part of a command or query.

SQL Injection

Example of Vulnerable Code:

# Vulnerable
query = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"

# Attacker input: username = "admin' --"
# Results in: SELECT * FROM users WHERE username='admin' --' AND password=''

Secure Alternative:

# Using parameterized queries: the values travel separately from the SQL text
# (placeholder syntax is driver-specific: ? for sqlite3, %s for psycopg2)
cursor.execute("SELECT * FROM users WHERE username=? AND password=?", (username, password))
# Comparing the raw password in SQL implies plaintext storage; look up the stored hash by username and verify it in code.
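To make the bypass observable, here is an added example (not code from the original page) that runs both queries against an in-memory SQLite table with the page's own payload. The users table and its plaintext password column are constructed to mirror the page's example; production code stores a hash and verifies it in application code rather than comparing the password in SQL.

```python
# Added example (not from the original page): the page's vulnerable and
# parameterized queries run against a constructed in-memory SQLite table.
# Plaintext passwords are used only to mirror the page's example.
import sqlite3

PAYLOAD = "admin' --"  # the page's attacker input


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users with plaintext passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret'), ('alice', 'pw')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # String formatting puts attacker text into the SQL grammar: the quote closes
    # the literal and '--' comments out the password check.
    query = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders bind values after the statement is parsed, so the quote and
    # '--' in the payload are just characters inside a string value.
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    """Runs the payload (and a legitimate login) through both functions."""
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, PAYLOAD, "wrong"),
        "parameterized_bypassed": login_parameterized(conn, PAYLOAD, "wrong"),
        "legit_login": login_parameterized(conn, "admin", "s3cret"),
    }
```

The vulnerable function returns True for the payload with a wrong password, because the statement it executes is exactly the commented-out query shown above; the parameterized one returns False and still accepts the real credentials.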

Command Injection

Example:

# Vulnerable: user input interpolated into a shell command line
ping -c 4 {user_input}

# Attacker input: "8.8.8.8; cat /etc/passwd"
# Results in: ping -c 4 8.8.8.8; cat /etc/passwd
# The fix is not to escape the input but to avoid the shell entirely: pass an argument list and allowlist the target.
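The hardened version of the ping example, as an added example that is not code from the original page: the target is validated against an allowlist (an IP address or a plain hostname) and the command is built as an argument list that never passes through a shell. The function names and the hostname pattern are this example's own.

```python
# Added example (not from the original page): command construction without a
# shell, plus an allowlist on the target. Function names are illustrative.
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen, 253 characters at most.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_target(user_input: str) -> str:
    """Accepts an IPv4/IPv6 address or a hostname and rejects everything else,
    so shell metacharacters (; | & $ ` newline) never reach a command line.
    Neither form can start with '-', which also blocks argument injection
    such as a '-f' (flood) flag smuggled in as the target."""
    target = user_input.strip()
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"invalid ping target: {user_input!r}")


def build_ping_argv(user_input: str) -> list:
    """Argument list: each element is exactly one argv entry, so nothing in
    user_input can split it into a second command."""
    return ["ping", "-c", "4", validate_target(user_input)]


def run_ping(user_input: str) -> subprocess.CompletedProcess:
    """No shell=True: the list goes straight to execve with no shell parsing."""
    return subprocess.run(build_ping_argv(user_input), capture_output=True, text=True, timeout=30)


def shell_form_for_contrast(user_input: str) -> str:
    """The string the vulnerable pattern would hand to /bin/sh. Shown only to
    make the split into two commands visible; never execute it."""
    return f"ping -c 4 {user_input}"
```

Note the two separate controls: the argv list removes the shell (no `;` splitting), and the allowlist removes argument injection, which an argv list alone does not prevent because `-f` is still a valid single argument.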

4. Cross-Site Scripting (XSS)

Description: Injecting attacker-controlled script into pages that other users' browsers then execute in the site's origin, with access to that user's session, DOM and any data the page can reach.

Types:

  • Reflected XSS: the payload arrives in the request (typically a URL parameter) and is echoed back in the immediate response
  • Stored XSS: the payload is persisted server-side (database, comment, profile field) and served to every user who views it
  • DOM-based XSS: client-side JavaScript writes attacker-controlled data (location.hash, postMessage data) into the DOM without the server ever seeing it

Example Payload:

<script>alert(document.cookie)</script>
<img src=x onerror=alert('XSS')>

Prevention:

  • Encode output for the context it lands in (HTML body, attribute, JavaScript string, URL); this is the primary defense
  • Use Content Security Policy (CSP) to restrict where scripts may load from and to block inline script
  • Validate and sanitize input as defense in depth, and mark session cookies HttpOnly so a successful XSS cannot read them via document.cookie
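Context-aware output encoding, as an added example that is not code from the original page: the two payloads above are rendered without encoding and then in the HTML-body, attribute and inline-JavaScript contexts. html.escape is right for the first two; the JavaScript-string context needs JSON encoding with "<" escaped as well, because an attacker value containing "</script>" would otherwise close the script element early. Function names are this example's own.

```python
# Added example (not from the original page): the page's XSS payloads rendered
# with and without context-specific output encoding. Names are illustrative.
import html
import json

PAYLOADS = [
    "<script>alert(document.cookie)</script>",
    "<img src=x onerror=alert('XSS')>",
]


def render_vulnerable(comment: str) -> str:
    """Untrusted text dropped straight into the page: stored XSS in one line."""
    return f"<p>{comment}</p>"


def render_html_body(comment: str) -> str:
    """HTML body context: escape & < > " ' so no tag can open."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


def render_attribute(value: str) -> str:
    """Attribute context: the attribute must be quoted AND the value escaped.
    Escaping does nothing for an unquoted attribute, where a space ends it."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def render_js_string(value: str) -> str:
    """Inline-script context: JSON-encode so quotes and newlines are escaped,
    then replace '<' with its \\u003c escape so '</script>' inside the string
    cannot terminate the script element. The JS engine decodes it back."""
    encoded = json.dumps(value).replace("<", "\\u003c")
    return f"<script>var comment = {encoded};</script>"
```

The test payload for render_js_string is the classic "</script><script>alert(1)</script>" value: after encoding, the only "</script>" left in the output is the one the template wrote itself.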

5. Security Misconfiguration

Common Issues:

  • Default credentials still enabled
  • Unnecessary features enabled
  • Directory listing enabled
  • Verbose error messages revealing system information
  • Missing security headers

Check Security Headers:

curl -I https://example.com

# Look for:
# - Content-Security-Policy
# - X-Frame-Options
# - X-Content-Type-Options
# - Strict-Transport-Security
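The same check as the curl command above, done in code so it can run in CI and fail a deployment, as an added example that is not code from the original page. audit_headers() works on any header mapping (what curl -I prints, or a response object's headers); fetch_headers() performs the HEAD request for you. The required-value table, the one-year HSTS threshold from the page's own example, and the sample response are constructed here.

```python
# Added example (not from the original page): a security-header audit for the
# headers the curl check above looks for. REQUIRED, the HSTS threshold and
# SAMPLE_RESPONSE are constructed for this example.
import urllib.request
from typing import Optional

# Required headers and, where it matters, the accepted values (upper-cased).
REQUIRED = {
    "content-security-policy": None,            # any policy; reviewing it is a separate step
    "x-frame-options": ("DENY", "SAMEORIGIN"),
    "x-content-type-options": ("NOSNIFF",),
    "strict-transport-security": None,          # value checked via max-age below
}
HSTS_MIN_AGE = 31536000  # one year, matching the page's example header


def parse_max_age(hsts: str) -> Optional[int]:
    """Pulls max-age out of an HSTS value; None if absent or not numeric."""
    for directive in hsts.split(";"):
        key, _, value = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and value.strip().isdigit():
            return int(value.strip())
    return None


def audit_headers(headers: dict) -> dict:
    """Returns {header: problem} for required headers that are missing or carry
    an unexpected value, plus a warning for a version-bearing Server banner.
    Header names are matched case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    problems = {}
    for name, allowed in REQUIRED.items():
        value = lowered.get(name)
        if value is None:
            problems[name] = "missing"
        elif allowed is not None and value.upper() not in allowed:
            problems[name] = f"unexpected value {value!r}"
        elif name == "strict-transport-security":
            max_age = parse_max_age(value)
            if max_age is None or max_age < HSTS_MIN_AGE:
                problems[name] = f"max-age below {HSTS_MIN_AGE} or absent: {value!r}"
    server = lowered.get("server", "")
    if any(ch.isdigit() for ch in server):
        problems["server"] = f"version disclosed in Server header: {server!r}"
    return problems


def fetch_headers(url: str) -> dict:
    """HEAD request, like curl -I (redirects are followed). Only for hosts you
    are authorized to test."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample: a typical unhardened response.
SAMPLE_RESPONSE = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Content-Type": "text/html",
    "X-Frame-Options": "sameorigin",
    "Strict-Transport-Security": "max-age=300",
}
```

On the constructed sample the audit reports CSP and X-Content-Type-Options missing, an HSTS max-age far below one year, and the Apache version banner; X-Frame-Options passes because the comparison is case-insensitive. An empty result is the pass condition to gate on.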

6. Vulnerable and Outdated Components

Description: Using libraries, frameworks, or components with known vulnerabilities.

Tools to Identify:

  • npm audit for Node.js (reads package-lock.json)
  • pip-audit for Python (audits the active environment or a requirements file)
  • OWASP Dependency-Check
  • Snyk

# Check Node.js dependencies
npm audit

# Check Python packages: the active environment, or a pinned requirements file
pip-audit
pip-audit -r requirements.txt
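A pre-check worth running before pip-audit, as an added example that is not code from the original page: an audit is only as good as the version list it is given, and a requirement that is not pinned to an exact version can resolve to a different (possibly vulnerable) release on every install. The parser below covers the common requirements.txt forms (extras, environment markers, comments, option lines); the pattern and the sample file are constructed here.

```python
# Added example (not from the original page): flag requirements.txt entries that
# are not pinned to an exact version before auditing. REQ_RE and the sample are
# constructed for this example.
import re

# name, optional [extras], optional operator, version (stops at whitespace, ';' marker or '#').
REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(===|[<>=!~]=?)?\s*([^\s;#]*)"
)


def parse_requirements(text: str) -> list:
    """Returns (name, operator, version) per requirement line. Comments, blank
    lines and option lines such as -r or --index-url are skipped; names are
    lower-cased because PyPI names are case-insensitive."""
    reqs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = REQ_RE.match(line)
        if match:
            reqs.append((match.group(1).lower(), match.group(3) or "", match.group(4)))
    return reqs


def unpinned(reqs) -> list:
    """Anything other than '==' or '===' is a range (or no constraint at all)
    and can drift between installs, so an audit of it is not reproducible."""
    return [name for name, op, _ in reqs if op not in ("==", "===")]


# Constructed sample requirements file.
SAMPLE_REQUIREMENTS = """# constructed sample
flask==2.3.2
requests>=2.28
Django[argon2]~=4.2 ; python_version >= "3.8"
-r base.txt
cryptography
"""
```

Once everything is pinned (a lock file such as the output of pip-compile gives you that), `pip-audit -r requirements.txt` checks exactly the versions that will be deployed.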

Testing Methodology

1. Reconnaissance

  • Identify technologies used (Wappalyzer, BuiltWith)
  • Enumerate subdomains
  • Review robots.txt and sitemap.xml

2. Mapping the Application

  • Spider the application
  • Identify all input points
  • Note authentication mechanisms

3. Vulnerability Scanning

# Nikto web scanner
nikto -h https://example.com

# OWASP ZAP
zap-cli quick-scan https://example.com

4. Manual Testing

  • Test authentication and session management
  • Test authorization controls
  • Test input validation
  • Test error handling
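Two helpers for the reconnaissance and mapping steps above, as an added example that is not code from the original page: robots_paths() pulls the Disallow and Sitemap entries out of robots.txt (paths a site asks crawlers to avoid are often the ones most worth mapping), and enumerate_inputs() lists every form on a page with its method, action and named fields, which is the input-point inventory the manual-testing step works from. Both run here on constructed samples; point them at live content only with authorization.

```python
# Added example (not from the original page): robots.txt and form-input
# enumeration for the recon and mapping steps. The samples are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin


def robots_paths(robots_txt: str, base_url: str) -> dict:
    """Disallow paths (resolved against base_url) and Sitemap URLs from robots.txt."""
    found = {"disallow": [], "sitemaps": []}
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "disallow" and value:
            found["disallow"].append(urljoin(base_url, value))
        elif key == "sitemap" and value:
            found["sitemaps"].append(value)
    return found


class FormCollector(HTMLParser):
    """Records each <form> with its method, resolved action and the (name, type)
    of the input/textarea/select elements inside it; type falls back to the tag."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self.current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = {
                "method": (a.get("method") or "GET").upper(),
                "action": urljoin(self.base_url, a.get("action") or ""),
                "fields": [],
            }
            self.forms.append(self.current)
        elif tag in ("input", "textarea", "select") and self.current is not None:
            if a.get("name"):
                self.current["fields"].append((a["name"], a.get("type") or tag))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None


def enumerate_inputs(page_html: str, base_url: str) -> list:
    """Every form on the page as an input-point record."""
    parser = FormCollector(base_url)
    parser.feed(page_html)
    return parser.forms


# Constructed samples.
ROBOTS_SAMPLE = """# constructed sample
User-agent: *
Disallow: /admin/
Disallow: /old-backup/
Sitemap: https://example.com/sitemap.xml
"""

PAGE_SAMPLE = """<html><body>
<form action="/login" method="post">
  <input name="username"><input name="password" type="password">
  <input type="hidden" name="csrf" value="abc"><input type="submit" value="Go">
</form>
<form action="/search">
  <input name="q"><select name="sort"><option>date</option></select>
</form>
</body></html>"""
```

Hidden fields such as the csrf token above are deliberately kept in the inventory: they are inputs too, and whether the server actually validates them is one of the first authorization tests to run.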

Essential Tools

Burp Suite

Industry-standard web application testing tool.

Key Features:

  • Intercept and modify requests
  • Spider and scan
  • Intruder for automated attacks
  • Repeater for manual testing

OWASP ZAP

Free and open-source alternative to Burp Suite.

Browser Developer Tools

Built-in tools for inspecting requests, responses, and client-side code.

Security Headers

Implement Essential Headers

# Prevent clickjacking (legacy header; pair it with CSP frame-ancestors below)
X-Frame-Options: DENY

# Prevent MIME type sniffing
X-Content-Type-Options: nosniff

# Legacy XSS filter: modern browsers ignore it and in older ones it could itself be abused,
# so disable it explicitly and rely on CSP and output encoding instead
X-XSS-Protection: 0

# Content Security Policy (frame-ancestors is the modern clickjacking control)
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'

# HTTPS enforcement; only send this once every subdomain is served over HTTPS
Strict-Transport-Security: max-age=31536000; includeSubDomains
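One way to make sure the headers above are present on every response rather than remembered per route, as an added example that is not code from the original page: a WSGI middleware that appends them at start_response time, letting an individual route override a header on purpose. The demo app, the SECURITY_HEADERS list and the call_app helper are constructed for this example.

```python
# Added example (not from the original page): WSGI middleware that adds the
# security headers listed above to every response. The demo app and the
# header list are constructed; X-XSS-Protection is set to 0 deliberately.
from wsgiref.simple_server import make_server

SECURITY_HEADERS = [
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "0"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]


class SecurityHeaders:
    """Wraps a WSGI app and appends SECURITY_HEADERS to each response,
    skipping any header the route already set (case-insensitive)."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def wrapped_start(status, headers, exc_info=None):
            existing = {name.lower() for name, _ in headers}
            headers = headers + [(n, v) for n, v in SECURITY_HEADERS if n.lower() not in existing]
            return start_response(status, headers, exc_info)
        return self.app(environ, wrapped_start)


def demo_app(environ, start_response):
    """Constructed route that sets only its content type."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>hello</h1>"]


def call_app(app, path: str = "/") -> tuple:
    """Minimal in-process WSGI client: returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    # Serve on http://localhost:8000 so the result can be checked with curl -I.
    make_server("localhost", 8000, SecurityHeaders(demo_app)).serve_forever()
```

Run it and `curl -I http://localhost:8000` shows all five headers; a route that sets its own X-Frame-Options (SAMEORIGIN for a page that must be framed by the same site) keeps its value because the middleware only fills in what is absent.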

Best Practices for Developers

  1. Input Validation: Never trust user input
  2. Output Encoding: Encode data before displaying
  3. Parameterized Queries: Prevent SQL injection
  4. Least Privilege: Grant minimum necessary permissions
  5. Security Headers: Implement all relevant headers
  6. Keep Dependencies Updated: Regularly update libraries
  7. Error Handling: Don’t reveal sensitive information in errors
  8. Logging: Log security-relevant events

Conclusion

Web application security is a continuous process. Stay updated with the latest vulnerabilities, practice secure coding principles, and regularly test your applications.

Remember to always test ethically and with proper authorization. Many of these techniques can cause damage if used irresponsibly.

Additional Resources