
10 Common Web Application Security Vulnerabilities and How to Prevent Them in 2023
Cybersecurity | January 27, 2023

Web applications are one of the most common targets for hacking because they provide easy access to a wider audience, allowing malicious code to spread faster. But, alas, many companies think seriously about web security only after an incident has already occurred.

Let’s face it; this omission has a price. For example, a data breach in 2022 cost companies $4.35 million. Many of these incidents could have been prevented with a proactive and defensive approach to web security.

We want to save your money and your nerves. Therefore, we at Relevant have prepared an article about the most common web application vulnerabilities and best practices for protecting web applications from malicious attacks and accidental damage.

Why are web applications so vulnerable to attacks?
Web apps can be attacked for various reasons, including system flaws resulting from incorrect coding, misconfigured web servers, application design flaws, or failure to validate forms. Almost any web application has at least one vulnerability that hackers can exploit and then escalate from.

Such weaknesses or vulnerabilities allow criminals to gain direct and public access to databases that contain valuable information (e.g., financial details or personal data), making them a frequent target of attacks. Cloud containers, which package application software with the elements needed to run it, have recently been found particularly vulnerable when they are not properly secured or contain insecure elements. The use of open source and reliance on application programming interfaces (APIs) also exacerbate security concerns.

Cybercriminals use compromised sites for various purposes: to spread malware, steal sensitive data, implant unauthorized information, commit fraud, or infiltrate a company’s internal infrastructure. All this threatens the organization’s operation and reputation, so web applications must be protected and all weak points eliminated.

OWASP Top 10 Vulnerabilities: General Overview
The open community OWASP aims to make the web safer for users by creating an overview of the most prevalent web vulnerabilities and providing industry best practices to mitigate them.

The OWASP Top 10 is not just a list. It rates each class of weakness using the OWASP Risk Rating methodology and provides examples, attack prevention recommendations, and links for each risk. By examining the vulnerabilities in the OWASP Top 10, application developers can take concrete steps to create a more secure application that helps keep users safe from malicious attacks.

The OWASP list is updated every few years based on a combination of security testing data and surveys of professionals within the industry. The diagram below shows the changes in this list from 2017 to 2021.

Diagram: changes in the OWASP Top 10 from 2017 to 2021. Source: OWASP.org

So let’s consider the latest web application vulnerabilities and ways to prevent them in 2023.
Broken Access Control
Access control enforces policies that prevent users from acting outside their specified permissions. Broken access control can allow unauthenticated or unauthorized users to gain access to sensitive data and processes, and to user privilege settings.

Examples of access control vulnerabilities include replaying or tampering with a JSON Web Token (JWT) access control token, modifying cookies or hidden fields to elevate privileges, and abusing JWT invalidation.

The second example is a violation of the deny-by-default principle. Administrators should grant access only to certain roles, capabilities, or users, but instead it is available to everyone. Such errors make it easier for attackers to access whatever they want.

Affected objects:
Broken access control can lead to compromised data, permissions beyond what is intended for normal users, or account takeover attacks in which outsiders take over user accounts and initiate fraudulent transactions.

How to prevent Broken Access Control

You can avoid problems with identity or password management by applying safe coding practices and precautions such as disabling unneeded administrator accounts, applying access restrictions, and setting up multi-factor authentication.

• Implement access control mechanisms once and reuse them throughout your application, and minimize cross-origin resource sharing (CORS) usage.
• Domain models should enforce the application’s business-limit requirements.
• Restrict access to APIs and controllers to mitigate the effects of automated attacks.
• Log access control failures and alert administrators as needed.
• Rather than granting users permission to create, view, modify, or delete any record, model access controls should enforce record ownership.
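
The following is an added example, not code from the article or from Relevant, showing how the last three recommendations fit together in one place: a single reusable authorization function, a deny-by-default role table, record ownership checked on the server rather than trusted from the client, and a log entry for every denied request. The record store, roles, and user names are constructed for illustration.

```python
import logging
from dataclasses import dataclass, field

# Constructed sample data (not from the article): an in-memory record store.
RECORDS = {
    101: {"owner": "alice", "body": "alice's invoice"},
    102: {"owner": "bob", "body": "bob's invoice"},
}

# Role -> actions granted. Anything not listed here is denied (deny by default).
# "<action>_own" applies only to records the principal owns; "<action>_any" to all.
ROLE_PERMISSIONS = {
    "user": {"read_own", "update_own"},
    "admin": {"read_own", "update_own", "read_any", "delete_any"},
}

log = logging.getLogger("access_control")


@dataclass
class Principal:
    username: str
    roles: set = field(default_factory=set)


class AccessDenied(Exception):
    pass


def is_allowed(principal, action, record):
    """The one authorization decision the whole application reuses.
    Ownership is compared against the server-side record, never against a
    client-supplied field, so tampering with a form or cookie cannot help."""
    granted = set()
    for role in principal.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    if f"{action}_any" in granted:
        return True
    return f"{action}_own" in granted and record["owner"] == principal.username


def authorize(principal, action, record_id):
    """Central enforcement point: returns the record or raises AccessDenied.
    Every failure is logged with enough context that an operator can spot
    someone iterating through record ids they do not own."""
    record = RECORDS.get(record_id)
    if record is None or not is_allowed(principal, action, record):
        log.warning("access denied user=%s action=%s record=%s",
                    principal.username, action, record_id)
        # Same error whether the record is missing or merely not ours, so the
        # response does not reveal which ids exist.
        raise AccessDenied(f"{action} on record {record_id} not permitted")
    return record


def read_record(principal, record_id):
    return authorize(principal, "read", record_id)["body"]


def can_read(principal, record_id):
    """Boolean convenience wrapper used by tests and templates."""
    try:
        read_record(principal, record_id)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    alice = Principal("alice", {"user"})
    root = Principal("root", {"admin"})
    print(read_record(alice, 101))   # own record: allowed
    print(read_record(root, 102))    # admin holds read_any
    print(can_read(alice, 102))      # another user's record: False, and logged
```

Because every route calls `authorize()` rather than sprinkling its own checks, a new role or a new action is a one-line change in `ROLE_PERMISSIONS`, and the warning lines give the monitoring side (covered later in this article) something concrete to alert on.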

Cryptographic Failures
Formerly known as sensitive data exposure, cryptographic failures rose to position two. This is more of a symptom than the underlying cause; the emphasis here is on failures related to cryptography, or its absence, which often expose sensitive data.

Affected objects:
These can be passwords, email addresses, patient health records, business secrets, credit card information, or other personal user information. For example, an application may encrypt credit card information using automatic database encryption. Unfortunately, this data is decrypted automatically when it is retrieved, so a SQL injection flaw can extract the credit card information in plaintext, which an attacker can exploit.

How to prevent cryptographic failures

• Use strong, salted, adaptive hashing algorithms with a work (delay) factor, such as scrypt or PBKDF2, to store passwords.
• Avoid outdated protocols, such as Simple Mail Transfer Protocol (SMTP) or File Transfer Protocol (FTP), when transferring sensitive data.
• Use authenticated encryption instead of plain encryption.
• Generate and store cryptographically random keys as arrays of bytes. If passwords are used, replace them with a key derived using a password-based key derivation algorithm.
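
As an added example (not from the article or from Relevant), the first and last bullets above using only the Python standard library: PBKDF2-HMAC-SHA256 with a random per-password salt and a tunable iteration count for storing passwords, a constant-time comparison when verifying, and the same primitive used to turn a password into a fixed-length key of bytes. The storage format and iteration count are this example's own choices; authenticated encryption (the third bullet) needs a third-party library such as `cryptography` and is not shown here.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Raise it as hardware gets faster; stored
# hashes carry their own count, so old ones can be upgraded at next login.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt per password defeats precomputed (rainbow) tables."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and count; compare in constant time so
    the comparison itself leaks nothing about where the first mismatch is."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, minimum: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record was made with a weaker work factor than we now require."""
    return int(stored.split("$")[1]) < minimum


def derive_key(password: str, salt: bytes, length: int = 32,
               iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Turn a human password into `length` key bytes for an encryption API.
    The salt must be stored alongside the ciphertext (it is not secret)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=length)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong", record))                          # False
    print(derive_key("correct horse battery staple", os.urandom(16)).hex())
```

Note that the stored record never contains the password or the key; only the salt, which is safe to expose, and the digest. When `needs_rehash()` reports True during a successful login, the plaintext is available at that moment and the record can be rewritten with the current work factor.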

Injection
A vulnerability known as an injection flaw enables an attacker to transmit malicious code through an application to another system. Injections typically comprise SQL injections, command injections, CRLF injections, LDAP injections, etc. Injection can lead to compromise of backend systems and of other clients connected to the vulnerable app.

Affected objects:
Attackers conduct injection attacks to gain access to protected areas and sensitive data while posing as trusted users. Vulnerable objects include input fields and URLs that interact with the database.

How to prevent injection:

Some useful techniques include:

• Prevent injection attacks by validating or sanitizing the data submitted by the user. (Validation means rejecting suspicious-looking data, while sanitizing means removing the suspicious parts of the data.)
• Use an API that avoids the interpreter entirely or provides a parameterized interface, or migrate to an object-relational mapping (ORM) tool.
• Apply positive (allowlist) server-side input validation.
• Use LIMIT and other SQL constraints inside queries to avoid mass data exposure in the event of SQL injection.
• Avoid displaying detailed error messages that could be useful to an attacker.
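
The following added example (not from the article or from Relevant) puts a deliberately defective lookup beside its hardened form so the difference can be seen on real input. It uses Python's built-in `sqlite3` module and a small constructed user table; the `' OR '1'='1` string is the classic test input that shows why concatenation is wrong, and the fixed version combines three of the bullets above: a parameterized query, a `LIMIT` clause, and allowlist validation of the username before it reaches the database.

```python
import re
import sqlite3

# Constructed sample data (not from the article).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """DEFECTIVE ON PURPOSE: the value is pasted into the SQL text, so a quote
    in the input ends the string literal and the rest becomes SQL."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def validate_username(username) -> bool:
    """Positive (allowlist) validation: accept only what a username may look
    like, instead of trying to enumerate bad characters."""
    return isinstance(username, str) and USERNAME_RE.fullmatch(username) is not None


def find_user_safe(conn, username):
    """Hardened form. The driver sends the value separately from the query
    text, so it can never be parsed as SQL, and LIMIT 1 caps how much a
    lookup can ever return. Invalid usernames are rejected before the query."""
    if not validate_username(username):
        return []
    sql = "SELECT username, email FROM users WHERE username = ? LIMIT 1"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"
    print(find_user_vulnerable(conn, probe))  # every row: the WHERE clause became a tautology
    print(find_user_safe(conn, probe))        # [] : rejected by validation; would also be a literal
    print(find_user_safe(conn, "alice"))      # [('alice', 'alice@example.com')]
```

Validation and parameterization are independent layers: drop the `validate_username()` call and `find_user_safe()` still returns nothing for the probe, because the placeholder makes the whole input a string literal; keep both, and the database never sees input that could not be a username in the first place.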
Insecure Design
This new category in the OWASP Top Ten focuses on application design and architectural flaws that lead to increased security threats. When an application is inherently designed insecurely, even a perfect implementation of security controls cannot compensate for these design flaws. Sophisticated attackers will eventually find and exploit them.

How to prevent design weaknesses:

Security specialists can prevent these threats using the following methods:

• Set up a secure development lifecycle with Relevant experts to assess and create security and privacy controls.
• Use threat modeling for access control, critical testing, application logic, and core flows.
• Include security terminology and controls in user stories.

Identification and Authentication Failures

Identification and authentication failures occur when user identification, authentication, or session management functions are not implemented correctly or are insufficiently secured by the app.

Affected objects:
Authentication vulnerabilities can include brute force attacks, improperly hashed and salted passwords, leaks involving user account data, improperly set timeouts, or the use of typical weak passwords, such as password1 or admin1234, that appear in stuffing attacks.

How to prevent authentication vulnerabilities:

You can protect your web application from authentication vulnerabilities by:

• Using multi-factor authentication for user verification.
• Creating strong passwords with periodic updates.
• Correctly setting timeouts and securing password storage in your database.
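
An added example (not from the article or from Relevant) of the timeout and weak-password points above, written so it can be exercised with a fake clock: a session store that expires sessions after an idle period and after an absolute lifetime, a login throttle that locks an account after repeated failures, and a check that rejects short or well-known passwords. The timeout values, the lockout policy, and the small denylist are this example's own constructed choices; password hashing itself is covered in the cryptographic failures section.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds without activity before a session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard lifetime regardless of activity
MAX_FAILED = 5                  # failures before an account is locked
LOCKOUT_SECONDS = 15 * 60
MIN_PASSWORD_LEN = 12

# Constructed denylist; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password1", "admin1234", "123456", "qwerty", "letmein"}


def password_is_acceptable(password: str) -> bool:
    """Reject short passwords and anything on the denylist (case-insensitive)."""
    return len(password) >= MIN_PASSWORD_LEN and password.lower() not in COMMON_PASSWORDS


class LoginThrottle:
    """Counts consecutive failures per account and locks it for a while."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}  # username -> (count, timestamp of last failure)

    def is_locked(self, username: str) -> bool:
        count, last = self.failures.get(username, (0, 0.0))
        return count >= MAX_FAILED and self.clock() - last < LOCKOUT_SECONDS

    def record_failure(self, username: str) -> None:
        count, _ = self.failures.get(username, (0, 0.0))
        self.failures[username] = (count + 1, self.clock())

    def record_success(self, username: str) -> None:
        self.failures.pop(username, None)


class SessionStore:
    """Server-side sessions keyed by an unguessable random id."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}

    def create(self, username: str) -> str:
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[sid] = {"user": username, "created": now, "last_seen": now}
        return sid

    def resolve(self, sid: str):
        """Return the username for a live session, or None. Expired sessions
        are deleted on first sight rather than lingering in the store."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        now = self.clock()
        if (now - session["created"] > ABSOLUTE_TIMEOUT
                or now - session["last_seen"] > IDLE_TIMEOUT):
            del self.sessions[sid]
            return None
        session["last_seen"] = now
        return session["user"]

    def destroy(self, sid: str) -> None:
        self.sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(store.resolve(sid))                     # alice
    throttle = LoginThrottle()
    for _ in range(MAX_FAILED):
        throttle.record_failure("bob")
    print(throttle.is_locked("bob"))              # True
    print(password_is_acceptable("admin1234"))    # False
```

Injecting the clock keeps the expiry logic testable without sleeping, and the same pattern lets a deployment swap in a monotonic or mocked time source. Locking by account limits a brute force on one user; pairing it with the per-IP view in the logging section catches attempts spread across many accounts.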

Software and Data Integrity Failures

When apps use modules, extensions, or repositories from Content Delivery Networks or unauthorized sources, a lack of verification of the integrity of these sources introduces the risk of malicious code, unauthorized access, and compromise.

Affected objects:
Modern software delivery pipelines include auto-update functionality that streamlines the lifecycle by downloading updates and applying them without requiring explicit permission. Attackers can exploit such functionality by performing a man-in-the-middle attack to inject malicious code into the pipeline during the update process. This results in corrupted payloads being deployed and executed outright on app installations.

Prevention methods include:

• Measures such as digital signatures can be used to verify that data or software comes from the expected source and has not been tampered with.
• The CI/CD pipeline must have the necessary segmentation, access control, and parameterization to protect code integrity during configuration and deployment operations.
• Compiled or serialized data that is not signed or encrypted should only be sent to untrusted clients if an integrity check or digital signature is applied to detect tampering with or replay of the data.
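
As an added example (not from the article or from Relevant), the simplest form of the integrity check described above, in the format browsers use for Subresource Integrity (SRI) on CDN-hosted scripts: a pinned `sha384-…` digest is recorded when the artifact is trusted, and anything fetched later, whether a CDN script or an update package, is compared against it before use. The script content and the `apply_update()` flow are constructed for illustration; a true digital signature (which also proves who produced the artifact) needs a signing library and a key, which this standard-library example does not include.

```python
import base64
import hashlib
import hmac

# Digest algorithms the SRI specification allows.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed sample artifact (not from the article): a script as served by a CDN.
SAMPLE_SCRIPT = b"window.widget = function () { return 'hello from cdn'; };\n"


class IntegrityError(Exception):
    pass


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Compute an SRI integrity string such as 'sha384-<base64 digest>'.
    This is the value you pin at build time (e.g. in a <script integrity=...> tag)."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """True only if `content` hashes to the pinned integrity string.
    Unknown algorithms fail closed; comparison is constant-time."""
    algorithm, sep, _ = integrity.partition("-")
    if not sep or algorithm not in SRI_ALGORITHMS:
        return False
    return hmac.compare_digest(sri_hash(content, algorithm), integrity)


def apply_update(package: bytes, pinned_integrity: str, install) -> bool:
    """Verify-then-install: the installer callback runs only after the
    downloaded bytes match what was pinned out of band. A mismatch (tampering
    in transit, a swapped CDN object, a truncated download) aborts loudly."""
    if not sri_matches(package, pinned_integrity):
        raise IntegrityError("update package does not match pinned digest; refusing to install")
    install(package)
    return True


if __name__ == "__main__":
    pinned = sri_hash(SAMPLE_SCRIPT)          # recorded when the script was reviewed
    print(pinned)
    print(sri_matches(SAMPLE_SCRIPT, pinned))                     # True
    print(sri_matches(SAMPLE_SCRIPT + b"// injected\n", pinned))  # False
    apply_update(SAMPLE_SCRIPT, pinned, lambda pkg: print("installed", len(pkg), "bytes"))
```

The pinned value must travel a path the attacker cannot reach, such as the application's own signed release or source repository, otherwise a man-in-the-middle who can replace the artifact can replace the digest too; that is exactly the gap a digital signature with an offline-held key closes.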

Security Logging and Monitoring Failures

Logging and monitoring provide security accountability, visibility into events, incident alerting, and forensics. When these capabilities fail, your company’s ability to detect and respond to app breaches becomes severely compromised.

Affected objects:
Insufficient monitoring, logging, or reporting makes your app susceptible to attacks that target any part of the application stack.

How to prevent Security Logging and Monitoring Failures

Measures to prevent security logging and monitoring failures include:

• All authentication, access control, and server-side input validation failures must be logged with sufficient user context to identify suspicious or fraudulent accounts, and retained long enough to allow a delayed forensic investigation.
• Ensure that logs are generated in formats that log management systems can consume.
• Adopt an incident response and recovery plan, such as NIST SP 800-61r2 or later.
• Establish effective monitoring and alerting to detect and respond to suspicious activities quickly.
• Ensure the log data is properly encrypted to prevent intrusions or attacks on the monitoring systems.
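
The added example below (not from the article or from Relevant) shows the detection side of the first and fourth bullets: it parses authentication and access-control failure events written in a simple, machine-readable line format and raises three kinds of alert from them. The log format, thresholds, user names, and IP addresses are all constructed for illustration; the point is that logging each failure with the user and source address is what makes these patterns visible at all.

```python
import re
from collections import defaultdict

# One event per line, key=value fields, easy for a log management system to parse.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\w+)$"
)

# Constructed sample log (not from the article).
SAMPLE_LOG = """
2023-01-27T10:00:01Z login user=alice ip=198.51.100.10 result=success
2023-01-27T10:00:05Z login user=alice ip=203.0.113.5 result=failure
2023-01-27T10:00:06Z login user=bob ip=203.0.113.5 result=failure
2023-01-27T10:00:07Z login user=carol ip=203.0.113.5 result=failure
2023-01-27T10:00:08Z login user=dave ip=203.0.113.5 result=failure
2023-01-27T10:00:09Z login user=erin ip=203.0.113.5 result=failure
2023-01-27T10:01:00Z login user=bob ip=198.51.100.20 result=failure
2023-01-27T10:01:10Z login user=bob ip=198.51.100.21 result=failure
2023-01-27T10:01:20Z login user=bob ip=198.51.100.22 result=failure
2023-01-27T10:01:30Z login user=bob ip=198.51.100.23 result=failure
2023-01-27T10:02:00Z access_denied user=mallory ip=198.51.100.30 result=failure
2023-01-27T10:02:01Z access_denied user=mallory ip=198.51.100.30 result=failure
2023-01-27T10:02:02Z access_denied user=mallory ip=198.51.100.30 result=failure
2023-01-27T10:02:03Z access_denied user=mallory ip=198.51.100.30 result=failure
this line is corrupted and must not crash the detector
2023-01-27T10:03:00Z login user=bob ip=198.51.100.40 result=success
""".strip().splitlines()


def parse_line(line: str):
    """Return the event fields as a dict, or None for a malformed line."""
    match = LOG_LINE.match(line.strip())
    return match.groupdict() if match else None


def detect_suspicious(lines, fail_threshold=5, account_spread=3, denied_threshold=3):
    """Return sorted (alert_type, subject) pairs:
      credential_stuffing: one source IP failing against many different accounts
      brute_force:         one account failing from any number of sources
      authz_probing:       one user repeatedly hitting access-control denials"""
    fails_by_ip = defaultdict(int)
    users_per_ip = defaultdict(set)
    fails_by_user = defaultdict(int)
    denied_by_user = defaultdict(int)

    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # a real pipeline would count and alert on these too
        if event["event"] == "login" and event["result"] == "failure":
            fails_by_ip[event["ip"]] += 1
            users_per_ip[event["ip"]].add(event["user"])
            fails_by_user[event["user"]] += 1
        elif event["event"] == "access_denied":
            denied_by_user[event["user"]] += 1

    alerts = []
    for ip, count in fails_by_ip.items():
        if count >= fail_threshold and len(users_per_ip[ip]) >= account_spread:
            alerts.append(("credential_stuffing", ip))
    for user, count in fails_by_user.items():
        if count >= fail_threshold:
            alerts.append(("brute_force", user))
    for user, count in denied_by_user.items():
        if count >= denied_threshold:
            alerts.append(("authz_probing", user))
    return sorted(alerts)


if __name__ == "__main__":
    for alert_type, subject in detect_suspicious(SAMPLE_LOG):
        print(f"ALERT {alert_type}: {subject}")
```

The three counters answer different questions, which is why the log needs both the user and the IP on every failure: bob's five failures come from five different addresses and would be invisible to a per-IP rule alone, while the stuffing source touches each account only once and would be invisible to a per-account rule alone.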

Server-Side Request Forgery (SSRF)

Server-Side Request Forgery is a web security vulnerability that allows an attacker to trick an application into sending a crafted request to an unintended location, even when the application is protected by VPNs, firewalls, or a network access control list.

Affected objects:
In a typical SSRF attack, a hacker can force a server to establish a connection to internal services in an organization’s infrastructure. In other cases, they can cause the server to connect to arbitrary external systems, which can leak sensitive data such as login credentials.

How to prevent SSRF

With this in mind, you can avoid such attacks by using the following prevention methods:

• To limit the impact of SSRF, segregate remote-resource access functionality into separate networks.
• Set firewall or network access control rules to “deny by default” and block all outbound traffic except the necessary internal traffic.
• Be mindful of URL consistency to protect against attacks such as DNS rebinding and “time of check, time of use” (TOCTOU) race conditions.
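
An added example (not from the article or from Relevant) of the application-layer half of the third bullet: before the server fetches a user-supplied URL it checks the scheme and host against an allowlist, refuses embedded credentials, resolves the name itself, and rejects any answer that is not a globally routable address. The resolver is injectable so the policy can be tested offline; the allowlisted host names are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist (not from the article): the only hosts this service may call.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}


class UnsafeURL(ValueError):
    """Raised when a user-supplied URL fails the outbound-request policy."""


def is_public_ip(ip_text: str) -> bool:
    """True only for globally routable addresses. Loopback, RFC 1918, link-local
    (which includes cloud metadata endpoints), multicast, reserved and
    documentation ranges are all rejected, as is anything unparseable."""
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False


def resolve_outbound_target(url: str, resolver=socket.gethostbyname):
    """Validate `url` and return (host, ip, port) the HTTP client should use.
    The client must connect to this exact ip (sending `host` in the Host
    header) rather than resolving the name again; re-resolving reopens the
    DNS-rebinding / time-of-check-time-of-use window."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeURL("credentials embedded in URL")
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host not allowlisted: {host!r}")
    ip = resolver(host)
    if not is_public_ip(ip):
        raise UnsafeURL(f"{host} resolves to non-public address {ip}")
    return host, ip, parts.port or 443


def is_safe_url(url: str, resolver=socket.gethostbyname) -> bool:
    """Boolean form of the same policy; malformed URLs (bad port etc.) count as unsafe."""
    try:
        resolve_outbound_target(url, resolver)
        return True
    except ValueError:  # UnsafeURL is a ValueError, as are urllib's own parse errors
        return False


if __name__ == "__main__":
    public = lambda host: "8.8.8.8"              # stand-in resolver returning a public address
    internal = lambda host: "169.254.169.254"    # stand-in resolver returning a link-local one
    print(resolve_outbound_target("https://api.example.com/v1/items", public))
    print(is_safe_url("https://api.example.com/v1/items", internal))  # False: rebinding caught
    print(is_safe_url("http://api.example.com/", public))             # False: plain http
    print(is_safe_url("https://internal.example.net/", public))       # False: not allowlisted
```

The host allowlist does most of the work; the post-resolution address check is what survives a rebinding or a compromised DNS answer, and redirects returned by the remote server must be run through the same function rather than followed automatically. None of this replaces the network-layer deny-by-default rule in the second bullet, which is what limits the damage if the application check is bypassed.
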
Security Misconfiguration
This occurs when basic security settings are either not implemented or have errors. Such bugs create dangerous security holes that leave the application and its data (and, therefore, the organization itself) open to cyberattack or hacking.

Affected objects:
These can include unpatched flaws, unused pages, unprotected files or directories, outdated software, and running software in debug mode. When a misconfiguration is found, it is vital to run a security audit to check for attacks or breaches.

How to prevent security misconfigurations:

To avoid configuration complications, you must use secure installation methods, including:

• The development, operational, and QA environments should be configured the same way, with different user privileges in each. Automated deployment will also keep your applications up to date and prevent attacks.
• Unused features and frameworks should be removed or not installed.
• A minimal platform with no unnecessary features, components, documentation, or demos reduces the chance of configuration vulnerabilities.

Vulnerable and Outdated Components

Most online applications are built using third-party frameworks. Unknown application code can lead to unwanted results and situations such as access control violations, SQL injections, etc.

Affected objects:
If a program is insecure, unsupported, or outdated, there may be dangers associated with its vulnerabilities. This includes the application/web server, operating system, applications, database management system (DBMS), APIs, other elements, libraries, and runtimes.

How to prevent risks from vulnerable and outdated components

Based on our experience in software development, we strongly recommend the following:

• Obtain components from official sources through secure channels.
• Watch out for modules and components that are unmaintained or do not provide security updates for older versions. If patching is impossible, consider deploying virtual patches to monitor, detect, or protect against a discovered vulnerability.
• Remove any unnecessary dependencies, functionality, components, files, or documentation.

While the OWASP Top Ten is useful for improving web application security, it is not the be-all and end-all. There is a strong focus on securing the server side, but many of today’s attacks focus on the client side. In other words, it’s important to look in all directions. Consider the OWASP Top 10 as a starting point and complement it with practices tailored to your needs.
