How to Fix and Prevent OWASP Vulnerabilities to Be Safe

We use many applications every day, especially web applications. As their adoption grows, so does the number of vulnerabilities. Although no cybercriminal can attack every application in the world, all of them should have appropriate security measures in place to withstand the most common attacks. Unfortunately, cyberattacks can strike at any time, and we generally fail to notice the warning signs early enough.

In this article we have put together a guide that gives you an overview of the main vulnerabilities in the OWASP Top 10 and how to fix or mitigate each of them as well as possible. We will also explain the best course of action in each case, although some are more complex than others. Keep in mind that the vulnerabilities cited below are taken from the well-known OWASP project on application vulnerabilities.

Prevent OWASP Vulnerabilities

Sensitive data exposure

One of the issues that concerns both users and organizations is the security and privacy of sensitive data. Remember that sensitive data can be personal, work-related, banking, financial or health data. Any data that reveals information about you is of great value to cybercriminals. Sensitive data is not only at risk of being exposed; it may also be modified, stolen or sold to entities that specialize in trading in such data.

If you are responsible for managing sensitive data, one of the best practices is classification. At the simplest level, separate sensitive data from non-sensitive data. Sensitive data should receive additional security measures: stronger encryption, not storing it at all unless strictly necessary, requiring strong authentication to access it, and even a second authentication factor to strengthen the authentication scheme. You must also pay attention to data in transit: it is recommended to use secure protocols such as TLS (Transport Layer Security), configured with cipher suites that provide PFS (Perfect Forward Secrecy).

Bad security settings

This is one of the most frequent vulnerabilities, mainly caused by bad practices when developing and deploying applications: default, insecure or incomplete configurations, or cloud services left open to the public while holding sensitive data. Cases like these pose a high risk to the integrity of the application as a whole.

One of the easiest measures to put into practice is removing services and any other add-ons to the application that you do not need. Remember that these “inactive” components are a great advantage for cybercriminals, and several of these attacks stem from a lack of control over them. Also check frequently for potential holes that may appear in the configuration. A useful aid here is the documentation and support of your provider: in many cases they offer plenty of resources to help you get more out of the application infrastructure and raise its security level.

Loss of access control

As user administrators, we should never underestimate end users. We say this because there are cases in which “normal” users have more permissions than they should. Such excess permissions can serve as a springboard for carrying out a variety of malicious activities, and the worst part is that they allow certain security controls to be bypassed, simply because the user holds the permissions to do so. Privilege escalation is a problem for the networks of organizations of every kind. “Insider” attacks (carried out from within the organization) are alarmingly common, so adjusting the permissions granted to each type of user is mandatory.

We should also not neglect users who hold administrator permissions. We have discussed this in detail in a separate article, where you can see what to do to improve these control mechanisms.

Injection based on database engines

Injection consists of inserting data that contains code capable of executing malicious actions. It can occur against different database engines, both SQL and NoSQL, and even against LDAP (Lightweight Directory Access Protocol) directories. A practical example is a login form: instead of entering our credentials, we type SQL statements that perform malicious actions. This is not always easy to detect. In some cases an injection leaves the application practically unusable, and the data held in the application may be exposed or become unavailable to its owners.

The main prevention measure to consider is input validation in the application. It prevents users from entering arbitrary text in the fields of an enrollment, login or registration form. It seems a fairly basic practice, but unfortunately many applications and services underestimate this threat. For example, if a form field requires numerical data, restrict its input to digits only. If it is a text field, restrict characters and sequences that could be interpreted as database statements.
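To make the login scenario above concrete, here is an added example (not code from the article) that contrasts a login query built by string concatenation with the same query using bound parameters, and adds the digits-only validation for a numeric field. It uses Python's standard sqlite3 module with a constructed in-memory table; the user record, column names and function names are assumptions for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database: one user row (sample data, not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, age INTEGER)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse', 34)")
    return conn


def login_vulnerable(conn, username, password):
    """The article's scenario: field contents are pasted straight into the SQL text,
    so whatever the user types in the login form becomes part of the statement."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened form: the statement is fixed and the inputs travel as data values.
    (A real system would compare against a stored password hash, not plaintext.)"""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def validate_numeric(value):
    """Allow-list validation for a numeric form field (e.g. age): 1-3 digits only.
    Returns the integer, or None when the input contains anything else."""
    if not re.fullmatch(r"[0-9]{1,3}", value):
        return None
    return int(value)


if __name__ == "__main__":
    db = make_db()
    bad = "x' OR '1'='1"  # a password field containing SQL instead of a credential
    print("concatenated query accepts bogus password:", login_vulnerable(db, "alice", bad))
    print("parameterized query accepts bogus password:", login_parameterized(db, "alice", bad))
    print("validate_numeric('34; DROP TABLE users') ->", validate_numeric("34; DROP TABLE users"))
```

The concatenated version turns the password field into `password = 'x' OR '1'='1'`, which is always true, while the parameterized version compares the whole string as a literal and rejects it.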

As we have seen, these are only some of the vulnerabilities listed by OWASP, but we consider them among the most important in terms of their impact on application infrastructure and its users. Bear in mind that security measures should not be strengthened only when an attack seems imminent; they must be maintained at all times. Good application development and deployment practices form the most effective shield against these vulnerabilities.