Security threats for web applications

CSRF, DoS, SQL injection and XSS are few of the most common security threats for any web application. Looking at the expand-ability of web preventing such attacks is always on priority. Apart from DoS rest threats can well be prevented at application level. Prevention of DoS is often difficult, expensive and needs 3rd party tools. 

1. CSRF

CSRF stands for Cross Site Request Forgery and makes an attempt execute unwanted action on the website while your authenticated session is active. These attacks are often targeted through email messages. 

Example

  1. You receive a SPAM email in your inbox pretending to be an ecommerce offer. 
  2. You click on the that link considering its an offer.
  3. Coincidently you are logged into your website's admin control panel.
  4. But in reality that link in the email may have some hard-coded link which in turn could delete the content from your website.
  5. By the time you know it was an attack, your website would already get deleted.

Ideally application should be programmed in such a way to identify that any action withing the space of authenticated session is generated by the authernticated user only.

Drupal CMS has very efficient way to counter such attacks. It simply validates the availability to TOKENs before executing any such unwanted actions.

2. DoS

DOS stands for Denial of Service. Such attacks focus on consuming your server resources upto the limits that intended genuine visitors or users will have no server resources left for their utilization and often in such scenarios either website becomes very slow on performance or it may get crashed. Ideally such attacks should be prevented much before it reacches your website (application layer). 

These attacks are not application specific but the environment specific. There is very less that can be done at application level and even though something is developed at the application level that might end-up by consuming lot many resources and without much efficiency.  

Types of DoS attacks

  1. DDoS: Distributed denial of service.
  2. APDoS: Advanced persistent denial of service.
  3. Denial of service as service.

Few of the tools to prevent DOS

  1. Cloudflare
  2. Cisco DDoS prevention system
  3. F5 Networks
  4. Black Lotus
  5. Incapsula

3. SQL Injection

SQL injections are one most commenly used attacks and also one of most commonly prevented at the application level. Most of modern language frameowrks, CMSs or web applications are built with an inherent capability to to prevent SQL injections. All of the ORMs are capable enough to prevent such attaks. 

SELECT first_name FROM employee where id = $id

Lets consider "$id" is passed through the URL, in case of urls [website?id=4]

" Query will become
SELECT first_name FROM employee where id = 2

Lets consider "$id" is passed through the URL, in case of urls [website?id=2;DELETE FROM employee WHERE id = 1;]

" Query will become
SELECT first_name FROM employee where id = 2;
DELETE FROM employee WHERE id = 1;

Instead this way SQL can be written in much secured way such as 

$id = $_GET['id']
$first_name = db_query('SELECT first_name FROM node WHERE id = :id', array(':id' => $id))->fetchField();

There are many more ways to prevent SQL injections which I will discuss in a separate post.

4. XSS

Through Cross Site Scripting malicious scripts are injected into trusted websites. Web browsers have no way to determine if web page contains such injected malicious scripts. While viewing the otherwise trusted web pages such scripts gets executed and can access the cookies, sessions data and often can alter the display of the webpages. 

Prevention

  1. Remove HTTP trace from the web servers.
  2. Make sure validate the raw data at client side as well server side.
  3. Use the code encoding.