Web application vulnerabilities are system flaws or weaknesses in a web-based application.
The common web application security vulnerabilities are:
- Injection flaws
Injection flaws are among the oldest and most damaging threats to web applications. They can lead to data theft, data loss, loss of accountability, denial of service, and complete compromise of the network. The root cause of most injection flaws is a lack of validation of user-supplied data. Injection covers a broad class of attack vectors: in an injection attack, the attacker supplies untrusted input to the program, and that input is sent to an interpreter as part of a command or query. Because the interpreter treats the input as part of the command or query, the attacker's hostile data can trick it into executing unintended commands or accessing data without proper authorization, altering the execution of the program.
- Broken Access Control
Access control vulnerabilities occur when users can act outside their intended permissions. This typically leads to unauthorized access, information disclosure, and modification or destruction of data. Such flaws arise from ad hoc coding and insecure implementation of authentication and authorization mechanisms. Exploiting access control is a core skill of attackers. SAST (static application security testing) and DAST (dynamic application security testing) tools can detect the absence of access control but cannot verify that it works when it is present; access control is generally not amenable to automated static or dynamic testing, although automation may catch missing controls in certain frameworks. Access control weaknesses are common because of this lack of automated detection and because application developers rarely test access control functionally, so manual testing is the best way to find missing or ineffective access control. The technical impact is attackers acting as users or administrators, ordinary users using privileged functions, or any user creating, reading, updating, or deleting every record. Access control enforces policy so that users cannot act outside their intended permissions; failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performance of a business function outside the user's limits.
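As an added example (not code from the original text), the block below shows the most common shape of this flaw, a record lookup that checks only that the caller is logged in, next to a version that checks ownership or role, and then the kind of functional test the text says tools cannot do for you: every user against every record, compared with the intended policy. The invoice store, the users and the "user"/"admin" roles are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass


class AccessDenied(PermissionError):
    """Raised when a user tries to act outside their intended permissions."""


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin" (assumed role names)


# Constructed in-memory record store: invoice id -> owner and amount.
INVOICES = {
    101: {"owner_id": 1, "amount": 250},
    102: {"owner_id": 2, "amount": 900},
}


def get_invoice_vulnerable(user: User, invoice_id: int) -> dict:
    # The caller is authenticated but never authorised: any logged-in user can
    # read any record simply by supplying its id.
    return INVOICES[invoice_id]


def get_invoice_safe(user: User, invoice_id: int) -> dict:
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise KeyError(invoice_id)
    # Deny by default: only the record's owner or an admin may read it.
    if invoice["owner_id"] != user.id and user.role != "admin":
        raise AccessDenied(f"user {user.id} may not read invoice {invoice_id}")
    return invoice


def access_matrix() -> dict:
    """Functional test of the policy: every (user, invoice) pair against the
    actual outcome. This is the manual/functional check that SAST and DAST
    tools cannot perform, because they do not know the intended policy."""
    users = [User(1, "user"), User(2, "user"), User(3, "admin")]
    outcome = {}
    for user in users:
        for invoice_id in INVOICES:
            try:
                get_invoice_safe(user, invoice_id)
                outcome[(user.id, invoice_id)] = "allowed"
            except AccessDenied:
                outcome[(user.id, invoice_id)] = "denied"
    return outcome


if __name__ == "__main__":
    for pair, result in sorted(access_matrix().items()):
        print(pair, result)
```

In a real code base the matrix would be compared against a written-down expected matrix in the test suite, so that a later change that drops the ownership check fails the build rather than being discovered by an attacker.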
- Broken Authentication
Broken authentication is typically due to poor implementation of session management and authentication functions. Broken authentication attacks aim to give the attacker the same privileges as the legitimate user of one or more accounts. Authentication is considered "broken" if attackers can compromise passwords, keys, session tokens, user account details, or other credentials. Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, as well as lists of default administrative accounts and automated brute-force and dictionary-attack tools. Session management attacks are well understood, particularly those involving unexpired session tokens. Broken authentication is widespread because of how most identity and access controls are designed and implemented. Session management is the bedrock of authentication and access control and is present in every stateful application. Attackers can detect broken authentication by manual means and exploit it with automated tools driven by password lists and dictionaries. They need to gain access to only a few accounts, or a single admin account, to compromise the system. Depending on the application's domain, this may enable money laundering, social security fraud, and identity theft, or disclose legally protected, highly sensitive information.
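The block below is an added example, not from the original text, of the controls whose absence the paragraph describes: salted password hashing, a failure counter with lockout so that password lists and dictionaries cannot be run at full speed, unguessable session tokens, and session expiry so that an old token is not honoured. The in-memory store, the lockout and session lifetimes, and the PBKDF2 work factor are assumptions chosen for the demonstration; the `scenario` function walks the controls with a fake clock and a deliberately low work factor so it runs quickly.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILED_ATTEMPTS = 5        # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60
SESSION_TTL_SECONDS = 30 * 60
PBKDF2_ITERATIONS = 600_000    # PBKDF2-HMAC-SHA256 work factor (assumed; tune for your hardware)


class AuthStore:
    """Constructed in-memory user and session store with the controls that
    broken-authentication attacks rely on being absent."""

    def __init__(self, clock=time.time, iterations=PBKDF2_ITERATIONS):
        self.clock = clock            # injectable so expiry can be tested
        self.iterations = iterations
        self.users = {}               # username -> salt, hash, failure counter, lock
        self.sessions = {}            # token -> username, expiry time

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "hash": self._derive(password, salt),   # never store the password itself
            "failures": 0,
            "locked_until": 0.0,
        }

    def login(self, username: str, password: str):
        """Return a fresh session token on success, otherwise None."""
        now = self.clock()
        rec = self.users.get(username)
        if rec is None:
            # Do the same work as a real check so response time does not
            # reveal which usernames exist.
            self._derive(password, b"\x00" * 16)
            return None
        if now < rec["locked_until"]:
            return None                          # throttled: lockout in force
        if not hmac.compare_digest(self._derive(password, rec["salt"]), rec["hash"]):
            rec["failures"] += 1
            if rec["failures"] >= MAX_FAILED_ATTEMPTS:
                rec["failures"] = 0
                rec["locked_until"] = now + LOCKOUT_SECONDS
            return None
        rec["failures"] = 0
        token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
        self.sessions[token] = {"username": username, "expires": now + SESSION_TTL_SECONDS}
        return token

    def user_for_session(self, token: str):
        """Resolve a token to a username; expired tokens are dropped, not honoured."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if self.clock() >= sess["expires"]:
            del self.sessions[token]
            return None
        return sess["username"]

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)


def scenario() -> dict:
    """Walk the controls with a fake clock; each entry is True when the control held."""
    clock = [1_700_000_000.0]
    store = AuthStore(clock=lambda: clock[0], iterations=2_000)  # low factor for speed only
    store.register("alice", "correct horse battery staple")
    out = {}
    out["wrong_password"] = store.login("alice", "guess") is None
    token = store.login("alice", "correct horse battery staple")
    out["valid_token"] = store.user_for_session(token) == "alice"
    clock[0] += SESSION_TTL_SECONDS + 1
    out["expired_token"] = store.user_for_session(token) is None
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.login("alice", "guess")
    out["locked_out"] = store.login("alice", "correct horse battery staple") is None
    clock[0] += LOCKOUT_SECONDS + 1
    out["unlocked"] = store.login("alice", "correct horse battery staple") is not None
    out["unknown_user"] = store.login("nobody", "guess") is None
    return out
```

A per-account lockout on its own can be turned into a denial of service against legitimate users, so production systems usually combine it with per-source rate limiting and multi-factor authentication rather than relying on the counter alone.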
- Insufficient Logging & Monitoring
Insufficient logging and monitoring occurs when the system does not record and watch security-relevant events as they happen. Exploitation of insufficient logging and monitoring underlies nearly every major incident: attackers rely on the lack of monitoring and timely response to achieve their goals without being detected, and the absence of these records makes it impossible to reconstruct an attacker's actions, which damages incident response when an attack does occur. Typical symptoms are that auditable events (such as logins, failed logins, and high-value transactions) are not logged; warnings and errors generate inadequate or unclear log messages; application and API logs are not monitored for suspicious activity; logs are stored only locally; and the application cannot detect or alert on active attacks in real time.
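As an added example (not from the original text), the block below runs simple detection logic over the kind of auditable events the paragraph lists: it parses a constructed application log and raises an alert when one source address accumulates failed logins within a short window, and when a high-value transaction occurs. The log format, the field names, the thresholds and the sample lines are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample application log in the format this example assumes:
# ISO timestamp, event name, then key=value fields.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login_failed user=alice src=203.0.113.7
2024-05-01T10:00:03Z login_failed user=alice src=203.0.113.7
2024-05-01T10:00:04Z login_failed user=bob src=203.0.113.7
2024-05-01T10:00:06Z login_failed user=carol src=203.0.113.7
2024-05-01T10:00:08Z login_failed user=dave src=203.0.113.7
2024-05-01T10:00:09Z login_ok user=alice src=198.51.100.5
2024-05-01T10:05:00Z login_failed user=erin src=203.0.113.7
2024-05-01T10:06:00Z transfer user=alice amount=25000 src=198.51.100.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) (?P<fields>.*)$")
FAILURE_THRESHOLD = 5            # failed logins from one source ...
WINDOW = timedelta(seconds=60)   # ... inside this window trigger an alert
HIGH_VALUE = 10_000              # transactions at or above this are always flagged


def parse_line(line: str):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split())
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "event": m["event"], **fields}


def detect(lines) -> list:
    """Return (alert_type, subject, timestamp) tuples for suspicious activity."""
    alerts = []
    recent_failures = defaultdict(deque)   # src -> timestamps of failures in window
    alerted_sources = set()                # alert once per source, not per line
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "login_failed":
            q = recent_failures[ev["src"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()                # drop failures older than the window
            if len(q) >= FAILURE_THRESHOLD and ev["src"] not in alerted_sources:
                alerted_sources.add(ev["src"])
                alerts.append(("failed_login_burst", ev["src"], ev["ts"]))
        elif ev["event"] == "transfer" and int(ev["amount"]) >= HIGH_VALUE:
            alerts.append(("high_value_transaction", ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

The burst at 10:00:08 spans five different usernames from one address, which is why the rule keys on the source rather than the account. The failure at 10:05:00 does not re-trigger because the earlier entries have aged out of the window. Logic like this only helps if the events are actually emitted and if the log is shipped to a system the attacker cannot edit, which is the "logs stored only locally" point above.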
- XML External Entities (XXE)
Extensible Markup Language (XML) was originally created for use in digital document design but is now a popular way to exchange data between different types of applications; in many situations it is used more than HTML for data interchange. This makes XML very common in web applications, services, and documents, since it allows two systems built on different technologies to communicate and exchange data. To interpret XML, an application needs an XML parser (XML processor) that understands the format, either to convert the data to another representation or simply to output the result. XXE is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often lets an attacker view files on the application server's filesystem and interact with any back-end or external system the application can reach. Sometimes an attacker can escalate an XXE attack by using it to perform server-side request forgery (SSRF) against the underlying server or other back-end infrastructure. Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document, exploiting vulnerable code, dependencies, or integrations.
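External entities are declared in a document type definition (DTD), so the standard defence is to refuse any DTD in untrusted input before the parser can act on it. The block below is an added example, not from the original text, that does this with the Python standard library: an expat pass aborts at the first DOCTYPE or entity declaration, and only DTD-free documents reach the real parser. The `<order>` document format and the two sample inputs are constructed for the demonstration.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DTD, the mechanism XXE depends on."""


def _screen_dtd(data: str) -> None:
    # Walk the document with expat and abort at the first DOCTYPE or entity
    # declaration, before any entity could be expanded or resolved.
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE not allowed in untrusted input: {name}")

    def reject_entity(*_declaration):
        raise UnsafeXMLError("entity declaration not allowed in untrusted input")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)


def parse_untrusted_order(data: str) -> dict:
    """Parse an <order> document from an untrusted source into a plain dict."""
    _screen_dtd(data)
    root = ET.fromstring(data)      # only reached for DTD-free documents
    if root.tag != "order":
        raise ValueError(f"unexpected root element: {root.tag}")
    return {child.tag: (child.text or "").strip() for child in root}


def is_rejected(data: str) -> bool:
    """True when the screening step refuses the document."""
    try:
        parse_untrusted_order(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed samples: a plain order, and the same order carrying a DTD with a
# harmless internal entity. The second is refused regardless, because the same
# DTD machinery is what would resolve an external entity.
BENIGN_XML = "<order><item>widget</item><qty>3</qty></order>"
DTD_XML = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY greeting "hello">]>'
    "<order><item>&greeting;</item><qty>3</qty></order>"
)

if __name__ == "__main__":
    print(parse_untrusted_order(BENIGN_XML))
    print("DTD document rejected:", is_rejected(DTD_XML))
```

Rejecting every DTD is stricter than disabling only external entities, but it also closes the related entity-expansion denial-of-service problem and is easy to audit. Where a third-party parser is used instead (lxml, a Java or .NET processor), the equivalent is its own switch for DTD or entity resolution, and that setting should be checked in every code path that parses input the application did not generate itself.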