Web application security

Anyone who pays close attention to web application security can pick up useful techniques for fixing web application bugs. Here we introduce some commonly seen bugs and the corresponding fixes that protect web application security.

Injection attack and cross-site scripting attack
Injection attacks and cross-site scripting attacks are two severe classes of bug threatening web application security. Injection attacks, including SQL, operating system, email and LDAP injection, achieve their goal by inserting malicious data into an application command or query. That malicious data can force the web application to execute a malicious command or access unauthorized data. For instance, SQL injection can occur when an SQL query is generated from unvalidated user data; in such cases attackers can directly submit a malicious SQL query or command.

A cross-site scripting attack injects client-side script code such as JavaScript into the web application's output, posing a threat to web application security. Once application users visit the affected output or webpage, their browser executes the injected code. In this way attackers can hijack sessions, redirect application users to a malicious site, or deface the page. Cross-site scripting is most likely to appear in dynamically generated pages.

To prevent injection and cross-site scripting attacks and so protect web application security, application developers should follow these measures:
1. Make the web application treat all incoming data, including URLs, cookies and data read back from the application database, as untrusted.
2. Inspect all code that handles user data to make sure the handling is valid.
3. Have the validation function strip all malicious characters or strings before the validated data is passed on to scripts and the database.
4. To guarantee the safety of incoming data, check its type, length, format and range. Make full use of all available web application security controls, and do not modify the verification code.
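The contrast between a query generated from user data and a parameterized query, together with the type/length/format/range check and the output escaping the measures above call for, as an added example that is not from the original article (Python with an in-memory SQLite table constructed here for illustration):

```python
import html
import re
import sqlite3

# Constructed sample database (assumption: a users table with id, name, email).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                 [("alice", "alice@example.com"), ("bob", "bob@example.com")])

def lookup_vulnerable(name):
    # Query text generated from untrusted data: the user-supplied value becomes part of the SQL,
    # so a value containing quotes and operators changes the meaning of the query.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(name):
    # Parameterized query: the driver passes the value separately from the SQL text,
    # so it is only ever compared as data and can never become SQL syntax.
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

NAME_RE = re.compile(r"[a-z][a-z0-9_]*")

def validate_name(name):
    # Check type, length, format and range before the value reaches script or database.
    if not isinstance(name, str):
        return False
    if not 1 <= len(name) <= 32:
        return False
    return NAME_RE.fullmatch(name) is not None

def render_greeting(name):
    # Escape untrusted data before writing it into HTML output, so script supplied by a
    # user is rendered as text instead of being executed by the browser.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

if __name__ == "__main__":
    tainted = "x' OR '1'='1"          # constructed input that breaks out of the quoted string
    print(lookup_vulnerable(tainted))     # returns every row
    print(lookup_parameterized(tainted))  # returns no rows
    print(validate_name(tainted))         # False: rejected before it reaches the database
    print(render_greeting("<script>alert(1)</script>"))
```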

Broken authentication and session management
Because HTTP is stateless, a web application must authenticate users and create a session to track each request. If the authentication information and session identifier are not encrypted, or are exposed through attacks such as cross-site scripting, an active session can be hijacked and the attacker can impersonate the user.
To deal with authentication and session management issues, application developers can carry out code review and penetration testing. Automated code and vulnerability scanners can also be useful.

Insecure object reference
Insecure object references are caused by improper application design. If a user's account ID is shown in a URL or hidden field, the IDs of other related accounts may be inferred, and malicious users can submit access requests for them. To prevent this vulnerability, application developers are expected to use random, unpredictable IDs, file names and object names, and to keep object names from being exposed. Data can be exposed through URLs, hyperlinks, external forms, hidden fields, unprotected ASP.NET view state, list boxes, JavaScript code and client-side objects, so developers who want to protect web application security should pay close attention to all of these.

Improper security configuration
The fundamental components of a web application, both hardware and software, such as the server, firewall, database, operating system and application software, can all pose risks to web application security, so application developers should configure each of them securely. When system managers lack professional management knowledge and related resources, system management is ineffective and web application security suffers. To address this, organize training for system managers and conduct a penetration test covering all sensitive data.