Users who pay close attention to web application security can pick up some techniques for fixing web application bugs. Here we introduce some commonly seen bugs and the corresponding fixes that protect web application security.
Injection attack and cross-site scripting attack
Injection attacks and cross-site scripting attacks are two severe classes of bugs that threaten web application security. Injection attacks, including SQL, operating system command, email and LDAP injection, work by inserting malicious data into an application command or query. That data can force the web application to execute malicious commands or access unauthorized data. For instance, SQL injection becomes possible when an SQL query is built from unvalidated user data; the attacker can then submit their own malicious SQL query or command.
To prevent injection attacks and cross-site scripting attacks, and so protect web application security, application developers should follow these measures:
1. Have the web application treat all incoming data, including URLs, cookies and the contents of the application database, as untrusted.
2. Review all code that handles user data to make sure it validates that data correctly.
3. Once the validation function has removed or rejected malicious characters and strings, the checked data can be passed on to scripts and the database.
4. To guarantee the security of incoming data, check its type, length, format and range. Make full use of the security controls the web application platform already provides rather than hand-writing your own verification code.
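The following is an added example, not code from the original article: it puts the SQL injection case described above beside its fix. The vulnerable function concatenates user input into the query text, the safe function binds it as a parameter, and the validation function applies the type, length, format and range checks from step 4 before the value reaches the database. The in-memory users table and the usernames in it are constructed sample data.

```python
import re
import sqlite3


def build_db():
    # Constructed sample database for the demonstration (not from the original page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable: the user-supplied value is spliced into the SQL text, so the
    # database parses whatever the user typed as part of the query.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Hardened: the value travels as a bound parameter and is never parsed as SQL.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Assumed username policy for this example: 3 to 32 characters of [A-Za-z0-9_].
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def validate_username(value):
    # Type, length, format and range check. Reject bad input outright instead of
    # trying to "clean" it; rejection is easier to reason about than filtering.
    if not isinstance(value, str):
        raise ValueError("username must be a string")
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username must be 3-32 characters of [A-Za-z0-9_]")
    return value


def lookup_validated(conn, username):
    # Validation and parameterization together: defence in depth.
    return lookup_safe(conn, validate_username(username))


if __name__ == "__main__":
    db = build_db()
    payload = "x' OR '1'='1"  # classic tautology payload, constructed for the demo
    print("vulnerable:", lookup_vulnerable(db, payload))  # leaks every row
    print("parameterized:", lookup_safe(db, payload))     # no rows: payload is just a string
    try:
        lookup_validated(db, payload)
    except ValueError as exc:
        print("validated:", exc)                           # rejected before any query runs
```

Parameterization alone already defeats the payload; the validation layer additionally stops malformed input from reaching the database at all, which matters when a query cannot be parameterized (for example a dynamically chosen column name).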
Broken authentication and session management
Because HTTP is stateless, a web application has to authenticate the user and create a session in order to track each subsequent request. If the authentication credentials and the session identifier are not protected by encryption, or are exposed by attacks such as cross-site scripting, an active session can be hijacked and the attacker can impersonate the user.
To deal with authentication and session management issues, developers can perform code review and penetration testing. Automated code and vulnerability scanners can also be useful.
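As an added example (not from the original article), the block below shows the two controls the paragraph above implies: generating a session identifier that cannot be guessed, and issuing it in a cookie whose attributes keep it away from script (HttpOnly, against cross-site scripting) and off plaintext HTTP (Secure). It also includes a small auditor, of the kind a code review or scanner would apply, that reports which of those attributes a Set-Cookie header is missing. The cookie name `sid` and the sample headers are constructed for the demonstration.

```python
import secrets

# Attributes a session cookie should carry; compared case-insensitively.
REQUIRED_ATTRS = ("secure", "httponly", "samesite")


def new_session_id(nbytes=32):
    # 256 bits from the OS CSPRNG. Never derive a session id from the time,
    # a counter or user data: a predictable id is as good as no authentication.
    return secrets.token_urlsafe(nbytes)


def session_cookie_header(session_id, name="sid", max_age=3600):
    # Secure: only sent over HTTPS, so it is not exposed on the wire.
    # HttpOnly: not readable from JavaScript, so an XSS payload cannot exfiltrate it.
    # SameSite=Lax: not attached to most cross-site requests.
    return (
        f"{name}={session_id}; Max-Age={max_age}; Path=/; "
        f"Secure; HttpOnly; SameSite=Lax"
    )


def audit_set_cookie(header):
    """Return the protective attributes missing from one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    # parts[0] is name=value; the rest are attributes such as Path=/ or HttpOnly.
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [attr for attr in REQUIRED_ATTRS if attr not in present]


# Constructed sample headers, e.g. as captured from two different deployments.
WEAK_HEADER = "sid=abc123; Path=/"
STRONG_HEADER = session_cookie_header(new_session_id())

if __name__ == "__main__":
    print("weak header missing:", audit_set_cookie(WEAK_HEADER))
    print("strong header missing:", audit_set_cookie(STRONG_HEADER))
```

The auditor only inspects the cookie's attributes; it cannot tell whether the identifier itself is random, which is why the generator and the auditor belong together in a review.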
Insecure object reference
Improper security configuration
The fundamental components of a web application, both hardware and software such as servers, firewalls, databases, operating systems and application software, can all put web application security at risk, so each of them must be configured securely. Where system administrators lack professional management knowledge and the related resources, system management is ineffective and web application security suffers. To address this, organizations can train their system administrators and conduct penetration tests covering every system that handles sensitive data.