importance of secure web applications

with Advances in web technologies coupled with a changing business environment, have made web applications more prevalent in corporate, public and Government services today. with the added convenience, efficiency and popularity of web applications, a number of new security threats have also emerged, which could potentially pose significant risks to an organisation's information technology infrastructure if not handled properly.

Web applications remain the most vulnerable, with web application attacks accounting for 35% of breaches. In order to tackle the threats related to these new application services, it is essential to understand the vulnerabilities commonly found in web applications.

MOST common vulnerabilities

The OWASP Top 10 focuses on identifying the most serious risks for a broad array of organizations.

1- injection Flaws 

Injection flaws, such as SQL, OS, XXE, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

2- Cross-Site Scripting (XSS)

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

3- Sensitive Data Exposure

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

Web Application Vulnerability scanning

Web Application Security Scanners are automated tools to test web applications for common security problems such as Cross-Site Scripting, SQL Injection, Directory Traversal, insecure configurations, and remote command execution vulnerabilities, etc. These tools crawl a web application and locate application layer vulnerabilities and weaknesses, either by manipulating HTTP messages or by inspecting them for suspicious attributes.