SECURITY ASSESSMENTS OF WEB APPLICATIONS

in #cybersecurity · 6 years ago (edited)
Greetings, friends of Steemit. Today I bring you information about security assessments of web applications; we should understand how important this practice is for the security of information and of the technological platform in general.

With the growth of the Internet, the security of the information handled every day has been directly affected. E-commerce sites, banks and even social networks hold sensitive information that in most cases is very important.



It can be said that one of the most critical points of Internet security is the software that interacts directly with users, in this case web servers. It is common to hear about flaws in the protection of the most widely used servers, for example Apache, NGINX, IIS, among others, or about flaws in the programming languages in which the applications are written. However, most of the problems detected in web services are not caused by failures in any of these parts; they are caused by bad practices when developing the application.

We must understand that programming secure web applications is not an easy task: the programmer is required not only to meet the basic functional objective of the application, but also to have a general understanding of the risks to the information that the system processes.

The purpose of a security assessment, whether of applications or of other information assets, is to find and correct network security flaws before they are exploited.



Every day more businesses have Web-based applications, so developing and deploying this type of application has become more popular. Companies need to give adequate protection to the critical information handled by these applications, for both internal and external users, to instill confidence and provide security to customers and other interested parties (stakeholders). Application security is gaining attention from top management in many organizations, and with the growing popularity of mobile devices and cloud computing services it has become even more relevant, since the same features are now being replicated in mobile apps that can be easily downloaded by users and also by malicious people.

There are currently many tools, including freeware, that can detect vulnerabilities, especially in Web applications. In addition to these programs or automated tools we must also rely on manual assessment (not based on tools), that is, manual reviews in which we learn the functionality of the application, how it interacts with the user, and review the data: things that the programs may not detect.



How to perform security assessments for web applications.



The first thing we must know when evaluating is: the function of the application; the language in which it is written and its version; the Web server it uses (Apache, IIS, others) and its version; the database it uses and its version; the platform that supports it (development / production servers); the URL or route; and the operational architecture and flowchart of the application / system.

User and administration manuals, and the systems that host the application.

All the components that support the application must be evaluated: the database, the servers, the Web server, interaction with other systems, among others.

You must spend time understanding the critical business information processed by the application.

Verify whether there is a test environment for the application being evaluated.

Have a basic review checklist for the security assessment, which we can adapt to the specific application.

Validation of the application's input and output data.

Input data: provided by a user, machine or program; it will be processed by the application to perform specific tasks.

Output data: the information obtained from some input or from an internal process of the application.
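The following is an added example, not code from the original post, showing the two halves of the input/output validation point above: input data is checked against an explicit allowlist of what the application expects, and output data is encoded for the HTML context it is written into. The form fields, regular expressions and age limits are constructed for this illustration.

```python
# Added example (not from the original post): allowlist validation of input
# data and HTML encoding of output data for a hypothetical profile form.
import html
import re

# Constructed rules for a hypothetical "user profile" form.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
AGE_MIN, AGE_MAX = 13, 120


def validate_profile(form: dict) -> dict:
    """Return a dict of field -> error message (empty when the input is acceptable).

    Each field is checked against what the application expects (an allowlist),
    not against a list of known-bad strings, so unexpected input is rejected
    rather than "cleaned" and passed on.
    """
    errors = {}
    username = form.get("username", "")
    if not USERNAME_RE.fullmatch(username):
        errors["username"] = "3-32 letters, digits or underscores"
    email = form.get("email", "")
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        errors["email"] = "not a valid e-mail address"
    age = form.get("age", "")
    if not age.isdigit() or not AGE_MIN <= int(age) <= AGE_MAX:
        errors["age"] = f"must be a whole number between {AGE_MIN} and {AGE_MAX}"
    return errors


def render_greeting(display_name: str) -> str:
    """Output data: encode for the HTML context it is written into.

    html.escape turns < > & " ' into entities, so a display name that contains
    markup is shown literally instead of being interpreted by the browser.
    """
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    good = {"username": "ana_01", "email": "ana@example.org", "age": "34"}
    bad = {"username": "ana bad!", "email": "not-an-address", "age": "-5"}
    print(validate_profile(good))   # no errors
    print(validate_profile(bad))    # one error per field
    print(render_greeting("<b>Ana</b> & Co"))
```

Validation rejects the request when any field is outside the allowlist; it does not try to repair the value. Output encoding is applied at the point of writing, because the same value may need a different encoding in another context (a URL parameter, a JavaScript string, a SQL query).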



What should be taken into account when performing a security assessment of web applications.



Know how data is stored (in a database, in directories, in files, others).

Determine the elements and parameters that the application requests to authenticate users (requested data, use of challenge questions, digital certificates, others).

Against which element does the application authenticate the requested data? (Verify whether it is done against a local database, an LDAP / Active Directory, or another application.)

Know how this authentication information travels over the network (check whether it travels in plain text or encrypted). Consider this communication between all the components and flows of the application.

Validate whether digital certificates are used, and verify who is authenticated (only the server or also the client), as well as the process for issuing, renewing and authorizing the certificate.

Review how the authorization process is carried out in the application (verify whether it is done through code and groups within the application itself, or through Active Directory groups or another element).

Is the authentication process logged both on the server side and on the client side? (if applicable)

Does the application display informative messages when authentication could not be performed successfully? (Check what these messages contain, since they should not reveal exactly which field was wrong.)

Is there a procedure in the application to block the user's access after a certain number of failed attempts, along with other considerations such as inactivity time, etc.? (Check after how many attempts access is blocked, since it should be a maximum of 3 attempts, and whether other criteria are also used to block access.)

How does the application inform the user that the account has been blocked?

Does the authentication process reveal information about the application to which you are authenticating?

Are confidential details of the user, the equipment, the application, etc. shown on the screen while the user types them?

Does the application respond as expected when the authentication data is not correct?

During the user's session, does the application's interface indicate somewhere who the authenticated user or owner of the session is?

Is authentication information stored on the client? Is the client identification on the device, or other information, stored in the cache or in cookies?

How are sessions handled in the application? Is the application prone to session theft through cookies, the browser's back/forward buttons or URL escalation? Is it possible to identify the previous user of the current one through the information stored in the computer's cache? Is there any way for users who have left to reuse their login information to access the application without providing the authentication data again?

How does the application react to attempts to bypass authentication and access privileges through URL escalation? Does it throw error messages or request authentication?

How is the authentication information stored in the database or file system? (Check whether it is kept in plain text or encrypted, especially passwords.)

Verify the use of a Captcha in highly exposed environments.

Is it technically possible to perform DoS attacks on the application using multiple user accounts?

Everything that is done in the application, as well as in the database, must be logged: failures, changes, updates.

Validate that the date and time in the log files are sequential and consistent with the platform's clock.
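The following is an added example, not code from the original post, that puts several of the checklist items above into one small login service: passwords are stored as salted hashes rather than in plain text, a single generic message is returned on failure so it does not reveal which field was wrong, access is blocked after the post's maximum of 3 failed attempts, the interface states who is signed in, and every authentication event is written to an audit log with a UTC timestamp that can later be checked for ordering. The class and function names, the in-memory user store, the 15-minute lockout window and the PBKDF2 iteration count are all assumptions made for this illustration.

```python
# Added example (not from the original post): a minimal login service that
# implements several items of the assessment checklist. The user store, the
# lockout window and the iteration count are constructed for this example.
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

MAX_ATTEMPTS = 3                 # the post's suggested maximum of 3 failed attempts
LOCKOUT = timedelta(minutes=15)  # assumed lockout window
PBKDF2_ROUNDS = 100_000          # assumed work factor
GENERIC_FAILURE = "Invalid username or password"  # does not say which field failed


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only the salt and digest are stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AuthService:
    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}
        self.audit_log: List[Tuple[str, str, str]] = []  # (UTC timestamp, event, username)

    def _log(self, event: str, username: str, now: datetime) -> None:
        # One clock, appended in order: the log can later be checked for
        # out-of-sequence timestamps, as the checklist recommends.
        self.audit_log.append((now.isoformat(), event, username))

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest,
                                "failures": 0, "locked_until": None}

    def login(self, username: str, password: str,
              now: Optional[datetime] = None) -> Tuple[bool, str]:
        now = now or datetime.now(timezone.utc)
        user = self.users.get(username)
        if user is None:
            # Do the same hashing work and return the same message for unknown
            # users, so neither timing nor text reveals which accounts exist.
            hash_password(password, b"\x00" * 16)
            self._log("login_failure", username, now)
            return False, GENERIC_FAILURE
        if user["locked_until"] and now < user["locked_until"]:
            # A locked account gets the generic message too; the lock itself is
            # reported to the account owner out of band (assumed design choice).
            self._log("login_rejected_locked", username, now)
            return False, GENERIC_FAILURE
        _, digest = hash_password(password, user["salt"])
        if hmac.compare_digest(digest, user["digest"]):
            user["failures"], user["locked_until"] = 0, None
            self._log("login_success", username, now)
            return True, f"Signed in as {username}"  # interface shows who is authenticated
        user["failures"] += 1
        self._log("login_failure", username, now)
        if user["failures"] >= MAX_ATTEMPTS:
            user["locked_until"] = now + LOCKOUT
            self._log("account_locked", username, now)
        return False, GENERIC_FAILURE


def simulate_lockout() -> dict:
    """Walk through the lockout behaviour with a fixed clock and return the outcomes."""
    svc = AuthService()
    svc.register("ana", "correct horse battery")
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    result = {"first_login_ok": svc.login("ana", "correct horse battery", t0)[0]}
    locked_after = 0
    for i in range(1, MAX_ATTEMPTS + 1):
        svc.login("ana", "wrong password", t0 + timedelta(seconds=i))
        if svc.users["ana"]["locked_until"] and not locked_after:
            locked_after = i
    result["locked_after"] = locked_after
    result["login_while_locked_ok"] = svc.login(
        "ana", "correct horse battery", t0 + timedelta(minutes=1))[0]
    result["login_after_lockout_ok"] = svc.login(
        "ana", "correct horse battery", t0 + LOCKOUT + timedelta(minutes=1))[0]
    result["unknown_user_message"] = svc.login("nobody", "x", t0 + timedelta(hours=1))[1]
    timestamps = [ts for ts, _, _ in svc.audit_log]
    result["log_is_ordered"] = timestamps == sorted(timestamps)
    result["events"] = [event for _, event, _ in svc.audit_log]
    return result


if __name__ == "__main__":
    for key, value in simulate_lockout().items():
        print(f"{key}: {value}")
```

Running the block prints the outcome of each step: the first login succeeds, the third wrong password locks the account, a correct password is refused while the lock is active and accepted once it expires, and the audit log timestamps come out in order. A real deployment would keep the user store in a database and the audit log in the platform's central logging, but the checks themselves do not change.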



When designing controls to prevent misuse of an application, the most likely attackers should be considered (in order of likelihood and loss, from most to least):

  • Dissatisfied staff or developers.
  • "Powered by" attacks, as side effects or direct consequences of a virus, worm or Trojan attack.
  • Motivated criminal attackers, such as organized crime.
  • Criminal attackers against your organization for no particular reason.

Some attacks on websites or web applications:

  • Semantic URL attacks.
  • Cross-site scripting attacks.
  • Forged HTTP requests.
  • SQL injection.
  • Brute force attacks.

Among others. In the next post, each of these attacks will be explained.
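As an added example for the SQL injection item in the list above (not code from the original post, which defers the explanation to a later article), the same user lookup is written twice: once by pasting the input into the SQL text, and once with a bound parameter. The table and its rows are constructed in an in-memory SQLite database so the block runs offline.

```python
# Added example (not from the original post): a lookup written the unsafe way
# (string formatting) and the safe way (parameterized query), run against a
# constructed in-memory SQLite table.
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users, one of them an administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("ana", "admin"), ("luis", "user"), ("sofia", "user")])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # The input becomes part of the SQL text, so a quote character in it can
    # change the structure of the statement, not just the value compared.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # The ? placeholder sends the input as a bound value; the database engine
    # only ever treats it as data, whatever characters it contains.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def compare(name: str) -> dict:
    """Run both lookups on a fresh database and report what each one returns."""
    conn = make_db()
    try:
        unsafe = find_user_unsafe(conn, name)
    except sqlite3.Error as exc:
        unsafe = f"error: {exc}"
    safe = find_user_safe(conn, name)
    conn.close()
    return {"unsafe": unsafe, "safe": safe}


if __name__ == "__main__":
    # A normal name: both versions return the same single row.
    print(compare("ana"))
    # A legitimate name containing an apostrophe: the unsafe version cannot
    # even run, while the parameterized version simply finds no match.
    print(compare("o'brien"))
    # A crafted value that closes the quote and adds a condition: the unsafe
    # version returns every row, the parameterized version returns none.
    print(compare("x' OR '1'='1"))
```

During an assessment, the second case (a legitimate value with a quote breaking the page) is often the first visible sign that a query is built by string concatenation; the fix is the same in every language: bind values with placeholders and never assemble SQL text from user input.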


Once the security assessment is completed and the vulnerabilities present in the application, database and servers have been detected, this information should ideally be sent to the custodian of the technological platform, presented in a report that indicates:

Which vulnerabilities were detected.

The risk that these findings pose to the platform and to its main asset, the information.

The recommendations, that is, the controls or security measures with which the vulnerabilities will be corrected or mitigated.

One of the most important things is to follow up, so that the custodian of the platform commits to mitigating all these findings or vulnerabilities. In this way a greater level of security is given to these applications, to the network and to the technological platform in general.

I hope this shared information is useful.




Interesting publication @mildreduh; certainly protecting information is important, because if the information is leaked it brings problems or even the bankruptcy of an entity.

Thank you for your appreciation @emiliocabrera, that's right: information is the most important asset, it is what we must protect; by ensuring or giving a level of security to our technology platform and all the devices and services that comprise it, we are protecting our information.
