How to improve the security of web applications?

Maciej Jankowski
Published in CDeX
Dec 7, 2020

In this article we present several measures that quickly improve the security of a web application:

X-Frame-Options header
Cookies
HTTP Strict-Transport-Security
X-Content-Type-Options header
Subresource Integrity (SRI)

X-Frame-Options header

The X-Frame-Options header was designed to reduce the risk of clickjacking attacks. It tells the browser which sites, if any, may embed our web application in <object>, <frame> or <iframe> elements; framing from any other domain is blocked.

The header accepts one of the following values:

X-Frame-Options: ALLOW-FROM http://example.com — the page may be framed only by the indicated origin. This value is obsolete: current browsers ignore it (Chrome never supported it), and a browser that does not understand the value applies no framing restriction at all. Use Content-Security-Policy: frame-ancestors https://example.com instead.

X-Frame-Options: SAMEORIGIN — the page may be framed only by pages from the same origin

X-Frame-Options: DENY — the page may not be framed at all

Cookies

We can raise the security of cookies by adding two flags, HttpOnly and Secure.

The HttpOnly flag limits the damage of an XSS attack. A cookie with this flag is still sent with HTTP requests as usual, but it is not exposed to scripts: document.cookie does not include it.
Most often an XSS payload tries to read document.cookie in order to steal the session cookie. With HttpOnly set, the session cookie is missing from that value. Note that the flag does not stop the XSS itself: injected script can still send requests from the victim's browser, and the browser will attach the cookie to them.

The Secure flag stops the cookie from being sent over plain HTTP. With this flag set, the browser sends the cookie only over HTTPS.

A sample session cookie with the HttpOnly and Secure flags set:

Set-Cookie: token=1znpr7zx3m29w4n5zf2d1; HttpOnly; Secure

HTTP Strict-Transport-Security


HSTS is a mechanism that significantly increases the security of the connection to the web application. It instructs the browser to talk to the server only over HTTPS: once the browser has seen the header, it rewrites every http:// URL for that host to https:// before the request leaves the machine, so no plaintext request is sent at all. This defends the application against SSL stripping and similar man-in-the-middle downgrade attacks. Two caveats: browsers honour the header only when it arrives over HTTPS, and the very first visit is unprotected unless the site is on the browsers' HSTS preload list.

Definition of the header:

Strict-Transport-Security: max-age=31536000

The max-age directive specifies for how many seconds, counted from the last response that carried the header, the browser remembers the policy. 31536000 seconds = 1 year. Adding includeSubDomains extends the policy to all subdomains of the host.

When a web application sends the HSTS header, the user's browser behaves as follows:

  • every attempt to connect over http is changed to https before the request is sent, e.g. http://example.com -> https://example.com
  • if the HTTPS connection cannot be secured, for example because the certificate has expired or does not match the host, the browser shows an error that the user cannot click through
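To make the two behaviours above concrete, here is a small model of the policy store a browser keeps for HSTS. It is an added example, not code from the original article or from any browser; the class name, the hostnames and the timestamps are constructed for the demonstration, and a real browser additionally consults a built-in preload list.

```javascript
// Added example: a minimal model of how a browser stores and applies an HSTS policy.
// Not code from the article or from any browser; hostnames and times are constructed.

// Parse the value of a Strict-Transport-Security header into its directives.
// Returns null when max-age is missing or malformed, because the header is then
// invalid and a browser ignores it.
function parseHsts(headerValue) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const part of headerValue.split(';')) {
    const [rawName, rawValue] = part.split('=');
    const name = rawName.trim().toLowerCase();
    if (name === 'max-age') {
      const n = Number((rawValue || '').trim().replace(/^"|"$/g, ''));
      if (!Number.isInteger(n) || n < 0) return null;
      maxAge = n;
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() {
    this.policies = new Map(); // host -> { expires (ms), includeSubDomains }
  }

  // Called when a response arrives. Browsers only honour the header over HTTPS,
  // so a policy delivered over plain HTTP is ignored; max-age=0 deletes the entry.
  // Returns true when the store was updated.
  observeResponse(url, headerValue, now) {
    const u = new URL(url);
    if (u.protocol !== 'https:') return false;
    const policy = parseHsts(headerValue);
    if (!policy) return false;
    if (policy.maxAge === 0) {
      this.policies.delete(u.hostname);
      return true;
    }
    this.policies.set(u.hostname, {
      expires: now + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Find a non-expired policy for the host itself, or for a parent domain whose
  // policy carries includeSubDomains. Expired entries are dropped on the way.
  lookup(host, now) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length - 1; i++) {
      const candidate = labels.slice(i).join('.');
      const p = this.policies.get(candidate);
      if (!p) continue;
      if (p.expires <= now) {
        this.policies.delete(candidate);
        continue;
      }
      if (i === 0 || p.includeSubDomains) return p;
    }
    return null;
  }

  // First bullet above: rewrite http:// to https:// for known hosts before any
  // request is sent. URLs for unknown or expired hosts are returned unchanged.
  upgrade(url, now) {
    const u = new URL(url);
    if (u.protocol !== 'http:' || !this.lookup(u.hostname, now)) return url;
    u.protocol = 'https:';
    return u.href;
  }

  // Second bullet above: with an active policy the browser does not let the user
  // click through a certificate error for that host.
  certificateErrorBypassable(host, now) {
    return this.lookup(host, now) === null;
  }
}

// Demonstration with a constructed clock (7 Dec 2020, the article's publication date).
const store = new HstsStore();
const t0 = Date.UTC(2020, 11, 7);
store.observeResponse('https://example.com/', 'max-age=31536000; includeSubDomains', t0);
console.log(store.upgrade('http://example.com/login', t0));                    // https://example.com/login
console.log(store.upgrade('http://api.example.com/v1', t0));                   // https://api.example.com/v1
console.log(store.upgrade('http://example.com/login', t0 + 31536001 * 1000));  // http://example.com/login (expired)
console.log(store.certificateErrorBypassable('example.com', t0));             // false
```

The model shows why max-age matters: the policy is only as durable as the value in the last response, so a site that stops sending the header, or sends a tiny max-age, loses the protection as soon as the timer runs out.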

X-Content-Type-Options header

The X-Content-Type-Options header disables MIME sniffing: the browser must honour the declared Content-Type instead of guessing the type from the content. This protects the application from files being used in a different context than their Content-Type indicates.

Example: the web application allows users to upload images, and another vulnerability (e.g. XSS or HTML injection) lets an attacker insert markup into a page. The attacker uploads a file named image.jpeg whose content is in fact JavaScript.

Without the header, a browser that sniffs content types may treat the file as a script and execute the malicious code when it is referenced like this:

<script src="http://example.com/uploads/image.jpeg"></script>

With X-Content-Type-Options set, the load fails: the response's Content-Type is image/jpeg, which is not a JavaScript MIME type, so the browser refuses to execute the file. This relies on the server sending the correct Content-Type for uploads; serving user uploads from a separate origin is a further good practice.

X-Content-Type-Options: nosniff

Subresource Integrity (SRI)

SRI is a security feature that lets the browser verify that resources it fetches (e.g. JS and CSS files) arrive without unintended changes. The page declares a cryptographic hash of the expected file, and the fetched resource must match it.

An attacker who cannot breach our well-protected web application directly may instead attack the server of a component provider we rely on, for example the CDN that serves the jQuery library.

<script src="https://code.jquery.com/jquery.js"></script>

If the attack on the jQuery server succeeds and jquery.js is replaced with a malicious file, the attacker can execute arbitrary code in the context of our web application.

With hash protection in place, the browser computes the hash of the downloaded file, detects that it differs from the hash declared in the page, and refuses to load the file.

An example of a correctly included file from an external server:

<script src="https://code.jquery.com/jquery-3.5.1.js" integrity="sha256-QWo7LDvxbWT2tbbQ97B53yJnYU3WhH/C8ycbRAkjPDc=" crossorigin="anonymous"></script>

The crossorigin attribute is required for a cross-origin resource: without it the browser fetches the file in no-CORS mode, receives an opaque response whose bytes it is not allowed to hash, and therefore refuses to load the script even when the file is intact.

Subresource Integrity reduces the risk of such attacks by ensuring that files the page fetches from an external server are delivered without a third party having "enriched" them with additional content. The integrity value must be regenerated whenever the library version changes; a stale hash blocks the legitimate file as well.

Conclusions

Web applications are now ubiquitous. They bring a variety of benefits to the business, from improved operations to increased productivity and reduced costs. Their growing complexity and prevalence, however, make securing them harder, and as a result they are a frequent target of attacks.

This article has presented several measures that quickly improve the security of a web application. A further step worth taking is to have such applications penetration tested: a test reveals existing vulnerabilities before an attacker exploits them to our disadvantage.
