The common security threats and how to protect from them

Elena Kvitkovska
QuickBlox Engineering
Mar 24, 2020

A modern application is a complex system made up of many components and uniting many technologies. The more complex the system, the more security threats it faces. The risks of insufficient security are too serious to ignore — that is why businesses pay close attention to protecting sensitive data. In this article, we will tell you about the main application security risks and give you useful tips on server-side and client-side security.

4 types of the most common security threats

Information security is the set of means that protect information from accidental or intentional exposure. A security threat is a potential influence on, or impact against, an automated system that results in a loss to someone's interests.

There are more than 100 varieties of threats to the information system. To ensure the security of your mobile application, it is important to understand in what areas you can expect problems.

Cross-site scripting (XSS)

In a cross-site scripting (XSS) attack, an intruder injects malicious client-side scripts into a web application. XSS attacks are possible in several software environments, including VBScript, Flash, ActiveX, JavaScript and even CSS. However, they are most common in JavaScript, primarily because JavaScript is fundamental to most browsing experiences. This ability to exploit commonly used platforms makes XSS one of the most common security vulnerabilities.

A frequent target of an XSS attack is user credentials. The injected JavaScript modifies the action attribute of the login form so that it points to the attacker's server. With this privilege level, the malicious code is quite capable of reading, changing or transmitting any important data available to the browser. It may steal the user's account, redirect the browser to another address, or display fake information inside a valid web page or application.

Prevention

  • Avoid returning tags to the client, redirecting, or performing similar actions based on client-side data. Most of these actions can be performed on the server side with dynamic pages.
  • Analyze and harden the client-side (JavaScript) code. References to DOM objects that an attacker could manipulate should be carefully checked.
  • Stick strictly to IPS rules. For example, the welcome.html page is allowed to receive one single validated parameter, “name”, and any violation results in the original page being refused.
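The defensive core of the list above is output encoding: whatever a user typed is written into the page as data, never as markup. The following Python example is added here and is not code from the article or from QuickBlox; the sample chat messages and the renderer functions are constructed for the demonstration. It shows the unsafe pattern (user data pasted straight into HTML), the safe rendering of the same data for element text and attribute contexts, and the extra step needed when data is handed to an inline script.

```python
# Added example (not from the original article): context-aware output encoding
# for chat messages rendered into HTML. Sample input is constructed.
import html
import json

# Constructed sample messages, as a messaging app might receive them.
SAMPLE_MESSAGES = [
    {"author": "alice", "text": "Hi there!"},
    {"author": "<b>mallory</b>", "text": "<script>alert('xss')</script>"},
    {"author": "bob", "text": 'click "here" & see'},
]


def encode_text(value):
    """Entity-encode a string for the HTML text and attribute contexts.
    quote=True also encodes the quote characters, which matters inside
    a double-quoted attribute such as data-author="...".
    """
    return html.escape(value, quote=True)


def render_unsafe(msg):
    """The pattern the article warns about: user data placed into HTML verbatim."""
    return f'<li class="msg" data-author="{msg["author"]}">{msg["text"]}</li>'


def render_safe(msg):
    """Same template, but every user-controlled value is encoded for its context."""
    author = encode_text(msg["author"])
    text = encode_text(msg["text"])
    return f'<li class="msg" data-author="{author}">{text}</li>'


def render_for_js(msg):
    """Data embedded in an inline <script> block must be emitted as JSON with
    '<', '>' and '&' written as \\uXXXX escapes, so that a closing </script>
    inside the payload cannot terminate the script element. json.loads
    still decodes the escapes back to the original characters."""
    raw = json.dumps(msg)
    return raw.replace("&", "\\u0026").replace("<", "\\u003c").replace(">", "\\u003e")


def render_all(messages):
    """Render a list of messages with the safe renderer."""
    return "\n".join(render_safe(m) for m in messages)


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print("unsafe:", render_unsafe(m))
        print("safe:  ", render_safe(m))
        print("js:    ", render_for_js(m))
```

Encoding must match the output context: the entity encoding used here is right for element text and quoted attributes, but a value placed into a URL, a CSS property or an event-handler attribute needs its own encoder, and the simplest rule is not to place user data in those positions at all.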

Cross-site request forgery (CSRF/XSRF)

CSRF (Cross-Site Request Forgery, also XSRF) is a dangerous attack that allows an attacker to perform actions on behalf of other registered visitors. This type of attack is aimed at simulating a user's request to a third-party site. The vulnerability is quite widespread because of the architecture of most web applications: they do not reliably determine whether a request was really initiated by the user.

Many web applications use cookies to control the user's session. The browser is designed so that if it holds the user's cookies for a given domain and path, it automatically attaches them to the HTTP request, which the server then treats as coming from an authenticated user. Thus a CSRF attack exploits the user's browser to send HTTP requests to arbitrary sites, and the vulnerability lies in the absence of any check on the source of the HTTP request.

Prevention

Protecting against CSRF requires two preconditions: the absence of XSS vulnerabilities and the absence of malware on the client machine. With those in place, we suggest the following measures:

  • Implement an Anti-CSRF Token

When the user fills out the form, the browser generates a token and sends it to the server together with the result. The server compares the token it has stored with the one received from the user; if they do not match, the requested action is cancelled.

  • REST

Representational State Transfer (REST) is a set of design principles that provide standards between computer systems on the web, making it easier for systems to communicate with each other. With RESTful principles the implementation of the client and the implementation of the server can be done independently.

  • Ensure Cookies are sent with the SameSite Cookie Attribute

CSRF attacks are only possible because cookies are always sent with any request made to the origin they belong to. The SameSite cookie attribute is another method used to prevent CSRF attacks and improve web application security. It lets you tell the browser whether your cookie should be restricted to a first-party or same-site context.

  • Include Additional Authentication for Sensitive Actions

Security-sensitive actions should ask for an additional authentication step. Re-confirmation of the login ensures the security of the service by preventing a malicious actor from performing sensitive actions.
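The token check and the SameSite cookie attribute from the list above fit together on the server side as follows. This Python example is added here and is not code from the article or from QuickBlox; the `Request` and `SessionStore` classes, the `ALLOWED_ORIGIN` value and the two sample requests are constructed for the demonstration. It issues a per-session token that is embedded in forms, sets the session cookie with `SameSite=Strict; HttpOnly; Secure`, and rejects state-changing requests whose token does not match or whose `Origin` header is foreign.

```python
# Added example (not from the original article): anti-CSRF token handling plus
# hardened session-cookie attributes. All names and sample data are constructed.
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class SessionStore:
    """In-memory session table: session id -> per-session CSRF token."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid):
        sess = self._sessions.get(sid)
        return None if sess is None else sess["csrf"]


def session_cookie_header(sid):
    """Set-Cookie header for the session id. SameSite=Strict keeps the browser
    from attaching the cookie to cross-site requests; HttpOnly hides it from
    scripts; Secure restricts it to HTTPS."""
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


def csrf_hidden_field(store, sid):
    """Hidden input the server embeds in every state-changing form."""
    return f'<input type="hidden" name="csrf_token" value="{store.csrf_token(sid)}">'


ALLOWED_ORIGIN = "https://app.example.test"  # constructed value for the demo


def check_state_changing_request(store, req):
    """Return (ok, reason). Safe methods are not checked; anything else needs a
    live session, a matching token and, if an Origin header is present, our own origin."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    expected = store.csrf_token(req.cookies.get("sid", ""))
    if expected is None:
        return False, "no session"
    supplied = req.form.get("csrf_token", "")
    # compare_digest keeps the comparison time independent of where the strings differ
    if not hmac.compare_digest(expected, supplied):
        return False, "token mismatch"
    origin = req.headers.get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return False, "foreign origin"
    return True, "ok"


def demo():
    """Run one legitimate and one forged request; return both verdicts."""
    store = SessionStore()
    sid = store.new_session()
    token = store.csrf_token(sid)
    good = Request("POST", cookies={"sid": sid},
                   form={"csrf_token": token, "action": "delete_chat"},
                   headers={"Origin": ALLOWED_ORIGIN})
    # Forged request: the browser attaches the cookie automatically, but the
    # third-party page cannot read the token, so the form field is absent.
    forged = Request("POST", cookies={"sid": sid},
                     form={"action": "delete_chat"},
                     headers={"Origin": "https://evil.example.test"})
    return check_state_changing_request(store, good), check_state_changing_request(store, forged)


if __name__ == "__main__":
    print(session_cookie_header("example-sid"))
    print(demo())
```

The token is stored server-side and compared with `hmac.compare_digest`; the `Origin` check is defence in depth, since older browsers may omit the header, which is why it is only enforced when present.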

SQL injections

SQL injections are among the most frequent threats to data security. SQL injection is a code injection technique used to modify or retrieve data from SQL databases. An attacker sends crafted data to the web application in order to control the application's database and make it operate differently from its intended purpose. By inserting special SQL statements into an input field, a bad actor can execute commands to extract data from a database, destroy sensitive data, or perform other manipulations.

Prevention

To bypass security measures, attackers sometimes perform multi-vector attacks on the target website. DDoS attacks, DNS hijacking and other methods of disruption are sometimes used as a distraction while a SQL injection attack is carried out. To mitigate the attack, it is enough to apply two simple practices:

  • Keeping all web application software components up to date with the latest security patches will help to prevent server-side security threats.
  • Use Web Application Firewalls to monitor the traffic and filter potentially malicious web requests.
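Patching and a WAF reduce exposure, but the defect itself is in how the query is built: input that is concatenated into SQL text is parsed as SQL. The fix a practitioner would want to see is the parameterized query, where the driver passes the value separately from the statement. The example below is added here and is not code from the article or from QuickBlox; it runs against an in-memory SQLite database with constructed rows and compares the concatenated lookup with the parameterized one on the same input.

```python
# Added example (not from the original article): the same login lookup written
# with string concatenation and with a parameterized query, run against an
# in-memory SQLite database holding constructed rows.
import re
import sqlite3


def setup_db():
    """Create a throwaway database with a few constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "user"), ("admin", "admin")])
    return conn


def find_user_unsafe(conn, username):
    """Vulnerable: the input becomes part of the SQL text and is parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterized: the value travels separately from the statement, so it
    can only ever be compared as data, whatever characters it contains."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list validation as defence in depth: usernames have a known shape, so
# anything else is rejected before it reaches the database at all.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def is_valid_username(value):
    return bool(USERNAME_RE.match(value))


# The textbook tautology input, used only to show the difference between the two queries.
PAYLOAD = "x' OR '1'='1"


def compare():
    """Run both lookups on the same inputs and return the rows each produced."""
    conn = setup_db()
    return {
        "unsafe": find_user_unsafe(conn, PAYLOAD),   # every row comes back
        "safe": find_user_safe(conn, PAYLOAD),       # no user has that literal name
        "legit": find_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in compare().items():
        print(f"{name}: {rows}")
```

The same parameter syntax exists in every mainstream driver (`?`, `%s` or `:name` placeholders), and ORMs use it underneath; the concatenated form should be treated as a finding in code review regardless of whether a WAF sits in front of the application.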

Brute force attack

A brute force attack searches for the password that grants access to a site or server by enumerating the set of all its possible values. Different password combinations are tried until the right one is matched. This usually takes into account the smallest and largest possible password lengths.

DoS and DDoS attacks are the most popular types of brute force attack. A DoS attack consists of multiple requests from a single IP address that lead to a denial of the service. If many DoS attacks are performed from different machines, it is called a DDoS attack (distributed denial of service). A DDoS attack usually comes from a network of thousands of connected computers — a botnet. The machines of a botnet are usually infected with malware, and their owners do not even know that they are part of a DDoS attack.

Prevention

Restrict logins on the client side

  • limit failed login attempts
  • use Captcha
  • introduce strict password requirements
  • limit logins to a specified range
  • introduce two-factor authentication
  • create unique login URLs for the different user groups

Protect the infrastructure on the server side

  • Configure your SSH access: restrict SSH access to the root account and change the default SSH port from 22 to a different one.
  • Monitor the server logs
  • Use DDoS-protection services like Cloudflare. In case of an attack, they limit the load on the server's resources
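The first item of the client-side list above, limiting failed login attempts, only works if the limit is enforced by the server, since a client-side check can simply be skipped. This Python example is added here and is not code from the article or from QuickBlox; the `LoginThrottle` class, the `FakeClock` and the simulated attempts are constructed for the demonstration. It counts failures in a sliding window, keyed both by account and by source address, and locks the key out for a fixed period once the threshold is reached, so that a correct password submitted during the lockout is still refused.

```python
# Added example (not from the original article): server-side throttling of
# failed logins with a sliding window and a temporary lockout. The clock is
# injectable so the simulation runs offline and deterministically.
from collections import deque
import time


class LoginThrottle:
    """Track failed attempts per key and lock a key out after too many.

    max_failures failures within window_seconds lock the key for
    lockout_seconds. Callers key on both the account name and the source
    address: the account key stops a single account being hammered, the
    address key stops one host spraying attempts across many accounts.
    Per-account lockout can be abused to lock a victim out, which is why the
    lockout is temporary rather than permanent.
    """

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = {}      # key -> deque of failure timestamps
        self._locked_until = {}  # key -> timestamp when the lockout ends

    def _recent_failures(self, key, now):
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return q

    def is_locked(self, key):
        until = self._locked_until.get(key)
        return until is not None and self.clock() < until

    def record_failure(self, key):
        now = self.clock()
        q = self._recent_failures(key, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            q.clear()

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(throttle, username, source_ip, password_ok):
    """password_ok is the verdict of the real credential check (not part of
    this example). Returns 'locked', 'ok' or 'failed'. The lockout is checked
    first, so a correct password does not bypass it."""
    keys = (f"user:{username}", f"ip:{source_ip}")
    if any(throttle.is_locked(k) for k in keys):
        return "locked"
    if password_ok:
        for k in keys:
            throttle.record_success(k)
        return "ok"
    for k in keys:
        throttle.record_failure(k)
    return "failed"


class FakeClock:
    """Constructed clock so the simulation does not depend on wall time."""

    def __init__(self):
        self.t = 1000.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate():
    """Three wrong passwords, then the right one during lockout, then after it."""
    clock = FakeClock()
    th = LoginThrottle(max_failures=3, window_seconds=60, lockout_seconds=600, clock=clock)
    results = [attempt_login(th, "alice", "203.0.113.5", False) for _ in range(3)]
    results.append(attempt_login(th, "alice", "203.0.113.5", True))   # still locked
    clock.advance(601)
    results.append(attempt_login(th, "alice", "203.0.113.5", True))   # lockout expired
    return results


if __name__ == "__main__":
    print(simulate())
```

In a real deployment the counters live in a shared store (such as Redis) so that every application node sees the same state, and each lockout is also logged, since a burst of lockouts across many accounts is itself a detection signal for a credential-stuffing campaign.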

Malware

Malware is software intended to disrupt a computer's functions or to steal personal information. The most common variations are adware, rootkits, spyware, Trojan horses, viruses, and worms.

Prevention

Although malware infections are quite common, an infection is easy to prevent by following a few simple rules:

  • Using reliable, up-to-date and patched software
  • Using WAFs, anti-viruses, malware scanners, sanitizers on all layers
  • Using sandboxes for launching suspicious code without risk to harm the device or network

6 ways to secure your messaging infrastructure

Ensuring the security of your business communication is an important process that prevents compromise and the misuse of insider information. Organizations in the finance, healthcare, and legal industries should specifically look for a secure enterprise messaging service that offers the technical requirements, audit controls, and additional measures required by HIPAA and other regulations.

Here’s how to keep your messaging infrastructure secure.

Use of SSL certificates (HTTPS, XMPP)

Using SSL certificates ensures that all data is encrypted before it is sent, so even if an attacker intercepts it, he can neither read nor modify it. This is the most important step in securing a text messaging app.
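The certificate only protects the connection if the client actually verifies it: a client that disables certificate or hostname checking accepts any certificate an interceptor presents, and the encryption then protects nothing. The example below is added here and is not code from the article or from QuickBlox; the `ca_file` parameter is a hypothetical option that defaults to the system trust store. It builds a client TLS context with the settings a messaging client needs and audits any context for the common weakening shortcuts.

```python
# Added example (not from the original article): a hardened client-side TLS
# context and an audit function that flags the usual ways it gets weakened.
import ssl


def make_client_context(ca_file=None):
    """Client context with certificate verification, hostname matching and a
    TLS 1.2 floor. ca_file (hypothetical parameter) points at a custom trust
    store; None uses the system's default certificates."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Return a list of weaknesses found in a context; an empty list passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS older than 1.2")
    return findings


def insecure_context_for_comparison():
    """The shortcut often added to silence certificate errors during development:
    it trusts every certificate, which defeats the purpose of having one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print("hardened:", audit_context(make_client_context()) or "no findings")
    print("insecure:", audit_context(insecure_context_for_comparison()))
```

Running `audit_context` over the contexts an application creates (for its HTTPS calls and its XMPP connection alike) is a cheap check to add to a test suite, because a `verify_mode = CERT_NONE` left over from debugging is otherwise invisible in normal operation.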

Control of user access

User accounts, their access rights and the history of operations performed should be locked down and aligned with compliance and regulatory requirements. Weak controls leave user accounts vulnerable to unauthorized access.

  • Use secure API authentication tokens that are valid for a limited time.
  • Use one-time login links instead of passwords, and limit login attempts
  • Use SSH key authentication
  • Encrypt and hash all passwords
  • Set security rules to the passwords
  • Introduce multi-factor authentication
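Two items on the list above, time-limited API tokens and hashed passwords, are shown below in Python. The example is added here and is not code from the article or from QuickBlox; the `SERVER_KEY` is generated at import time for the demonstration (a real service loads it from a secret store), and the token format is a simple constructed one, not a standard. Passwords are stored with salted PBKDF2-HMAC-SHA256, and tokens carry an expiry protected by an HMAC so that the server can refuse both tampered and expired tokens without a database lookup.

```python
# Added example (not from the original article): salted password hashing and
# HMAC-signed tokens with an expiry. SERVER_KEY and the token format are
# constructed for the demonstration.
import base64
import hashlib
import hmac
import secrets
import time

# Iteration count for PBKDF2-HMAC-SHA256; tune it to your hardware and
# re-check current guidance, since recommended values rise over time.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: algorithm, iterations, salt and digest,
    so the parameters can be raised later without breaking old records."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected, iterations = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(iters)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


SERVER_KEY = secrets.token_bytes(32)  # constructed; load from a secret store in production


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, ttl_seconds, key=SERVER_KEY, now=None):
    """Token = base64(user_id:expiry) . base64(HMAC-SHA256 over that payload)."""
    current = int(time.time() if now is None else now)
    payload = f"{user_id}:{current + ttl_seconds}".encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, key=SERVER_KEY, now=None):
    """Return the user id for an authentic, unexpired token, otherwise None.
    The signature is checked before anything in the payload is trusted."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), sig):
            return None
        user_id, _, exp = payload.decode().rpartition(":")
        expiry = int(exp)
    except ValueError:   # malformed base64, missing separator or non-numeric expiry
        return None
    current = time.time() if now is None else now
    if expiry <= current:
        return None
    return user_id


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
    tok = issue_token("alice", ttl_seconds=3600)
    print(tok, verify_token(tok))
```

The expiry lives inside the signed payload, so a client cannot extend its own token; revoking a token before it expires still needs a server-side deny-list or a key rotation, which is the trade-off of stateless tokens.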

Secure data storage & Backup

Do not store sensitive information on your local device. With cloud storage, you keep the information on a remote server, protected from hardware damage or intrusion. In case of any hardware issues, you can always restore from the backup.

  • Ensure that your app or web browser has an encrypted connection before downloading or uploading sensitive data.
  • Ensure minimal privilege for the database access user account. Don’t use the database root account and check for unused accounts and accounts with weak passwords.

Secure development practices

Conducting regular security audits and following back-end and front-end security best practices will help to mitigate the risks.

  • Scan your code for vulnerabilities and cover it with tests
  • Use only secure, up-to-date software from trusted sources
  • Conduct security audits
  • Service Identity, Integrity, and Isolation
  • Inter-Service Access Management
  • Encryption of Inter-Service Communication

Protecting the traffic

  • Configure server-side validation of the client-side data input. Do not put user content into responses.
  • Verify all SQL statements. If a suspicious script has made its way into the application, API or database, it should be rendered as text, not executed as a script
  • Use SSL/TLS encryption to protect data at rest and in transit
  • Follow DDOS-protection practices
  • Use VPNs and private networking when possible

Operational security

  • Always scan for viruses
  • Have a robust firewall system
  • Update software and operating systems
  • Install trusted software
  • Regularly check for vulnerabilities

Conclusion

Any application can get compromised regardless of its size and complexity. For a business, this results in reputational and financial losses. In this article, we told you about the most common threats that can potentially harm your application. Yet if you follow the simple security recommendations from the QuickBlox team, your confidential data will be safe and sound.
