Security Problems In Web Application
The growth of web applications has benefited various business sectors such as e-commerce and banking, as well as end users. However, sharing data over the internet has also attracted malicious hackers. Generally, different levels of sensitive user data are shared with a particular application for transactions over the internet, and a security vulnerability in the application can cause great harm to the business owner as well as to the customers.
Some of the security problems in web applications:
Generally, a session is a way of maintaining user information and keeping track of a particular user throughout the interaction with the application. If the application is not secure, an intruder can intercept the traffic between the user's request and the server and see all the credentials. So it is necessary to put the whole site behind HTTPS, which encrypts the data transmission over the internet. For that, you need to purchase an SSL certificate and set up the web server to support SSL. Then, in config/application.rb, make the following configuration:
config.force_ssl = true
Cross-Site Request Forgery (CSRF)
CSRF is a method of attacking a user of a particular application by sending them links which unwantedly redirect to a destructive URL, executing unwanted commands. For example:
<img src = "http://www.webapp.com/project/1/destroy">
If the user's session on www.webapp.com is still alive, by clicking on the above link the user unwantedly/unknowingly has deleted his project number one.
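The defence against the request above has two parts: a destructive action should never be reachable by a plain GET (an image tag can only issue GET), and state-changing requests must carry a secret token that only pages rendered by the site itself contain. The following is an added example, not code from the original post or from Rails: a plain-Ruby model of the synchronizer-token check that Rails' protect_from_forgery performs, with a simulated destroy action that accepts only DELETE plus a valid token. The class and method names are illustrative.

```ruby
require "securerandom"

# Constant-time comparison so the token check does not leak where the
# first differing byte is (assumption: lengths already checked equal).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Minimal synchronizer-token guard. The session is a plain Hash here; in
# Rails the token lives in the session cookie and is rendered into each form.
class CsrfGuard
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  def initialize(session)
    @session = session
    @session[:csrf_token] ||= SecureRandom.hex(32)
  end

  # Token embedded in forms the site renders; an attacker's page cannot read it.
  def token
    @session[:csrf_token]
  end

  # True if the request may proceed. Safe methods pass; state-changing
  # methods must present the session's token in a form field or header.
  def allowed?(method:, params: {}, headers: {})
    return true if SAFE_METHODS.include?(method.upcase)
    supplied = params["authenticity_token"] || headers["X-CSRF-Token"]
    return false if supplied.nil?
    secure_equal?(supplied.to_s, token)
  end
end

# Simulated project#destroy. The action is routed only for DELETE and only
# with a valid token, so the GET that <img src=".../project/1/destroy">
# produces is refused before anything is deleted.
def handle_destroy(guard, method:, params: {}, headers: {})
  return :method_not_allowed unless method.upcase == "DELETE"
  return :forbidden unless guard.allowed?(method: method, params: params, headers: headers)
  :project_destroyed
end
```

A request that arrives via the image tag is a GET with no token; with this routing it never reaches the destroy logic, and a cross-site form that forges a DELETE without the token is rejected as well.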
It is the process of bypassing the authorization of the application and manipulating the database through a malicious query sent through a user input field. For example, entering user_id: 105 OR 1=1 in the input field is equivalent to
SELECT * FROM Users WHERE UserId = 105 OR 1=1;
Since OR 1=1 is always true, this way the hacker can get all the users from the database.
Cross Site Scripting
It is a feature of Rails which allows an application to create a record from the values of a hash. For e.g
Unfortunately, if there is a user field called 'admin' which controls administration access, any user can make themselves an admin with a query like
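The fix for the mass-assignment problem described above is to copy only the fields a form is meant to set, which is what Rails' strong parameters do with params.require(:user).permit(...). The following is an added example, not code from the original post or from Rails: a plain-Ruby model of the unfiltered assignment beside the whitelisted version, run against constructed request parameters that include an "admin" key. The User class, its fields other than admin, and the parameter values are illustrative.

```ruby
class User
  attr_accessor :name, :email, :admin

  # Fields a self-service form is allowed to set. "admin" is deliberately absent.
  PERMITTED = %w[name email].freeze

  def initialize
    @admin = false
  end

  # Mass assignment as the post describes: every key in the hash becomes an
  # attribute, so a submitted "admin" key grants administration access.
  def self.create_unfiltered(attrs)
    user = new
    attrs.each do |key, value|
      setter = "#{key}="
      user.public_send(setter, value) if user.respond_to?(setter)
    end
    user
  end

  # Hardened: only permitted keys are copied. Unknown and sensitive keys are
  # dropped and reported so the rejection can be logged or turned into an error.
  def self.create_permitted(attrs)
    user = new
    rejected = []
    attrs.each do |key, value|
      if PERMITTED.include?(key.to_s)
        user.public_send("#{key}=", value)
      else
        rejected << key.to_s
      end
    end
    [user, rejected]
  end
end

# Constructed request parameters, the shape a form post or query string such as
# user[name]=mallory&user[email]=m@example.test&user[admin]=true would produce.
ATTACKER_PARAMS = { "name" => "mallory", "email" => "m@example.test", "admin" => true }.freeze
```

Logging the rejected keys is worth keeping: a request that tries to set "admin" from a public sign-up form is a strong signal of probing and is cheap to alert on.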