By Sohaib Amin, Security Consultant
Software applications are used by almost all businesses and individuals today, serving purposes that range from core business operations to daily work and entertainment.
In the business domain, organizations are becoming more and more dependent on applications to perform core business functions, and these applications are critical to the organization. For example, Enterprise Resource Planning (ERP), financial accounting and HR management are a few of the functions that are entirely dependent on software in both large companies and SMEs. These applications increase the efficiency and productivity of the business by automating specific tasks or making them easier to accomplish.
Almost all applications are based on a client-server architecture, in which a central system known as the ‘server’ hosts the application and is responsible for processing application data based on user input. The client is the user who has access to the client interface of the application and is responsible for data input and manipulation and for sending data processing requests to the server; the server then processes the data and sends the output back to the client.
There are primarily two types of client interface:
Native client; a client application is installed on the local user machines and is then configured to connect to the application server.
Web-based client; the user accesses the client interface through their Internet browser. In this setup, all requests are sent from the client browser to a web server, which then passes the data to the application server. Depending on the architecture, the web server and application server may be two different systems or may function as one system.
Of the two, web-based applications are more popular and among the most commonly used. This is because web applications are platform independent (it doesn’t matter what OS the client has), easy to use and access (you just need a browser), easily scalable, and easy to manage (management is centralized on the web server).
All applications are developed on a software development platform and written in languages or frameworks such as Microsoft .NET, Java etc.
Web applications are becoming more complex as they provide more functionality to meet the needs of the business. In competitive environments, rapid development and continuous upgrading of applications are also required to meet market needs.
This has made software code more complex, and critical testing stages are not always completed thoroughly before an application is made available to the public. These factors contribute to vulnerabilities in web applications that can be exploited, causing a significant negative impact to a business.
Web application attacks on websites, online servers etc. are becoming more common, because the applications are available in the public domain and so offer attackers a convenient way to reach and exploit the systems.
Some of the most common attacks on web applications are:
· SQL Injection (SQLi)
· Cross-site scripting (XSS)
· Buffer overflow
· Remote File Inclusion (RFI)
· Attacking Encrypted Sessions
· Man in the Middle (MiTM)
These attacks exploit weaknesses in the software code and application logic, which can lead to theft or disclosure of confidential business data such as customer information, internal company data etc.
To effectively mitigate or reduce the risk of such attacks, software code reviews should be conducted during testing and before the application is published.
A software code review checks critical functions of the application such as:
· Administrative functions (User creation/modification/deletion, Assigning of roles and privileges)
· Database connections
· Creation/Modification/Deletion of content
· User Sessions
· Error control
· Internal application logic
Applications should be thoroughly tested for security weaknesses before they are published, and secure coding practices should be followed, such as encryption, input validation etc. The Open Web Application Security Project (OWASP, owasp.org) is a good resource for learning secure coding practices and how to develop your application so that it is protected from such attacks.
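As an added illustration of what a code review of the "database connections" item above looks for, and of the input validation practice just mentioned, here is a login check written two ways (example code added here, not from the original article): one that concatenates user input into the SQL string, which is the pattern that makes SQL injection possible, and a hardened version that validates the input and binds it as query parameters. The table, user records and password handling are constructed for the demo only; a real application would store password hashes, not plaintext.

```python
import sqlite3

# Constructed sample data for the demo; not taken from any real system.
# Plaintext passwords are used only to keep the example short.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string concatenation, so any quote character in
    the input changes the SQL itself. A code review should flag this."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Validates the input first (length and character set), then binds the
    values as parameters so the database treats them as data, never as SQL."""
    if not (0 < len(username) <= 32 and username.isalnum()):
        return False
    if not (0 < len(password) <= 128):
        return False
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(username: str, password: str) -> tuple:
    """Run the same credentials through both versions and return
    (vulnerable_result, hardened_result) for side-by-side review."""
    conn = make_db()
    try:
        return (login_vulnerable(conn, username, password),
                login_hardened(conn, username, password))
    finally:
        conn.close()
```

With valid credentials both versions agree; with a password containing a single quote, the concatenated version can return a login success for a value that matches no stored row, while the parameterized version correctly rejects it.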