Friday, October 4, 2019

Web Security Issues

No Authentication & Authorization

Authentication is knowing who an entity is, while authorization is knowing what a given entity can do. APIs should have proper authentication and authorization in place.

What is the solution?

  1. We added authentication and authorization for most APIs.

XSS (Cross-site scripting)

Qualys scan result can help on XSS detection.
With that being side, any sensitive data in HTML body or Javascript is not allowed.

What is the solution?

  1. Always encode customer input to avoid display direct HTML/JS
  2. Move the data from visible JS object to browser memory
  3. Use a framework which takes care of XSS.

CSV Injection

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cells starting with '=' will be interpreted by the software as a formula.

What is the solution?

To remediate it, ensure that no cells begin with any of the following characters:
Equals to ("=")
Plus ("+")
Minus ("-")
At ("@")
This should apply to all download CSV files.

No Input Validation

Input validation on backend APIs is so critical to application security.

What is the solution?

Anything that our application receives from untrusted sources must be filtered, preferably according to a whitelist.
Input validation
Input filtering
Input encoding

Sensitive data exposure

Sensitive data should be encrypted at all times, including in transit and at rest. Also, the logging file should not print any sensitive data.

What is the solution?

  1. In transit: Use HTTPS. Do not accept anything over non-HTTPS connections. Have the secure and HttpOnly flag on cookies.
  2. In storage: if you have sensitive data that you actually do need, store it encrypted and make sure all passwords are hashed.

Security misconfiguration

Do not widely open your environments to the internet access, which gives Hacker chance to explore vulnerabilities.

What is the solution?

  1. Do NOT widely open environment to outside. Use IP whitelist for access control
  2. Perform regular host/container vulnerability scan
  3. Perform regular web application vulnerability scan using Qualys alike tool

DoS or DDoS

Denial of service attack is crucial.

What is the solution?

  1. Add rate limit control to the application 

CORS (cross-origin resource sharing)

The most common and problematic security issue when implementing CORS is the failure to validate/whitelist requestors. Too often developers set the value for Access-Control-Allow-Origin to ‘*’. Unfortunately, this is the default. This allows any domain on the web to access that site’s resources.

What is the solution?

  1. Should we Set Access-Control-Allow-Origin to * ?
  2. What About Access-Control-Allow-Methods?

SSL Certificate Uses Weak Signature

The integrity of the signature hash algorithm used in signing a certificate is a critical element in the security of the certificate. Weaknesses in hash algorithms can lead to situations in which attackers can obtain fraudulent certificates. The MD5 signature has long been considered outdated by cryptographic specialists. SHA-1 is outdated and has been phased out by several sources - including Microsoft, Google, and Mozilla as of January 1, 2016.

What is the solution?

  1. Use SHA256 algorithm

1 comment: