CISSP Assess and Mitigate Vulnerabilities in Web-based Systems – Bk1D3T6

Web-based systems are applications that are accessible using a web browser. Vulnerabilities in web-based systems have been at the root of some of the largest data breaches in recent history, such as Equifax.

This section will speak to vulnerabilities specific to web-based systems. Other issues, such as network security (see Chapter 4) or software vulnerability management and patching (discussed in Chapter 7), can also impact the security of web-based systems.

The definitive references for web security are those published by OWASP and MITRE’s Common Weakness Enumeration (CWE). In turn, other organizations use these references to characterize their various reports, such as SANS’s 25 Most Dangerous Programming Errors. More detailed information for each of these resources can be found at the following sites:

  • The OWASP 2017 Top 10 List:

https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

  • MITRE’s Common Weakness Enumerations, version 1:

https://cwe.mitre.org/data/

  • SANS 25 Most Dangerous Programming Errors:

https://www.sans.org/top25-software-errors

The following sections cover some of the most frequently encountered vulnerabilities.
Note that some of these vulnerabilities have applicability outside of the context of web-based systems and are relevant in other contexts and situations.

Injection Vulnerabilities

Injection occurs when user-supplied content, typically entered into a web form, is not properly checked and sanitized before being processed, enabling an attacker to insert instructions into what is supposed to be data, so that the interpreter executes them as part of a command.

The classic example is SQL injection, in which the user’s input is combined with an SQL query which is submitted to the database for processing. SQL injection attacks have been implicated in some of the largest security breaches, including an attack in 2009 that obtained the details of 130 million credit and debit cards and at the time was considered by many to be the biggest case of identity theft in American history. It is a sad reflection of the state of our industry that that claim only lasted four years.
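The following is an added illustration of the data-versus-code distinction described above; it is not code from the CISSP guide. It uses Python's standard-library sqlite3 module with a constructed two-row table, and contrasts a lookup that splices the user's input into the SQL text with one that binds the input as a parameter, plus the kind of allowlist check the text refers to as input validation. The function names (`lookup_vulnerable`, `lookup_parameterized`, `is_valid_username`, `compare`) are hypothetical.

```python
import re
import sqlite3

# Constructed sample data standing in for an application's user table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]

# Allowlist for the username field: only lowercase letters, digits and
# underscore, 1 to 32 characters. Anything else is rejected before it
# reaches the database layer (validation is a complement to, not a
# replacement for, parameterized queries).
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def is_valid_username(username: str) -> bool:
    """Return True only if the value matches the allowlist pattern."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Unsafe pattern: the user's value becomes part of the SQL text, so any
    quote characters in it are parsed as SQL syntax rather than as data."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Safe pattern: the statement is fixed and the value is bound separately,
    so the database compares it as a literal string no matter what it contains."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run the same input through both lookups (and the allowlist) so the
    difference in behaviour is visible side by side."""
    conn = build_db()
    return {
        "valid_input": is_valid_username(username),
        "vulnerable": lookup_vulnerable(conn, username),
        "parameterized": lookup_parameterized(conn, username),
    }


if __name__ == "__main__":
    # A benign lookup behaves the same way in both versions.
    print(compare("alice"))
    # The textbook tautology: the quote closes the string literal in the
    # spliced query, so the WHERE clause matches every row, while the
    # parameterized version simply finds no user with that literal name.
    print(compare("x' OR '1'='1"))
```

The second call is the whole lesson in one line of output: the spliced query returns both rows because the input was interpreted as SQL, while the parameterized query returns nothing because the input stayed data. The allowlist check additionally flags the second value as invalid before any query is built.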
