Author: Chris Cooper / Source: Information Security Buzz
Chris Cooper, Security Team Leader for SureCloud, examines three web application flaws that are still posing a risk to organisations
Web application security is finally catching up with the threat landscape in which it is situated. Common vulnerabilities have been identified and are being fixed. The industry has generally adopted the Open Web Application Security Project (OWASP) Top 10, a list of the most critical web application security risks and the steps needed to mediate them. The most recognisable flaws at the highest rungs of this list are in decline, and when they are identified, developers fix them. Awareness is growing – but it is not equal everywhere.
In areas where awareness is poor, developers are more likely to make mistakes and are weaker at responding to them. This means that rather than focusing all our attention on the weaknesses we already understand, we must start talking more about the ones we don’t. Here are three of the major ones to consider.
CSRF
Cross-site request forgery (CSRF) is perhaps the most common high-severity flaw in web applications today, and the most poorly understood.
CSRF attacks work when a user is tricked into sending a request that makes a change on the vulnerable web application. The server assumes that, because the request was received from the victim’s browser, that they genuinely initiated it. In actuality, it might have been initiated by a malicious website that they were lured onto, a crafted link that they followed, or an image they loaded in an email. When an application is vulnerable, it can often be leveraged to take any action on behalf of the user. This depends on the application in question, but it might include changing their login details or triggering a money transfer to the attacker.
The only way to prevent this is to allow the application to tell the difference between a genuine request initiated by the user, and a crafted request from an attacker. The most highly recommended method is the use of a synchroniser token. The attacker can only craft an effective request if they know beforehand all the…
Click here to read more
