Major Security Errors in Web Application

Web application developers these days have to be skilled in a number of fields. It becomes important to  create an application which is user friendly, accessible, gives high performance and is secure. And, all this has to be done in an untrustworthy environment that you, the developer, cannot control. I am talking about the User Agent, normally seen as a web browser, but no one really understands what's there on the other side of the HTTP connection.

There are various things to worry about when it comes to security testing of web application. Is your website protected from service attacks? Are your users being tricked into doing things which can harm the security? Is your user data safe? Can fake data from an attacker pollute the database? Is it possible to gain unauthorized access to those parts of your website which are restricted. Unfortunately, the answer to these questions will be yes, unless we are careful about writing the codes.

In this article, we will not mention denial of service attacks, but will take a closer look at other problems. To be more relevant to the context, we will talk about Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Click-Jacking and SQL injection. We will also assume PHP as the development language, but the problem will occur regardless of the language and the solutions are identical in all languages.

1. Cross-Site Scripting (XSS)

An attack, in which the user is mislead into executing code from another site, in the framework of our website is called Cross-site scripting. The problem will occur no matter what our website does, but the complexity of the problem will change according to what the user does on the site.

2. Cross-Site Request Forgery (CSRF)

This is an attack where a bad site can trick the visitors into going ahead and taking an action on our website. This generally happens if a user logs into a website that they regularly use (eg. Their e-mails, Facebook, etc.) and then log into a bad site without first logging out of the previous site. If the former site is capable of getting a CSRF attack, then the malicious site can do whatever it wants on the user's behalf.

3. Click-Jacking

It might not be on the OWASP top ten list for 2010, but still it has gained a lot of popularity due to the attacks on Facebook and Twitter, as both of them make it spread very quickly because of their social nature.

We are protected against CSRF attacks as we use a nonce. However, if the user is made to click the submit link themselves, then the nonce will not be able to guard us. In this type of attack, the website is included in an iframe on their own website. Even though the attacker will not have control over our page, they will have control over the iframe element. CSS is used to set the iframe's capacity to 0 and the JavaScript is used to move it around, so that the submit button comes under the user's mouse.

4. SQL Injection

In this type of attack, insufficient input validation is exploited by the attacker, in order to gain shell access to your database server. The message sent by the attacker can get passed to the database and it could get dropped in the 'Messages' section, causing a lot of trouble to you and your user.  

http://www.avyaan.com/blog/five-open-source-security-audit-tools/

Data Not Handled Safely by Forty Percent of Mobile Apps

According to a research, approximately 40% of mobile applications that are used are not safe for handling data. The research was conducted across a set of enterprises to find out the state of mobile application security audit. According to the end result, more than 40% of mobile vulnerabilities detected were related to unsafe and improper handling of data.

The sectors conducting business mainly through mobile and web applications are BFSI and Ecommerce. The companies are already taking proactive measures and all the necessary precautions that are required to secure the data transactions taking place through their stores. The future is going to see a lot of other services that are going to be enabled through mobile. This means that businesses need to have a good focus on mobile app security.

Tests were conducted on top 10 mobile app vulnerabilities listed by OWASP and the conclusion that came out was that 17% of mobile apps experienced accidental leakage of data. There was data storage insecurity in 23% cases and weak server side controls was the issue with 10% cases. Approximately 100 mobile applications were tested by many Indian companies and as much as 21,000 mobile app vulnerabilities were found. This confirms that lot of enterprise mobile apps can be affected by data leaks.

Various security breaches have taken place with Android apps. There have been a number of hacking incidents, that have been reported on Android apps. Critical mobile apps on Apple iOS systems are more susceptible to security threats than Android apps. Both Android and iOS operating systems have the same amount of high level vulnerabilities. But, for the critical vulnerabilities, it was found that Apple iOS was 67% more vulnerable as compared to Android apps which were 33% more susceptible.

Increase in the use of Smartphones is considered to be one of the reasons for rise in vulnerability risks. All mobile apps used in Smartphones have access to the information in user's Smartphone, which makes it all the more risky. Businesses have to find out ways in which they can protect their critical information, which makes mobile and web application security really important.   

www.avyaan.com/blog/checklist-data-mobile-app-security/

How Are Vulnerability Assessment and Penetration Testing Different

There are varied point of views on what constitutes a Penetration Test versus a Vulnerability Assessment. The main difference, however, seems to be that a Penetration Test involves diagnosing as many vulnerabilities as possible. While some feel that Penetration Tests comprises of identifying all the vulnerabilities, if possible, some others feel that Penetration Tests are purpose oriented and are indifferent towards what other vulnerabilities might exist.

I believe in the second theory and what follows are some points, which makes my belief stronger.

 Language Is Important

There are two reasons why we feel that language is important. We have a security test for collecting the full list of vulnerabilities and it is called Vulnerability Assessment. If there isn't a communicable and clear distinction between this test and penetration testing then two separate terms would not have existed. There is a distinction between the two types of tests and it is a crucial one.

Explained Definitions

Vulnerability Assessments are formed to produce a planned list of vulnerabilities and are meant for clients who understand that their IT security is not fool-proof and they need to work on it. The customer knows that they have issues and they just need help in identifying them.

The more problems identified the better, so a white box approach should be adopted whenever possible. The output of this assessment is, more importantly, a planned list of explored vulnerabilities.

Web application penetration testing services are devised to accomplish a certain attacker simulated goal and should be done by enterprises who have already achieved their desired security level. A typical objective is to access crucial information in a customer database in the internal network, or to correct a record in an HR system.

Exploitation through Penetration Tests

Another mistake while discussing penetration tests vs. vulnerability assessments is to center around the point of exploitation. The basic description is:

“Finding vulnerabilities is a vulnerability assessment, and exploiting them is a penetration test.”

But this is not correct.

Exploitation can be thought of as a sliding bar between nothing and a lot, which can be taken advantage of in both penetration tests as well as vulnerability assessment. Although the more serious penetration tests lean more towards showing rather than telling (which lead to exploitation), it's also a situation where you can show that even without full exploitation a vulnerability is real.

To Conclude

Vulnerability Assessment: It is usually requested by customers who are aware that they have issues and need help in getting started. The goal is to accomplish a planned list of vulnerabilities in an environment, so that the solution can be found.

Penetration Tests: Requested by customers who believe that their defenses are strong and want to test that theory. The goal is to find out whether a security posture can stand an intrusion by an advanced attacker.

Read more Here http://www.avyaan.com/blog/understanding-social-engineering/

What Can Penetration Testing Do for Your Business?

An enterprise understands the importance of safeguarding their information from hackers. Such people are capable of taking down your network, penetrating your internal security and defacing your website. Penetration testing which is also known as ethical hacking is a perfect solution to this problem. Businesses get into contracts with such ethical hackers to do their best in attacking their security systems, in the same way that a criminal might attack their business. However, this procedure is done without causing any damage to the systems. The result of this testing is a focused report that explains the security loopholes in the system, as well as the solutions to the problems.

The following example can explain penetration testing in a simpler way. If one day you return from a party late at night and leave the keys at the door, that will be called a vulnerability. An automatic scan might offer the following suggestions to your wife – 'remove the keys', 'install a swipe card system' or even 'kick him out of the house'.

On the other hand, a penetration tester might find out that you had the sense to bolt the door from inside: i.e, the situation was not as high risk as you had thought. The pen tester would further take the keys, try the back door and steal your car. This way, the vulnerabilities are exploited to find the true impact of the weakness, rather than theoretical guessing. Advantages of a manual penetration tester rather than an automated system, is that a pen tester is more likely to discover the true risks to your information assets.

Your Business Can Benefit from Different Types of Penetration Tests, Such As:

White box test: Complete knowledge is provided in advance, about the systems which are supposed to be tested. This is a very thorough process of penetration testing.

Black box test: In this kind of testing, there is no knowledge of the system being tested. It mimics the actions of an unethical hacker.

Pen Testing Consists of the following Phases:

Research: Check all the information available publicly about the IT deployment of the company, network addresses, etc, that can be exploited by a potential attacker.

Enumeration: Scan by appointment and identify the architectural features, as well as the systems of the organization.

Exploitation: Analyze the potential of an attack, just stopping short of causing a disruption to the system.

Analyzing and reporting: Report vulnerabilities, examine all the findings, reach a conclusion and inform the client.

 Get connected for more detail http://www.avyaan.com/services/penetration-testing.php