One of the most common attacks according to the OWASP report for 2017 is the «Injection» or specifically the «SQL Injection». In this attack, the attacker attempts to inject malicious code into an application in order to read, modify or even delete data without permission. This is made possible by SQL, a so-called «Structured Query Language», which is used to send instructions to a database: If an application allows users to enter data - for example via a text field – and these entries are integrated directly into an SQL query in the background, attackers can submit a query to the database without being authorised to do so.
This can be prevented by first validating user input. This ensures that the input corresponds to the format expected by the application. In addition, so-called «prepared queries» can be used. These are special SQL queries in which the user input does not occur directly in the query, but is sent separately to the database. In this way, the database can clearly distinguish between what belongs to the query and what is added as an external parameter.
Because we at Renuo use Ruby on Rails as standard for our development, we are protected against most cases of SQL injection. However, the risk from Rails is not completely avoided, which is why we use the security analysis tool Brakeman, which protects us from possible further risks.
«Broken authentication» is another common vulnerability. It describes a generally insecure authentication (mechanism for user logins). Possible scenarios for this are, for example:
- An application allows standard passwords such as «1234» or «password». Attackers have long lists of the most used passwords, which are easy to crack.
- An application allows so-called «Brute Forcing". In this attack, passwords are systematically tried out until the correct one is found.
- An application stores passwords unencrypted or only with weak encryption on the server. Once a hacker has gained access to the user list (e.g. by SQL injection), he can log into any user profile. In addition, many people use the same password in every application, which is why an attacker will probably be able to access other applications.
- An application does not delete the session after logging out. The session is a key that is stored as a cookie in the user's browser so that the user remains logged in to a specific application. However, if this key is not reset after logging out, the attacker can log in on behalf of the user, even if the user has already logged out.
It is therefore advisable to install a password validation at login to ensure that the password meets security requirements such as a minimum length or sufficient numbers and special characters. Renuo also uses strong encryption algorithms together with so-called salting, which guarantees the highest possible level of security.
Another common security vulnerability is the transmission of sensitive data via unprotected channels. This can be, for example, a login via an insecure HTTP protocol. HTTP is used to send all
data unencrypted, which makes it easy for attackers to intercept login data or the like by placing themselves between the server and the browser.
Another attack scenario exists when the server does not force the browser to adhere to encryption – i.e. when you can log in using HTTP instead of HTTPS. This enables a so-called «downgrade attack», in which the attacker forwards the victim via a seemingly harmless link to the unencrypted page and can thus track all data. This can be prevented by forcing HTTPS with protocols like the HTTP Strict Transport Policy (HSTS).
Cross Site Scripting
The last attack variant described here is called «Cross Site Scripting (XSS)». It aims to intercept user data by running scripts - small programs that run in the browser – on the victim's computer. This is achieved by infiltrating the script into an input on the web page, which is then displayed to other users. An example would be a comment section where users can write text that other users can read as well. If the application is not protected, code can be smuggled into the input, which is executed when the comment is displayed. We at Renuo eliminate this risk by using frameworks that «escape» input by default, i.e. convert it into a format that the browser cannot execute.
Third party libraries
There is another security risk which cannot be directly influenced: the use of code written by third parties, so-called «frameworks». In order to develop modern applications as time-efficiently and cost-effectively as possible, the use of frameworks is unavoidable. However, these frameworks can contain security gaps just as much as specially written code. In order to keep the risk low, it is all the more important to regularly carry out security updates in order to be protected against the current dangers. For this reason, we regularly monitor all running applications so that irregularities and errors can be quickly detected and corrected.
This is how we have described the most important attacks in the online area – or do you know more? Write us, we are happy about every input.