Web-based systems are systems you reach through the internet, often (but not always) through a web browser. Web-based systems are often meant to be public-facing, so they are exposed to the entire internet. This makes them vulnerable to attackers looking for easy targets, such as older and unpatched versions of web server software. There are several areas to review when you assess and mitigate vulnerabilities in web-based systems:
- Web server software. The web server software must be running the latest security patches. Running the latest version of the software can provide enhanced (and optional) security features. You need to have logging, auditing and monitoring for your web servers. The goal of these isn’t to prevent attacks but instead to recognize warning signs early, before an attack or as early in the attack as possible. After an attack, the logs can provide critical information about the vulnerability, the date of compromise and sometimes even the identity of the attacker.
- Endpoint security. You also need to manage the client side. Clients that visit a compromised web server could become compromised. To minimize the risk of compromise, you need a multi-layered approach that includes a standardized browser configured for high security, web proxy servers to blacklist known bad web servers and track web traffic, host-based firewalls to block suspicious traffic, and anti-malware/anti-spyware/anti-virus software to watch for suspicious activity.
- OWASP Top 10. The Open Web Application Security Project (OWASP) publishes a list of the top 10 critical web application security risks. You should read through it and be familiar with these risks.
- Injection flaws (OWASP Top 10, #1). Injection flaws have been around a long time. Two of the most common are SQL injection attacks and cross-site scripting (XSS) attacks. In an injection attack, an attacker provides invalid input to a web application, which is then processed by an interpreter. For example, an attacker might use special characters in a web-based form to alter how the form is processed (such as commenting out the password check). Input validation can help minimize the chances of an injection attack, but you need more than that: you need to properly test these types of scenarios prior to going live. One common mitigation strategy for SQL injection attacks is using prepared statements and parameterized queries; this enables the database to differentiate between code and data.
- XML External Entities / XXE (OWASP Top 10, #4). In this type of attack, the goal is to pass invalid input (containing a reference to an external entity) to an XML parsing application. To minimize the potential for this attack, you can disable document type definitions (DTDs).