The 4 Most Common Web Security Flaws and How to Avoid Them

One of the last things new web designers consider is the security of their websites. That oversight has left thousands of sites unprotected against a large number of threats, many of which can be completely debilitating to a business. Though there are hundreds of problems that could occur, the following are remarkably common on all kinds of websites.


Many of these issues are catalogued by the Open Web Application Security Project (OWASP), and a number of tools have been created to address the OWASP Top 10. Here is a breakdown of several points to keep in mind to make sure you’re doing it right:

Unvalidated Redirection and Forwarding

To provide the services that make them usable, web apps will often forward and redirect users to other pages on the same server as well as to other domains. The problem arises when web applications use untrusted data to decide which page to go to. By manipulating this unvalidated data, attackers can redirect web app users at will, which often lands users on malware or phishing pages. Make sure you’re only ever redirecting to destinations built from trusted data; this alone can make a real difference.

Security Not Properly Defined

To ensure security is working properly, all configuration settings should work in tandem with each other. From the web applications themselves down to the frameworks, servers and platforms beneath them, security parameters must be customized for every website, since the default options can often be taken advantage of by attackers.

WordPress website security fail
photo credit: Juan J. Martinez

Exploitable Sessions and Authentication

When the functions a web app uses for session management and authentication aren’t set up correctly, attackers can use a frightening number of tools to exploit that shortcoming. Data that can be stolen through session and authentication problems includes passwords, session tokens, keys and other forms of user identification. Take the time to make sure you set up everything correctly so the hole is sealed before it can be exploited; a little research might yield a lot!

One of the best ways to solve authentication problems is two-factor authentication, or 2FA. This authentication method is based on the use of one-time passwords (OTP). An OTP cannot be reproduced or predicted without the secret key, which is known only to the server and to the special OTP generation tool, called a token. There is also no point in intercepting these passwords, because a completely new one appears every time.

You have probably already come across two-factor authentication. Many banks and payment systems send you one-time passwords via SMS or e-mail when you log into your account. Today OTPs can be delivered not only by SMS or e-mail; there are also special hardware tokens, which look like keychains or credit cards, and software tokens in the form of iOS or Android apps. And as practice shows, modern tokens are much more reliable than those we have already got used to.

2FA protects against the majority of modern risks, including phishing, replacement and other hackers’ attacks. But some progressive two-factor authentication providers, for example Protectimus, have achieved even better results. Their 2FA services with data-signing features can resist even the most recent dangers, such as a Trojan that manipulates the content of the browser.

Inadequate Protection against DDoS

Where the other attacks discussed so far involve attackers gaining unpermitted access to sensitive areas of a server or a user’s computer, a distributed denial of service (DDoS) attack is simply intended to do harm by overloading a domain’s data transfer capacity. Because the attack is of a different kind, the defence is too: it requires a tool or service specialized in defending against DDoS, like the aforementioned Incapsula or Fireblade, which were covered in Noobpreneur before.

Addressing the issues discussed in the OWASP Top 10, among others, and protecting a server against a wide range of malicious acts should be a top priority for any web or app developer, and those discussed above should be the first security topics addressed. With so many great tools to protect your online assets, there is simply no excuse for being idle when malware and threats are on the rise!