
The developers have delivered and the web application is ready. It works well and the design is impressive, but who decides whether it is secure enough? Who can we contact for an independent opinion?

It depends on the source code too

Life has not stopped at development companies: most of the development process can be done remotely from home. Web applications are still being developed, so their security assessments must continue as well.

From a security perspective, protection against injection attacks is paramount in web applications. One of OWASP's flagship efforts, the OWASP Top Ten project, also ranks this class of vulnerability as the number one problem. By properly validating and filtering data received from users, this exposure can be completely eliminated. However, developers are often unaware of what proper validation and filtering actually mean, so this flaw is frequently found during web application testing.

The ability to inject SQL statements or expressions opens the door to data theft, so in many cases a company can be severely damaged by an error on the part of the web application developers, even years later. Under the GDPR this can even take the form of a fine, but the loss of prestige is hard to convert into money: who wants to appear in a bad light in the headlines of online newspapers?

Another common type of injection error is when JavaScript code can be injected through user input. Such an attack is not aimed directly at obtaining data stored in the database but is typically directed against users of the application. This vulnerability is known as Cross-Site Scripting (XSS). The purpose of an XSS attack is mostly to obtain a user's session. Most web applications store session IDs in cookies. The acquired session ID allows an attacker to log on to the system and, with a well-targeted attack, even gain administrative privileges. In addition to validating inputs, proper session management is therefore also very important.
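What "proper validation and filtering" looks like in practice for the SQL injection, XSS and session-cookie points above, as an added Python example that is not part of the original article. The user table, user names and session value are constructed for the demonstration; the hardened functions show allow-list validation, parameter binding, context-appropriate output encoding and cookie attributes that keep the session ID away from page scripts.

```python
import html
import re
import sqlite3

# Constructed sample data: an in-memory table with two users.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

# Allow-list validation: reject anything outside the expected shape before it
# reaches the query or the page. Binding and encoding below still apply as
# defense in depth, because validation alone is easy to get wrong.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def is_valid_username(name):
    return bool(USERNAME_RE.fullmatch(name))

def lookup_vulnerable(conn, name):
    # String concatenation: the user-supplied value becomes part of the SQL
    # grammar, so it can change the meaning of the WHERE clause.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def lookup_safe(conn, name):
    # Parameter binding: the driver passes the value separately from the
    # statement text, so it can only ever be compared as data.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def render_greeting_vulnerable(name):
    # Raw interpolation into HTML: script tags in the name are rendered as markup.
    return "<p>Hello, " + name + "</p>"

def render_greeting_safe(name):
    # Output encoding for the HTML body context turns markup into inert text.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

def session_cookie(session_id):
    # HttpOnly keeps the session ID out of reach of page scripts (the XSS target
    # described above); Secure and SameSite limit where the browser will send it.
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"
```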

Our company, Whiteshield Ltd., has been conducting web application tests since 2011. Following the OWASP guidelines, our experts strive to explore vulnerabilities fully through manual web application testing. Do you also need help examining your application? Call us! We can help you!