The common security threats and how to protect from them
A modern application is a complex system containing lots of components and uniting lots of technologies. The more complex is the system, the more security threats it has. The risks of insufficient security are too serious to ignore – that is why the businesses pay lots of attention to protecting the sensitive data. In this article, we will tell you about the main application security risks and give you useful tips on server-side and client-side security.
4 types of the most common security threats
The security threat refers to the potential impact on the system that is likely to harm it or lead to data loss. There are more than 100 varieties of threats to the information system. Let’s consider 4 the most common ones.
Cross-site scripting (XSS)
To avoid an XSS attack, take several simple security measures:
- Avoid returning tags to the client, redirecting or other similar actions using data on the client-side. Most of these actions can be performed using dynamic pages (server-side).
- Follow IPS rules. For example, if the welcome.html page can receive one single checked parameter “name”. Any violation leads to the denial of service.
Cross-site request forgery (CSRF/XSRF)
CSRF attack simulates the request of an authenticated user to a third-party website. This might be an action of privileged users (like modifying the user access) or some user-specific ones like changing the password.
To force a user to send a request to a malicious server, the hacker can use technical security vulnerabilities, like XSS or set up a redirect to the necessary page.
Performing a CSRF attack, the hacker uses website vulnerabilities to steal the cookies. To protect from it, we suggest the following solutions:
- Implement an Anti-CSRF Token. It sends the unique token to the browser and checks if it returns it back. Since it is impossible to proceed without the verification, only a legitimate user can send secure API calls.
- Representational State Transfer (REST). This is a set of design principles providing standards on how to secure REST API. With RESTful principles, you can independently work with the client-side and server-side of your app. This will keep your code clean, simplifies scaling, and removes the vulnerabilities.
- Use SameSite Cookie Attribute for sending cookies. It helps to tell the browser if it should restrict the cookies to a first-party or same-site context. Lax and Strict are the two values available for the same-site attribute. Lax mode allows GET request for cross-site usage, while Strict one blocks sending cookies if the request comes from a different site.
An attacker sends invalid data to the web application to control an application’s database making it operate differently from the intended purpose. By inserting special SQL statements into the input field, a bad actor can execute commands to extract data from a database, destroy sensitive data, or perform other manipulations.
To bypass security measures, attackers sometimes perform multi-vector attacks on the target website. Brute-force attacks, DNS hijacking, and malware can be used to help the hacker to implement a radical SQL injection. As a result, a comprehensive mitigation strategy provides the broadest range of protection.
- Update and patch. SQL injection vulnerability is a frequent error and it’s discovered regularly. Keeping all web application software components up to date with the latest security patches will help to prevent server-side security threats.
- Firewall. It filters out the malicious requests protecting the app against SQL injections. You can set up the firewall on your web server or to request the cloud service provider to protect your environment. The QuickBlox team uses firewalls to secure our API.
Brute-force attack is one of the simplest and least sophisticated methods to forcefully gain access to the user accounts. The attackers send thousands of requests per second until they guess the credentials. This hacking method doesn’t need lots of knowledge and can be performed even with the help of automated tools.
DOS & DDOS are the most widely-spread types of brute-force attacks. A DDOS-attack usually comes from the network connecting thousands of computers – botnet. The machines of a botnet are usually infected by malware and their owners even do not know that they are part of a DDOS-attack.
To protect your servers from brute-force attack, you may take the following measures:
Restrict login requirements on client-side
- limit failed login attempts
- use Captcha
- introduce strict password requirements
- limit logins to a specified range
- introduce two-factor authentication
- create unique login URLs for the different user groups
Protect the infrastructure on server-side
- Configure your SSH access: restrict the SSH access to the root account, change the default SSH ports from 22 to the different one.
- Monitor the server logs
- Use DDOS-protection services like Cloudflare. In case or an attack, it will limit the bandwidth of the server resources
Malware is the software intended to disrupt the computer functions or to steal personal information. The most common variations are as follows: adware, rootkits, spyware, Trojan horses, viruses, and worms.
Although malware infections are quite a common thing, it is easy to prevent the infection following the simple rules:
- Using reliable, up-to-date and patched software
- Using WAFs, anti-viruses, malware scanners, sanitizers on all layers
- Using sandboxes for launching suspicious code without risk to harm the device or network
6 ways to secure your messaging infrastructure
Organizations in the finance, healthcare, and legal industries should specifically look for a secure text messaging service that offers the technical requirements, audit controls, and additional measures required by GDPR, HIPAA, and other regulations. Here are some rules on how to secure web API.
Use of SSL-certificates (HTTPs, XMPP protocol)
Using SSL-certificates ensures that all data is encrypted before it’s sent. So even if the attacker gets it, he would not be able to modify or capture it. This is an important stage of making your web API secure.
Control of user access
User accounts, their access rights and a history of operations should comply with regulatory laws. Improper security may affect user accounts being vulnerable and unauthorized access.
- Use secure API authentication tokens that are valid for a limited time.
- Use one-time login links instead of the passwords, limit login attempts
- Use SSH key authentication.
- Encrypt and hash all passwords
- Set security rules to the passwords
- Introduce multi-factor authentication
Secure data storage & Backup
Do not store sensitive information on your local device. Using cloud storage, you keep the information on a remote server protecting it from hardware damage or intrusion. In case of any hardware issues, you can always restore the backup.
- Ensure that your app or web browser has an encrypted connection before downloading or uploading sensitive data.
- Ensure minimal privilege for the database access user account. Don’t use the database root account and check for unused accounts and accounts with weak passwords.
Secure development practices
Conducting regular security audits and following back-end and front-end security best practices will help to mitigate the risks.
- Scan your code for vulnerabilities, cover with tests
- Use only secure, up-to-date software from trusted sources
- Conduct security audits
- Service Identity, Integrity, and Isolation
- Inter-Service Access Management
- Encryption of Inter-Service Communication
Protecting the traffic
Setting up a secure network with industry-standard security protocols will cut the risk of attacks.
- Configure server-side validation of the client-side data input. Do not put user content into responses.
- Verify all SQL statements. If a suspicious script has passed into the application, API or database, it should be rendered as a text, not a script
- Use SSL/TLS encryption to protect the data in rest and in transit
- Follow DDOS-protection practices
- Use VPNs and private networking when possible
There are many different issues to consider when thinking about operational security. Make sure that you have virus scanners, firewall system, all your software is up-to-date and comes from trusted sources.
Any website or application can get compromised. As a result, the resource can lose its working capacity, and confidential user data will be harmed. This will result in reputational and financial losses. We mentioned methods that can help you detect and mitigate malicious attacks before they hit your business critically.
For more information on how QuickBlox will secure the messaging API for you, please contact us