Common Security Flaws in Web Apps


It’s important to be aware of the most prevalent security flaws in web applications, and we’ve included a list of them below.

Inadequate access control

The term “access control” describes the process of limiting users’ privileges to only those resources they require. Developers frequently overlook vulnerabilities that grant users access they were never authorized for. Broken access controls let attackers read sensitive data, change or delete data, or even perform business operations they are not permitted to carry out.

Laxman Muthiyah found one such flaw in Facebook Company Pages. Although Facebook’s policy forbids letting strangers post as you, third-party administrators have full access to a page’s settings and can even change its admin permissions. That design is deliberate: it ensures the page’s owner never loses control of the page.

Yet Laxman discovered that with a single request he could make anyone an admin of the page, allowing that person to edit or delete any of its content. The original administrator was locked out of the page, while the new admin had full access to post on it. Facebook paid Laxman $2500 through its bug bounty program, but the cost could have been far higher had unscrupulous actors discovered the vulnerability first.

Inadequate security settings

Security misconfiguration refers to the absence of protections the web application needs, or to an incomplete or incorrect configuration of the protections it does have.

An insecure setting can compromise your web app at several points throughout its lifecycle. Network services, web servers, databases, custom code, deployed machines, and so on are all potential entry points for attackers.

Many businesses have paid the price for lax Amazon S3 security over the years. ABC, the Australian Broadcasting Company, is one such institution. Around 1800 daily backups of a MySQL database were found exposed online, containing sensitive information such as email addresses, logins, hashed passwords, licensing requests, and secret access keys.

When ABC later learned of the exposure, it moved quickly to fix the faulty security configuration. By then it was too late: two years’ worth of private data had already been exposed.

The whole problem might have been prevented with proper testing and development procedures.

Cross-site request forgery

This vulnerability, which relies on social engineering, exists in web applications and can be exploited to obtain unauthorized access or to induce unauthorized actions from authenticated users. Cross-site request forgery can lead to compromised user accounts, unauthorized transfers of funds, and even the complete compromise of a web application.
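As an added illustration of the defense (example code, not from the article): a server-side check that a state-changing request really came from the application’s own origin and carries the session’s anti-forgery token, so a request induced from another site is refused. The names Session, Request and SITE_ORIGIN are assumptions for the example.

```python
# Added example (not from the article): server-side CSRF check for a
# state-changing endpoint. Session, Request and SITE_ORIGIN are assumed names.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"        # assumed origin of the web app
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change state


@dataclass
class Session:
    user: str
    # Per-session secret token; the server embeds it in its own forms only.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    headers: dict
    form: dict


def origin_is_trusted(headers: dict) -> bool:
    """Accept only requests whose browser-supplied Origin/Referer is ours."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # no provenance at all on a state change: fail closed
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def csrf_check(request: Request, session: Session) -> bool:
    """True for safe methods, or for our origin plus a valid session token."""
    if request.method.upper() in SAFE_METHODS:
        return True
    if not origin_is_trusted(request.headers):
        return False
    sent = request.form.get("csrf_token", "")
    # Constant-time compare so the token cannot be guessed byte by byte.
    return hmac.compare_digest(sent, session.csrf_token)


def transfer_funds(request: Request, session: Session, balances: dict) -> str:
    """State-changing handler that refuses forged requests before acting."""
    if not csrf_check(request, session):
        return "rejected: CSRF check failed"
    amount = int(request.form["amount"])
    balances[session.user] -= amount
    balances[request.form["to"]] = balances.get(request.form["to"], 0) + amount
    return "ok"
```

A forged cross-site request fails either the origin check or the token check, so the handler never reaches the transfer.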

With over 689 million users, TikTok is the most popular video-sharing app in the world. TikTok’s massive audience means that successful producers may make money from the app. Because of this, many companies now pay for ads on the site to reach the platform’s massive user base.

Unfortunately, a cross-site request forgery vulnerability was found in the system not long ago. Injecting a JavaScript payload into a URL parameter made it possible to take control of any user’s TikTok account with a single click.

These flaws are only the tip of the iceberg among the myriad web app security holes, and it would be impossible to test for them all. Instead, be diligent about adhering to established standards for protecting web applications.