JA6. Web Application Vulnerabilities and Countermeasures
Statement
Based on what you have learned in the topic “Truncation and trimming attacks, and SQL injection” of this unit, answer the following questions:
- Describe the most interesting fact you learned about in this unit. Think about the reasons why you noticed this topic, your impression, or your plans for further exploration of this topic.
- When you were working on this task of the unit, you were doing your internet research on the topics discussed. Did you find something related to the issues discussed that surprised you?
- List your findings.
- Give a rationale to support your answer.
Solution
Task 1
The most interesting fact I learned about the SQL injection topic was how easy it is to mitigate, but also how widespread such an attack is. Injections were first in the list of the OWASP Top 10 web application security risks in 2017, and they have only shifted down to third place in 2021, as 94% of the applications tested by OWASP had at least one injection flaw such as CWE-97 XSS, CWE-89 SQLi, etc. (OWASP, 2021).
I liked this topic because it shows how lack of knowledge, laziness, or time constraints affect development teams, where the most important things are ignored to meet deadlines, but then come back later at a greater cost.
I plan to explore the root cause of this issue. I have some theories, but I need to validate whether it is just that developers are lazy and don’t care about their jobs anymore; or that schools do not teach the right things to students, so they don’t know the dangers of ignorance; or that other types of stakeholders in the industry do not know about security and should be educated about it; or that the regulatory bodies should control the baseline of software security with more regulations and laws.
“Computers don’t create crimes. It is the people who are using the computers that commit the crimes. And people in the organizations can be—and often are—complicit” (Kelly, 2017); this quote affirms the importance of keeping users informed and educated; by users I mean all the stakeholders in the industry, including developers, managers, testers, designers, investors, etc.
Task 2
Web crawling and scraping have surprised me this week; I thought such activities were only good and posed no threat to web applications, but I was wrong. I found out that web crawling and scraping can be used to gather information about applications, which can then be used to launch an attack.
This is such a critical matter, as the first step in every successful attack is to understand your target well and analyze as much information as possible about it; and there is no better way than downloading all online information about the target and analyzing it offline without limitations.
The main threats of web crawling and scraping include data theft, security vulnerability scanning, and even denial of service if a lot of scrapers/crawlers target the same application at the same time; the scraped content may also facilitate the creation of fake replicas of the original application that can be used to launch phishing attacks (Web Scraping Protection: How to Prevent Web Scraping - DataDome, 2023).
With the advancements in scraping tools, any script kiddie can launch a scraping attack that may take down a website or steal its data, which increases the importance of building our websites and applications in a way that is hard to scrape.
References
- Introduction - OWASP Top 10:2021. (2021). Owasp.org. https://owasp.org/Top10/A00_2021_Introduction/
- Kingthorin. (n.d.). SQL Injection. OWASP. Retrieved January 10, 2022, from https://owasp.org/www-community/attacks/SQL_Injection
- Web Scraping Protection: How to Prevent Web Scraping - DataDome. (2023, December). DataDome. https://datadome.co/learning-center/scraper-crawler-bots-how-to-protect-your-website-against-intensive-scraping/