Basefarm Blog
Web Security Vulnerabilities and How to Fix them

Wondering how to fix web security vulnerabilities? Scan regularly with tools like Detectify, fix the findings thoroughly rather than superficially, and establish a security-directed culture. This is easier with DevOps tools.

Web applications can have multiple vulnerabilities that are difficult to discover manually. Here you will get an overview of the most common security issues, how to check your application status, and get a security researcher’s best security advice.

To you, it is probably old news: every web application can have vulnerabilities, whether it is part of a large core system or a single website built on a popular CMS solution.

Many applications are developed over long periods of time with contributions from different environments and people. If you have been programming yourself, you know that the goal is usually to fix a fault or get something to work. When everything is solved after many hours of work, it is easy to just launch the application as it is, and avoid thinking about security concerns.

«The biggest security mistake of them all is to skip vulnerability detection work. Another issue is actually being aware of vulnerabilities and doing nothing. This is more common than you can imagine. Typically, major security vulnerabilities are fixed while smaller ones remain. Multiple low-risk issues quickly add up to a major security issue,» says Linus Särud, Security Researcher at Detectify.

Integrate security in all parts of your business

So, what is the security advice that beats all others? Make security an integrated part of the business culture and application development.
This might be a challenge because security is typically treated as an add-on to everything else and is hard to prioritize.

«From the starting point of a new web application project, you can establish security as an integrated part of the process. This applies particularly to DevOps processes where everyone from development to the IT management department works on the same platform,» he says.

He continues: «However, starting over is not always that easy. Most developers navigate in complex solutions built by multiple applications and integrations. In such cases, you must analyze vulnerabilities, repair and leverage security in the existing structure. Fixing is great, but you must dive deeper into the structures to be better prepared against future threats.»

Four approaches to cyber security

What are the most common web security vulnerabilities? Typically, hackers will exploit vulnerabilities until they are patched and move to the next in line. Therefore, the security vulnerability field is constantly changing.

Here are four approaches to cyber security you should dedicate some time to right now.

1. OWASP Top 10 (2017)

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit, charitable organization focused on improving the security of software.

OWASP’s mission is to create awareness of software security and make it a priority. This is reflected in the Top 10 series.

Basefarm’s web application vulnerability assessment partner Detectify has developed an OWASP Top 10 list and a scanner that lets you test your website for vulnerabilities. The list includes code injection, broken authentication, sensitive data exposure, XML external entities (XXE), broken access control, security misconfiguration and more.

2. Common e-commerce security mistakes

Attackers can intercept requests between the shopping cart and the server and tamper with fields such as the currency. Changing the currency from USD to WON would make the order roughly a thousandth of the price. Luckily, simply changing the price had its peak some years ago and usually does not work anymore.

Transferring funds between gift cards can be abused through a vulnerability class called race conditions. This has been successfully tested in practice: it was possible to make several USD 5 transfers from one card holding USD 5 to two other cards.
Gift cards using incrementing IDs make it easy to guess and use gift card numbers. A similar exploit is to test, for example, the coupon code «superCheap_50» when you already know that «superCheap_10» gives you 10 per cent off.
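As an added example (not code from Basefarm or Detectify), here is the server-side counterpart of the three mistakes above, written in Python: the order total is recomputed from the shop's own catalogue instead of being taken from the request, a gift-card transfer is one atomic check-and-debit so that concurrent transfers cannot overdraw a card, and card and coupon codes come from a CSPRNG instead of an incrementing counter. The catalogue, the exchange rates and the `price_order`, `new_code` and `GiftCardStore` names are assumptions made for this example.

```python
"""Hardened checkout and gift-card logic (added example, not page code).

Server-side counterparts of three common e-commerce mistakes:
  1. prices and currency are recomputed from the server's catalogue,
     never taken from the client request;
  2. a gift-card transfer does its balance check and debit under one
     lock, so two concurrent transfers cannot both pass the check;
  3. card and coupon codes are random, not incrementing.
All names, prices and rates below are constructed for the example.
"""
import secrets
import threading
from decimal import Decimal

# Constructed catalogue and exchange table: the server's source of truth.
CATALOGUE = {"hoodie": Decimal("40.00"), "mug": Decimal("12.50")}
RATES = {"USD": Decimal("1"), "EUR": Decimal("0.90")}


def price_order(items, requested_currency):
    """Compute the order total from the catalogue only.

    `items` is the client-submitted cart as (sku, quantity) pairs. Any
    price or amount the client sends alongside is ignored; an unknown SKU
    or currency is rejected rather than silently defaulted.
    """
    if requested_currency not in RATES:
        raise ValueError(f"unsupported currency: {requested_currency}")
    total = Decimal("0")
    for sku, qty in items:
        if sku not in CATALOGUE or qty <= 0:
            raise ValueError(f"invalid line item: {sku} x {qty}")
        total += CATALOGUE[sku] * qty
    return (total * RATES[requested_currency]).quantize(Decimal("0.01"))


def new_code(prefix):
    """Unguessable card or coupon code: 16 bytes of CSPRNG output."""
    return f"{prefix}-{secrets.token_urlsafe(16)}"


class GiftCardStore:
    """In-memory balances with an atomic check-and-debit transfer."""

    def __init__(self):
        self._balances = {}
        self._lock = threading.Lock()

    def issue(self, amount):
        code = new_code("GC")
        with self._lock:
            self._balances[code] = Decimal(amount)
        return code

    def balance(self, code):
        with self._lock:
            return self._balances[code]

    def transfer(self, src, dst, amount):
        """Move `amount` from src to dst; return True on success.

        Check and debit run under the same lock. In a database the same
        guarantee comes from a conditional update such as
        UPDATE cards SET balance = balance - :amt
          WHERE code = :src AND balance >= :amt
        followed by verifying that exactly one row changed.
        """
        amount = Decimal(amount)
        if amount <= 0 or src == dst:
            return False
        with self._lock:
            if src not in self._balances or dst not in self._balances:
                return False
            if self._balances[src] < amount:
                return False
            self._balances[src] -= amount
            self._balances[dst] += amount
            return True


def concurrent_transfers(store, src, dsts, amount, attempts=50):
    """Fire simultaneous transfers from one card; return how many succeeded."""
    results = []
    start = threading.Barrier(len(dsts) * attempts)

    def worker(dst):
        start.wait()  # release every thread at the same moment
        results.append(store.transfer(src, dst, amount))

    threads = [threading.Thread(target=worker, args=(d,))
               for d in dsts for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count(True)


if __name__ == "__main__":
    store = GiftCardStore()
    a, b, c = store.issue("5"), store.issue("0"), store.issue("0")
    print(price_order([("hoodie", 1), ("mug", 2)], "EUR"))
    print(concurrent_transfers(store, a, [b, c], "5"))
    print(store.balance(a), store.balance(b) + store.balance(c))
```

`concurrent_transfers` is the regression check a practitioner would keep in the test suite: it fires 100 simultaneous USD 5 transfers from a card holding USD 5, and with the lock in place exactly one of them succeeds and the three balances still sum to 5.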

Want to know more? Read the Detectify blog where 7 common e-commerce security mistakes are explained.

3. Implementing HTTPS the right way

HTTPS is one of the simplest security measures you can implement. Strangely, many sites kept running on plain HTTP until Google started prioritizing HTTPS sites in its search results. This, combined with security concerns, boosted the adoption of HTTPS.

4. Detectify’s 1,000+ automated security tests

Detectify has developed a website vulnerability scanner that performs fully automated tests to identify 1,000+ vulnerabilities. It is continuously updated by a crowdsourced community of 150+ white-hat hackers.

For someone not used to working with security, it can feel overwhelming and hard to understand what to prioritize in a report. Luckily, a service provider with security experience such as Basefarm can assist with this. Read more about our services on our website or contact us directly to learn more!

BIO

Linus Särud (Twitter: @_zulln), 19, already had an interest in IT security when he was only 13 years old. At 14, he got into ethical hacking, discovered severe security vulnerabilities in Google applications and contributed IT security articles to IDG Sweden. Today he works as a security researcher for Detectify, a Swedish web security company. At Detectify, Linus conducts extensive security research, manages the Detectify Labs blog and coordinates the 150+ ethical hackers that are part of Detectify’s Crowdsource network.


Cybersecurity Updates For Week 17 of 2022

April 29, 2022/in Security blog /by Sjir Bagmeijer

New Nimbuspwn Linux vulnerability gives hackers root privileges A new set of vulnerabilities collectively tracked as Nimbuspwn could let local attackers escalate privileges on Linux systems to deploy malware ranging from backdoors to ransomware. Read more: https://www.bleepingcomputer.com/news/security/new-nimbuspwn-linux-vulnerability-gives-hackers-root-privileges/ Security alert: Attack campaign involving stolen OAuth user tokens issued to two third-party integrators On April 12, GitHub […]


Cybersecurity Updates For Week 16 of 2022

April 22, 2022/in Security blog /by Sjir Bagmeijer

CVE-2021-3970, CVE-2021-3971, CVE-2021-3972: Lenovo UEFI Firmware Vulnerabilities Security company ESET discovered 3 new vulnerabilities in the UEFI firmware of Lenovo laptops which affected hundreds of Lenovo models including Lenovo Flex; IdeaPads; Legion; V14, V15, and V17 series; and Yoga laptops. Read more: https://securityonline.info/cve-2021-3970-lenovo-uefi-firmware-vulnerabilities/ Hackers Are Getting Caught Exploiting New Bugs More Than Ever A pair […]


Cybersecurity Updates For Week 15 of 2022

April 15, 2022/in Security blog /by Sjir Bagmeijer

Microsoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities Microsoft’s Patch Tuesday updates for the month of April have addressed a total of 128 security vulnerabilities spanning across its software product portfolio, including Windows, Defender, Office, Exchange Server, Visual Studio, and Print Spooler, among others. Read more: https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html Menswear Brand Zegna Reveals Ransomware […]


Cybersecurity Updates For Week 14 of 2022

April 8, 2022/in Security blog /by Sjir Bagmeijer

Cado Discovers Denonia: The First Malware Specifically Targeting Lambda Cado Labs routinely analyses cloud environments to look for the latest threats. As part of ongoing research, we found the first publicly-known case of malware specifically designed to execute in an AWS Lambda environment. Read more: https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/ VMware Patches Multiple Vulnerabilities in Workspace ONE, Identity and […]


Cybersecurity Updates For Week 13 of 2022

April 1, 2022/in Security blog /by Sjir Bagmeijer

Spring Core on JDK9+ is vulnerable to remote code execution Spring Core on JDK9+ is vulnerable to remote code execution due to a bypass for CVE-2010-1622. At the time of writing, this vulnerability is unpatched in Spring Framework and there is a public proof-of-concept available. As we have remediation advice for customers (see below), we […]


Cybersecurity Updates For Week 12 of 2022

March 25, 2022/in Security blog /by Sjir Bagmeijer

Okta’s Investigation of the January 2022 Compromise On March 22, 2022, nearly 24 hours ago, a number of screenshots were published online that were taken from a computer used by one of Okta’s third-party customer support engineers. Read more: https://www.okta.com/blog/2022/03/oktas-investigation-of-the-january-2022-compromise/ Microsoft confirms Lapsus$ breach after hackers publish Bing, Cortana source code Microsoft has confirmed that […]


Cybersecurity Updates For Week 11 of 2022

March 18, 2022/in Security blog /by Sjir Bagmeijer

High-Severity DoS Vulnerability Patched in OpenSSL OpenSSL updates announced on Tuesday patch a high-severity denial-of-service (DoS) vulnerability related to certificate parsing. Read more: https://www.securityweek.com/high-severity-dos-vulnerability-patched-openssl CISOs face ‘perfect storm’ of ransomware and state-supported cybercrime With not just ransomware gangs raiding network after network, but nation states consciously turning a blind eye to it, today’s chief information […]


Cybersecurity Updates For Week 10 of 2022

March 11, 2022/in Security blog /by Sjir Bagmeijer

Intel and Arm CPUs have a major security flaw A new Spectre class speculative execution vulnerability, called Branch History Injection (BHI) or Spectre-BHB, was jointly disclosed on Tuesday by VUSec security research group and Intel. Read more: https://www.techspot.com/news/93706-arm-intel-cpus-vulnerable-new-spectre-style-attack.html Microsoft tests new cloud-based Microsoft Defender for home users Microsoft has announced that the company’s new cloud-based […]


Cybersecurity Updates For Week 9 of 2022

March 4, 2022/in Security blog /by Sjir Bagmeijer

DORA’s Global Reach and Why Enterprises Need to Prepare A new cybersecurity regulation is coming to the European financial services sector, and its authority will be felt worldwide. Read more: https://www.darkreading.com/risk/dora-s-global-reach-and-why-enterprises-need-to-prepare Shadowserver Special Reports – Cyclops Blink On 2022-03-03 we sent out a second special report with an additional 673 IPs likely infected with Cyclops […]


Cybersecurity Updates For Week 8 of 2022

February 25, 2022/in Security blog /by Sjir Bagmeijer

New Data-Wiping Malware Discovered on Systems in Ukraine Researchers were scrambling to analyze a newly discovered piece of data-wiping malware found in the wild. Read more: https://www.darkreading.com/attacks-breaches/new-data-wiping-malware-discovered-on-systems-in-ukraine Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure The modular Windows crimeware platform known as TrickBot formally shuttered its infrastructure on Thursday after reports emerged of its […]


© Copyright - Basefarm Security Blog