Web Security Guide: Fending Off Web Browser Vulnerabilities
One of the most common mistakes individuals and companies make is not making security a priority until a major breach occurs. The world of IT security seems a very complicated and alien concept to some, but that is not entirely true.
Data breaches, ransomware attacks, cryptojacking, threats to your connected devices — these are just some of the cyber security dangers that you will eventually encounter if you fail to use an antivirus scanner and create an effective approach to IT security.
In particular, this guide focuses on the most common web browser vulnerabilities which everyone should be familiar with, including recommendations on how they can be avoided.
Injection Flaws
Injection flaws occur when you fail to filter untrusted or unfamiliar input (e.g. passing unfiltered data to the SQL database, to the browser, to the LDAP server, etc.). Because commands are injected into those entities, this can lead to permanent loss of data and to the hijacking of clients’ browsers.
Prevention: The best way to prevent this is to filter every untrusted source your application receives. For example, if your system has 1,000 outputs, make sure to filter all of them. A single unfiltered source is enough to bring your system down, so make sure everything is covered. If you are not familiar with filtering complicated sources like crypto, use your framework’s filtering functions.
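As an added illustration of the two injection targets named above (the SQL database and the browser), not code from the original article: the same lookup and the same greeting are shown once with unfiltered input spliced in and once handled safely. For the SQL case the safe form uses a bound parameter rather than a filter, which is the usual fix; the table, rows and the probe string are constructed for the demo.

```python
import html
import sqlite3

# Constructed sample data for the demonstration; not from the original page.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def build_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Injection flaw: untrusted input is spliced into the SQL text, so it can
    change the query itself rather than only the value being compared."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Fixed: the driver binds the value separately from the SQL text, so the
    input is always treated as data, whatever characters it contains."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def greeting_vulnerable(name):
    """Browser-side counterpart: untrusted input written into HTML unescaped,
    so markup in the name is rendered and scripts in it would run."""
    return "<p>Welcome, " + name + "</p>"


def greeting_escaped(name):
    """Fixed: encode the value for the HTML context it is written into."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"  # constructed input; not a real user name
    print(lookup_vulnerable(db, probe))     # every row comes back
    print(lookup_parameterized(db, probe))  # no row has that literal name
    print(greeting_vulnerable("<b>x</b>"))  # tag reaches the browser intact
    print(greeting_escaped("<b>x</b>"))     # tag is shown as text
```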
Insecure Direct Object References
A direct object reference is characterized by the exposure of an internal object, such as a file or database key, to a specific user. That user can supply the reference and gain access to data they should be precluded from.
The password reset function is a common example, as it relies heavily on user input to determine which password is being changed. An attacker can modify the username field in the URL and make themselves the admin.
Prevention: Remember to perform user authorization and whitelist the allowed choices. The problem is easily resolved by not disseminating internal data and keeping it in internal storage.
Security Misconfiguration
Web servers and applications that have been misconfigured are more common than those that have been configured properly. Here are some examples:
- Executing the application with debug enabled in production.
- Keeping directory listing which leaks valuable information.
- Using outdated software (think WordPress plugins, old phpMyAdmin).
- Having unnecessary services running on the machine.
- Not changing default keys and passwords. (Happens way more frequently than you’d believe!)
- Exposing error handling info such as stack traces.
Prevention: It is highly recommended to have a good, automated process that runs tests on every deploy. The goal is to prevent code from going out with default passwords.
Components with Known Vulnerabilities
Before adding new code, always take the auditing effort into consideration. Using code from someone you barely know is convenient, but risking a serious web security vulnerability is highly discouraged. There are cases where sites get owned via outside administrative access, so you should be able to document, test, and plan how to keep the code updated, especially if it contains open source components.
Prevention: Besides being cautious in using such components, refrain from copy-pasting code. Double check every piece of code you are about to put into your software, as it might be broken. Make sure you are using the latest version of your antivirus scanner, and have a plan to update it regularly.
Cross Site Request Forgery (CSRF)
CSRF is best known as a misleading attack in which a third-party site issues requests to the target site (e.g., your bank) using your browser, and therefore your cookies.
Prevention: Always remember that you must already be authenticated to a website to be vulnerable. Instead of using cookies that perform session tracking, switch to dynamically generated session tokens.
Always remember the golden rule: good files can be safely run and bad files can be blocked. Never put yourself at risk by running unknown files. Comodo Internet Security Premium, listed as one of the Top Products in the 2018 AV-TEST, has the highest scores in protection and usability under its belt. If you’re looking for the best antivirus scanner for home users and organizations, Comodo Internet Security can cover it all for you.
It puts multiple layers of security in place to keep you safe from emerging and existing threats. It offers real-time protection to spot and eliminate known malware before it can wreak havoc on your computer. With its easy-to-navigate interface, Comodo lets you monitor your security status and launch scans easily. Its secure shopping feature also lets you shop and bank online without the fear of being hacked, tracked, or viewed by malware or internet thieves.