ic_agile_128ic_business_128ic_agile_white_128ic_banknote_smile_128ic_business_128ic_business_128ic_checkmark_128ic_client_team_manager_128ic_code_file_128ic_code_files_128ic_corporate_cloud_platforms_128ic_crossplatform_apps_128ic_dedicated_team_128ic_developer_128ic_development_team_128ic_enterprise_128ic_faster_timeframe_128ic_fixed_price_128ic_graph_down_128ic_graph_down_128ic_hourly_128ic_hourly_white_128ic_information_finder_128ic_junior_developer_128ic_managed_team_128ic_message_128ic_mobile_app_startups_128ic_mobile_development_128ic_mobile_development_up_128ic_mobile_devices_128ic_multiplatform_128ic_multiplatform_white_128ic_pricetag_128ic_project_checklist_128ic_project_management_128ic_project_management_team_128ic_research_and_development_team_128ic_scalable_team_128ic_senior_developer_128ic_smaller_codebase_128ic_smaller_price_128ic_startup_128ic_team_manager_128ic_three_times_faster_128Arrow_Dropdownic_001_google+_16ic_002_xing_16Group 2ic_003_facebook_16ic_004_linkedIn_16Groupic_005_message_16ic_006_upload_16ic_007_remove_16ic_008_email_16ic_009_attachment_16ic_010_file_16ic_011_name_16ic_012_arrow_left_16ic_013_arrow_right_16ic_014_arrow_down_16ic_015_arrow_up_16ic_016_dropdown_arrow_down_16ic_016_dropdown_arrow_leftic_016_dropdown_arrow_rightic_017_K&C_dropdown_arrow_up_16ic_018_language_16ic_019_Quote_16ic_020_+_16ic_021_=_16ic_022_phone_16ic_023_twitter_16ic_024_position_16ic_025_company_16ic_026_search_16ic_027_mobile_16ic_028_fax_16ic_029_location_16ic_030_enlarge_16ic_031_downscale_16ic_032_contactic_download_normal_16pxic_033_skype_16ic_006_download_16 copySearchK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxic_Interest_based_64ic_acrivate_card_64ic_api_client_64ic_application_architecture_64ic_application_architecture_ white_64ic_application_development_user_64ic_application_development_user_64ic_arrow_down_64ic_automated_backups_64ic_automated_infrastructure_provisioning_64ic_automated_infrastructure_provisioning_white_64ic_automated_storage_64ic_automated_storage_64ic_automation_64ic_avaliability_across_the_world_64ic_avaliability_across_the_world_white_64ic_brackets_64ic_brackets_64ic_build_64ic_build_64ic_business_64ic_business_partnership_64ic_business_partnership_white_64ic_business_64ic_calculator_64ic_calendar_64ic_car_rent_64ic_card_renewal_64ic_chat_64ic_chat_bubbles_64ic_chat_bubbles_64ic_chat_white_64ic_checklist_64ic_checkmark_64ic_blockchain_64ic_smart_development_64ic_blockchain_consulting_64ic_checkmark_white_64ic_clock_64ic_clock_white_64ic_cloud_media_64ic_cloud_solutionsic_cloud_solutions_whiteic_cluster_64ic_cluster_white_64ic_code_base_optimization_64ic_coding_64ic_coding_white_64ic_commenting_widget_64ic_commenting_widget_64ic_containers_64ic_containers_white_64ic_continious_64ic_continious_delivery_64ic_continious_delivery_white_64ic_continious_release_64ic_continious_release_white_64ic_continious_white_64ic_cost_saving_64ic_cost_saving_white_64ic_cpu_load_64ic_credit_card_64ic_crossplatform_app_development_64ic_crossplatform_app_development_white_64ic_custom_crm_64ic_custom_crm_64ic_independence_consulring_64ic_database_calls_64ic_database_calls_white_64ic_dedicated_teams_64ic_dedicated_teams_64ic_desktop_application_user_64ic_desktop_application_user_64ic_desktop_code_64ic_desktop_code_white_64ic_developer_64ic_developer_white_64ic_development_64ic_devops_64ic_devops_64ic_documents_64ic_documents_graph_64ic_documents_graph_white_64ic_documents_white_64ic_download_presentation_64ic_education_64ic_email_open_64ic_email_open_white_64ic_environment_healthcheckic_euro_64ic_euro_white_64ic_failure_solved_64ic_globe_outlines_64ic_good_quality_64ic_high_load_websites_64ic_high_load_websites_white_64ic_hotel_booking_64ic_inability_64ic_inability_white_64ic_increase_64ic_increase_white_64ic_increasing_team_64ic_independence_64ic_integration_64ic_it_outsourcing_64ic_it_outsourcing_64ic_knowledge_sharing_64ic_mobile_devices_64ic_laptop_user_64ic_laptop_user_64ic_launch_64ic_launch_white_64ic_learning_64ic_learning_two_white_64ic_lighthouse_64ic_link_64ic_load_balancer_64ic_load_balancer_64ic_load_card_64ic_lock_64ic_lock_white_64ic_low_cost_64ic_low_load_websites_64ic_maintenance_tools_64ic_maintenance_tools_white_64ic_media_player_64ic_messaging_platforms_64ic_microservice_architecture_64ic_microservices_64ic_microservices_64ic_mobile_app_64ic_mobile_app_64ic_mobile_content_64ic_mobile_development_64ic_mobile_development_white_64ic_mobile_devices_64ic_mobile_devices_white_64ic_mobile_payments_64ic_mobile_social_media_applications_64ic_mobile_workflows_64ic_money_transfers_64ic_multimedia_sharing_64ic_multimedia_sharing_white_64ic_my_garage_64ic_no_access_64ic_no_access_white_64ic_no_oldschool_64ic_online_marketplaces_64ic_online_marketplaces_white_64ic_online_trading_64ic_online_trading_64ic_pair_device_64ic_parallels_64ic_parallels_white_64ic_passcode_64ic_payment_systems_64ic_performance_64ic_performance_issues_64ic_performance_issues_white_64ic_performance_white_64ic_plane_64ic_plane_white_64ic_plus_64ic_plus_64ic_pricetags_64ic_pricetags_64ic_product_64ic_product_search_64ic_product_white_64ic_productivity_tools_64ic_productivity_tools_64ic_project_delivery_64ic_project_delivery_white_64ic_project_management_64ic_project_management_collaboration_64ic_project_management_team_64ic_project_management_team_white_64ic_project_risks_reduced_64ic_quality_mark_64ic_quality_mark_64ic_quality_mark_white_64ic_question_64ic_react_native_64ic_response_time_64ic_response_time_white_64ic_rest_api_64ic_retail_64ic_transparency_consulting_64ic_scale_up_64ic_scale_up_white_64ic_self_healing_64ic_self_healing_64 copyic_send_money_64ic_server_64ic_server_white_64ic_shopping_64ic_sleep_mode_64ic_small_is_beautiful_64ic_smaller_price_64ic_social_benefits_64ic_social_connections_64ic_socket_64ic_spare_parts_for_cars_64ic_spare_parts_for_cars_white_64ic_speedometer_64ic_performance_consulting_64ic_speedometer_white_64ic_startup_64ic_target_64ic_team_64ic_testing_64ic_testing_checklist_64ic_testing_checklist_64ic_testing_white_64ic_three_times_faster_64ic_touch_64ic_touch_id_64ic_touch_white_64ic_transparency_64ic_ui_design_desktop_64ic_ui_design_mobile_64ic_ui_design_mobile_white_64ic_umbrella_64ic_umbrella_64ic_umbrella_white_64ic_up_and_down_scaling_64ic_up_and_down_scaling_64ic_users_64ic_users_white_64ic_ux_design_64ic_ux_design_desktop_64ic_ux_design_64ic_ux_design_white_64ic_vehicle_64ic_web_based_search_64ic_web_based_search_white_64ic_web_browser_code_64ic_web_browser_developer_mode_64ic_web_browser_user_64ic_web_development_64ic_web_development_white_64ic_web_portals_64ic_web_portals_64ic_web_user_64ic_web_user_white64ic_workflow_64ic_workflow_steps_64ic_workflow_steps_white_64ic_workflow_white_64ic_working_environment_64

Web App Security 101: Keep Calm and Do Threat Modeling

Web applications becoming more and more complex are the new normal. It's always a challenge to keep up with this growth and always know what app does, why and when, and what needs extra security measures on your part. This kind of a holistic analysis of security is known as threat modeling. There are different methods or even tools for doing that. But at the root of all of them are those three questions:


1. Who can attack us?

2. What resources/components do we protect?

3. What is the infrastructure of our system?

1. Who can attack us?

Defining profiles of possible aggressors will help you understand what could be the most probable ways of attack. Those profiles will obviously vary depending on the industry the company’s in and type of the app (banking, military, company blog). Here are some examples:


Competitors

They can be interested, among other things, in stealing data or discouraging your users by lowering the performance of the app.


Robots / hackers

Semi automatic bots will try to find weak spots of your app to install malicious software for spamming or cryptocurrency mining.


Users

Users of your app might find (very often unwittingly) security holes and, for example, see data that they're not allowed to see by changing user IDs in the URL.


Own employees

Even if you have complete trust in your employees (do you?) they can become a threat unwittingly. It can be a matter of stolen session cookie, stolen or broken password or just malicious software installed on worker's computer. 


The last one is especially tricky, and the argument along the lines of "we use VPN, only trusted users are in it, we're secure" is no longer valid when one of them has his or her own computer infected. And it's hard to predict how such viruses can be introduced – on a new USB stick that was delivered in an open box, or fake email entitled “Salaries plan new year final” that looks like it was sent by mistake by one of the company higher-ups.. People tend to open that type of email more often than not.

2. What do we protect?

Analyze what kind of resources/values should be defended. Money? Sensitive data? Or maybe a publicity nightmare – a hacked homepage – has to be averted at all cost? 


Components

To understand all possible ways of attack, create a map of all components of your app. The main application page and it's backend API would be in the center of that map and that's not revelatory. But as the map will grow you may be surprised about what you may find at its edges: barely used legacy components, not updated since ages. A perfect gift for any intruder. 


Front-end

Web page is usually a main way for your users to enter the web application. It can be vulnerable for many kinds of attacks related to front-end, with XSS being the most obvious. Inspect every input, whether it's a contact form, search bar or page's URL – basically, everything that accepts parameters can be target of an attack. Analyze how the client side business logic is implemented, check what messages are being shown to the user, and make sure there are no hints hidden in the source code comments.


Back-end

Web page needs to communicate somehow with the server. An attacker can also do that using the API directly. Is it secure? What endpoints are public and do they really have to be open? How requests are authenticated? Is authorization working? Are the management endpoints available for end users? You don't want anyone to obtain the environment variable values via the /env endpoint of your Spring Boot's actuator.


Database

Are you sure that your database port is not opened? That there's no GUI DB manager installed under secret URL that only admin knows of?


Mobile

This is hacker's favorite channel of getting into the system. Why?

Very often, for the sake of higher comfort, the security is lowered (long lived sessions, captcha not required). The code base of mobile apps can be developed independently of the main application, which may lead to forgetting critical security-related patches. Is the backend API of a mobile version the same as the API for web page? If not, that's another component to consider.


Newsletter

Does your app send emails? Do emails contain images or links to content on your website? Is that content part of the main page, or is it a place dedicated only for newsletter? If it's in a separate space then another component is under threat.


Infrastructure/cloud components

Your application will use a lot of additional components, especially in cloud environments. Things like service discovery (e.g. Eureka), management tools (Spring Boot Admin), logging and metrics (Kibana, Grafana) or other aiding tools (Redis, RabbitMQ). Are you sure that no developer/tester has opened their ports to easily connect from home?


Third party software

Maybe you have a special BPM suite that takes care of some business process under the hood? Or Business Rules Management System? Or maybe you integrate with contracting parties? Those are also components that should be taken into consideration.


Who you protect is unique and no detail or component is too small. There can be a lot of minute things you can forget that you even have them, things like RSS feeds, cache servers or fancy plug-in for the web page.

3. Infrastructure

Having all of software components mapped, it's time to get the similar view on infrastructure. How many environments are there? What servers do we use? How they're connected to each other? How they're connected to the internet?


Protect you dev and testing environments 


From the attacker's point of view the most interesting are the development and testing environments. Why? Because usually their security configuration is more liberal than the one in production, as the programmer's convenience often has higher priority than system's security.


Having gained access to the development environment, an attacker can do a lot of nasty stuff:

-Understand how to prepare successful attack on production servers

-Steal data (there are known cases of leaks caused by production data being copied to development environment without any modification)

-Steal passwords (some of which may be valid in production stages)

-Install malicious software on dev servers

-Analyze detailed debugging logs.


The source code repositories also should be restricted from the outside world. With an access to it attacker could obtain the passwords from your config files.


How an intruder could find your dev environments?


DNS transfer

One of first things to try is to inspect your domain and try to transfer the DNS information. One tool that enables this is the host program (DNS lookup utility). Defining the query type as NS will show the Name Servers record for given domain:


$ host -t NS example.com

example.com name server b.iana-servers.net.

example.com name server a.iana-servers.net.


Then, in the list mode (enabled by -l option), host will try to perform the zone transfer.


$ host -l example.com b.iana-servers.net


If transfer succeeds, an attacker will see all registered subdomains, like dev.example.com, test.example.com, qa.example.com and so forth, along with their IP addresses. To prevent this check your DNS configuration and make sure that zone transfers are restricted.


DNS bruteforcing

If simple DNS transfer fails, an intruder can try to guess the subdomains in a process called DNS brute forcing. One of the programs that can do that is called dnsenum When provided a dictionary file with list of domain prefixes, the target domain and DNS server it will report all existing subdomains with the given candidates. There are public dictionaries for dnsenum, consisting of a lot of probable guesses.


After obtaining the IP's of your servers, attacker will usually scan their ports, searching for opened ones and planning next steps. A good practice is to hide all test environments from the public world in private networks, allowing the remote access for workers only via VPN networks.


To conclude, the last point that could be taken into consideration is the usage of HTTPS connections not only in production but also for test environments. Certificates may be self-signed, it doesn't matter. What's important is that neither your employees nor viruses installed on their computers will be able to sniff the HTTP traffic inside the VPN.

To be continued…

This post was intended as a sort of web security briefing both for developers and business audience, and covers many topics briefly, and those can be googled in detail, of course. In our day and age it’s super important to at least know the basic security steps and to have a checklist of things that needs to be security checked (pardon the pun).


In the next Security 101 post we’ll talk about various attacking techniques. Sing up for our blog and newsletter so we could let you know when it comes out!

SHARE WITH FRIENDS
You might find this interesting
Our cases
Bosch Classic Cars - Digital Engagement Platform for 19K Vintage Car Owners
Our cases
Liferay Portal Performance Tuning Services for a Major Online Gaming Software Supplier
Web
Three Authentication Approaches to Keep Your Clients Safe
Our cases
How to apply React Native while developing heavy cross-platform mobile apps
Mobile
Reasons to believe in Ionic hybrid app
Web
SEO Tips & Tricks for Single Page Web Applications
E-book
How to Secure Web Product Development — FREE eBook
E-book
Digital Transformation: the Philosopher’s Stone of Economic Growth
Web,Outsourcing,Other
Angular 5 VS React.js – Who’s Going to Set the Tone in the Upcoming Year?
Web
Agile and DevOps are Key Drivers of Digital Transformation
Web
K&C insights: how to make your workflow work for you
Web,Other
GoLang: Features, Pros and Cons
Our cases
Reference: Major producer of auto electronics and spare parts
Outsourcing,Other
Hybrid, SaaS+PaaS, IoT: Cloud Trends to Catch in 2018
Web,Outsourcing,Other
Angular vs. React vs. Vue – Let the Fight Start!
DevOps
DevOps with Puppet: Tips on Setting it up for Configuring Servers
Web,Outsourcing,Other
JS Frameworks: The Trendiest Frameworks You Should Know
Our cases
Micro-service Architecture for New AngularJS Application - Case Study
Mobile
Native or Hybrid Apps: A Quick Comparison
DevOps
Installation and setting up: Nextcloud as a local network storage on CentOS7
Web
Centralized Logging with Logstash, Elasticsearch & Kibana
Web
A Guidance for Keeping Your Web Development Project Within the Budget: Three Key Pillars
Web
Plan to Succeed: 4 Tips for Building Scalable Software
Web
Microservices… when do we need them?
Web
Debunking imaginary shortcomings of cross-platform frameworks
Our cases
Portal Performance Tuning For Major German Travel Agency
Web
Technologies that Foster Digital Transformation
Web,Other
How to Make Your Web Solution Rock: 7 Areas to Check
Web
4 Time-Saving Ways to Test Your Cross Platform Mobile App
Web,Outsourcing,Other
Angular 5.0.0 – A Better Version of Itself
E-book
Top Tools for Cost-Effective Web Development — eBook
Web
A secret formula of an agile dream team
Web
Cloud Deployment: Overview of Options
Web
How to Motivate Your Dedicated Team to Work with Legacy Projects
Web,Our cases
White Label: A Customized Software Solution from a Business and Tech Perspective
Web
Cost efficient technologies
Web
Scaling software solutions - how it works
DevOps,Outsourcing,Other
How to setup Kubernetes cluster on AWS
DevOps
Docker: Virtualize Your Development Environment Right
Web
When Microservices Help Make Future-Ready Products
Outsourcing,Other
How to Ramp up Your Team Wisely
Outsourcing,Testing
How the QA Team Tests Your Project
DevOps
How We Manage Our Infrastructure with Chef
Our cases
Reformation of Deployment Cycle for Bosch Classic Cars Portal
Our cases
Fast and Lightweight Mobile Application based on PhoneGap/ Cordova
Our cases
Drivelog.de — Web Marketplace for Car Owners and Service Providers
DevOps
Use case: how to build and run Docker containers with NVIDIA GPUs
DevOps
How We Use Ansіble for Configuration of Our Environments
Web
Angular 2.0 vs Angular 1.4. What fits you best?
Other
Big Data: Why Your Business Needs it ASAP
Web,Outsourcing,Other
How a Company Can Benefit from White Label: K&C experience
DevOps
How to Build a Rancher & Docker Based Cloud
DevOps
Setting Up: Traefik Balancer In Rancher Cloud
E-book
Determining Approaches to Mobile App Development
Web,Other
Dedicated Teams for Web Development: Choice Criteria to be Checked
Web
Angular 4 vs React – what to choose in 2017
Outsourcing
The BPM in the Microservice Environment
DevOps,Outsourcing,Other
ROCKET.CHAT as an internal messaging system and helpdesk platform
Web
Monolith, Microservices, Serverless... Are We in the Middle of the Way?
Web
JQuery vs. Angular: Ad Astra per Aspera
DevOps
How to start services on Linux
Web
Advanced Technologies for Marketing Automation
Web,Outsourcing
Node.js vs. Angular.js – Two Sides of the Same Coin
DevOps,Outsourcing
AWS DevOps: A New Way to Run Business
Web,Outsourcing
Why It’s Better to Use Vue.js than Angular and React in 2018
Web,Outsourcing
Migration from Angular 1 to Angular 5
DevOps,Outsourcing
Information Security with AWS DevOps
Other
Europe’s Big Payments Directive PSD2
Our cases
The Platform Providing Event Organization
Web,Outsourcing,Other
Golang vs. Node.js
Our cases
VAIX - Fault tolerant infrastructure for 24/7 high-load machine learning service
Web,DevOps,Our cases
Our case: Marketplace for gaming goods
Web,Outsourcing
Angular 6 Will Be A Hit
Web,Mobile,Outsourcing,Other
All You Wanted to Know About Chatbot Platforms
Web,Outsourcing
What's New in React 16.3