Arrow_Dropdownic_001_google+_16ic_002_xing_16Group 2ic_003_facebook_16ic_004_linkedIn_16Groupic_005_message_16ic_006_upload_16ic_007_remove_16ic_008_email_16ic_009_attachment_16ic_010_file_16ic_011_name_16ic_012_arrow_left_16ic_013_arrow_right_16ic_014_arrow_down_16ic_015_arrow_up_16ic_016_dropdown_arrow_down_16ic_016_dropdown_arrow_leftic_016_dropdown_arrow_rightic_017_K&C_dropdown_arrow_up_16ic_018_language_16ic_019_Quote_16ic_020_+_16ic_021_=_16ic_022_phone_16ic_023_twitter_16ic_024_position_16ic_025_company_16ic_026_search_16ic_027_mobile_16ic_028_fax_16ic_029_location_16ic_030_enlarge_16ic_031_downscale_16ic_032_contactic_download_normal_16pxic_033_skype_16ic_006_download_16 copySearchGroup 26Rss_font_awesomeK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxK&C_Icons_32pxic_agile_128ic_business_128ic_agile_white_128ic_banknote_smile_128ic_business_128ic_business_128ic_checkmark_128ic_client_team_manager_128ic_code_file_128ic_code_files_128ic_corporate_cloud_platforms_128ic_crossplatform_apps_128ic_dedicated_team_128ic_developer_128ic_development_team_128ic_enterprise_128ic_faster_timeframe_128ic_fixed_price_128ic_graph_down_128ic_graph_down_128ic_hourly_128ic_hourly_white_128ic_information_finder_128ic_junior_developer_128ic_managed_team_128ic_message_128ic_mobile_app_startups_128ic_mobile_development_128ic_mobile_development_up_128ic_mobile_devices_128ic_multiplatform_128ic_multiplatform_white_128ic_pricetag_128ic_project_checklist_128ic_project_management_128ic_project_management_team_128ic_research_and_development_team_128ic_scalable_team_128ic_senior_developer_128ic_smaller_codebase_128ic_smaller_price_128ic_startup_128ic_team_manager_128ic_three_times_faster_128Consul_VerticalLogo_FullColorPacker_VerticalLogo_FullColorTerraform_VerticalLogo_FullColorVault_VerticalLogo_FullColorethereum_black_64ic_Interest_based_64ic_acrivate_card_64ic_api_client_64ic_application_architecture_64ic_application_architecture_ white_64ic_application_development_user_64ic_application_development_user_64ic_arrow_down_64ic_automated_backups_64ic_automated_infrastructure_provisioning_64ic_automated_infrastructure_provisioning_white_64ic_automated_storage_64ic_automated_storage_64ic_automation_64ic_microservice_architecture_64ic_avaliability_across_the_world_64ic_avaliability_across_the_world_white_64ic_blockchain_64ic_blockchain_white_64ic_brackets_64ic_brackets_64ic_build_64ic_build_64ic_build_64ic_business_64ic_business_partnership_64ic_business_partnership_white_64ic_business_64ic_calculator_64ic_calendar_64ic_calendar_64ic_car_rent_64ic_card_renewal_64ic_chat_64ic_chat_bubbles_64ic_chat_bubbles_64ic_chat_white_64ic_checklist_64ic_checkmark_64ic_blockchain_64ic_smart_development_64ic_blockchain_consulting_64ic_checkmark_white_64ic_clock_64ic_clock_white_64ic_cloud_media_64ic_cloud_solutionsic_cloud_solutions_whiteic_cluster_64ic_cluster_white_64ic_code_base_optimization_64ic_coding_64ic_coding_white_64ic_commenting_widget_64ic_commenting_widget_64ic_containers_64ic_containers_white_64ic_continious_64ic_continious_delivery_64ic_continious_delivery_white_64ic_continious_release_64ic_continious_release_white_64ic_continious_white_64ic_cost_saving_64ic_cost_saving_white_64ic_cpu_load_64ic_credit_card_64ic_crossplatform_app_development_64ic_crossplatform_app_development_white_64ic_custom_crm_64ic_custom_crm_64ic_independence_consulring_64ic_database_calls_64ic_database_calls_white_64ic_dedicated_teams_64ic_dedicated_teams_64ic_desktop_application_user_64ic_desktop_application_user_64ic_desktop_code_64ic_desktop_code_white_64ic_developer_64ic_developer_white_64ic_development_64ic_devops_64ic_devops_64ic_documents_64ic_documents_graph_64ic_documents_graph_white_64ic_documents_white_64ic_download_presentation_64ic_education_64ic_email_open_64ic_email_open_white_64ic_environment_healthcheckethereum_white_64ic_euro_64ic_euro_white_64ic_failure_solved_64ic_gdpr_64ic_globe_outlines_64ic_good_quality_64ic_high_load_websites_64ic_high_load_websites_white_64ic_hotel_booking_64ic_inability_64ic_inability_white_64ic_increase_64ic_increase_white_64ic_increasing_team_64ic_independence_64ic_integration_64ic_it_outsourcing_64ic_it_outsourcing_64ic_knowledge_sharing_64ic_mobile_devices_64ic_laptop_user_64ic_laptop_user_white_64ic_launch_64ic_launch_white_64ic_learning_64ic_learning_two_white_64ic_lighthouse_64ic_link_64ic_load_balancer_64ic_load_balancer_64ic_load_card_64ic_lock_64ic_lock_white_64ic_low_cost_64ic_low_load_websites_64ic_maintenance_tools_64ic_maintenance_tools_white_64ic_media_player_64ic_media_player_white_64ic_messaging_platforms_64ic_microservice_architecture_64ic_microservices_64ic_microservices_64ic_mobile_app_64ic_mobile_app_64ic_mobile_content_64ic_mobile_development_64ic_mobile_development_white_64ic_mobile_devices_64ic_mobile_devices_white_64ic_mobile_payments_64ic_mobile_social_media_applications_64ic_mobile_workflows_64ic_money_transfers_64ic_multimedia_sharing_64ic_multimedia_sharing_white_64ic_my_garage_64ic_no_access_64ic_no_access_white_64ic_no_oldschool_64ic_online_marketplaces_64ic_online_marketplaces_white_64ic_online_trading_64ic_online_trading_64ic_pair_device_64ic_parallels_64ic_parallels_white_64ic_passcode_64ic_payment_systems_64ic_performance_64ic_performance_issues_64ic_performance_issues_white_64ic_performance_white_64ic_plane_64ic_plane_white_64ic_plus_64ic_plus_64ic_pricetags_64ic_pricetags_64ic_product_64ic_product_search_64ic_product_white_64ic_productivity_tools_64ic_productivity_tools_64ic_project_delivery_64ic_project_delivery_white_64ic_project_management_64ic_project_management_collaboration_64ic_project_management_team_64ic_project_management_team_white_64ic_project_risks_reduced_64ic_quality_mark_64ic_quality_mark_64ic_quality_mark_white_64ic_question_64ic_react_native_64ic_response_time_64ic_response_time_white_64ic_rest_api_64ic_retail_64ic_transparency_consulting_64ic_scale_up_64ic_scale_up_white_64ic_security_64ic_security_64ic_self_healing_64ic_self_healing_64 copyic_send_money_64ic_server_64ic_server_white_64ic_shopping_64ic_shopping_white_64ic_sleep_mode_64ic_small_is_beautiful_64ic_smaller_price_64ic_social_benefits_64ic_social_connections_64ic_socket_64Group 20ic_spare_parts_for_cars_64ic_spare_parts_for_cars_white_64ic_speedometer_64ic_performance_consulting_64ic_speedometer_white_64ic_startup_64ic_startup_white _64ic_target_64ic_team_64ic_testing_64ic_testing_checklist_64ic_testing_checklist_white_64ic_testing_white_64ic_three_times_faster_64ic_touch_64ic_touch_id_64ic_touch_white_64ic_transparency_64ic_ui_design_desktop_64ic_ui_design_mobile_64ic_ui_design_mobile_white_64ic_umbrella_64ic_umbrella_64ic_umbrella_white_64ic_up_and_down_scaling_64ic_up_and_down_scaling_64ic_users_64ic_users_white_64ic_ux_design_64ic_ux_design_desktop_64ic_ux_design_64ic_ux_design_white_64ic_vehicle_64ic_web_based_search_64ic_web_based_search_white_64ic_web_browser_code_64ic_web_browser_developer_mode_64ic_web_browser_user_64ic_web_development_64ic_web_development_white_64ic_web_portals_64ic_web_portals_64ic_web_user_64ic_web_user_white64ic_workflow_64ic_workflow_steps_64ic_workflow_steps_white_64ic_workflow_white_64ic_working_environment_64solidity_blackGroup 19

All You Need to Know About Web App Security Now

Over the past ten years, we have heard much about the security of web applications, and the threats that can come from using them. For better or worse, modern businesses have become increasingly dependent on the use of web applications developed agile; from complex infrastructure systems to IoT devices.


Attacks on web applications provide intruders with ample opportunities such as:

-Access to a company's internal resources and sensitive information;

-The opportunity to disrupt the functioning of an application or bypass business logic;

-Financial gains for the attacker, and losses, both financial and reputational, for the owner of web applications.


Users of web applications are at risk, because if an attack is successful, the intruder can steal credentials, perform actions on websites on behalf of users, and infect a system with malware.


In this article, we’ll talk about the types of attacks, the ways threat actors can damage your system, and how you can protect your company’s essential data.

Types of Attacks

There are different types of attacks. They differ depending on the sophistication of the way malefactors have chosen to steal sensitive data. The most popular attacks are:

1.Implementing SQL statements

2.Running OS commands

3.Path Traversal

4.Сross-site scripting

5.Denial of service

6.Сonnecting local files

7.Implementing XML external entities

8.Downloading random files

9.Cross-site request forgery


One of the most simple ways to wangle desired data from a web app is to use brute force attacks. This approach is reliant on a user’s laziness and carelessness, which are unfortunately traits that many of us share.

More

As we all know, to access an app, we need to create a username and password. However, it is very seldom that one thinks hard about this task. In most cases, people enter a password connected to their email, name, surname, date of birth, etc. It becomes even worse when the employee writes the password on a post-it note and leaves it on their computer screen.


As the goal of the attack is to find a valid username and password, it’s not as difficult as we would assume for intruders to spend a couple of hours scrolling Instagram profiles of a particular organization in search of a careless photo that reveals login details.

Ways to Implement a Brute Force Attack

3 Don’ts If You Want to Avoid an Attack

DON’T BLOCK THE IP

After finding that there has been an attack, most likely you will want to reactively block the intruder’s IP address. However, we would advise you to refrain from such impulsive actions because:


-the intruder can easily overcome this by dynamically changing the IP address

-blocking a public IP may cut off other users of the same address

DON’T BLOCK THE USER

Another bad idea is to block those users that have failed to log in multiple times. This is a dangerous approach. A potential intruder may try many valid usernames, and you’ll end up blocking each and every one of these people. Most likely this will annoy users and deter them from using your app. A lighter version of this solution is to lock an account temporarily, with a response such as “You entered your password incorrectly a few times in a row. Try again in 30 seconds.”

DON’T USE CAPTCHA

Of course it is great to receive confirmation from CAPTCHA that you’re not a robot, but unfortunately this method is inconvenient. It lacks usability in many cases, and is (unexpectedly) vulnerable to attacks. In applications that prioritize user friendliness, CAPTCHA should be considered a last resort.

How to Protect Yourself from a Brute Force Attack

Step #1. DEFINE WHAT YOU PROTECT

Analyze what kind of resources/values should be defended above all else. Money? Sensitive data? Reputation? A hacked homepage can result in the loss of all three of these and should be obviously avoided at all costs.

Step #2. DETECT THE ATTACK

To eradicate a brute force attack, you need first to detect it. For this, you need to use tools for monitoring the network traffic of your web app. Pay attention to metrics and logs. The HTTP metrics should be detailed enough to determine the URL and method of each incoming request, status, and the number of produced responses. Logs will provide more detailed information about each request that cannot always be collected and presented as metrics.

Step #3. ASK AN ADDITIONAL SECRET QUESTION

Secret questions can be beneficial if you want to detect attackers without bothering the regular users of your web app. As you know, the secret question and corresponding answer are configured in a user’s profile. If a user has failed to login a few times, give them the option of answering their secret question. Make sure to also ask these questions for invalid logins, so the attacker won’t know if an account really exists or not.

Step #4. INTRODUCE LATENCY/ DELAY

During a brute force attack an intruder will make attempts with many passwords. Implementing a delay between failed login attempts can dramatically decelerate the whole process, making it too time-consuming for an attacker. The additional latency won't bother real users.

Step #5. TRICK BRUTE FORCE TOOLS

In a brute force attack, some penetration testing tools may be used, like THC-Hydra. These programs send requests with a User-Agent header set to a default value. This is a tell-tale sign of an attack tool.


By randomly returning the 200 status responses for requests with such header, an application can fool the attacker, who will no longer be able to distinguish between correct and failed attempts. It’ll work on amateur hackers who don't know how to modify Hydra's request headers. Note this isn't a fully secure solution as request headers can’t always be relied on.

Conclusion

Many of the attacks committed nowadays are not particularly ingenious and can be easily avoided or detected by following the aforementioned pieces of advice. Nevertheless, we can’t get complacent. The technical expertise that modern cybercriminals possess make it possible to carry out attacks with a high level of complexity, including through a series of actions that occur at different times and at first glance do not seem related.


If you’re not sure you can cope with a complicated series of attacks, make sure to schedule a free workshop with K&C specialists, who will consult and provide you with 100% web app security.

SHARE WITH FRIENDS
You might find this interesting
Our cases
Bosch Classic Cars - Digital Engagement Platform for 19K Vintage Car Owners
Our cases
Liferay Portal Performance Tuning Services for a Major Online Gaming Software Supplier
Our cases
How to apply React Native while developing heavy cross-platform mobile apps
E-book
How to Secure Web Product Development — FREE eBook
E-book
Digital Transformation: the Philosopher’s Stone of Economic Growth
Our cases
Reference: Major producer of auto electronics and spare parts
Our cases
Micro-service Architecture for New AngularJS Application - Case Study
Our cases
Portal Performance Tuning For Major German Travel Agency
E-book
Top Tools for Cost-Effective Web Development — eBook
Our cases
Reformation of Deployment Cycle for Bosch Classic Cars Portal
Our cases
Fast and Lightweight Mobile Application based on PhoneGap/ Cordova
Our cases
Drivelog.de — Web Marketplace for Car Owners and Service Providers
E-book
Determining Approaches to Mobile App Development
Our cases
The Platform Providing Event Organization
Our cases
VAIX - Fault tolerant infrastructure for 24/7 high-load machine learning service
Web,DevOps,Our cases
Our case: Marketplace for gaming goods
Web
Scaling software solutions - how it works
Other
Don’t Treat Me Like a Fool: The worst thing you can do for your business
Mobile
Native or Hybrid Apps: A Quick Comparison
Web,Outsourcing,Amazon Web Services
DEBUGGING AWS LAMBDA FUNCTIONS
Other
Europe’s Big Payments Directive PSD2
DevOps,Outsourcing
Rancher 2.0: A Quick Look at the New Version
Outsourcing
The BPM in the Microservice Environment
DevOps
Installation and setting up: Nextcloud as a local network storage on CentOS7
Web,Outsourcing,Other
Angular 5 VS React.js – Who’s Going to Set the Tone in the Upcoming Year?
Web
Microservices… when do we need them?
Web
Plan to Succeed: 4 Tips for Building Scalable Software
Web
Cloud Deployment: Overview of Options
Other
How to Convert Your Business to an Amazon-Style Market Leader
DevOps,Other
Security in Kubernetes and How Companies Can Benefit from It
Our cases
How to Save Money Using Your Own Infrastructure
Other
Swimming with Sharks
DevOps
How We Manage Our Infrastructure with Chef
Other
GDPR: Smart Practices
Web,Outsourcing
ANGULAR 6 versus REACT 16.3
Web,Outsourcing,Other
JS Frameworks: The Trendiest Frameworks You Should Know
Web,Other
JAMSTACK IS THE NEW FACE OF STATIC SITES
Web
Angular 4 vs React – what to choose in 2017
Web
When Microservices Help Make Future-Ready Products
Web,DevOps,Outsourcing
DevOps als DevSecOps – Integrierter Schutz vor Bedrohungen ohne Termin- und Budgetüberschreitung
DevOps,Outsourcing
AWS DevOps: A New Way to Run Business
DevOps
DevOps As DevSecOps – Full Integration of Threat Protection Without Compromising Deadlines of Budgets
DevOps
How to start services on Linux
Web,Outsourcing,Other
Angular 5.0.0 – A Better Version of Itself
Web,Mobile,Back-end,Amazon Web Services
Why Enterprises Choose Serverless Architecture
Other
Big Data: Why Your Business Needs it ASAP
Outsourcing,Testing
Die Rolle des QS-Teams in Software-Projekten
Other
Culture eats technology for breakfast
Web,Outsourcing,Other
How a Company Can Benefit from White Label: K&C experience
Web,Outsourcing
Migration from Angular 1 to Angular 5
DevOps,Amazon Web Services
Kubernetes at the Forefront of Secure Microservices Future
Web,Other
Dedicated Teams for Web Development: Choice Criteria to be Checked
Outsourcing,Other
How to Ramp up Your Team Wisely
Web,Outsourcing,Testing
QA for CxOs: How to Hire and Outsource
DevOps
Hashicorp in Kubernetes: The short guide for Consul & Vault
Web
Three Authentication Approaches to Keep Your Clients Safe
DevOps,Outsourcing,Other
How to setup Kubernetes cluster on AWS
Web,Outsourcing,Testing
Sicherheit für Web-Anwendungen - dank Threat Modeling
Web
Node.js 10.0.0: Everyone’s Favorite Got Even Better
Outsourcing,Other
Hybrid, SaaS+PaaS, IoT: Cloud Trends to Catch in 2018
DevOps
Docker: Virtualize Your Development Environment Right
Web,Mobile,Outsourcing,Other
All You Wanted to Know About Chatbot Platforms
Web,Outsourcing
Why It’s Better to Use Vue.js than Angular and React in 2018
DevOps
What to Choose: NFS or CEPH?
Testing
What Is Quality Assurance and Why You Need It Immediately
Web
Debunking imaginary shortcomings of cross-platform frameworks
Web
Angular 2.0 vs Angular 1.4. What fits you best?
Other,Marketing
How to Become a Leader in Your Market
DevOps
Use case: how to build and run Docker containers with NVIDIA GPUs
Web
Cost efficient technologies
DevOps
DevOps: Kubernetes Federation on Google Cloud Platform
Web,Other
SSR or CSR for Progressive Web App
Web
A secret formula of an agile dream team
Web
SEO Tips & Tricks for Single Page Web Applications
DevOps
DevOps with Puppet: Tips on Setting it up for Configuring Servers
Outsourcing
SCALED AGILE FRAMEWORKS: YOUR COMPLETE GUIDE TO WHICH, WHY AND HOW
Web
K&C insights: how to make your workflow work for you
Web
4 Time-Saving Ways to Test Your Cross Platform Mobile App
DevOps,Outsourcing,Amazon Web Services
Information Security with AWS DevOps
Marketing
Аudience-based Marketing
Other
Ember, jQuery, Angular, React, Vue: What to Choose?
Web,Other
GoLang: Features, Pros and Cons
Web,Outsourcing
How to Control Agile Development: Progress and Costs
Outsourcing,Other
Fortschritt und Kosten im Griff: agile Software-Entwicklung unter kontrollierten Bedingungen
Web,Outsourcing,Other
Golang vs. Node.js
Web,Mobile,Back-end,Amazon Web Services
Serverless Architecture for Modern Apps: Stacks Providers & Caveats
DevOps
Setting Up: Traefik Balancer In Rancher Cloud
Web,Outsourcing
Angular 7 vs React
Other
The Power of the Holistic Business Analysis
Web,Outsourcing,Testing
Web App Security 101: Keep Calm and Do Threat Modeling
Web,Mobile,Outsourcing
Web-Anwendungen ziehen mit Mobile-Apps gleich
Web
How to Motivate Your Dedicated Team to Work with Legacy Projects
Web
Centralized Logging with Logstash, Elasticsearch & Kibana
Web,Outsourcing
Node.js vs. Angular.js – Two Sides of the Same Coin
DevOps,Outsourcing,Other
ROCKET.CHAT as an internal messaging system and helpdesk platform
Web,Other
How to Make Your Web Solution Rock: 7 Areas to Check
Outsourcing,Testing
How the QA Team Tests Your Project
Web,Our cases
White Label: A Customized Software Solution from a Business and Tech Perspective
Web
What's New in React 16.3.0 - 16.4.2: Features Overview
DevOps
Kubernetes backup with Heptio Ark
Web
Agile and DevOps are Key Drivers of Digital Transformation
Other
I’m Tired of Blockchain Hype, Are You?
Web,Amazon Web Services
Monolith, Microservices, Serverless... Are We in the Middle of the Way?
Web
JQuery vs. Angular: Ad Astra per Aspera
Web
Technologies that Foster Digital Transformation
DevOps
How We Use Ansіble for Configuration of Our Environments
Web
Fintech Apps - A Lucrative Solution for Customers and Businesses Alike
Web
Advanced Technologies for Marketing Automation
Web,Other
Progressive Web Apps and Why You May Need Them
Web
Web App Security 101: How to Defend Against a Brute Force Attack
DevOps
How to Build a Rancher & Docker Based Cloud
Web,Outsourcing
Angular 6 vs. Ember 3
Mobile
Reasons to believe in Ionic hybrid app
Web,Outsourcing
Angular 6 Will Be A Hit
Web,Outsourcing,Other
JavaScript & WebSockets: How to Build Real-Time Applications
Web
A Guidance for Keeping Your Web Development Project Within the Budget: Three Key Pillars
Web,Outsourcing,Other
Angular vs. React vs. Vue – Let the Fight Start!