The History of Web Application Security Risks
Software Technology Research Laboratory
De Montfort UniversityLeicester, LE1 9BH UK
@mydmu.ac.uk Mohamed SarrabSoftware Technology Research LaboratoryDe Montfort UniversityLeicester, LE1 9BH UK firstname.lastname@example.org
this article refers generally to current web applicationrisks that are causing public concern, and piquing the interest of many scientists and organizations, as a result of an increase inattacks. The primary concern of many governments,organizations and companies is data loss and theft. Thus, theseorganizations are seeking to insure their web applications againstvulnerabilities. Revealing that awareness of the vulnerabilities of web applications leads to recognition of the need forimprovements. The three main facets of web security are:confidentiality, integrity and safety of content, and continuity.This paper identifies and discusses ten web applicationvulnerabilities, detailing the opinions of researchers and OWASPregarding risk assessment and protection.
INTRODUCTIONThe Internet is a fascinating and multi-faceted technology,opening a window on the world by allowing people across theglobe to access information simply and quickly; allowing themto broadcast their ideas and culture, communicate and accessresearch data from anywhere. It is now even seen as a form of e-government; based on its achievements in the last four yearsand the acquisition of 300 million users.However, the Internet lacks geographic borders, or nationalcontrols and this has led to concerns about the security of conducting business online. Indeed; there are those whoexpend considerable effort in seeking to penetrate and stealimportant information from websites, justifying apprehensionamongst the owners of this information and electronic service providers. Therefore, companies are doing their utmost tomaintain the confidentiality, privacy and accuracy of information they hold (integrity); systems can now be protected in a number of ways and some of the programs thathave helped in intrusion detection and reducing viruses havesomewhat eased the trepidation of network users.Recently attackers have turned their focus to web applicationswhich allow surfing, shopping, communication withcompanies in other countries, etc. This is because they rely ondatabases to facilitate information exchange and thedistribution of information. These applications have anincreasing number of users, increasing their attractiveness toattackers, despite the numerous programmers and developersemployed to protect them.This paper will identify and discussten web applications’ vulnerabilities, which constitute a threatto web applications’ security; assessing information provided by researchers and OWASP regarding risk assessment and protection.II.
INJECTION FLAWSIn 2007 OWASP  mentioned numerous Injection flawsincluding: SQL, LDAP, XPath, XSLT, HTML, XML and OS;with SQL being the most common of such injection types. In2004 OWASP  cited the main cause of vulnerability inweb applications to be there use of features of the operatingsystem and external programs to implement functions. Thisenables attackers to exploit previous information from anHTTP request, to inject malicious code as the web application passes information through.The attack occurs when data is sent to the interpreter after theuser has initiated a command or query. The attacker exploitsthis situation with the injection of malicious code alongsidethe command or query, which enables full access to the system bypassing any protection and calling for data from operatingsystems and databases.OWASP in 2010  described thistype of attack, as the attacker sending simple text to exploit thesyntax that targets the interpreter. Almost all data sources usean injection vector’ which includes internal sources. This flawis typically found in SQL queries, LDAP queries and OScommands .
Avoid using interpreters if possible.
Avoid detailed error messages that may be useful toan attacker.
Reject all script injection (Gregory (2009).
SQL injection is common among injection flaws, and yetapplications those are vulnerable to itare used in our daily
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9, No. 6, June 201140http://sites.google.com/site/ijcsis/ISSN 1947-5500