Last week, we begun with the first major part of Application Threat Model series for both web/mobile developers, security engineers as well as other stakeholders interested in securing data and protecting sensitive resources from hackers.
We emphasized briefly on how web/mobile developers can secure login page as well as make it difficult for attackers to by-pass authentication. Securing login page is the first and most important step for every company interested in creating effective and practical application threat model.
Eventually, we outlined common attacks such as sql injection attackers may rely on to by-pass authentication put in place by application security engineers and web/mobile developers.
Furthermore we suggested limited solutions for developers just to make it difficult for attackers to by-pass authentication.
This week we are going to throw light on how developers, security engineers and CIO’s could create effective and practical threat model template for web/mobile application. This is just a continuation of application threat model series.
Importance of Protecting User’s Account
Developers and Security Engineers need to attach a great deal of importance to user’s account on web/mobile portals. When user’s account is compromised, it affects business reputation.
How then can developers and security engineers secure user’s account? Below is an example of a less common attacks hackers can use to compromise users account’s on the client-side.
There many other attacks apart from IDOR. However, we will focus briefly only on Insecure Direct Object Reference for now.
IDOR Attacks:
Insecure Direct Object Reference allows attackers to manipulate references to gain access to unauthorized data.It is impossible to say what the potential impact of IDOR is, as it varies. Depending on what kind of data or file the attacker may get hold of, attacker can manipulate user’s balance sheet, transfer money from user’s account and so on.
Solution:
We strongly recommend developers to check the access before using a direct object reference from an untrusted source.The user needs to be authorized for the requested information before the server provides it.
This is just a brief solution of how developers and security engineers could rely on application threat model template to predict type of attacks attackers can use to attack web/mobile applications and how developers/Security Engineers can use secure applications against these attacks.
You can research ahead to find out about other attacks against user’s accounts.
Next week, we shall move onto the next part of our application threat model series focusing on proxy and code logic attacks. Thanks!
#ISA_informs
#ISA_ltd
Sign up our newsletter for update information, insight and promotion.
