
This week we focus on how companies can build an effective application threat model to secure internet-facing web applications. A threat model simply describes how a web application could be attacked, from an attacker's perspective. For the first part of this series, we start from the client side, placing emphasis on the main entry point to a web application: the login page.

In a real-world scenario, anybody seeking to protect their resources focuses on the main entrance. Likewise, web developers interested in securing users' data from attackers focus primarily on the login page. Attackers target the login page of a web application with the following attacks:

  • SQL Injection
  • Brute Force (or Password Guessing) Attacks
  • Default Passwords
  • Phishing
  • Username Enumeration

Five Steps to Secure Your Login Page

  • To prevent SQL injection, advise your developers to use prepared statements with parameterized queries.
  • To prevent brute forcing, lock out accounts after a defined number of incorrect password attempts and unlock them again after a specified duration. In addition, include a CAPTCHA to make it difficult for attackers to brute force the login page with automated tools.
  • Don't dare use default passwords; it is basic wisdom not to do so.
  • To prevent phishing, run a regular (daily or monthly) awareness program on the dangers of web phishing attacks. Phishing attacks are difficult and tricky to escape, so we offer a program dedicated to phishing attacks and their prevention. You can contact us on our website for further details.
  • To prevent username enumeration, stop attackers from probing your site to learn whether a username exists. One way to do this is to let users sign up or log in with email addresses instead of usernames. Allowing username enumeration makes it easy for attackers to carry out brute-force attacks.

Although these steps help secure a web application against the attacks above, there are other ways attackers could bypass web authentication. Thus, we suggest that developers also put detection measures in place to capture or log malicious attempts.

Logging malicious attempts helps you learn which techniques attackers tried in order to bypass your login page, and how you can secure your web application against such attacks.
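As an added example (not code from the original post), the login check below applies the steps above together with the logging suggestion: a parameterized query, lockout after a fixed number of failures with timed recovery, one uniform failure message so the response does not reveal whether the email exists, and a log entry for every failed attempt. The limits, the in-memory SQLite table and the function names are assumptions made for the illustration.

```python
import hashlib, hmac, os, sqlite3, time

MAX_ATTEMPTS = 5           # lockout threshold (assumed policy)
LOCKOUT_SECONDS = 15 * 60  # how long an account stays locked before it recovers
GENERIC_FAILURE = "Invalid email or password."  # same text for every failure

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")  # assumed schema for the example
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB,"
               " failed INTEGER DEFAULT 0, locked_until REAL DEFAULT 0)")
    return db

def add_user(db, email, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
               (email, salt, hash_password(password, salt)))

def login(db, email, password, now=None, log=None):
    """Return (success, message). Failed attempts are appended to `log`."""
    now = time.time() if now is None else now
    log = log if log is not None else []
    # Prepared statement: the email is bound as a parameter, never spliced into SQL.
    row = db.execute("SELECT salt, pw_hash, failed, locked_until FROM users"
                     " WHERE email = ?", (email,)).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)  # keep timing close to the known-user path
        log.append(f"login failed: unknown email={email!r}")
        return False, GENERIC_FAILURE          # indistinguishable from a wrong password
    salt, pw_hash, failed, locked_until = row
    if locked_until > now:                     # still locked: refuse even a correct password
        log.append(f"login refused: locked email={email!r}")
        return False, GENERIC_FAILURE
    if locked_until:                           # lock has expired: the account recovers
        failed = 0
    if hmac.compare_digest(hash_password(password, salt), pw_hash):
        db.execute("UPDATE users SET failed = 0, locked_until = 0 WHERE email = ?", (email,))
        return True, "ok"
    failed += 1
    locked = now + LOCKOUT_SECONDS if failed >= MAX_ATTEMPTS else 0
    db.execute("UPDATE users SET failed = ?, locked_until = ? WHERE email = ?",
               (failed, locked, email))
    log.append(f"login failed: email={email!r} attempt={failed} locked={bool(locked)}")
    return False, GENERIC_FAILURE
```

The log list stands in for whatever sink the application uses; what matters is that each failed attempt records the account and the attempt count so a brute-force pattern is visible.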

In the next part of this series, we shall focus on attacks against users' accounts and how developers and application security engineers can make it difficult for malicious users to access them.

#ISA_info

#ISA_ltd