II Management

Key Security Risks of Web Applications

The introduction of web applications also raises new concerns on information security. Important or sensitive information can be stored within the web applications, such as student personal data, copyright teaching material, and university confidential information. Since the web applications are usually designed to be accessed by large numbers of users, they require a high level of system availability as well as information protection controls. The following describes a few common vulnerabilities of web applications which might cause universities to be exposed to hackers' attack.

  1. Insufficient Validation Checks

    Without proper "validation and escaping" mechanism, web applications would accept untrusted data, which could cause injection flaws when deliberate instructions are sent to the database as part of a SQL query. The attacker's hostile data can trick the affected systems into executing unintended commands or accessing unauthorised data.

    In addition, Cross Site Scripting ("XSS") may also occur, which allows attackers to execute scripts in users' web browsers that can hijack user sessions, deface web sites, redirect users to phishing or malware sites, or be forwarded to access unauthorised pages.


  2. Broken Authentication and Session Management

    Web application functions related to authentication and session management may not be sufficiently implemented, which allow attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users' identities. In a recent incident, the AT&T network was found to have session management vulnerabilities, which resulted in iPad user information exploited by the hacker.


  3. Failure to Restrict Web Page Access

    Privileged web pages containing confidential information or powerful configuration access should be protected by web applications through checking the user identifies before processing the web page requests. Lack of comprehensive authentication verification or mis-configuration may allow attackers to access sensitive data or privileged web application functions. For example, direct copy and paste the URL of the configuration page of a web application in the web browser may allow a hacker to access the administrative function.


  4. Exposed Network Traffic Information

    Information exchanged between web application servers and end user web browsers may not be protected using strong authentication and encryption techniques. Weak encryption, weak algorithm, out-dated authentication method or even data transmission in plain text can adversely affect the confidentiality and integrity of sensitive network traffic for web applications.