DEV Community

Cover image for Are you worried about Security at the Application Layer?
Sarah Thompson
Sarah Thompson

Posted on

Are you worried about Security at the Application Layer?

If you're not... do you want to be?

The Application Layer, sometimes called layer 7, is used to help facilitate process-to-process connections over internet protocol (IP). Application layer is the highest level of open system, with the presentation layer right below it.

It allows a user to access and manage files in a remote computer, create features of mail services, use a virtual terminal, etc. The Application level has lots of commonly used protocols, systems, and services. Protocols like File Transfer Protocol (FTP), Web browsers, Simple Network Management Protocol (SNMP), Domain Name Service (DNS), and Hypertext Transfer Protocol (HTTP/HTTPS) are other parts of the application layer system.

So can we make sure our Web application is safe and secure on the application level?

Security on the Application Level

Ensuring security for your website on the application level is very important. Since the application layer is the closest layer to the end user it is all that more vulnerable to hackers. Poor security at this level can cause data theft and performance/stability issues. Below are some of the application level security threats you should be worried about.

Distributed Denial-of-Service Attacks (DDoS)

A Denial of service attack is when a site's server gets flooded with traffic. Attacks like this are normally coordinated with a large number of client computers, many of which are likely to have been infected with a virus that lets hackers remote into the device to force it to join the attack. DDoS causes the server to become inoperable, so true customers or users aren't able to complete their purpose for being on that site. If your web application is an online store, that could mean a lot of missed sales.

Sometimes a site's server gets over flooded with traffic dynamically and legitimately- like if your web application gets an intense spike in web traffic from an advertising or shout out on a popular social media account - this is not a DDoS attack.

The most important thing you can do to prevent Denial of Service Attacks is have a system in place, like a firewall, that can tell the difference between malicious and legitimate traffic.

SQL Injections

A SQL injection attack is when an attacker writes SQL in an input and is able to directly access a web application's back-end data base. The hacker might be doing this to steal information or delete entire tables, which would reek havoc on a web application. It could also be trying to add malicious code into the database, so that the next time it is called it would perform an attack on the innocent user's browser and computer.

//Make sure your form submissions have strong user input validation
<form submit="submitSecure()">
  <label for="fname">First:</label>
  <input type="text" id="fname" name="fname">
  <label for="lname">Last:</label>
  <input type="text" id="lname" name="lname">
  <input type="submit" value="Submit">
</form>

The best way to prevent this is to ensure strong user input validation, preventing users from submitting SQL code in HTML forms and instead of just allow normal text, numbers, and strings.

Cross-Site Scripting

There's a handful of different Cross Site Scripting (XSS) categories, like persistent and reflective, and the variety of attacks based on xss are numerous. Some common versions of xss attacks include transmitting private/personal data like cookies or session information to an attacker and redirecting the victim's browser from their intended site to web content controlled by the attacker. Another large one is performing malicious operations on the user's machine while pretending to be the vulnerable site. This causes many issues since even if the victims computer checks with a pop up if the victim really wanted to download something, since the victim thinks it is coming from a trusted site, they are likely to agree.

Similar to SQL injection prevention, best way to prevent XSS is to ensure strong user input validation, preventing hackers from submitting application code in HTML forms and instead of just allow normal text, numbers, and strings.

Parameter Tampering

Parameter Tampering is a hacker manipulating the parameters passed between the client and the server to be able modify the application data like user credentials, permissions, and price. It is a fairly simple attack, targeting the application's business logic. An example of this attack would be a user manipulating the parameters to order 20 shirts, when only purchasing and paying for 1. Another would be editing the hidden field values to change the price.

//before parameter tampering
<input type="hidden" name="price" value="59.90">
//after parameter tampering
<input type="hidden" name="price" value="5.00">

Someways to prevent the parameter tampering attacks are using regex to limit data, ensure data validation as well as server-side validation compared with the inputs, avoid unwanted or hidden data being displayed in the html, and ensuring you don’t allow interception.

There's a lot of things to be thinking of when protecting your web application from hackers on the application level, but ensuring data validation for user inputs and implementing web application firewalls (WAFs) and/or secure web gateway services are a great place to start.

Discussion (0)