Friday, June 7, 2013

5 Dangerous Web Application Flaws Coveted By Attackers!

Ninety-nine percent of applications have one or more vulnerabilities. Many of the high-profile data breaches over the past several months were the result of a common Web application vulnerability. While it may be impossible to eliminate all flaws in Web applications, software security experts say eliminating the most commonly targeted errors could help mitigate the risk of many automated attacks. The five flaws are:

1. Cross-site scripting bother continues

Cross-site scripting vulnerabilities appeared in 61 percent of applications, making them the most commonly detected vulnerability class in Web applications. The flaw enables an attacker to deliver malicious scripts to users by injecting the script into an otherwise trusted URL. They can be detected with a Web application security scanner or blocked using a Web application firewall.
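The reflection bug described above, beside its fix, as an added example that is not code from the original post. Both renderers are hypothetical; the search term is a constructed sample, and the probe string mimics the harmless marker a scanner reflects to see whether output encoding is missing:

```python
import html

# Constructed sample input (not from the original post): a search term
# carrying an injected script tag.
UNTRUSTED_INPUT = "<script>alert(1)</script>"


def render_vulnerable(term: str) -> str:
    """Reflects the user-supplied term straight into the page: the XSS bug."""
    return f"<p>Results for: {term}</p>"


def render_escaped(term: str) -> str:
    """Encodes &, <, > and both quote characters so the browser shows
    the term as text rather than parsing it as markup."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


# The kind of probe a scanner reflects: harmless, but it carries the
# metacharacters that matter. If it comes back unchanged, encoding is missing.
PROBE = '"><xsstest>'


def reflects_unescaped(render) -> bool:
    """True when the renderer echoes the probe with its metacharacters intact."""
    return PROBE in render(PROBE)


if __name__ == "__main__":
    print(render_vulnerable(UNTRUSTED_INPUT))
    print(render_escaped(UNTRUSTED_INPUT))
    print("vulnerable renderer reflects probe:", reflects_unescaped(render_vulnerable))
    print("escaped renderer reflects probe:", reflects_unescaped(render_escaped))
```

The same probe check is what a scanner runs against every reflected parameter; a Web application firewall would instead block the request before it reaches the vulnerable renderer, which is why the two controls are complementary rather than interchangeable.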

2. Information leakage errors a serious threat

Information leakage was found in only 17 percent of Web applications, but the danger it poses makes finding and eliminating these flaws extremely critical. Web applications can leak information in a variety of ways. Poorly implemented encryption can also yield information to an attacker.


3. Session management most common error

Session management vulnerabilities were detected in 80 percent of applications, more than any other application vulnerability class. Attackers can take advantage of poorly implemented session management to impersonate valid website users.
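The controls that keep a session from being taken over by someone other than its owner, as an added example that is not code from the original post. The `SessionStore` class and the 15-minute idle timeout are assumptions made for the example; the points it shows are that IDs must come from a cryptographic random source, that idle sessions expire server-side, that the ID is rotated after login, and that logout invalidates the session on the server rather than only in the browser:

```python
import secrets
import time
from typing import Callable, Dict, Optional

# Idle timeout for the example; the value is an assumption, not from the post.
SESSION_TTL_SECONDS = 15 * 60


class SessionStore:
    """Server-side session store: unguessable IDs, idle expiry, rotation on login."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock  # injectable so expiry can be exercised in tests
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str) -> str:
        # 32 bytes from the OS CSPRNG; a sequential or time-based ID is guessable.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        """Return the user behind a live session; expired or unknown IDs yield None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > SESSION_TTL_SECONDS:
            del self._sessions[sid]  # a stale cookie can no longer be replayed
            return None
        entry["last_seen"] = now
        return entry["user"]

    def rotate(self, old_sid: str) -> Optional[str]:
        """Issue a new ID for the same user; call after login or a privilege change
        so an ID that was exposed before authentication is worthless afterwards."""
        user = self.lookup(old_sid)
        if user is None:
            return None
        del self._sessions[old_sid]
        return self.create(user)

    def destroy(self, sid: str) -> None:
        """Logout: invalidate on the server, not merely by clearing the cookie."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print("live session ->", store.lookup(sid))
    new_sid = store.rotate(sid)
    print("old id after rotation ->", store.lookup(sid))
    print("new id after rotation ->", store.lookup(new_sid))
    store.destroy(new_sid)
    print("after logout ->", store.lookup(new_sid))
```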

4. SQL injection rising

SQL injection was found in 16 percent of all Web applications tested. While all other vulnerability classes declined, SQL injection has risen. SQL injection is a favorite vulnerability of attackers because automated scripts can be used to get a website to send a malicious SQL command to the underlying database in an effort to expose its content.
 
5. Cross-site request forgery

Cross-site request forgery (CSRF) accounted for 22 percent of all Web applications tested. The class of vulnerabilities that make up CSRF allows attackers to send pre-authenticated but unauthorized commands using credentials that the application trusts. Attackers can use a CSRF attack to ride the session of an individual on a particular website by using the victim's browser credentials. In addition to the browser, an attacker can use a malicious script in a Microsoft Office document or Flash file that exploits CSRF.
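The standard mitigation for the session-riding problem described above, as an added example that is not code from the original post. The handler, the session ID and the server secret are all constructed for the example. The request from a forged page arrives with the victim's cookie, exactly as the post describes, but cannot carry the per-session token because a cross-site page cannot read it, so the handler refuses the state change:

```python
import hashlib
import hmac
import secrets

# Per-deployment secret; generated fresh here so the example runs stand-alone.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token = HMAC-SHA256(secret, session id): bound to one session, so a
    token observed in another user's session is useless for this one."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted: str, secret: bytes = SERVER_SECRET) -> bool:
    """Constant-time comparison against the token expected for this session."""
    expected = issue_csrf_token(session_id, secret).encode()
    return hmac.compare_digest(expected, (submitted or "").encode())


def handle_transfer(session_id: str, form: dict, secret: bytes = SERVER_SECRET) -> tuple:
    """A state-changing handler. The session cookie alone is not proof of
    intent; the request must also carry the token the site's own form embedded."""
    if not verify_csrf_token(session_id, form.get("csrf_token", ""), secret):
        return (403, "missing or invalid CSRF token")
    return (200, f"transferred {form['amount']} to {form['to']}")


if __name__ == "__main__":
    sid = "constructed-session-id"
    token = issue_csrf_token(sid)
    # Forged request: the browser attaches the cookie, but the form has no token.
    print(handle_transfer(sid, {"amount": "100", "to": "acct-9"}))
    # Request from the site's own form, which embedded the token in a hidden field.
    print(handle_transfer(sid, {"amount": "100", "to": "acct-9", "csrf_token": token}))
```

Deriving the token from the session ID rather than storing a random value per form keeps the server stateless; the trade-off is that the token lives as long as the session, so rotating the session ID at login also rotates the token.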

Critical denial-of-service flaw in BIND software puts DNS servers at risk.

The BIND software maintainers urge server administrators to disable regular expression support or install patches as soon as possible.

BIND is by far the most widely used DNS (Domain Name System) server software on the Internet. It is the de facto standard DNS software for many UNIX-like systems, including Linux, Solaris, various BSD variants and Mac OS X. A flaw in the widely used BIND DNS software can be exploited by remote attackers to crash DNS servers and affect the operation of other programs running on the same machines.

The vulnerability can be exploited by sending specially crafted requests to vulnerable installations of BIND that would cause the DNS server process -- the name daemon, known as "named" -- to consume excessive memory resources. This can result in the DNS server process crashing and the operation of other programs being severely affected. BIND 10 is not affected by this vulnerability.


Thursday, June 6, 2013

Oracle unveils faster servers with T5 microprocessors.

Oracle has refreshed its SPARC family with the world's fastest processor and launched the world's fastest single server for Database, Java and multi-tier applications.

Oracle also announced two new Oracle Optimized Solutions that exploit the performance, reliability and value of SPARC T5 servers, Oracle storage, Oracle Database and Oracle Middleware. These new solutions help maximize application performance and availability while lowering acquisition cost and operating expenses.

Servers built with Oracle's new T5 microprocessors have beaten several performance records and run business databases and applications much faster than previous versions.

When Oracle bought Sun, a lot of people thought the SPARC microprocessor was a real laggard and would never catch up. We've done better than catch up.

Why developers are turning to API services?

IT companies and developers alike are heavily leveraging API-based access to data and services, especially for mobile and cloud apps. And they have an increasing range of technologies to choose from for managing all those API processes.

Companies such as Layer 7 Technologies, MuleSoft, Temboo, and WSO2 are tackling the API management need. Some secure API access, some provide an API exchange, and some provide cloud-based conduits to APIs:
  • Layer 7's API management suite offers back-end data and application integration, mobile capabilities, cloud orchestration, and developer management.
  • MuleSoft's Any Point platform connects applications, APIs, and data sources across on-premise and cloud systems.
  • Temboo offers a library of common-access APIs, with links to systems such as Facebook.
  • WSO2's API Manager enables publishing of APIs, managing a developer community, and routing API traffic.
In some ways, API management is a follow-up to service-oriented architecture (SOA), an approach to modular, orchestrated software delivery that was the "it" enterprise technology in the mid-2000s but later fell out of favor as too academic and abstract for businesses paying the software architecture bills. Nonetheless, SOA's principles remain as valid as ever and have continued to be used -- especially in cloud offerings -- even as few vendors and developers dare speak the term.
API management vendor Layer 7 also views API management as the SOA successor, with SOA now geared to behind-the-firewall operations and API management to exposing data over the Internet to mobile applications and cloud services. SOA strategies mostly target internal users while open Web APIs target mostly external partners. API management requires developer portals, key management, and metering and billing facilities that SOA management never provided.
Because of the proliferation of API-enabled data access from corporate applications via mobile devices, lighter-weight REST-based APIs are gaining prominence over more-complex SOAP APIs. API management vendors such as WSO2 and Layer 7 have thus added REST support in their tools.

Monday, June 3, 2013

Old Java can learn new tricks from C, Android

Experts say the language should crib app isolation, locality, and automated parallelism from more modern sources.

Java and its linchpin JVM (Java Virtual Machine) still have much room to get better even after debuting 18 years ago, say experts who would like improvements in such areas as locality, application isolation, and parallel operations.

The JVM, which has provided a mechanism to run Java applications on multiple hardware platforms, could be fitted with capabilities similar to the C language's struct feature, providing benefits in locality by improving linkage between memory and processors. "[Struct] gives advantages in the area of footprint," and provides a lightweight object with fields and no methods.

Java and mobile applications in particular, meanwhile, could benefit from Google Android's "failsafe" capabilities enabling application isolation. Automated parallel operations for the Java language and runtime are also desirable. Lambda capabilities in Java Standard Edition 8 bring this closer to happening via an API, but experts would like to see parallelism go a step further. "Ideally, what you'd like to be able to have is a language and a run time that you don't have to express it explicitly. It just figures this out automatically."