What is a Backend Server?
Any web application is divided into two parts: the frontend and the backend.
The frontend is the client side, which the user interacts with directly. The backend is the server side: the inner workings, which include business logic, data updates, and state changes.
Frontend security is therefore largely in the user's hands, whereas the security of the website backend depends on the developer.
Risks and Prevention
There is a set of commonplace risks on backend technologies, each of which comes with its own set of solutions:
Injection
Injection flaws allow users to supply input that is interpreted as part of a query and can potentially modify the whole database.
Prevention: The most reliable way to ensure that there are no injection flaws is to thoroughly review the source code by hand and check that every database query is built with prepared statements.
Broken Authentication
Poor implementation of security policy can lead to broken authentication.
Prevention: The first step is to implement multi-factor authentication. Then enforce a strong password policy on users. Finally, make sure that the session timeout mechanism is tested and that the session token is invalidated on the server when the user logs out.
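As an added illustration (not the article's code) of the last two points, here is a small server-side session store with an idle timeout and explicit logout invalidation, plus a minimal password policy check. The timeout value, the policy thresholds and the injectable clock are assumptions made for this example.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value for the example


class SessionStore:
    """Server-side session table: opaque random token -> session record."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so expiry can be tested deterministically

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness; unguessable
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def resolve(self, token: str):
        """Return the user of a live session, or None if unknown or expired."""
        record = self._sessions.get(token)
        if record is None:
            return None
        now = self._clock()
        if now - record["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]  # expired: drop it so it cannot be revived
            return None
        record["last_seen"] = now  # sliding idle timeout
        return record["user"]

    def logout(self, token: str) -> None:
        # Invalidate on the server, not merely by clearing the browser cookie:
        # a copied token must stop working too.
        self._sessions.pop(token, None)


def password_meets_policy(password: str, min_length: int = 12) -> bool:
    """Assumed policy: minimum length and at least three character classes."""
    if len(password) < min_length:
        return False
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("alice")
    print(store.resolve(tok))  # alice
    store.logout(tok)
    print(store.resolve(tok))  # None
```

The test the article asks for ("make sure the session timeout is tested") is exactly the kind of check that the injectable clock makes possible: advance time past the timeout and confirm the token no longer resolves.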
Broken Access Control
Poorly configured session and authentication management can lead to this.
Prevention: If a resource is not public, deny access by default. Directory listing should be disabled, no backup files should be left in the web root, and API access should be rate-limited to prevent automated attacks.
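An added example (not from the article) of two of those controls together: a deny-by-default permission table, where anything not explicitly granted is refused, and a per-client fixed-window rate limiter in front of the API. The roles, resources, limits and the clock parameter are assumptions.

```python
import time

# Explicit grants only: (role, resource) -> allowed HTTP methods.
# There is deliberately no "everything else is public" fallback.
GRANTS = {
    ("anonymous", "/public/status"): {"GET"},
    ("user", "/api/profile"): {"GET", "PUT"},
    ("admin", "/api/users"): {"GET", "POST", "DELETE"},
}

# Role inheritance: admin may do whatever user may, user whatever anonymous may.
ROLE_CHAIN = {
    "admin": ["admin", "user", "anonymous"],
    "user": ["user", "anonymous"],
    "anonymous": ["anonymous"],
}


def is_authorized(role: str, resource: str, method: str) -> bool:
    """Deny by default: only an explicit grant returns True.
    An unknown role has an empty chain and is therefore denied."""
    for r in ROLE_CHAIN.get(role, []):
        if method in GRANTS.get((r, resource), set()):
            return True
    return False


class FixedWindowLimiter:
    """At most `limit` requests per client per `window_seconds`."""

    def __init__(self, limit: int, window_seconds: int, clock=time.time):
        self.limit = limit
        self.window = window_seconds
        self._clock = clock
        self._counts = {}  # client_id -> (window_start, count)

    def allow(self, client_id: str) -> bool:
        now = self._clock()
        start, count = self._counts.get(client_id, (now, 0))
        if now - start >= self.window:
            start, count = now, 0  # new window
        if count >= self.limit:
            self._counts[client_id] = (start, count)
            return False
        self._counts[client_id] = (start, count + 1)
        return True


def handle_request(role: str, resource: str, method: str,
                   client_id: str, limiter: FixedWindowLimiter) -> int:
    """Return an HTTP status: 429 when rate-limited, 403 when not granted, else 200."""
    if not limiter.allow(client_id):
        return 429
    if not is_authorized(role, resource, method):
        return 403
    return 200


if __name__ == "__main__":
    limiter = FixedWindowLimiter(limit=3, window_seconds=60)
    print(handle_request("anonymous", "/api/users", "GET", "10.0.0.1", limiter))  # 403
```

Rate limiting runs before authorization so that a client hammering the API with guessed paths is cut off regardless of what the permission check would have said.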
Sensitive Data Exposure
This is one of the top backend risks, also known as a data breach.
Prevention: Encrypt sensitive data and secure gateways. Access to data requiring extra protection should be limited to a few legitimate users, and there should always be a secure backup plan.
Insecure Deserialization
When data is converted into a different format so it can be stored or sent to another application, and the receiving side converts it back, that reverse step is called deserialization.
Prevention: The golden rule is to never trust user input; always check the data yourself. And always ensure the reliability and trustworthiness of the source.
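As an added example (not the article's own code) of "never trust user input, always check the data yourself": a strict loader for a JSON payload that enforces a size cap, a fixed field set, exact types and a value range before anything downstream sees the object. The order schema and the payloads in the test are constructed for the example.

```python
import json

# Assumed schema for the example: field name -> exact required Python type.
ORDER_SCHEMA = {"order_id": int, "item": str, "quantity": int}
MAX_PAYLOAD_BYTES = 4096


class InvalidPayload(ValueError):
    """Raised for any payload that does not match the schema exactly."""


def load_order(raw: bytes) -> dict:
    """Deserialize an order from untrusted bytes, rejecting anything unexpected."""
    if len(raw) > MAX_PAYLOAD_BYTES:
        raise InvalidPayload("payload too large")
    try:
        data = json.loads(raw)  # JSON only; never a format that can instantiate arbitrary objects
    except ValueError as exc:  # json.JSONDecodeError and UnicodeDecodeError both subclass ValueError
        raise InvalidPayload("not valid JSON") from exc
    if not isinstance(data, dict):
        raise InvalidPayload("top-level value must be an object")

    unknown = set(data) - set(ORDER_SCHEMA)
    if unknown:
        raise InvalidPayload(f"unexpected fields: {sorted(unknown)}")

    order = {}
    for field, required_type in ORDER_SCHEMA.items():
        if field not in data:
            raise InvalidPayload(f"missing field: {field}")
        value = data[field]
        # type() is compared exactly: bool is a subclass of int, so isinstance(True, int)
        # would let `"quantity": true` through as the integer 1.
        if type(value) is not required_type:
            raise InvalidPayload(f"field {field} has wrong type")
        order[field] = value

    if order["quantity"] <= 0:
        raise InvalidPayload("quantity must be positive")
    if not order["item"].strip():
        raise InvalidPayload("item must not be empty")
    return order


def try_load(raw: bytes):
    """Convenience wrapper returning the order or None instead of raising."""
    try:
        return load_order(raw)
    except InvalidPayload:
        return None


if __name__ == "__main__":
    print(try_load(b'{"order_id": 7, "item": "widget", "quantity": 2}'))
```

The point of the exact-type comparison is the kind of edge case that generic "validation" misses: JSON `true` would otherwise be accepted wherever an integer is expected.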
Cross-Site Scripting (XSS)
This is a type of injection used to deliver malicious script to other users.
Prevention: The three rules of thumb to stop server-side XSS are:
- Validate output
- Validate input
- Allow only a limited set of HTML
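An added example, not the article's code, that applies all three rules to user-submitted comment text: the input is length-checked, every text node is HTML-escaped on output, and only a small allow-list of tags (with no attributes at all) survives. It uses the standard library's html.parser; the allow-list and length cap are assumptions.

```python
import html
from html.parser import HTMLParser

# Assumed allow-list: formatting tags only, never attributes, never script/iframe/etc.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
MAX_COMMENT_LENGTH = 2000


class AllowListSanitizer(HTMLParser):
    """Rebuilds the input keeping only allow-listed tags; all text is escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # stack so the output is always well-formed

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            # Attributes are deliberately dropped: no href=, onclick=, style=.
            self.out.append(f"<{tag}>")
            if tag != "br":
                self.open_tags.append(tag)
        # Disallowed tags vanish; their text content still reaches handle_data.

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS or tag not in self.open_tags:
            return  # stray or disallowed closing tag: drop it
        while self.open_tags:  # close any mis-nested inner tags first
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        # Validate/encode output: text can never be interpreted as markup.
        self.out.append(html.escape(data, quote=True))

    def result(self) -> str:
        self.close()  # flush buffered text
        while self.open_tags:  # close whatever the user left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def render_comment(text: str) -> str:
    """Validate input (size), then sanitize for safe inclusion in a page."""
    if len(text) > MAX_COMMENT_LENGTH:
        raise ValueError("comment too long")
    sanitizer = AllowListSanitizer()
    sanitizer.feed(text)
    return sanitizer.result()


if __name__ == "__main__":
    print(render_comment('<b>hi</b><script>alert(1)</script>'))  # <b>hi</b>alert(1)
```

Dropping attributes wholesale is the simplest way to honour "allow only a limited set of HTML"; a real deployment that needs links would additionally validate the scheme of any `href` it chooses to keep.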
Security misconfiguration
There is an abundance of web servers and applications with misconfigured security.
Prevention: A well-defined deployment process always helps. The easy way is to use post-commit hooks to stop websites from going out with built-in passwords.
Cross-Site Request Forgery (CSRF)
This is interference by a third-party site that makes the user's browser misuse its authority, sending requests on the user's behalf.
Prevention: Keep a token on the server that the third party cannot read, place it in a hidden form field, and verify that hidden field when the form is submitted.
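An added example (not the article's code) of that synchronizer-token pattern: a per-session random token is held server-side, rendered into a hidden field, and compared in constant time on submission. The form name and the session identifiers are assumptions.

```python
import hmac
import html
import secrets


class CsrfProtector:
    """One secret token per session; the form must echo it back in a hidden field."""

    def __init__(self):
        self._tokens = {}  # session_id -> token, kept server-side only

    def token_for(self, session_id: str) -> str:
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def hidden_field(self, session_id: str) -> str:
        # A third-party origin cannot read this page (same-origin policy),
        # so it cannot learn the value to include in a forged request.
        value = html.escape(self.token_for(session_id), quote=True)
        return f'<input type="hidden" name="csrf_token" value="{value}">'

    def verify(self, session_id: str, submitted) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(submitted, str):
            return False
        # compare_digest on bytes: constant-time and safe for non-ASCII input
        return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_transfer(protector: CsrfProtector, session_id: str, form: dict) -> int:
    """Return 403 when the hidden field is missing or wrong, else 200."""
    if not protector.verify(session_id, form.get("csrf_token")):
        return 403
    return 200


if __name__ == "__main__":
    p = CsrfProtector()
    print(p.hidden_field("sess-1"))
```

Binding the token to the session is what defeats a forged request: an attacker-controlled page can make the browser send the victim's cookies, but it cannot supply the matching hidden field.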
Usage of vulnerable components
This is more of a maintenance issue and happens due to a lack of auditing.
Prevention: Carefully scrutinize third-party code before putting it into the software, and make sure you are using the latest patched versions of everything.
Unvalidated redirects and forwards
The title is self-explanatory; this is once again an input handling issue.
Prevention: First, allow-list the user-supplied parameter against a list of valid redirect locations (even though it is best to avoid redirects based on user input altogether, as they are rarely needed).
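An added example (not from the article) of allow-listing a redirect target: the `next` parameter is only honoured when it resolves to one of a fixed set of hosts, and every other case falls back to a safe default. The hostnames, the base URL and the default target are assumptions.

```python
from urllib.parse import urljoin, urlparse

ALLOWED_HOSTS = {"example.com", "www.example.com"}  # assumed allow-list
BASE_URL = "https://example.com/"                    # assumed own origin
DEFAULT_TARGET = "/"                                 # where to send anything rejected


def safe_redirect_target(next_param) -> str:
    """Return an absolute URL on an allowed host, or DEFAULT_TARGET."""
    if not isinstance(next_param, str) or not next_param:
        return DEFAULT_TARGET
    # Scheme-relative URLs ("//other.host/x") and backslashes, which some
    # browsers treat as slashes, are rejected outright.
    if next_param.startswith("//") or "\\" in next_param:
        return DEFAULT_TARGET
    parsed = urlparse(next_param)
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return DEFAULT_TARGET  # javascript:, data:, etc.
    # Resolve relative paths against our own origin, then re-check the host
    # of the final absolute URL. Ports and userinfo ("user@host") make the
    # netloc differ from the bare hostname and are therefore rejected too.
    absolute = urljoin(BASE_URL, next_param)
    if urlparse(absolute).netloc.lower() not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return absolute


if __name__ == "__main__":
    for candidate in ["/account", "https://other.example/", "//other.example/x"]:
        print(candidate, "->", safe_redirect_target(candidate))
```

Checking the host of the resolved absolute URL, rather than of the raw parameter, is what keeps relative paths working while still refusing anything that would leave the allowed origins.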