Introduction
There are many common attack vectors that are used to exploit vulnerabilities in software applications. In this article, we’ll explore some of the most common vulnerabilities and how we address these in Workvivo.
SQL Injection
"SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker)" - Wikipedia
All database interaction in the Workvivo source code goes through an Object Relational Mapper (ORM) library. The ORM issues parameterised queries: the SQL text is fixed before any user input is seen, and user-supplied values are sent to the database as bound parameters rather than being concatenated into the query, so an attacker cannot change the structure of the statement. There are no direct SQL queries in the Workvivo source code, and our code review guidelines mandate that all database interaction must go through the ORM. That review rule matters because most ORMs also expose a raw-query escape hatch; keeping every query on the ORM's query builder is what keeps the parameterisation guarantee intact.
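To make the difference concrete, the following is an added illustration, not Workvivo code: a login lookup written the vulnerable way (string concatenation) beside the parameterised form an ORM generates, run against a constructed in-memory SQLite table. It also covers the one case parameters cannot handle, a caller-chosen column name, where the remaining defence is an allow-list. The table, users and `ALLOWED_SORT_COLUMNS` are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration only. Passwords are stored in
# clear text here purely to keep the injection visible; never do that in practice.
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55word")]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Untrusted input is pasted into the SQL text, so the attacker controls
    the statement's structure, not just its values."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The query text is fixed; values travel separately as bound parameters.
    This is what an ORM does under the hood for ordinary queries."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


# Hypothetical allow-list of columns a caller may sort by.
ALLOWED_SORT_COLUMNS = {"username"}


def list_users_sorted(conn: sqlite3.Connection, sort_column: str) -> list:
    """Identifiers (column and table names) cannot be bound as parameters, so a
    caller-chosen column must be checked against an allow-list before use."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY {sort_column}")]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"   # classic tautology payload
    # The concatenated query becomes ... username = '' OR '1'='1' AND password = '' OR '1'='1'
    print("vulnerable:    ", login_vulnerable(db, payload, payload))    # every user
    print("parameterised: ", login_parameterised(db, payload, payload)) # no user
    print("real login:    ", login_parameterised(db, "bob", "hunter2"))
```

With the same payload in both fields the concatenated query returns every row, while the parameterised query returns nothing because the database compares the literal string `' OR '1'='1` against the stored usernames.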
XSS Protection
"Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user." - Source
Workvivo protects against XSS with two layers. User input is validated on the way in so that it matches the type and format the application expects. The decisive control, however, is output encoding: every value is escaped for the context in which it is rendered (HTML text, HTML attribute, JavaScript, URL), so that if a malicious payload does reach the database it is displayed as inert text rather than executed by the browser. Output encoding rather than input filtering carries the guarantee because there is no reliable way to enumerate every string that is harmful in every rendering context.
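As an added example (not Workvivo's template code), here is a minimal context-aware output encoder in Python: one encoder per rendering context, and a hypothetical `render_comment` template that uses the right one at each interpolation point. A stored payload such as `<img src=x onerror=alert(1)>` comes out as harmless text, and a `javascript:` URL is refused because entity encoding alone does not neutralise it. The template, function names and sample payloads are constructed for the demonstration.

```python
import html
import json
from urllib.parse import urlsplit


def encode_for_html_text(value: str) -> str:
    """Text-node context: & < > " ' become entities, so tags cannot be opened."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Attribute context: same entity encoding, but the template must also
    always wrap the value in double quotes (see render_comment)."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Inline-script context: JSON encoding yields a quoted JS string literal.
    '<' and '>' are additionally escaped so '</script>' cannot terminate the
    script block, and the line separators U+2028/U+2029 so they cannot end
    the literal early in older engines."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c").replace(">", "\\u003e")
                   .replace("\u2028", "\\u2028").replace("\u2029", "\\u2029"))


def encode_for_href(value: str) -> str:
    """URL-in-attribute context: entity encoding does not stop a
    'javascript:' URL, so the scheme is allow-listed first. Same-origin
    relative paths are allowed; anything else collapses to a harmless '#'."""
    if value.startswith("/") and not value.startswith("//"):
        return html.escape(value, quote=True)
    if urlsplit(value).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(value, quote=True)


def render_comment(author: str, body: str, profile_url: str) -> str:
    """Hypothetical comment template: each interpolation uses the encoder
    matching the context it lands in."""
    return (
        f'<div class="comment" data-author="{encode_for_html_attribute(author)}">'
        f'<a href="{encode_for_href(profile_url)}">{encode_for_html_text(author)}</a>'
        f'<p>{encode_for_html_text(body)}</p>'
        f'<script>var commentAuthor = {encode_for_js_string(author)};</script>'
        '</div>'
    )


if __name__ == "__main__":
    # Constructed payloads aimed at the attribute, text, JS and URL contexts.
    print(render_comment('bob" onclick="alert(1)',
                         '<img src=x onerror=alert(1)></script><script>alert(2)</script>',
                         'javascript:alert(3)'))
```

Note that the attribute encoder is only safe because the template always double-quotes the attribute; an unquoted attribute would let a space-separated `onclick=` through even with entity encoding applied.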
CSRF Protection
"Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request." - Source
Authentication, Authorisation & Application Security – Highly Confidential
Workvivo protects against CSRF by generating a CSRF token for each active user session managed by the application. The client sends this token in a request header on every API request, and the server uses it to verify that the authenticated user, rather than a page on another origin, is the one making the request. The token is rotated with every request, and an API request that does not present the current token for its session receives an error response. Carrying the token in a custom header is what defeats the classic attack: a cross-site form post or image request cannot set custom headers, so a forged request arrives without the token and is refused.
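The following is an added illustration of that scheme in Python, not Workvivo's implementation: a `CsrfGuard` that issues one token per session, compares it in constant time, rotates it on every verified request, and a simulated endpoint that refuses state-changing requests lacking the `X-CSRF-Token` header. The class, the header name and the session identifiers are assumptions made for the example.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # read-only; no token required
TOKEN_HEADER = "X-CSRF-Token"               # hypothetical header name


class CsrfGuard:
    """Per-session CSRF tokens, rotated after each successful verification."""

    def __init__(self) -> None:
        # Server-side state: session id -> the token currently expected.
        self._tokens: Dict[str, str] = {}

    def issue(self, session_id: str) -> str:
        """Mint a fresh 256-bit random token and bind it to the session."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def current(self, session_id: str) -> Optional[str]:
        return self._tokens.get(session_id)

    def verify(self, session_id: str, presented: Optional[str]) -> bool:
        """Accept the request only if the presented token matches the one
        bound to this session, then rotate so the token cannot be replayed."""
        expected = self._tokens.get(session_id)
        if expected is None or presented is None:
            return False
        # Constant-time comparison avoids leaking the token via timing.
        if not hmac.compare_digest(expected, presented):
            return False
        self.issue(session_id)
        return True


def handle_request(guard: CsrfGuard, method: str, session_id: str,
                   headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Simulated API endpoint. Returns (status, response headers); a successful
    state-changing request hands the client its next token in a header."""
    if method in SAFE_METHODS:
        return 200, {}
    if not guard.verify(session_id, headers.get(TOKEN_HEADER)):
        return 403, {}
    return 200, {TOKEN_HEADER: guard.current(session_id)}


if __name__ == "__main__":
    guard = CsrfGuard()
    token = guard.issue("sess-1")            # issued at login
    # Forged cross-site POST: the browser will not attach a custom header.
    print(handle_request(guard, "POST", "sess-1", {})[0])                        # 403
    status, resp = handle_request(guard, "POST", "sess-1", {TOKEN_HEADER: token})
    print(status)                                                                 # 200
    # Replaying the token that was just consumed fails because it was rotated.
    print(handle_request(guard, "POST", "sess-1", {TOKEN_HEADER: token})[0])     # 403
```

Rotation is what turns a one-off token leak into a bounded problem: a captured token is only valid until the legitimate client's next request consumes it.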
HTTPS
Workvivo only operates over HTTPS, so all traffic between client and server travels over a TLS-encrypted channel that an attacker on the network path cannot read or modify undetected. If a user attempts to access Workvivo over unencrypted HTTP they are automatically redirected to the HTTPS version of the URL.
We use AWS Certificate Manager (ACM) to issue our TLS certificates and to renew them automatically before they expire, including certificates provisioned for customer custom domain names. ACM renews a certificate on its own for as long as the domain's validation records remain in place, which removes the operational risk of a certificate expiring unnoticed.
Intrusion Detection
Workvivo includes an intrusion detection system that logs every attempted intrusion against the application and actively blocks high-risk attempts based on their assessed threat level.