NCCC warned of an increase in the number of massive attacks on web applications


The National Coordination Center for Computer Incidents (NCCC) has prepared recommendations in connection with massive computer attacks on web applications in the Russian segment of the Internet.

“Information about massive computer attacks on web applications in the Russian segment of the Internet, including through external components of the code of web pages, is received through the channels of the NCCC. Such components may include plug-in JavaScript libraries, CSS frameworks, anti-malware plugins, information and analytical plugins (news feeds, interactive maps, visit counters for an information resource, etc.), as well as web fonts downloaded from third-party servers,” the NCCC bulletin says.

Besides classic attacks such as code injection, cross-site scripting and the exploitation of misconfigured web application components, attackers can compromise the infrastructure that hosts the legitimate code of third-party components and replace that code with malicious code. In that case the applications that load the component stop working normally. “As a result, incorrect display or complete absence of visual information is possible, as well as computer attacks aimed at users of the web application,” the bulletin explains.

In this regard, the NCCC recommends that an authorized user of a web application be able to terminate their own session, and that the application's protected resources be reachable only after authentication. The session identifier should be deleted when the application session ends, and application user data should be stored only in cryptographically protected form. Authentication data should not be stored in files or HTML pages that are reachable by URL. “If the web application provides for the possibility of the user making changes to the profile belonging to him, their introduction must be confirmed by an additional authentication procedure,” the recommendations say.
