Proposal of Improving Web Application Security in Context of Latest Hacking Trends

RADEK VALA, ROMAN JASEK
Department of Informatics and Artificial Intelligence
Tomas Bata University in Zlin, Faculty of Applied Informatics
nám. T.G.Masaryka 5555
CZECH REPUBLIC
vala@fai.utb.cz, jasek@fai.utb.cz

Abstract: - Vulnerability statistics for small business web applications have been growing in recent years, and new forms of attack, such as the Watering Hole Attack, are appearing. Well secured enterprise web applications are threatened through smaller, vulnerable web sites that hackers misuse in targeted attacks. This paper discusses an effective and low-cost way of building better secured web applications that is applicable in the small business sector as well. The main issue, improperly validated user input, which is the biggest security vulnerability and the one most often misused by hackers, can be effectively addressed with the open-source HTMLPurifier library, which is usable in various programming languages. Moreover, the article suggests a model of a web application with a proactive, on-line, embedded intrusion detection system.

Key-Words: - web application security, intrusion detection system, injection, watering hole attack, development framework, script monitoring, database profiling, QCubed, XSS

1 Introduction

Using network-based services is an integral part of modern life. Sensitive information is handed every day to untrusted web applications, and therefore it is not only the large web portals that face the threat of web attacks. According to Symantec's Internet Security Threat Report [1], the largest growth area for targeted attacks in 2012 (31%) was businesses with fewer than 250 employees. This points to the fact that small businesses, which believed that hacker attacks were aimed mainly at larger companies, are now seriously threatened. In addition, the overall security level of small business web applications is generally very low in comparison with the web portals of large companies. The main problem lies in an insufficient security policy and the lack of a sophisticated hardware or software Intrusion Detection System (IDS) [2], because the IT security budget in this sector is usually small. The growing number of web attacks in the small business sector is connected with a new type of attack called the Watering Hole Attack [3].

2 Problem Formulation

During the last decade, various IDSs and firewalls were introduced and applied to establish a sufficient level of web application security. Above all, these IDSs are deployed in the hardware and software infrastructure of enterprise systems and are too expensive for most small business solutions. It follows that one of today's security challenges is improving the security level of web applications in the small business sector, which constantly underestimates cyber threats. This area is therefore highly exposed, because hackers consider it an easier target than the better secured enterprise sector. In 2012, RSA also started to talk about the increase of the so-called Watering Hole Attack, a new type of targeted attack.

2.1 OWASP Top 10

According to the OWASP Top 10 Vulnerabilities [4], the most common vulnerability in 2013 is still Injection [5]. All of the Top 10 Vulnerabilities are caused by web application developers who have not followed best practices of secure development. The types of attacks from Table 1 are in general aimed directly at the web application, and it does not matter how strong the firewall rulesets are or how frequent the patching cycle is. The only effective defense is either a sophisticated IDS or a web application built on a secure development framework. If we focus on the small business area, we face the fact that the first option is usually not implemented due to its high cost. On the other hand,

Recent Advances in Computer Science ISBN: 978-960-474-311-7 107
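The Injection entry of the OWASP Top 10 discussed in Section 2.1, and the abstract's point that improperly validated user input is the root cause, are illustrated below with an added example that is not part of the original paper. It contrasts a query assembled by string concatenation with a parameterized query, and an HTML response built by concatenation with one that escapes the value first. The user table and its rows are constructed for the demonstration; the Python standard library (`sqlite3`, `html.escape`) stands in for the PHP stack the paper targets, and plain escaping is used as a simpler substitute for an HTML sanitizer such as the HTMLPurifier library the abstract names, which instead permits a whitelisted subset of HTML.

```python
"""Vulnerable vs. hardened handling of untrusted user input.

Added example, not from the paper. Uses an in-memory SQLite database
with constructed sample rows; the "unsafe" functions keep the defect
deliberately so the two behaviours can be compared side by side.
"""
import html
import sqlite3

# Constructed sample data standing in for a small-business user table.
SAMPLE_USERS = [
    ("alice", "hash-placeholder-1", 0),
    ("bob", "hash-placeholder-2", 1),
]


def make_db() -> sqlite3.Connection:
    """Create and populate the constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT, pw_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Injection-prone: the input is pasted into the SQL text, so any
    quote character in it changes the meaning of the statement."""
    query = (
        "SELECT name FROM users WHERE name = '" + username + "' ORDER BY name"
    )
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: a bound parameter is sent as data, never parsed as SQL,
    so the same input simply matches no row."""
    query = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (username,))]


def render_greeting_unsafe(username: str) -> str:
    """XSS-prone: raw input becomes part of the HTML document."""
    return "<p>Welcome, " + username + "</p>"


def render_greeting_safe(username: str) -> str:
    """Hardened: special characters are escaped before output, so the
    browser renders the input as text rather than markup."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # The classic tautology payload: it widens the WHERE clause in the
    # concatenated query but is just an unmatched name in the safe one.
    payload = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, payload))   # returns every user
    print("safe:  ", lookup_safe(db, payload))     # returns []
    print(render_greeting_unsafe("<b>x</b>"))
    print(render_greeting_safe("<b>x</b>"))
```

The lookup pair shows why input validation alone is a weaker fix than parameterization: the safe variant needs no knowledge of which characters are dangerous, because the database driver never interprets the value as SQL. The rendering pair shows the analogous output-side rule for XSS, which is the class of defect an HTML sanitizer addresses when some markup must legitimately be allowed through.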