Page 190 - Cyber Defense eMagazine RSAC Special Edition 2025
• Cross-site scripting (XSS)
XSS attacks let attackers inject malicious scripts into the pages of Symfony websites or apps. When a user visits such an infected page, their browser executes the malicious code, which can let attackers steal their login credentials or gain access to their device. In its 2024 report, Edgescan rated XSS a critical security threat and revealed that an average XSS attack requires 100 man-days for remediation.
• Cross-site request forgery (CSRF)
In a CSRF attack, an attacker tricks a user into unintentionally submitting a malicious web request to a Symfony website or app so that it performs an unwanted action, such as changing a password, making a purchase, or altering other users’ permissions. In 2023, MITRE Corporation ranked CSRF as the 9th most dangerous software security risk; just a year later it moved CSRF up to the 4th position.
• SQL injection
SQL injection is another attack technique, which a malicious actor can use to penetrate a website’s or app’s database. According to MONITORAPP, SQL injection is one of the most common types of attack: the company detected over 3,800,000 such attacks in December 2024 alone.
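The three threats above map to three concrete coding defenses in a Symfony application. The following controller is an added example written for this article, not code from the magazine or from the Symfony project; it assumes a standard Symfony 6.4+/7 skeleton with Doctrine DBAL and Twig installed, and the ProductController class, its routes and the `product` table are hypothetical.

```php
<?php
// Added example (not from the article): a Symfony controller showing the
// framework-supported defenses for XSS, CSRF and SQL injection.
// Assumes a standard Symfony 6.4+/7 skeleton with Doctrine DBAL and Twig;
// the ProductController class, the routes and the `product` table are
// hypothetical.

namespace App\Controller;

use Doctrine\DBAL\Connection;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;

final class ProductController extends AbstractController
{
    public function __construct(private readonly Connection $db)
    {
    }

    // --- SQL injection ---------------------------------------------------
    // The SQL text is a constant; user input is passed only as a bound
    // parameter, so the database never parses it as part of the statement.
    #[Route('/products/search', name: 'product_search', methods: ['GET'])]
    public function search(Request $request): Response
    {
        $term = (string) $request->query->get('q', '');

        // UNSAFE pattern (shown for contrast only): concatenating $term into
        // the statement lets the input change the query's structure:
        //   "SELECT id, name FROM product WHERE name LIKE '%" . $term . "%'"

        // SAFE: prepared statement with a named parameter. '%' and '_' inside
        // $term still act as LIKE wildcards; that affects matching only, not
        // the statement's structure.
        $rows = $this->db->fetchAllAssociative(
            'SELECT id, name FROM product WHERE name LIKE :pattern',
            ['pattern' => '%' . $term . '%'],
        );

        // --- XSS -----------------------------------------------------------
        // Twig auto-escapes every {{ ... }} in an HTML template, so $term and
        // the row values are rendered as text, never as markup. Only the |raw
        // filter or {% autoescape false %} disables that; treat any use of
        // them on user-controlled data as a code-review finding.
        //
        // templates/product/search.html.twig (hypothetical):
        //   <p>Results for {{ term }}</p>
        //   {% for row in rows %}
        //     <form method="post" action="{{ path('product_delete', {id: row.id}) }}">
        //       <input type="hidden" name="_token"
        //              value="{{ csrf_token('delete-product-' ~ row.id) }}">
        //       <button>Delete {{ row.name }}</button>
        //     </form>
        //   {% endfor %}
        return $this->render('product/search.html.twig', [
            'term' => $term,
            'rows' => $rows,
        ]);
    }

    // --- CSRF ------------------------------------------------------------
    // A state-changing action is accepted only via POST and only when the
    // request carries the token Symfony issued for this exact intent
    // ('delete-product-<id>'). A form on another origin cannot read that
    // token, so a forged cross-site request fails the check.
    #[Route('/products/{id}/delete', name: 'product_delete', methods: ['POST'])]
    public function delete(int $id, Request $request): Response
    {
        $token = (string) $request->request->get('_token', '');
        if (!$this->isCsrfTokenValid('delete-product-' . $id, $token)) {
            throw $this->createAccessDeniedException('Invalid CSRF token.');
        }

        // Bound parameter again: the id never becomes part of the SQL text.
        $this->db->delete('product', ['id' => $id]);

        return $this->redirectToRoute('product_search');
    }
}
```

The token id includes the product id so that a token issued for one delete form cannot be replayed against another record; `isCsrfTokenValid()` is the `AbstractController` shortcut for the CSRF token manager that the Security Component provides.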
This list is not exhaustive, of course: there are other types of threats, with server-side template injection and host header attacks among the examples. To learn more about the risks that can compromise the security of your particular web solution, consider consulting Symfony experts.
How can you protect a Symfony solution from cyber threats?
There is no one-size-fits-all approach to securing Symfony solutions, which means you should implement a set of practices to minimize the risk of a successful attack.
• Leveraging Symfony’s built-in security solutions
The Symfony framework offers several components and tools that your team can use to secure your solution. Symfony’s Security Component, for instance, can be used to establish a full-fledged security system for your company’s web software. The Security Component is divided into several smaller subcomponents, each serving a specific purpose.
Some of these subcomponents allow teams to quickly implement common security mechanisms in the solution, from authentication and authorization to password hashing (formerly called “password encoding”). Others can be used to secure different parts of the app via firewalls and build a “line of defense” against XSS attacks. There are also subcomponents that let teams implement anti-CSRF tokens to prevent CSRF attacks.
While teams can use these and other built-in Symfony security components and tools separately, we recommend implementing them in conjunction. This way, your team can quickly ensure all-round robust security for your Symfony-based solution and prevent the majority of cyber attacks.
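The features named above (password hashing, authentication, firewalls, anti-CSRF tokens on the login form, and authorization) are all wired up in one place: the Security Component’s configuration. The file below is an added example written for this article using Symfony’s PHP configuration builder (Symfony 5.3+); it is not the magazine’s or the Symfony project’s own code. The App\Entity\User class, the route names app_login and app_logout, and the URL patterns are assumptions.

```php
<?php
// Added example (not from the article): config/packages/security.php using
// Symfony's PHP configuration builder. App\Entity\User, the route names
// app_login / app_logout and the URL patterns are hypothetical.

use App\Entity\User;
use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
use Symfony\Config\SecurityConfig;

return static function (SecurityConfig $security): void {
    // Password hashing: 'auto' picks the strongest algorithm available
    // (bcrypt or sodium) and lets Symfony migrate old hashes on login.
    $security->passwordHasher(PasswordAuthenticatedUserInterface::class)
        ->algorithm('auto');

    // Authentication: where user accounts are loaded from.
    $security->provider('app_user_provider')
        ->entity()
            ->class(User::class)
            ->property('email');

    // Firewall for dev tooling and static assets: the profiler and CSS do
    // not go through the authentication stack at all.
    $security->firewall('dev')
        ->pattern('^/(_(profiler|wdt)|css|images|js)/')
        ->security(false);

    // Main firewall for everything else. lazy(true) starts the session only
    // when the user object is actually needed.
    $main = $security->firewall('main');
    $main->lazy(true)
        ->provider('app_user_provider');

    // Form login with its own anti-CSRF token on the login request.
    $main->formLogin()
        ->loginPath('app_login')
        ->checkPath('app_login')
        ->enableCsrf(true);

    $main->logout()
        ->path('app_logout');

    // Brute-force mitigation (requires the symfony/rate-limiter package).
    $main->loginThrottling()
        ->maxAttempts(5);

    // Authorization: role hierarchy plus URL-based access control.
    // Rules are evaluated top to bottom and the first match wins, so the
    // public login page must be listed before the catch-all rule.
    $security->roleHierarchy('ROLE_ADMIN', ['ROLE_USER']);

    $security->accessControl()
        ->path('^/admin')
        ->roles(['ROLE_ADMIN']);
    $security->accessControl()
        ->path('^/login')
        ->roles(['PUBLIC_ACCESS']);
    $security->accessControl()
        ->path('^/')
        ->roles(['ROLE_USER']);
};
```

Two details are worth checking in a review: the `dev` firewall pattern must not be broadened to application paths, or those paths silently lose authentication, and the access-control list must end with a rule that covers `^/`, otherwise any URL not matched explicitly is reachable anonymously.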