How These Web Application Security Vulnerabilities Could Be Affecting Your Business

How These Web Application Security Vulnerabilities Could Be Affecting Your Business

When companies don’t follow basic security practices, they leave themselves vulnerable.

In August, the security blog WordFence published a warning about an ongoing attack on WordPress that potentially compromised the accounts of 60 million users. This ongoing backdoor attack is leveraging the vulnerabilities present in several WordPress plugins. The list of compromised plugins include:

  • Live Chat with Facebook Messenger
  • Blog Designer
  • Visual CSS Style Editor

This attack is the result of a large percentage of WordPress plugins being outdated. According to the 2019 Imperva research on web application vulnerabilities, 97 percent of WordPress plugins may be vulnerable.

Attackers leverage vulnerabilities such as outdated software or plugins, as in this attack, to gain access to your application and system. Organizations like the Open Web Application Security Project (OWASP) give companies and users information about the latest vulnerabilities. They also recommend how to mitigate these web application risks. In this article, we will review the OWASP’s top 10 list of vulnerabilities and look at some recent attacks to help you determine where you might be vulnerable.

What Is the OWASP Top 10?

OWASP is a nonprofit organization dedicated to promoting secure application development and operation. The organization provides free documentation, tools, and reports for users and developers to improve the security of their applications.

The OWASP Top 10 is a document released every few years. It reports the most critical security risks for web applications. This project aims to inform and help organizations stay aware of the most pressing application security risks.

The new list had a few changes from the 2013 version.The changes included two new vulnerabilities and merged two previous ones into A5: Broken Access Control. The Top 10 application vulnerabilities of 2017 include:

  • A1: Injection—the attacker injects malicious code into an application with the intention to control it. The most common injection is SQL injection (SQLi), which involves the attacker inserting an SQL statement with malicious purposes, for example, to expose and extract the data of a table in a database. Another type of injection attack, LDAP injection, inserts malicious code against a directory system. OWASP recommends using a safe API, separating the data from commands and queries to prevent injection attacks.
  • A2: Broken authentication—the attacker gains access to user credentials, impersonating legitimate user IDs to enter your system. The application can be vulnerable if it uses weak passwords or exposes session IDs in the URL. You can prevent attacks by implementing strong access controls and multi-factor authentication.
  • A3: Sensitive data exposure—this vulnerability can affect any web application operating with user personal data. Applications handling credit card or personal data are typical targets to sensitive data exposure. An application can be vulnerable, for example, if it fails to encrypt the data both in transit and at rest. Using strong and up-to-date encryption algorithms scrambles the data, rendering it unusable for the attackers. You can prevent exploits by following security practices such as disabling caching for sensitive data.
  • A4: XML external entities (XXE)—an attacker can divert an XML processor to access files and return the contents of targeted files. The application can be vulnerable if it accepts XML directly, which enables an attacker to upload a malicious XML file. To prevent these attacks, OWASP recommends disabling the external entity's capabilities in all XML processors in the application.
  • A5: Broken access control—this vulnerability occurs when users are not limited in their permissions. Broken access control means the attackers gain administrative or privileged access to the system, which lets them manipulate or delete the data. Preventing these attacks requires enforcing access control in server-side code or in a server-less API. Thus, the attacker cannot change the access control check.
  • A6: Security misconfiguration—this term refers to issues in application security systems, such as unpatched flaws or unprotected files. The attacker uses them to gain access to the system. An application can be vulnerable if it is missing security hardening or if it still enables default accounts. Preventing attackers to leverage security misconfiguration requires, between other OWASP recommendations, a security hardening process and eliminating unused features from the application platform.
  • A7: Cross-site scripting (XSS)—an XSS vulnerability involves misusing the trust given to a specific site, extending it to another with malicious purposes. Attackers can modify a page, usually a contact form, to hijack the session and direct users IDs to the attacker’s website. Preventing cross-site scripting requires separating untrusted data from the active content on the website.
  • A8: Insecure deserialization—applications can be vulnerable to insecure deserialization if they allow deserialized objects from untrusted sources. This vulnerability is not very common as it is difficult to exploit. However, it is also difficult to detect. Some of the OWASP recommendations include restricting the data types for serialized objects and disabling the option to accept untrusted serialized objects.
  • A9: Using components with known vulnerabilities—this is one of the most prevalent vulnerabilities, since most software applications use open-source components. Despite the many benefits of using open source software, it is critical to track and monitor the open source components in your application. This task is becoming increasingly difficult, given the myriad components present in any application. There are several security tools that help developers to track and verify the security status of the application’s open source components.
  • A10: Insufficient logging and monitoring—An application can be vulnerable if it fails to log auditable events, such as security alerts or flaws. You should ensure all login, access control failures are logged and monitored for suspicious activity.

Latest Security Breaches Involving Web Application Vulnerabilities

The trend of web application vulnerabilities has increased in the last couple of years. The most common vulnerability type exploited by attackers was the injection type, followed by cross-site scripting. Some of the attacks that made headlines include:

  • Timehop—vulnerability type: broken access controls. The attackers used compromised admin credentials to extract 21 million user records. The weakness: the admin account, one of their privileged employees, didn’t use multi-factor authentication.
  • Magecart attacks—vulnerability type: cross-site scripting. This attack on British Airways extracted transactional and personal data from more than 385,000 records.
  • WordPress—vulnerability type: using components with known vulnerabilities. The weakness: outdated plugins. As the attack continues, it is not possible to know how many more user accounts might be compromised.

As the saying goes: “it is not a matter of if, but when an attack occurs.” The recent attacks prove that no company or network is 100 percent secure. Moreover, when companies don’t follow basic security practices such as role access control or updating software, they leave themselves vulnerable.

Following the security practices recommended by the OWASP report is a good start to strengthening your application security. A best practice to consider is using tools to automate testing for vulnerabilities. Continuous testing can keep your application covered, enabling you to fix vulnerabilities on the fly. After all, being prepared is the best defense.

Featured

Featured Cybersecurity

Webinars

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file. 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3