How These Web Application Security Vulnerabilities Could Be Affecting Your Business

When companies don’t follow basic security practices, they leave themselves vulnerable.

• By Gilad David Maayan
• Oct 18, 2019

In August, the security blog WordFence published a warning about an ongoing attack on WordPress that potentially compromised the accounts of 60 million users. This ongoing backdoor attack is leveraging the vulnerabilities present in several WordPress plugins. The list of compromised plugins include:

• Live Chat with Facebook Messenger
• Blog Designer
• Visual CSS Style Editor

This attack is the result of a large percentage of WordPress plugins being outdated. According to the 2019 Imperva research on web application vulnerabilities, 97 percent of WordPress plugins may be vulnerable.

Attackers leverage vulnerabilities such as outdated software or plugins, as in this attack, to gain access to your application and system. Organizations like the Open Web Application Security Project (OWASP) give companies and users information about the latest vulnerabilities. They also recommend how to mitigate these web application risks. In this article, we will review the OWASP’s top 10 list of vulnerabilities and look at some recent attacks to help you determine where you might be vulnerable.

What Is the OWASP Top 10?

OWASP is a nonprofit organization dedicated to promoting secure application development and operation. The organization provides free documentation, tools, and reports for users and developers to improve the security of their applications.

The OWASP Top 10 is a document released every few years. It reports the most critical security risks for web applications. This project aims to inform and help organizations stay aware of the most pressing application security risks.

The new list had a few changes from the 2013 version.The changes included two new vulnerabilities and merged two previous ones into A5: Broken Access Control. The Top 10 application vulnerabilities of 2017 include:

• A1: Injection—the attacker injects malicious code into an application with the intention to control it. The most common injection is SQL injection (SQLi), which involves the attacker inserting an SQL statement with malicious purposes, for example, to expose and extract the data of a table in a database. Another type of injection attack, LDAP injection, inserts malicious code against a directory system. OWASP recommends using a safe API, separating the data from commands and queries to prevent injection attacks.
• A2: Broken authentication—the attacker gains access to user credentials, impersonating legitimate user IDs to enter your system. The application can be vulnerable if it uses weak passwords or exposes session IDs in the URL. You can prevent attacks by implementing strong access controls and multi-factor authentication.
• A3: Sensitive data exposure—this vulnerability can affect any web application operating with user personal data. Applications handling credit card or personal data are typical targets to sensitive data exposure. An application can be vulnerable, for example, if it fails to encrypt the data both in transit and at rest. Using strong and up-to-date encryption algorithms scrambles the data, rendering it unusable for the attackers. You can prevent exploits by following security practices such as disabling caching for sensitive data.
• A4: XML external entities (XXE)—an attacker can divert an XML processor to access files and return the contents of targeted files. The application can be vulnerable if it accepts XML directly, which enables an attacker to upload a malicious XML file. To prevent these attacks, OWASP recommends disabling the external entity's capabilities in all XML processors in the application.
• A5: Broken access control—this vulnerability occurs when users are not limited in their permissions. Broken access control means the attackers gain administrative or privileged access to the system, which lets them manipulate or delete the data. Preventing these attacks requires enforcing access control in server-side code or in a server-less API. Thus, the attacker cannot change the access control check.
• A6: Security misconfiguration—this term refers to issues in application security systems, such as unpatched flaws or unprotected files. The attacker uses them to gain access to the system. An application can be vulnerable if it is missing security hardening or if it still enables default accounts. Preventing attackers to leverage security misconfiguration requires, between other OWASP recommendations, a security hardening process and eliminating unused features from the application platform.
• A7: Cross-site scripting (XSS)—an XSS vulnerability involves misusing the trust given to a specific site, extending it to another with malicious purposes. Attackers can modify a page, usually a contact form, to hijack the session and direct users IDs to the attacker’s website. Preventing cross-site scripting requires separating untrusted data from the active content on the website.
• A8: Insecure deserialization—applications can be vulnerable to insecure deserialization if they allow deserialized objects from untrusted sources. This vulnerability is not very common as it is difficult to exploit. However, it is also difficult to detect. Some of the OWASP recommendations include restricting the data types for serialized objects and disabling the option to accept untrusted serialized objects.
• A9: Using components with known vulnerabilities—this is one of the most prevalent vulnerabilities, since most software applications use open-source components. Despite the many benefits of using open source software, it is critical to track and monitor the open source components in your application. This task is becoming increasingly difficult, given the myriad components present in any application. There are several security tools that help developers to track and verify the security status of the application’s open source components.
• A10: Insufficient logging and monitoring—An application can be vulnerable if it fails to log auditable events, such as security alerts or flaws. You should ensure all login, access control failures are logged and monitored for suspicious activity.

Latest Security Breaches Involving Web Application Vulnerabilities

The trend of web application vulnerabilities has increased in the last couple of years. The most common vulnerability type exploited by attackers was the injection type, followed by cross-site scripting. Some of the attacks that made headlines include:

• Timehop—vulnerability type: broken access controls. The attackers used compromised admin credentials to extract 21 million user records. The weakness: the admin account, one of their privileged employees, didn’t use multi-factor authentication.
• Magecart attacks—vulnerability type: cross-site scripting. This attack on British Airways extracted transactional and personal data from more than 385,000 records.
• WordPress—vulnerability type: using components with known vulnerabilities. The weakness: outdated plugins. As the attack continues, it is not possible to know how many more user accounts might be compromised.

As the saying goes: “it is not a matter of if, but when an attack occurs.” The recent attacks prove that no company or network is 100 percent secure. Moreover, when companies don’t follow basic security practices such as role access control or updating software, they leave themselves vulnerable.

Following the security practices recommended by the OWASP report is a good start to strengthening your application security. A best practice to consider is using tools to automate testing for vulnerabilities. Continuous testing can keep your application covered, enabling you to fix vulnerabilities on the fly. After all, being prepared is the best defense.