How These Web Application Security Vulnerabilities Could Be Affecting Your Business

How These Web Application Security Vulnerabilities Could Be Affecting Your Business

When companies don’t follow basic security practices, they leave themselves vulnerable.

In August, the security blog WordFence published a warning about an ongoing attack on WordPress that potentially compromised the accounts of 60 million users. This ongoing backdoor attack is leveraging the vulnerabilities present in several WordPress plugins. The list of compromised plugins include:

  • Live Chat with Facebook Messenger
  • Blog Designer
  • Visual CSS Style Editor

This attack is the result of a large percentage of WordPress plugins being outdated. According to the 2019 Imperva research on web application vulnerabilities, 97 percent of WordPress plugins may be vulnerable.

Attackers leverage vulnerabilities such as outdated software or plugins, as in this attack, to gain access to your application and system. Organizations like the Open Web Application Security Project (OWASP) give companies and users information about the latest vulnerabilities. They also recommend how to mitigate these web application risks. In this article, we will review the OWASP’s top 10 list of vulnerabilities and look at some recent attacks to help you determine where you might be vulnerable.

What Is the OWASP Top 10?

OWASP is a nonprofit organization dedicated to promoting secure application development and operation. The organization provides free documentation, tools, and reports for users and developers to improve the security of their applications.

The OWASP Top 10 is a document released every few years. It reports the most critical security risks for web applications. This project aims to inform and help organizations stay aware of the most pressing application security risks.

The new list had a few changes from the 2013 version.The changes included two new vulnerabilities and merged two previous ones into A5: Broken Access Control. The Top 10 application vulnerabilities of 2017 include:

  • A1: Injection—the attacker injects malicious code into an application with the intention to control it. The most common injection is SQL injection (SQLi), which involves the attacker inserting an SQL statement with malicious purposes, for example, to expose and extract the data of a table in a database. Another type of injection attack, LDAP injection, inserts malicious code against a directory system. OWASP recommends using a safe API, separating the data from commands and queries to prevent injection attacks.
  • A2: Broken authentication—the attacker gains access to user credentials, impersonating legitimate user IDs to enter your system. The application can be vulnerable if it uses weak passwords or exposes session IDs in the URL. You can prevent attacks by implementing strong access controls and multi-factor authentication.
  • A3: Sensitive data exposure—this vulnerability can affect any web application operating with user personal data. Applications handling credit card or personal data are typical targets to sensitive data exposure. An application can be vulnerable, for example, if it fails to encrypt the data both in transit and at rest. Using strong and up-to-date encryption algorithms scrambles the data, rendering it unusable for the attackers. You can prevent exploits by following security practices such as disabling caching for sensitive data.
  • A4: XML external entities (XXE)—an attacker can divert an XML processor to access files and return the contents of targeted files. The application can be vulnerable if it accepts XML directly, which enables an attacker to upload a malicious XML file. To prevent these attacks, OWASP recommends disabling the external entity's capabilities in all XML processors in the application.
  • A5: Broken access control—this vulnerability occurs when users are not limited in their permissions. Broken access control means the attackers gain administrative or privileged access to the system, which lets them manipulate or delete the data. Preventing these attacks requires enforcing access control in server-side code or in a server-less API. Thus, the attacker cannot change the access control check.
  • A6: Security misconfiguration—this term refers to issues in application security systems, such as unpatched flaws or unprotected files. The attacker uses them to gain access to the system. An application can be vulnerable if it is missing security hardening or if it still enables default accounts. Preventing attackers to leverage security misconfiguration requires, between other OWASP recommendations, a security hardening process and eliminating unused features from the application platform.
  • A7: Cross-site scripting (XSS)—an XSS vulnerability involves misusing the trust given to a specific site, extending it to another with malicious purposes. Attackers can modify a page, usually a contact form, to hijack the session and direct users IDs to the attacker’s website. Preventing cross-site scripting requires separating untrusted data from the active content on the website.
  • A8: Insecure deserialization—applications can be vulnerable to insecure deserialization if they allow deserialized objects from untrusted sources. This vulnerability is not very common as it is difficult to exploit. However, it is also difficult to detect. Some of the OWASP recommendations include restricting the data types for serialized objects and disabling the option to accept untrusted serialized objects.
  • A9: Using components with known vulnerabilities—this is one of the most prevalent vulnerabilities, since most software applications use open-source components. Despite the many benefits of using open source software, it is critical to track and monitor the open source components in your application. This task is becoming increasingly difficult, given the myriad components present in any application. There are several security tools that help developers to track and verify the security status of the application’s open source components.
  • A10: Insufficient logging and monitoring—An application can be vulnerable if it fails to log auditable events, such as security alerts or flaws. You should ensure all login, access control failures are logged and monitored for suspicious activity.

Latest Security Breaches Involving Web Application Vulnerabilities

The trend of web application vulnerabilities has increased in the last couple of years. The most common vulnerability type exploited by attackers was the injection type, followed by cross-site scripting. Some of the attacks that made headlines include:

  • Timehop—vulnerability type: broken access controls. The attackers used compromised admin credentials to extract 21 million user records. The weakness: the admin account, one of their privileged employees, didn’t use multi-factor authentication.
  • Magecart attacks—vulnerability type: cross-site scripting. This attack on British Airways extracted transactional and personal data from more than 385,000 records.
  • WordPress—vulnerability type: using components with known vulnerabilities. The weakness: outdated plugins. As the attack continues, it is not possible to know how many more user accounts might be compromised.

As the saying goes: “it is not a matter of if, but when an attack occurs.” The recent attacks prove that no company or network is 100 percent secure. Moreover, when companies don’t follow basic security practices such as role access control or updating software, they leave themselves vulnerable.

Following the security practices recommended by the OWASP report is a good start to strengthening your application security. A best practice to consider is using tools to automate testing for vulnerabilities. Continuous testing can keep your application covered, enabling you to fix vulnerabilities on the fly. After all, being prepared is the best defense.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3