How These Web Application Security Vulnerabilities Could Be Affecting Your Business

How These Web Application Security Vulnerabilities Could Be Affecting Your Business

When companies don’t follow basic security practices, they leave themselves vulnerable.

In August, the security blog WordFence published a warning about an ongoing attack on WordPress that potentially compromised the accounts of 60 million users. This ongoing backdoor attack is leveraging the vulnerabilities present in several WordPress plugins. The list of compromised plugins include:

  • Live Chat with Facebook Messenger
  • Blog Designer
  • Visual CSS Style Editor

This attack is the result of a large percentage of WordPress plugins being outdated. According to the 2019 Imperva research on web application vulnerabilities, 97 percent of WordPress plugins may be vulnerable.

Attackers leverage vulnerabilities such as outdated software or plugins, as in this attack, to gain access to your application and system. Organizations like the Open Web Application Security Project (OWASP) give companies and users information about the latest vulnerabilities. They also recommend how to mitigate these web application risks. In this article, we will review the OWASP’s top 10 list of vulnerabilities and look at some recent attacks to help you determine where you might be vulnerable.

What Is the OWASP Top 10?

OWASP is a nonprofit organization dedicated to promoting secure application development and operation. The organization provides free documentation, tools, and reports for users and developers to improve the security of their applications.

The OWASP Top 10 is a document released every few years. It reports the most critical security risks for web applications. This project aims to inform and help organizations stay aware of the most pressing application security risks.

The new list had a few changes from the 2013 version.The changes included two new vulnerabilities and merged two previous ones into A5: Broken Access Control. The Top 10 application vulnerabilities of 2017 include:

  • A1: Injection—the attacker injects malicious code into an application with the intention to control it. The most common injection is SQL injection (SQLi), which involves the attacker inserting an SQL statement with malicious purposes, for example, to expose and extract the data of a table in a database. Another type of injection attack, LDAP injection, inserts malicious code against a directory system. OWASP recommends using a safe API, separating the data from commands and queries to prevent injection attacks.
  • A2: Broken authentication—the attacker gains access to user credentials, impersonating legitimate user IDs to enter your system. The application can be vulnerable if it uses weak passwords or exposes session IDs in the URL. You can prevent attacks by implementing strong access controls and multi-factor authentication.
  • A3: Sensitive data exposure—this vulnerability can affect any web application operating with user personal data. Applications handling credit card or personal data are typical targets to sensitive data exposure. An application can be vulnerable, for example, if it fails to encrypt the data both in transit and at rest. Using strong and up-to-date encryption algorithms scrambles the data, rendering it unusable for the attackers. You can prevent exploits by following security practices such as disabling caching for sensitive data.
  • A4: XML external entities (XXE)—an attacker can divert an XML processor to access files and return the contents of targeted files. The application can be vulnerable if it accepts XML directly, which enables an attacker to upload a malicious XML file. To prevent these attacks, OWASP recommends disabling the external entity's capabilities in all XML processors in the application.
  • A5: Broken access control—this vulnerability occurs when users are not limited in their permissions. Broken access control means the attackers gain administrative or privileged access to the system, which lets them manipulate or delete the data. Preventing these attacks requires enforcing access control in server-side code or in a server-less API. Thus, the attacker cannot change the access control check.
  • A6: Security misconfiguration—this term refers to issues in application security systems, such as unpatched flaws or unprotected files. The attacker uses them to gain access to the system. An application can be vulnerable if it is missing security hardening or if it still enables default accounts. Preventing attackers to leverage security misconfiguration requires, between other OWASP recommendations, a security hardening process and eliminating unused features from the application platform.
  • A7: Cross-site scripting (XSS)—an XSS vulnerability involves misusing the trust given to a specific site, extending it to another with malicious purposes. Attackers can modify a page, usually a contact form, to hijack the session and direct users IDs to the attacker’s website. Preventing cross-site scripting requires separating untrusted data from the active content on the website.
  • A8: Insecure deserialization—applications can be vulnerable to insecure deserialization if they allow deserialized objects from untrusted sources. This vulnerability is not very common as it is difficult to exploit. However, it is also difficult to detect. Some of the OWASP recommendations include restricting the data types for serialized objects and disabling the option to accept untrusted serialized objects.
  • A9: Using components with known vulnerabilities—this is one of the most prevalent vulnerabilities, since most software applications use open-source components. Despite the many benefits of using open source software, it is critical to track and monitor the open source components in your application. This task is becoming increasingly difficult, given the myriad components present in any application. There are several security tools that help developers to track and verify the security status of the application’s open source components.
  • A10: Insufficient logging and monitoring—An application can be vulnerable if it fails to log auditable events, such as security alerts or flaws. You should ensure all login, access control failures are logged and monitored for suspicious activity.

Latest Security Breaches Involving Web Application Vulnerabilities

The trend of web application vulnerabilities has increased in the last couple of years. The most common vulnerability type exploited by attackers was the injection type, followed by cross-site scripting. Some of the attacks that made headlines include:

  • Timehop—vulnerability type: broken access controls. The attackers used compromised admin credentials to extract 21 million user records. The weakness: the admin account, one of their privileged employees, didn’t use multi-factor authentication.
  • Magecart attacks—vulnerability type: cross-site scripting. This attack on British Airways extracted transactional and personal data from more than 385,000 records.
  • WordPress—vulnerability type: using components with known vulnerabilities. The weakness: outdated plugins. As the attack continues, it is not possible to know how many more user accounts might be compromised.

As the saying goes: “it is not a matter of if, but when an attack occurs.” The recent attacks prove that no company or network is 100 percent secure. Moreover, when companies don’t follow basic security practices such as role access control or updating software, they leave themselves vulnerable.

Following the security practices recommended by the OWASP report is a good start to strengthening your application security. A best practice to consider is using tools to automate testing for vulnerabilities. Continuous testing can keep your application covered, enabling you to fix vulnerabilities on the fly. After all, being prepared is the best defense.

Featured

  • Allegion, Comfort Technologies Implement Mobile Credentials at the Artisan Apartment Homes in Florida

    Artisan Apartment Homes, a luxury apartment complex in Dunedin, Florida, recently transitioned from mechanical keys to electronic locks and centralized system software with support from Allegion US, a leading provider of security solutions, technology and services, and Florida-based Comfort Technologies, which specializes in deploying multifamily access control, IoT devices and software management solutions. Read Now

  • Mall of America Deploys AI-Powered Analytics to Enhance Parking Intelligence

    Mall of America®, the largest shopping and entertainment complex in North America, announced an expansion of its ongoing partnership with Axis Communications to deploy cutting-edge car-counting video analytics across more than a dozen locations. With this expansion, Mall of America (MOA) has boosted operational efficiency, improved safety and security, and enabled more informed decision-making around employee scheduling and streamlining transportation for large events. Read Now

  • Security Industry Association Launches New “askSIA” AI Tool

    The Security Industry Association (SIA) has unveiled a brand-new SIA member benefit – askSIA, a conversational AI agent designed to help users get the most out of their SIA membership, easily access SIA resources and find the latest information on SIA’s training and courses, reports and publications, events, certification offerings and more. SIA members can easily find askSIA by visiting the SIA homepage or looking for the askSIA icon in the top left of webpages. Read Now

    • Industry Events
  • Industry Embraces Mobile Access, Biometrics and AI

    A combination of evolving workplace dynamics, technology innovation and new user expectations is changing how people enter and interact with physical spaces. Access control is at the heart of these changes. Combined with biometrics and AI, mobile access control has become increasingly crucial for deploying entry solutions that are seamless, secure and adaptive to user needs. Read Now

  • Sustainable Video Solution Delivered for Landmark City of London Office Development

    An advanced, end-to-end video solution from IDIS, with a focus on reducing waste and costs, has helped a major office development in the City of London align its security with sustainability objectives. Read Now

New Products

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.