How These Web Application Security Vulnerabilities Could Be Affecting Your Business

How These Web Application Security Vulnerabilities Could Be Affecting Your Business

When companies don’t follow basic security practices, they leave themselves vulnerable.

In August, the security blog WordFence published a warning about an ongoing attack on WordPress that potentially compromised the accounts of 60 million users. This ongoing backdoor attack is leveraging the vulnerabilities present in several WordPress plugins. The list of compromised plugins include:

  • Live Chat with Facebook Messenger
  • Blog Designer
  • Visual CSS Style Editor

This attack is the result of a large percentage of WordPress plugins being outdated. According to the 2019 Imperva research on web application vulnerabilities, 97 percent of WordPress plugins may be vulnerable.

Attackers leverage vulnerabilities such as outdated software or plugins, as in this attack, to gain access to your application and system. Organizations like the Open Web Application Security Project (OWASP) give companies and users information about the latest vulnerabilities. They also recommend how to mitigate these web application risks. In this article, we will review the OWASP’s top 10 list of vulnerabilities and look at some recent attacks to help you determine where you might be vulnerable.

What Is the OWASP Top 10?

OWASP is a nonprofit organization dedicated to promoting secure application development and operation. The organization provides free documentation, tools, and reports for users and developers to improve the security of their applications.

The OWASP Top 10 is a document released every few years. It reports the most critical security risks for web applications. This project aims to inform and help organizations stay aware of the most pressing application security risks.

The new list had a few changes from the 2013 version.The changes included two new vulnerabilities and merged two previous ones into A5: Broken Access Control. The Top 10 application vulnerabilities of 2017 include:

  • A1: Injection—the attacker injects malicious code into an application with the intention to control it. The most common injection is SQL injection (SQLi), which involves the attacker inserting an SQL statement with malicious purposes, for example, to expose and extract the data of a table in a database. Another type of injection attack, LDAP injection, inserts malicious code against a directory system. OWASP recommends using a safe API, separating the data from commands and queries to prevent injection attacks.
  • A2: Broken authentication—the attacker gains access to user credentials, impersonating legitimate user IDs to enter your system. The application can be vulnerable if it uses weak passwords or exposes session IDs in the URL. You can prevent attacks by implementing strong access controls and multi-factor authentication.
  • A3: Sensitive data exposure—this vulnerability can affect any web application operating with user personal data. Applications handling credit card or personal data are typical targets to sensitive data exposure. An application can be vulnerable, for example, if it fails to encrypt the data both in transit and at rest. Using strong and up-to-date encryption algorithms scrambles the data, rendering it unusable for the attackers. You can prevent exploits by following security practices such as disabling caching for sensitive data.
  • A4: XML external entities (XXE)—an attacker can divert an XML processor to access files and return the contents of targeted files. The application can be vulnerable if it accepts XML directly, which enables an attacker to upload a malicious XML file. To prevent these attacks, OWASP recommends disabling the external entity's capabilities in all XML processors in the application.
  • A5: Broken access control—this vulnerability occurs when users are not limited in their permissions. Broken access control means the attackers gain administrative or privileged access to the system, which lets them manipulate or delete the data. Preventing these attacks requires enforcing access control in server-side code or in a server-less API. Thus, the attacker cannot change the access control check.
  • A6: Security misconfiguration—this term refers to issues in application security systems, such as unpatched flaws or unprotected files. The attacker uses them to gain access to the system. An application can be vulnerable if it is missing security hardening or if it still enables default accounts. Preventing attackers to leverage security misconfiguration requires, between other OWASP recommendations, a security hardening process and eliminating unused features from the application platform.
  • A7: Cross-site scripting (XSS)—an XSS vulnerability involves misusing the trust given to a specific site, extending it to another with malicious purposes. Attackers can modify a page, usually a contact form, to hijack the session and direct users IDs to the attacker’s website. Preventing cross-site scripting requires separating untrusted data from the active content on the website.
  • A8: Insecure deserialization—applications can be vulnerable to insecure deserialization if they allow deserialized objects from untrusted sources. This vulnerability is not very common as it is difficult to exploit. However, it is also difficult to detect. Some of the OWASP recommendations include restricting the data types for serialized objects and disabling the option to accept untrusted serialized objects.
  • A9: Using components with known vulnerabilities—this is one of the most prevalent vulnerabilities, since most software applications use open-source components. Despite the many benefits of using open source software, it is critical to track and monitor the open source components in your application. This task is becoming increasingly difficult, given the myriad components present in any application. There are several security tools that help developers to track and verify the security status of the application’s open source components.
  • A10: Insufficient logging and monitoring—An application can be vulnerable if it fails to log auditable events, such as security alerts or flaws. You should ensure all login, access control failures are logged and monitored for suspicious activity.

Latest Security Breaches Involving Web Application Vulnerabilities

The trend of web application vulnerabilities has increased in the last couple of years. The most common vulnerability type exploited by attackers was the injection type, followed by cross-site scripting. Some of the attacks that made headlines include:

  • Timehop—vulnerability type: broken access controls. The attackers used compromised admin credentials to extract 21 million user records. The weakness: the admin account, one of their privileged employees, didn’t use multi-factor authentication.
  • Magecart attacks—vulnerability type: cross-site scripting. This attack on British Airways extracted transactional and personal data from more than 385,000 records.
  • WordPress—vulnerability type: using components with known vulnerabilities. The weakness: outdated plugins. As the attack continues, it is not possible to know how many more user accounts might be compromised.

As the saying goes: “it is not a matter of if, but when an attack occurs.” The recent attacks prove that no company or network is 100 percent secure. Moreover, when companies don’t follow basic security practices such as role access control or updating software, they leave themselves vulnerable.

Following the security practices recommended by the OWASP report is a good start to strengthening your application security. A best practice to consider is using tools to automate testing for vulnerabilities. Continuous testing can keep your application covered, enabling you to fix vulnerabilities on the fly. After all, being prepared is the best defense.


  • Cloud Adoption Gives Way to Hybrid Deployments

    Cloud adoption is growing at an astonishing rate, with Gartner forecasting that worldwide public cloud end-user spending will approach $600 billion by the end of this year—an increase of more than 21% over 2022. McKinsey believes that number could eclipse $1 trillion by the end of the decade, further underscoring the industry’s exponential growth. Read Now

  • AI on the Edge

    Discussions about the merits (or misgivings) around AI (artificial intelligence) are everywhere. In fact, you’d be hard-pressed to find an article or product literature without mention of it in our industry. If you’re not using AI by now in some capacity, congratulations may be in order since most people are using it in some form daily even without realizing it. Read Now

  • Securing the Future

    In an increasingly turbulent world, chief security officers (CSOs) are facing a multitude of challenges that threaten the stability of businesses worldwide. Read Now

    • Guard Services
  • Security Entrances Move to Center Stage

    Most organizations want to show a friendly face to the public. In today’s world, however, the need to keep people safe and secure has become a prime directive when designing and building facilities of all kinds. Fortunately, there is no need to construct a fortress-like entry that provides that high level of security. Today’s secured entry solutions make it possible to create a welcoming, attractive look and feel at the entry without compromising security. It is for this reason that security entrances have moved to the mainstream. Read Now

Featured Cybersecurity

New Products

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3

  • ResponderLink


    Shooter Detection Systems (SDS), an company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3