An estimated 113 million websites contain a security vulnerability; that’s around 6% of all websites on the internet, and 2019 has seen the cumulative cost of malware reach $2 trillion. That’s both staggering and hugely concerning, especially for businesses that rely on internet-facing applications. It has never been more important for companies to fully understand the threat landscape and take the appropriate action to protect themselves and their applications.
The Open Web Application Security Project (OWASP) is a great place to access freely available and regularly updated resources and information. Perhaps their best-known resource is the OWASP Top 10 list, a report of the ten most critical security risks put together by a group of experts. It’s recommended all businesses read and incorporate the list into their security processes.
However, the list only briefly expands upon the details of each entry. So, if you need more information about the cyber security risks it highlights, you’re in the right place. This blog post will break down each security risk and expand upon its security implications.
Occupying the top spot is injection. A huge problem in online security, it is one of the oldest web application threats out there. As the name suggests, it is a technique in which an attacker’s input ends up being interpreted as code or a query by a data-driven application. In an injection attack, untrusted data is submitted to a web application by an attacker. Once the data has been input to the program, the web application processes it and executes an unauthorised command or query.
Injection attacks can lead to loss of data, data theft, denial of service and, in the worst case, a fully compromised system. The main weakness behind injection is inadequate validation of user input, so validating and rejecting suspicious data helps to prevent injection attacks, as does maintaining stricter access controls over the information that would be exposed in the event of an attack.
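The distinction the paragraph draws between data and command is easiest to see in a query. The following is an added example, not code from the original post: it builds a constructed in-memory user table with Python’s sqlite3 module and shows a lookup that splices input into the SQL text beside a parameterised lookup and a simple allow-list validator for the input (the username policy is an assumption).

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "user"), ("carol", "admin")])
    return conn

def find_user_vulnerable(conn, username):
    # Untrusted input is spliced straight into the query text, so the database
    # cannot tell data from command: this is the injection flaw.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn, username):
    # Parameterised query: the driver sends the value separately from the
    # statement, so whatever the string contains it is only ever compared
    # against the username column.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()

def is_valid_username(username):
    # Input validation as a second layer (assumed policy): 1-32 ASCII letters,
    # digits or underscores. Anything else is rejected before it reaches SQL.
    return (0 < len(username) <= 32
            and username.isascii()
            and username.replace("_", "").isalnum())
```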
When users visit websites to log in to their accounts, they are given a unique ID serving as the user’s identity on that server. If this ID is not encrypted, or is exposed in the URL, it can be intercepted and used by a hacker to impersonate the user. This can give an attacker unauthorised access to user accounts, leading to data loss and theft, as well as access to admin accounts, which could fully compromise the system and all of its users.
Implementing a secure authentication strategy is essential to protect against vulnerabilities in this area. This includes, at a minimum, two-factor authentication, complex passwords that are encrypted in storage, and session ID management whereby a user’s entire session is protected via SSL (Secure Sockets Layer).
When sensitive data is exposed it can have disastrous implications for both businesses and individuals. In the event of a data breach, users can fall victim to financial loss and identity theft, and with the introduction of GDPR, businesses within the EU could face huge fines (up to 4% of annual global turnover or €20 million, whichever is greater) as well as the inevitable damage to their reputation.
The first port of call when mitigating this type of data leakage should be encryption. This includes encryption at rest for data that is stored, such as passwords, as well as encryption in transit for data that is transmitted, such as credit card information.
Extensible Markup Language, or XML, is a common format for sending, storing and editing data, covering everything from documents and web services to image files. It is compatible with a wide variety of software and can be exploited in a variety of different ways, but most commonly such exploits are used to trigger a denial of service attack or to gain unauthorised access.
Access control governs who may interact with a system or application, authorising or rejecting access to particular information or functions for administrators and users alike. If this control is broken, hackers can bypass the system’s authorisation, use the application and access its resources. This can lead to data loss, data theft, loss of data integrity, and can hand a hacker data from which to mount further attacks. For example, an attack may occur by manipulating a request URL, usually by changing a parameter value, tricking the web page or web application into granting access.
A good first security measure in preventing exploits such as these is using a completely random reference string, making the ID harder to predict. Using an incrementing integer should be avoided, as it gives attackers ample opportunity to gain access to all accounts once one account is compromised. On top of this, consider using multi-factor authentication. Although this doesn’t provide complete protection, it does decrease the opportunity for an attack if a hacker gains access to basic login details.
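The parameter-tampering scenario above and the two countermeasures (unpredictable references, plus checking authorisation on the server) in one place. This is an added example and not the post’s code; the document store, the user names and the HTTP-style status tuples are constructed for illustration.

```python
import secrets

# Constructed record store keyed by document id; each record knows its owner.
DOCUMENTS = {
    "1001": {"owner": "alice", "title": "Q1 report"},
    "1002": {"owner": "bob", "title": "Payroll"},
}

def new_document_id():
    # 128 bits from the OS CSPRNG, URL-safe. Unlike 1001, 1002, ... a known id
    # tells an attacker nothing about the ids of other users' records.
    return secrets.token_urlsafe(16)

def fetch_document_broken(current_user, doc_id):
    # Trusts the id supplied in the request and never consults the owner, so
    # changing the parameter value reaches any user's record.
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return 404, None
    return 200, doc["title"]

def fetch_document_checked(current_user, doc_id):
    # Server-side ownership check on every request. A record that exists but
    # belongs to someone else is reported exactly like a missing one, so the
    # response does not confirm which ids are valid.
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != current_user:
        return 404, None
    return 200, doc["title"]
```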
Misconfigurations in security settings can prevent safeguards from working effectively and leave systems open to vulnerabilities. It’s worth bearing in mind that this applies to pre-made applications as well as those developed in-house. In fact, exploits commonly occur because the system’s security configurations, such as firewalls, have been left at their defaults by the user and not securely configured for the specific applications, servers, platforms, etc.
With security threats and defences becoming more complex, vulnerabilities created through human error are an increasingly common problem. Common mistakes include overly detailed error messages that expose exploit opportunities, neglecting old or unused features and leaving them open to attack, and assuming a third party’s security is up to scratch; often it is not.
Cross-site scripting is another form of injection-based attack. Malicious scripts are loaded onto a web page or web application by an attacker and the victim unwittingly executes the malicious code within their browser, usually after being lured there via social engineering techniques. Because cross-site scripting needs user interaction, XSS attacks are commonly found on forums, message boards, and any other websites that allow comments.
Vulnerabilities to cross-site scripting can occur when web pages and web applications do not correctly manage and sanitise (remove, if the content is malicious) their users’ input. Allowing a user to inject data unchecked gives an attacker the opportunity to use the website as a vehicle to deliver malicious code to other users. To avoid this scenario, web pages and web applications should filter all user input as strictly as possible, and apply output encoding to ensure outbound data is not interpreted as active content. This encoding might simply extend to HTML special characters, such as opening and closing tags, or, depending on the web page or web application, it may need to be more complex.
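The output-encoding step described above, as an added example rather than code from the post, using Python’s standard html module. It renders a constructed comment three ways: verbatim (the flaw), encoded as element content, and encoded inside an attribute, where quotes must be encoded as well; the length cap and control-character filter on input are an assumed policy.

```python
import html

# Constructed user comment containing markup that must be displayed as text,
# never interpreted by another user's browser.
SAMPLE_COMMENT = '<script>alert("hi")</script> great post'

def render_unsafe(comment):
    # Reflects the stored comment verbatim into the page: this is the flaw.
    return f"<p class='comment'>{comment}</p>"

def render_escaped(comment):
    # Output encoding for element content: &, <, >, " and ' become entities,
    # so the browser shows the characters instead of parsing them as tags.
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"

def render_in_attribute(comment):
    # Attribute context: quotes must be encoded too, otherwise the value could
    # close the attribute early and start another one. quote=True covers this.
    return f'<p title="{html.escape(comment, quote=True)}">comment</p>'

def filter_input(comment, max_len=1000):
    # Input filtering as the first layer (assumed policy): cap the length and
    # drop control characters. It supplements output encoding, it does not
    # replace it.
    return "".join(ch for ch in comment[:max_len]
                   if ch.isprintable() or ch in "\n\t")
```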
Serialisation is the process of converting an object into a format in which it can be stored or transmitted, saved to disk for example. Deserialisation is this process in reverse, converting serialised data back into the original object. An insecure deserialisation vulnerability can occur if this process is not adequately secured and an application has limited control over what data is being serialised and deserialised. Similar to an XXE attack, when exploited this can lead to external serialised data being processed and used to introduce malicious code, or to deserialised data being accessed without authorisation.
Deserialisation vulnerabilities are technically hard to exploit. However, in case a hacker is competent enough to mount an attack, a good precaution is either to disallow data from being serialised or to set limits on the types of data that can be deserialised, in keeping with those that are expected and necessary for functionality.
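Restricting deserialisation to the expected types, as the paragraph recommends, applied to Python’s pickle format. This is an added example and not code from the post: a subclassed Unpickler with an allow-list refuses any stream that references a class or function, and a JSON alternative checks the shape of the data before it is used. The session-record layout and the sample streams are constructed.

```python
import collections
import io
import json
import pickle

class RestrictedUnpickler(pickle.Unpickler):
    # Allow-list of (module, name) pairs that may be reconstructed from a
    # pickle stream. Anything else, such as a class or function reference that
    # would run code on load, is refused.
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to load {module}.{name}")

def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def is_loadable(data):
    # True only if the stream is made up of allow-listed types.
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False

# Assumed layout of a session record: exactly these keys, all string values.
EXPECTED_KEYS = {"user", "role"}

def load_session_json(data):
    # Data-only format plus a shape check: returns the dict when it matches the
    # expected structure exactly, otherwise None.
    obj = json.loads(data)
    if (isinstance(obj, dict) and set(obj) == EXPECTED_KEYS
            and all(isinstance(v, str) for v in obj.values())):
        return obj
    return None

# Constructed sample streams: a plain data pickle, and one that references a
# class (collections.OrderedDict), which the restricted loader refuses.
PLAIN_PICKLE = pickle.dumps({"user": "alice", "role": "user"})
CLASS_REFERENCE_PICKLE = pickle.dumps(collections.OrderedDict(user="alice"))
```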
In web application development, third-party components, frameworks and development tools are often used as a foundation upon which developers then create their own applications. This saves both time and money; however, if these underlying components can be identified and exploited, the entire application is left vulnerable to attack. Many of the exploits that can be triggered through compromised components are on this list: injection attacks, broken access controls, cross-site scripting, and more.
It is essential that developers know which components they are using and keep them up to date, especially if a bug is discovered and a patch is required. Using fewer third-party components will obviously make this job easier and decrease the likelihood of a vulnerability. Scanning and monitoring applications to locate and patch vulnerabilities is the best form of defence and should be built into any security strategy.
Whereas the previous entries in this list present direct threats to systems, insufficient logging or poor monitoring cannot in itself lead to an attack. However, logging and monitoring are what ensure any intrusion or malicious activity is detected, and failure to detect it can be hugely detrimental, from both a technical standpoint and a financial one.
A log is effectively a time-stamped record outlining the actions carried out on a computer system. Effective log management is an essential component of any security strategy, as it provides complete visibility of everything that has happened and allows for complete monitoring of everyone using the system, so any unauthorised action is immediately flagged. Log management can be automated through log management software.
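What “flagging” an unauthorised action means in practice is a detection rule run over the time-stamped records. As an added example (not the post’s code, and not any particular log management product), the block below parses a constructed authentication log and raises an alert for any source address with a burst of failed logins inside a sliding window; the log format, field names, threshold and addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: ISO timestamp, event, user, source address.
# Addresses are from the documentation ranges, not real hosts.
SAMPLE_LOG = """\
2019-11-04T10:00:01Z LOGIN_FAILED user=alice src=203.0.113.7
2019-11-04T10:00:03Z LOGIN_FAILED user=bob src=203.0.113.7
2019-11-04T10:00:04Z LOGIN_OK user=carol src=198.51.100.2
2019-11-04T10:00:05Z LOGIN_FAILED user=carol src=203.0.113.7
2019-11-04T10:00:06Z LOGIN_FAILED user=dave src=203.0.113.7
2019-11-04T10:00:08Z LOGIN_FAILED user=erin src=203.0.113.7
2019-11-04T10:09:00Z LOGIN_FAILED user=alice src=198.51.100.2
"""

def parse_line(line):
    # Split the timestamp and event, then the key=value fields that follow.
    ts, event, *fields = line.split()
    record = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event}
    for field in fields:
        key, value = field.split("=", 1)
        record[key] = value
    return record

def failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    # Sliding window per source: flag any src with at least `threshold`
    # failures inside `window`. Returns {src: start time of the flagged burst}.
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["event"] == "LOGIN_FAILED":
            failures[rec["src"]].append(rec["ts"])
    alerts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold and src not in alerts:
                alerts[src] = times[start]
    return alerts
```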
We hope this blog post has been helpful, and you understand The Open Web Application Security Project’s top 10 security threats more clearly. As always, if you have any questions, please don’t hesitate to get in touch.
Matthew is Secura’s content specialist, producing gripping, emotionally complex, edge of your seat, cloud hosting articles and videos.