Cybercriminals are a lot like termites – they seek out any opening and feed on the foundation of an organization. There is no easy way to protect an environment from a determined attacker. Many enterprises and governments dedicate significant portions of their budget just to prevent, detect, and respond to cybercrime. However, the dedicated attacker is not the only threat out there. In fact, automated attacks and probes can present just as big a threat to organizations if their perimeter is not properly secured.
One of the most common discoveries from these automated probes is an opening in the network associated with a web application and its server. These servers host services that let users reach specialized applications from the internet. In many cases, web applications are exposed to the world wide web for convenience. That convenience, however, comes with a major security risk: if an everyday user can find a server, so can an attacker. Web applications are a major source of risk for many organizations, and attackers have developed tried-and-true methods to compromise the security of users and enterprises alike.
OWASP and The Top 10 Web Application Security Risks
OWASP, or the Open Web Application Security Project, describes itself as “a nonprofit foundation that works to improve the security of software” (OWASP). This organization publishes a well-known “Top Ten” list that outlines the 10 most critical risks to web applications. The list is oriented mainly towards software developers, to help them avoid introducing security flaws into their software. Attacks on the OWASP Top 10 risks are generally considered the standard threats that a web application should expect to face on a regular basis. Understanding the threats facing an organization can drastically increase the chances of successfully defending its network.
Top 10 Overview – Malicious Injection
Let’s take a look at one of the most popular and devastating attacks on the OWASP Top 10. Injection attacks are actually a family of attacks that share a core mechanism: submitting (injecting) malicious content or code into a web application. Generally, injection attacks exploit flaws in the way the host application parses input data. SQL injection is a popular attack since many web applications use SQL for the backend database. For example, instead of entering a username in the “user” field, an attacker might enter a command that retrieves all usernames from the web application’s database. These attacks can go further than data exfiltration, enabling attackers to inject malicious code and gain access to, or infect, core components of the server. Since these attacks are focused on the attacker running potentially arbitrary code on the server, the repercussions of a successful injection attack can be devastating. Check out the OWASP Top 10 article on Injection for more information and methods that may help prevent this type of attack.
Top 10 Overview – Nobody is Watching
Access to sensitive data on a web application exposes a significant security gap directly on the perimeter of a network. The ramifications of a data breach can go much further than many realize. Attackers are desperate for information from systems, especially information accessible via public means. Even equipped with this knowledge, many organizations still fail to realize the extent of monitoring that these perimeter systems require. Attackers exploit the fact that most web applications exist in a silo and are not fully monitored. Even the best defenses will fail; monitoring is critical to detect and remediate breaches before they become unmanageable. For more information on the importance of logging web application events, see the OWASP Top 10 Page on Insufficient Logging and Monitoring.
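The monitoring gap described above is easiest to see with a concrete detector. The following is an added example, not code from the article or from OWASP, that parses web server access log lines in Common Log Format and raises two alerts a perimeter monitor should produce: a burst of failed logins from one address, and a large successful response from a sensitive path. The log lines are constructed for the demonstration, and the path names, thresholds and log format are assumptions.

```python
import re
from collections import Counter

# Common Log Format: client, identity, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log (not real traffic): one address fails login repeatedly,
# succeeds, then pulls a large export; another address behaves normally.
SAMPLE_LOG = """
10.0.0.5 - - [04/May/2021:10:00:01 +0000] "POST /login HTTP/1.1" 401 120
10.0.0.5 - - [04/May/2021:10:00:02 +0000] "POST /login HTTP/1.1" 401 120
10.0.0.5 - - [04/May/2021:10:00:03 +0000] "POST /login HTTP/1.1" 401 120
10.0.0.5 - - [04/May/2021:10:00:04 +0000] "POST /login HTTP/1.1" 401 120
10.0.0.5 - - [04/May/2021:10:00:05 +0000] "POST /login HTTP/1.1" 401 120
10.0.0.5 - - [04/May/2021:10:00:06 +0000] "POST /login HTTP/1.1" 200 512
10.0.0.5 - - [04/May/2021:10:00:09 +0000] "GET /admin/export HTTP/1.1" 200 4800000
198.51.100.7 - - [04/May/2021:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.7 - - [04/May/2021:10:01:05 +0000] "POST /login HTTP/1.1" 401 120
198.51.100.7 - - [04/May/2021:10:01:09 +0000] "POST /login HTTP/1.1" 200 512
""".strip().splitlines()


def parse_log(lines):
    """Parse each line into a dict of fields; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            e["size"] = 0 if e["size"] == "-" else int(e["size"])
            entries.append(e)
    return entries


def failed_login_bursts(entries, threshold=5):
    """Return {ip: count} for addresses with at least `threshold` 401s on /login."""
    failures = Counter(
        e["ip"] for e in entries if e["path"] == "/login" and e["status"] == 401
    )
    return {ip: n for ip, n in failures.items() if n >= threshold}


def bulk_downloads(entries, sensitive_prefix="/admin/", min_bytes=1_000_000):
    """Return (ip, path, size) for large successful responses under a sensitive prefix."""
    return [
        (e["ip"], e["path"], e["size"])
        for e in entries
        if e["path"].startswith(sensitive_prefix)
        and e["status"] == 200
        and e["size"] >= min_bytes
    ]


def alerts(lines):
    """Combine both detections; an address that trips both is escalated."""
    entries = parse_log(lines)
    bursts = failed_login_bursts(entries)
    downloads = bulk_downloads(entries)
    escalated = sorted({ip for ip, _, _ in downloads if ip in bursts})
    return {"bursts": bursts, "downloads": downloads, "escalated": escalated}


if __name__ == "__main__":
    for kind, value in alerts(SAMPLE_LOG).items():
        print(f"{kind}: {value}")
```

Neither rule is sophisticated; the point is that the web server already records enough to catch this sequence, and an application that lives in a silo never has the rules applied to it. Shipping these logs to a central collector and reviewing alerts is what turns “nobody is watching” into a response that starts before the export completes.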
Top 10 Overview – The Best Laid Plans
A properly managed server environment and application stack is key to preventing security misconfiguration vulnerabilities. Security misconfiguration attacks target an ecosystem that lacks proper configuration, change control, and baselines. Often, something as simple as a default account name and password is enough to lead to a total compromise of a network. This type of vulnerability often makes the news when it is found by bug bounty participants. These “white hat” security researchers find hidden web application pages that are unintentionally reachable from the world wide web and report the misconfiguration for a payout. Attackers will exploit the same vulnerabilities for their own malicious gain. More information and prevention details can be found on the OWASP Top 10 page on Security Misconfiguration.
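A baseline only helps if something checks deployments against it. The following added example (not code from the article or from OWASP) audits a hypothetical web application’s configuration for the misconfigurations the paragraph names: default credentials, debug mode left on, directory listing, unauthenticated administrative or setup pages, and a server banner that leaks a version. Both configurations, the key names, and the list of default credential pairs are assumptions constructed for the demonstration.

```python
import re

# Well-known factory credential pairs (a small constructed list for the demo).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
}

# Constructed "as shipped" configuration for a hypothetical application.
WEAK_CONFIG = {
    "admin_username": "admin",
    "admin_password": "admin",
    "debug": True,
    "directory_listing": True,
    "exposed_paths": {
        "/admin": {"auth_required": False},
        "/setup.php": {"auth_required": False},
        "/": {"auth_required": False},
    },
    "server_header": "ExampleServer/1.0 (build 1234)",
}

# The same application after applying a hardening baseline.
HARDENED_CONFIG = {
    "admin_username": "ops-admin-7f3a",
    "admin_password": "loaded-from-secret-store",  # placeholder; never in config files
    "debug": False,
    "directory_listing": False,
    "exposed_paths": {
        "/admin": {"auth_required": True},
        "/": {"auth_required": False},
    },
    "server_header": "ExampleServer",
}

ADMIN_PATH_RE = re.compile(r"^/(admin|setup|install|manage)", re.IGNORECASE)
VERSION_RE = re.compile(r"\d+\.\d+")


def audit(config):
    """Return a list of (severity, finding) tuples; an empty list means clean."""
    findings = []
    creds = (config.get("admin_username", ""), config.get("admin_password", ""))
    if creds in DEFAULT_CREDENTIALS:
        findings.append(("critical", "administrative account uses default credentials"))
    if config.get("debug"):
        findings.append(("high", "debug mode enabled; stack traces and internals may be exposed"))
    if config.get("directory_listing"):
        findings.append(("medium", "directory listing enabled; hidden files become discoverable"))
    for path, rules in config.get("exposed_paths", {}).items():
        if ADMIN_PATH_RE.match(path) and not rules.get("auth_required", False):
            findings.append(("critical", f"{path} reachable without authentication"))
    if VERSION_RE.search(config.get("server_header", "")):
        findings.append(("low", "server header discloses a software version"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Running an audit like this in the deployment pipeline, against a documented baseline, is what OWASP means by a repeatable hardening process: the checks are trivial individually, but they fail loudly before a bug bounty participant (or an attacker) finds the forgotten setup page.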
Top 10 Overview – What You Do Know Can Hurt You
Sometimes an organization’s IT leadership can feel like they have no choice when it comes to the software and hardware they use. A huge number of organizations run components of the web application stack that have known vulnerabilities. The cause can be budget constraints, unsupported and defunct software, or even internally developed apps from a disbanded team. These components often come with an abundance of disclaimers about their lack of security. Part of any risk management strategy is weighing the potential impact of a vulnerability against the probability of a successful attack. This can lead to scenarios where known-vulnerable components remain in use regardless of the associated risk. Unfortunately, it is extremely difficult to map the true impact of a compromise, and breaches associated with these known vulnerabilities can prove costly in both reputation and finances. The OWASP Top 10 summary regarding Using Components with Known Vulnerabilities emphasizes the risks associated with this practice.
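The first step in the risk weighing described above is knowing which pinned components have a published fix you are not running, and which have no fix at all. The following added example (not code from the article or from OWASP) compares a pinned dependency manifest against an advisory feed and reports each affected component. Both the manifest and the advisory entries are constructed for the demonstration: the component names and advisory identifiers are placeholders, not real packages or real advisories.

```python
import re

# Constructed advisory feed (placeholders, not real advisories). `fixed_in` is the
# first version containing the fix; None means the vendor never shipped one.
ADVISORIES = [
    {"component": "examplelib", "fixed_in": "2.3.1",
     "id": "ADVISORY-PLACEHOLDER-1", "severity": "high"},
    {"component": "otherlib", "fixed_in": "1.4.0",
     "id": "ADVISORY-PLACEHOLDER-2", "severity": "medium"},
    {"component": "legacy-widget", "fixed_in": None,
     "id": "ADVISORY-PLACEHOLDER-3", "severity": "critical"},
]

# Constructed pinned manifest in requirements.txt style.
MANIFEST = """
examplelib==2.2.0
otherlib==1.4.2
legacy-widget==0.9   # unsupported; original team disbanded
""".strip().splitlines()

PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)$")


def parse_manifest(lines):
    """Return {component: pinned_version}, ignoring comments and blank lines."""
    pins = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def version_lt(a, b):
    """Numeric dotted-version comparison; shorter versions are padded with zeros."""
    pa = [int(x) for x in a.split(".")]
    pb = [int(x) for x in b.split(".")]
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return pa < pb


def vulnerable_components(pins, advisories):
    """List every pinned component that is below its fix version or has no fix."""
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["component"])
        if pinned is None:
            continue  # component not in use
        if adv["fixed_in"] is None or version_lt(pinned, adv["fixed_in"]):
            findings.append({
                "component": adv["component"],
                "pinned": pinned,
                "fixed_in": adv["fixed_in"],
                "advisory": adv["id"],
                "severity": adv["severity"],
                # No fix available means the only options are isolate or replace.
                "action": "upgrade" if adv["fixed_in"] else "replace or isolate",
            })
    return findings


if __name__ == "__main__":
    for f in vulnerable_components(parse_manifest(MANIFEST), ADVISORIES):
        print(f)
```

Here `otherlib` is already past its fix and is not reported, `examplelib` has an upgrade available, and `legacy-widget` is the case the paragraph warns about: a known-vulnerable component with no supported fix, where the only honest risk decision is to replace it or to isolate it and accept the documented exposure. Real tooling (software composition analysis, vendor advisory feeds) does the same comparison at scale.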
How Vulnerable is your Organization?
Cybercrime will continue to grow as the world moves to remote operations and hosted applications. Web application attacks are just one small weapon in the extensive arsenal available to cybercriminals. Organizations need to understand the risks of hosting their own web applications and implement the proper controls to protect their assets and data. Awareness is the key preventative factor for most cybercriminal activity. Be sure to check out the OWASP Top 10 to get a full picture of the critical threats and the preventative actions recommended by the experts.
A1:2017-injection. (2017). Retrieved May 04, 2021, from https://owasp.org/www-project-top-ten/2017/A1_2017-Injection
A3:2017-sensitive data exposure. (2017). Retrieved May 04, 2021, from https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure
A6:2017-security misconfiguration. (2017). Retrieved May 04, 2021, from https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration
A9:2017-using components with known vulnerabilities. (2017). Retrieved May 04, 2021, from https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities
OWASP top ten. (2021). Retrieved May 04, 2021, from https://owasp.org/www-project-top-ten/
Positive Technologies. (2020, November 27). Web applications vulnerabilities and threats: Statistics for 2019. Retrieved May 04, 2021, from https://www.ptsecurity.com/ww-en/analytics/web-vulnerabilities-2020/