Web applications are an essential component of any modern business. They can help convey the company vision, advertise services and deliver content to customers.
Regardless of their use, they are a necessity for making an individual or a business known to the world. However, as beneficial as they can be, they can also be a double-edged sword.
The silent killer (the vulnerability, or worse, multiple vulnerabilities) can ruin the time and effort spent on the website’s aesthetics and brand building. This post discusses the five deadliest web application attack vectors and how they can be detected, shut down (and then remediated) through web application testing.
Vector 1: Broken Authentication
The first attack vector is a category of vulnerabilities that often gets overlooked, and which can result in an attacker gaining unauthorised access to the web application. In some cases, these flaws are very subtle and easy to miss.
This vulnerability type can be exceptionally dangerous if the account the attacker has gained access to is an administrator. Suppose this privileged account can reset any user password; this single compromise has given the attacker the ability to take over any user account on the website.
Web application testing can help identify issues such as a lack of controls against brute force attacks, and subtle logic flaws in the authentication code. This vulnerability also often exposes a wider attack surface in the application, revealing the true risk associated with broken authentication.
Vector 2: Cross-Site Scripting (XSS)
The second vector is one of the most widespread vulnerabilities on the web today. XSS is where an attacker can execute malicious scripts on other users’ browsers.
Depending on the context, an XSS attack can result in users being tricked into visiting malicious domains under an attacker's control, in session hijacking, and even in full account takeover. In the context of an administrator account, this vulnerability can result in a complete application takeover.
A web application test will likely identify at least one instance of XSS, if present, on the website. More importantly, it will reveal the risks associated with the vulnerability and which security controls the application is missing to prevent the injection of malicious scripts into a user's browser.
Vector 3: Insecure Direct Object Reference (IDOR)
IDOR is a vulnerability where a web application accepts user input to retrieve objects directly. An example of an IDOR would be an application that uses a back-end database to retrieve customer account details.
A customer's ID is used directly as a record index in queries that are performed on the back-end database. If no other controls are in place, an attacker can simply modify the ID's value, bypassing access controls to view other customers' records. This is an example of privilege escalation caused by an IDOR.
Web application testing would uncover IDORs which would either result in privilege escalation or enable anybody to access documents that contain sensitive information.
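The IDOR scenario described above, as an added example that is not part of the original post: a customer ID used directly as the record key, shown as the vulnerable lookup beside an ownership-checked one and an indirect-reference variant. The customer table, sessions and field names are constructed for illustration.

```python
import secrets

# Constructed sample data standing in for the back-end customer table.
CUSTOMERS = {
    101: {"name": "Alice", "iban": "GB00AAAA00000000000101"},
    102: {"name": "Bob",   "iban": "GB00BBBB00000000000102"},
}

# Simulated authenticated sessions: who is logged in and what role they hold.
SESSION_ALICE = {"customer_id": 101, "role": "customer"}
SESSION_ADMIN = {"customer_id": 1, "role": "admin"}


def get_account_vulnerable(session, requested_id):
    """IDOR: trusts the client-supplied ID and never checks who is asking."""
    return CUSTOMERS.get(requested_id)


def get_account(session, requested_id):
    """Hardened lookup: the server-side session, not the request, decides access.
    Returns (status, payload) mimicking an HTTP handler."""
    if requested_id not in CUSTOMERS:
        return 404, None
    is_owner = session["customer_id"] == requested_id
    if not (is_owner or session["role"] == "admin"):
        # Worth logging: a run of 403s on sequential IDs is a strong
        # detection signal for someone probing for IDORs.
        return 403, None
    return 200, CUSTOMERS[requested_id]


def issue_handle(session):
    """Indirect reference: hand the client an opaque per-session handle instead of
    the raw key, so the real ID never appears in a request to be tampered with."""
    handle = secrets.token_urlsafe(16)
    session.setdefault("handles", {})[handle] = session["customer_id"]
    return handle


def get_account_by_handle(session, handle):
    """Resolve the handle through the caller's own session; foreign or forged
    handles simply do not resolve."""
    customer_id = session.get("handles", {}).get(handle)
    if customer_id is None:
        return 404, None
    return 200, CUSTOMERS[customer_id]
```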
Vector 4: Information Disclosure
The fourth vector is a very common vulnerability, yet it should not be underestimated or ignored. Information disclosure refers to the event where a website unintentionally leaks information that is either sensitive or useful for an attacker to leverage.
Examples of information disclosure can include:
- Data about other users, such as usernames or financial information
- Sensitive commercial or business data
- Technical details about the website and its infrastructure
One of the most common examples of this is the server version being returned in a response header. An attacker can easily query a web application to retrieve its headers; if the server version happens to be vulnerable, the attacker could gain access simply because of that information disclosure.
A web application test would identify any instances of information disclosure, from information in response headers to server errors that leak verbose information about the application’s infrastructure.
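A defender-side check for the two disclosures named above (version-bearing response headers and verbose error pages), added here as an example that is not part of the original post. The sample response, header values and error-page fragments are constructed; the header names checked are common ones, not a complete list.

```python
import re

# Response headers that commonly carry software versions (compared case-insensitively).
VERSION_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}
# A dotted version number such as 2.4.0 or 7.4.3 inside a header value.
VERSION_RE = re.compile(r"\d+(\.\d+)+")
# Fragments typical of stack traces and framework error pages leaked to the client.
VERBOSE_ERROR_RE = re.compile(
    r"Traceback \(most recent call last\)|Stack trace:|"
    r"at [\w.$]+\(\w+\.java:\d+\)|You have an error in your SQL syntax"
)


def find_disclosures(response):
    """Return (location, detail) findings for one response, given as a dict
    with "status", "headers" and "body" keys."""
    findings = []
    for name, value in response["headers"].items():
        if name.lower() in VERSION_HEADERS and VERSION_RE.search(value):
            findings.append(("header", f"{name}: {value}"))
    if VERBOSE_ERROR_RE.search(response["body"]):
        findings.append(("body", "verbose error page"))
    return findings


def harden_headers(headers):
    """Drop the disclosing headers and replace Server with a generic value,
    which is the usual remediation when the header cannot be removed outright."""
    cleaned = {k: v for k, v in headers.items() if k.lower() not in VERSION_HEADERS}
    cleaned["Server"] = "webserver"
    return cleaned


# Constructed sample: a 500 page that leaks both server versions and a PHP stack trace.
SAMPLE_ERROR_RESPONSE = {
    "status": 500,
    "headers": {
        "Server": "Apache/2.4.0 (Unix)",
        "X-Powered-By": "PHP/7.4.3",
        "Content-Type": "text/html",
    },
    "body": "Fatal error: Uncaught Exception\nStack trace:\n#0 /var/www/html/index.php(12)",
}
```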
Vector 5: Cross-Site Request Forgery (CSRF/XSRF)
The final vector is similar to cross-site scripting. CSRF depends on social engineering to trick users into visiting a malicious website. From there, if the user is logged in to a vulnerable application, the malicious site can cause actions to be performed in that user's session.
The risk associated with this vulnerability depends on the affected user's privileges, as is often the case with security flaws. If the attacker can perform a CSRF attack against a web application user, they could potentially change that user's account information, such as their email address or password.
A CSRF against an administrator account can compromise the entire web application. Web application testing can reveal whether the appropriate mitigations against CSRF are in place. For example, where a framework is being used, a tester can audit it for built-in CSRF protection and make recommendations based on their findings.
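The kind of built-in CSRF protection a tester would look for, as an added example that is not part of the original post: a per-session synchroniser token bound with HMAC, checked in constant time, plus an Origin header check on a state-changing "change email" handler. The server secret, site origin and request dicts are constructed for illustration.

```python
import hmac
import hashlib
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # constructed; load from configuration in practice
SITE_ORIGIN = "https://app.example"       # assumed origin of the protected application


def csrf_token(session_id):
    """Derive the token from the session: a third-party page cannot compute it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_change_email(request):
    """State-changing handler. request = {"cookies", "headers", "form"} dicts.
    Returns (status, message) mimicking an HTTP response."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, "not logged in"
    # 1. Origin check: browsers set Origin themselves, so a forging page
    #    cannot make it read as our own site.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    # 2. Synchroniser token: the form must carry the token matching this session.
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    return 200, "email changed to " + request["form"]["email"]


# Constructed requests. The session cookie rides along in both, because the browser
# attaches it automatically; only the legitimate form carries the token.
LEGIT_REQUEST = {
    "cookies": {"session": "sess-abc"},
    "headers": {"Origin": SITE_ORIGIN},
    "form": {"csrf_token": csrf_token("sess-abc"), "email": "new@example.com"},
}
FORGED_REQUEST = {
    "cookies": {"session": "sess-abc"},
    "headers": {"Origin": "https://attacker.example"},
    "form": {"email": "attacker@example.com"},
}
FORGED_NO_ORIGIN = {  # older client that omits Origin: the token check still catches it
    "cookies": {"session": "sess-abc"},
    "headers": {},
    "form": {"email": "attacker@example.com", "csrf_token": "0" * 64},
}
```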
Prevent Web Application Attacks
To conclude, these are five of the many deadly attack vectors which a web application test can identify. Whilst these are not the only vulnerabilities to be aware of, the result of a breach is the same whichever one is exploited.
Web application testing can help you avoid these vulnerabilities, which can result in breaches of security. In return, this will help prevent loss of revenue as well as reputation.
Take our advice and act, the change starts with you. So, get started.