Top 10 Web Threats, Which Make Your Business Subject to Cyberattacks
October 31, 2018

“There is a thin line between cyber security and business and we should find this exact line where both subjects are satisfied.”

Vladimir Atanasov | Senior Cyber Security Engineer | ScaleFocus

Many business people say, “My company doesn’t have anything to hide, so I do not care much about IT security”. Actually, it is not about hiding; it is about protecting. In the era of digitalization, protecting your business from cyberattacks is crucial. Sensitive company information and data need to be well protected to avoid undesired leaks and security breaches. Those who fail to realize this in time are putting their business on the line, exposing company assets to attackers who may harm their operations in both the short and the long term.

In this blog post, we discuss the Top 10 Web Threats, analyze how they may harm your business operations and give practical advice on how to prevent them.

1) Injection Cyberattacks (SQL, NoSQL, OS, LDAP)

SQL injection is one of the most common web hacking techniques and may compromise your database. In this type of cyberattack, malicious code is placed in SQL statements via web page input. Injection is one of the most dangerous issues for data confidentiality and integrity in web applications, and it has been listed in the OWASP Top 10 of the most common and widely exploited vulnerabilities ever since that list was first published.

System loopholes:

  • User-supplied data is not validated or sanitized by the application; not every input character should reach the backend
  • User input is not validated or sanitized and is used directly, or concatenated, as part of an SQL query, which may lead to further compromise such as data leakage

What may happen?

  • The attacker may modify the “id” parameter value in their browser, which changes the meaning of the query so that it returns all records from the accounts table. More dangerous attacks could modify or delete data or invoke stored procedures
  • Hostile data used in object-relational mapping (ORM) search parameters to extract sensitive data

How to prevent this type of cyberattack?

  • Perform regular source code reviews. Use static application security testing (SAST) and dynamic application security testing (DAST) tools
  • Perform automated testing of all parameters
  • Use language- or query-level controls to prevent mass disclosure of records in the case of an SQL injection
  • Use parameterized queries and perform input validation, such as character escaping and sanitization
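As an added illustration (not code from the original post), the vulnerable concatenated query beside the hardened, parameterized form from the prevention list above, using an in-memory SQLite table with constructed account rows:

```python
import sqlite3

# Constructed in-memory stand-in for the application's accounts table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance REAL)")
conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                 [(1, "alice", 120.0), (2, "bob", 45.5), (3, "carol", 900.0)])

def lookup_vulnerable(acct_id: str) -> list:
    """Vulnerable form: the 'id' request parameter is pasted into the SQL text,
    so input containing quotes changes the meaning of the query."""
    query = "SELECT id, owner, balance FROM accounts WHERE id = '" + acct_id + "'"
    return conn.execute(query).fetchall()

def lookup_safe(acct_id: str) -> list:
    """Hardened form: white-list validation plus a bound parameter, so the input
    is only ever treated as data; LIMIT caps disclosure if anything else slips."""
    if not acct_id.isdigit():
        return []                      # reject anything that is not a plain number
    query = "SELECT id, owner, balance FROM accounts WHERE id = ? LIMIT 1"
    return conn.execute(query, (int(acct_id),)).fetchall()

if __name__ == "__main__":
    # Constructed tautology input of the kind the text describes: it makes the
    # vulnerable query return every account, while the hardened lookup returns none.
    tampered = "' OR '1'='1"
    print(lookup_vulnerable(tampered))   # all three rows
    print(lookup_safe(tampered))         # []
    print(lookup_safe("2"))              # [(2, 'bob', 45.5)]
```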

2) Broken Authentication

Application authentication and session management are sometimes implemented incorrectly, which allows attackers to compromise passwords, keys or session tokens, or even to assume other users’ identities. The goal of such an attack is to take over one or more accounts so that the attacker gains the same privileges as the attacked user.

System loopholes:

  • User credentials are not properly protected
  • Login credentials are predictable and easy to guess
  • The system permits weak, well-known passwords, which makes it easier for the attacker to guess
  • Session IDs are exposed in the URL
  • User sessions or authentication tokens are not properly invalidated during logout or after a specific period of time
  • Lack of multifactor authentication

What may happen?

  • Credential stuffing: the attacker uses lists of stolen account credentials to gain unauthorized access through large-scale automated login requests
  • A person uses a public computer to access an application and, instead of signing out, simply closes the browser. An attacker who uses the same browser an hour later is still authenticated

How to prevent this type of cyberattack?

  • Use multi-factor authentication. Businesses are advised to revise their password rotation and complexity requirements and to add another authentication factor
  • Implement a weak-password checker
  • The error message on a failed login should be the same whether the user ID or the password is incorrect
  • Limit failed login attempts, or lock the account for a certain amount of time if the user types the wrong password more than 3 times
  • Remove the session ID from the URL

3) Sensitive Data Exposure

Sensitive data needs to be properly stored and protected to avoid unexpected cyberattacks. With the introduction of GDPR, many companies are becoming concerned about their sensitive information. If reliable security measures are not in place, attackers may steal or modify such data to conduct card fraud, identity theft and other crimes.

System loopholes:

  • Data is transmitted or stored in plain text and not encrypted.
  • Outdated cryptographic algorithms are in use.
  • The user agent (browser, mobile app) fails to verify that the server certificate it receives is valid.

What may happen?

  • A cyber attacker may steal sensitive data and use it to perform fraud
  • If weak or outdated encryption algorithms are used, this may lead to data exfiltration.

How to prevent your data from exposure to cyber attackers?

  • Identify which data is considered sensitive according to your governance framework and business needs
  • Clear out all sensitive data once you no longer need it
  • Ensure strong algorithms, protocols and keys are in place
  • Encrypt all data in transit with secure protocols such as Transport Layer Security (TLS) with perfect forward secrecy
  • Disable caching for responses which contain sensitive data
  • Store passwords using strong, salted hashing algorithms
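One added example (not ScaleFocus code) that covers the login controls from item 2 (weak-password check, identical error for unknown user and wrong password, lockout after more than 3 failures) together with the password-hashing recommendation just above. The lock duration and the small block list of weak passwords are assumptions for the illustration:

```python
import hashlib, hmac, os, time
from typing import Optional, Tuple

MAX_FAILED_ATTEMPTS = 3          # lock after more than 3 wrong passwords, as the text advises
LOCKOUT_SECONDS = 15 * 60        # assumed lock duration; tune to policy
GENERIC_ERROR = "Invalid username or password"   # identical for unknown user and wrong password
WEAK_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "letmein"}   # constructed sample list
_DUMMY = (b"\0" * 16, b"\0" * 64)   # makes a login for an unknown user cost the same time

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow hash (scrypt, standard library); the clear text is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)

def is_weak(password: str) -> bool:
    """Weak-password checker: too short or on the block list."""
    return len(password) < 12 or password.lower() in WEAK_PASSWORDS

class UserStore:
    def __init__(self) -> None:
        self.users = {}      # username -> (salt, digest)
        self.failures = {}   # username -> [failed_count, locked_until]

    def register(self, username: str, password: str) -> bool:
        if is_weak(password):
            return False
        self.users[username] = hash_password(password)
        return True

    def is_locked(self, username: str, now: float) -> bool:
        return now < self.failures.get(username, [0, 0.0])[1]

    def login(self, username: str, password: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return False, GENERIC_ERROR               # a locked account fails like any bad login
        record = self.users.get(username)
        salt, stored = record if record else _DUMMY
        _, candidate = hash_password(password, salt)
        if record and hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)         # success resets the failure counter
            return True, "OK"
        count = self.failures.get(username, [0, 0.0])[0] + 1
        if count > MAX_FAILED_ATTEMPTS:
            self.failures[username] = [0, now + LOCKOUT_SECONDS]   # temporary lock
        else:
            self.failures[username] = [count, 0.0]
        return False, GENERIC_ERROR
```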

4) XML External Entity Cyberattacks

Many outdated or poorly configured programs which read or process XML documents (XML processors) evaluate external entity references within the document. These cyberattacks are particularly dangerous because the external entity can be pointed at internal files, which in turn leads to disclosure of confidential data, denial of service, server-side request forgery or other system failures.

System loopholes:

  • The application accepts XML uploads directly from untrusted sources
  • Some SOAP-based web services have Document Type Definitions (DTDs) enabled, for example through Windows Communication Foundation (WCF)
  • If SOAP prior to version 1.2 is in use, the service is likely to be susceptible if XML entities are passed to the SOAP framework

What may happen?

  • Cyber attackers may exfiltrate sensitive authentication data
  • The cyber attacker may compromise the server’s configuration
  • The cyber attacker may cause unavailability of service/system downtime

How to prevent:

  • Developer training and awareness of possible cyberattack methods
  • Implement white-list input validation
  • Use static code analysis tools
  • Regularly update components which turn out to be vulnerable
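An added example (not from the original post) of the white-list input validation recommended above, applied to XML: a document from an untrusted source is accepted only if it declares no DTD at all, which is where external entities are defined. Both sample documents are constructed for the illustration:

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET

class DtdNotAllowed(ValueError):
    """Raised when an untrusted document declares a DTD, the place where entities are defined."""

def _reject_doctype(name, sysid, pubid, has_internal_subset):
    raise DtdNotAllowed("DOCTYPE declarations are not accepted from untrusted sources")

def parse_untrusted_xml(data: bytes) -> ET.Element:
    """White-list approach: a plain document without any DTD is the only accepted shape."""
    checker = xml.parsers.expat.ParserCreate()
    checker.StartDoctypeDeclHandler = _reject_doctype
    # Belt and braces: never fetch external parameter entities even if a DTD appeared.
    checker.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    checker.Parse(data, True)          # raises DtdNotAllowed at the first DOCTYPE
    return ET.fromstring(data)         # only reached for DTD-free, well-formed input

def accepts(data: bytes) -> bool:
    """True if the document passes the DTD check and parses; False for anything rejected."""
    try:
        parse_untrusted_xml(data)
        return True
    except (DtdNotAllowed, xml.parsers.expat.ExpatError, ET.ParseError):
        return False

# Constructed samples: a benign order document and one that declares an external entity
# pointing at a local file, the pattern behind XXE file disclosure.
BENIGN = b"<order><item sku='A-100' qty='2'/></order>"
XXE_ATTEMPT = (b"<?xml version='1.0'?>"
               b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///internal/config'>]>"
               b"<order><item sku='&ext;'/></order>")
```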

5) Broken Access Control

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers may exploit these flaws to gain unauthorized access to functionality, data, sensitive documents and files.

System loopholes:

  • Access control checks can be bypassed by modifying the URL, the internal application state or the HTML page
  • The session token or a record identifier can be changed to another user’s, which lets the attacker view and edit someone else’s files
  • There is no authorization layer in front of the APIs

What may happen?

  • Cyber attackers may gain privileged rights to accounts
  • The cyber attacker can get access to sensitive information
  • The cyber attacker can get the rights to change/modify content

How to prevent:

  • Invalidate session tokens once the user has logged out
  • Enable forced login/logout after a password change
  • Apply role-based access control to all resources
  • Access control models should enforce record ownership, rather than accepting that the user can create, read, update or delete any record.
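The logout invalidation, forced logout after a password change, role-based checks and record-ownership enforcement listed above, as one added example (not ScaleFocus code). The session store, the record table and the role names are constructed for the illustration:

```python
import secrets
from typing import Dict, Optional, Tuple

class SessionManager:
    """Server-side sessions: opaque tokens carried in a cookie, never in the URL."""
    def __init__(self) -> None:
        self.sessions: Dict[str, Tuple[str, int]] = {}   # token -> (username, password_version)
        self.pw_version: Dict[str, int] = {}             # username -> bumped on each password change

    def login(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, self.pw_version.get(username, 0))
        return token

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)                   # invalidated: replaying it later fails

    def change_password(self, username: str) -> None:
        # Forced logout: sessions issued before the change no longer resolve to a user.
        self.pw_version[username] = self.pw_version.get(username, 0) + 1

    def current_user(self, token: str) -> Optional[str]:
        entry = self.sessions.get(token)
        if entry is None or entry[1] != self.pw_version.get(entry[0], 0):
            self.sessions.pop(token, None)
            return None
        return entry[0]

# Constructed record store and role tables: record id -> (owner, content).
RECORDS = {101: ("alice", "alice's invoice"), 102: ("bob", "bob's invoice")}
ROLES = {"alice": "user", "bob": "user", "root": "admin"}
PERMISSIONS = {"user": {"read", "update"}, "admin": {"read", "update", "delete"}}

def access_record(sm: SessionManager, token: str, action: str, record_id: int) -> Tuple[bool, str]:
    """Deny by default: the session must be valid, the role must allow the action, and the
    caller must own the record (admins excepted). Returns (allowed, content_or_reason);
    a missing record and a foreign record give the same reason, so nothing is enumerable."""
    user = sm.current_user(token)
    if user is None:
        return False, "not authenticated"
    if action not in PERMISSIONS.get(ROLES.get(user, ""), set()):
        return False, "role does not allow " + action
    record = RECORDS.get(record_id)
    if record is None or (record[0] != user and ROLES.get(user) != "admin"):
        return False, "no access to record"
    return True, record[1]
```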

6) Security Misconfiguration

In some cases, deadlines and pushy clients put a lot of pressure on development teams. Time is ticking away, and the project needs to be finished soon. In such situations engineers rush to finish setting up a system with all its components to ensure functionality, and tend to overlook security. Insecure default configurations, incomplete or ad-hoc ones, and misconfigured HTTP headers may open the door for attackers.

Security misconfiguration loopholes:

  • Improperly configured services
  • Enabled default accounts and passwords
  • Outdated and/or vulnerable systems and server components

What may happen?

  • Cyber attackers may gain privileged access to services
  • The cyber attacker will have access to sensitive information
  • The cyber attacker will have the rights to change/modify any file
  • The cyber attacker may perform reverse engineering by listing available folders or downloading compiled code
  • The attacker may cause service disruptions or system unavailability

How to prevent:

  • Avoid unnecessary feature installations
  • Verify the effectiveness of the configuration and settings in all environments
  • Harden and automate the deployment process so that a new environment with sound security settings is easy to deploy
  • Review and update security of configurations

7) Cross-Site Scripting (XSS)

In cross-site scripting, the attacker inserts or updates untrusted data in a given web page without it going through proper validation first. Scripts inserted by the attacker are executed in the victim’s browser and may steal sensitive information.

Types of Cross-Site Scripting Attacks:

  • Reflected XSS: the web application displays unvalidated user input as part of the page, which may allow attackers to execute arbitrary script in the victim’s browser
  • Stored XSS: application components store unvalidated user input, which is served and executed later in another user’s browser
  • DOM XSS: the attack payload is executed as a result of modifying the DOM environment in the victim’s browser

What may happen?

  • Attackers may obtain the user’s session ID, which allows them to take over the user’s current session
  • The attacker gains access to the user’s account and can steal sensitive data
  • The attacker can change or modify files while logged in to the user’s account

How to prevent:

  • Use frameworks with built-in XSS protection, such as automatic output escaping
  • Validate all client input data
  • Consider Content Security Policy (CSP)
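An added example (not from the original post) of the reflected case: the same search term rendered unescaped and with output encoding, plus the Content Security Policy and HttpOnly session cookie that limit what an injected script could do. The page template, header values and sample input are constructed for the illustration:

```python
import html

def render_results_vulnerable(query: str) -> str:
    """Reflected XSS: the search term is echoed into the page unchanged."""
    return f"<h1>Results for: {query}</h1>"

def render_results(query: str) -> str:
    """Hardened: output encoding turns < > & " ' into entities, so the browser shows
    text rather than executing it. Use the encoding that fits the context (HTML body here)."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"

def response_headers(session_token: str) -> dict:
    """Defence in depth: a CSP that allows scripts only from the site's own origin, and a
    session cookie that page scripts cannot read (HttpOnly), so an injected script cannot
    simply read the session ID out of document.cookie."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
        "Set-Cookie": f"session={session_token}; HttpOnly; Secure; SameSite=Lax; Path=/",
    }

# Constructed reflected-XSS style input: a script tag submitted as the search term.
SAMPLE_INPUT = "<script>alert(document.cookie)</script>"
```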

8) Insecure Deserialization

Insecure deserialization occurs when untrusted serialized data is used to abuse the logic of an application. This often leads to remote code execution, which can further enable injection attacks by the attacker.

Examples of Insecure Deserialization

  • Altering cookie objects – Access control related cyberattack, which may result in session hijacking
  • User state serialization – Object and data structure related cyberattacks can execute remote code or modify data logic

How to prevent:

  • Implement integrity checks for serialized data
  • Log deserialization exceptions and failures
  • Restrict and monitor incoming and/or outgoing network traffic of the system components which deserialize
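The integrity check and failure logging from the list above, as an added example (not ScaleFocus code): user state is serialized as plain JSON rather than an executable object format and carries an HMAC tag, so an altered cookie is detected and logged instead of being trusted. The key and the test helper that simulates an edited cookie are constructed for the illustration:

```python
import base64
import hashlib
import hmac
import json
import logging
from typing import Optional

log = logging.getLogger("deserialization")
SECRET_KEY = b"constructed-demo-key"   # assumption: in production this comes from a secret store

def serialize_state(state: dict) -> str:
    """Data-only format (JSON, never a pickle) with an HMAC tag so tampering is detectable."""
    payload = base64.urlsafe_b64encode(json.dumps(state, separators=(",", ":")).encode())
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + tag

def deserialize_state(token: str) -> Optional[dict]:
    """Verify integrity before decoding; any failure is logged and yields None, never a crash."""
    try:
        payload, tag = token.rsplit(".", 1)
        expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            log.warning("rejected state token: integrity check failed")
            return None
        state = json.loads(base64.urlsafe_b64decode(payload))
        if not isinstance(state, dict):
            raise ValueError("unexpected top-level type %s" % type(state).__name__)
        return state
    except (ValueError, TypeError) as exc:         # bad base64, bad JSON or missing separator
        log.warning("deserialization failure: %s", exc)
        return None

def tampered_copy(token: str, **changes) -> str:
    """Constructed test helper: rewrite fields in the payload but keep the old tag, which is
    what editing the cookie without the key produces. The check above must reject it."""
    payload, tag = token.rsplit(".", 1)
    state = json.loads(base64.urlsafe_b64decode(payload))
    state.update(changes)
    new_payload = base64.urlsafe_b64encode(json.dumps(state, separators=(",", ":")).encode())
    return new_payload.decode() + "." + tag
```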

9) Components with Known Vulnerabilities

When components such as libraries, frameworks or modules with well-known vulnerabilities are used by an application, this may lead to serious security gaps, which further enable attackers to cause breaches or system takeovers.

System Loopholes:

  • Used software is vulnerable or out-of-date
  • The underlying platform, frameworks and dependencies are not upgraded or fixed when needed (known vulnerabilities, improved defensive mechanisms)
  • Software and system engineers fail to test the compatibility of updated, upgraded or patched libraries

What may happen?

  • Execution of arbitrary code on the system may be enabled
  • Cyber attackers may take over the application or its infrastructure
  • Total/partial system unavailability

How to prevent:

  • Remove unused dependencies, unnecessary features, components and files
  • Continuously maintain versions, libraries and security patches
  • Obtain components only from their official corresponding sources

10) Insufficient Logging and Monitoring

Insufficient logging and monitoring, combined with ineffective integration with incident management, may allow attackers to exploit systems, exfiltrate data or cause service unavailability without being noticed.

Your application is at risk if:

  • Logs are not monitored for suspicious activities
  • Logs are stored locally, rather than in a centralized location
  • Important events, failed login attempts, and other suspicious activities are not logged
  • No log monitoring system is applied to raise alerts and detect cyber-attacks in real time

What may happen?

  • The cyber attacker may succeed in hacking a component while remaining unnoticed for a long period of time
  • The application is unable to detect, escalate, or alert for active attacks in real time or near real time
  • Warnings and errors produce overly verbose messages that are returned to clients

How to prevent:

  • Ensure extensive logging and monitoring of all important events in your systems
  • Implement centralized log monitoring and correlation system
  • Establish effective monitoring and alerting capabilities
  • Adopt security incident management (incident response and recovery plan)
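An added example (not from the original post) of the alerting the list above calls for: a detection rule run over centralized login-audit lines that flags the credential-stuffing pattern described under item 2, one source failing logins against many different accounts within a short window. The log format and the sample lines are constructed for the illustration:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-audit lines in an assumed format; a real deployment would read these
# from the central log store the text recommends.
SAMPLE_LOG = """\
2018-10-31T10:00:01Z login result=FAILED user=alice src=203.0.113.5
2018-10-31T10:00:02Z login result=FAILED user=bob src=203.0.113.5
2018-10-31T10:00:03Z login result=FAILED user=carol src=203.0.113.5
2018-10-31T10:00:04Z login result=FAILED user=dave src=203.0.113.5
2018-10-31T10:00:05Z login result=SUCCESS user=erin src=203.0.113.5
2018-10-31T10:00:30Z login result=FAILED user=alice src=198.51.100.7
2018-10-31T10:05:00Z login result=SUCCESS user=alice src=198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) login result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_events(text: str):
    """Yield (timestamp, result, user, src) for every line that matches the audit format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["result"], m["user"], m["src"]

def detect_credential_stuffing(text: str, window=timedelta(minutes=5),
                               max_failures=3, min_distinct_users=3):
    """Sliding-window rule: one source address failing logins for many different accounts
    inside the window is the signature of credential stuffing. Returns one alert per source
    as (src, time_of_alert, failures_in_window, distinct_users)."""
    recent = defaultdict(list)             # src -> [(ts, user)] failures inside the window
    alerted, alerts = set(), []
    for ts, result, user, src in sorted(parse_events(text)):
        if result != "FAILED":
            continue
        bucket = [(t, u) for t, u in recent[src] if ts - t <= window] + [(ts, user)]
        recent[src] = bucket
        users = {u for _, u in bucket}
        if len(bucket) > max_failures and len(users) >= min_distinct_users and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts, len(bucket), len(users)))
    return alerts
```

A single user mistyping a password several times does not trip the rule, because the distinct-user threshold is not reached; that case belongs to the per-account lockout from item 2 instead.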

Cyber incidents are avoidable. Although there is no guarantee that you will never suffer a cyber incident, there are things you can do to seriously lower your risk. Ensure long-term business protection by securing your systems in advance. Attackers can be unpredictable and may strike when you least expect them to. Take the proactive approach and follow our advice on how to keep your company safe. Our Cyber Security Engineers and Data Security Experts are here to help you strengthen your systems to avoid unexpected cyberattacks and guarantee stability.
