Web Applications are everywhere, and are in most cases a core component for companies. They are used for various reasons and very often capture, handle, store and transmit sensitive data (confidential business information, employee information, customer personal data, financial information, etc.).
It is a fact: your web applications are one of the easiest ways for cyber criminals to get access to your sensitive information and break into your organization. This was confirmed by numerous researches including the Verizon Data Breach Investigation Report (DBIR) 2016 that established Web Application Attacks as the #1 Source of Data Breaches!
This article covers various points and reasons why your web applications are such a great target for hackers, and why extra care is required.
An Easy Target
Your web applications and websites are in the majority exposed to the Internet allowing any users to reach them with an internet connection and a simple web browser. The wide exposure of web applications not only allows targeted attacks, but also malicious bots and other scanners to check if your application is affected by a specific vulnerability.
One other thing to consider is that the exposure to the world-wide web can make a vulnerable application a golden door to your entire internal network. Cybercriminals can use specific flaws to compromise the web server hosting of the application, and use it as a pivot point to attack other assets within your DMZ and Internal networks.
Homegrown Web Applications
A good portion of web applications have been developed in-house. While this is not a problem by itself, not all web application developers have secure software programming foundations allowing flaws and vulnerabilities to be introduced by design. It is even more tragic as the majority of web-borne vulnerabilities exist since the beginning of the Internet and are actually quite easy to avoid if taken into account at the beginning of the development phase.
Web developers’ secure software programing skills are not the only issue. When creating an application, many companies are adopting rapid development strategies which place the security of the application and the data its serves in the back seat.
To understand the type and the frequency of web vulnerabilities, let’s look at some statistics on the more than 200 web application penetration tests engagement performed by wizlynx group in 2016 :
- 66% of tested web application have critical flaws related to authentication or authorization creating flaws such as Privilege Escalations [CWE-269] and missing authentication for critical functions [CWE-306]
- 50% of tested web applications have Cross-Site Scripting (XSS) vulnerabilities (CWE-79]
- 33% of tested web applications with file upload functionalities can allow an attacker to upload or transfer files of dangerous types that could lead to remote code execution (RCE) [CWE-434]
- 20% of tested web applications have SQL injection vulnerabilities [CWE-89]
Therefore, it is extremely important for web application developers to be more familiar with the type of attacks that affect web apps, and how to avoid introducing them while developing the app.
Outdated CMS and Plugins
Another well-known problem is related to content management system (CMS) such as Drupal, WordPress, Joomla! and others, but also all 3rd party plugins and extensions. Many companies do not upgrade their CMS and plugins often enough, and this leads to defacement attacks, data breaches, or full compromise of the web server.
In 2016, 19 vulnerabilities were reported for Drupal (and it does not include 3rd party plugins). It’s not better for WordPress with already 16 vulnerabilities reported since January 2017 – That is one vulnerability reported every 6 days! This should give you an idea on how often your CMS alone should be patched or upgraded.
Absence & Blinded Detection and Prevention Security Controls
It is more and more common to find web applications reachable via HTTPS to increase user’s privacy when surfing the web. The encryption of web traffic with SSL/TLS comes with another challenge. Since the traffic is encrypted, traditional protection mechanisms such as Intrusion Detection System (IDS) or Firewalls are blind to web attacks.
Another alarming fact is the absence of protection measures tailored for web applications (e.g. Web Application Firewalls (WAF)). Since web applications are the number one source of data breaches, additional care must be taken to ensure they are properly protected and attacks can be detected and responded to in a short time.
Google has launched two factor authentications (2FA) to protect its online services in 2011! 6 years later, most companies still do not have 2FA implemented for web applications hosting sensitive data and exposed to internet.
On more than 200 web applications tested in 2016 by wizlynx group, only 2% had a two-factor authentication enabled – Yes, only 4 web applications!
Two-factor authentication is extremely important because it may highly reduce the chances of your web application being compromised due to the theft of one of your user’s credentials which happens more often than you may think.
According to Verizon 2017 Data Breach Investigations Report, 81% of hacking-related breaches leveraged either stolen and/or weak passwords. This shows how important 2FA is not only for web apps but also for all information assets protected by an authentication mechanism.
A False Sense of Security
More and more companies are running periodic vulnerability scanners against their websites and web applications for compliance & security reasons and it is a great thing, but is it enough?
Many web application vulnerability scanners are not very reliable and have either a lot of false-positives, or worse, false negatives. This means the scanner may not discover all vulnerabilities affecting the web application. There is nothing worse than believing your application is secure when it isn’t and that is why other test that involves manual testing by humans (such as penetration testing and secure code review) should be conducted on a regular basis.
Recommendations from our Penetration Testers & Secure Software Programmers
You may have been lucky thus far not to suffer a data breach via one of your web application or believe your web apps are well protected.
As the above illustrative picture shows, we may implement many types of security measures to protect our web apps, but one vulnerability or succession of weaknesses may be enough for a hacker to compromise an app.
As such, we strongly advise you to read and follow the recommendations in our previous article covering 5 steps to effectively secure your corporate web applications.
The recent massive data breach at credit reporting company Equifax allowing cybercriminals to access sensitive information, such as Social Security numbers and addresses, of up to 143 million Americans via a undisclosed vulnerability in a U.S. website application vulnerability (source) should serve as a reminder: no web applications are safe if not regularly maintained, updated and checked for vulnerabilities.
wizlynx group has long-lasting experience in developing, protecting and penetration testing web applications. Contact us if you seek advice to increase the security posture of your web apps!