Top Network Web Application Vulnerabilities

The Top 10 OWASP security vulnerabilities and a ranked library of hundreds more.

Text

Never-ending Vulnerabilities

The digital age has opened the door for a seemingly endless number of cybersecurity vulnerabilities.    In order to keep track, Open Web Application Security Project® (OWASP),  provides a top 10 list of known and newly discovered vulnerabilities. Focused on software security, OWASP is an online community that provides documentation and other reference tools to help IT Professionals stay up-to-date on web security trends, It is well known for its OWASP Top 10 list, which features what are broadly agreed to be the most critical web application security risks.

The sheer volume of vulnerabilities makes an adaptable, layered cybersecurity solution more important than ever.  While some vulnerabilities are latent and low on the scale of exploitation, we do keep a list of active and highly exploitable vulnerabilities.

Broken Access Control

Access control is a security setting that grants permissions for users of a certain security level. Broken access control lets attackers impersonate or bypass user permissions and access high-level, sensitive information and data that’s above their permission setting. This leads to data corruption, loss, and modifications.

Cryptographic Failures and Sensitive Data Exposure

A sensitive data exposure happens when a company exposes its sensitive data unknowingly. This data exposure can lead to sensitive data being destroyed, tampered with, or illegally leaked. This type of exposure occurs when there is faulty database protection, access misconfigurations, and incorrectly used data systems. 

Sensitive data exposure can be:

  • Confidentiality breach, which is unauthorized disclosure of sensitive data.
  • Integrity breach, where sensitive data undergoes alteration.
  • Availability breach, when sensitive data is temporarily or permanently destroyed, unavailable, or inaccessible.

Injection Vulnerabilities and Cross Site Scripting

An injection vulnerability is a weakness in an application where an attacker can inject coding or partial code and compromises backend systems and clients connected to that application.

This attack can allow a cybercriminal to target and execute system calls on connected machines, compromise backend data storage, hijack user sessions, and/or imitate or force actions as other users. These attacks are not difficult to use against an application. Application scanning during development and after launch helps detect known and unknown flaws that can be corrupted.

Cross Site Scripting

Cross-Site scripting, also known as XSS, is a type of code injection attack, malicious scripting is injected into a trusted website. A web application sends this malicious code, typically as a browser side scripting, to an end user. The weaknesses this code creates a site-wide attack range, whenever this specific web application is being used as an input point for users on the website.

The end user doesn’t see the malicious XSS script, and their browser believes it’s coming from a trusted source, executes the script, and then that attack script can access cookies, session tokens, and other sensitive data that is being stored in that browser.

Insecure Design

Insecure Design represents a large variety of weaknesses.  Factors that make a design insecure are the lack of business risk profiling within the software and system being developed, which leads to weaknesses depending on the level of security required in the design.  Insecure Design is listed as “missing or ineffective control over design”.  Insecure design is different from Insecure Implementation because design flaws aren’t in the same category as implementation defects.  The base causes for each weakness requires a different remediation solution.  Secure design can still have implementation defects and insecure design isn’t fixed with perfect implementation.

Security Misconfiguration and XML External Entities

Security misconfigurations are when there are no security settings implemented or the ones that have been put in place have errors within the settings. Many security errors happen when a system admin doesn’t update, change, or enable a device or application security system.

Leaving security settings in the default position, not engaging them, or not reverting temporary configurations can leave easy vulnerability access. Other errors that can leave security settings wide-open are unpatched flaws, unused pages, unnecessary features, inadequate control access, disabled antivirus, vulnerable XML files, and poor hardware management.

XML External Entities

An XML External Entity attack occurs when an application uses an XML input that has a weak configured parser. An XML entity is a type of data storage system that can access remote and local data through a system identifier. This type of attack is part of the application processing the XML file, an attacker uses the application’s trust to maliciously redirect to other unprotected internal systems. A successful breach can expose confidential data, create a denial-of-service error, expose server-side forgery requests, and parser machine port scanning.

Vulnerable Outdated Components

Open-source applications can contain known vulnerabilities and organizations that utilize these components can have weaknesses they’re unaware of.  Cyberattackers search for these applications and APIs and create an easy target without creating a new, specific attack.  Staying up to date on the latest updates and patches along with the right cybersecurity can help eliminate these unknown threats.

Identification and Authentication Failures and Broken Authentication

Broken authentication attacks try to use an existing account to give the attacker high-level privileges to enter higher secure data areas. Authentication is broken when passwords, session token keys, account information, or user identities are compromised.

Poorly implemented session and authentication management are the top reasons this vulnerability is widely exploited. If the access controls have predictable login credentials, unprotected authentication credentials, exposed session IDs, no logout time outs, or login information that’s transmitted over unencrypted connections, then there’s a chance an attacker and use any of these credentials to bypass security and access sensitive data. 

Software and Data Integrity Failures and Insecure Deserialization

Considered one of the biggest critical security vulnerabilities, insecure deserialization bugs are one of the most dangerous and difficult to defend against.  Insecure deserialization is created by an attacker that manipulates a serialized object to cause unpredictable consequences within programming.  This code can be remotely executed and can grant cybercriminals a wide range of capabilities with that application.

There are multiple factors to prevent this type of attack, unique to the organizational security implemented.  There is no “one size fits all” in security, but, creating a layered offensive security bundle is the best way to ensure strong security against this attack.

Security Monitoring and Logging Failures and Insufficient Logging and Monitoring

Security admins use logging and monitoring to help detect potential threats through analyzing patterns and finding abnormal ones. This is the basis for all cybersecurity. However, with insufficient logging and monitoring, an organization is left wide open to an attack. Attacks that can circumvent insufficient logging and monitoring rank incredibly high when it comes to the considerable damage that can be caused. Almost every major security incident that occurs from an exploitation like this is major. Without sufficient logging and monitoring, the attack surface area is wide-open leaving multiple targets vulnerable to maximum damage that’s nearly undetectable.

Server-Side Request Forgery (SSRF) NEW 2021

Server-Side Request Forgery (SSRF) happens when a web application fetches a remote resources and doesn’t validate the given URL.  Attackers can use this URL application to send a customized request that sends the request to an unexpected destination.  Firewall, VPN, and other types of network access cannot protect against this type of cyberattack.

Modern web applications have convenient features that direct end-users, which makes an SSRF attack much more commonplace.  The severity of an SSRF attack is incredibly high because of the complexity of cloud features and services.

Vulnerability Solutions

There’s no single quick fix for security vulnerabilities.  It may be necessary to have a suite of scanning and assessment solutions, depending on the application development cycle.

Fortra Vulnerability Management (Fortra VM) is a powerful yet flexible vulnerability management solution.  Designed with simplicity in mind, it balances speed and accuracy so your IT department can maximize their time prioritizing the biggest security threats. 

BeSTORM is a dynamic application security tool (DAST) that includes a Black Box Fuzzer, enabling it to attack your network and applications the same way a criminal would.  Black Box Fuzzing creates real-world scenarios before a product is launched, so weaknesses can be found in the developmental phase, and remediate before deployment.  

Web Application Security (WAS) scans web application data and transactions, keeping them secure.  Frontline WAS delivers unrivaled accuracy and has minimal resource usage.  Frontline WAS is easy to deploy and maintain, making it a favorite of security professionals.  The accurate scanning results and simplicity makes it one of the best web application scanning tools.

Web Application Penetration Test (WAPT) tests web applications that have been internally developed and third-party applications to identify and discover potential weaknesses.  Not just a software scan, Frontline WAPT uses a variety of automated tools to detect SQL insertion, improper character filtering, cross-site scripting, buffer overflows, and more.

Most Common High Risk Vulnerabilities:

  1. Microsoft Windows HTTP.sys Code Execution Vulnerability
  2. OpenSSH Trusted X11 Cookie Connection Policy Bypass Vulnerability
  3. OpenSSH Privilege Separation Monitor Weakness
  4. Mountable NFS Shares
  5. Apache APR apr_palloc Heap Overflow
  6. .NET Framework and Microsoft Silverlight Allows Code Execution (MS11-039)
  7. Combined Security Update(MS12-034)
  8. Internet Explorer 8 Allows Code Execution(KB2847140)
  9. Cisco SSH Malformed Packet DoS
  10. Insecure Library Loading Allows Code Execution (KB2269637)
  11. Vulnerabilities in Windows Kernel-Mode Drivers Allow Elevation of Privilege (MS12-047)
  12. Vulnerabilities in Elevation of Privilege Using Windows Service Isolation Bypass (982316)
  13. PHP Running Version Prior to 5.2.15
  14. Unauthorized Digital Certificates Allow Spoofing (KB2728973)
  15. VMware ESX Running Version Prior to 4.1
  16. OpenSSL Running Version Prior to 1.0.1i
  17. Oracle Java SE Multiple Vulnerabilities (October 2010 CPU)
  18. Oracle Java SE Multiple Vulnerabilities (June 2011 CPU)
  19. Multiple Vendor IPMI ‘cipher zero’ Authentication Bypass Vulnerability
  20. Vulnerabilities in MySQL Unsupported Version Detection
  21. Vulnerabilities in Server Service Allows Code Execution (MS08-067, Network)
  22. Vulnerabilities in Group Policy Allows Code Execution (MS15-011)
  23. Vulnerabilities in Apache Running Version Prior to 2.2.28
  24. Vulnerabilities in PHP CGI Query String Code Execution
  25. Vulnerabilities in SQL Injection
  26. Vulnerabilities in Cross Site Scripting
  27. Vulnerabilities in Custom Web Code
  28. Vulnerabilities in VMware ESXi 3.5