Published on March 14th, 2019 | by Sunit Nandi0
Unauthorized Access: The State of Web Application Security
Your company’s website may include applications that allow users to enter personal information or do interesting things with their account. If so, have you put enough thought into the security of these web apps? How embarrassing would it be if a hacker took advantage of a flaw in your website to steal all that data? In this piece, we’ll talk about some of the major flaws with web application security and how a web application firewall (WAF) is crucial to protecting your organization.
OWASP And Web Application Security
The Open Web Application Security Project (OWASP) is a group that tries to educate developers about the most common mistakes made when creating web applications. They are best known for their Top Ten List for web applications, which was most recently updated in 2017.
The vulnerabilities covered by the 2017 version of the Top Ten list are as follows:
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
One of the most significant features of the Top Ten list is that it doesn’t change much from revision to revision. The previous version was released in 2013 and in those four years, the only changes were merging two distinct vulnerabilities on the previous list into Broken Access Control, dropping Cross-Site Request Forgery and Unvalidated Redirects and Forwards, and adding vulnerabilities 4, 8, and 10.
The OWASP Top Ten list is well-known within the development community. This makes it even more surprising and distressing that the same issues are prevalent four years after the publication of the previous list (which was largely the same as the previous version published in 2010). Obviously, adoption of modern development practices and tools has done little to change the state of web application security.
In addition to the Top Ten List, OWASP has broadened their offerings to include Top Lists in a variety of different fields (mobile, Internet of Things, etc.). In 2015, they added an Automated Threat Handbook for Web Applications, which now describes the twenty most common threats that automated bots pose to web application security. Like with the Top Ten List, only minor changes have been made to this list between edits (primarily adding and renaming threats).
The State of Web Application Security
Theoretically, the publicity of the most common security vulnerabilities and the availability of automated security scanners should mean that most web applications are free of known vulnerabilities. Unfortunately, this isn’t the case. According to Veracode’s State of Software Security report, about 85% of applications have at least one vulnerability and 33-35% of apps have a critical security vulnerability.
Knowledge of previous vulnerabilities within the application has minimal impact, and applications scanned for the first time are only 0.2% more likely to have a vulnerability than applications scanned at least once before. OWASP Top Ten compliance was less than 30% for all applications, and, worse, this represents the third straight year of a decrease in OWASP pass rates.
Web application security flaws can have significant impacts on companies and their users. In September 2018, a vulnerability in Facebook’s “View As” feature was disclosed. This vulnerability allowed hackers to steal access tokens for 400,000 users, allowing them to see everything on their profile page (including contact information) just like a friend would be able to. For 29 million users, their names and contact information were accessed (with 14 million having additional data accessed). This breach, which was damaging to Facebook’s reputation and potentially expensive under new privacy laws like GDPR, was caused by a simple security misconfiguration flaw.
Protecting against web application attacks
The current state of web application security means that organizations cannot rely on their web applications to be free of vulnerabilities upon deployment. Many applications act as an interface between an untrusted user and a database holding sensitive data, and a single vulnerability can be enough to enable a data breach. With the advent of new, stricter privacy regulations like the EU’s General Data Privacy Regulation (GDPR) and the California Consumer Privacy Act (CCPA), a single SQL injection vulnerability that reveals a client’s personal data could leave an organization liable for significant fines.
A Web Application Firewall (WAF) is a must for any organization with a web presence that has access to sensitive data. The purpose of a WAF is to act as a gatekeeper between your web applications and the Internet, identifying and blocking any malicious traffic that may try to take advantage of vulnerable applications.
While most WAFs are capable of identifying common exploits against the vulnerabilities in the OWASP lists, these vulnerabilities are not the only risks associated with web applications. Hackers have developed many different methods of exploiting web applications and websites, and it is important to choose a WAF that is capable of identifying anomalies in web traffic, rather than just matching signatures of known vulnerabilities.
For example, hackers have been increasingly using legitimate web servers as hosts for phishing pages. After compromising a vulnerable server, they will create directories buried within the webserver to host phishing websites. In 2017, a Stanford University website was hacked and used to host credential-stealing phishing pages for months. A traditional WAF would probably not catch this attack, but deploying one with dynamic application profiling, which learns normal traffic patterns for a site and reports on anomalies, could save your organization from this type of threat.
Protecting your organization
The state of web application security is hardly looking good – applications with the same vulnerabilities are being created year after year. If your organization uses web applications to access sensitive data, protecting them against attack is a must. The smart move would be to choose a strong web application firewall capable of blocking both known and unknown attacks.