Securing web applications from both generalized and targeted attacks remains more challenging today than ever before. The list in this document is not a new one; the OWASP group has revised its top 5 list each year and has regularly re-ranked the entries according to prevalence, but the methods employed and the attack vectors targeted are consistently the same.
The following is a brief summary explanation of the Top 5 most dangerous web vulnerabilities.
1. SQL Injection
SQL injection attacks attempt to use application code to access or corrupt database content. This is accomplished via a web request in which user input is incorrectly filtered for string-literal escape characters that can be embedded in your SQL statements (like " or *), or more generally is not strongly typed or sanitized, and is therefore unexpectedly interpreted and executed as SQL.
2. Cross-Site Scripting (XSS)
Often used in conjunction with phishing, social engineering, and other browser exploits, XSS attacks inject malicious HTML or client-side scripts into web pages viewed by other users, thereby bypassing the access controls that browsers use to make sure requests come from the same domain (the same-origin policy).
By these means, an attacker can gain elevated access to sensitive page content, session cookies, and a variety of other client-side objects through XSS attacks. Some XSS attacks can be traced to DOM-based or local cross-site scripting vulnerabilities within a page's own client-side script, often called non-persistent or reflected XSS vulnerabilities.
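As an added example (not from the original article), here is the output-encoding control that stops a reflected parameter from being parsed as markup. The two page fragments are constructed stand-ins for a search page: one places the value in element text, the other in a quoted attribute, and `html.escape(..., quote=True)` covers both contexts. `tag_count` is a small check helper of my own for confirming that a safe render of untrusted input adds no tags.

```python
import html
from string import Template

# Constructed page fragments: the reflected parameter lands in element text
# and in a quoted attribute value.
RESULTS_TMPL = Template("<p>Search results for: $q</p>")
INPUT_TMPL = Template('<input type="text" name="q" value="$q">')


def render_vulnerable(query):
    # Vulnerable: the parameter is inserted as-is, so any markup in it is
    # parsed by the browser and runs in the page's origin.
    return RESULTS_TMPL.substitute(q=query)


def encode_for_html(value):
    # Encode <, >, &, " and ' so the value is displayed, never interpreted.
    # quote=True is required for the attribute context.
    return html.escape(value, quote=True)


def render_safe(query):
    q = encode_for_html(query)
    return RESULTS_TMPL.substitute(q=q) + INPUT_TMPL.substitute(q=q)


def tag_count(rendered):
    # Check helper: number of tag openers in the output. The safe render must
    # contain exactly the tags the templates themselves provide.
    return rendered.count("<")


if __name__ == "__main__":
    # Constructed sample of a reflected parameter carrying a script element.
    sample = "<script>alert(document.cookie)</script>"
    print(render_vulnerable(sample))
    print(render_safe(sample))
```

Encoding at the point of output is what matters: the same value is stored unchanged, and the template decides how it is shown. Marking the session cookie HttpOnly limits what such a script could read if encoding is missed somewhere.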
3. Session Fixation
Session Fixation is an attack technique that forces a user's session ID to an explicit value. Depending on the functionality of the target website, a number of techniques can be utilized to "fix" the session ID value. These techniques range from cross-site scripting exploits to peppering the website with previously made HTTP requests. After a user's session ID has been fixed, the attacker waits for that user to log in. Once the user does so, the attacker uses the predefined session ID value to assume the same online identity.
Without active protection against Session Fixation, the attack can be mounted against any website that uses sessions to identify authenticated users. Session IDs are normally carried in cookies, but URLs and hidden form fields are used as well. Unfortunately, cookie-based sessions are the easiest to attack, and most of the currently identified attack methods are aimed at the fixation of cookies.
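The "active protection" the passage refers to is shown below as an added example (not code from the original article): an in-memory session store, constructed for the demonstration, that refuses to honour session IDs it did not issue and replaces the ID at login, so an ID fixed before authentication never becomes an authenticated one. `session_cookie` shows the cookie attributes that go with it; the cookie name `SESSIONID` is an assumption.

```python
import secrets


class SessionStore:
    """Constructed in-memory store standing in for a web framework's session backend."""

    def __init__(self):
        self._sessions = {}  # session id -> session data

    def new_session(self):
        # IDs come only from the server's CSPRNG, never from the request.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        # An ID the server never issued is rejected rather than created on demand;
        # accepting it is what lets an attacker pre-choose the value.
        return self._sessions.get(sid)

    def login(self, sid, username):
        # Regenerate at the privilege change: retire the pre-authentication ID
        # and bind the user to a fresh one the attacker could not have known.
        old = self._sessions.pop(sid, None)
        if old is None:
            raise ValueError("unknown session")
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {**old, "user": username}
        return new_sid

    def logout(self, sid):
        # Invalidate server-side, not just on the client.
        self._sessions.pop(sid, None)


def session_cookie(sid):
    # Assumed cookie name. Secure keeps it off plaintext links, HttpOnly keeps it
    # away from page scripts, SameSite limits cross-site submission.
    return f"SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    pre_auth = store.new_session()
    authed = store.login(pre_auth, "alice")
    print(pre_auth != authed, store.get(pre_auth), store.get(authed))
    print(session_cookie(authed))
```

With this store, a victim who logs in while carrying a planted ID gets a new one, and the planted ID stops resolving to anything.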
4. Information Leakage
Camouflage should be “standard issue” for web servers. The first task of a web attacker (a cyber criminal, internal or external) is to determine your operating system, web server, application server and database platforms.
The most successful attacks are often targeted attacks, so removing or obfuscating the signatures of your technology platforms — both obvious ones like the server name header or file extensions in HTTP, or the TCP/IP window size, as well as more subtle signatures, like cookie names, ETag formats, HTTP header order, or services running on IP/port combinations — is an important type of countermeasure in itself.
This can either dissuade intruders from attacking your website or web application altogether or force them to make incorrect assumptions that lead them to try the wrong types of attacks (for instance, a Linux/UNIX hack on a Windows system). In turn, this makes it easier for firewalls and IDS systems to better identify and block those attacks directly.
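As an added example (not from the original article), the script below audits a captured HTTP response for the obvious signatures the passage lists: platform-revealing headers and default framework cookie names. The response text is constructed for the demonstration; the header and cookie names in the two sets are well-known defaults, not something specific to any one deployment.

```python
# Headers whose values routinely name the server, language runtime or framework.
FINGERPRINT_HEADERS = {
    "server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator",
}

# Default session cookie names that identify the platform on their own.
DEFAULT_COOKIE_NAMES = {"PHPSESSID", "JSESSIONID", "ASP.NET_SessionId", "CFID", "CFTOKEN"}


def parse_response_headers(raw):
    # Minimal parser for the head of an HTTP/1.x response: status line, then
    # "Name: value" lines up to the blank line. Repeated headers are kept in order.
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def audit_headers(headers):
    # Return the (name, value) pairs that disclose the technology platform.
    findings = []
    for name, value in headers:
        if name.lower() in FINGERPRINT_HEADERS and value:
            findings.append((name, value))
        elif name.lower() == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            if cookie_name in DEFAULT_COOKIE_NAMES:
                findings.append(("Set-Cookie", cookie_name))
    return findings


def strip_fingerprints(headers):
    # Response headers with the platform-identifying ones removed; the fix for
    # the header half of the problem (cookie renaming is a framework setting).
    return [(n, v) for n, v in headers if n.lower() not in FINGERPRINT_HEADERS]


# Constructed sample response with several disclosures.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=example; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    hdrs = parse_response_headers(SAMPLE_RESPONSE)
    for finding in audit_headers(hdrs):
        print("disclosure:", finding)
    print(strip_fingerprints(hdrs))
```

Run against your own responses, this catches the easy signatures; the subtler ones the passage mentions (header order, ETag format, TCP window size) need a comparison against a baseline rather than a fixed list.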
5. Remote File Inclusion (RFI)
Remote File Inclusion (RFI) is an attack technique used to exploit "dynamic file include" mechanisms in web applications. When a web application takes user input (a URL, a parameter value, etc.) and passes it into a file include command, the application might be tricked into including remote files containing malicious code.
Almost all web application frameworks support file inclusion. File inclusion is mainly used for packaging common code into separate files that are later referenced by main application modules. When a web application references an include file, the code in this file may be executed implicitly or explicitly by calling specific procedures. If the choice of module to load is based on elements from the HTTP request, the web application might be vulnerable to RFI.
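The example below is added here and is not code from the original article. It shows the safe way to let a request choose which module to load, the situation the passage describes: the parameter is mapped through an allowlist of module names, and the resulting path is verified to sit inside the include directory before anything is loaded. The allowlist, the `.inc` extension and the `make_demo_dir` fixture are assumptions made for the demonstration.

```python
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumed allowlist: the only modules a request is permitted to select.
ALLOWED_MODULES = {"header", "footer", "sidebar"}


def resolve_include(requested, base_dir):
    """Map a request parameter to a file inside base_dir, or raise ValueError."""
    # Anything with a scheme (http://, ftp://, stream wrappers) is a remote include.
    if urlparse(requested).scheme:
        raise ValueError("remote include rejected")
    # The parameter selects from a fixed set; it never names a path directly,
    # so traversal sequences and absolute paths are rejected here too.
    if requested not in ALLOWED_MODULES:
        raise ValueError("unknown module")
    base = Path(base_dir).resolve()
    target = (base / f"{requested}.inc").resolve()
    # Defence in depth: the final path must still be a direct child of base_dir.
    if target.parent != base:
        raise ValueError("include escapes base directory")
    if not target.is_file():
        raise ValueError("module file missing")
    return target


def is_rejected(requested, base_dir):
    # Check helper: True when the resolver refuses the parameter.
    try:
        resolve_include(requested, base_dir)
    except ValueError:
        return True
    return False


def make_demo_dir():
    # Constructed fixture: a temporary include directory with one file per module.
    d = Path(tempfile.mkdtemp())
    for name in ALLOWED_MODULES:
        (d / f"{name}.inc").write_text(f"<!-- {name} -->\n")
    return d


if __name__ == "__main__":
    base = make_demo_dir()
    print(resolve_include("header", base).read_text())
    for bad in ("http://example.invalid/x.txt", "../etc/passwd", "php://input", "header.inc"):
        print(bad, "rejected:", is_rejected(bad, base))
```

The allowlist is the real control; the scheme and path checks behind it are there so a later change to how modules are named cannot quietly reopen the hole.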
There are many other web application vulnerabilities, but these top 5 can give you an idea of what security measures you can put in place to better protect your environment. A 24×7 security monitoring solution, like Security On-Demand's ThreatWatch service, can help you determine whether a vulnerability is being exploited and then alert you with the known information. Security On-Demand is uniquely equipped to detect threats quickly and catches twice as many alerts as our competitors using our ThreatWatch Advanced Detection and Analytics.
About Security On-Demand
Security On-Demand (SOD) provides full-spectrum threat management and advanced cyber threat detection and analytics services for hundreds of businesses and government agencies globally. SOD’s patented, behavioral-analytics ThreatWatch technology enables the detection of advanced threats to protect brand value and reduce the risk and mitigate the impact of a data breach. SOD is headquartered in San Diego, CA with international R&D offices and a Security Operation Center in Warsaw, Poland.