Bug or feature? Hidden vulnerabilities in web applications discovered

Web Application Vulnerabilities

 

Web application security consists of many security controls that ensure that a web application:

  1. Functions as expected.
  2. Cannot be exploited to operate outside its borders.
  3. Cannot start operations that are not allowed to be performed.

Web applications have become ubiquitous following the expansion of Web 2.0, with social media platforms, e-commerce websites, and email clients saturated the Internet space in recent years.

As the applications consume and store even more sensitive and extensive data, they become an increasingly attractive target for attackers.

General attack methods

The three most common vulnerabilities in this area are injections (SQL, remote code), cryptographic flaws (formerly sensitive data exposure), and broken access control (BAC). Today we will focus on injections and broken access control.

Injections

SQL is the most widely used database software and hosts a plethora of payment data, PII data and internal company documents.

An SQL injection is an attack that uses malicious SQL code to manipulate the backend database to access information that was not intended to be displayed.

The starting point for this is a command like below:

Vulnerabilities in web applications

This returns ALL rows from the “Users” table, because OR 1=1 is always TRUE. Continuing with this, this method will also return passwords if there are any.

Imagine an attack like this being carried out against a major social media company or a major e-commerce company, and you can start to see how much sensitive data can be retrieved with just one command.

Broken access control

Broken Access Control (BAC) has risen from fifth place in the OWASP top ten to become the most common security risk for web applications. The 34 Common Weakness Enumerations (CWEs) assigned to Broken Access Control appeared more frequently in applications than any other category during OWASP’s recent testing.

The most common types of BAC are vertical and horizontal privilege escalation. Vertical escalation of privilege occurs when a user can elevate their privileges and performing actions, which they should not have access to.

The CVE-2019-0211, an Apache Local Privilege escalation. This critical vulnerability from 2019 affected Apache HTTP servers running on Unix systems, especially those using the mod_prefork, mod_worker, and mod_event libraries.

This gave attackers the ability to run scripts without privileges, potentially leading to root access and compromising shared hosting services. Exploiting this flaw requires manipulation of shared memory areas within Apache worker processes, which must be done before initiating a smooth restart of Apache.

Below is a screenshot of the POC code. As you can see, a certain level of technical skill is required in this regard, but vertical escalation of privilege can just as easily occur when a user’s permissions are too permissive, or are not revoked when they leave a company.

Vulnerabilities in web applications

This brings us back to the principle of least privilege, a ubiquitous term found throughout the IT world that is now becoming increasingly common as we realize how critical web applications have become.

Horizontal privilege escalation gives a user access to data they should not have access to, but that data is kept at the same level as their own permissions. This can be seen when one standard user has access to the data of another standard user. Although this should not be allowed, privileges do not rise vertically, but spread horizontally. This is sometimes seen as more dangerous as it can happen without generating alerts on security systems.

With BAC becoming more prominent in recent years, it is important to remember the following:

  • Relying solely on blackout is not sufficient for access control.
  • If a resource is not intended to be accessible to the public, it should be denied access by default.
  • Developers must explicitly specify the allowed access for each resource at the code level, with access denial being the default.

Best Practices – Reading between the lines (of code!)

To maintain security, developers must authenticate incoming data, implement parameterized queries when interacting with databases, and employ effective session management methods to protect sensitive data. Much of this depends on the security of web browsers, but also on the back-end security of the web servers that serve web content, leading to a separation of duties in web security.

The biggest problem here is that while Web Application Firewalls (WAFs) can mitigate these risks, much of the responsibility for the secure implementation of Web content falls to the developers who put these sites together. Cybersecurity can often become an afterthought, with functionality taking precedence.

Practical example – Input validation

Input validation is the simplest and most effective way to implement secure encryption, in this example to prevent SQL injections.

    1. User input: The user provides input, for example:
Vulnerabilities in web applications
  1. Cleanup: The user input is not inserted directly into the SQL query. It is cleaned and treated as data, not SQL code.
  2. Query execution: The SQL query is executed with the user input as parameter:
  3. As such, the query enters the backend as below:
Vulnerabilities in web applications

In this code, the (user_input,) is a tuple containing the user’s input. The database driver takes care of escaping and properly handling these inputs. It ensures that the input is treated as a data value and not as executable SQL code.

If the user input contains malicious code, such as ‘105 or 1=1’, it will not be executed as SQL. Instead, it is treated as a value to be compared against the UserId in the database.

The database driver automatically handles input escaping, preventing it from affecting the structure of the SQL query or introducing security vulnerabilities.

Web Application Firewalls (WAFs)

A WAF operates at layer 7 of the OSI model and acts as a reverse proxy, allowing client traffic to pass through the WAF before entering the backend server. The rules or policies on the WAF protect against the documented vulnerabilities present in these backend servers and filter out malicious traffic.

There are a plethora of WAFs on the market, and all of them can provide strong defense against the more novel attacks, and contribute well to a defense-in-depth approach. The practice of secure coding is something that ensures that the foundation of the web application is safe and secure and will not fall victim to more complex or newer attacks in the future.

WAFs are currently evolving into a combination of security models that use behavioral analytics technologies to detect malicious threats and further mitigate threats from more sophisticated ‘bots’ deployed for low-effort attacks on websites.

The main disadvantage of using a WAF, aside from the additional latency and HTTP overhead, is the fact that a WAF can be bypassed by using a 0-day exploit against a web application, making secure encryption and proper sanitization more effective countered. offsetting all web application security to a WAF. It’s important to remember that a WAF is just a layer of security and not the entire solution.

Incident response and recovery

Security headquarters suggestions to limit attacks:

  1. Deploying a WAF as the first line of defense is critical to ensuring businesses can defend against a wide range of attacks.
  2. Ensure that up-to-date and strong standard algorithms and protocols are used, this should be accompanied by good key management.
  3. Encrypt data in transit with secure protocols such as TLS with forward secrecy (FS) ciphers and server-side cipher prioritization. Enforce encryption using guidelines such as HTTP Strict Transport Security (HSTS).
  4. Enable bot management strategies on websites and have a documented incident response plan.
  5. Ensure safe development practices are in place, with a documented process for testing new features on web applications and ensure input validation is implemented.
  • This must be accompanied by safeguarding the principle of least privilege.
  • Test for vulnerabilities regularly, with Vulnerability managementAnd Managed defense with IBM tooling and keep track of component versions.
  • Use a red application test to expose vulnerabilities that scanners cannot find.
  • Ensure that developers are trained regularly to stay abreast of the latest security trends and emerging threats.

For more information about these threats, please contact a expert here. Or if you suspect a security incident, you can do that too report an incident here.

Note: This article was expertly written by Tim Chambers, Senior Cyber ​​Security Manager at SecurityHQ

 

#Bug #feature #Hidden #vulnerabilities #web #applications #discovered

Total
0
Shares
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
Previous Post
Crypto Hardware Wallet

Crypto Hardware Wallet Ledger’s supply chain breach results in theft of $600,000

Next Post
pfSense Firewall Software

New security vulnerabilities discovered in pfSense Firewall software

Related Posts