
Web App Security Threats
Web applications are an essential component of modern software,
accessible from any device with a browser.
Beyond accessibility, they’re easy to update,
cost-effective and capable of handling many users simultaneously.
Since web apps often store sensitive information like personal data,
financial details and intellectual property,
they are prime targets for cyberattacks.
Cybercriminals exploit vulnerabilities in web applications
that can lead to financial losses,
reputational damage and legal consequences for companies.
To counter these threats,
developers implement security controls for web applications.
Let’s learn more about them.
Web application security
Web application security involves protecting websites,
applications and APIs from cyberattacks.
This protection is achieved through a mix of processes,
technologies and strategies aimed at preventing different threats.
As web-based attacks grow more sophisticated,
securing sensitive data is a top priority for businesses and developers.
In this blog,
we explore seven critical web app security threats developers face today
and provide tips on how they can mitigate them.
The looming threats of web apps
Web applications face a range of security challenges.
Let’s dive into some of the most critical threats developers
must be prepared to handle.
1 – Injection attacks
Injection attacks occur when malicious code is inserted into
an application through various input points, such as forms,
query strings, or cookies. Once executed by the application,
this code can enable attackers to steal data,
alter application behavior, or gain unauthorized access.
There are four main types of injection attacks.
The first is SQL injection, where attackers insert malicious SQL code into input fields.
The application executes this code as part of a database query,
allowing attackers to manipulate data,
bypass authentication, or alter the database.
Another technique is OS command injection,
which tricks an application into running arbitrary operating system commands,
giving attackers deeper control over the system.
LDAP injection targets Lightweight Directory Access Protocol (LDAP) servers,
and attackers are able to inject malicious code into input fields,
modifying LDAP queries to gain unauthorized access
or manipulate directory information.
Lastly, NoSQL injection is similar to SQL injection,
but targets NoSQL databases by injecting harmful code into NoSQL queries.
In 2023,
the Cl0p ransomware gang exploited
a zero-day SQL injection vulnerability in the MOVEit Transfer
app (CVE-2023-34362).
This breach allowed unauthorized database access,
leading to the theft of sensitive data across multiple organizations.
The Cl0p gang used the stolen data for extortion,
threatening to publicly release it unless a ransom was paid.
Mitigation strategies include:
- Input validation, which involves carefully sanitizing and examining all user inputs to prevent harmful code from being injected.
- Use parameterized queries for database interactions, which separate data from SQL code, reducing the risk of SQL injection.
- Conduct routine security testing, including penetration tests and vulnerability assessments, to identify and fix injection vulnerabilities before attackers can exploit them.
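To make the first two mitigations concrete, here is an added Python example (not code from the original post) that puts a string-concatenated query next to its parameterized replacement and adds a shape check on the username before it reaches any query. The table, rows and the tautology probe string are constructed for the demonstration; the point is that the same input returns the whole table from the vulnerable lookup and nothing from the parameterized one.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, username):
    """The flaw: user input is spliced into the SQL text, so a quote in the
    input changes the structure of the query instead of being treated as data."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """The fix: the SQL is fixed and the value travels separately through a
    placeholder, so the driver can never parse it as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Assumed username policy for the input-validation layer: 3-32 word characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def is_valid_username(username):
    """Defense in depth: reject values of the wrong shape before any query runs."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"   # constructed tautology input, the textbook SQLi probe
    print(lookup_vulnerable(conn, probe))      # ['alice', 'bob']: the whole table leaks
    print(lookup_parameterized(conn, probe))   # []: matched literally as a username
    print(is_valid_username(probe))            # False: rejected before any query
```

Validation alone is not the fix: the regex stops this probe, but a field that legitimately needs quotes (a free-text comment, a surname like O'Brien) cannot be validated into safety, which is why the parameterized query is the primary control and validation the second layer.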
2 – Cross-site scripting (XSS)
Cross-Site Scripting (XSS) is a web app vulnerability
that allows attackers to inject malicious JavaScript
into web pages viewed by other users.
This can lead to the theft of cookies,
session tokens and other sensitive information.
XSS occurs when a vulnerable site includes untrusted
data without proper validation,
allowing the attacker’s script to execute on a user’s system.
XSS attacks come in several forms.
In reflected XSS, the malicious script is injected into a URL
and reflected back to the user in the response.
In stored XSS, the harmful script is saved on the server,
such as in a forum post or comment,
and is executed later when another user views the content.
DOM-based XSS runs entirely within the client’s browser,
without direct interaction with the server.
In 2015,
a significant XSS vulnerability was discovered in PayPal’s merchant
directory feature.
The flaw allowed attackers to inject malicious files capable
of executing attacks on registered users.
Mitigation strategies include:
- Always validate and sanitize user input to prevent malicious script injection.
- Properly encode output when displaying user-supplied data; this is crucial to avoid XSS vulnerabilities.
- Regular security testing, including vulnerability scanning and penetration testing, is essential to uncover potential XSS weaknesses.
3 – Broken authentication and session management
This category covers flaws in how applications authenticate users and manage their sessions.
The flaws in broken authentication allow cybercriminals
to bypass authentication, or hijack sessions.
Attackers use various approaches.
They can exploit weak password policies,
such as allowing simple passwords or not enforcing password complexity.
Failing to limit access based on roles
or using “deny by default” principles can also lead to authentication issues.
Another avenue is session management errors,
which often involve poor handling of session cookies,
inadequate timeouts and a lack of session regeneration.
Credential stuffing can also be used
by abusing stolen credentials to gain access.
In early 2023,
Norton LifeLock experienced a data breach due to credential stuffing attacks.
Cybercriminals gained unauthorized access to customer accounts,
exposing sensitive personal data such as names, addresses,
phone numbers and stored passwords in Norton’s Password Manager.
Mitigation strategies include:
- Enforce strong password requirements, including length, character types and expiration.
- Implement multi-factor authentication and strong password hashing algorithms.
- Manage sessions by protecting session cookies, using secure HTTP (HTTPS) and regularly regenerating session IDs.
4 – Insecure direct object references (IDOR)
IDOR vulnerabilities often arise from URL manipulation,
where a malicious actor alters a predictable identifier
to directly access something like a database record or file.
Without proper access control,
the attacker can manipulate this identifier to access unauthorized data
or perform restricted actions.
Although IDOR is considered a single type of vulnerability,
it can appear in different forms.
Horizontal privilege escalation happens when an attacker accesses data
or performs actions intended for other users at the same privilege level.
Vertical privilege escalation involves accessing data
or actions meant for users with higher privileges.
In 2019,
First American Financial Corp suffered a massive data leak
due to an IDOR vulnerability,
exposing nearly 885 million sensitive records related to mortgage transactions.
By simply altering digits in a URL,
anyone with a web browser could access these documents,
which included bank account numbers, Social Security numbers,
driver’s license images and other financial records.
This vulnerability was discovered through manual penetration testing.
Mitigation strategies include:
- Validate user input to prevent attackers from exploiting direct object references. Ensure input matches expected types, lengths and formats.
- Implement effective access controls and session management, like restricting access to resources and data to authorized users only. Reviewing OWASP’s cheat sheets on authorization and authentication can help guide best practices.
- Conduct thorough penetration testing, including manual testing and dynamic application security testing (DAST), to reveal potential IDOR vulnerabilities.
5 – Security misconfigurations
Security misconfigurations are among the most common vulnerabilities
and occur when security settings are not optimized or services
are deployed with insecure default options.
This can range from leaving default passwords
on a device to configuring a firewall incorrectly.
Attackers exploit these misconfigurations in various ways.
One common method is taking advantage of default credentials
since many devices come with preset usernames and passwords
that often are left unchanged.
Weak configurations are another target,
such as incorrect firewall settings,
outdated protocols and weak encryption, all of which are exploitable vulnerabilities.
Outdated software poses a significant risk as unpatched systems
are vulnerable to known threats.
Cloud misconfigurations,
such as improper settings in storage buckets or virtual machines,
can also expose data and resources to unauthorized access.
In 2021,
the Microsoft Power Apps data leak exposed sensitive information
due to misconfigured portal settings.
Power Apps,
a platform for building custom applications,
suffered from a critical error where settings meant
for authenticated users with specific permissions were set
to be publicly accessible without adequate security controls.
Mitigation strategies include:
- Regularly review security configurations across systems and applications, ensuring they align with best practices and compliance requirements.
- Establish and maintain a rigorous patch management process to keep all software and systems updated with the latest security patches.
- Implement systematic security testing with assessments designed to identify misconfigurations and other security weaknesses before they can be exploited.
6 – Cross-site request forgery (CSRF)
Cross-Site Request Forgery (CSRF) is a vulnerability
where users are tricked into performing
unintended actions on a web application.
When a user clicks a malicious link or submits a form,
the action is executed on their behalf,
leading to potential data loss or unauthorized access.
CSRF attacks are typically carried out by crafting malicious links
or scripts that, when clicked,
automatically send forged requests to a vulnerable application.
Attackers may also use double-submit cookie or DSC attacks
to bypass CSRF protections by exploiting how cookies are handled.
Social engineering techniques are often employed
to persuade users into interacting with harmful links or attachments.
In 2008,
a notable CSRF attack exploited vulnerabilities
in YouTube’s web application.
Attackers created malicious requests that,
when a logged-in user visited a crafted web page or clicked a link,
triggered unintended actions on their YouTube account,
such as adding videos to their favorites list without their consent.
Mitigation strategies include:
- Implement token-based protection, where a unique anti-CSRF token is generated for each session and validated on the server side with every request.
- The double-submit cookie technique can also be used, requiring a unique cookie value to be sent alongside form data, which the server checks against the stored cookie value.
- Comprehensive vulnerability scans should be conducted to evaluate both client-side and server-side defenses, ensuring that CSRF protections are effectively implemented and functioning.
7 – Insufficient logging and monitoring
Insufficient logging and monitoring refers
to inadequate practices for tracking and reviewing system events.
This can involve not logging critical activities
like failed login attempts or neglecting to monitor logs
and alerts for suspicious behavior.
Attackers exploit this gap in several ways.
By operating without triggering logs for key events,
malicious actors remain undetected for long periods.
They may also manipulate or delete logs to hide their tracks.
Exploiting systems with limited or no logging capabilities also
enables them to take advantage of blind spots where their actions go unrecorded.
The absence of real-time monitoring worsens these risks
by delaying the detection of ongoing threats,
leaving systems exposed.
A prominent example is the 2013
Target data breach,
where attackers infiltrated the network through a third-party portal
and installed malware on point-of-sale systems.
A major contributing factor to this breach was Target’s
inadequate logging and monitoring practices,
allowing attackers to steal millions of credit card numbers.
Mitigation strategies include:
- Ensure that all critical system activities are thoroughly logged, including authentication failures, access attempts, changes in system configurations, and error messages.
- Continuously monitor logs and system activities in real time to detect and respond to suspicious behavior and anomalies promptly.
- Develop and maintain a comprehensive incident response plan that outlines procedures for detecting, managing and mitigating security incidents. Ensure the plan includes roles and responsibilities, communication strategies and response protocols.
As you may have noticed,
the mitigation strategy that repeats the most across
the sections is security testing,
which luckily, we offer.
Our Continuous Hacking solution includes
penetration testing,
vulnerability management
and secure code review,
to name a few.
All are key steps in identifying and addressing various vulnerabilities
such as injection attacks, XSS, broken authentication, and more.
Consistent security testing,
which is performed with automated tools and manual techniques,
proactively discovers weaknesses in your web applications,
before attackers can exploit them.
Let Fluid Attacks work for you in the fight against these
and other security threats.
Contact us now.
*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Wendy Rodriguez. Read the original post at: https://fluidattacks.com/blog/web-application-security-threats/