In a recent survey conducted across multiple industries in the United States it was found that over 50% of organisations had at least one serious vulnerability every single day of the year (White Hat Security, 2015)!
Web applications have enabled organisations to build stronger relationships with their customers, suppliers and stakeholders however it has created another avenue for critical data to be exposed. A vulnerable web application can bring serious risk for your entire database of sensitive information – it can also turn your website into a launching site for further criminal activity such as hosting phishing or illegal content transfers.
To understand the complex nature of Web Application vulnerabilities we have summarised the top 10 risks to your web applications and the effects a breach can have to you and your customers.
1. Injection Flaws
When there are injection flaws an attacker can access back-end database information. All data, including sensitive client and partner information, could be stolen, modified or deleted. Injection can sometimes lead to complete host takeover.
2. Cross-Site Scripting (XSS)
An attacker can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user’s browser using malware, etc.
3. Broken Authentication & Session Management
Attackers are able to compromise passwords, keys, session tokens, or exploit other implementation flaws to impersonate users. This type of vulnerability may allow some or even all accounts to be attacked. Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted.
75% of cyber-attacks such as ransomware occur at web application level
4. Insecure Direct Object Reference
Applications don’t always verify if the user is authorised for the target object. Without an access control check or other protection, attackers can manipulate references to access unauthorised data.
5. Cross-Site Request Forgery
This type of vulnerability allows the attacker to force the victim’s browser to generate requests that appear to be legitimate requests from the victim. This type of attack could result in a transfer of funds, changing a password, or purchasing an item in the user's context.
6. Security Misconfiguration
Such flaws frequently give attackers unauthorised access to some system data or functionality. Occasionally, such flaws result in a complete system compromise. Your system could be completely compromised without you knowing it. All of your data could be stolen or modified slowly over time, leading to a costly recovery process.
7. Insecure Cryptographic Storage
This type of vulnerability may compromise all data that should have been encrypted. Typically this information includes sensitive data such as health records, credentials, personal data, credit cards, etc. Impacts include loss of trust, reputation and legal liability issues.
8. Failure to Restrict URL
Applications are not always protecting page requests properly. Sometimes URL protection is managed via configuration, and the system is misconfigured.
Occasionally developers may forget to include the proper code checks. Such vulnerabilities provide hackers the opportunity to forcefully browse and access pages past the login page.
9. Insufficient Transport Layer Protection
An attacker can expose an individual user’s data leading to account theft. If an admin account was compromised, the entire site could be exposed. Poor SSL setup can also facilitate phishing and MITM attacks.
10. Invalidated Redirects and Forwards
Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. This type of vulnerability can result in major exploitation of sensitive information leading to a strong distrust of your web applications by users.
Recent research shows that 75% of cyber-attacks such as ransomware occur at web application level, proving that ensuring web app security is crucial for business continuity and safety.
Trident Computer Services have developed the Web Application Security Test to ensure the web becomes a more secure environment for administrators and users. The test identifies security vulnerabilities and exploitable elements residing within web applications that could be used to affect the confidentiality, availability or integrity of information.
- Trackback Link
- Post has no trackbacks.