Tales From the Road: The Fortifying Abilities of an In-Depth Web Application Security Assessment

Tales From the Road: The Fortifying Abilities of an In-Depth Web Application Security Assessment

Internal app assessments, while helpful, won’t reveal all of the vulnerabilities weakening your security.

Web applications, or web apps, are a common and useful way for companies to interact with both employees and customers. Without adequate assessment, however, security risks thrive, leaving the door open for bad actors to manipulate the systems and cause serious issues at many levels of an organization.

In our recent client assessment of a communications company’s web application, we uncovered a surprising amount of vulnerabilities that were unexpected by both the client and our team. Heading into this project, we felt confident that this company, which serves customers in commercial and military environments, would prove to be up to par on its security systems. However, with our unique approach to a web application security audit, we were able to find more vulnerabilities than expected.

An Attacker’s Approach

Part of the reason we were confident this company’s web application assessment would reveal minimal vulnerabilities is that they informed us they perform regular internal assessments on their web application. Using automated security tools on a regular basis is a great way to keep up with your company’s security, but without the added intervention of human-led screening, vulnerabilities remain. That’s why when we approach a project such as this, we shift our mindset to that of an attacker. When looking for vulnerabilities from an internal perspective, it’s easy to overlook what can be major security gaps. When you recruit an outside entity such as DirectDefense, the fresh perspective and knowledge of how bad actors operate and think can open the door to vulnerabilities you may not even have imagined.

On that note, many organizations often underestimate the potential for bad actors to arise within their employee pool and customer base. We all want to work alongside and serve people who are trustworthy and honest, but there is no denying that attackers can manifest from disgruntled employees, spiteful customers, and even unwitting users.

When we think of “attackers,” our minds often go to so-called “hackers” who set out to infiltrate organizations for malicious purposes like phishing and exploitation. In reality, anyone can become an “attacker” if granted the right to unauthorized access; thus the need for high-level security assessments and security measures is ever-present.

Observed Strengths & Weaknesses

Throughout our web application security audit, we uncovered several security strengths that we would recommend to other companies and were happy to see our client using. We also discovered numerous weaknesses, however, that we were able to propose remediations for in order to fortify this client’s web app security.

Let’s take a bird’s-eye look at both categories:

Security Strengths

1. Zero Unauthenticated Issues: We found that authenticated access would be required for any attacker to exploit any of our found vulnerabilities. This is a fantastic roadblock to block attackers attempting to access the web app.
2. Multi-Factor Authentication: Multi-factor authentication (MFA), one of the most important security features,  was enabled for all users and required a secondary device for login access. On top of MFA, though, this client also enabled an ultra-secure time-sensitive key (TOTP), which strengthens MFA authentication.
3. Robust Session Handling: We found that this client had enabled short session timeouts to help prevent the compromising of confidential data. Replay attacks were also prevented through the invalidation of sessions at the time of logout.

Security Weaknesses

1. Unnecessary Data Exposure: This client’s API allowed for lower-privileged users to access data that should remain on the server and only be available to higher-privileged users.
2. Cross-Role Access Control Issues: Lower-privileged users were able to improperly gain authorizations through the API, allowing them to access privileged data and even escalate their user accounts.
3. Unvalidated Input Accepted: Some API operations were forgoing data validation and implicitly trusting user input, allowing for issues like cross-site scripting, excessive access to server logs, and server-side request forgery.

Expanding On Critical Vulnerabilities

While there were a slew of vulnerabilities to address, we found that the most prominent ones revolved around authentication within the API. Let’s take a more in-depth look at these:

Cross-Site Scripting

Cross-site scripting is a common and severe risk that is often overlooked, even by the most experienced developers. This issue allows attackers to write JavaScript on web pages and execute attacks, such as redirecting users to malicious websites and theft of session data. While JavaScript is a common web tool, vulnerabilities allow users to bypass security measures, leaving organizations open to the above-described attack variations.

This weakness is created when developers allow users to modify their UI, making it possible for users to write scripts on their pages while making relatively innocent cosmetic changes.

Server-Side Request Forgery (SSRF)

This vulnerability essentially allows attackers to direct API server requests to their own servers and access request data from the backend API. This vulnerability can allow bad actors to access account information and relay it to another network server, an action that can be extremely dangerous when performed by an attacker. A rare vulnerability to be sure, but one that creates an environment for exploitation.

Role Escalation

Certain backend API systems allow all levels of users to escalate their roles, leaving the door open for malicious activity from bad actors. This vulnerability can be further exploited when multiple versions of a web app are rolled out, allowing for multiple malicious activities.

Why A Web Application Security Assessment Can Protect Your Company

Throughout our assessment, we identified two of the most common web app vulnerabilities that we regularly see: the potential for misuse and the web apps being used as attack vectors. As an example, think of one of the most common attack vectors used today: confirmation emails. When a web app allows for the manipulation of these emails, attacks can easily replace benign information with malicious phishing emails. Passwords and account information, for example, can be accessed in this way, which is a major vulnerability at all levels.

By thoroughly examining an API, we are able to make proposals for updates and increased security measures that fortify existing security protocols and make it much more difficult for bad actors to gain improper access. In-depth, human-led assessments are the best way to uncover these vulnerabilities because, as we’ve learned through multiple assessments, automated security tools don’t always get the job done.

Contact Us Today!

Get a professional web application assessment that will leave no stone unturned. Contact us online or call 1 888 720 4633.

   By: Bethany Kozal   01.16.24