Tales from the Road: Think Your Web Application is Attacker-Proof? Think again.

How We Put One Client’s Web App Security to the Ultimate Test

Did you know that a web application is a #1 target for the exploitation of vulnerabilities? Check out these alarming stats:

  • Researchers found around 70 types of weaknesses in web applications. (Source: PT Security)
  • 46% of web applications have critical vulnerabilities. (Acunetix’s report “Web Application Vulnerability 2019”)
  • Four out of five web applications contained configuration errors such as default settings, standard passwords, error reporting, full path disclosure, and other information leaks that might have value for potential intruders. (Source: PT Security)
  • 30% of web applications are vulnerable to XSS. (Acunetix’s report “Web Application Vulnerability 2019”)

These web app vulnerabilities allow cybercriminals to steal the user’s data, or even modify the applications to send sensitive data to any recipient, as we discovered first-hand when we put one client’s web app security to the test.

Spoiler alert! This Client’s Web App Security Left a Lot to be Desired

The overall threat exposure for our client’s web application assessment was ranked at a “severe” level of risk based on failing 7 out of the 10 security risks on the OWASP 2017 Top Ten.

This risk level is not all that shocking when you take into account these grim stats from a 2019 study of 38 fully-functioning web applications: Attackers can compromise user information in 9 out of 10 web applications; unauthorized access to applications is possible on 39 percent of sites; and breaches of sensitive data are a threat in 68 percent of web applications.
We’ve turned the lessons learned by testing our client’s web app security into some valuable tips you can use to help keep your users’ personal data safe from hackers.

Identifying Vulnerabilities to Help Our Client Increase Their Web App Security

The client we worked with is a luxury rental operator that utilizes a web application to allow individuals to sign up for outdoor recreation rentals through a local operator. The client enlisted our services to perform a comprehensive web application security assessment/penetration test of this web application. With members across the country and significant data being shared to enable the process, it was important to verify their web app security.

Our team rolled up their sleeves to simulate an attacker attempting to gain, or elevate, access to the application and its sensitive data by conducting a series of security tests against the web application. We found numerous threats, including two that are the most common security vulnerabilities in web applications.

Threat #1: SQL Injection Flaws

SQL injection is one of the worst and most impactful threats, and we were able to find it. In our testing, we uncovered multiple SQL injection flaws which could compromise the users and the application, allowing an attacker complete access to the sensitive information within the database – and with enough time, the potential to backdoor the server.

How did we find it? Using a member account from within the application, our team dumped out all the data from the entire user database and obtained all user credit card information. Virtually any user logging into the application would be able to gain access to a multitude of sensitive data, including, but not limited to, usernames and password hashes, appointments, email addresses, phone numbers, and credit card information.

How to Avoid an SQL Injection: Failing to properly handle user-supplied input prior to passing information to the database exposes the database to a malicious user via SQL queries. We recommend a complete review of all application modules that interact directly with the back-end database and implementation of properly prepared statements for database queries. In addition, companies should consider adopting a coding standard that includes specified functions for the creation of safe SQL queries, whether that be ORM functions, parameterized queries, or stored procedures.

Threat #2: Authorization Bypass

We also discovered that the web application exhibited multiple authentication issues that could compromise user accounts, as well as potentially sensitive data. For starters, the application didn’t require authentication to allow access to sensitive functions, giving an attacker free reign to make changes to the application data and its state without credentials.

Additionally, the application didn’t perform proper authorization checks on HTTP requests to ensure that users of a specific role are validated to perform certain requests. With role authentication left unchecked, an attacker would have the authority to make changes to the application without needing higher level privileges.

How to Avoid an Authorization Bypass: Deficiencies in authentication could be a result of improper server configuration or a failure to enforce authentication prior to resource access. Insufficient authentication is identified most prevalently in supporting web services, upload or download content, and obscure/hidden resources located in an accessible directory. The majority of issues stem from the often-misused principle of “security through obscurity.” Note: Merely hiding or not exposing a resource via a link will not adequately protect the intended resource.

To ensure all sensitive resources and functions are properly protected, we recommend that the following authentication and session management controls be implemented on each request:

  • Unique user names for all users
  • Password complexity enforced with, at minimum, the following rule sets:
    • At least 1 uppercase character
    • At least 1 lowercase character
    • At least 1 digit
    • At least 1 special character
    • At least 8 characters long (12 or higher is preferred)
  • A ban on common password variants and dictionary words
  • Changes to passwords every 90 days
  • Implementation and enforcement of account timeout and lockout rules
  • A requirement of re-authentication for sensitive functions (user profile modification, purchases, password changes, etc.)
  • Credentials should only be transmitted over secure channels
  • Credentials should be stored encrypted and passwords should use one-way hashing

A Security Breach is Much More Costly than Fixing Your Web Application Security

Many times, a company inherits a web application with security issues through mergers or acquisitions; in this case, the app wasn’t coded right to begin with. This scenario is a perfect example of why it’s so important to do your due-diligence before a merger with or acquisition of a company and its web assets. It’s not uncommon for a company to know about issues with their web app security but delay addressing those issues due to a lack of time, resources or budget.

We understand those challenges, but the biggest takeaway is that it is much less costly to take the steps to ensure that your web app is secure than to suffer the monetary and reputational damage that a security breach will surely bring. And companies can no longer continue to leave vulnerabilities un-checked, because it’s not a matter of if, but when, you will be breached.

Don’t let your web applications threaten the security posture of your reputable organization. Contact DirectDefense today, and let our expert team put your web applications to the test.