An application vulnerability is a flaw or weakness in a system or network that could be exploited to cause damage, or allow an attacker to manipulate the application in some way.
The way that an application vulnerability is exploited depends on the nature of the vulnerability and the motives of the attacker. These vulnerabilities can exist because of unanticipated interactions of different software programs, system components, or basic flaws in an individual program. It’s important to know that vulnerabilities are present in virtually every service and application components - there is no way to identify and address them all, because of the complexity of modern application architecture.
However, you can significantly reduce your risk of a data breach or similar event by knowing some of the most common network vulnerabilities and finding ways to address them.
Broken Access Control
Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.
Access control or #authorization, is how a web application grants access to its contents and functions to users. These checks are performed after authentication and govern what ‘authorized’ users are allowed to do. A web application’s access control type is closely tied to the content and functions that the site provides and its user's roles with different abilities or privileges. .....more
Broken Authentication
Application functions related to #authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.
Authentication is the process of verifying that an individual, entity or website is who it claims to be. Authentication in the context of web applications is commonly performed by submitting a username or ID and one or more items that only a given user should know. If the application is vulnerable the attacker will be able to capture or bypass authentication methods that are used by a web application.
Cross-Site Scripting (XSS)
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. #XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Cross-site Scripting is a client-side code injection attack. The attack aims to execute malicious scripts in a web browser of the victim by including malicious code in a legitimate web page or web application. The actual attack occurs when the victim visits a web page or web application that executes the malicious code.
Cross site request forgery (CSRF)
CSRF forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests and not theft of data since the attacker has no way to see the response to the forged request. With a little help of sending a link via email or chat, an attacker may trick the users of a web application into executing actions of the attacker's choice.
If the victim is a normal user, a successful #CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
Injection
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Injection flaws allow attackers to relay malicious code through an application to another system. These attacks include calls to the operating system via system calls, the use of external programs via shell commands, as well as calls to backend databases via SQL (i.e., SQL injection). Scripts that are written in Perl, Python, and other languages can be injected into vulnerable applications. Any time an application uses an interpreter of any type there is a danger of introducing an #injection vulnerability. .....more
Insecure Deserialization
Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
Insufficient Logging & Monitoring
Insufficient #logging and #monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
Security Misconfiguration
#Security misconfiguration is the most commonly seen issue. Attackers with the help of automated scanners, will attempt to exploit unpatched flaws or access default accounts, unused pages, unprotected files and directories to gain knowledge of the system. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured #HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.
Sensitive Data Exposure
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
Unvalidated Redirects and Forwards
Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other #software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
XML External Entities (XXE)
Many older or poorly configured XML processors evaluate external entity references within #XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
XXE attack is a type of attack that happens against an application that parses the XML input. This attack occurs when the XML input containing a reference to an external entity is processed by a poorly configured XML parser. #XXE is one of the main attacks lead to Disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
Comments