Top 5 Security Threats

How these 5 web security threats can endanger your entire system

How often do you encounter news of data or identity theft, hacked accounts or ransomware attacks? Quite frequently, right?

Data theft has emerged as one of the most damaging threats of the last decade. E-commerce websites, social media and instant messaging apps, and financial institutions store large amounts of personal and sensitive data, all of it at risk of theft by attackers. A breach can result in loss of reputation, services being unavailable for a period, and considerable financial loss.

This blog dives into the top 5 root causes, the vulnerabilities that attackers exploit to cause this harm.


(1) Injection

Injection is one of the oldest classes of security risk. Untrusted data supplied by an attacker is passed to an interpreter as part of a command or query, and because the interpreter cannot tell the data from the command, it can be tricked into executing unintended commands or returning data the caller was never authorised to see.

Example

Injecting HTML or script into a website through an input field or parameter that is reflected into the page without escaping, with the intent to alter the information displayed or damage the page structure. The same flaw applies to SQL queries, shell commands and any other interpreter that receives attacker-controlled text.

Preventive Methods

Avoid calling external interpreters (shells, system commands) wherever possible, and use language-level libraries that provide the same function instead. Where a query or command must carry user data, keep data and command strictly separated, for example with parameterised queries, and validate all input against a whitelist of permitted characters rather than trying to strip dangerous ones.
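The three preventive methods above side by side, as an added example that is not part of the original post: a string-concatenated SQL query next to its parameterised form, whitelist validation of usernames and hostnames, HTML escaping for the page-injection case, and an argument list (never a shell string) for a system command. The in-memory database, the character-set policies and the function names are constructed for this illustration.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed sample database (not from the original page): two users, one admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", 1), (2, "bob", 0)])
    return conn


def lookup_vulnerable(conn, name):
    """Data and command are mixed: attacker-supplied text becomes part of the SQL."""
    query = "SELECT id, name FROM users WHERE name = '" + name + "' ORDER BY id"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Parameterised query: the driver binds the value, so it is never parsed as SQL."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ? ORDER BY id", (name,)
    ).fetchall()


# Whitelist character sets (hypothetical policies chosen for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def validate_username(name):
    """Reject anything outside the permitted set instead of stripping bad characters."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name


def render_greeting(name):
    """HTML injection: escape untrusted data before it is placed inside markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def build_ping_command(host):
    """Shell injection: validate the argument and return an argv list for
    subprocess.run(), never a string for a shell. In list form `host` is one
    argument, so metacharacters such as ';' or '$(...)' have no meaning."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # every row comes back
    print("safe:      ", lookup_safe(db, payload))         # no user has that name
    print(render_greeting("<script>alert(1)</script>"))
    print(build_ping_command("example.com"))
```

The payload `x' OR '1'='1` returns every row from the concatenated query and nothing from the parameterised one; that difference is the whole point of separating data from commands.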


(2) Broken authentication

Broken authentication occurs when a poorly implemented or poorly managed authentication system lets an attacker take over user accounts and, through them, reach some or all of the application's resources.


Example

Authentication is broken when an attacker can obtain a user's account by compromising passwords, keys, session tokens or other account details, for example by guessing a weak or default password, by reusing credentials leaked from another site, or by replaying a session token that was never invalidated.

Preventive Methods

Implement password and session protection mechanisms such as:

  • Enforce a minimum password length and complexity, and check new passwords against lists of common or breached passwords.
  • Store user credentials securely on the server (salted, slow hashes, never plaintext) and on the end-point device.
  • Disallow guessable or default passwords, including for reset passwords.
  • Issue random, unguessable session tokens and invalidate them on logout and after a timeout.
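The credential-handling side of these methods in working form, as an added example that is not part of the original post: a password policy with a deny-list, salted PBKDF2-HMAC-SHA256 storage with a constant-time comparison, a login path that does the same work for unknown and known usernames, and session tokens that are invalidated on logout. The deny-list, iteration count, field layout and class names are assumptions for this illustration; a real deployment would use a breached-password corpus and tune the work factor for its hardware.

```python
import hashlib
import hmac
import os
import secrets

# Constructed deny-list of guessable passwords (assumption for this example).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "admin", "letmein"}
MIN_LENGTH = 12
# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware allows.
PBKDF2_ITERATIONS = 600_000


def check_password_policy(password):
    """Return (ok, reason). Length plus a deny-list catch more than character-class rules."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if password.lower() in COMMON_PASSWORDS:
        return False, "too common"
    return True, "ok"


def hash_password(password, salt=None):
    """Salted, slow hash. The record names the algorithm and work factor so both can be upgraded later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Record for a throwaway value, verified when the username is unknown, so the
# login path costs the same whether or not the account exists (no user enumeration by timing).
_DUMMY_RECORD = hash_password("no-such-user")


class SessionStore:
    """Random, unguessable session tokens that are invalidated on logout."""

    def __init__(self):
        self._sessions = {}

    def login(self, credentials, username, password):
        stored = credentials.get(username, _DUMMY_RECORD)
        ok = verify_password(stored, password)
        if username not in credentials or not ok:
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def user_for(self, token):
        return self._sessions.get(token)

    def logout(self, token):
        self._sessions.pop(token, None)


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}
    store = SessionStore()
    print(check_password_policy("password"))
    print("bad login:", store.login(users, "alice", "wrong"))
    token = store.login(users, "alice", "correct horse battery staple")
    print("session user:", store.user_for(token))
    store.logout(token)
    print("after logout:", store.user_for(token))
```

Two details matter more than they look: `hmac.compare_digest` keeps the comparison from leaking how many bytes matched, and the dummy record keeps a login for a non-existent user as slow as a real one, so an attacker cannot tell valid usernames from invalid ones by response time.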

(3) Sensitive data exposure

Sensitive data exposure takes place when the application does not adequately protect data in storage or in transit, shows it to users who should not see it, or leaks it through verbose error messages. The data involved varies: passwords, session tokens, credit and debit card numbers, personal health information and more may all be exposed.

Example

An application stores credit card numbers unencrypted, or shows full card numbers to users who are not authorised to see them.

In another scenario, the application discloses other PII such as phone numbers or national identification numbers, for example by echoing them back in an error message or stack trace.

Preventive Methods

Sensitive information should be encrypted in transit and at rest wherever possible, and protected by access controls at the very least. Do not collect or store sensitive information that is not required, and delete it as soon as it is no longer needed.
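The "do not store what you do not need" and "do not leak it through error messages" parts of this advice in working form, as an added example that is not part of the original post: a card record that keeps only a keyed one-way token and the last four digits, a display mask, a redaction filter for anything that is about to be logged or returned, and an error handler that gives the client a generic message with a correlation id while the redacted detail goes to the log. The key, the list of sensitive field names and the function names are assumptions for this illustration; in production the key would come from a secrets manager and encryption at rest would be handled by the database or a KMS.

```python
import hashlib
import hmac
import re
import uuid

# Constructed server-side key (assumption): load from a secrets manager in production.
TOKEN_KEY = b"example-key-load-from-secrets-manager"

# Fields that must never appear in logs, error messages or API responses (assumed policy).
SENSITIVE_FIELDS = {"password", "card_number", "cvv", "national_id", "session_token"}


def _digits(pan):
    return re.sub(r"\D", "", pan)


def store_card(pan):
    """Keep only what the business needs: a keyed, one-way token for matching
    repeat transactions and the last four digits for display. The full PAN
    is never returned and so never written anywhere."""
    digits = _digits(pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("invalid card number length")
    token = hmac.new(TOKEN_KEY, digits.encode("ascii"), hashlib.sha256).hexdigest()
    return {"card_token": token, "last4": digits[-4:]}


def mask_pan(pan):
    """Display form: every digit but the last four replaced, regardless of who is asking."""
    digits = _digits(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(record):
    """Strip sensitive fields from anything about to be logged or sent back."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in record.items()}


def handle_failure(exc, request_fields):
    """Split an error into what the client sees and what the log records.
    The client gets a generic message plus a correlation id; the log entry
    carries the exception type and the redacted request, never raw values."""
    ref = uuid.uuid4().hex[:12]
    client_response = {"error": "request could not be processed", "reference": ref}
    log_entry = {
        "reference": ref,
        "exception": type(exc).__name__,
        "request": redact(request_fields),
    }
    return client_response, log_entry


if __name__ == "__main__":
    # Constructed sample input; 4111 1111 1111 1111 is a well-known test number.
    print(store_card("4111 1111 1111 1111"))
    print(mask_pan("4111111111111111"))
    resp, log = handle_failure(KeyError("card_number"),
                               {"user": "bob", "card_number": "4111111111111111", "cvv": "123"})
    print("to client:", resp)
    print("to log:   ", log)
```

The CVV is deliberately absent from `store_card`: it is never needed after authorisation, so the safest storage for it is none at all.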

(4) Broken access control

Application access mechanisms are "broken" when access policies are missing or misconfigured, so that users gain unauthorised access to data, functionality or resources of the application. Broken access control can lead to unapproved data disclosure, modification or destruction of data, and entry into business workflows that were never meant to be reachable by that user.

Example

A non-administrative user can access an admin-only dashboard where they can perform administrative tasks such as onboarding a client, changing permissions granted to users, etc.

Preventive Methods
  • Access to resources and data should be strictly restricted based on the role of the user.
  • Deny access by default.
  • Every attempt to access the application must be validated for authorised access.
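The three methods above implemented together, as an added example that is not part of the original post: a role-to-permission table with deny-by-default lookup, a decorator that enforces the check on every call of an admin-only function such as onboarding a client or changing a user's role, and an object-level check for records addressed by an id taken from the request. The roles, permission names and functions are constructed for this illustration.

```python
from functools import wraps

# Constructed role-to-permission table for a hypothetical application.
ROLE_PERMISSIONS = {
    "admin": {"dashboard:view", "client:onboard", "user:set_permissions", "account:view_any"},
    "analyst": {"dashboard:view"},
    "customer": set(),
}


class AccessDenied(Exception):
    pass


class User:
    def __init__(self, name, role):
        self.name = name
        self.role = role


def is_allowed(user, permission):
    """Deny by default: no user, an unknown role or an unknown permission all fail closed."""
    if user is None:
        return False
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def requires(permission):
    """Enforce the check on every call, server side, instead of trusting that the UI hid the button."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if not is_allowed(user, permission):
                who = user.name if user is not None else "anonymous"
                raise AccessDenied(f"{who} may not {permission}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@requires("client:onboard")
def onboard_client(user, client_name):
    return f"{client_name} onboarded by {user.name}"


@requires("user:set_permissions")
def set_role(user, target, new_role):
    target.role = new_role
    return target.role


def view_account(user, accounts, account_id):
    """Object-level check: a role check alone is not enough when the record id
    comes from the request. Missing and forbidden records get the same answer,
    so an attacker walking through ids learns nothing about which ones exist."""
    account = accounts.get(account_id)
    if account is None:
        raise AccessDenied("not found or not permitted")
    owner_ok = user is not None and account["owner"] == user.name
    if not owner_ok and not is_allowed(user, "account:view_any"):
        raise AccessDenied("not found or not permitted")
    return account


if __name__ == "__main__":
    admin, bob = User("root", "admin"), User("bob", "customer")
    accounts = {"a1": {"owner": "bob", "balance": 10}, "a2": {"owner": "carol", "balance": 5}}
    print(onboard_client(admin, "Acme"))
    print(view_account(bob, accounts, "a1"))
    for call in (lambda: onboard_client(bob, "Acme"), lambda: view_account(bob, accounts, "a2")):
        try:
            call()
        except AccessDenied as e:
            print("denied:", e)
```

Note that the table is consulted on every call: an admin whose role is later downgraded with `set_role` loses the permission on the next request without any session having to be rebuilt.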

(5) Using components with known vulnerabilities

Components such as libraries, frameworks, services, remote servers and modules usually run with the same privileges as the application that uses them. If an attacker finds a component with a publicly known vulnerability in the system, they can exploit that vulnerability and compromise the application, and often the host it runs on.

Example

An outdated Apache web server, or any other unpatched component, may carry an arbitrary code execution vulnerability, which an attacker can exploit to run malicious code inside the application.

Preventive Methods

Deploy a vulnerability management process that inventories every component and its version, patches vulnerable components promptly, and removes unneeded software to reduce the attack surface of the application. Ensure that there is a robust plan for a regular review of the deployed
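The inventory-and-compare step of that process in working form, as an added example that is not part of the original post: a pinned dependency manifest is parsed, each pin is compared against an advisory feed of affected version ranges, and unpinned entries are reported separately because a floating range may resolve to a vulnerable version. The package names, advisory identifiers and version ranges are constructed for this illustration and do not refer to real software or real CVEs; a real scan would pull the feed from a vulnerability database.

```python
import re

# Constructed advisory feed for hypothetical packages; identifiers and ranges are
# made up for this example. "introduced" is inclusive, "fixed" is exclusive.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "package": "examplelib", "introduced": "2.0.0",
     "fixed": "2.4.1", "severity": "high"},
    {"id": "EXAMPLE-ADV-002", "package": "otherlib", "introduced": "0.0.0",
     "fixed": "1.0.3", "severity": "medium"},
    {"id": "EXAMPLE-ADV-003", "package": "examplelib", "introduced": "1.0.0",
     "fixed": "1.9.9", "severity": "low"},
]

# Constructed manifest in requirements.txt style.
MANIFEST = """\
# pinned dependencies (constructed sample)
examplelib==2.3.0
otherlib==1.0.3
thirdlib==0.9.0
unpinnedlib>=1.0
"""

# Only exact pins with purely numeric dotted versions are assessed here.
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(v):
    """Numeric dotted versions only; pre-release tags are out of scope for this example."""
    return tuple(int(part) for part in v.split("."))


def parse_manifest(text):
    """Return ({name: version}, [unpinned lines]). Unpinned entries cannot be
    assessed from the manifest alone and must be reported, not silently skipped."""
    pinned, unpinned = {}, []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = PIN_RE.match(stripped)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(stripped)
    return pinned, unpinned


def is_affected(version, advisory):
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_vulnerable(pinned, advisories):
    """One finding per (package, advisory) pair whose pinned version falls in the affected range."""
    findings = []
    for adv in advisories:
        version = pinned.get(adv["package"].lower())
        if version is not None and is_affected(version, adv):
            findings.append({
                "package": adv["package"], "version": version, "advisory": adv["id"],
                "severity": adv["severity"], "upgrade_to": adv["fixed"],
            })
    return findings


if __name__ == "__main__":
    pins, loose = parse_manifest(MANIFEST)
    for f in find_vulnerable(pins, ADVISORIES):
        print(f"{f['severity'].upper():7} {f['package']}=={f['version']} "
              f"({f['advisory']}) -> upgrade to {f['upgrade_to']}")
    for entry in loose:
        print(f"UNPINNED {entry}: cannot assess, pin an exact version")
```

The version comparison is tuple-based on purpose: `"1.10.0" > "1.9.0"` is false as strings but true as `(1, 10, 0) > (1, 9, 0)`, and a scanner that gets this wrong will both miss vulnerable pins and raise false alarms on fixed ones.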

Conclusion

The vulnerabilities described in this blog can pose a serious security risk that can impact the reputation and finances of your organization.

cyberSecurist Technologies provides comprehensive and cost-effective information and application security (infosec and appsec) assessment / assurance services to help you discover these vulnerabilities and adopt security best practices to prevent system compromise.

SO WHAT CAN WE DO FOR YOU?

For all your software product security and IT security compliance requirements

Contact us ☎