Investigating the Top 10 Application Vulnerabilities

By: Anthony Bettini, CTO, WhiteHat Security

More often than not, vulnerabilities can be traced back to the development process, where developers are moving faster against shorter deadlines. With the stress development teams are under, it is no wonder that it translates into coding errors in deployed code. Because of this, it is extremely important to use application security tools and to patch vulnerabilities as soon as they are found.

As long as applications continue to drive revenue and success for businesses, they will remain a top target for digital attackers. Data leaks and breaches can do irreparable damage to a brand’s reputation and hurt the privacy of customers. When software teams take the time to build their applications securely, code vulnerabilities and data leaks are ultimately prevented.

The damage data breaches can cause companies has saturated the headlines throughout the past year. However, there are valuable lessons we can learn from them. Perhaps the most important lesson is that all personal information should be treated with the highest level of care. Unfortunately, once information has leaked, there is no way to take it back.

The WhiteHat Threat Research Center looked at the top vulnerabilities of 2019 that were caused by application-based attacks, coding bugs and errors. We then looked at the steps organizations can take to protect their applications and code in 2020 and beyond.

Here were some of the highlights:

Cross-site Leaks

Cross-site leaks are not new, but they are gaining momentum as HTTP caching is attacked from all fronts. Unfortunately, most of the Internet is still prone to these attacks despite the decent preventions that exist against them.

Google Search XSS

Most security researchers dream of finding a vulnerability on Google. The Google Search XSS vulnerability represents years of knowledge, persistence and collaboration to find a vulnerability that was at least partially well known and had already been executed. This vulnerability shows the importance of performing continuous testing on items that people feel are already secure.

Web Caching en Masse

Despite being discovered in 2017, this vulnerability appeared again thanks to a white paper by Sajjad Arshad titled, “Cached and Confused: Web Cache Deception in the Wild.” The study found that just having cache headers is not a solid indicator of whether or not something was cached.

Cache Poisoned Denial of Service

Cache poisoning made its presence felt again, this time in denial of service (DoS) form. Researchers found three ways to target content delivery networks with cache poisoning that lead to distributed denial of service (DDoS):

  1. HTTP Header Oversize (HHO)
  2. HTTP Meta Character (HMC)
  3. HTTP Method Override (HMO)

The attack was fairly grand in scale and merited responses from Akamai, Microsoft and Amazon Web Services, to name a few.

Ensuring that caching is secure can be difficult for companies. Origins that did not return the correct error codes seemed to help the researchers a lot. Sending a Cache-Control: no-store header on those responses could also have helped.
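The following is an added example, not code from the article or from the researchers it cites: a minimal model of the cacheability decision a CDN makes, with a permissive policy beside a corrected one that keeps the provoked error responses out of the shared cache. The policy functions, response objects and status values are constructed for illustration.

```python
# Added example (not from the article): a minimal model of the cacheability
# decision a CDN makes, contrasting a permissive policy with a corrected one
# that keeps provoked error responses out of the shared cache.
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)  # header name (lower-case) -> value


def cache_control(resp):
    """Return the set of Cache-Control directive names on a response."""
    raw = resp.headers.get("cache-control", "")
    return {d.strip().split("=")[0].lower() for d in raw.split(",") if d.strip()}


def permissive_policy(resp):
    """Weak policy: store anything not explicitly marked no-store.

    RFC 7234 lets a cache store several error statuses (404, 405, 410, 414,
    501) without any freshness headers, and many deployments go further, so
    the error page an origin returns for an oversized header (HHO), a header
    meta character (HMC) or an overridden method (HMO) is stored and then
    served to every later visitor of that URL."""
    return "no-store" not in cache_control(resp)


def hardened_policy(resp):
    """Corrected policy: honour no-store and private, and never share an
    error response, which is exactly what a cache-poisoned DoS relies on."""
    if cache_control(resp) & {"no-store", "private"}:
        return False
    return resp.status < 400


# Constructed origin responses for one cacheable URL.
NORMAL = Response(200, {"cache-control": "public, max-age=600"})
OVERSIZED_HEADER = Response(400)  # HHO: origin rejected the request, no Cache-Control at all
METHOD_OVERRIDE = Response(405, {"cache-control": "public, max-age=600"})  # HMO: origin honoured the override
EXPLICIT_NO_STORE = Response(400, {"cache-control": "no-store"})
SAMPLE = [NORMAL, OVERSIZED_HEADER, METHOD_OVERRIDE, EXPLICIT_NO_STORE]


def stored_under(policy, responses=SAMPLE):
    """Return the status codes of the responses the cache would store."""
    return [r.status for r in responses if policy(r)]
```

Under the permissive policy the 400 and 405 error pages are stored alongside the real page; under the hardened policy only the 200 is.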

Null Byte Buffer Overflow

This attack shows the importance of continuous testing as an application matures and grows. Researcher Sam Curry was able to obtain RSA private keys, internal HTTP requests, users' DOMs, plaintext usernames and passwords and much, much more.

Edge (Chromium) -> RCE

This attack opened the door to tricking a user into accessing local files, editing the top sites on the New Tab Page (NTP), updating NTP preferences, tracking user activity, etc. It was a real top-notch bug that kept developers quite busy.

This is another example of a top-layer component being too accessible to users; creative minds will always find a way through.

DOM Clobbering Gmail

Using the well-known technique called “DOM Clobbering,” researcher Michał Bentkowski showed how to perform XSS in AMP4Email (a Gmail feature that lets emails include dynamic HTML content).

Padding Oracles with Fixed IVs

In an outstanding display of patience and creativity, Teddy Katz walks you through how static IVs (initialization vectors), padding oracles, concatenation and moving random junk around can lead to escalated privileges. This was a great example of stringing together several attacks, most of them well known and documented, to reach the ultimate goal.

Reusing Cookies

This vulnerability illustrates the struggle of getting good information to the people of interest in the bug bounty world.

Here, we learned that cookies could be reused, not only on different subdomains, but within the same application. This was an intended feature at one point, but it was being removed.

Subdomains are commonplace, and this research shows how hard they can be to manage when something as simple as tying cookie usage to a unique user, session and domain is easily overlooked. The penalties can be great.
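As an added example (not code from the article or the research it describes), this issues a session cookie that is bound to a single host and checks Set-Cookie headers for the attributes that would let a sibling subdomain read or overwrite the session. The cookie name, attribute choices and finding strings are assumptions made for illustration.

```python
# Added example (not from the article): issuing a session cookie bound to a
# single host, and a check that flags Set-Cookie headers a sibling subdomain
# could read or overwrite.


def build_session_cookie(value):
    """Issue the session as a __Host- prefixed cookie.

    Browsers that implement cookie prefixes accept a __Host- cookie only when
    it is Secure, has Path=/ and carries no Domain attribute, so it belongs
    to exactly the host that set it; a sibling subdomain cannot read it or
    plant its own copy."""
    return f"__Host-session={value}; Secure; Path=/; HttpOnly; SameSite=Lax"


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_scope_findings(header):
    """Return findings for a Set-Cookie header; an empty list means the
    cookie is host-bound the way a session cookie should be."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "domain" in attrs:
        findings.append(f"Domain={attrs['domain']} shares the cookie with every subdomain")
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    prefix_ok = "domain" not in attrs and attrs.get("path") == "/" and "secure" in attrs
    if name.startswith("__Host-") and not prefix_ok:
        findings.append("__Host- prefix requirements not met; browsers will reject the cookie")
    return findings
```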

QR Code Scan XSS

QR codes are used in many places. For example, Amazon Prime members can scan QR codes in Whole Foods stores to get a Prime membership discount. What happens when the wrong hands start handing them out? What security is out there for them?

In reading this research, it’s clear the frontier was open when the researcher stumbled across various types of XSS. By creating a QR code containing a malicious javascript: URL, the browser was happy to run it. The researcher was even able to bypass CSP headers with ease.

Simple testing could have gone a long way here, as no filter evasion or encoding was even needed. Firefox has since fixed this issue, but Opera Mini for iOS has yet to respond.
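As an added example (not code from the article or from any of the browsers it names), this is the check a QR scanner can run on a decoded payload before handing it to the browser, so that only explicit http(s) URLs with a host are opened and scheme tricks that rely on whitespace or control characters do not slip through. The function name, length limit and normalisation rules are assumptions made here.

```python
# Added example (not from the article): vetting a URL decoded from a QR code
# before a scanner hands it to the browser, so that javascript: and other
# non-web schemes are never opened.
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_LEN = 2048  # constructed limit for QR payloads
C0_AND_SPACE = "".join(chr(c) for c in range(0x21)) + "\x7f"


def safe_qr_url(decoded):
    """Return the URL if it is an explicit http(s) URL with a host, else None.

    Browsers drop tab/newline characters anywhere in a URL and strip leading
    and trailing control characters and spaces before they look at the scheme,
    so the same normalisation is applied here first; otherwise 'java\\nscript:'
    or ' JavaScript:' would pass a naive startswith('http') check and still
    run as script once opened."""
    if not isinstance(decoded, str) or len(decoded) > MAX_LEN:
        return None
    cleaned = decoded.strip(C0_AND_SPACE)
    for ch in "\t\r\n":
        cleaned = cleaned.replace(ch, "")
    try:
        parts = urlsplit(cleaned)
    except ValueError:          # e.g. a malformed IPv6 literal
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None             # javascript:, data:, file:, app schemes, or no scheme at all
    if not parts.hostname:
        return None             # "https:///path": nothing to connect to
    if parts.username is not None:
        return None             # userinfo makes the displayed host misleading
    return cleaned
```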

How do we stop these vulnerabilities?

All of these problems should serve as a reminder for organizations to reduce risk by practicing DevSecOps, incorporating security into every stage of the development process. In addition, security and development teams have to stay up to date on the latest vulnerabilities and exploits.

Continuously monitoring code is the best way to find problems. Enterprises should be vigilant and identify anything that has changed in the threat landscape that might require new preventative measures.

By incorporating these best practices and constantly patching applications when updates are available, organizations can prevent the next wave of top vulnerabilities in 2020 and beyond.

Anthony Bettini, CTO, WhiteHat Security

Anthony Bettini is the Chief Technology Officer for WhiteHat Security. Previously, Anthony ran Tenable Research where he joined via Tenable’s acquisition of FlawCheck – a leading Container Security startup where Anthony was the Founder and CEO. Before FlawCheck and Tenable, Anthony was the Founder and CEO of Appthority, a leading Mobile Security startup and winner of the “Most Innovative Company of the Year” award at the RSA Conference. Anthony led Appthority to successful acquisition by Symantec in 2018. Here at WhiteHat, Anthony leads product management and development, engineering and threat research.