Complex is a term that is often used to describe the technological makeup of modern web applications. They are like onions, made up of intricate layers that, if not designed or secured appropriately, can foster many critical vulnerabilities. In fact, successful web application attacks pose a serious threat: they account for almost half of all data breaches (43%) in 2019 and are the single greatest cause of data breaches according to the Verizon DBIR 2020 report. It's a known fact that visibility is key – only by locating application flaws can organizations begin to implement the right security controls in the right places to secure their web applications; otherwise half-baked security controls and remediation won't protect you.
Some may think that basic security hygiene and a WAF alone will prevent disastrous web application breaches, but unfortunately even some of the biggest brands (with huge resources and budgets) continue to suffer from application exploits. Examples include an incident where there was a lack of authentication controls (First American Financial), publicly available servers (Facebook) and the infamous Fortnite breach, when a vulnerability allowed a cross-site scripting (XSS) attack in which millions of users were tricked into clicking a link planted by an attacker, resulting in a massive data leak.
Hackers are masters of reconnaissance, diligently gathering information on the potential victim to locate weak spots in its systems before initiating the attack. Therefore, businesses that do not proactively address weaknesses within their online infrastructure are underestimating the will and skillset of the modern hacker. The slightest error spotted could give a hacker a pathway to your crown jewels and a piece of your pie without you noticing.
So, how does one go about mapping the entire attack surface of the web application and identify the deadly attack vectors that can put your data at risk?
Well, this can be broken down into three stages, starting with application footprinting, just like the hackers would. Organizations should have an inventory of what critical web apps they own and where they are exposed at all times. But here lies a problem: the number of web apps and associated vulnerabilities could easily be in the thousands, especially in larger enterprises where shadow IT is prevalent, so having a process to locate publicly exposed web apps at a regular cadence is vital to eliminate blind spots.
Once you know where they are, you need to assess the risk level of your web applications against the 7 most common vectors that hackers look for when exploiting software vulnerabilities:
- Vector 1: Security mechanisms: how web traffic between users and the application is secured
- Vector 2: Page creation method: not all coding languages and web design programs are made equal; some could lead to more security problems than others
- Vector 3: Degree of distribution: more pages mean more potential to encounter issues, as all pages must be monitored
- Vector 4: Authentication: verification of identity to ensure it's a legitimate user. All access privileges must be reviewed and should be restricted to only those that need them
- Vector 5: Input vectors: the more input fields, the larger the attack surface is likely to be, which can lead to cross-site scripting attacks
- Vector 6: Active content: when applications run scripts they initiate active content and, depending on the way those scripts have been implemented, potential issues could arise if a website has been developed using several active content technologies
- Vector 7: Cookies: these are required for real-time application security to help with monitoring session activity. They also help keep hackers away from unauthorized areas.
Now we have a pretty good picture of the web application attack surface (see sample above), and the risk scores displayed on the attack surface radar give a visual representation of where security efforts should be directed, by focusing on the most critical threats. To take it a step further, correlate the results against business criticality (e.g. whether the app generates revenue, or the amount of PII it contains) and update frequency (highly dynamic web apps are more vulnerable to attacks) to determine the overall risk posture in the context of your business.
By applying this level of security insight, security teams will be better equipped to create or adapt their application security testing program, knowing exactly what they own, pinpointing the biggest risks and protecting critical apps. You will not only improve customer experience and business growth but, most importantly, remove your business from the crosshairs of hackers with less effort and better efficiency.
Debunk your web application attack surface today with Outpost24.