Cyber Threats For Web Applications
The transition to the digital world presents us with new challenges and significant dangers. An Internet interface through which you can communicate with customers and employees of the organization is essential for the continued existence of the organization.
The OWASP project is an online community that provides information, technologies, methodologies, and tools in the field of web application security. Perhaps the best-known document of the community is the OWASP Top 10, which details the most critical security risks of web applications.
We have gathered information on the five most critical cyber threats for this current year, and how you can defend against them.
XSS Attack
The XSS (cross-site scripting) attack falls under the Injection attack category. It uses website search queries, application fields, and sign-up forms to inject malicious JavaScript code.
This attack uses vulnerabilities in websites based on JavaScript, which means any website these days. JavaScript is a very powerful language; however, it can easily be vulnerable if not configured correctly. The language uses characters such as the / sign to mark the end of a command. If not properly configured, the JavaScript can read malicious code injected into it and run it.
An XSS attack is the most common attack on web applications: more than 40% of all attacks are carried out by this method. Its popularity stems from convenience: it’s very common to forget to add the / sign, even though webmasters have many tools that assist them in locating and identifying.
XSS attacks types
XSS Stored
Occurs in blogs and social media networks where users can comment. A hacker can write a comment that is JavaScript code, and when the response is published the browser will run the injected code each time there is a new page-load of that specific page.
Reflected cross-site scripting
Usually executed through a phishing attack: sending a malicious link to the victim’s email, such as a tracking link for a shipment. The victim clicks on the link, and if the site is vulnerable it will run the malicious code and reflect it to the user.
Usually, the code asks to send information back to the hacker. This attack is targeted, meaning that users have to click on the specific link sent, unlike the previous attack that is executed with every page load regardless of user action.
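The stored-comment case described above, as an added example that is not part of the original article: the same comments rendered with and without output encoding, then parsed the way a browser would to see what remains executable. The sample comments and all function names are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: comments as a blog might store them (assumed data).
COMMENTS = [
    "Great post, thanks!",
    "<script>document.title='changed'</script>",
    '<img src=x onerror="document.title=1">',
]

def render_unsafe(comments):
    """Vulnerable: user text is pasted into the page as markup."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in comments) + "</ul>"

def render_safe(comments):
    """Hardened: encode on output so user text stays text."""
    items = (f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return "<ul>" + "".join(items) + "</ul>"

class ActiveContentFinder(HTMLParser):
    """Records script elements and on* event-handler attributes in a page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _ in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag} {name} handler")

def active_content(page):
    """Return the executable pieces a parser finds in the rendered page."""
    finder = ActiveContentFinder()
    finder.feed(page)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    print("unsafe:", active_content(render_unsafe(COMMENTS)))
    print("safe:  ", active_content(render_safe(COMMENTS)))
```

The check is useful as a regression test: any template change that reintroduces raw user text shows up as a non-empty findings list.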
XSS attacks usage and aftermath
An attacker who exploits a cross-site scripting vulnerability is typically able to:
- Impersonate the victim user.
- Carry out any action that the user can perform.
- Read any data that the user can access.
- Capture the user’s login credentials.
- Perform virtual defacement of the website.
- Inject Trojan functionality into the website.
SQL Injection
This common web application security vulnerability allows an attacker to interfere with the queries that an application makes to its database.
Wait, what?
Yeah, let’s start from the beginning
SQL is a coding language, used to write common features in web applications like search queries, login boxes, and contact forms.
If you type “Nike” into an online shoe store, you’ll probably get a catalog of all the available Nike shoes. Now, usually, when an input is given by the user, aka you, the server processes our command and retrieves the information we want. We want “Nike shoes”, it gives us Nike shoes.
So far so good, right?
But what if we want the username and password of every account?
Not possible? Think again.
If not properly configured, the website’s search query can be given a command attached to the original “Nike shoes” query, and retrieve the information requested.
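The shoe-store search described above, as an added example that is not from the original article: the same lookup built by string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. The table, rows, and function names are assumptions for illustration.

```python
import sqlite3

def make_shop():
    """Build an in-memory shop database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (brand TEXT, model TEXT);
        INSERT INTO products VALUES ('Nike', 'Air Max'), ('Nike', 'Pegasus'),
                                    ('Adidas', 'Samba'), ('Puma', 'Suede');
    """)
    return db

def search_unsafe(db, brand):
    """Vulnerable: the user's text becomes part of the SQL statement."""
    sql = "SELECT brand, model FROM products WHERE brand = '" + brand + "'"
    return db.execute(sql).fetchall()

def search_safe(db, brand):
    """Hardened: the ? placeholder sends the text as a value, never as SQL."""
    sql = "SELECT brand, model FROM products WHERE brand = ?"
    return db.execute(sql, (brand,)).fetchall()

# Constructed inputs: a normal search and one carrying extra SQL syntax.
NORMAL = "Nike"
TAMPERED = "Nike' OR '1'='1"

if __name__ == "__main__":
    db = make_shop()
    for label, value in (("normal", NORMAL), ("tampered", TAMPERED)):
        print(label, "unsafe:", len(search_unsafe(db, value)), "rows,",
              "safe:", len(search_safe(db, value)), "rows")
```

With the bound parameter the tampered text is compared as a literal brand name, so it matches nothing instead of changing the query's logic.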
DDoS (Denial of Service)
An attempt to make an Internet service – like a website – unavailable to its users, usually by temporarily disrupting the server on which the site is located. There are many types of DDoS, but the essence is flooding the site and its server with malicious traffic that will cause it to shut down due to overload, sometimes by using many devices that were once hacked and exploited without the knowledge of the device owner. Hackers have been perfecting these attacks by using AI (artificial intelligence). But not all is bleak in our future, and artificial intelligence can be used to look for the vulnerabilities of the systems, especially if there is a large amount of information.
Attacks of this type are very common because they do not rely on security vulnerabilities but on the limitations of web servers that are probably unable to handle much traffic. High-resource companies will usually invest in dedicated servers that are capable of withstanding high traffic, but most organizations host their site on shared servers.
MITM Attack
The man-in-the-middle (MITM) attack is perhaps the most difficult method for a non-expert to identify. MITM occurs when a hacker inserts himself between the user and the service provider, whether as a bystander listening or as an imposter of one party. The purpose of the attack is to steal personal information – credit card details, passwords, and account information – and it most often occurs in communications between users and financial companies, SaaS, online stores, and sites that require login to an account.
This type of attack has two stages – interception and decryption:
- Interception: The hacker tries to intercept the connection between the user and the service provider, usually by creating a free and public hotspot. Once the victim connects to the hotspot without the need for a password, the attacker has full access to the internet communication.
- Decryption: After intercepting the user’s Internet communication, the information received must be decrypted without alerting the user. SSL abstraction or hijacking can be used, as can HTTPS spoofing.
Brute Force
Like chocolate chip cookies, the simplest cyber attacks are the best.
All you have to do is find out the password of the system username by systematically going through all the possible passwords – as you do with physical locks.
If you recognize the image below, it’s no coincidence. The “How hard is your password” table is the best response to a Brute Force attack and gives the average Joe an understanding of how easy it is to decrypt your password.
Quite ironically, for 20 years, during the Cold War between the United States and the former Soviet Union, the launch passwords for the United States’ nuclear missiles were none other than 00,000,000.
To perform a brute force attack, all a hacker has to do is run code that attempts to log in using all possible passwords. When the hacker has no prior knowledge regarding the password pattern, a.k.a. guessing, they start with the shortest passwords, and when all options for a password of a certain length are exhausted, the code switches to longer passwords, systematically going through the lengths.
When there is prior knowledge about the password, for example, an anniversary date, it’s possible to run all date combinations systematically.
Hackers can also run the most common passwords.
Luckily, it’s very simple to prevent these attacks. You can limit users’ login attempts, but take into consideration that loopholes are possible, as Facebook discovered. A post written by a programmer details how he found a way to bypass user blocks. He revealed this to Facebook management and received a $15,000 reward.
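One way to implement the login-attempt limit mentioned above, as an added example that is not from the original article: a per-account counter that locks the account after repeated failures inside a time window. The class name, thresholds, and injectable clock are assumptions for illustration.

```python
import time

class LoginThrottle:
    """Locks an account after too many failed logins within a time window."""

    def __init__(self, max_failures=5, window=300, lockout=900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window      # seconds in which failures are counted
        self.lockout = lockout    # seconds an account stays locked
        self.clock = clock        # injectable so the logic can be tested
        self.failures = {}        # username -> list of failure timestamps
        self.locked_until = {}    # username -> time the lock expires

    def is_locked(self, username):
        return self.clock() < self.locked_until.get(username, 0)

    def attempt(self, username, password_ok):
        """Return 'locked', 'ok' or 'denied' for one login attempt."""
        now = self.clock()
        if self.is_locked(username):
            return "locked"       # rejected even if the password is right
        if password_ok:
            self.failures.pop(username, None)
            return "ok"
        # Keep only failures that are still inside the counting window.
        recent = [t for t in self.failures.get(username, [])
                  if now - t < self.window]
        recent.append(now)
        self.failures[username] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[username] = now + self.lockout
            self.failures.pop(username, None)
        return "denied"

if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3)
    for _ in range(3):
        print(throttle.attempt("alice", password_ok=False))
    print(throttle.attempt("alice", password_ok=True))  # locked
```

Every code path that verifies a password has to go through the same counter, otherwise the limit can be sidestepped.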
Common Vulnerabilities In WordPress Websites
Get familiar with the content management system, or CMS for short, known as WordPress. First launched in 2003, with very basic functionality that was intended for the creation of small and simple blog sites, today this system is the basis for a third of the world’s websites, from small blogs to the websites of Fortune 500 companies.
But you know how the saying goes: with great power comes great responsibility.
WordPress might be a convenient, easy-to-use system, but it does have weaknesses that can be used by malicious attackers.
Offensive groups and single attackers are aware that due to its convenience, the WordPress system is used by quite a few organizations on a global scale. As a result, extensive research is being conducted about this CMS’s capabilities and vulnerabilities, be it by visible or hidden sources. The extensive research gathered on the WordPress system makes it easier for hackers who wish to reach sensitive databases located in any organization. These hackers use vulnerabilities found in the system that have not yet been fixed by the IT team after updating a version or installing a new plugin.
The plugins that are released by private developers improve the WordPress system, and the ready-made design templates make working in the system more convenient. These tools have no doubt contributed to the general community, but without the oversight of those tools or plugins, problems arise.
When the development and addition are done by private individuals, weaknesses can be discovered in those plugins, and without a quick and effective fix by the developers, the plugin can be used as a weakness. This can lead to vulnerability exploitation by a malicious actor and result in data leakage, which harms the company’s reputation and may lead to lawsuits.
Israel, a leading country in the cyber industry, or as it is called “Start-Up Nation”, was the victim of an organized attack that used a weakness in one of the largest web hosting providers in the country, UPress. It was not difficult to find out that the attackers took advantage of a weakness in one of the plugins installed in WordPress, and as a result of the attack 150,000 Israeli sites were damaged.
There are several common attacks among WordPress sites:
- An old version of the system/plugin – It is convenient and easy for attackers to exploit vulnerabilities in an out-of-date site. When all options are open to them, hackers can easily find the vulnerabilities, known online as CVEs, of the same version they intend to attack. However, when vulnerabilities are discovered in previous versions, updates are released to correct them. All we have to do is make sure that all our plugins are up to date and so is the WordPress version – it is recommended to set updates to automatic mode.
- Denial of Service Attack (DDOS Attack)
- Malicious code – A code that aims to get into the victim’s environment indirectly. There are several methods for inserting malicious code or software into organizations, such as targeted phishing attacks on organization employees while requesting the download of certain files. In our case and as part of the WordPress-focused article, the code is usually inserted by downloading various plugins or design templates from unsupervised sources, which contain malicious code. This code can latch onto your work computer, and as a result, transfer your data to the attacker.
In cases that include the infiltration of malicious code into an organization’s network, it might take a while until the severity of the situation is revealed. Unfortunately, some organizations are not aware of the situation and do not indicate whether their information has been leaked or stolen.
The recommendation is to only work with qualified parties, and not to click on files or links that appear to us in the network space. Even when the link is sent via messages or emails from a familiar person, it is advised to directly call the sender to verify the source. Additionally, those responsible and in the decision-making circle of the organization must conduct a briefing for employees on information security while increasing employee alertness. Increased awareness and alertness combined with order and organization win it all!
How To Protect Your Website
Storage Server
It is crucial that the storage server chosen to run our site not only fits our budget but comes with a built-in SSL package and DDOS security. Available and fast customer service is just as important, and it is best to have the option of automatic security threat scans.
Web Application pen testing
To prevent disruptions like hacking, information theft, and denial of service, many companies understand the importance of penetration tests which examine the defense systems and map the organization’s weaknesses. There are three possible courses of action available to businesses who wish to fortify their cyber defense systems through web pen tests:
Gray box
A test that can be performed from an outsider’s point of view or an insider attacker. In some cases, the tester will receive limited information about the organization’s information systems, such as user per system. The tester will then use this information to scan for potential vulnerabilities that can be exploited for malicious purposes.
White box
Simulates a cyber-attack conducted by a hacker from within the organization (for example, a resentful employee who wants revenge) who already has access to the network and the company’s resources. This test requires the organization to provide the software’s source code, including characterization and detailed information.
Black box
When performing a black box test, the pen tester does not receive any preliminary information about the organization or the existing systems in it. Black box pen testing begins as an external test; however, if a breach has been made, the tester will continue as an inside intruder, in coordination with the boundaries that have been initially set.