Top Ten Web Application Vulnerabilities Pt. 2
June 2, 2022
June 2, 2022
Although this is sixth on OWASP’s list, vulnerable and outdated components play a large role in how most attackers get into a system. The longer a system remains unpatched or not upgraded, the more likely it is that vulnerabilities exist in that system. You are likely vulnerable:
Maintaining up-to-date versions of all components in your infrastructure is the best way to prevent attackers from using this attack vector.
Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks. If attackers can get credentials for your site, they may be able to leverage that access to gain a foothold on your network. Your application may have Identification or Authentication issues if:
The best way to prevent these attacks is the use of Multi-Factor Authentication. Even if weak, default, or easily guessable passwords are in use, an attacker would be unable to gain access if MFA is in place.
Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs) and does not check to verify the integrity of these sources. An insecure CI/CD pipeline can introduce the potential for unauthorized access, malicious code, or system compromise. Lastly, many applications now include auto-update functionality, where updates are downloaded without sufficient integrity verification and applied to the previously trusted application. Attackers could potentially upload their own updates to be distributed and run on all installations. The best ways to prevent flaws like this are:
Without logging and monitoring, breaches cannot be detected. Insufficient logging, detection, monitoring, and active response occurs any time Auditable events, such as logins, failed logins, and high-value transactions, are not logged or when warnings and errors generate no, inadequate, or unclear log messages. To prevent these issues Security teams should consider implementing some or all the following controls:
SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL). As modern web applications provide end-users with convenient features, fetching a URL becomes a common scenario. As a result, the incidence of SSRF is increasing. Also, the severity of SSRF is becoming higher due to cloud services and the complexity of architectures.
At the network layer SSRF can be mitigated by:
At the Application layer SSRF can be mitigated by:
This completes our list of the top 10 Web Application Vulnerabilities. Having a better understanding of how these vulnerabilities work and how to mitigate them can allow your organization to better protect itself but this is only one part of the many ways attackers can gain access to your network.