As SaaS adoption grows, attackers are focusing their attacks on vulnerabilities in web applications. Vulnerabilities in commercial web applications have become the largest source of enterprise security attacks. Most of the time, such weaknesses are the result of badly configured servers, poor architectural design or poor programming practices, among other technical and operational flaws. Perimeter firewalls or web application firewalls may help to prevent some exploits from reaching your setup, but they do not protect you against all vulnerabilities!
Let's go through some of the most basic exploits found in web applications:
- Where authentication is required, insufficient verification or weak password-recovery validation allows an attacker either to gain access to sensitive data or to obtain other users' passwords. This can easily be done through brute-force attacks.
- Attackers can leverage other users' session IDs. Insufficient session expiration permits an attacker to reuse old session IDs.
- Content spoofing can take place through cross-site scripting techniques, where the attacker's code loads into a user's browser and may appear to be legitimate, part of the website's own content.
- Buffer overflow attacks happen when application inputs are manipulated and access to memory space is gained. The most common are illegal SQL statements and SSI (server-side include) injections.
- Information disclosure can occur through directory listing/indexing on poorly configured servers. A listing of sensitive files and commands that may reside in an administrative folder can compromise system integrity and disclose information.
- An overlooked security threat is the website's own features and functionality. Some may abuse the site's own functionality to cause DoS attacks or circumvent access-control mechanisms. Web developers or administrators tend to automate processes, even ones intended to be performed manually for security reasons. This may create insufficient process validation.
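The list item on illegal SQL statements is easiest to see with code. The following is an added example, not code from the original article: a constructed in-memory SQLite users table, a login check that splices user input into the SQL text (the weak form), and the same check written as a parameterised query. The table, user names and passwords are all constructed for the illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the application's database.
    Passwords are stored in clear here only to keep the example short; a real
    application stores a salted hash and compares against that."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct-horse"), ("bob", "battery-staple")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The weak form: untrusted input is spliced into the SQL text, so quote
    characters in the input change the statement the database parses."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Parameterised query: the input is bound as data and is never parsed as SQL,
    whatever characters it contains."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # The textbook input that turns the WHERE clause into an always-true condition.
    tautology = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "nobody", tautology))  # a user name
    print("hardened:  ", login_hardened(db, "nobody", tautology))    # None
```

The hardened function is also the one to look for in source code review: any query assembled with `%`, `+` or f-strings from request data is a finding, regardless of whether a working payload has been found for it yet.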
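The list item on insufficient session expiration comes down to server-side bookkeeping: an old session ID must stop working after a fixed lifetime and after a period of inactivity, and it must be replaced when the user's privileges change. The following is an added example, not code from the original article; it is a self-contained in-memory session store with an assumed policy of an 8-hour absolute lifetime and a 15-minute idle timeout, with the clock passed in so expiry can be exercised deterministically.

```python
import secrets
import time

ABSOLUTE_LIFETIME = 8 * 3600   # assumed policy: session dies 8 h after login regardless of activity
IDLE_TIMEOUT = 15 * 60         # assumed policy: and after 15 min without a request


class SessionStore:
    """In-memory session table keyed by session ID. `now` is a UNIX timestamp
    supplied by the caller so that expiry can be tested without sleeping."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, now):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid, now):
        """Return the user for a live session, or None. Expired entries are
        deleted server side so the ID cannot be replayed later."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        too_old = now - s["created"] > ABSOLUTE_LIFETIME
        too_idle = now - s["last_seen"] > IDLE_TIMEOUT
        if too_old or too_idle:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def rotate(self, sid, now):
        """Issue a fresh ID for a live session and invalidate the old one,
        e.g. right after login or a privilege change."""
        user = self.lookup(sid, now)
        if user is None:
            return None
        del self._sessions[sid]
        return self.create(user, now)

    def logout(self, sid):
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", time.time())
    print("live:", store.lookup(sid, time.time()))                 # alice
    print("idle:", store.lookup(sid, time.time() + IDLE_TIMEOUT + 1))  # None
```

The check that matters in review is that expiry is enforced on the server (`lookup` deletes the entry) and not only by a cookie `Max-Age`, since a client-side expiry does nothing against an attacker who already holds the ID.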
Detecting as many vulnerabilities as possible requires both automated tools and manual inspection of the source code. It is recommended to perform source code analysis, engage third-party external contractors to perform on-site penetration testing, and use automated tools such as online scanners that can repeat tests at regular intervals.