
OWASP Top 10 methodology attacks on web-based systems
27.05.2024

Ruslan Rakhmetov, Security Vision


Today's cyber threat landscape is quite diverse, and the media is constantly filled with news about data breaches, DDoS attacks, virus infections, cyber extortion and cyber espionage. At the same time, there is a category of cyberattacks that has remained consistently popular with attackers for the past several decades, in fact since the rise of the Internet: attacks on websites, Internet applications and various web systems. The attractiveness of such targets is easy to understand: to attack a web system, attackers only need to reach a resource that is, by design, publicly accessible from the Internet.


For these reasons, web resources are exposed to an increased risk of unauthorised access, intrusion and exploitation of web vulnerabilities, which in turn can lead to data leakage (e.g. of the site's user database), unauthorised changes to the appearance of the web resource (defacement), the placement of malicious or fraudulent content on the site without the owner's knowledge, and the compromise of information resources that the web server can reach through the corporate network. Web application security receives a lot of attention in the IS world, for example from the OWASP (Open Web Application Security Project) community, which, among other things, maintains a catalogue of web attacks. As part of this project, lists of the 10 most common types of web vulnerabilities and web application configuration errors have been released regularly since 2003. The latest version of the OWASP Top 10 was released in 2021 and contains the following categories:


- Broken Access Control;

- Cryptographic Failures;

- Injection, including XSS, SQL injection, OS command injection, XPath and XQuery expression injection, etc.;

- Insecure Design;

- Security Misconfiguration;

- Vulnerable and Outdated Components;

- Identification and Authentication Failures;

- Software and Data Integrity Failures;

- Security Logging and Monitoring Failures;

- Server-Side Request Forgery.

Let's take a closer look at these vulnerabilities.


1. Access Control Failure (A01:2021-Broken Access Control)


Access control mechanisms enforce access policies and the authorities granted to system users in order to prevent unauthorised access by subjects to protected objects. Common access control vulnerabilities include non-compliance with the least privilege and default deny principles, bypassing access checks by modifying HTML pages or API requests, accessing objects via a direct link without an access check, missing access control on POST, PUT and DELETE API requests, unauthorised privilege escalation (including bypassing the authentication mechanism), metadata manipulation (including reuse or forgery of JWT tokens, cookies and hidden fields), and configuration errors.
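As an added illustration (not part of the original article), the following Python snippet contrasts a handler that trusts the object id in the request with one that applies default deny and checks ownership or role on every object access. The user, document and role names are constructed for the demonstration.

```python
# Added example (not from the article): default-deny, per-object access control
# for an API that serves documents by id. Names, roles and sample documents are
# constructed for the demonstration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    roles: FrozenSet[str] = frozenset()


@dataclass
class Document:
    doc_id: int
    owner_id: int
    body: str


class AccessDenied(Exception):
    pass


# Constructed data store standing in for a database table.
DOCS: Dict[int, Document] = {
    1: Document(1, owner_id=100, body="alice's invoice"),
    2: Document(2, owner_id=200, body="bob's payroll"),
}


def get_document_insecure(current_user: User, doc_id: int) -> Optional[str]:
    """Vulnerable handler: being logged in is the only check, so the caller
    can read any document simply by changing the id in the URL (an insecure
    direct object reference)."""
    doc = DOCS.get(doc_id)
    return doc.body if doc else None


def is_authorized(user: User, doc: Document, action: str) -> bool:
    """Server-side policy evaluated on every object access. Only the listed
    cases are allowed; everything else falls through to False (default deny)."""
    if "admin" in user.roles:
        return True
    if doc.owner_id == user.user_id and action in ("read", "update", "delete"):
        return True
    return False


def get_document_secure(current_user: User, doc_id: int, action: str = "read") -> str:
    """Hardened handler: ownership or role is checked for the specific object,
    and a missing object is reported the same way as a forbidden one so the
    response does not reveal which ids exist."""
    doc = DOCS.get(doc_id)
    if doc is None or not is_authorized(current_user, doc, action):
        raise AccessDenied(f"user {current_user.user_id} may not {action} document {doc_id}")
    return doc.body


if __name__ == "__main__":
    alice = User(100)
    print(get_document_insecure(alice, 2))  # leaks bob's document
    try:
        get_document_secure(alice, 2)
    except AccessDenied as exc:
        print("denied:", exc)
```

The key point is that the policy function is consulted for the specific object on every request, rather than once at login, and that the same error is returned for "not found" and "forbidden".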


2. Errors in Cryptography (A02:2021-Cryptographic Failures)


Failures in the application of cryptographic techniques to protect information in storage, in use and in transit can lead to unauthorised access, disclosure and data leakage. Particular attention should be paid to the cryptographic protection of data whose security is required by law, such as personal data, banking information and trade secrets, and of sensitive data such as authentication information (logins, passwords, e-mail addresses, telephone numbers). For such data it should be determined whether it is transmitted unencrypted (in clear text), whether weak, unreliable or obsolete cryptographic algorithms or modes of operation are used, whether cryptographic key management is implemented, whether strong cryptography is enforced for web clients, whether certificate trust chains are verified, whether passwords are used as cryptographic keys without a password-based key derivation function (PBKDF), which random number generators are used, …
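The password points above (clear-text storage, weak hashing, no PBKDF) are illustrated by the following added Python example, which is not from the original article. It places an unsalted fast hash next to PBKDF2-HMAC-SHA256 from the standard library; the record format and the rehash policy are our own design.

```python
# Added example (not from the article): password storage with a password-based
# key derivation function (PBKDF2-HMAC-SHA256 from the standard library) next
# to the weak pattern it replaces. The record format is our own.
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256


def hash_password_weak(password: str) -> str:
    """What NOT to do: an unsalted fast hash. Equal passwords give equal
    hashes, and billions of MD5 guesses per second are cheap."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Derive a 32-byte verifier with a per-user random salt and a tunable work
    factor; store algorithm, iterations and salt together with the digest."""
    if salt is None:
        salt = os.urandom(16)  # OS CSPRNG, never a user-supplied or constant value
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time.
    Any malformed record is treated as a failed login, never as a crash."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """True if a record predates the current policy; rehash it on the next
    successful login, since the clear-text password is only available then."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < min_iterations
    except ValueError:
        return True
```

Storing the parameters with each record is what allows the iteration count to be raised later without a mass password reset.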


3. Injections (A03:2021-Injection)


A web application is vulnerable to injection when data supplied by the user is not validated, filtered or sanitised by the application, when dynamic queries or non-parameterised calls are built without escaping user input, or when untrusted input is passed directly into queries, commands or stored procedures. The most common types are SQL/NoSQL injection, OS command injection, ORM (Object Relational Mapping) injection, LDAP injection, EL (Expression Language) injection and OGNL (Object Graph Navigation Library) injection. Regardless of the interpreter used by the web application (JavaScript, PHP, Python, etc.), the best way to prevent such vulnerabilities is to check the source code at every point where parameters, headers, URLs, cookies, JSON, SOAP and XML data are consumed. Such checks can be automated with static analysis (SAST, Static Application Security Testing), dynamic analysis (DAST, Dynamic Application Security Testing) and interactive analysis (IAST, Interactive Application Security Testing) tools integrated into the CI/CD pipeline.
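The following added Python example (not from the original article) shows the SQL injection case on an in-memory SQLite table: the same lookup written with string concatenation, with a bound parameter, and with an input allow-list as defence in depth. The table, rows and username format are constructed.

```python
# Added example (not from the article): a user lookup against an in-memory
# SQLite database written twice, first with string concatenation (vulnerable
# to SQL injection), then with bound parameters. Table and rows are constructed.
import re
import sqlite3
from typing import List

# Constructed allow-list: lower-case letters, digits and underscore, 3-32 chars.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "<hash placeholder>"), ("bob", "<hash placeholder>")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """User input is spliced into the SQL text, so the database parses it as
    part of the query. A quote character in the input rewrites the WHERE clause."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """The query text is fixed; the value travels separately as a bound parameter
    and is never interpreted as SQL, whatever characters it contains."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def find_user_validated(conn: sqlite3.Connection, username: str) -> List[str]:
    """Defence in depth: reject input that does not match the expected shape
    before it reaches the database, in addition to parameterising the query."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return find_user_safe(conn, username)
```

Parameterisation is the control that removes the vulnerability; validation narrows the attack surface and gives the application a clean place to log rejected input.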


4. Insecure Design (A04:2021-Insecure Design)


Insecure design is a broad category covering errors and vulnerabilities introduced by missing or ineffective security controls in the architecture of a web application. A distinction should be made between an insecure design and an insecure implementation: even with a secure design, an incorrect implementation can introduce vulnerabilities, whereas an insecure design cannot be fixed by a high-quality implementation, because the necessary security features were never built in during the design phase. One cause of insecure design is the absence of business risk assessment, cyber threat modelling and secure design rules, which makes it impossible to determine the required security level of a web system at the design stage.


To develop a secure web application design, the business requirements for the application should be collected and agreed with stakeholders, including requirements for security functionality that ensures the confidentiality, integrity, availability and authenticity of the data the system processes and of its operating logic. Consideration should be given to how exposed the web application is to attack and to the need for data segregation between tenants. All technical requirements, including security requirements, should be formulated and consolidated, and the cost of designing, developing, testing and operating the web application should then be planned with cybersecurity in mind. Secure design also means continuously assessing cyber threats and designing and developing web applications so that known attack methods cannot be carried out.


Threat modelling should be integrated into refinement sessions, which should address changes in data flows, access controls and security measures. When developing a user story, the correct web application workflow and error handling methods should be formulated and agreed with the responsible and interested parties. In addition, failures should be analysed and initiatives proposed to improve the product.


Secure development requires a secure software development lifecycle, secure design patterns, a methodology, a library of secure software components, secure development tools and threat modelling tools. To improve application security, the ‘shift left’ concept should be applied so that cyber risks are considered from the earliest stages of web development.


5. Configuration flaws (A05:2021-Security Misconfiguration)


A web application will be vulnerable when security hardening is missing anywhere in the technology stack used by the application, when permissions are incorrectly configured in cloud services, when redundant functionality is installed or enabled (e.g. unnecessary network ports, services, pages, accounts or privileges), when default accounts and passwords are left enabled and unchanged, when error messages disclose excessive technical detail, when updated security features are disabled or left unconfigured after the web system is upgraded, or when security settings on the server are disabled or not configured. It is emphasised that without a consistent, repeatable process for secure application configuration, web systems are at increased risk.


6. Vulnerable and Outdated Components (A06:2021-Vulnerable and Outdated Components)


Web applications are exposed to this weakness when the versions of all components in use (both client-side and server-side), including directly used components and their software dependencies, are unknown. It is equally dangerous to run vulnerable, unsupported or outdated software, including operating systems, web and application servers, DBMSs, applications, APIs, runtime environments and software libraries. It is important to scan for vulnerabilities regularly, to subscribe to vulnerability bulletins for the components in use, and to update platforms, frameworks and dependencies promptly using a risk-based approach. In addition, developers should perform compatibility testing of updated libraries and ensure that application components are configured securely.


7. Identification and Authentication Failures (A07:2021-Identification and Authentication Failures)


Confirming user identity, authentication and session management are critical to countering attacks on authentication processes. Identification and authentication vulnerabilities arise when an application is susceptible to credential stuffing, is not protected against brute-force or other automated attacks, allows default, weak or well-known passwords, uses a weak or ineffective password recovery process, stores passwords in the clear or with weak encryption or hashing algorithms, has no or ineffective multi-factor authentication, exposes the session ID in the URL, allows a session ID to be reused, or does not properly invalidate session IDs or authentication tokens after the user logs out or after a period of inactivity.
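The session and brute-force points above are illustrated by the following added Python example, which is not from the original article. It implements a server-side session store with unguessable ids, idle and absolute timeouts, rotation and revocation, plus a simple failed-login throttle; the timeout values and the injectable clock are constructed for the demonstration.

```python
# Added example (not from the article): server-side session management and a
# failed-login throttle. Token generation, timeouts and storage layout are our
# own design; the timeout values and the sample clock are constructed.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity
MAX_FAILURES = 5
FAILURE_WINDOW = 15 * 60


@dataclass
class Session:
    user_id: int
    created: float
    last_seen: float


class SessionStore:
    """Opaque, unguessable session ids kept server-side; sent only in a cookie,
    never in the URL; rotated on login; revoked on logout and on timeout."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: int) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = Session(user_id, now, now)
        return sid

    def rotate(self, sid: str) -> Optional[str]:
        """Replace the id on login or privilege change so an id known before
        that point is not carried into the more privileged session."""
        user_id = self.validate(sid)
        if user_id is None:
            return None
        self.revoke(sid)
        return self.create(user_id)

    def validate(self, sid: str) -> Optional[int]:
        """Return the user id for a live session, or None; expired ids are
        deleted on sight so they cannot be reused."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > IDLE_TIMEOUT or now - session.created > ABSOLUTE_TIMEOUT:
            self.revoke(sid)
            return None
        session.last_seen = now
        return session.user_id

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def revoke_all_for_user(self, user_id: int) -> int:
        """Used on password change or suspected compromise."""
        doomed = [sid for sid, s in self._sessions.items() if s.user_id == user_id]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


class LoginThrottle:
    """Locks an account after MAX_FAILURES failed attempts within FAILURE_WINDOW."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._failures: Dict[str, List[float]] = {}

    def record_failure(self, username: str) -> None:
        self._failures.setdefault(username, []).append(self._clock())

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)

    def is_locked(self, username: str) -> bool:
        now = self._clock()
        recent = [t for t in self._failures.get(username, []) if now - t <= FAILURE_WINDOW]
        self._failures[username] = recent
        return len(recent) >= MAX_FAILURES
```

Because the session id carries no meaning of its own, nothing about the user can be recovered from it, and a stolen id stops working as soon as the server-side record is gone.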


8. Software and Data Integrity Failures (A08:2021-Software and Data Integrity Failures)


Software and data integrity failures arise when code and infrastructure do not protect against integrity violations. An example is an application that uses plugins, libraries or modules from untrusted sources and repositories. An insecure CI/CD pipeline can become a vector for unauthorised access, malware injection and system compromise. Likewise, applications often use automatic update functionality that downloads and installs updates without the necessary integrity checks, so attackers could potentially distribute modified updates that are then propagated to and run on every installation of the application. Another example of an integrity failure is insecure deserialisation, where serialised or encoded data is not protected against modification by an attacker.
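The update-integrity point is illustrated by the following added Python example, which is not from the original article. An update is accepted only if its manifest parses as plain JSON (no pickle or other code-executing deserialisation), the manifest's signature verifies, and the artifact's digest matches. The manifest format, key and artifact are constructed, and an HMAC stands in for the asymmetric signature a real update channel would use, since the standard library has no public-key signature primitive.

```python
# Added example (not from the article): verifying an update package before it is
# installed. The manifest format, the key and the sample artifact are constructed;
# an HMAC stands in for the asymmetric signature a real update channel would use.
import hashlib
import hmac
import json
from typing import Any, Dict

REQUIRED_FIELDS = {"name", "version", "sha256"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_json(manifest: Dict[str, Any]) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes,
    regardless of whitespace or key order in transit."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_manifest(manifest: Dict[str, Any], key: bytes) -> str:
    return hmac.new(key, canonical_json(manifest), hashlib.sha256).hexdigest()


def verify_update(artifact: bytes, manifest_bytes: bytes, signature_hex: str, key: bytes) -> bool:
    """Accept the artifact only if the manifest is well-formed, its signature
    verifies, and the artifact's digest matches the manifest. Any failure
    returns False; nothing from the package is executed, and the manifest is
    only ever parsed as JSON, never deserialised with pickle."""
    try:
        manifest = json.loads(manifest_bytes)
    except ValueError:
        return False
    if not isinstance(manifest, dict) or not REQUIRED_FIELDS <= set(manifest):
        return False
    if not all(isinstance(manifest[k], str) for k in REQUIRED_FIELDS):
        return False
    expected_sig = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected_sig, signature_hex):
        return False  # manifest tampered with, or signed with a different key
    return hmac.compare_digest(sha256_hex(artifact), manifest["sha256"].lower())
```

The order of checks matters: the signature is verified before any field of the manifest is trusted, and the artifact is not touched until the manifest has been authenticated.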


9. Security Logging and Monitoring Failures (A09:2021-Security Logging and Monitoring Failures)


To detect and respond to cyberattacks, it is important to have mechanisms for logging and monitoring security events. Without them, failed login attempts and high-risk transactions go unlogged, warnings and errors produce incomplete or no alerts, and suspicious application and API activity goes unnoticed. It is dangerous practice to store logs only locally (i.e. without a centralised collection system) and to have no or ineffective processes for responding to alerts. A tell-tale sign of logging failures is the absence of alerts when penetration tests and scans by dynamic analysis tools are run, as well as the inability of an application to detect and warn of active cyberattacks in real time. In addition, it should not be forgotten that if logs or alerts are accessible to unauthorised users or potential attackers, this constitutes an access control failure of the type described at the beginning.
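The following added Python example (not from the original article) shows what "detecting active attacks from logs" looks like in practice: detection logic run over a few constructed authentication log lines. The line format, the addresses (taken from the RFC 5737 documentation ranges) and the thresholds are our own; a real deployment would read from a central collector rather than a list.

```python
# Added example (not from the article): detection logic run over constructed
# authentication log lines. The line format, addresses (RFC 5737 test ranges)
# and thresholds are our own; real deployments would read from a central collector.
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample input.
LOG_LINES = [
    "2024-05-27T10:00:01Z auth_failure user=alice src=203.0.113.5",
    "2024-05-27T10:00:02Z auth_failure user=alice src=203.0.113.5",
    "2024-05-27T10:00:03Z auth_failure user=alice src=203.0.113.5",
    "2024-05-27T10:00:04Z auth_failure user=alice src=203.0.113.5",
    "2024-05-27T10:00:05Z auth_failure user=alice src=203.0.113.5",
    "2024-05-27T10:00:06Z auth_failure user=alice src=203.0.113.5",
    "2024-05-27T10:00:09Z auth_success user=alice src=203.0.113.5",
    "2024-05-27T10:00:30Z auth_failure user=bob src=198.51.100.7",
    "2024-05-27T10:00:31Z auth_success user=bob src=198.51.100.7",
    "malformed line that the parser must not crash on",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")
Alert = Tuple[str, str, str]  # (kind, source address, user)


def parse(line: str) -> Optional[dict]:
    """Parse one line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect(lines: List[str], threshold: int = 5, window_s: int = 60) -> Tuple[List[Alert], int]:
    """Return (alerts, unparsable_count). Alerts: 'bruteforce' when a source
    reaches `threshold` failures inside `window_s`, and 'success_after_bruteforce'
    when that same source then logs in successfully, which is the event a
    responder most needs to see."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged = set()
    alerts: List[Alert] = []
    unparsable = 0
    for line in lines:
        ev = parse(line)
        if ev is None:
            unparsable += 1  # a spike here is itself a logging-failure signal
            continue
        src, user, ts = ev["src"], ev["user"], ev["ts"]
        if ev["event"] == "auth_failure":
            q = failures[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()  # drop failures that fell out of the sliding window
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, user))
        elif ev["event"] == "auth_success" and src in flagged:
            alerts.append(("success_after_bruteforce", src, user))
    return alerts, unparsable


if __name__ == "__main__":
    for alert in detect(LOG_LINES)[0]:
        print(alert)
```

Counting unparsable lines alongside the alerts is deliberate: a sudden rise in lines the parser rejects usually means a format change or a broken log source, which is exactly the kind of silent monitoring failure this category describes.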


10. Server-Side Request Forgery (A10:2021-Server-Side Request Forgery)


A Server-Side Request Forgery (SSRF) vulnerability arises when a web application fetches a remote resource without validating the URL supplied by the user. This lets an attacker make the application send a crafted request to an unintended destination, bypassing security controls, and return the response to the attacker. A successful SSRF attack can lead to bypassing network restrictions and access rights, extracting sensitive information, reading local files on the web server, and scanning and gaining access to the internal network. The danger of SSRF is that modern web applications often let users fetch data from third-party resources, while the complexity of modern infrastructures and the widespread use of clouds increase the likelihood that an SSRF vulnerability will be found and exploited.
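As an added illustration of the "validate the URL before fetching" control (not from the original article), the following Python function vets a user-supplied URL against an allow-list of schemes, hosts and ports and then checks that the name resolves only to public addresses. The allowed hosts and the resolver results used in the demonstration are constructed; a real service would supply its own list and DNS.

```python
# Added example (not from the article): validating a user-supplied URL before the
# server fetches it. Allowed hosts and the resolver results are constructed for
# the demonstration; a real service would plug in its own list and DNS.
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}  # constructed allow-list


def resolve(host: str) -> List[str]:
    """Default resolver; tests inject a fake one so nothing touches the network."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public(ip_str: str) -> bool:
    """Reject loopback, private, link-local, reserved and multicast ranges."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url: str, resolver: Callable[[str], List[str]] = resolve) -> List[str]:
    """Return the vetted IP addresses for `url` or raise ValueError.
    The caller should connect to one of the returned addresses (sending the
    hostname in the Host header and SNI) and must not follow redirects blindly,
    otherwise a second DNS lookup or a 302 can point the request back inside."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")  # common source of parser confusion
    host = parts.hostname
    if not host or host.lower() not in ALLOWED_HOSTS:
        raise ValueError("host not on allow-list")
    if parts.port is not None and parts.port not in ALLOWED_PORTS:
        raise ValueError("port not allowed")
    addresses = resolver(host.lower())
    if not addresses or not all(is_public(a) for a in addresses):
        raise ValueError("host resolves to a non-public address")  # catches DNS pointing inward
    return addresses
```

An allow-list of destinations is the strongest form of this control; where the business need genuinely requires arbitrary hosts, the address check and the ban on redirects remain, and the fetch should run from a network segment with no route to internal services.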

