This blog previously looked at the fundamental concepts behind application security testing and which methods work for which threats. Now that you know what those are, let’s look closer at the threats themselves, based on the Open Web Application Security Project 2013 Top Ten.
You can familiarize yourself with the list on the organization’s official website here. Studying it will help your organization learn more about the most common threats applications face. It’s important to distinguish between each of these problems, especially when some of them may have overlapping characteristics:
- Injection: This type of attack focuses on external programs, a feature in all web application environments. They are also known as SQL injections, and other variations include code, command and log injections. Since they prey on such a common aspect of web apps, they pose a complex threat to many.
- Broken Authentication and Session Management: Applications suffering from these flaws may have security measures in place but are unable to execute them for some reason. Examples include password recovery breaches or unencrypted credentials. Failing to do so may lead hackers to access user accounts, as in the VTech hack.
- Cross-Site Scripting: Referred to as XSS for short, this is another injection attack that lets a hacker take command of a browser. Yahoo was the victim of such an attack in 2013, with email users sent to a malicious site. Some variations are reflected, stored and DOM-based attacks, as well as the “confused deputy” version or cross site request forgery.
- Insecure Direct Object References: These holes in an application’s structure can lie behind a password or some other security measure, making it seemingly surprising when they emerge. When the hacker exploits this flaw, they can gain access to important objects relatively quickly despite being an unauthorized user.
- Security Misconfiguration: With a wrong configuration or inefficient software, attackers can cause damage while not having to do much on their own. Looking at this flaw requires examination of each aspect of the application stack for vulnerabilities.
- Sensitive Data Exposure: A very visible problem in the modern data landscape, this simply refers to unprotected material within the app. Last year’s Office of Personnel Management Hack stemmed from a fundamental lack of database encryption, putting sensitive data like Social Security Numbers at risk.
- Missing Function Level Access Control: Consistency makes function level access checks more effective and best serves the application as a whole. While the name may be confusing, this term concerns a lack of regulation regarding who can adjust important app measures.
- Cross-Site Request Forgery: Victims of this attack participate in malicious actions online without realizing it, as the hacker takes advantage of their legitimate credentials. OWASP notes several other synonyms, such as “session riding,” a “one-click attack” and XSRF. According to Naked Security, this can also be a concern for the Internet of Things, or at least was in the case of one digital recorder.
- Using Components with Known Vulnerabilities: All components within an app need to be assessed for individual security potential. As with other vulnerabilities, this can arise from developer negligence as much as a willful outside attack. A recent Forbes piece found that Samsung technology contained a weak rejoin procedure that allows hackers to take advantage of encryption key requests.
- Unvalidated Redirects and Forwards: Also known as open, cross-site or cross-domain redirects, unvalidated redirects abuse the traditional means of linking by sending users to dangerous sites, exposing them to further risks. It can be linked to phishing activities, still a common means of gaining user login information.
PSC will help your company mitigate the risks associated with each of these threats. Whether you’re a victim of these problems or you don’t want to become one, you can contact us today to start discussing the best counteractive steps for you.Share