Securing Modern Web Applications: Threats and Types of Attacks
Web Application Firewalls are the most advanced firewall capabilities available to IT teams. Deploying the appropriate WAF is important, especially these days when the security threat landscape is changing so rapidly.
In a previous post, we introduced Web Application Firewalls: Securing Modern Web Applications, a comprehensive eBook that addresses the latest application threats, the types of attacks, the evolution of WAF technology and the various WAF deployment architectures. Its goal is to highlight the specifics of WAF functionality (including adjacent WAF technologies) and clarify how it fits into a network’s overall technology design.
In this post, we summarize the first two chapters: Current Application Threats and Types of Attacks.
Chapter 1: Current Application Threats
Setting the stage in the first chapter, the eBook first describes these current application threats and challenges emanating from the latest methods in application development and explains how bad actors gain access to execute attacks.
Third party libraries – Application developers are increasingly incorporating libraries from open source code, and attackers are constantly looking for vulnerabilities they can exploit in the most commonly used libraries. Keeping track of them from a security and vulnerability standpoint is an increasing challenge due to the exponential increase in the number of libraries used in applications.
Botnets – Attackers are increasingly using these groups of compromised network devices that are geographically dispersed and are under centralized control. Since the botnets contain devices from such a large number of IP addresses, they were initially used to overwhelm DDoS protection that was based on blocking individual or groups of IP addresses. With increased sophistication, multiple botnets are employed in tandem to penetrate a network under cover of a DDoS attack. This is enabled by the availability of botnets whose services can be purchased on the dark web.
Credential Compromise – When credentials are stolen from a hacked site, they are used in credential stuffing attacks, executed via botnets, that attempt access to multiple other sites hoping the user has used those same credentials. These lists of credentials are also available for purchase on the dark web. Once the hacker has gained access to an account, he will seek a vulnerability that will allow escalation to a privileged account that has administrative access to some portion of the system. If successful, the door is open to further access or compromise the system.
Chapter 2: Types of Attacks
Since application layer attacks are inherently more complex than network layer attacks and are becoming increasingly sophisticated, the eBook first presents the OWASP list of top 10 application security risks, which has become the definitive source of application layer security vulnerabilities. We’ve previously detailed the most recent 2017 list. Below are some additional attacks described in chapter 2 of the eBook.
Business Logic Attacks
While many vulnerabilities that represent attack vectors result from implementation bugs, some result from design flaws in application requirements or architecture.
Possible examples of attack vectors resulting from such flaws include:
- Circumventing website navigation. From a site URL such as “http://site.com/initstep=1” before an authentication event, the attacker might deduce that modifying to “http://site.com/initstep=2” will skip to the next step, circumventing authentication.
- Administrator privileges not protected. Some systems or devices, such as home routers, ship with default username and password. When not changed, an attacker can login to the device and assume administrative privilege.
DDoS Attacks from IoT Devices
DDoS attacks were mentioned in the first chapter, and here the focus is on the emerging trend of larger attacks enabled by the billions of Internet of Things (IoT) devices that provide opportunity for hackers to exponentially increase the size of botnets. They are enabled by web sites with databases of IoT devices that show which are online, with IP addresses and their default credentials. Then there is a database with archive of CVE vulnerabilities, that can be exploited on those devices.
In addition, once compromised, the devices themselves are potential sources of critical information.
While the older social engineering phishing attacks are still alive and well, new methods are evolving using the latest technology. Just like chatbots are increasingly utilizing artificial intelligence to automate communication with messaging and voice assistant platforms, an attacker can use the same technology to socially engineer in real time, increasing the likelihood of eliciting a response.
Social media is another vector gaining popularity with hackers. From sites, such as Facebook and LinkedIn, the attacker can gather information about the target in order to more precisely execute social engineering.
Malware can be distributed automatically with the help of huge botnets. This includes ransomware that disables the target device by encrypting its data until a ransom payment is made. A worrisome threat is the ability of ransomware to go a step further and change the date on the device. Imagine such an attack on IoT devices, such as changing a major intersection stoplight at will or disabling the brakes of an autonomous vehicle.
Security During the Design Phase
A best practice to avoid the application attacks described in the eBook is to incorporate security concerns in the software conception and design phases. Teams that work with user stories can incorporate security stories. The security teams then have an opportunity to do threat modeling against the user stories and proposed architecture, which can lead to identifying new security features or stories. As a result, security threats are identified at an early phase, rather than trying to handle security flaws identified in threat modeling just before the release.
In the face of these daunting security challenges, the good news is that much of the same technology is used to effectively defend against the attacks. In an upcoming post we will explain the advances in Web Application Firewalls that provide protection for the wide variety of attacks.