Attacks on web applications were one of the top concerns regarding data disclosure in the Verizon 2014 Data Breach Investigations Report (DBIR). These incidents were carried out primarily through exploits of vulnerabilities in input validation and authentication affecting common content management systems like Joomla!, WordPress, and Drupal.
The report notes that these types of attacks are not only a reliable method for hackers, but also fast with 60% of the compromises taking a few minutes or less. With web applications commonly serving as an organization’s public face to the Internet, the ease of exploiting web-based vulnerabilities is alarming.
The DBIR report recommends fixing the vulnerabilities before attackers find them, but how do you find these vulnerabilities before the bad guys do are off with your data in a matter of minutes? One approach to identifying web application vulnerabilities is the Open Web Application Security Project (OWASP) Top 10 document that aims to raise awareness around the top 10 most critical security flaws in web application.
Right at the top of the OWASP Top 10 you’ll find “Injection,” as in the SQL injection called out in the DBIR. Injection vulnerabilities are a very common security weakness and extremely easy to exploit without tools by using simple text based commands.
The best way to avoid web based attacks like SQL injection are secure programming practices to prevent the vulnerability in the first place, but secure programming must take place during development of the web application. What about web applications that are already in production that may contain vulnerabilities like SQL injection?
Vulnerabilities in widely used web applications like WordPress or Drupal will likely receive attention by security researchers, and vulnerability management vendors will likely include checks in their products.
However, traditional vulnerability scanners are unlikely to find vulnerabilities in lesser known and bespoke web applications if security research teams aren’t paying attention to them (or don’t know of their existence, in the case of web apps built in-house).
Using a vulnerability management solution like Tripwire WebApp360 that includes coverage in each area of the OWASP Top 10 can help identify vulnerabilities in web applications in production environments, even for custom or lesser-known web applications.
Unlike traditional vulnerability checks, web app vulnerability scanners take a heuristic as opposed to rule-based approach to finding undocumented vulnerabilities in web applications. The result is finding these issues on your network before the hackers do so you can take steps to remediate or mitigate the risk.
- Verizon DBIR: 2013 Data Breach Review
- Verizon 2014 DBIR: Hide Your Servers and Call the Cops
- Stopping the Heartbleed
- Detecting Heartbleed Exploits in Real-Time
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock