Web Application Threats: Mapping Out Your Attack Surface

Navigating the murky world of modern web applications can be a minefield from a cybersecurity standpoint. Many of these critical applications contain a labyrinth of layers, and if not designed with security in mind, they can be a breeding ground for vulnerabilities.

Therefore, it is essential for organizations to locate and understand any aspect that may be exploited as an entry point by an experienced hacker. In order to do this, security teams must gain a better understanding of weakness in their application architecture in order to reduce their overall attack surface.

Usually, the web application is where customer personally identifiable information (PII), and privileged financial data is collected and stored. This information is not only incredibly valuable for day to day business operations, but are also protected by international cross-regulatory requirements and, failure to comply can result in hefty fines as well as substantial loss of customer trust and negative publicity.

Furthermore, as the majority of businesses prioritized operational continuity in the wake of the “new normal” of working from home, many applications were left under-secured due to restraints on resources and time.

However, this misguided approach may directly correlate with the rising trend of poor cybersecurity hygiene amongst remote workers in the UK. When you combine this security-apathy with the determination of cyber-criminals, you have a dangerous concoction.

Cyber-criminals are always advancing their tactics to break into web applications to extract personal data. Some may think that basic user controls and web application firewall (WAF) alone will prevent a disastrous scenario, but unfortunately no one is immune from these simple application exploits.

It has been documented as to how dangerous web application attacks can be for businesses, with more than two-fifths of all data breaches (43%) in 2019 linked to this threat. Furthermore, they are the single greatest cause of data breaches according to the Verizon DBIR 2020 report.

Cyber-criminals are known for carrying out their due diligence and will go to great lengths when selecting a target, meticulously gathering information on their potential victim, isolating weak spots in the systems before initiating an attack. Businesses that fail to address potential issues within their online infrastructure are underestimating the will of the modern hacker.

Even the slightest error could give a hacker a foothold in your system, or within sight to your pot of gold without you noticing.

It is important to remember that there is no one-size-fits-all solution when it comes to patching web applications, so an intrinsic understanding of the key infrastructure is essential for protecting sensitive information.

Attack Surface Mapping and Mitigation

So, how might security teams successfully map the entire attack surface of the web application and identify the critical attack vectors before it’s too late? This can be broken down into three key stages, starting with application discovery. Organizations should have an inventory of what critical web apps they own, and where they are most likely to be exposed.

Here in lies a problem as the number of apps and associated vulnerabilities could easily be in the thousands, especially in larger organizations where shadow IT is more prevalent, so it’s vital to locate the publicly exposed web apps at a regular cadence to shed light on potential blind spots.

The next course of action is to review the risk level of web applications identified against the seven most frequently exploited attack routes that hackers use against software vulnerabilities:

  • Firstly, you have security mechanisms, which determines how web traffic between users and the application is secured.
  • Next, comes the method in which the page was created as depending on what coding language and web design program is used, could reveal more security issues.
  • The third attack route is named the degree of distribution and correlates to the number of pages created as the more pages made equates to there being more potential to encounter issues and so all pages must be monitored.
  • Authentication spoofing is at four and states verification of the identity of a legitimate user accessing the web application is necessary with all access privileges reviewed and should be restricted to only those that need it otherwise anyone can gain entry.
  • Input vectors are also an issue with the more input fields, the greater likelihood the attack surface will increase which can lead to cross site scripting attacks.
  • At number six we have active contents which are used when applications run scripts, it initiates active contents and depending on the way those scripts have been implemented, the attack surface could increase if a website has been developed using multiple active content technologies.
  • Lastly, the seventh attack vector is cookies, which are needed to allow for real time application security to monitor for session activity, which is beneficial in order to mitigate unauthorized access, especially against cyber-criminals.

Securing the Crown Jewels

When the web applications have been corroborated against the seven vectors discussed above, one must correlate the results against temporal (business criticality) and environmental (frequency of updates) in order to determine the overall risk posture. When the knowledge regarding the total addressable attack surface is obtained, including areas of weakness and strength, security teams will have the ammunition required to put in place the security controls.

Security teams will then have the necessary data, once the risks scores have been mapped, to implement effective and continuous application testing within the security defense and deliver return on investment.

What’s Hot on Infosecurity Magazine?