Web App Vulnerabilities Flying Under Your Radar

Published: 23/11/2024   Category: security




A penetration tester shows how low-severity Web application bugs can have a greater effect than businesses realize.



Organizations could face big problems from seemingly small Web application vulnerabilities. The problem is, many of these bugs fly under the radar because they're not considered severe.
Shandon Lewis, senior Web application penetration tester at Backward Logic, discussed a few of these bugs in his presentation "Vulnerabilities in Web Applications That Are Often Overlooked" at last week's Interop conference. Lewis emphasized the importance of focusing on the bugs attackers are actually likely to use, rather than the zero days that typically make headlines.
In his early days as a red team member, Lewis said he learned zero days were "not the way we get in." The media often focuses on zero-day and stack attacks, he explained, but the most credible threats against a business usually don't come from cybercriminals writing their own bugs. He cited three key ways to virtually guarantee success when breaking into a target: phishing attacks, physical intrusion (walking into a building and planting a device), and weak passwords.
The latter is easier, more cost-effective, and safer for the adversary, Lewis said. In a typical red team operation, he would first identify the attack surface, locate authentication portals, password spray, and access the enterprise with the discovered credentials. "If you have an authentication portal on the edge and somebody logs in with valid credentials, how do you know they're not the user?" he said, adding that he had yet to see a business that could verify this.
There are two components to weak credentials: passwords and usernames. If an attacker doesn't know which username format a business uses (firstname.lastname, for example), his first step is to create a list of popular usernames and passwords. Lewis has found the most common passwords are time-based. Because employees are prompted to change their passwords every few months, they tend to choose time-based options: "Spring2018" and "Spring18" were popular.
"Laziness has gotten a little bit smarter about how it's supposed to be lazy," Lewis joked.
User enumeration, a facilitator vulnerability, enables attackers to guess or confirm valid users on a system. It's typically a Web application vulnerability but can exist on any system that requires people to log in, Rapid7 researchers explain. Attackers hunt for differences in a server's response based on whether the credentials they entered were legitimate. Once they know how the system responds to invalid credentials, they can brute-force usernames and passwords until they unlock the combination that will grant them access to the business.
"Just because it's informational doesn't mean it has zero impact," Lewis said. Informational vulnerabilities, which fall low on the severity scale, expose some information that wasn't designed to be released but has no specific impact on its own. As Venafi researchers put it, informational bugs can provide attackers with additional information about the operational environment, but rarely result in additional compromise of information or resources.
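The response difference that enumeration relies on, as an added example that is not from the article or from Lewis's talk: a minimal password check written two ways. `login_leaky` answers an unknown username differently from a wrong password, which is exactly the difference an enumeration check looks for; `login_uniform` gives one answer for every failure and does the same hashing work whether or not the account exists, so neither the message nor the response time separates the two cases. The user store, the account name and the password are constructed for this example, and `leaks_user_existence` is a self-check a defender can run against either handler.

```python
import hashlib
import hmac
import secrets

# Constructed user store for the example: username -> (salt, PBKDF2 hash).
# Not data from the article; one fake account is enough to show the difference.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

_ALICE_SALT = secrets.token_bytes(16)
USERS = {"alice": (_ALICE_SALT, _hash_password("correct-horse", _ALICE_SALT))}

# Decoy credentials used when the username is unknown, so an unknown user
# costs the same hashing work (and therefore roughly the same time) as a known one.
_DECOY_SALT = secrets.token_bytes(16)
_DECOY_HASH = _hash_password(secrets.token_hex(16), _DECOY_SALT)


def login_leaky(username: str, password: str) -> tuple[int, str]:
    """Vulnerable shape: the server answers differently depending on whether
    the username exists, which lets a caller confirm which accounts are valid."""
    if username not in USERS:
        return 404, "Unknown user"
    salt, stored = USERS[username]
    if _hash_password(password, salt) == stored:
        return 200, "Welcome"
    return 401, "Wrong password"


def login_uniform(username: str, password: str) -> tuple[int, str]:
    """Hardened shape: identical status, message and work for every failure."""
    salt, stored = USERS.get(username, (_DECOY_SALT, _DECOY_HASH))
    candidate = _hash_password(password, salt)
    # Constant-time comparison; the membership test makes sure a decoy match
    # (not reachable, since the decoy password is random) could never log in.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    if ok:
        return 200, "Welcome"
    return 401, "Invalid username or password"


def leaks_user_existence(login) -> bool:
    """Defender's self-check: compare the failure for a username that does not
    exist with the failure for one that does. Any difference is an enumeration
    oracle. Timing is not measured here; the decoy hash above is what evens it."""
    unknown_user = login("nobody", "not-the-password")
    known_user_bad_pw = login("alice", "not-the-password")
    return unknown_user != known_user_bad_pw


if __name__ == "__main__":
    print("leaky handler leaks:", leaks_user_existence(login_leaky))      # True
    print("uniform handler leaks:", leaks_user_existence(login_uniform))  # False
```

The same check applies to registration and password-reset endpoints, which are the other common places a "that account does not exist" message slips through; a real deployment would also log the failed attempts so that the pattern in the next section can be spotted.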
This wasn't the only bug Lewis discussed in his presentation. Other examples of Web application vulnerabilities included the lack of rate limiting, which he said was a fairly unknown bug among those who haven't been in the industry a long time. This happens when an app performs a function but fails to recognize that it has already done so, or performs it repeatedly. "This is a very prevalent problem," he explained, but one most businesses don't care much about.
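The throttling that Lewis says most businesses do not bother with, as an added example that is not from the article or the talk: a sliding-window limiter that counts failed logins per account and per source address. It also covers the spraying pattern described earlier in the piece, because one guess against many accounts never trips a per-account lockout, so the per-source budget is what actually stops it. The limits, the window, the addresses (RFC 5737 documentation ranges) and the attempt sequences are all constructed here.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300       # constructed: 5-minute sliding window
PER_ACCOUNT_LIMIT = 5      # constructed: failures per account per window
PER_SOURCE_LIMIT = 20      # constructed: failures per source address per window


class LoginRateLimiter:
    """Sliding-window counter of failed logins, keyed by account and by source."""

    def __init__(self, window=WINDOW_SECONDS, per_account=PER_ACCOUNT_LIMIT,
                 per_source=PER_SOURCE_LIMIT):
        self.window = window
        self.per_account = per_account
        self.per_source = per_source
        self._by_account = defaultdict(deque)   # username -> failure timestamps
        self._by_source = defaultdict(deque)    # source address -> failure timestamps

    def _prune(self, stamps, now):
        # Drop failures that have aged out of the window.
        while stamps and stamps[0] <= now - self.window:
            stamps.popleft()

    def allow(self, source, username, now):
        """True if the attempt may be processed, False if it should be throttled."""
        acct, src = self._by_account[username], self._by_source[source]
        self._prune(acct, now)
        self._prune(src, now)
        return len(acct) < self.per_account and len(src) < self.per_source

    def record_failure(self, source, username, now):
        self._by_account[username].append(now)
        self._by_source[source].append(now)


def simulate(attempts, limiter=None):
    """Replay (timestamp, source, username, succeeded) tuples through the limiter
    and return (allowed, throttled) counts. Only attempts that are allowed and
    then fail count against the budgets; successful logins do not."""
    if limiter is None:
        limiter = LoginRateLimiter()
    allowed = throttled = 0
    for ts, source, username, succeeded in attempts:
        if not limiter.allow(source, username, ts):
            throttled += 1
            continue
        allowed += 1
        if not succeeded:
            limiter.record_failure(source, username, ts)
    return allowed, throttled


# Constructed traffic, not real logs.
# Spray shape: one failed guess against each of 30 accounts, one source, one per second.
SPRAY = [(t, "203.0.113.9", f"user{t:02d}", False) for t in range(30)]
# Single-account guessing: eight failures against one account from one source.
BRUTE = [(t, "198.51.100.4", "alice", False) for t in range(8)]
# A real user of a sprayed account logging in from elsewhere while the spray is running.
LEGIT_DURING = [(31, "192.0.2.1", "user05", True)]
# alice logging in from elsewhere once the window around the brute-force has passed.
LEGIT_LATER = [(WINDOW_SECONDS + 60, "192.0.2.1", "alice", True)]


if __name__ == "__main__":
    print("spray:", simulate(SPRAY))   # (20, 10): the per-source budget stops it
    print("brute:", simulate(BRUTE))   # (5, 3): the per-account budget stops it
```

Keying on both dimensions matters: a per-account counter alone is blind to a spray, and a per-source counter alone is blind to guessing spread across many addresses, which is why the example keeps a legitimate user of a sprayed account (`LEGIT_DURING`) unaffected while still cutting the spray off at the source budget.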