Crashtest Security Blog

The 6 most important web vulnerabilities that managers need to take care of

Sep 28, 2018 11:04:00 AM / by Leonard Basse

most-important-vulnerabilities

 

The world of IT security can get confusing with all the different vulnerabilities, exploits and newly emerging trends. In this article we summarise and shortly explain the top 6 most important web vulnerabilities that managers need to be aware of and tackle on a constant basis.

Within the last few years we saw a shift in the attention on IT security matters. Especially since major security breaches like Wannacry or NotPetya in 2017, managers are more and more aware of their IT landscape and the measures that need to be taken in order to secure a website. However, many managers and employees still lack a sufficient level of IT security knowledge and even though being avoidable, employees are still the biggest source of security breaches all over the world.

As it usually is not your job to fix the vulnerabilities, we don’t just want to give you a list of critical vulnerabilities (…you can google that) — we want you to understand the impact web vulnerabilities can have on your business (even if you’re not a tech-person). We will also rate each vulnerability according to the Common Vulnerability Scoring System (CVSS) based on the probability that the vulnerability gets exploited, the impact it has on the application (meaning how much the hacker can do) and the overall risk of exploitation. Plus, we will give you a link to our knowledge base, where you can get further technical information on each vulnerability. So let’s get straight to it!

 

SQL Injection

 

An SQL Injection is a way for attackers to inject code instead of text into an input field on a website to access the database in the back-end. This can be the log-in field, giving the hacker access to your client base, or some other form field in which the customer enters confidential data. That way the hacker can gain access to data (such as passwords or usernames) and modify or delete it. This means, both your customer and business data aren’t save anymore. Being so easy to exploit, it is an extremely critical breach commonly used by hacker.

Through an SQL Injection hackers could for example steal credit card information from an online shop, which can then be shared with everybody. As a result, users loose trust in your company, which can extremely harm your business since this would lead to fewer users on your application.

SQL Injections can be prevented by masking all forms on a website and validating any input that users can enter on a web application. To find out more about SQL Injections and how to fix them have a look at our wiki or check out the topic in our webinar series.

 

Command Injection

 

A Command Injection is an attack, where the hacker executes arbitrary commands on the host operating system. Using this technique hackers can do virtually anything on a website up to taking over the entire webserver. As you can imagine this can have a catastrophic impact on your business since it makes your whole web presence vulnerable to attacks.

Hackers can exploit a website through command injections if their input is not filtered and leads directly to parts of the system that allow major changes (e.g. exec() or system()). Here you can check on how to mitigate and fix command injection attacks.

 

File Inclusion

 

 

A file inclusion allows the attacker to include arbitrary files into a web application which may enable the attacker to expose sensitive files. In an extreme form, the attacker may be able to execute malicious code on the webserver and take over the entire system. Again, taking over your entire system can have an impact on every part of your application and drastically reduce your customer trust.

Like with other critical vulnerabilities to prevent a file inclusion, any input needs to be thoroughly checked and validated. For more information on File Inclusion attacks, you can check out the corresponding article.

 

Cross-Site Scripting (XSS) 

 

Cross-Site scripting is the injection of malicious scripts into a web application by a user. These scripts are executed in the browser and allow the hacker to steal user sessions and monitor or alter actions of other users. As a result, customer data can be stolen and users will feel uncomfortable using your application.

This security breach is possible if user code is not sufficiently validated and encoded, so similar to injection attacks this can be prevented through validation and supervision of any user input. How this is technically executed can be seen in our wiki.

 

Cross-Site Request Forgery (CSRF)

 

Cross-Site Request Forgery allows hackers to execute any action in the context of another user. This is because the application does not verify whether the action is supposed to be executed by that specific user and therefore just executes it. An attacker could use this to force users to do something, they didn’t intend to (e.g. signup for a subscription, buy something etc.). So if your application is vulnerable for CSRF, any user action can be altered. This results in user-confusion, mistrust and (if publicly known) in an immense deterioration of your company’s reputation.

Basically this happens through people opening phishing mails and websites which include malicious code. When a user opens such a website without even doing anything else, the CSRF sends an HTTP request and the hacker is able to access, modify or even delete customer or business data. If you’re interested you can see in our wiki how the risk of a CSRF attack can be mitigated.

 

Insufficient Transport Layer Protection (SSL)

 

Many websites use SSL/TLS protection for the Login of users, but if website hosts don’t cover their entire application with these keys to encrypt and protect the traffic on that application, data can be intercepted from that web application. Your business data in the wrong hands can slow down or even stop your operations and your customer data publicly shared or sold has an incredible impact on your company’s public reflection and success in the long run.

Again, the magic rule to security is the validation of any user input that touches the surface of the application.

As the security assessment for this vulnerability can have different implications depending on what has been configured, there is no one solution for all cases, but you can look up the variations of cryptography in our knowledge base.

 

..so where do I begin with IT security?

We have shown you some vulnerabilities that we think are crucial to cover for every web application. As you might not be the one fixing these vulnerabilities what can YOU do?

Luckily, many vulnerabilities can be easily avoided. For an overall better security status we recommend you to do the following:

  • Educate every employee on basic security practices (e.g. phishing avoidance)! An effective tool for this is IT Seal, which can help you raise security awareness.
  • Don’t simply trust, but validate every input!
  • Implement continuous security and be safe at any given time!

For more security best practices you can also have a look at our White Paper!

 

Automated Security

You don’t have the knowledge or resources to prevent security breaches at all times? Then we have good news for you: You don’t need to!

Implementing automated security doesn’t only give you the certainty of being secure at all times, but it also saves you a lot of money. Regular penetration tests take much more time and money than running an automated security test over a website every week.

The Crashtest Security Suite offers a fully automated security scanner that will point out the vulnerabilities found on your web application as well as information on how to remediate these. An additional dashboard will give you the current security status in a single view so that you don’t have to deep dive into the technical topics. You can start using automated security with a free 30-day trial on the Crashtest Security Suite.

Topics: SecurityManagement

Leonard Basse

Written by Leonard Basse

I write about IT Security news, practices and events.