Crashtest Security Blog

5 Ways to Screw Up Your Website Security

Oct 29, 2020 3:00:00 PM / by Leon O'Neill

This was a lot of fun. Ask a DevSecOps engineer “how do I screw up my website security?” and you better take a seat, because the answer will take a while. In short there are lots of ways your security can go wrong. Some mistakes are more critical than others and while many of the pitfalls are widely known, nothing stays still - new vulnerabilities are discovered each day.

If you are not a developer, some of these issues may be too technical, some basic starting points would be HTTP vs HTTPs, we have also written a piece on the cyber security basics. This is also only a distilled version, if you have any other ways to screw up your website security please let me know, I'd love to hear! 

 

So here it is 5 ways you can screw up your website security: 

 

  1. Using Wordpress without thinking about security
  2. Arbitrary File Download
  3. Unrestricted File Uploads
  4. Insecure Deserialization 
  5. XML External Entitiy (XEE)

 

1. Using WordPress without thinking about Security

Wordpress has made it extremely easy to create a website. For developers and non developers alike it grants the ability to scale  with an endless amount of plugins and templates to complement whatever type of website you’re building. However the accessibility wordpress creates opens it up to some pretty severe vulnerabilities not to mention any vulnerabilities potentially lurking in plugins or themes you are using within your site.

Here are just a few examples: 

Exploiting the xmlrpc.php on all WordPress versions
XML-RPC on WordPress is actually an API that allows developers who make 3rd party applications. XML-RPC is included on all standard wordpress packages but opens up two kind of attack vectors: 
  • XML-RPC pingbacks
  • Brute force attacks via XML-RPC

Unpatched DOS flaw could help anyone take down your website - This vulnerability affects all versions of wordpress and can be considered critical. 

“The vulnerability resides in the way "load-scripts.php," a built-in script in WordPress CMS, processes user-defined requests. However, to make "load-scripts.php" work on the admin login page (wp-login.php) before login, WordPress authors did not keep any authentication in place, eventually making the feature accessible to anyone.”

- The Hacker News

Using a simple script you can begin to force load-scripts.php to call all JavaScript files in one go. In short it’s a lightweight DOS attack that has the ability to take down your website with minimal effort. 

Is your site powered by Wordpress?

For small business with limited resources, covering the basics (updating versions, patches, only using reputable plugins) should be a good start - more advanced developers & cybersecurity professionals should treat wordpress like any software tool and stay up to date with the latest patch releases and news on CVEs.

If your site is powered by Wordpress, our scanner will pick up any CVEs associated with versions, a free quick scan only takes a minute!

 

More Resources to get started:

https://www.codeinwp.com/blog/secure-your-wordpress-website/

https://secure.wphackedhelp.com/blog/wordpress-security-tips-2019/

 

2. Arbitrary File Download

There is a strong possibility that your website provides a download link for some form of content (e.g brochure, whitepapers etc.). If the requested file isn’t checked by the web application then this functionality can be used to download all types of files, including your most sensitive ones. 

Arbitrary File Download

- Infosec institute

 

Infosec institute has a comprehensive guide on Arbitrary file download and how to prevent it here

 

3. Unrestricted File Uploads

Uploading functionalities can also expose you to critical vulnerabilities. With an unrestricted file upload an attacker could upload a web shell. With a webshell the attacker can execute any command on the system. Weevely3 is an example of such a web shell. 

The consequences range from bad to the very worst, system takeover, defacement, overloaded database are all potential outcomes. 

The OWASP guide has a wealth of knowledge on potential attack vectors and steps to protect yourself from unrestricted file uploads.

4. Insecure Deserialization

Insecure Deserialization is an attack where a manipulated object is injected into the context of the web application. It is not a particularly common vulnerability but if exploited then it can lead to remote code execution, which is one of the severe attacks your web application can face.

Security Assessment of insecure deserialization

Security assessment of Insecure Deserialization

Thankfully you can scan your web application for insecure deserialization using the Crashtest Security suite, when testing for insecure deserialization vulnerabilities it is best to scan your application in a dynamic state. As a DAST (Dynamic application scanning tool) we view your application in the exact same way an attacker would. 

Read more about insecure deserialization, remediation and prevention tips on our wiki here.

5. XML External Entity (XXE) Processing

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URl handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

OWASP has produced an XML External Entity Cheatsheet to help you prevent what could be a critical vulnerability. You can also detect XXE vulnerabilities with the Crashtest Security Suite. 

 

Crashtest Security is designed to give you enterprise grade scans and results with easy functionality. Saving you and your Dev team a lot of time and hassle. Try a completely free 14 day trial and secure your web applications. 

 

Leon O'Neill

Written by Leon O'Neill

Marketing @ Crashtest Security

For more information on all topics around continuous security, visit our continuous security page:

Continuous Security Topics