Modern web applications are vastly different from those developers built even a few years ago. New frameworks, dynamic content, and higher customer expectations have driven organizations to develop applications that serve multiple business functions. While many organizations have improved network and infrastructure security, application security is still not a focus for most of them, and flaws continue to emerge. These flaws allow attackers to steal sensitive data and compromise networks, and attackers have identified them as one of the paths of least resistance into an organization. Three common classes of flaws in modern web applications that every business should be aware of are authorization flaws, injection flaws, and framework flaws.
Authorization flaws manifest in many ways within web applications. They break the application's authorization model and result in privilege abuse. The authorization model limits what a user is allowed to do and to access; it is also what keeps unauthenticated users away from application data and out of sensitive areas. Authorization abuse takes the form of illegitimately accessing resources, files, or privileges within an application. Our team recommends conducting web application assessments with multiple user accounts at different privilege levels to discover these flaws, because testing from a single account cannot show whether one user can reach another user's data (a horizontal, or lateral, authorization issue) or whether an ordinary user can reach administrative functions (a vertical one). The screenshot that accompanied this paragraph in the original post showed an intentionally flawed demonstration application in which one user could open the profile of another user. While that example is contrived, similar issues are commonly found during our web application assessments, exposing organizational data.
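The horizontal flaw described above, beside an ownership check that closes it, as an added example that is not code from the original post or from any assessed application. The user and profile records are constructed for illustration, and the access-matrix helper implements the multi-account approach recommended above: every account is tried against every resource and the combinations a non-administrator should never have been granted are reported.

```python
"""Horizontal (lateral) authorization flaw: one user reading another's
profile. Added example with constructed in-memory data; the handler names,
roles and records are assumptions for illustration, not a real application."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


# Constructed sample data: two ordinary users and one administrator.
USERS = {1: User(1, "user"), 2: User(2, "user"), 3: User(3, "admin")}
PROFILES = {
    1: {"email": "alice@example.com", "ssn_last4": "1111"},
    2: {"email": "bob@example.com", "ssn_last4": "2222"},
    3: {"email": "admin@example.com", "ssn_last4": "3333"},
}


def get_profile_vulnerable(session_user: User, profile_id: int) -> dict:
    """Checks only that the caller is logged in. The profile id comes from the
    request, so any authenticated user can read any profile by changing it."""
    if session_user.id not in USERS:
        raise PermissionError("login required")
    return PROFILES[profile_id]


def get_profile_fixed(session_user: User, profile_id: int) -> dict:
    """Authorization is decided server-side from the session identity: a user
    may read only their own profile, an administrator may read any profile."""
    if session_user.id not in USERS:
        raise PermissionError("login required")
    if session_user.role != "admin" and session_user.id != profile_id:
        raise PermissionError("forbidden")
    return PROFILES[profile_id]


def access_matrix(handler) -> dict:
    """Exercise the handler with every account against every profile, the
    multi-account assessment approach; returns {(caller_id, target_id): allowed}."""
    matrix = {}
    for caller in USERS.values():
        for target in PROFILES:
            try:
                handler(caller, target)
                matrix[(caller.id, target)] = True
            except PermissionError:
                matrix[(caller.id, target)] = False
    return matrix


def lateral_violations(matrix: dict) -> list:
    """Pairs where a non-admin caller could read a profile that is not its own."""
    return sorted(
        (caller, target)
        for (caller, target), allowed in matrix.items()
        if allowed and USERS[caller].role != "admin" and caller != target
    )


if __name__ == "__main__":
    print("vulnerable handler:", lateral_violations(access_matrix(get_profile_vulnerable)))
    print("fixed handler:     ", lateral_violations(access_matrix(get_profile_fixed)))
```

The same matrix applied to a real application is the artifact an assessment produces for this flaw class: one row per test account, one column per resource, and every unexpected "allowed" cell is a finding.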
Injection flaws pose a serious risk in web applications. Depending on the type of injection, the impact ranges from extracting data from a database to running code on the host operating system. One of the most common injection flaws is Structured Query Language (SQL) injection, which occurs when user-supplied input is concatenated into a database query, so that the backend database interprets part of the input as SQL rather than as data. Attackers can use open-source tools built to exploit this flaw (sqlmap is the best known) to automate the extraction of sensitive data. The screenshot that accompanied this paragraph in the original post showed data extracted in this way during a recent web application assessment, with the sensitive information blurred.
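The mechanism described above in working code, as an added example that is not from the original post or from any assessed application: a lookup query that splices the client's input into the SQL text, beside the parameterized version, run against an in-memory SQLite table with constructed rows. The two payloads are the classic tautology that returns every row and a UNION that reads the schema catalogue, which is the first step an automated extraction tool takes before pulling the interesting tables.

```python
"""SQL injection in a user-lookup query beside its parameterized fix.
Added example; the table, rows and function names are constructed for
illustration. SQLite stands in for whatever database the application used;
the mechanism is the same on any SQL engine."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, email TEXT, api_key TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "alice", "alice@example.com", "key-alice-0001"),
        (2, "bob",   "bob@example.com",   "key-bob-0002"),
        (3, "carol", "carol@example.com", "key-carol-0003"),
    ])
    return conn


def find_user_vulnerable(conn, username: str) -> list:
    """Input is spliced into the statement text, so the database parses
    whatever the client sends as part of the SQL itself."""
    sql = ("SELECT id, username, email, api_key FROM users "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def find_user_fixed(conn, username: str) -> list:
    """Bound parameter: the value travels separately from the statement and
    is compared as data, never parsed as SQL."""
    sql = "SELECT id, username, email, api_key FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Closes the quoted string and appends a condition that is always true,
# turning a single-user lookup into a dump of the whole table.
TAUTOLOGY = "' OR '1'='1"

# Appends a UNION with the same column count to read the schema catalogue;
# the trailing comment marker swallows the original closing quote.
UNION_SCHEMA = "x' UNION SELECT 1, name, sql, '' FROM sqlite_master--"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology :", find_user_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union     :", find_user_vulnerable(db, UNION_SCHEMA))
    print("fixed, tautology      :", find_user_fixed(db, TAUTOLOGY))
    print("fixed, legitimate     :", find_user_fixed(db, "alice"))
```

Against the parameterized query both payloads are simply usernames that match nothing; against the concatenated query the first returns every row, including every API key, and the second returns the CREATE TABLE statement, which tells an attacker exactly which columns to ask for next.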
Another critical injection flaw found during web application assessments is operating system command injection, which leads to remote code execution (RCE). Here the attacker's input is passed into a command that the web server runs on the underlying operating system. Allowing an attacker to execute arbitrary commands on the host can have a devastating impact: the attacker inherits the privileges of the web server process and everything reachable from that host. When the web server is not segmented into an isolated network, lateral movement follows the RCE, and attackers frequently reach most or all of the internal network from a single compromised web server. The screenshot that accompanied this paragraph in the original post showed a simple example in which attacker-controlled input was executed by the host operating system (in that case, through a command that displays the network configuration of the host).
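A handler of the kind described above, wrapping a network-configuration command, beside a hardened version, as an added example that is not code from the original post or from any assessed application. The command name, the parameter and the validation pattern are assumptions chosen to match the description; the vulnerable version hands a string to a shell, so a semicolon in the parameter starts a second command, while the fixed version validates the parameter against a short allow-list pattern and passes it as a single argv element with no shell involved.

```python
"""OS command injection in a network-diagnostic handler beside a hardened
version. Added example; 'ifconfig' and the interface parameter are assumed
stand-ins for whatever command the real application wrapped."""
import re
import subprocess

# Interface names are short and drawn from a small character set. Anything
# else (spaces, ';', '|', '&', '$', '`', quotes) is rejected before any command
# runs. The first character may not be '-' so the value cannot become a flag.
IFACE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.:-]{0,14}")


def is_safe_interface(iface: str) -> bool:
    """Allow-list validation: True only for a plausible interface name."""
    return IFACE_RE.fullmatch(iface) is not None


def show_interface_vulnerable(iface: str) -> str:
    """Builds a command line and hands it to a shell, so shell metacharacters
    in the parameter are honored: 'eth0; id' also runs 'id' as the web
    server user, and '$(...)' or backticks substitute arbitrary commands."""
    cmd = "ifconfig " + iface
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def show_interface_fixed(iface: str) -> str:
    """Validates first, then passes the value as one argv element with
    shell=False, so it can only ever be the interface-name argument."""
    if not is_safe_interface(iface):
        raise ValueError("invalid interface name")
    result = subprocess.run(["ifconfig", iface], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Whether or not 'ifconfig' exists on this machine, the shell moves on to
    # the injected commands after the ';' and their output lands in stdout.
    payload = "eth0; echo INJECTED; id"
    print("vulnerable handler output:")
    print(show_interface_vulnerable(payload))
    try:
        show_interface_fixed(payload)
    except ValueError as exc:
        print("fixed handler:", exc)
```

Both defences matter. Dropping the shell removes the metacharacter problem, but without the allow-list a value such as `-a` would still be interpreted by the wrapped program as an option, so validate the parameter and avoid the shell rather than choosing one or the other.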
Modern web applications are built on top of complex frameworks to allow for rapid development. These frameworks can contain critical flaws that are outside the control of the developers building applications on them. A notable example is the Apache Struts remote code execution flaw disclosed in 2018, CVE-2018-11776, which affected Struts 2.3 through 2.3.34 and 2.5 through 2.5.16 and was fixed in 2.3.35 and 2.5.17. An earlier Struts remote code execution flaw, CVE-2017-5638, was the entry point for the 2017 Equifax breach, which shows how severe a framework flaw can be even when the application code built on it is sound. During a web application assessment, the underlying framework is examined and feedback is provided when risks are discovered due to issues such as misconfiguration or missing framework updates.
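The framework-version check that an assessment performs for a flaw like this, as an added example that is not code from the original post or from the Apache Struts project: it reads a Maven `pom.xml`, resolves the common `${property}` indirection for the dependency version, and compares the `struts2-core` version against the affected ranges of CVE-2018-11776 stated above. The sample POM and the project coordinates in it are constructed for illustration.

```python
"""Flag a Maven project whose struts2-core dependency falls in the version
ranges affected by CVE-2018-11776 (2.3 through 2.3.34, 2.5 through 2.5.16).
Added example; the sample pom.xml is constructed and the helper names are
assumptions, not part of any real build."""
import re
import xml.etree.ElementTree as ET

# Inclusive (low, high) version ranges from the advisory for CVE-2018-11776.
VULNERABLE_RANGES = [((2, 3, 0), (2, 3, 34)), ((2, 5, 0), (2, 5, 16))]

# Constructed sample: the version is supplied through a property, which is
# how many real POMs declare it and what a naive grep for <version> misses.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>orders-web</artifactId>
  <version>1.0.0</version>
  <properties>
    <struts2.version>2.5.16</struts2.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts2.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(version: str) -> tuple:
    """'2.5.16' -> (2, 5, 16); missing components are treated as 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version: str) -> bool:
    """True when the version lies inside any affected range (inclusive)."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in VULNERABLE_RANGES)


def _local(tag: str) -> str:
    """Strip the Maven XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def struts_core_versions(pom_xml: str) -> list:
    """Return every declared struts2-core version, with ${property} resolved."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in el})
    versions = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if (fields.get("groupId") == "org.apache.struts"
                and fields.get("artifactId") == "struts2-core"):
            version = fields.get("version", "")
            ref = re.fullmatch(r"\$\{(.+)\}", version)
            if ref:
                version = props.get(ref.group(1), version)
            versions.append(version)
    return versions


def audit_pom(pom_xml: str) -> list:
    """List of (version, vulnerable) for each struts2-core dependency found."""
    return [(v, is_vulnerable(v)) for v in struts_core_versions(pom_xml)]


if __name__ == "__main__":
    for version, vulnerable in audit_pom(SAMPLE_POM):
        status = "VULNERABLE to CVE-2018-11776" if vulnerable else "not in affected range"
        print(f"struts2-core {version}: {status}")
```

A version in the affected range is a finding to remediate whether or not the exploit preconditions for this particular CVE are met in the application's configuration; the update is the fix, and the check is only as good as the completeness of the dependency inventory it runs over, so run it against the resolved dependency tree rather than a single POM when transitive dependencies are in play.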
During a recent web application assessment for a software developer, the Elliott Davis Digital Practice discovered an implementation of the Django framework that was used to host an order management system. The order management system allowed users of the web site to submit orders and track their progress. During the assessment, it was discovered that the Django framework was misconfigured in such a way as to allow privilege escalation and account takeover. After taking over the account, our team had complete control of the application and of the customer data hosted within it. This impacted numerous deployments of the application and thousands of users. The software developer was able to address the misconfiguration and the outstanding risk across all of its applications.
We Can Help
Leveraging decades of experience in web application security, our team has been helping organizations identify and address vulnerabilities. Our goal is to help organizations solve these issues before attackers discover them. For more information on web application security assessment services for your business, contact a member of the Elliott Davis Digital Practice.