Top Web Application Vulnerabilities - Beyond Security

Never-ending Vulnerabilities

The digital age has opened the door for a seemingly endless number of cybersecurity vulnerabilities.    In order to keep track, Open Web Application Security Project® (OWASP),  provides a top 10 list of known and newly discovered vulnerabilities. Focused on software security, OWASP is an online community that provides documentation and other reference tools to help IT Professionals stay up-to-date on web security trends, It is well known for its OWASP Top 10 list, which features what are broadly agreed to be the most critical web application security risks. 

The sheer volume of vulnerabilities makes an adaptable, layered cybersecurity solution more important than ever.  While some vulnerabilities are latent and low on the scale of exploitation, we do keep a list of active and highly exploitable vulnerabilities.

Broken Access Control

Access control is a security setting that grants permissions for users of a certain security level. Broken access control lets attackers impersonate or bypass user permissions and access high-level, sensitive information and data that’s above their permission setting. This leads to data corruption, loss, and modifications. 

Cryptographic Failures and Sensitive Data Exposure

 A sensitive data exposure happens when a company exposes its sensitive data unknowingly. This data exposure can lead to sensitive data being destroyed, tampered with, or illegally leaked. This type of exposure occurs when there is faulty database protection, access misconfigurations, and incorrectly used data systems.  

Sensitive data exposure can be: 

  • Confidentiality breach, which is unauthorized disclosure of sensitive data. 
  • Integrity breach, where sensitive data undergoes alteration. 
  • Availability breach, when sensitive data is temporarily or permanently destroyed, unavailable, or inaccessible. 

Injection Vulnerabilities and Cross Site Scripting

An injection vulnerability is a weakness in an application where an attacker can inject coding or partial code and compromises backend systems and clients connected to that application. 

This attack can allow a cybercriminal to target and execute system calls on connected machines, compromise backend data storage, hijack user sessions, and/or imitate or force actions as other users. These attacks are not difficult to use against an application. Application scanning during development and after launch helps detect known and unknown flaws that can be corrupted. 

Cross Site Scripting

Cross-Site scripting, also known as XSS, is a type of code injection attack, malicious scripting is injected into a trusted website. A web application sends this malicious code, typically as a browser side scripting, to an end user. The weaknesses this code creates a site-wide attack range, whenever this specific web application is being used as an input point for users on the website. 

The end user doesn’t see the malicious XSS script, and their browser believes it’s coming from a trusted source, executes the script, and then that attack script can access cookies, session tokens, and other sensitive data that is being stored in that browser.

Insecure Design

Insecure Design represents a large variety of weaknesses.  Factors that make a design insecure are the lack of business risk profiling within the software and system being developed, which leads to weaknesses depending on the level of security required in the design.  Insecure Design is listed as “missing or ineffective control over design”.  Insecure design is different from Insecure Implementation because design flaws aren’t in the same category as implementation defects.  The base causes for each weakness requires a different remediation solution.  Secure design can still have implementation defects and insecure design isn’t fixed with perfect implementation. 

Security Misconfiguration and XML External Entities

Security misconfigurations are when there are no security settings implemented or the ones that have been put in place have errors within the settings. Many security errors happen when a system admin doesn’t update, change, or enable a device or application security system. 

Leaving security settings in the default position, not engaging them, or not reverting temporary configurations can leave easy vulnerability access. Other errors that can leave security settings wide-open are unpatched flaws, unused pages, unnecessary features, inadequate control access, disabled antivirus, vulnerable XML files, and poor hardware management. 

XML External Entities

An XML External Entity attack occurs when an application uses an XML input that has a weak configured parser. An XML entity is a type of data storage system that can access remote and local data through a system identifier. This type of attack is part of the application processing the XML file, an attacker uses the application’s trust to maliciously redirect to other unprotected internal systems. A successful breach can expose confidential data, create a denial-of-service error, expose server-side forgery requests, and parser machine port scanning. 

Vulnerable Outdated Components

Open-source applications can contain known vulnerabilities and organizations that utilize these components can have weaknesses they’re unaware of.  Cyberattackers search for these applications and APIs and create an easy target without creating a new, specific attack.  Staying up to date on the latest updates and patches along with the right cybersecurity can help eliminate these unknown threats. 

Identification and Authentication Failures and Broken Authentication

Broken authentication attacks try to use an existing account to give the attacker high-level privileges to enter higher secure data areas. Authentication is broken when passwords, session token keys, account information, or user identities are compromised. 

Poorly implemented session and authentication management are the top reasons this vulnerability is widely exploited. If the access controls have predictable login credentials, unprotected authentication credentials, exposed session IDs, no logout time outs, or login information that’s transmitted over unencrypted connections, then there’s a chance an attacker and use any of these credentials to bypass security and access sensitive data.  

Software and Data Integrity Failures and Insecure Deserialization 

Considered one of the biggest critical security vulnerabilities, insecure deserialization bugs are one of the most dangerous and difficult to defend against.  Insecure deserialization is created by an attacker that manipulates a serialized object to cause unpredictable consequences within programming.  This code can be remotely executed and can grant cybercriminals a wide range of capabilities with that application. 

There are multiple factors to prevent this type of attack, unique to the organizational security implemented.  There is no “one size fits all” in security, but, creating a layered offensive security bundle is the best way to ensure strong security against this attack. 

Security Monitoring and Logging Failures and Insufficient Logging and Monitoring

Security admins use logging and monitoring to help detect potential threats through analyzing patterns and finding abnormal ones. This is the basis for all cybersecurity. However, with insufficient logging and monitoring, an organization is left wide open to an attack. Attacks that can circumvent insufficient logging and monitoring rank incredibly high when it comes to the considerable damage that can be caused. Almost every major security incident that occurs from an exploitation like this is major. Without sufficient logging and monitoring, the attack surface area is wide-open leaving multiple targets vulnerable to maximum damage that’s nearly undetectable. 

Server-Side Request Forgery (SSRF) NEW 2021

Server-Side Request Forgery (SSRF) happens when a web application fetches a remote resources and doesn’t validate the given URL.  Attackers can use this URL application to send a customized request that sends the request to an unexpected destination.  Firewall, VPN, and other types of network access cannot protect against this type of cyberattack. 

Modern web applications have convenient features that direct end-users, which makes an SSRF attack much more commonplace.  The severity of an SSRF attack is incredibly high because of the complexity of cloud features and services.

Vulnerability Solutions

There’s no single quick fix for security vulnerabilities.  It may be necessary to have a suite of scanning and assessment solutions, depending on the application development cycle.

BeSECURE is a powerful yet flexible vulnerability management solution.  Designed with simplicity in mind, it balances speed and accuracy so your IT department can maximize their time prioritizing the biggest security threats.  

BeSTORM is a dynamic application security tool (DAST) that includes a Black Box Fuzzer, enabling it to attack your network and applications the same way a criminal would.  Black Box Fuzzing creates real-world scenarios before a product is launched, so weaknesses can be found in the developmental phase, and remediate before deployment.   

BeSOURCE is a static application security tool (SAST) that can be integrated into the DevOps and SecOps.  SAST security tests differently than DAST, instead of real-world attacking capabilities, it’s a guided, planned route attack strategy.  Adding a guided security solution into the continuous integration/continuous delivery development function helps discover known scanned application vulnerabilities before a product is released. 

Frontline Web Application Security (WAS) scans web application data and transactions, keeping them secure.  Frontline WAS delivers unrivaled accuracy and has minimal resource usage.  Frontline WAS is easy to deploy and maintain, making it a favorite of security professionals.  The accurate scanning results and simplicity makes it one of the best web application scanning tools. 

Frontline Web Application Penetration Test (WAPT) tests web applications that have been internally developed and third-party applications to identify and discover potential weaknesses.  Not just a software scan, Frontline WAPT uses a variety of automated tools to detect SQL insertion, improper character filtering, cross-site scripting, buffer overflows, and more.

Most Common High Risk Vulnerabilities:

  1. Microsoft Windows HTTP.sys Code Execution Vulnerability
  2. OpenSSH Trusted X11 Cookie Connection Policy Bypass Vulnerability
  3. OpenSSH Privilege Separation Monitor Weakness
  4. OpenSSL Running Version Prior to 0.9.8zc POODLE
  5. Mountable NFS Shares
  6. Apache APR apr_palloc Heap Overflow
  7. .NET Framework and Microsoft Silverlight Allows Code Execution (MS11-039)
  8. Combined Security Update(MS12-034)
  9. Internet Explorer 8 Allows Code Execution(KB2847140)
  10. Cisco SSH Malformed Packet DoS
  11. Insecure Library Loading Allows Code Execution (KB2269637)
  12. Vulnerabilities in Windows Kernel-Mode Drivers Allow Elevation of Privilege (MS12-047)
  13. Vulnerabilities in Elevation of Privilege Using Windows Service Isolation Bypass (982316)
  14. PHP Running Version Prior to 5.2.15
  15. Unauthorized Digital Certificates Allow Spoofing (KB2728973)
  16. VMware ESX Running Version Prior to 4.1
  17. OpenSSL Running Version Prior to 1.0.1i
  18. Oracle Java SE Multiple Vulnerabilities (October 2010 CPU)
  19. Oracle Java SE Multiple Vulnerabilities (June 2011 CPU)
  20. Multiple Vendor IPMI ‘cipher zero’ Authentication Bypass Vulnerability
  21. Vulnerabilities in MySQL Unsupported Version Detection
  22. Vulnerabilities in Server Service Allows Code Execution (MS08-067, Network)
  23. Vulnerabilities in Group Policy Allows Code Execution (MS15-011)
  24. Vulnerabilities in Apache Running Version Prior to 2.2.28
  25. Vulnerabilities in PHP CGI Query String Code Execution
  26. Vulnerabilities in SQL Injection
  27. Vulnerabilities in Cross Site Scripting
  28. Vulnerabilities in Custom Web Code
  29. Vulnerabilities in VMware ESXi 3.5
  30. Vulnerabilities in PHP Running Version Prior to 5.3.11
  31. Vulnerabilities in NSClient Default Password
  32. Vulnerabilities in PHP Unsupported Version Detection
  33. .NET Framework Allows Code Execution (MS11-044)
  34. .NET Framework Allows Code Execution (MS11-028)
  35. Vulnerabilities in Microsoft XML Core Services Allows Code Execution (KB2719615)
  36. Vulnerabilities in Microsoft SQL Server Allows Code Execution (MS09-004,KB959420)
  37. Vulnerabilities in PHP Running Version Prior to 5.3.26
  38. Vulnerabilities in PHP Running Version Prior to 5.3.22
  39. Vulnerabilities in .NET Framework and Microsoft Silverlight Allow Code Execution (MS12-016)
  40. Vulnerabilities in Flash Player Running Version Prior to 10.3.183.75 / 11.7.700.169 (APSB13-14)
  41. Vulnerabilities in Remote Portmapper Forwards NFS Requests
  42. Flash Player Running Version Prior to 11.7.700.232 / 11.8.800.94 (APSB13-17)
  43. Windows 2000 Unsupported Installation Detection
  44. Flash Player Running Version Prior to 10.3.183.68 / 11.6.602.180 (APSB13-09)
  45. Flash Player Running Version Prior to 10.3.183.75 / 11.7.700.169 (APSB13-11)
  46. Flash Player Running Version Prior to 10.3.183.15 / 11.7.102.62 (APSB12-05)
  47. Flash Player Running Versions Prior to 10.3.183.15 / 11.1.102.62 (APSB12-03)
  48. Flash Player Running Versions Prior to 10.3.183.10 / 11.0.1.152 (APSB11-28)
  49. Flash Player Running Version Prior to 10.3.183.67 / 11.6.602.171 (APSB13-08)
  50. Flash Player Running Version Prior to 10.3.183.51 / 11.5.502.149 (APSB13-05)
  51. Flash Player Running Version Prior to 10.3.183.50 / 11.5.502.146 (APSB13-04)
  52. Sun Java JRE Unsupported Version
  53. Flash Player Running Version Prior to 10.3.183.7 (APSB11-26)
  54. PHP Running Version Prior to 5.3.13
  55. Flash Player Running Version Prior to 10.3.183.43 / 11.5.502.110 (APSB12-27)
  56. Flash Player Running Version Prior to 10.3.183.48 / 11.5.502.135 (APSB13-01)
  57. Flash Player Running Version Prior to 10.3.183.43 / 11.5.502.110 (APSB12-24)
  58. Flash Player Running Version Prior to 10.3.183.24 / 11.4.402.279 (APSB12-22)
  59. Flash Player Running Version Prior to 10.3.183.23 / 11.4.402.265 (APSB12-19)
  60. PHP Running Version Prior to 5.3.14
  61. Flash Player Object Confusion Vulnerability (APSB12-09)
  62. Flash Player Running Version Prior to 10.3.183.19 / 11.3.300.256 (APSB12-14)
  63. Flash Player Running Version Prior to 10.3.183.5 (APSB11-21)
  64. Flash Player Running Version Prior to 10.3.181.26 (APSB11-18)
  65. Flash Player Unspecified Memory Corruption (APSA11-01)
  66. Flash Player Running Version Prior to 10.3.181.14 (APSB11-12)
  67. Flash Player Running Version Prior to 10.2.152.26 (APSB11-02)
  68. PHP Running Version Prior to 5.4.17
  69. Flash Player Unspecified Code Execution (APSB10-22)
  70. Adobe Flash Player Multiple Vulnerabilities (APSB10-26)
  71. Adobe Flash Player Multiple Vulnerabilities (ASPB10-14)
  72. Vulnerability in .NET Framework and Microsoft Silverlight Allow Code Execution (MS11-078)
  73. Vulnerability in HTTP.sys Allows Remote Code Execution (MS15-034, Network Check)
  74. OpenSSH Running Version Prior to 7.0
  75. Obsolete Web Server Software Detection
  76. Lighttpd ‘hostname’ Directory Traversal and SQLi Vulnerabilities
  77. .NET Framework Allow Code Execution (MS12-035)
  78. Samba CAP_DAC_OVERRIDE File Permission Security Bypass (Network)
  79. PHP Running Version Prior to 5.3.15
  80. Vulnerability in Microsoft Malware Protection Engine Allows Code Execution (KB2846338)
  81. Microsoft Malware Protection Engine (MMPE) Privilege Escalation (2491888)
  82. Dropbear SSH Server Channel Concurrency Use-after-free Code Execution
  83. Proxy Allows Gopher:// Requests
  84. Cisco IOS Software Processing of SAA Packets Flaw
  85. SNMP Disclosure of HP JetDirect EWS Password
  86. Dabber Worm Detection (MS04-011)
  87. PHP Running Version Prior to 5.3.2_5.2.13
  88. Flash Player Multiple Memory Corruption Vulnerabilities (APSB12-07)
  89. Microsoft Windows SMB2 ‘_Smb2ValidateProviderCallback()’ Vulnerability (MS09-050, Network Check)
  90. Microsoft SQL Server Blank Password
  91. statd RPC Format String
  92. HP StorageWorks MSA P2000 Hidden ‘admin’ User Default Credentials
  93. Vulnerabilities in .NET Framework Allows Code Execution (MS12-038)
  94. radmin Detection
  95. Vulnerabilities in .NET Framework Allow Code Execution (MS12-074)
  96. Flash Player ActionScript Predefined Class Prototype Addition Code Execution (APSB11-07)
  97. NFS Shares World Readable
  98. Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program (KB3097617)
  99. NVIDIA Display Driver Service Stack Buffer Overflow (Registry)
  100. Flash Player Memory Corruption (APSB13-16)

Most Common Medium Risk Vulnerabilities:

  1. SMB Listens on Port
  2. Windows Terminal Service Detection
  3. Microsoft Windows Remote Desktop Protocol Server Private Key Disclosure
  4. SMB Signing Disabled
  5. Deprecated SSL Protocol Usage
  6. Source Disclosure
  7. Shared Directory Access (Login)
  8. SSL Medium Strength Cipher Suites Supported
  9. Default Community Names (SNMP Agent)
  10. Microsoft’s SQL TCP/IP Listener
  11. SNMPwalk Port Scanner
  12. VNC Security Types Detection
  13. AutoComplete Not Disabled
  14. Unencrypted Telnet Server
  15. Obtain Network Interfaces List via SNMP
  16. SSL Suites Weak Ciphers
  17. SNMP Agent Default Community Name (public)
  18. SSL Certificate Expiry
  19. Database Reachable from the Internet
  20. Non-SSL Login
  21. Vulnerabilities in SQL Server Allows Elevation of Privilege (MS12-070, Network)
  22. Microsoft IIS Tilde Character Information Disclosure Vulnerability
  23. LDAP Null Directory Bases
  24. Appweb Insecure SSL Renegotiation
  25. Web Server Cross Site Scripting
  26. DNS Server Allows Recursive Queries
  27. WebDAV Detection
  28. Linux Kernel UDP Implementation IP Identification Field OS Disclosure
  29. SSH Protocol Version 1 Detection
  30. MS SQL Server Resolution Service Amplification Reflected DRDoS Vulnerability
  31. SMB Shares Enumeration
  32. Apache HTTP Server Range Header Denial of Service Vulnerability (DoS)
  33. PHP expose_php Information Disclosure
  34. Apache HTTP Server Byte Range DoS
  35. SMTP Service Cleartext Login Permitted
  36. Apache UserDir Sensitive Information Disclosure
  37. Obtain Processes List via SNMP
  38. Remotely Accessible Registry
  39. OpenSSL Heartbeat Vulnerability (Heartbleed)
  40. Apache mod_negotiation Multi-Line Filename Upload Vulnerabilities
  41. Microsoft ASP.NET Information Disclosure Vulnerability (Network, MS10-070)
  42. Apache Running Version Prior to 2.2.25
  43. Apache Running Version Prior to 2.2.24
  44. Apache Running Version Prior to 2.2.23
  45. Shell Detection
  46. Shared Directory Access (Share Access)
  47. Guest Account Accessible (SMB)
  48. Oracle tnslsnr Version Detection
  49. Apache mod_suexec Multiple Privilege Escalation Vulnerabilities
  50. Credit Card Information
  51. Apache Running Version Prior to 2.2.22
  52. OpenSSH S/KEY Authentication Account Enumeration
  53. ntpd Mode 7 Error Response Packet Loop DoS
  54. Enumerate LANMAN Services via SNMP
  55. Apache Running Version Prior to 2.2.27
  56. Enumerate LANMAN Users via SNMP
  57. OpenSSL Running Version Prior to 0.9.8za
  58. SMB Host SID User Enumeration
  59. OpenSSH Multiple Vulnerabilities
  60. SMB Users Listing
  61. Enumerate LANMAN Shares via SNMP
  62. Passwordless Lexmark Printer
  63. Apache Tomcat Transfer-Encoding Header Vulnerability
  64. Apache mod_proxy_ajp DoS
  65. Users in the ‘Admin’ Group
  66. NFS Server Superfluous
  67. OpenSSH X11 Session Hijacking Vulnerability
  68. Unsupported Microsoft XML Parser (MSXML) and XML Core Services
  69. Apache APR apr_fnmatch DoS
  70. Fraudulent Digital Certificates Allow Spoofing (KB2524375)
  71. OpenSSH ‘ForceCommand’ Directive Bypass
  72. Remotely Accessible Registry (Full Access)
  73. Vulnerability in Microsoft XML Core Services Allow sCode Execution (MS07-042)
  74. IIS Sensitive Authentication Information Disclosure
  75. rsh Detection
  76. Citrix Server Detection
  77. SMTP Server Listening on a Non-Default Port
  78. Source Disclosure
  79. Missing X-Frame-Options Response
  80. HSTS Missing From HTTPS Server
  81. Malformed Bind Request (LDAP Anonymous)
  82. LDAP NT Search Request Information Retrieval
  83. SSL RC4 Cipher Suites Supported
  84. SSLv3 Padding Oracle On Downgraded Legacy Encryption (POODLE)
  85. Web Application Cookies Lack Secure Flag
  86. pcAnywhere Detection
  87. Web Application Cookies Lack HttpOnly Flag
  88. SSL Certificate is a Self Signed
  89. Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration Without Credentials
  90. Microsoft Windows SMB Shares Unprivileged Access
  91. HP System Management Homepage Cross-site Request Forgery
  92. DNS Amplification
  93. OpenSSL Running Version Prior to 0.9.8zb
  94. Microsoft Windows Kernel Win32k.sys PATHRECORD chain Multiple Vulnerabilities
  95. VNC Server Authentication-less
  96. SMB Use Host SID to Enumerate Local Users Without Credentials
  97. Vulnerability in MHTML Allows Information Disclosure (MS11-037)
  98. OpenSSL Running Version Prior to 0.9.8zf
  99. Directory Disclosure
  100. phpCMS parser.php XSS
  101. Chargen Detection
  102. My Little Forum Cross Site Scripting
  103. Keene Digital Media Server XSS
  104. WebCam Watchdog sresult.exe XSS
  105. Faq-O-Matic fom.cgi XSS
  106. Goollery viewpic.php XSS
  107. DCP-Portal Cross Site Scripting Bugs
  108. Apache Jakarta Cross-Site Scripting Vulnerability
  109. PHP-CSL Cross Site Scripting

Most Common Low Risk Vulnerabilities:

  1.  HTTP Packet Inspection
  2. ICMP Timestamp Request
  3. NetBIOS Information Retrieval
  4. Windows Host NetBIOS to Information Retrieval
  5. rpcinfo -p Information Disclosure
  6. Supported SSL Ciphers Suites
  7. SSL Verification Test
  8. Remote Host Replies to SYN+FIN
  9. Directory Scanner
  10. TCP Timestamps Retrieval
  11. VMWare Host Detection
  12. SSH Server Backported Security Patches
  13. NULL Session Available (SMB)
  14. Identify Unknown Services via GET Requests
  15. VNCviewer in Listen Mode Detection
  16. robot(s).txt Detection
  17. DNS Bypass Firewall Rules (UDP 53)
  18. RPC Portmapper
  19. SNMP Protocol Version Detection
  20. Telnet Detection
  21. IIS Allows BASIC and/or NTLM Authentication
  22. FTP Clear Text Authentication
  23. SNMP Route Enumeration
  24. Device Type
  25. HTTP TRACE Method XSS Vulnerability
  26. Microsoft IIS Default Page
  27. Microsoft’s SQL UDP Info Query
  28. HTTP Server Backported Security Patches
  29. LANMAN Browse Listing
  30. IPSEC IKE Detection
  31. Apache HTTP Server httpOnly Cookie Information Leak
  32. Microsoft .NET Handlers Enumeration
  33. Flash Cross-Domain Policy File
  34. Veritas NetBackup Agent Detection
  35. SLP Detection
  36. VMware ESX/GSX Server Detection
  37. TTL Anomaly Detection
  38. Apache HTTP Server httpOnly Cookie Information Disclosure
  39. SMTP Service STARTTLS Command Support
  40. SLP Server Detection (udp)
  41. IIS Content-Location HTTP Header
  42. Appweb HTTP Server Version
  43. SMTP Authentication Methods
  44. TFTPd Detection
  45. Apache Tomcat Default Error Page Version Detection