Insight into Web Application Security Breaches

17.Jul.2018
Outpost24 France
Web application vulnerabilities are some of the most common flaws leading to modern data breaches. SQL injection (SQLi) and Local File Inclusion (LFI) attacks accounted for 85% of web application attacks, while XSS accounted for only 9%.

Web Application Security Breaches

Today, cloud computing is driving market demand away from perpetual licensing and toward next-generation pay-per-use services in the form of software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and other subscription models that base pricing on actual service usage. Many e-commerce websites have increased their use of web applications. However, nothing is ever entirely safe in this new model, because of the shared responsibility model. And with the DevOps approach constantly pushing to improve apps, security remains one of companies' biggest challenges.

Web app situation in 2019

According to research, the number of web application attacks increased by 52% in 2019. SQL injection (SQLi) attacks represented nearly two-thirds (65.1%) of those and Local File Inclusion (LFI) accounted for 24.7%, while XSS accounted for only 9%.

The number of confirmed breaches through web applications varies widely across industries: companies holding sensitive data are more attractive targets for attackers.

Retail is the sector most affected: the Verizon 2019 Data Breach Report reveals that 39% of reported incidents and 62% of breaches were caused by web application attacks.

The key point is that organizations running many critical web applications are more likely to be breached. Simple vulnerabilities are the ones most often used by attackers against businesses. The following section covers some attack vectors you need to pay attention to.

Web Application security breaches review

Because of the many flaws introduced during the design and development of applications, web applications are easy to breach. There are many kinds of web application vulnerabilities, the major ones being listed by OWASP in its Top 10. This ranking has not changed much in recent years, but web application vulnerabilities remain a major threat.

We have already discussed the OWASP Top 10 vulnerabilities in a previous blog post, but here are some other common web application vulnerabilities:

  • Buffer Overflow: This is one of the most common issues faced by web applications. A buffer overflow occurs when an application writes more data into a buffer than it can hold. The excess data overwrites adjacent memory, which causes the application, or even the whole system, to crash.

  • Cross-Site Request Forgery (CSRF): This is one of the deadliest attacks that any web application's security can face. CSRF makes the client perform an action they did not intend. By abusing the client's authenticated browser session, the attacker crafts the attack so that the client is tricked into accepting an invitation from a third-party website. Once the client has been tricked into agreeing to the invitation, the attacker has gained access to the user's details. This type of attack is most common against internet banking, e-mail clients, and social media apps.

  • Security Misconfiguration: Web applications promise to keep the identity of the client safe and secure. However, if the applications are not maintained and are left as they are, attackers can access the identities of the clients. Furthermore, this type of vulnerability can give the attacker complete access to the database server, web server, etc., which leads to a complete compromise of the application. Misconfiguration is also one of the biggest offenders in our 2020 study.

  • Denial of Service: This type of attack aims to make a website, an application or another resource unavailable. Today, DoS attacks are launched from many sources at once, which is why they are called DDoS (Distributed Denial of Service). Attacks may overload a network so that it stops functioning, disrupt connections between two machines, or block access. A denial-of-service attack can also take down a file server or make a web server unreachable. DoS and DDoS can be dramatic for an e-commerce website, for example, if its customers can no longer access it.

  • Cross-Site Scripting (XSS): This type of breach is directed at the client's device. Attackers inject code, such as JavaScript, to deliberately change the web application's appearance. Beyond this, XSS is used to deface websites, alter content, hijack client sessions, and redirect the client to malicious and unsafe websites. XSS attacks are used to steal sensitive data, such as credentials or commercially valuable data. Cross-site scripting accounted for 8% of all web application attacks according to an Akamai report (in Q3 and Q4 2017 and also in Q1 2018). For more information on XSS vulnerabilities and how to avoid them, you can read our past blog post on the subject.

  • Local File Inclusion: Another common web application vulnerability, Local File Inclusion, also called LFI, is the inclusion, through user input, of a file that already exists on the company's server. LFI was used in 34% of web application attacks (between November 2017 and April 2018, according to Akamai). If successful, the attacker tricks the application into loading files they are not authorized to access. This may allow them to read sensitive information, access configuration files, or even execute system commands remotely. You can find more technical insights in our previous article.
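An added example (not part of the original post and not Outpost24 code) showing the LFI pattern described above from the defender's side: a template name taken from a request parameter is resolved unsafely next to a hardened version that applies an allow-list and a path containment check, and returns a reason string the application can log. The template root and the allowed page names are hypothetical.

```python
import posixpath
from typing import Optional, Tuple

# Constructed scenario: a page template is chosen by a request parameter
# such as ?page=about and then included from a fixed directory.
TEMPLATE_ROOT = "/srv/app/templates"          # hypothetical deployment path
ALLOWED_PAGES = {"home", "about", "contact"}  # hypothetical allow-list


def vulnerable_template_path(page: str) -> str:
    """Unsafe: the user-controlled value is concatenated straight into a
    filesystem path, so '../' sequences can reach files outside the root."""
    return posixpath.join(TEMPLATE_ROOT, page + ".html")


def escapes_root(path: str, root: str = TEMPLATE_ROOT) -> bool:
    """True when the normalised path does not stay inside root."""
    normalised = posixpath.normpath(path)
    return posixpath.commonpath([root, normalised]) != root


def safe_template_path(page: str) -> Tuple[Optional[str], str]:
    """Hardened lookup. Returns (path, reason); path is None when rejected.

    The reason string is meant for the application log, so rejected
    requests can be alerted on instead of being silently dropped.
    """
    # 1. Allow-list: only known page names are ever mapped to a file.
    if page not in ALLOWED_PAGES:
        return None, "rejected: page not in allow-list"
    # 2. Defence in depth: even an allow-listed name is normalised and
    #    checked for containment, so a later loosening of the allow-list
    #    cannot turn into a path traversal.
    candidate = posixpath.normpath(posixpath.join(TEMPLATE_ROOT, page + ".html"))
    if escapes_root(candidate):
        return None, "rejected: path escapes template root"
    return candidate, "allowed"


if __name__ == "__main__":
    # Constructed requests: one legitimate page and two traversal attempts.
    for requested in ("about", "../../config/db", "about/../../../secrets"):
        print(f"{requested!r:32} unsafe -> {vulnerable_template_path(requested)}")
        print(f"{'':32} safe   -> {safe_template_path(requested)}")
```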

To make sure that your web application is free of such vulnerabilities and offers a seamless experience to your clients, you should code rigorously or choose a reputable website development company. To remain secure over time, pay attention to new weaknesses referenced by CWE, or use dedicated cybersecurity solutions to keep your applications as secure as they are quickly developed and improved.

With the participation of Junaid Ali Qureshi.

Sources:

Q3 2017 State of the Internet Security Report

2017 Data Breach Investigations Report