What our attack surface study says about top retail applications

With data breach rife and leading to hefty regulatory fines it’s crucial for retail security teams to look under the hood of their web applications and gain a true view of their risks before it’s too late. In this blog we’ll highlight the key findings from our Web Application Security for Retail Report on how hidden and preventable attack vectors in retail applications, if left un-attended, can turn into serious security vulnerabilities providing an open pathway for potential application attacks.

Our research puts the top 20 retail applications in the world through our attack surface discovery tool Scout, to provide a snapshot of their risk profile and compare how leading brands such as Walmart, Tesco and Amazon are managing application security risks across the Atlantic.

US retailers more vulnerable to web application attacks

To understand what causes data breaches we analyzed top retail applications as identified in the Deloitte Global Powers of Retailing and found:

• US retailers have a larger web application attack surface with an average risk exposure score of 35.1 (out of 42.33)* vs an average score of 30.8* for EU retailers
• Digital footprint
  • US retailers run 3,357 web applications over 401 domains, with 8% of them considered as suspect (e.g. test environment) and 22% of them running on old components containing known security vulnerabilities
  • EU retailers run 2,799 web applications over 509 domains, with 4% considered as suspect (e.g. test environment) and 27% of them are running on old components containing known security vulnerabilities
• Security mechanisms, active content and degree of distribution are the top three attack vectors identified across US and EU retail applications
• 90% of the top 10 EU retail applications are running outdated jQuery vs 50% for US retail
• Other common issues detected include authentication and use of insecure servers

As we know hackers are masters of reconnaissance and incredibly opportunistic, especially during times of unprecedented market unrest increasing the attack surface. They will go to great lengths to identify a target by looking at all layers of an application including how many pages there are, if they’re using outdated software and what CMS and associated vulnerabilities it’s built on to find an easy opening to launch their attack – these are all areas a canny hacker will look for.

Hackers typically identify their targets using automated tools to find the lowest hanging fruit like unpatched or outdated software enabling file injection and remote code execution into the complex makeup of your application. This is where they can shift away from your authentication process and enter your system. As a result, remote access is gained to resources within your critical application, such as databases and servers. Offering hackers, the ability to remotely issue malware and gather the information they want to launch further attacks like ransomware from shadow IT.

*the retail study was done in summer 2020 using Scout v1, the model has since been updated in 2021 to a maximum AS score of 58.24 instead of 42.33, so all new studies in 2021 will be moved to the new scoring model, using proportional calculation for the benchmark.

Retail applications are bringing shoppers (and hackers) in

Our findings have demonstrated how important application security is for retail enhanced by the 30% rise in online sales during the pandemic. Since these retail web applications analyzed are publicly available and drive vast volumes of keen shoppers (and hackers) for their business, retailers must understand the most prevalent security threats in order to secure their web assets and ensure customer data is protected for compliance reasons.

Whilst ecommerce applications have been a lifesaver for retailers, they have introduced an extra cyber-risk – 43% of breaches (Verizon) in 2020 and web applications are the number one attack vector for the retail industry, with customers data exploited in about half of all breaches, a worrying statistic for security teams.

Attack Surface assessment helps you combat this by:

• Identifying the high risk areas in your applications by testing against the seven common web application attack vectors
• Providing a digital blueprint of your attack pathway from a hacker’s perspective through risk rating
• Detecting security weakness (e.g., outdated software and lack of encryption within a HTTP website) that require immediate attentions

Debunking the retail attack surface

The total number of different attack points can easily add up as identified in our retail attack surface analysis. To make this manageable you can debunk the different threats with our automated tool and use the risk score to prioritize testing efforts and locate the flaws for proactive remediation.

In this spider map from our Web Application Security Retail Report you can see the average weightings against the top web application attack vectors. Security Mechanism (SM), Active Content Technologies (ACT) and Degree of Distribution (DOD) pose the biggest threats to the retail apps we analyzed:

The biggest threats, security mechanism (95), or the lack of it, demonstrates many of the retail applications we scanned didn’t include sufficient encryption and access restrictions to defend against a potential reconnaissance mission looking for an easy way in like a credential stuffing attack.

Therefore, it’s critical for security teams to take an analytical view of their critical web application and create an inventory of what they own and where they are most likely to be exposed to reduce their attack surface and targets on their back. It’s vital to locate all internet-facing web apps at a regular cadence to gain visibility on potential blind spots and remediate before they can be exploited.

Authentication was also another key factor for concern for EU retail applications with only 20% authentication in place compared to 90% of US applications. Authentication is needed when a customer checks out or updates the contents on the app and it’s key for retailers to keep unauthorized users out.

In addition, we also found up to 90% of EU retailers vs 50% US retailers to be running outdated jQuery versions. By using an older version of jQuery, it’ll open the retailer up to exploitable vulnerabilities in jQuery’s like cross site scripting (XXS) attacks.

How retailers can protect their web applications

Attack surface analysis is broad and complex, it’s challenging to even begin to understand where your biggest risks lie. Our tool simulates the multiple discovery technique hackers used during reconnaissance and assess the plethora of code and multiple layers within applications.

Good for security

This way security professionals can build a picture of their attack surface and quickly understand the risk level for their applications (even legacy applications you didn’t know existed) to guide where to apply additional security controls, benefitting from cost and time saved by automating the identification of the biggest security flaws and prioritization of remediation

Good for developers

Having a visual attack surface analysis like this will also help instill your developers and third parties with a security mindset when building new applications. With a greater understanding of what causes your application attack surface to increase, developers can use the knowledge to create safer applications in the future to ensure security flaws don’t end up costing you

More information about the attack vectors: