(Second part of the Indusface OWASP vulnerability educational series. Read Part 1)

Have you heard of the time when Fantastic Frank from Randomland was furious? Money and critical data were being stolen from the website of his Fishery of Randomland. That is when he called in security ace Ralph to find out what was wrong.

OWASP Top 10 Attacks on Your Website

Ralph indeed had a big list of problems. In Part 1 he explained the first five of the 10 OWASP vulnerabilities; this is what happened next.

A6- Sensitive Data Exposure

“How secure is your data,” asked Ralph.

“What data?” hesitant Frank replied. There was so much going around that he wasn’t sure of anything now.

“Everything. Data being sent to the users, your backups, password logs, everything,” he probably knew the answer but asked anyway.

Judging by the lack of confidence in the room, Ralph guessed that encryption wasn’t a priority at Fishery of Randomland. So he went back to the computer, which apparently had more answers.

Unsurprisingly, Frank’s team was storing user passwords, credit card details and other critical information in plain text files.


“La force d’un secret,” he turned back and said as everyone looked amazed, “It’s French for ‘The Strength of a Secret’. If you don’t know the language, what is said is of no use to you.”

Frank and his website admin team were uncertain if he was being sarcastic or simply playful.

“That’s how you should store or transmit the data. Encrypt it, obviously not in French but with cryptographic algorithms. Even if the passwords or credit card details are stolen, make sure that hackers cannot do anything with it,” he made his point clear.

It’s critical to keep sensitive data encrypted, at rest and in transit, in such a way that only the authorized keys unlock it; the algorithm itself should be assumed public. Passwords are the special case: the website never needs to decrypt them, so store them as salted hashes produced by a deliberately slow function (bcrypt, scrypt, PBKDF2 or Argon2) rather than encrypting them, so that even a stolen password table cannot be turned back into passwords.

Business Risks: Consider everything that comes with the loss of sensitive data. Loss of passwords, credit card information, addresses and bank statements can bring serious repercussions. Recently, Uber accidentally revealed the driving licences of more than 100 drivers.
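To make the difference concrete, here is an added example (written for this edit, not code from the article or from Indusface) that puts the plain-text store Ralph found beside a hardened store that keeps only a salted, slow scrypt hash. It uses only the Python standard library; the user names and passwords are constructed for the demo, and the scrypt cost parameters are an assumption that a real deployment would tune to its hardware.

```python
"""Added example: plain-text password storage beside a hashed store.
Only the standard library is used; records below are constructed."""
import hashlib
import hmac
import os

# --- The weak design: the secret itself is written to the table -------------
plain_users = {}

def plain_register(username, password):
    # Anyone who reads this table (backup, log, SQL injection) has every password.
    plain_users[username] = password

def plain_login(username, password):
    return plain_users.get(username) == password


# --- The hardened design: store a salted scrypt hash, never the password ----
# scrypt parameters (assumed values): n = CPU/memory cost, r = block size,
# p = parallelism. They are deliberately expensive so offline guessing is slow.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

hashed_users = {}

def hash_password(password, salt=None):
    """Return 'scrypt$n$r$p$salt$digest'; a fresh random salt per password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Record the parameters with the hash so they can be raised later
    # without breaking verification of older records.
    return "scrypt${}${}${}${}${}".format(SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                          salt.hex(), digest.hex())

def secure_register(username, password):
    hashed_users[username] = hash_password(password)

def verify_password(stored, password):
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def secure_login(username, password):
    stored = hashed_users.get(username)
    if stored is None:
        # Spend the same effort for unknown users so response time does not
        # reveal which usernames exist.
        hash_password(password)
        return False
    return verify_password(stored, password)


if __name__ == "__main__":
    plain_register("bob", "hunter2")
    secure_register("alice", "correct horse")
    print("plain table leaks:", plain_users)          # password visible
    print("hashed table:", hashed_users)               # only salt + digest
    print("alice login ok:", secure_login("alice", "correct horse"))
    print("alice wrong pw:", secure_login("alice", "wrong"))
```

The stored string carries its own parameters, so when hardware gets faster the cost can be raised for new records while old ones still verify. Credit card numbers are different again: they must be recoverable, so they belong behind reversible encryption with keys held outside the database, or better, outside the application entirely with a payment provider.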

A7- Missing Function Level Access Control

“Admin function controls are the most important ones and should be restricted. Right? What if non-admin users can access them too? Do you regularly check for these misconfigurations? Make sure that you do,” he explained further.

Ralph’s question reveals a lot. Most companies do not bother to verify, on every request, that only authorized accounts reach privileged functions. Hiding the admin link from the menu is not a control: what if anyone who can reach the server simply types the admin URL, or changes a parameter, and the function runs without checking who asked?

Business Risks: Once the attacker gains admin access, he/she can change a lot of things, including application data and settings.
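Here is an added example (written for this edit, not the article’s or Indusface’s code) of the flaw and its fix in a tiny request dispatcher for the fish shop. The weak version hides the admin link in the menu but the handler itself never checks the caller’s role; the fixed version enforces the role on the server for every request, denying by default. The session store, roles and routes are constructed for the demo.

```python
"""Added example: missing function level access control, then the fix.
Sessions, users and routes are constructed for illustration."""
from functools import wraps

# Constructed server-side session store: cookie value -> who is logged in.
SESSIONS = {
    "sess-frank": {"user": "frank", "role": "admin"},
    "sess-bob":   {"user": "bob",   "role": "customer"},
}

class Forbidden(Exception):
    pass

# --- Weak design: the "control" is only that customers never see the link --
def weak_menu(session):
    links = ["/orders"]
    if session["role"] == "admin":
        links.append("/admin/delete-user")   # hidden from customers...
    return links

def weak_delete_user(session, target):
    # ...but nothing stops a customer who types the URL directly.
    return "deleted " + target

# --- Fixed design: the check lives on the handler, not in the menu ----------
def require_role(role):
    """Decorator that refuses the call unless the session holds `role`."""
    def decorator(handler):
        @wraps(handler)
        def guarded(session, *args, **kwargs):
            # Deny by default: no session, or the wrong role, is forbidden.
            if session is None or session.get("role") != role:
                raise Forbidden(handler.__name__)
            return handler(session, *args, **kwargs)
        return guarded
    return decorator

@require_role("admin")
def delete_user(session, target):
    return "deleted " + target

ROUTES = {"/admin/delete-user": delete_user}

def dispatch(session_id, path, **params):
    """Resolve the cookie to a session on the server, then route the request."""
    session = SESSIONS.get(session_id)      # a forged cookie resolves to None
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    try:
        return 200, handler(session, **params)
    except Forbidden:
        return 403, "forbidden"


if __name__ == "__main__":
    bob = SESSIONS["sess-bob"]
    print("bob's menu:", weak_menu(bob))
    print("bob typing the URL (weak):", weak_delete_user(bob, "alice"))
    print("bob typing the URL (fixed):",
          dispatch("sess-bob", "/admin/delete-user", target="alice"))
    print("frank (fixed):",
          dispatch("sess-frank", "/admin/delete-user", target="alice"))
```

The point of the decorator is that the check cannot be forgotten on a new admin handler, and that it uses the role the server stored at login, never a role claimed by the request.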

A8- Cross-Site Request Forgery (CSRF)

“Here’s a malicious link hidden in an image that your customer visits on a random website,” Ralph typed in his notepad.

While rfish.com is the real website of Fishery of Randomland, the fraudster has crafted a URL on it that makes the customer’s browser issue a command he/she knows nothing about. Because the browser attaches the customer’s session cookie to every request for rfish.com automatically, the forged request arrives looking fully authenticated.


<img src="http://rfish.com/purchase-tuna?account=bob&number=1000&for=Fred">

“Now your customer doesn’t even know, but the attacker has initiated a transaction of 1000 tunas to be delivered to Fred. Every time he visits such a malicious website, similar requests will be passed to your website with all the authenticated details,” Ralph revealed a much more serious flaw.

“You mean all those customer complaints about random orders were real? God, they hate us,” frustrated Frank pulled a chair hoping that it was the end of bad things on his website but of course it wasn’t.

Business Risks: Rogue requests, purchases and money transfers. You will never be sure whether a request is genuine, and customers will gradually lose trust in your website.
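As an added example (written for this edit, not code from the article or Indusface), here is the tuna purchase endpoint twice. The weak handler acts on any request the browser sends, including the one triggered by the hidden image above, because the browser attaches the session cookie by itself. The fixed handler refuses GET for a state change and requires a per-session anti-CSRF token (the synchronizer token pattern) that the attacker’s page cannot read. Sessions, orders and the forged request are constructed for the demo.

```python
"""Added example: a CSRF-vulnerable purchase handler and its fixed form.
Server state and the forged request below are constructed."""
import hmac
import secrets

# Constructed server state: session cookie -> session data, plus an order log.
SESSIONS = {"cookie-bob": {"user": "bob"}}
ORDERS = []

def issue_csrf_token(session):
    """Mint one unpredictable token per session and keep it server-side."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]

def render_purchase_form(session_id):
    """The genuine form embeds the token; a page on another origin never
    gets to read this HTML, so it cannot copy the token into its request."""
    token = issue_csrf_token(SESSIONS[session_id])
    return ('<form method="POST" action="/purchase-tuna">'
            '<input type="hidden" name="csrf" value="%s">' % token +
            '<input name="number"><input name="for"></form>')

# --- Weak handler: state change on GET, identity taken from the cookie alone -
def weak_purchase(session_id, method, params):
    session = SESSIONS.get(session_id)
    if session is None:
        return 401
    ORDERS.append((session["user"], int(params["number"]), params["for"]))
    return 200

# --- Fixed handler ----------------------------------------------------------
def safe_purchase(session_id, method, params):
    session = SESSIONS.get(session_id)
    if session is None:
        return 401
    if method != "POST":             # an <img> tag can only produce a GET
        return 405
    expected = session.get("csrf")
    supplied = params.get("csrf", "")
    # The token must exist and match, compared in constant time.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403
    ORDERS.append((session["user"], int(params["number"]), params["for"]))
    return 200

def forged_request():
    """What Bob's browser sends when it renders the attacker's <img> tag:
    his real cookie, a GET, and the attacker's parameters."""
    return ("cookie-bob", "GET",
            {"account": "bob", "number": "1000", "for": "Fred"})


if __name__ == "__main__":
    sid, method, params = forged_request()
    print("weak handler on forged request:", weak_purchase(sid, method, params), ORDERS)
    print("fixed handler on forged request:", safe_purchase(sid, method, params))
    render_purchase_form("cookie-bob")
    good = {"csrf": SESSIONS["cookie-bob"]["csrf"], "number": "2", "for": "Bob"}
    print("fixed handler on genuine form:", safe_purchase(sid, "POST", good))
```

Marking the session cookie SameSite=Lax or Strict adds a second layer, since the browser then withholds it on cross-site requests, but the token check is what the server can verify on its own.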

A9- Using Components with Known Vulnerabilities

“Hey Frank, what happens when you mix unknown construction material while building a house?” Ralph wasn’t finished yet.

“Well, it might not be strong enough? Who knows what’s in there?”

“Exactly my friend. Applications are the same. Your developers use open source projects with God knows what loopholes. Most of the time they don’t even know what code library came from where,” he explained.

Business Risks: Unknown application code brings unknown risks. XSS, injection and business logic loopholes are just some examples. Such vulnerabilities expose the business to data breaches, access control bypass, defacement and theft. The first step is an inventory: know which components and versions are in the build, pin them, and check every pin against published vulnerability advisories so a known-bad version cannot slip into production unnoticed.
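Here is an added example (written for this edit, not the article’s or Indusface’s code) of that inventory check in miniature. It parses a pinned requirements file into (name, version) pairs, flags any component without an exact pin, and compares each pin against an advisory list of affected version ranges. The package names and advisories below are constructed for the demo; a real check pulls them from a vulnerability database.

```python
"""Added example: a minimal component inventory and known-vulnerability check.
The requirements text and the advisory data are CONSTRUCTED for the demo."""
import re

# Constructed requirements file, as a developer might ship it.
REQUIREMENTS = """\
# web stack for rfish.com (constructed sample)
fishweb==1.4.2
tunaorm>=2.0          # not pinned: resolves to whatever is newest
paymentlib==0.9.1
"""

# Constructed advisories: package -> list of (first affected, first fixed).
ADVISORIES = {
    "fishweb":    [((1, 4, 0), (1, 4, 3))],   # 1.4.0 <= v < 1.4.3 affected
    "paymentlib": [((0, 0, 0), (1, 0, 0))],   # everything before 1.0.0
}

# name, optional operator, optional version; comments are stripped first.
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)?\s*([0-9][0-9.]*)?")

def parse_version(text):
    """'1.4.2' -> (1, 4, 2), so tuples compare numerically, not as strings."""
    return tuple(int(x) for x in text.split("."))

def parse_requirements(text):
    """Return a list of dicts: name, op, version (None when unpinned)."""
    items = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        name, op, ver = m.groups()
        items.append({"name": name.lower(), "op": op,
                      "version": parse_version(ver) if ver else None})
    return items

def is_affected(version, ranges):
    return any(lo <= version < hi for lo, hi in ranges)

def audit(text, advisories=ADVISORIES):
    """Return findings as (name, reason) for unpinned or known-vulnerable pins."""
    findings = []
    for item in parse_requirements(text):
        if item["op"] != "==" or item["version"] is None:
            findings.append((item["name"], "unpinned: build is not reproducible"))
            continue
        if is_affected(item["version"], advisories.get(item["name"], [])):
            findings.append((item["name"], "known vulnerable version %s"
                             % ".".join(map(str, item["version"]))))
    return findings


if __name__ == "__main__":
    for name, reason in audit(REQUIREMENTS):
        print("%-12s %s" % (name, reason))
```

An unpinned component is itself a finding: if the version is decided at build time, the inventory is never stable, and tomorrow’s build may pull in a version nobody has reviewed.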

A10- Unvalidated Redirects and Forwards

“Coming to the last one; this is another weakness where you lose customer trust,” Ralph said as he pulled over the keyboard to show how easy it was to plant a redirect in the URL that takes the customer to a page of his choice. He simply used the ‘url’ parameter to change it, as in the example below.

“See now that the customer has clicked on the link but does not know that I am taking him to a website that looks exactly like yours but it isn’t. He will go about his business while I can get all the information I need,” Ralph concluded.

Most websites don’t even know about such unauthorized redirects that look genuine. While customers should be more careful about phishing, how could anyone suspect that a link on rfish.com will send them to gettingrobbed.com, a site that looks exactly like rfish.com?


http://www.rfish.com/redirect.jsp?url=gettingrobbed.com

It comes down to website owners to ensure that customers are never redirected to fraudulent sites. Either don’t take the destination from a request parameter at all, or validate it on the server against an allow-list of local paths or known hosts, and reject the usual bypasses: protocol-relative destinations such as //evil.com, a trusted host name used as the user-info part of a URL to an untrusted host, look-alike hosts such as rfish.com.evil.com, and non-http schemes such as javascript:.

Business Risks: Attackers can install malware or take over user accounts through phishing. Customers lose trust in the attacked website for good.
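As an added example (written for this edit, not code from the article or Indusface), here is the validation a redirect.jsp-style endpoint should apply to its url parameter. The weak version redirects wherever it is told; the safe version accepts only same-site relative paths or hosts on an explicit allow-list, and it is exercised against the bypass tricks above. The host names are constructed for the demo.

```python
"""Added example: open redirect, then an allow-list check for the url parameter.
Host names are constructed; only the standard library is used."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.rfish.com", "rfish.com"}   # constructed allow-list

def weak_redirect_target(url_param):
    # Exactly the flaw in the article: the parameter becomes the Location header.
    return url_param

def safe_redirect_target(url_param, default="/"):
    """Return a destination that stays on rfish.com, else the default page."""
    if not url_param:
        return default
    # Browsers treat backslashes like slashes, so normalise before parsing;
    # otherwise "/\evil.com" would look like a harmless relative path.
    candidate = url_param.replace("\\", "/")
    parts = urlsplit(candidate)
    # Reject any scheme that is not plain http(s): javascript:, data:, etc.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default
    if parts.scheme == "" and parts.netloc == "":
        # A relative path. "//evil.com" parses with netloc set, so it never
        # reaches here; the extra startswith guard covers "///evil.com".
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    # Absolute or protocol-relative URL: the parsed host must match exactly.
    # urlsplit().hostname already strips user-info ("www.rfish.com@evil.com"
    # yields "evil.com") and an exact set lookup defeats "rfish.com.evil.com".
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return default
    return candidate


if __name__ == "__main__":
    samples = [
        "/account/orders",
        "https://www.rfish.com/orders",
        "gettingrobbed.com",
        "http://gettingrobbed.com",
        "//gettingrobbed.com/x",
        "/\\gettingrobbed.com",
        "javascript:alert(1)",
        "http://www.rfish.com.evil.com/",
        "http://www.rfish.com@evil.com/",
    ]
    for s in samples:
        print("%-36s -> %s" % (s, safe_redirect_target(s)))
```

Returning the default page on rejection, rather than an error, keeps the login flow working for legitimate users whose bookmark happens to carry a stale or odd url parameter.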

OWASP Top 10 Resolution

“Ralph, that’s like a list of a thousand variables. You want us to look at it every day and crosscheck if everything is fine with the website? How about I just close everything and sell fish at my shop in Downtown,” Frank wasn’t sure of his website anymore.

“Not at all,” Ralph smiled, “I know you people have business to take care of and that’s why we have things that check every weakness on your website.”

“Things?”

“Well, back in the office we call them Web Application Scanning and Web Application Firewall,”

“And what do they do exactly?”

“See this Web Application Scanning has parameters to find OWASP 10 weaknesses automatically. It does that daily and lets you know issues to be taken care of. That’s obviously better than your development team digging in every single day,”

“And this firewall? We already have that right Bob?” Frank looked at one of his employees.

“No, no, it’s different. This Web Application Firewall is for OWASP 10 vulnerabilities. Say you find three weaknesses through scanning and at the same time it’s the big sale day on your website. What will be your priority? Should your team sit and correct the code or focus on keeping the website running? Web Application Firewall prevents OWASP attacks until you can fix the issue,” Ralph made the difference clear.


That was probably the last time Frank had to get furious over data breach risks. Ralph was now a necessary part of his team, for things Frank couldn’t be bothered to get into, as Christmas was around the corner and his target was the number 1 fish-selling spot. But did they miss the mobile app completely? Weren’t they worried about that? Was Christmas spoiled for him?

Part 3 on OWASP Mobile Vulnerabilities

Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and held various management/leadership roles in Product Development, Professional Services and Sales @Entrust.