The Truth About Zero-day Vulnerabilities in Web Application Security
Zero-day vulnerabilities are highly valued in legitimate bug bounty programs and have earned bounties of up to USD 2 million. Because no patch or fix exists at the time of discovery, working 0-day exploits command high prices in underground markets and on the dark web as well, where they are sold to the highest bidder and can change hands within hours of discovery.
And why not? A zero-day gives a threat actor a path into the organization that no defense has been tuned for: no patch exists, no detection signature has been written, and the security controls that are in place were not designed with this weakness in mind. The probability of a successful attack is therefore high.
In this article, we look at what zero-days mean in web applications as opposed to systems and networks, and at the general security measures required to protect against 0-day attacks.
Zero-Day Vulnerabilities, Exploits, and Attacks
Zero-day vulnerabilities are previously unknown security weaknesses (misconfigurations, design flaws, or bugs) in software, hardware, firmware, or code that none of the involved parties – users, organizations, vendors, and security teams – are aware of. They typically become known either when security researchers find and report them or when a successful attack that exploits them is detected.
Zero-day exploits are the code and/or techniques that threat actors develop to leverage a 0-day vulnerability. Rather than attacking immediately, a threat actor may hold the exploit and wait for the most advantageous moment to use it.
An exploit counts as a zero-day up to and including the day the organization or vendor learns that the vulnerability exists, and in practice until a fix is available. That day of disclosure is "day zero"; from it, the organization or vendor starts working on a fix for the underlying vulnerability.
When threat actors use a zero-day exploit against a target, the result is a zero-day attack. This is often the point at which the vulnerability becomes known to the organization and the public. Typical delivery vectors are web browsers, email attachments, exploit kits, phishing/spear-phishing emails, and malware that carries the exploit.
Zero-Days in General Cybersecurity vs Web Application Security
Zero-Days in Cybersecurity
Zero-day attacks in general cybersecurity (network security, endpoint security, system security, etc.) are particularly dangerous. Here's why.
If a zero-day is discovered in firmware or in the software that controls physical devices, the devices themselves can be compromised. Until the vendor acknowledges and fixes the issue, organizations can do little beyond blocking the attack vector (for instance, disallowing USB drives), segmenting networks, and tightening firewall rules. Stuxnet is the canonical example: the worm exploited several previously unknown Windows vulnerabilities, spread via USB drives, and targeted Siemens industrial control software in order to sabotage the centrifuges used in Iran's uranium enrichment plants, disrupting the country's nuclear program.
If a zero-day vulnerability is found in your OS or other third-party software, your systems, browsers, and IT infrastructure remain exposed until the vendor learns of the vulnerability, develops a patch, and ships it in a software update, and then until you actually deploy that update. The longer that window, the longer your systems stay exposed and the greater the risk.
For instance, in 2011 attackers exploited an unpatched Adobe Flash Player vulnerability to breach the security company RSA. They sent phishing emails with the subject line '2011 Recruitment Plan' carrying an Excel spreadsheet attachment to a small group of employees. The spreadsheet embedded a Flash object that exploited the zero-day and installed a backdoor, the Poison Ivy remote administration tool, giving the attackers control of the machine. From there they moved through the network, located privileged information, and exfiltrated it, stealing data related to RSA's SecurID two-factor authentication products and undermining the product's effectiveness.
Zero-Days in Web Application Security
Zero-days in web application security are usually found in newly deployed code, and the probability is higher in business applications and systems that are developed or customized in-house. For such code there is no vendor advisory to wait for, and because a single organization runs the application, there is far less chance of an outside party discovering and reporting the weakness than there is for widely used software.
When the zero-day is in newly deployed code or a customized in-house application, no external vendor will deliver a patch. The responsibility for discovering and fixing the gaps (before attackers do) lies with the organization and its IT security team. Scanning tools with automated pen-testing capabilities, such as AppTrana, should be integrated into the SDLC stages so that vulnerabilities and security gaps are identified and fixed as early as possible, when fixing them is cheapest.
There are exceptions. Organizations build applications on popular web applications, open-source libraries, themes and frameworks, third-party components, etc. When the zero-day lies in one of these, the component's vendor or maintainers have to patch it, and the organization has to track the advisory and apply the update.
But what if the component is a legacy system, an end-of-support product, or from a vendor that has gone out of business? How does zero-day protection in web application security work in such cases? This is where virtual patching comes in handy: a rule at the Web Application Firewall or reverse proxy blocks requests that would exploit the vulnerability before they reach the application, so the application code itself does not have to change. It protects applications and IT infrastructure for which patches are no longer issued or are too expensive to deploy (for instance, IoT devices), and it buys time while a real fix is developed.
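As an added example (not code from the original article or from AppTrana), the following Python/WSGI snippet shows what a virtual patch looks like at the request layer. It contains a legacy report endpoint with a path-traversal flaw that we assume cannot be changed, a negative (signature-based) patch that blocks the literal `../`, and a positive (allowlist) patch that validates the `file` parameter after decoding it the same way the application does. The endpoint, the file names, and the rules are all constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs

# Constructed stand-in for the files the legacy endpoint can serve.
# "etc/passwd" represents a file outside the intended reports directory.
FILES = {
    "reports/q1-2021.pdf": b"Q1 financial summary",
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash",
}


def legacy_app(environ, start_response):
    """Unpatched legacy endpoint (hypothetical): builds a path from the 'file'
    parameter without validation, so 'file=../etc/passwd' escapes 'reports/'."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    name = params.get("file", [""])[0]
    path = posixpath.normpath("reports/" + name)  # normpath resolves the '..'
    if path in FILES:
        start_response("200 OK", [("Content-Type", "application/octet-stream")])
        return [FILES[path]]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def signature_patch(app):
    """Negative-model virtual patch: deny any request whose raw query string
    contains the traversal signature '../'. It never decodes the string, so a
    URL-encoded '..%2F' slips past it while the application still decodes it."""
    def wrapped(environ, start_response):
        if "../" in environ.get("QUERY_STRING", ""):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked by virtual patch"]
        return app(environ, start_response)
    return wrapped


# What a legitimate report name looks like: a short safe token ending in .pdf.
ALLOWED_FILE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.pdf$")


def allowlist_patch(app):
    """Positive-model virtual patch: decode the parameter exactly as the
    application does (parse_qs), then allow only values matching ALLOWED_FILE.
    Anything that is not a known-good report name is rejected, encoded or not."""
    def wrapped(environ, start_response):
        params = parse_qs(environ.get("QUERY_STRING", ""))
        for value in params.get("file", []):
            if not ALLOWED_FILE.match(value):
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"blocked by virtual patch"]
        return app(environ, start_response)
    return wrapped


def call(app, query_string):
    """Invoke a WSGI app directly (no server needed) and return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/report",
               "QUERY_STRING": query_string}
    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    for label, app in [("unpatched", legacy_app),
                       ("signature patch", signature_patch(legacy_app)),
                       ("allowlist patch", allowlist_patch(legacy_app))]:
        for qs in ["file=q1-2021.pdf", "file=../etc/passwd", "file=..%2Fetc%2Fpasswd"]:
            print(f"{label:16} {qs:28} -> {call(app, qs)[0]}")
```

The signature rule stops the obvious payload but is bypassed by the URL-encoded `..%2Fetc%2Fpasswd`, because the rule inspects the raw query string while the application decodes it before building the path. The allowlist rule describes what a valid input looks like rather than what an attack looks like, so it blocks both variants and still lets legitimate report names through. The same two principles carry over to a ModSecurity or commercial WAF rule: normalize and decode the way the backend does, and prefer allowing known-good input over denying known-bad patterns.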
The Way Forward
Given their nature, scanners and detection engines that rely purely on signatures of already-known vulnerabilities cannot discover zero-days: there is no signature yet. Behavioral testing in the SDLC (dynamic scanning, fuzzing, and manual pen-testing) can surface unknown bugs before attackers do, but for protection at runtime a modern, managed Web Application Firewall (WAF) such as AppTrana is necessary. What matters in the WAF here is not the length of its signature list but its ability to enforce positive (allowlist) rules for the application's inputs and to deploy a virtual patch within hours of a vulnerability coming to light.