The way businesses look at web applications has changed dramatically over the past decade. What was once develop-and-forget is now the powerhouse that runs businesses across the world. Web applications drive many of these changes, especially in sectors that depend heavily on online transactions. So, does this change anything in the overall security outlook? As a matter of fact, it does.
So what is the best way to deal with both? Should you look into automated web application scanning or manual penetration testing? What are the testing best practices?

Businesses must strive to stay ahead of the competition, a large part of which means enhancing the user experience and interface with frequent changes. Problems start to surface when there is not enough time or resources to test these applications, especially for vulnerabilities that could let an attacker breach the server. Additionally, there are business-specific flaws that hide in the application's own logic and offer unintended breach opportunities to hackers.

Web Application Testing Issues

Before you look into web application scanning, it is important to understand why securing applications matters so much. With a constant rise in the number of applications being developed and used for critical business processes, they have also become primary targets for hackers. In fact, it has been estimated that over 75% of breaches today happen at the application layer. Here are some of the top threats that you might want to look into.

1. Known Vulnerabilities

Drawing on decades of work and knowledge, information security experts at OWASP and WASC publish lists of known application vulnerabilities each year that can be exploited to breach security. Although these lists are not exhaustive, they are widely regarded as the foundation for starting to secure applications.

Currently, according to various application security experts, injection flaws top the list of vulnerabilities. In fact, 91% of the websites tested by our IndusGuard Web that were found to have ‘Critical’ level vulnerabilities had a SQL Injection vulnerability. Hackers look for this vulnerability on a website and then use input channels like forms and URLs to make the server execute commands of their choosing. You can read more about it in “All You Need to Know about SQL Injection”.

Recently, the user database of a leading song portal was reportedly breached through SQL Injection. The database held records for millions of the website's users, but the hacker didn’t compromise them.

Similarly, websites of major online taxi-for-hire services were also hacked, exposing credit card transactions and voucher codes.

Following is a list of some of the web application vulnerabilities listed by the Open Web Application Security Project.


2. Business Logic Flaws

As web applications grow more complex and multi-dimensional, vulnerabilities are no longer limited to universally known categories. At times, issues arise from a combination of logic flaws and end up weakening security.

A business logic flaw is an application vulnerability that arises from a circumstantial weakness in how the application is meant to work. Because each one is a one-of-a-kind problem, it has no universal solution and cannot be detected by automated web application scanning either. Here is a simple way to understand this.

“Only those who understand your business will be able to detect your business logic flaws.”

Here’s an example to understand business logic flaws.

A renowned stockbroking firm wanted its customers to trade online. Its dummy online trading platform focused on increasing participation and making transactions faster with a two-step process.

Step 1: Users could pick the stocks of their choice and the number of shares, and click ‘BUY’. The application then calculated the total value of the transaction and asked users to ‘PLACE ORDER’.


Step 2: After Step 1, users could choose either to proceed with the order or to cancel the transaction.

The Problem:

The web application scanning session showed that the application was free of any OWASP or WASC vulnerability, but problems existed. An attacker could make informed decisions and earn huge profits without administrators knowing about it. The attacker only had to select a stock at the current price and freeze the process at the confirmation dialog box. If the price of that stock shot up the next day, he could confirm the frozen trade and get the shares at the older price.
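As an added example (not code from the post or from Indusface's product), the Python sketch below shows the kind of server-side check that closes the frozen-trade gap described above: Step 1 issues a signed quote with a short lifetime, and Step 2 refuses to fill unless the quote is untampered, unexpired and still close to the live price. The signing key, quote lifetime and drift tolerance are assumed placeholders.

```python
import hashlib
import hmac
import json

# Assumed placeholders for this example: a server-side signing key, how long a
# quote stays valid, and how far the live price may drift before a re-quote.
SECRET = b"placeholder-order-signing-key"
QUOTE_TTL_SECONDS = 30
MAX_PRICE_DRIFT = 0.005  # 0.5%


def _sign(body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def create_quote(symbol, qty, price, now):
    """Step 1 ('BUY'): build the quote the client must hand back at Step 2.

    The server records when the quote was issued and signs it, so neither the
    price nor the timestamp can be edited on the client side unnoticed."""
    body = {"symbol": symbol, "qty": qty, "price": price, "issued_at": now}
    body["sig"] = _sign(body)
    return body


def place_order_vulnerable(quote):
    """Fills at whatever price the client submits, however old the quote is.
    This is the frozen-trade flaw described in the article."""
    return {"status": "filled", "price": quote["price"]}


def place_order_hardened(quote, live_price, now):
    """Step 2 ('PLACE ORDER'): refuse tampered, stale or out-of-date quotes."""
    body = {k: v for k, v in quote.items() if k != "sig"}
    if not hmac.compare_digest(quote.get("sig", ""), _sign(body)):
        return {"status": "rejected", "reason": "tampered quote"}
    if now - body["issued_at"] > QUOTE_TTL_SECONDS:
        return {"status": "rejected", "reason": "quote expired"}
    if abs(live_price - body["price"]) / live_price > MAX_PRICE_DRIFT:
        return {"status": "rejected", "reason": "price moved; re-quote"}
    # Fill at the live price, never at the client-supplied one.
    return {"status": "filled", "price": live_price}
```

The vulnerable variant is kept only to show the contrast: it fills a day-old quote at yesterday's price, while the hardened variant rejects it.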

3. Zero-day Threats

Zero-day threats come from vulnerabilities that have only recently become public and remain unpatched. There are also ‘less than zero-day vulnerabilities’ that are passed on to hackers for exploitation and are unknown to the rest of the world. Over the years, the number of these unknown vulnerabilities has increased, with the likes of Heartbleed, POODLE, and FREAK wreaking havoc all across the world.

In fact, just a couple of months ago, WordPress was dealing with two zero-day vulnerabilities that allowed Cross-Site Scripting (XSS) on thousands of websites globally. The attack targeted the then-latest version of WordPress. Attackers could exploit the vulnerability by sending messages containing injected HTML to site admins. From there, attackers could create accounts and change passwords, or do pretty much anything the targeted admin could do.


Although WordPress released patches for these vulnerabilities soon after, the window gave the underground world plenty of time to target several websites at once. In fact, a number of zero-day vulnerabilities have repeatedly rocked the boat for Adobe and Java. Transport Layer Security (TLS) and Secure Sockets Layer (SSL) have also suffered encryption breaches in recent months.

Integrated Web Application Testing

As more and more companies shift their business processes and data storage online, they also spend a lot of time and energy looking for vulnerability assessment programs. Inevitably, the choice comes down to automated versus manual testing, each with its own strengths.

On one hand, it is impossible to allocate dedicated time and personnel to testing after every little web application change, a task at which automated web application scanning excels. On the other hand, detecting business logic flaws requires human thinking and the ability to manipulate the application in rather unconventional ways. This leaves companies choosing whatever their decision makers find feasible.

Our question is: Why can’t you get the benefits of both in one integrated web application scanner? Why can’t it offer both automated testing for OWASP Top 10 and manual penetration testing for business logic flaws?

Indusface Scanning does it with managed web application scanning. It audits application security by detecting OWASP vulnerabilities and malware, while security experts perform penetration testing to find business logic vulnerabilities. It also provides additional features like malware and blacklisting detection, defacement protection, and unlimited attack demonstrations. And for zero-day vulnerabilities, there is proactive support and remediation guidance from experts.

Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and held various management/leadership roles in Product Development, Professional Services and Sales @Entrust.