Ten most common web security vulnerabilities

Andre Reitenbach, CEO, Gcore, highlights the weaknesses that organisations become susceptible to when thorough cybersecurity is neglected, and warns against complacency as cyberthreat tactics continue to evolve.

As our reliance on websites and applications has grown, so too have the security stakes for organisations. Cyberattacks are increasing and companies need to be hyperaware of the potential web security vulnerabilities in their IT systems.

A web application is vulnerable to attack when it contains a weakness or misconfiguration that an attacker can reach. Such weaknesses can exist in any layer, from the server or host through to the application software itself, and web applications are a prime target simply because users interact with them frequently across many different networks.

Let’s look at some of the most common web security vulnerabilities:

  • Broken access control

This occurs when users can access data or resources they shouldn’t because permissions are poorly managed: privileges may have been assigned inaccurately, or permission settings may be inconsistent. Weaknesses in authentication mechanisms, such as weak passwords or a lack of Multi-Factor Authentication, can also be exploited. Security controls must be configured so that an attacker cannot bypass them; leaving a security configuration on its default settings, or misconfiguring firewall rules or access control lists, undermines them. Combatting this means putting strong authentication practices in place and regularly auditing the access permissions that have been defined.

  • Cryptographic failures

If the implementation or usage of cryptographic measures falls short in delivering necessary security, it can lead to compromised confidentiality, integrity, or availability of the data that the cryptography should have protected. The result is unauthorised account access, identity theft and data breaches. Sensitive data such as profile information, health or credit card data, if stored without adequate encryption, will become an attractive target for malicious actors. The main vulnerable object in this scenario is the application database where the data is stored.

  • Injection flaws

Attackers can inject malicious input into a command or query that an application subsequently processes, so that untrusted data reaches an interpreter or service without validation or sanitisation. A common example is SQL injection, where the attacker injects malicious SQL code into a web application; LDAP injection and Cross-Site Scripting are other forms. To guard against this kind of attack, organisations must ensure that untrusted input received by an application is filtered, preferably using an allowlist (whitelist), and that SQL databases are appropriately configured.
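As an added illustration (not code from the article), the SQL injection case described above: a lookup that splices user input into the statement text, beside a lookup that applies an allowlist check and a parameterised query. The table, rows and usernames are constructed.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory sample table (not data from the article)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def lookup_vulnerable(db, name):
    # The untrusted value is spliced into the statement text, so the
    # interpreter (SQLite here) cannot distinguish data from code and a
    # crafted value changes the meaning of the WHERE clause.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")  # allowlist of acceptable usernames

def lookup_safe(db, name):
    # Defence 1: allowlist validation rejects anything that is not a
    # plausible username before it goes anywhere near the database.
    if not USERNAME_RE.fullmatch(name):
        return []
    # Defence 2: a parameterised query sends the value separately from the
    # statement, so it is never parsed as SQL whatever it contains.
    return db.execute("SELECT name, email FROM users WHERE name = ?",
                      (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # classic test value used to verify the fix
    print(lookup_vulnerable(db, probe))  # returns every row
    print(lookup_safe(db, probe))        # []
```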

  • Insecure direct object references

These arise when a web application exposes internal objects – files, directories, database keys – through URLs or form parameters. If that user-supplied reference is trusted blindly, sensitive information can be exposed unintentionally and attackers may reach other objects that were never meant to be exposed. IDOR can lead to data manipulation, exposure of user account information and, potentially, damage to the overall security of the application.
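The ownership check the paragraph calls for, as an added example that is not from the article: a lookup that trusts the id from the URL beside one that authorises against the authenticated user, plus a per-user map of opaque handles so internal database keys never appear in URLs at all. Records, names and the `NotFound` exception are constructed.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    amount: int

# Constructed sample records keyed by their internal database id.
INVOICES: Dict[int, Invoice] = {
    101: Invoice(101, "alice", 250),
    102: Invoice(102, "bob", 990),
}

class NotFound(Exception):
    pass

def get_invoice_vulnerable(invoice_id: int) -> Optional[Invoice]:
    # The id taken from the URL is trusted as-is: any logged-in user who
    # edits the number in the address bar reads another user's record.
    return INVOICES.get(invoice_id)

def get_invoice_safe(current_user: str, invoice_id: int) -> Invoice:
    # Authorisation is an explicit server-side check of the record's owner
    # against the authenticated identity, never against request data.
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != current_user:
        # One response for "missing" and "not yours", so a caller cannot
        # tell which ids exist.
        raise NotFound("invoice not found")
    return inv

class ReferenceMap:
    """Per-user map from opaque handles to internal ids, so URLs carry a
    random handle instead of the database key (indirect references)."""
    def __init__(self) -> None:
        self._by_user: Dict[str, Dict[str, int]] = {}

    def handle_for(self, user: str, invoice_id: int) -> str:
        handles = self._by_user.setdefault(user, {})
        for handle, known_id in handles.items():
            if known_id == invoice_id:
                return handle
        handle = secrets.token_urlsafe(16)
        handles[handle] = invoice_id
        return handle

    def resolve(self, user: str, handle: str) -> Optional[int]:
        # A handle issued to one user means nothing in another user's session.
        return self._by_user.get(user, {}).get(handle)
```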

  • Server-Side Request Forgery (SSRF)

SSRF occurs when a web application fails to properly validate user-provided URLs before accessing remote resources. Attackers manipulate vulnerable applications into sending crafted requests to URLs of their choosing, bypassing access controls such as firewalls that block direct connections to the target but allow traffic from the compromised web application. An example of SSRF was the Capital One hack, in which 140,000 social security numbers and 80,000 bank account numbers were stolen and the crime remained undetected for months.
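An added example (not from the article) of the URL validation the paragraph describes as missing: before the server fetches a user-supplied URL, the scheme, host and port are checked against an allowlist and every address the host resolves to must be public, so the request cannot be steered at the internal network the firewall protects. The allowlisted host names and the `resolver` hook are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist of the only hosts this service should ever fetch from.
ALLOWED_HOSTS = {"api.partner.example", "cdn.example"}

def resolve_all(host, resolver=None):
    """Every address the host resolves to. `resolver` is an assumed hook so
    the check can run offline in tests; in production it is left as None."""
    if resolver is not None:
        return resolver(host)
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_public(addr):
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_outbound_url(url, resolver=None):
    """Return (ok, detail): the reason on failure, or the validated addresses
    on success. Connect to one of those addresses rather than resolving the
    name again, so a later DNS change cannot redirect the fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host or host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 80, 443):
        return False, "port not allowed"
    addrs = resolve_all(host, resolver)
    # Every address must be public: a name that also resolves to an internal
    # address would let the request reach the network behind the firewall.
    if not addrs or not all(is_public(a) for a in addrs):
        return False, "resolves to a non-public address"
    return True, addrs
```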

  • Cross-Site Request Forgery (CSRF)

CSRF involves a malicious entity deceiving a user’s browser into performing actions on a trusted website without the user’s knowledge or consent. Users will typically already be authenticated, allowing the attacker to manipulate user profile information, change status updates, or even create new users on behalf of administrators. An attack might target a frequently used e-commerce website, for example: by embedding malicious code in a different website the victim visits, the cybercriminal tricks the browser into making purchases on the e-commerce site using the victim’s saved payment information.
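An added example, not from the article, of the server-side defence against the attack just described: a per-request anti-forgery token bound to the session with an HMAC, checked with a constant-time comparison before any state change, so a form posted from another site cannot carry a valid token. The server key, request dict and endpoint name are constructed stand-ins.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key; in deployment it comes from a secret store
# and never reaches the browser.
SERVER_KEY = secrets.token_bytes(32)

def _mac(session_id: str, nonce: str) -> str:
    return hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(),
                    hashlib.sha256).hexdigest()

def issue_csrf_token(session_id: str) -> str:
    # The token is bound to the session by an HMAC, so it is unpredictable
    # and useless for any other session.
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def verify_csrf_token(session_id: str, token: str) -> bool:
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    # Constant-time comparison so a valid token cannot be guessed byte by byte.
    return hmac.compare_digest(_mac(session_id, nonce), mac)

def handle_transfer(request: dict, session_id: str) -> str:
    """Server side of a state-changing endpoint. `request` is a constructed
    dict standing in for the framework's request object."""
    if request.get("method") != "POST":
        # State changes never happen on GET, which any cross-site link or
        # embedded resource can trigger.
        return "405 method not allowed"
    token = request.get("form", {}).get("csrf_token", "")
    if not verify_csrf_token(session_id, token):
        # A form posted from another site cannot carry a token for this session.
        return "403 csrf check failed"
    return "200 transfer accepted"

# The session cookie itself should also be issued with SameSite so that the
# browser withholds it from most cross-site requests (defence in depth).
SESSION_COOKIE_ATTRS = "HttpOnly; Secure; SameSite=Lax"
```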

  • Outdated or vulnerable web application components

Threat actors deliberately inject malicious or vulnerable code into widely used libraries and third-party dependencies, creating a potential entry point. Organisations that lack visibility into their external code and fail to apply security updates promptly are at risk. A recent example was outdated WordPress plugins that were left unpatched for prolonged periods, leading to severe security breaches, service disruptions and reputational damage.

  • Security misconfigurations

If components of a system are not set up correctly, the resulting weaknesses can be exploited. Most security breaches stem from human error and can be thwarted by regularly updating and patching systems, frameworks and components. Companies can start with simple things, such as an application server’s admin console that has been left with default settings and unchanged passwords.

  • Unvalidated redirects and forwards (URF)

Vulnerabilities like these arise when applications redirect or forward users to URLs supplied by the users themselves. Bad actors abuse URF vulnerabilities to send users to malicious sites, which can result in data theft and malware installation. They occur when developers fail to validate user input properly, enabling attackers to place malicious values in URLs or query strings.
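An added example, not from the article, of validating a redirect target before the redirect is issued: relative paths on this site are accepted, absolute URLs only for allowlisted hosts, and the common bypass shapes (protocol-relative `//host`, backslashes, credentials in the authority, a scheme with no `//`, non-web schemes) all fall back to a safe page. The host names and the response dict are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts this site is permitted to redirect to.
ALLOWED_REDIRECT_HOSTS = {"shop.example", "account.example"}
SAFE_FALLBACK = "/"

def safe_redirect_target(target: str) -> str:
    """Return `target` if it is a safe place to send the user, else the fallback."""
    if not target:
        return SAFE_FALLBACK
    # Control characters can split headers; some browsers treat '\' as '/'.
    if any(ord(c) < 0x20 for c in target) or "\\" in target:
        return SAFE_FALLBACK
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Same-site relative path. It must begin with exactly one '/':
        # "//host/path" is protocol-relative and would leave the site.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return SAFE_FALLBACK
    if parts.scheme not in ("http", "https"):
        return SAFE_FALLBACK           # rejects non-web schemes outright
    if parts.username or parts.password:
        return SAFE_FALLBACK           # "https://trusted@other-host" tricks
    if parts.hostname is None or parts.hostname not in ALLOWED_REDIRECT_HOSTS:
        return SAFE_FALLBACK           # also catches "https:host" (no netloc)
    return target

def login_redirect_response(next_param: str) -> dict:
    """Constructed stand-in for the response a login handler would emit
    after reading the user-supplied `next` parameter."""
    return {"status": 302, "Location": safe_redirect_target(next_param)}
```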

  • Software and data integrity failures

Integrity failures arise when critical data and software updates are added to the delivery pipeline without their integrity being verified. Faulty assumptions, outdated software, insufficient vulnerability scanning, erroneous input validation, missing patches, missing unit tests and insecure component configurations are all causes. One common manifestation of a software and data integrity failure is an attacker tampering with input payloads during deserialisation, coercing the application into executing malicious code or altering its logic.

Conclusion

Web-based communication is essential to organisations’ future success and proactivity is the key to countering the 10 common web security vulnerabilities. This means regular security updates and patching, robust authentication mechanisms, secure coding practices, thorough input validation, strict configuration management and comprehensive security testing.

Staying informed about emerging threats, encouraging a culture of vigilance and prioritising web security allows organisations to protect sensitive data, maintain customer trust and preserve their reputation in today’s digital landscape.

Intelligent CISO