To most, the Internet is a brightly lit wonderland of applications and services which enhance our daily lives online. From banking to streaming and everything in between, there's a fancy responsive webpage for everything. However, behind the curtain lies a tightly wound web of computer networks which is ultimately managed by people. People are fallible and just like the device you are reading this article on, these machines require love, care, and software updates which, unfortunately, are not always applied by their forgetful administrators. This situation is all too familiar to the seasoned cyber security professional: a critical vulnerability in a public web application left unpatched and forgotten in the corner of the external network is an open door for attackers. You may be thinking:
‘Horangi, I don’t run any Web Apps, my company doesn't serve any customers a service.’
Are you sure about that? Are your staff logging in through Citrix or a VPN gateway? Do you have an SSO portal published? Anything that bridges the gap between the Internet and your internal network could be considered a web app, because well, it's on the web and most probably serving a portal to someone over Port 80 or 443.
A great example of an obscure web app vulnerability can be found in the recent public disclosure of unauthenticated remote code execution in Citrix Netscaler appliances which allowed anyone to traverse outside to inside with a few simple commands. Forgetting to patch such a vulnerability could be catastrophic. It goes almost without saying that this isn't a great example of a traditional web app vulnerability but we hope it goes to show that vulnerabilities in Internet-facing systems can appear where you never expect them to.
Just because you aren't running what would be considered a traditional Web App does not necessarily mean that you are immune from their dangers. Stepping back inside the box to traditional Web Apps may be more appropriate for the scope of this post, so let's consider a Web App that in some way serves your customers. It, at the very least, requires a front end and most likely connectivity back into your network.
Attacks and Its Many Forms.
Thankfully, there are people out there who devote their lives to cataloguing information on common web application attacks which makes the defender’s job slightly easier. The most notable group without question must be OWASP. Their project tracks the top ten Web App vulnerabilities and posts detailed information for defenders and developers alike. Using the information that is open-sourced from the project gives us a peek behind the curtain at what to expect from attackers. All of the classics are there: injection, bad authentication, data leakage, poor xml handling...the list goes on. All in all, at some point along the kill chain, exploiting one of these weaknesses will give the attacker data you wanted to keep private (think user/staff information) or allow the attacker to traverse. A bad experience for everyone all around. But it doesn't have to be this way. What if you could find the vulnerabilities before the attackers do?
There are many schools of thought around mitigating web application vulnerabilities. In our opinion, a combination of techniques is required a.k.a. an in-depth defence strategy. Firstly, security should be kept in mind during the development and early implementation of any platform. If the app is being built internally, someone needs to be the voice of securityvoice of security for the project. Without such a voice, it is common for security initiatives to fall to the wayside and become an afterthought as the implementation can be time-consuming and costly. Secure development lifecycle processes are also important. Following best practices prescribed by leading development organizations and standard bodies can help weave security into the very fabric of software.
In addition to early considerations for security, we should also aim to look for vulnerabilities which evolve over time post-implementation. Just because our app is secure on release day does not mean it will be secure on day thirty. As we mentioned earlier, computer systems need updating and maintaining, and the infrastructure behind most web applications isn't an exception. To illuminate issues that arise post-deployment, a Web Application Scanning process should be constructed. The process should be documented in simple terms (a one pager should do it) and followed by staff on a regular basis - the more automated the better. For example, running a vulnerability scan against the app periodically or when there’s a major change to the application code base from an external network to best simulate the position of a would-be attacker. Once completed, a report is generated which details all of the changes required to make things safe again.
There are many platforms available for enterprises and consumers alike, some are even open-source. Most vendors offer a cloud-hosted solution that makes Web App testing a breeze. With that being said, you can’t beat the human mind (at least not yet) and there is of course still room for human-ran web application penetration tests which will most likely identify holes that automated scanning simply can't. In some test cases, there are things like business logic that cannot be picked up by most web application scannersweb application scanners because it cannot understand the “context” of what the application does. This is where bringing in a human tester is important to find more complex vulnerabilities in a nuanced context. Putting your development and security team in a (possibly virtual?) room together with some seasoned Horangi hackers will bring knowledge, engagement, and of course security to any technical roundtable.
Whilst all of this sounds costly and time-consuming, the investment surely outweighs the cost of a devastating cyber attack and brand reputational ruinbrand reputational ruin after an attacker halts your business and leaks user or staff data for the world to see or the highest bidder to take.
How Can We Help?
Horangi runs web application penetration tests in a handful of varieties and each test is catered to the client. Generally, our team can be given a target and start attacking almost immediately. Our analysts will perform a wide range of reconnaissance probing and attacks from the Internet as a normal attack would. Then a helpful and easily understandable report will be handed over which carefully explains the weaknesses Horangi finds and advice on how to fix them.
We are happy to also help you in any of the other stages outlined earlier in this post. If your team needs advice around the secure development lifecyclesecure development lifecycle, secure code review or even a cloud security scannercloud security scanner, we can help. We can even provide all these services as an overarching package to help your business weave security into every fiber of your web applications from beginning to end. Horangi can help your organization conquer web application security by creating understandable, digestible, and actionable information for your teams.
Contact us today for a friendly commitment free conversation about how we can tailor services to your requirements and keep out the bad guys. You can also visit our Penetration Testing pagePenetration Testing page to find out more about this service.