Last updated at Fri, 13 Dec 2019 16:18:03 GMT
Some of the most common web application vulnerabilities tend to be the most exploited because they are difficult to spot, often overlooked by security teams and sought after by attackers. Another reason these vulnerabilities manifest in production environments is because they were never detected while the application was being written, indicating that security wasn’t baked into the development process. Without visibility, security is in the dark and these issues are only detected after the fact—or when an attacker or user finds them.
So, what are the most exploited web application vulnerabilities, and how can you avoid them in your development process? Let’s dig in.
Meet the top 10 commonly exploited vulnerabilities
Every few years, OWASP compiles a list of the 10 most commonly exploited vulnerabilities based on a survey of over 500 industry specialists encompassing more than 100,000 production applications. Vulnerabilities are selected based on exploitability, detectability, and impact. The result is a list that gives us great visibility into what the infosec community is seeing with regards to application security. It’s a great way to assess your appsec posture, prioritize threats, and remediate them.
Learn about each of them below:
1. Injections
Injections have been running rampant for over 20 years because they can take many forms and are ubiquitous across frameworks. According to OWASP, injection flaws such as SQL, NoSQL, OS, and LDAP occur when untrusted data is sent to an interpreter as part of a command or query. An attacker can trick the interpreter into executing commands or accessing data, bypassing any authorization. If exploited, these vulnerabilities can be detrimental.
2. Broken authentication
This includes improper configurations, weak authentication processes, and poor session management. When authentication is broken, attackers can compromise credentials or impersonate users temporarily or permanently. This can be an adversary’s fast-track to gaining access to sensitive and valuable information or systems.
3. Sensitive data exposure
This vulnerability has moved up in the list due to an increase in personally identifiable information (PII) compromises from improper encryption and the valuable nature of the data. According to OWASP, many web applications and APIs don’t properly protect sensitive data like PII or financials, which leads to incidents such as credit card fraud and identity theft.
4. XML external entities (XXE)
Often, older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial-of-service attacks.
5. Broken access control
This occurs when authenticated user access isn’t controlled or enforced properly. This can lead to a larger-than-normal elevated access whereby attackers can exploit these flaws and access unauthorized functionality or data. With an increased attack surface, things like user accounts, sensitive files, and access rights can be at risk.
6. Security misconfigurations
This is the most commonly seen issue across organizations. It’s often a result of insecure, incomplete, or ad hoc default configurations or misconfigured HTTP headers, open cloud storage, or error messages containing sensitive information. This means not only should operating systems, frameworks, libraries, and applications be securely configured, but they also must be patched and upgraded on a regular basis to stay secure.
7. Cross-site scripting (XSS)
XSS is quite common, but shows up lower on the OWASP list due to better browser-based XSS protection these days, making it harder to exploit. XSS flaws occur when an application has untrusted data on a web page without proper validation, enabling attackers to execute scripts in a victim’s web browser to hijack their session, deface websites, or redirect users to a malicious site.
8. Insecure deserialization
This vulnerability often leads to remote code execution or to perform attacks like replay attacks, injection attacks, and privilege escalation attacks. This is usually mitigated by strict validation and control over what is deserialized and/or significant architectural changes.
9. Using components with known vulnerabilities
When was the last time someone in your organization used a component with a known vulnerability? Most organizations don’t know, especially if they’re decentralized. If a vulnerable component like an application or API has known vulnerabilities and is exploited, it can lead to serious data loss or server takeover.
10. Insufficient logging and monitoring
Last but not least, if logging and monitoring capabilities are not integrated with incident response, attackers can often fly under the radar to penetrate deeper into a system, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Given that the time to detect the average breach is over 200 days, a proper vulnerability management program is the only way to ensure nothing goes unseen.
Addressing all 10 vulnerabilities: Modern-day appsec solutions for modern apps
Purpose-built to detect, prioritize, and help remediate application vulnerabilities at any layer, Rapid7’s InsightAppSec can help to address all 10 of these top web application vulnerabilities. It can spot injections and improper configurations, integrate logging, monitoring, and incident response, and detect suspicious user activity. Created with the modern, multi-layer application in mind, it can also detect vulnerabilities that have persisted over time.
To see how InsightAppSec can help you to mitigate and remediate all ten of the top vulnerabilities out there today, sign up for a free trial to give it a spin.