Last update: 25 January 2022
Web applications are an essential component of any modern business. They can help convey the company vision, advertise services and deliver content to customers.
Regardless of their use, they are a necessity for making oneself or a business known to the world. However, as beneficial as they are, they are also vulnerable to compromise.
This post discusses the five deadliest web application attack vectors to watch out for in 2022 and how they can be detected (and then remediated) through web application testing.
Vector 1: Injection Attacks
Injection attacks are a class of vulnerabilities that exploit missing or insufficient input validation. If a web application accepts all user input as valid, or places only minimal restrictions on it, an adversary can inject arbitrary commands, queries or code into the browser or into the back-end systems connected to the application (i.e. the database or hosting server).
Depending on the context, the impacts of injection attacks differ drastically, for example:
- An adversary could hijack a victim’s session
- An adversary could force other users to perform malicious actions of the adversary’s choice
- An adversary could execute operating system commands on the hosting server and potentially access the information stored on it
A comprehensive web application test would identify instances of injection vulnerabilities, alongside the security controls (or lack thereof) that fail to prevent them. For example, in the case of cross-site scripting, a consultant would look at whether they can inject JavaScript and whether they could successfully leverage it (i.e. to steal a user’s session cookie).
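The two injection cases mentioned above, SQL injection against the back-end database and cross-site scripting in the browser, come down to the same root cause: untrusted input is concatenated into a query or a page instead of being passed as data. The following is an added example written for this post, not Risk Crew's tooling or code from any project. It uses Python's standard sqlite3 and html modules, and the user table, the crafted username and the probe string are all constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for the app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(49, "alice", "user"), (50, "bob", "user"), (1, "admin", "admin")],
    )
    return conn


def find_user_unsafe(conn, username):
    # Vulnerable: the input is spliced into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Hardened: a bound parameter is handed to the driver as a value and can
    # never change the shape of the statement.
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_greeting_unsafe(display_name):
    # Vulnerable: markup inside the name is emitted as markup, so script in a
    # user-controlled field runs in every viewer's browser (cross-site scripting).
    return f"<p>Welcome back, {display_name}</p>"


def render_greeting_safe(display_name):
    # Hardened: contextual output encoding for an HTML text node, applied at the
    # point of output. Validate on input as well; encoding is the last line of defence.
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}</p>"


def demo():
    """Run both versions against constructed hostile input and report the difference."""
    conn = make_db()
    crafted = "x' OR '1'='1"               # constructed: closes the literal, adds a tautology
    markup = "<script>alert(1)</script>"   # constructed: the textbook XSS probe string
    return {
        "unsafe_rows": len(find_user_unsafe(conn, crafted)),   # every row comes back
        "safe_rows": len(find_user_safe(conn, crafted)),       # no such username: nothing
        "unsafe_html_has_script": "<script>" in render_greeting_unsafe(markup),
        "safe_html_has_script": "<script>" in render_greeting_safe(markup),
    }


if __name__ == "__main__":
    print(demo())
```

The unsafe query returns all three rows for an input that matches no username at all, which is exactly the behaviour a tester confirms before rating the finding; the parameterised version returns nothing. Note that escaping alone is context-specific: the same name placed inside a JavaScript block or an attribute needs the encoding for that context.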
Vector 2: Broken Access Control
Broken access control is where an application’s security policy fails to adequately prevent unauthorised users from accessing sensitive functionality and/or information. An example of an access control vulnerability is where an insecure unique identifier is used by an application to distinguish between user accounts. Let’s say user 1 has an ID of 49.
User 1 could tamper with this parameter and change it to 50, allowing this individual to view the information in user 2’s account. This is referred to as an Insecure Direct Object Reference (IDOR).
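The IDOR above is an authorisation failure, not an authentication one: the application knows who is logged in but never asks whether that person owns account 50. The following added example (written for this post, not Risk Crew's code) shows the vulnerable lookup next to a hardened one. The account records, session tokens and admin role are constructed for the demonstration.

```python
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when the requester is not allowed to see the requested record."""


@dataclass(frozen=True)
class Account:
    account_id: int
    owner_id: int
    email: str


# Constructed records: account 49 belongs to user 1, account 50 to user 2.
ACCOUNTS = {
    49: Account(49, owner_id=1, email="user1@example.invalid"),
    50: Account(50, owner_id=2, email="user2@example.invalid"),
}

# Constructed session store: opaque token -> who is logged in.
SESSIONS = {
    "sess-user1": {"user_id": 1, "is_admin": False},
    "sess-user2": {"user_id": 2, "is_admin": False},
    "sess-admin": {"user_id": 99, "is_admin": True},
}


def get_account_unsafe(session_token, account_id):
    # Vulnerable: the request is authenticated but never authorised. Any logged-in
    # user who changes 49 to 50 in the request reads user 2's account.
    if session_token not in SESSIONS:
        raise AccessDenied("not authenticated")
    return ACCOUNTS.get(account_id)


def get_account_safe(session_token, account_id):
    # Hardened: fetch the object, then check it belongs to the requester (or that
    # the requester holds a role that is allowed to see everyone's data).
    session = SESSIONS.get(session_token)
    if session is None:
        raise AccessDenied("not authenticated")
    account = ACCOUNTS.get(account_id)
    owns_it = account is not None and account.owner_id == session["user_id"]
    if not (owns_it or (account is not None and session["is_admin"])):
        # Deny by default, and make "no such record" and "not yours" look the same
        # so the response cannot be used to enumerate which IDs exist.
        raise AccessDenied("not authorised")
    return account


def can_access(session_token, account_id):
    """True if the hardened check lets this session read this account."""
    try:
        get_account_safe(session_token, account_id)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    leaked = get_account_unsafe("sess-user1", 50)      # user 1 sees user 2's data
    print("unsafe, other account:", leaked.email)
    print("safe, own account    :", can_access("sess-user1", 49))
    print("safe, other account  :", can_access("sess-user1", 50))
    print("safe, admin          :", can_access("sess-admin", 50))
```

The check lives in the data-access function rather than in the page that calls it, so every route that can reach an account goes through it; IDORs are usually found where one route forgot the check that its siblings perform.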
Common impacts of broken access control vulnerabilities include:
- Unauthorised information disclosure
- Unauthorised modification or destruction of data
- Privilege escalation
Web application testing identifies instances of privilege escalation, function-level access control issues and other vulnerabilities which allow a user or malicious actor to circumvent access control and/or escalate privileges.
Vector 3: Cryptographic Misconfigurations
Cryptographic misconfigurations are vulnerabilities that affect the security of information at rest or in transit. They are among the most common vulnerabilities out there.
Well-positioned adversaries can potentially abuse these vulnerabilities to downgrade the protections of a cryptographic channel to that of an unencrypted channel and intercept user credentials, including those of privileged accounts.
There are many types of cryptographic misconfigurations. For example, a digital certificate can use algorithms and ciphers that are deprecated and considered insecure. One of the most common offenders we see at Risk Crew is the continued use of the deprecated Transport Layer Security (TLS) protocol versions 1.0 and 1.1.
Conducting a web application security test will identify these types of vulnerabilities in the initial reconnaissance phase. These vulnerabilities are exceedingly common and can potentially result in the disclosure of sensitive information, which an adversary could take advantage of.
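The TLS 1.0/1.1 finding is as common on the client side of an application (its calls to payment gateways, identity providers and internal APIs) as on the server that faces the user. The following added example, written for this post and not Risk Crew's tooling, uses Python's standard ssl module to show a weak client configuration beside a corrected one and a small audit function that flags the same misconfigurations a reconnaissance phase would report. The option and version names are those of the ssl module; whether the weak context can actually negotiate TLS 1.0 depends on the local OpenSSL build.

```python
import ssl


def weak_client_context():
    # Weak configuration, shown only for contrast. It accepts every protocol
    # version the local OpenSSL build still supports (on many builds that includes
    # TLS 1.0 and 1.1) and switches certificate validation off entirely.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False      # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context():
    # Corrected configuration: system trust store, hostname checking, TLS 1.2 as
    # the floor (1.0 and 1.1 are deprecated by RFC 8996) and compression off.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def audit_context(ctx):
    """Return the misconfigurations found in an SSLContext (an empty list if clean)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("deprecated TLS 1.0/1.1 permitted")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("TLS compression not disabled")
    return findings


def minimum_version_name(ctx):
    """Human-readable protocol floor, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    print("weak    :", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

Disabling certificate verification is listed alongside the protocol floor deliberately: an attacker positioned on the path does not need to downgrade TLS 1.2 if the client will accept any certificate at all, so the two settings should always be reviewed together.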
Vector 4: Vulnerable Software Components
Both custom-built and third-party applications can contain vulnerable software components. This vulnerability arises when a Common Vulnerabilities and Exposures (CVE) entry is published for a library or dependency that is used by thousands of other applications as part of a framework, content management system, library, etc.
This vulnerability can encompass:
- Client and server-side components, including nested dependencies (additionally, components inside an application can often use vulnerable components themselves)
- Unsupported and/or out-of-date software, including the application’s DBMS (Database Management System)
Once again, a web application penetration test will identify vulnerable components associated with the application and establish the level of risk they pose to it.
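The nested-dependency point is the one that catches most teams: the vulnerable library is rarely one the developers added themselves. The following added example, written for this post rather than taken from Risk Crew or any project, walks a constructed dependency tree, resolves which version of each component the application actually ships, and matches the result against a constructed advisory feed. The package names, versions and advisory identifiers are all made up placeholders; a real checker would read a lock file and a vulnerability database.

```python
from collections import deque

# Constructed dependency tree: the application's direct dependencies and what
# each of them pulls in. Package names and versions are made up for this example.
DEPENDENCY_TREE = {
    "app": {"webframework": "2.4.1", "template-engine": "3.0.0"},
    "webframework": {"http-parser": "1.8.2", "json-lib": "5.1.0"},
    "template-engine": {"json-lib": "5.1.0"},
    "http-parser": {},
    "json-lib": {},
}

# Constructed advisory feed. The identifiers are placeholders, not real CVE IDs.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "http-parser", "fixed_in": "1.9.0"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "json-lib", "fixed_in": "5.0.0"},
    {"id": "ADVISORY-PLACEHOLDER-3", "package": "template-engine", "fixed_in": "3.0.1"},
]


def parse_version(text):
    """Dotted numeric versions only; enough for the constructed data above."""
    return tuple(int(part) for part in text.split("."))


def resolve_versions(tree, root="app"):
    """Breadth-first walk recording each package's version and the path that pulled it in."""
    resolved = {}
    queue = deque([(root, [root])])
    while queue:
        pkg, path = queue.popleft()
        for dep, version in tree.get(pkg, {}).items():
            if dep in resolved:
                continue            # first (shortest) path wins
            resolved[dep] = {"version": version, "path": path + [dep]}
            queue.append((dep, path + [dep]))
    return resolved


def find_vulnerable_components(tree, advisories, root="app"):
    """Report every resolved package whose version is below the advisory's fixed version."""
    resolved = resolve_versions(tree, root)
    findings = []
    for adv in advisories:
        info = resolved.get(adv["package"])
        if info is None:
            continue                # package not present in this application
        if parse_version(info["version"]) < parse_version(adv["fixed_in"]):
            findings.append({
                "advisory": adv["id"],
                "package": adv["package"],
                "version": info["version"],
                "fixed_in": adv["fixed_in"],
                "transitive": len(info["path"]) > 2,   # pulled in by another component
                "path": " -> ".join(info["path"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_components(DEPENDENCY_TREE, ADVISORIES):
        kind = "nested" if f["transitive"] else "direct"
        print(f"{f['advisory']}: {f['package']} {f['version']} ({kind}) via {f['path']}")
```

In the constructed data the vulnerable http-parser is two levels down and never appears in the application's own dependency list, which is why the report records the path: the remediation is to upgrade webframework, not to pin http-parser by hand.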
Vector 5: Broken Authentication
The OWASP Top 10 for 2021 has essentially combined multiple related vulnerabilities into one category.
However, this can complicate matters, especially when the official title is now ‘Authentication and Identification’. This class now includes certificate validation issues and elements of session management configuration vulnerabilities. The former could be part of more than one OWASP entry on the list and the latter could be considered a vulnerability class of its own. To avoid confusion, we will focus solely on Broken Authentication vulnerabilities.
Vulnerabilities in the authentication functionality can allow an adversary to circumvent the protections and masquerade as if they were a legitimate user. This can result in the application becoming completely compromised if the user in question has administrative privileges.
Comprehensive web application testing can discover vulnerabilities in an application’s authentication functionality. For example, testing can reveal issues ranging from a lack of mitigations against low-complexity attacks such as credential stuffing, to more complex vulnerabilities like subtle logic flaws.
These can result in authentication bypasses and in some cases, even privilege escalation. Logic flaws often go unnoticed and can pose considerable risk to an application and its users.
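Credential stuffing succeeds against an application that lets an attacker try leaked username and password pairs without limit and tells them, through differing error messages or response times, which usernames exist. The following added example (written for this post, not Risk Crew's code) shows the three controls a tester checks for: a slow salted hash, a constant-time comparison, and a per-account lockout that gives the same generic failure whatever the cause. It uses only the Python standard library; the usernames, passwords and lockout thresholds are constructed for the demonstration, and the clock is injectable so the scenario can be replayed without waiting.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5             # consecutive failures before the account locks
LOCKOUT_SECONDS = 900        # how long the lock lasts
PBKDF2_ITERATIONS = 600_000  # slow hash so stolen digests resist offline guessing


def hash_password(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Authenticator:
    """Password login with per-account lockout and a single generic failure result."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock       # injectable so tests can advance time
        self._users = {}          # username -> (salt, digest)
        self._failures = {}       # username -> (count, locked_until)

    def register(self, username, password):
        self._users[username] = hash_password(password)

    def login(self, username, password):
        """Return True on success. Every failure, whatever the cause, returns False."""
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if locked_until > now:
            return False          # locked: even the right password is refused
        record = self._users.get(username)
        if record is None:
            # Unknown user: still pay for a hash so response time does not reveal
            # which usernames exist, then fail the same way as a bad password.
            hash_password(password, b"\x00" * 16)
            return False
        salt, expected = record
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, expected):   # constant-time comparison
            self._failures.pop(username, None)
            return True
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self._failures[username] = (count, locked_until)
        return False

    def is_locked(self, username):
        _, locked_until = self._failures.get(username, (0, 0.0))
        return locked_until > self._clock()


def demo():
    """Constructed scenario on a fake clock: a stuffing run, the lock, and its expiry."""
    now = [1000.0]
    auth = Authenticator(clock=lambda: now[0])
    auth.register("alice", "correct horse battery staple")
    results = {}
    results["good_first"] = auth.login("alice", "correct horse battery staple")
    results["guesses"] = [auth.login("alice", f"guess{i}") for i in range(MAX_FAILURES)]
    results["locked"] = auth.is_locked("alice")
    results["good_while_locked"] = auth.login("alice", "correct horse battery staple")
    now[0] += LOCKOUT_SECONDS + 1
    results["good_after_expiry"] = auth.login("alice", "correct horse battery staple")
    results["unknown_user"] = auth.login("nobody", "anything")
    return results


if __name__ == "__main__":
    print(demo())
```

A per-account lock on its own can be turned into a denial of service against a known user, so in practice it is paired with per-source throttling and, for high-value accounts, a second factor; the point the scenario makes is that once the threshold is reached, even a correct guess is refused until the window passes.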
Prevent Web Application Attacks
To conclude, these are 5 of the deadliest attack vectors to watch out for during 2022. Whilst these are not the only vulnerabilities to be aware of, the result of a breach is the same regardless of the vulnerability. We recommend web application testing be conducted once a year or when any major changes are made to the site to avoid these vulnerabilities.
The Risk Crew is here for you. Our CREST accredited security engineers can help you ensure that your web application(s) are secure.