Consumers have become accustomed to the online “try before you buy” experience. Whether it’s uploading a selfie to see if those “not sold in stores” eyeglasses look good on them, accessing virtual home-for-sale tours, or entering an email address to assess technology through a free trial, users have a greater ability than ever to whittle down their options without directly engaging a vendor.
Vendors know this is an incredibly empowering experience for the user. So, in their zeal to deliver ever more interactive and unique user experiences, development teams are increasingly challenged to build the latest and greatest while meeting the super-aggressive production deadlines that come with them.
As part of this year’s “Under the Hoodie” report, a compilation of insights and trends from 268 penetration tests, we identified the latest web application security risks companies are facing today and analyzed which vulnerabilities are most prone to exploitation. The objective? To help companies better prioritize their web application security efforts and align security and development teams so production doesn’t have to come at the cost of safety.
User experience over application security assurance
During this rush to production, application vulnerabilities may be inadvertently created and often go undiscovered as security gets left behind. As a result, vendors can draw more than just potential customers—they can also attract attackers. Web applications are complex, use advanced frameworks, change rapidly (think CI/CD), and are a great source of frustration for security teams as the imperative to quickly get these apps into production impairs their own ability to confidently ensure applications are secure.
OWASP Top 10 vulnerabilities continue to evade traditional DAST tools
While the issues that plague web applications can vary from app to app, it should come as no surprise that this year’s “Under the Hoodie” report exposed common web application vulnerabilities that have been or are currently on OWASP’s Top 10. Let’s look at three specific application vulnerabilities from the chart below:
1. Cross-site scripting: An oldie but goodie
As you can see above, 32 of our 268 engagements (7.5%) fell victim to cross-site scripting (XSS) attacks. XSS is often performed on areas of web applications where authentication is not required, making it easier for attackers to put their code in front of the entire user base and more difficult for defenders to keep them out. While it has been a known attack for over a decade, it continues to stay on OWASP’s Top 10. Since this approach continues to be prevalent, SecOps-driven teams should seriously consider the effectiveness of their discovery methods.
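As an added example in Python (not code from the report or from Rapid7), here is the rendering pattern behind most XSS findings: the same comment template once concatenating user input straight into the page and once escaping it for the context it lands in. The sample comments and the `TagCollector` check are constructed for this demo; the check parses the rendered output and reports any tags or `on*` attributes that did not come from the template itself, which is the property a scanner or a unit test is really after.

```python
"""Reflecting untrusted input into HTML: the unsafe template next to the hardened one.

Added example; the sample comments and the check below are constructed for this demo.
"""
import html
from html.parser import HTMLParser

# Constructed sample inputs, as a public comment form (no login required) might receive them.
SAMPLE_COMMENTS = [
    ("dana", "Great product, would buy again!"),
    ("eve", "<script>alert('xss')</script>"),          # body lands in element content
    ('" onmouseover="alert(1)', "looks fine to me"),   # author lands in an attribute value
]


def render_comment_unsafe(author, body):
    """Vulnerable: untrusted strings are concatenated straight into markup."""
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_comment_safe(author, body):
    """Hardened: every untrusted value is escaped for the context it lands in.

    quote=True turns " and ' into entities so a value cannot close the attribute
    it sits in; element content needs <, > and & handled, which escape() also does.
    """
    return (
        f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
        f"<p>{html.escape(body)}</p></div>"
    )


class TagCollector(HTMLParser):
    """Records every start tag and every on* event-handler attribute in a document."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


TEMPLATE_TAGS = {"div", "p"}  # the only elements the template itself emits


def analyze_render(rendered):
    """Report markup in the output that the template did not put there.

    An empty report means the untrusted input survived only as text.
    """
    parser = TagCollector()
    parser.feed(rendered)
    parser.close()
    return {
        "extra_tags": [t for t in parser.tags if t not in TEMPLATE_TAGS],
        "event_handlers": parser.handlers,
    }


if __name__ == "__main__":
    for author, body in SAMPLE_COMMENTS:
        for label, render in (("unsafe", render_comment_unsafe), ("safe", render_comment_safe)):
            out = render(author, body)
            print(f"{label:6} {analyze_render(out)}  {out}")
```

The attribute case is the one teams most often miss: escaping `<` and `>` alone still lets a quote character break out of `data-author="..."` and add a handler, which is why the escape call has to match the context of each insertion point.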
2. Cross-site request forgery continues to haunt
We also discovered that cross-site request forgery (CSRF), otherwise known as “clickjacking,” accounted for 6.1% of web application vulnerabilities encountered. These attacks force end users to execute unwanted actions during their authenticated session and leverage the victims’ legitimate access. Interestingly enough, OWASP removed this vulnerability from its 2017 Top 10 as a result of being found in only 5% of applications. However, considering our “Under the Hoodie” findings, your team should continue to keep this vulnerability on your radar.
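The standard synchronizer-token defense against CSRF, as an added Python example rather than anything from the report: the server issues one unguessable token per session, embeds it only in its own forms, and rejects any state-changing POST whose token does not match the session’s, with an `Origin` header check as a second layer. `Session`, `handle_transfer`, `render_transfer_form` and the `https://shop.example` origin are hypothetical names for this demo.

```python
"""Synchronizer-token protection for state-changing requests.

Added example; Session, handle_transfer and the origins below are hypothetical.
"""
import hmac
import re
import secrets
from typing import Optional, Tuple

SITE_ORIGIN = "https://shop.example"  # assumed origin of the application


class Session:
    """Server-side session; in a real app this lives behind a session cookie."""

    def __init__(self, user: str) -> None:
        self.user = user
        # One unguessable token per session; it is never exposed where another site's page can read it.
        self.csrf_token = secrets.token_urlsafe(32)


def render_transfer_form(session: Session) -> str:
    """Only the application's own pages can embed the current token."""
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def token_from_form(page: str) -> str:
    """What the legitimate page (and only it) can do: read the token back out of the form."""
    match = re.search(r'name="csrf_token" value="([^"]+)"', page)
    return match.group(1) if match else ""


def handle_transfer(session: Session, form: dict, origin: Optional[str]) -> Tuple[int, str]:
    """POST /transfer. Returns (HTTP status, message).

    Both checks run before any state changes. A forged request carries the victim's
    session cookie automatically, but the attacker's page cannot read the token and
    cannot set the browser-controlled Origin header to our site.
    """
    # Layer 1: when the browser sends an Origin header, it must be our own site.
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    # Layer 2: the synchronizer token must match the one bound to this session.
    # compare_digest keeps the comparison constant-time; encode() guards against non-ASCII input.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"{session.user} sent {form.get('amount')} to {form.get('to')}"


if __name__ == "__main__":
    victim = Session("alice")
    # Legitimate flow: the app's own page carries the token and the browser sets Origin to the site.
    token = token_from_form(render_transfer_form(victim))
    print(handle_transfer(victim, {"to": "bob", "amount": "10", "csrf_token": token}, SITE_ORIGIN))
    # Forged flow: a form auto-submitted from another site rides on alice's session cookie.
    print(handle_transfer(victim, {"to": "mallory", "amount": "9999"}, "https://attacker.example"))
    # Even with Origin absent, a guessed token does not match the session's.
    print(handle_transfer(victim, {"to": "mallory", "amount": "9999", "csrf_token": "guess"}, None))
```

The token is bound to the session, so a token lifted from one session is rejected in another; the `Origin` check catches the cross-site case even before the token is examined, and the two layers together cover browsers that omit `Origin` on same-origin form posts.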
3. SQL injections are common, yet potentially devastating
SQL injection (SQLi) is another vulnerability discussed in our report, accounting for 1.6% of exploits. A fairly common attack vector, it allows malicious actors to control a web application’s database, often sending the database contents to the attacker for malicious use. While seemingly accounting for a low percentage of our encounters, injection vulnerabilities remain No. 1 on the OWASP Top 10 application vulnerabilities list because of how common they are and the negative impact they can have on an organization.
Don’t dismiss the numbers
While the presence of web vulnerabilities can be perceived as too infrequent to prioritize security over meeting application production goals, consider the fact that 59% of the penetration tests run as part of the report were external, and of those, nearly every malicious attack scenario started from an external-facing asset—most of which were web applications. Closing these vulnerabilities manually or with traditional dynamic application security testing (DAST) tools is next to impossible.
Additionally, pen testers reported encountering “some other vulnerability” more than 32% of the time, usually in combination with at least one of the other, more specific vulnerability categories (56%). This may indicate traditional attacks and attacker behavior are evolving to take a multipronged approach in looking for weaknesses in both your network and apps. To defend against the changing and expanding threat landscape, teams should start thinking of ways to modernize the way they do vulnerability management and application security, and how they can introduce security earlier in the development process.
Capturing the keys to the kingdom—credentials
Ultimately, one of the major goals of exploitation is to capture credentials. The most common place to capture these credentials? You guessed it—web apps. Compromised web applications can serve as a conduit to transfer credentials to attackers, and the issue is amplified when users reuse passwords across accounts. You can bet attackers try hitting different services with a user’s credentials to see how many they can get into.
If you are looking for more information on stolen credentials, check out our recent “Under the Hoodie” analysis blog. The bottom line is that without visibility into the potential weaknesses in your web applications, especially your externally facing ones, you open yourself up to a great deal of risk. Though DAST can provide you with the level of insight and control you need to close these gaps, there are a few big caveats.
The problems with the traditional DAST approach
DAST solutions are a great way to have eyes and ears on your arsenal of web applications, but of the companies that participated in our report, many that were already using DAST were still unable to quickly detect signs of common malicious behaviors like XSS, SQLi, or CSRF. Why? DAST solutions have been around for a while, and because of that, many companies are still using solutions built for static, on-premise applications and not the modern web frameworks that are constantly changing and growing.
Another big problem, as explained in an earlier “Under the Hoodie” analysis, is that most apps today have logged-out and logged-in states. Because vulnerabilities can exist in both, both must be monitored. Traditional DAST solutions can only scan what lies outside the login functionality. In other words, they’re not designed to get past two-factor authentication (2FA) to scan within the application itself. This is often where the most valuable data lies, and naturally where most attacks are targeted.
Unless you take a forward-thinking approach to application security through techniques that uncover attacker behavior and complement your development lifecycle, you can never know what’s happening in real time, what’s exposed, and what to fix first until it’s too late. Driving application security earlier in your development process through orchestration, automation, and integration in a near-real-time manner is crucial.
Keeping up with production: How modern DASTs can enable SecOps speed
In short, security and development teams have to contend with the dynamic nature of today’s applications in order to keep up with modern vulnerabilities—and to do so, they need modern application security scanning. (Warning: Quick plug ahead!) InsightAppSec, Rapid7’s application security solution, leverages our powerful DAST engine to provide full visibility of your modern ecosystem (including modern web apps and APIs), enable collaboration with development, and scale to an application portfolio of any size. This breaks down barriers between teams and instead brings security and development together so that both functions can drive application security forward faster, with minimal impact on the software development lifecycle (SDLC).
Just as vendors have to keep up with the evolving nature of online buyer and user behaviors, your DAST must also be able to adapt to the changing needs of your team. That’s why we built InsightAppSec to be the most extensible modern DAST, able to adapt to the needs of current and future technologies and security requirements. If you’re interested in giving InsightAppSec a spin to scan for the vulns from this year’s “Under the Hoodie” report, start your free trial today. (Don’t worry, we’ve also tested our own apps.)