Web applications are computer programs that are accessed over a network such as the internet or an intranet. Increased information sharing through social media channels and wide use of the internet as a means of doing business and delivering services, has been one of the reasons for websites or web applications being attacked directly. Recent studies indicate most web applications contain critical security flaws, and it is not limited only to the banking sector. Thus, security has become a big issue because of common vulnerabilities found in the web applications.
Gartner’s Security and Risk Management Summit 2016 predicts “ by 2019, enterprises will spend over $1.2 billion on application security, doubling the $600 million spent in 2014”.
With hacking of websites both large and small increasing each day, the world is giving focus and considerable attention towards the security of web applications. Still, many are unaware of the common vulnerabilities or threats related to an open web application.
The ten most critical web application security risks are:
- Injection
- Broken Authentication and Session Management
- Cross Site Scripting (XSS)
- Insecure Direct Object Reference
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross Site Request Forgery (CSRF)
- Using Components with known Vulnerabilities
- Unvalidated Redirects and Forwards
By conducting thorough security tests and identifying vulnerabilities, Synerzip has helped many clients in different domains to assess their web application vulnerability and give possible solutions to minimize risks and increase security.
A client of Synerzip in the Supply Chain Management domain needed a vulnerability assessment for their web application. Being a transportation management solutions company, various entities were involved within the web application, i.e., people, companies and nations. Due to increasing business and geographical expansion, the portal security was utmost important and much needed. Understanding its importance, a few of the client’s customers had also requested a vulnerability assessment, as many URLs are exposed to the outside world.
Synerzip suggested a multi-tool scan with manual verification. The solution was implemented by setting of HttpOnly flag for session cookie (preferably all cookies) which helped to prevent the user’s session cookie from being accessible to malicious client-side scripts that use document.cookie. The suggestion was given to implement input validation strategy, such as the whitelisting of acceptable inputs that strictly conform to specifications and reject all others that don’t not conform to specification.
Recommendations were also made to use custom error pages and display a unique error message on the client browser. This helped to avoid exposure of server and technology details, which otherwise could have been used to collect information for exploitation. Disabling of directory browsing was also requested to make it difficult to survey the website for vulnerabilities.
Synerzip followed these guidelines as part of their Vulnerability Assessment procedure:
- Target understanding – Understanding and identification of the target website was carried out, which helped to determine the exact scope and catch possible entry points.
- Enumeration and discovery – Other than the base URL, other URLs not explicitly advertised, with non-standard port scan, along with services discovery.
- Automated and Manual Scan – Various tools mentioned below were used for vulnerability scan in passive and active mode. Manual Scan was performed after authenticating the application.
- Eliminate false positive – Vulnerabilities reported by the tool were validated.
- Reporting vulnerabilities – Consolidated reports were prepared with data from automated run and manual tests. High risk vulnerabilities were highlighted.
- Remedial measures – Possible solutions were provided for rectification of the issues.
All this helped in reducing the vulnerability risks associated with the client’s web application, which helped the client gain confidence to showcase and market their product further to increase their business and revenue.
Tools and Technologies used:
- OWASP ZAP – Used as vulnerability scanner and proxy
- Burp Suite – Used as intercepting proxy
- Web Application Attack and Audit Framework (w3af) – used for scanning
- Ironwasp – Used as vulnerability scanner
- Nmap/Zenmap/Ncat – Used for service and port discovery
- Wireshark – Used for packet capture and analysis
- Sqlmap – Used for detection and exploitation of SQL injection vulnerabilities
- Subgraph Vega – Used as a web application scanner
- Whois – Used for IP and domain lookup
In a nutshell, the Synerzip team is capable of finding vulnerabilities using automated tools and manual procedures to prevent major and minor threats by providing apt remedial measures. Synerzip can also help in managing complete security lifecycle of a product, thus enabling client’s a sigh of relief in terms of a secure business.
The client, in turn, gained:
- Risk Benefits – Post analysis, Synerzip gave solutions to the client to enhance its web application security, thus making it less vulnerable to the outside world.
- Cost Advantage – Synerzip suggested some cost effective measures to the client to have a risk-free web application.
- Client Satisfaction – Vulnerabilities, impacts and potential risks were found with minimum interruption to the client’s system and deliverables.
Stay tuned for our next post on “Top ten most critical web application security risks”.
