The Worst Web App Vulnerabilities Are Right Around the Corner 

Cyberattacks have only grown in strength and frequency over the last few years. It’s projected that, by 2025, the annual profits boasted by cybercriminals will surpass those of even the global drug trade. A large component of this constant increase is the growing complexity of our tech landscape. 

For instance, top web app vulnerabilities continue to see slight adaptations that evade and negate endlessly overworked security teams. Easing this burden requires a solid foundation of security protocols throughout all industries. Below, we explain what a WAF is and how similar systems can help defend against an evolving threat.

Year of the Superbreach

2020 saw large-scale shifts throughout the digital landscape. Across work and leisure, the attack surface faced by organizations and individuals alike swelled to never-before-seen proportions. Thanks in part to the shift toward cloud-based, remote and hybrid working patterns, the sudden shattering of the traditional security perimeter laid the foundations for one of cybercrime’s most profitable years on record. The 15% annual growth rate of the illicit cybercrime market has far outperformed most major Western economies, with an expected profit of $10.5 trillion by 2025. 

The higher profit boasted by attackers is matched by a key indicator of their success: data breaches. In 2021, researchers analyzed over 800 breaches, identifying over 4.6 billion pieces of personally identifiable information and 1.5 billion stolen credentials. Breaches are evolving with increasing ferocity, as cloud and hybrid databases are plundered for increasingly valuable intel and credentials. 

It’s not just the quantity of breaches that is growing: the very architecture of a data breach has also shifted significantly throughout the last few years. The overlap between personal and corporate data involved in each breach has never been stronger, as 77% of remote employees have consistently been relying on non-organizational, individual devices. The ‘Bring Your Own Device’ nature of remote work has paved the way for the modern breach’s shotgun-style blast radius. As personal devices are used to log on to corporate networks, the data of the individual can be just as exposed as the organization’s databases in the event of a breach. 

Cementing the sheer recurrence of breaches is the rise of ‘superbreach’ incidents. Countless sites such as Cit0Day offered private services for cybercriminals, providing access to a wide collection of hacked databases and leaked credentials. For a monthly sum, subscribers were granted access to this trove. 

In November, however, Cit0Day’s tens of thousands of cracked databases were stolen and leaked for free across multiple hacking forums. Packaging older leaks into a single superbreach means that even old, leaked credentials can be brought back with a vengeance. It also becomes nigh impossible to trace where these credentials were originally stolen from.

With breaches on the rise, it’s vital that organizations protect both employees and customers by recognizing the most prolific web app vulnerabilities. 

2023’s Top Vulnerabilities

While OWASP’s Top 10 presents the most in-depth guide to the worst security flaws throughout the industry, there are five recurring weaknesses that continuously trip up unsuspecting web app developers. 

#1. SQL Injection

SQL is the language an application uses to query a backend database. It – and similar syntax – forms the foundation of today’s hyper-agile, interconnected world. However, attackers are always looking for a way into such databases; SQL injection sees an attacker smuggle their own SQL statements into the application’s queries via untrusted input, so that the database executes attacker-chosen commands, turning the server itself into a backdoor into deeper internal systems.

#2. Cross-Site Scripting

Cross-site scripting (XSS) sees an attacker use legitimate websites as a way into the end-user’s device. Here, an attacker embeds a malicious script in a URL that – when the application reflects it into a page and the browser processes it – executes without the user’s knowledge. This malicious URL can point the end-user’s device toward an attacker-controlled server bristling with malware, including ransomware and keyloggers.

#3. Path Traversal

Application development is often rapid, with time to market pushed to the shortest possible length. Attackers are always willing to make use of any oversight within complex apps, and one of the most common oversights leads to path traversal.

While an app can legitimately need to load local resources, any user-input field that ends up in a file path gives an attacker the chance to manipulate the file-referencing variable. This can look like opportunistic “dot-dot-slash (../)” sequences or absolute file paths, and allows an attacker to access arbitrary files and directories, including application source code. Even error messages can help an attacker guess precisely where critical data is stored. 
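As an added example (not from the article), the resolver below shows the check a defender would put in front of any file-serving code: it decodes the requested path, rejects absolute paths, normalizes away “../” segments and then confirms the result is still under the document root. The document root, file names and sample requests are constructed for the demo.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_under_root(root, requested):
    """Return an absolute path for `requested` only if it stays inside `root`.
    Raises ValueError for absolute paths and for any path that escapes the
    root once normalized (the dot-dot-slash case described above)."""
    root = os.path.realpath(root)
    # Decode before validating, so "%2F" or "%2E" cannot slip past the checks.
    requested = unquote(requested)
    if os.path.isabs(requested):
        raise ValueError("absolute paths are not allowed")
    # realpath collapses "../" and "./" segments and resolves symlinks.
    candidate = os.path.realpath(os.path.join(root, requested))
    # The normalized candidate must still sit underneath the document root.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the document root")
    return candidate


def check_request(root, requested):
    """Classify one user-supplied path as 'allowed' or 'blocked'."""
    try:
        resolve_under_root(root, requested)
        return "allowed"
    except ValueError:
        return "blocked"


def classify_samples():
    # Constructed document root holding one public file (not from the article).
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "static"))
    with open(os.path.join(root, "static", "index.html"), "w") as fh:
        fh.write("<h1>hello</h1>\n")
    samples = [
        "static/index.html",                  # ordinary request
        "static/../static/index.html",        # ".." that stays inside root
        "../../app/settings.py",              # dot-dot-slash escape
        "/etc/hostname",                      # absolute path
        "static/..%2F..%2Fapp/settings.py",   # URL-encoded slash variant
    ]
    return {s: check_request(root, s) for s in samples}
```

Note that the check is done on the normalized path, not by searching the raw string for “../”: a naive substring filter would pass the encoded variant and reject the harmless second sample.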

#4. Broken Authentication

A broader term that covers several distinct vulnerabilities, broken authentication remains one of the most severe concerns this year. It allows an attacker to impersonate the app’s legitimate users – often giving them complete free rein over an app’s innards. Broken authentication manifests as a severe weakness within an app’s credential or session management.

Session IDs are how web applications distinguish between each individual user and visit, and they form the basis for how an app communicates with that individual. If not securely configured, session IDs such as cookies can be stolen, allowing an attacker to hijack the vulnerable session. This is as serious as full-blown credential theft.

#5. Security Misconfigurations

On the surface, patching your way out of flaws, outdated software and misconfigurations appears an obvious solution. However, security teams are drastically overwhelmed and overworked. Partly thanks to the complexity of modern enterprise tech stacks – and partly due to the continuous, agile nature of today’s development cycles – security struggles to implement every patch rapidly. This further feeds into the previous four issues, as once a patch goes public attackers are effectively notified of an exploitable flaw. 

Keeping Web Apps Secure Pre-Patch

Traditional patching is broken. Certain security tools can still help fend off exploitation attempts even before a patch is installed, however. A key example is the Web Application Firewall (WAF). This tool sits between an app and the public-facing internet, and operates on either a positive or a negative security model. The first filters traffic against a list of permitted actions and behaviors; anything outside that list is blocked, which helps eradicate instances of XSS and SQL injection. The other version, operating on a negative security model, specifies the activities that are to be blocked. It offers similar protection with less impact on genuine users, but requires slightly more maintenance. 
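The two models, and the trade-off the paragraph describes, can be seen side by side in this added example (not the article’s or any vendor’s code): a positive model with an assumed allow list of routes, a negative model with a small block list of signatures, and a constructed set of decoded requests run through both.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    path: str
    query: str   # assumed already URL-decoded


# Positive model: explicit allow list of routes plus a conservative pattern for
# query strings. Anything not matching is blocked, including legitimate traffic
# the list does not yet know about.
ALLOWED_ROUTES = {("GET", "/"), ("GET", "/products"), ("POST", "/login")}
SAFE_QUERY = re.compile(r"^[A-Za-z0-9_=&-]*$")


def positive_model(req):
    if (req.method, req.path) not in ALLOWED_ROUTES:
        return "block"
    if not SAFE_QUERY.match(req.query):
        return "block"
    return "allow"


# Negative model: block list of known-bad signatures. Unknown traffic passes,
# so the list must be maintained as new attack patterns appear.
BLOCK_PATTERNS = [
    re.compile(r"(?i)<script"),                 # script tag marker (XSS)
    re.compile(r"(?i)'\s*or\s*'1'\s*=\s*'1"),   # tautology probe (SQLi)
    re.compile(r"\.\./"),                       # dot-dot-slash (traversal)
]


def negative_model(req):
    target = req.path + "?" + req.query
    return "block" if any(p.search(target) for p in BLOCK_PATTERNS) else "allow"


def evaluate(requests):
    """Return (path, positive verdict, negative verdict) for each request."""
    return [(r.path, positive_model(r), negative_model(r)) for r in requests]


SAMPLE = [   # constructed requests, not captured traffic
    Request("GET", "/products", "id=42"),
    Request("GET", "/products", "id=42' OR '1'='1"),
    Request("GET", "/search", "q=<script>alert(1)</script>"),
    Request("GET", "/download", "file=../../app/settings.py"),
    Request("GET", "/newfeature", "page=2"),   # genuine but not yet listed
]
```

The last sample is the trade-off in miniature: the positive model blocks a legitimate new endpoint until someone updates the allow list, while the negative model passes it but would equally pass any attack its signatures do not cover.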

Regardless of the model, a WAF can significantly reduce the chance of opportunistic attackers harming employees or customers, while helping an organization develop their security stance into the future. 
