Web Application Security

Web applications are often compromised by basic attacks that require only a small number of steps, or few additional actions after the initial compromise. Attackers are typically focused on gaining access to web application data or email data. In other cases they deface the web application or repurpose it for further malicious activities, such as DDoS attacks or malware distribution. According to Verizon’s 2021 Data Breach Investigations Report (DBIR), most such attacks in the previous year were financially motivated [1]. Two main threats to web applications are highlighted in this article.

Use of Stolen Credentials and Brute Force

As Verizon’s DBIR highlights, attackers very often make use of stolen credentials or try to brute-force their way into web applications, frequently targeting corporate mail servers. As a consequence, a compromised mail server may lead to spear-phishing attacks, leakage of confidential corporate information, or worse.

In order to defend web applications against these kinds of attacks, the implementation of Multi-Factor Authentication (MFA) is key. In enterprise environments, MFA should be combined with IP allow lists. If MFA cannot be implemented for a web application, other measures, such as CAPTCHAs or IP block lists, should be implemented to provide a reasonable degree of protection. We recommend following OWASP’s cheat sheet [2] when securing your web application.
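As an added example (not part of the original article or any vendor tooling), the following script shows how the two patterns described above can be told apart in a web application's login log, and how an IP allow list changes the response: sources outside the assumed corporate range (10.0.0.0/8, a constructed value) are candidates for the block list, while sources inside it only raise an alert. The thresholds, the window and the sample events are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed corporate range (constructed): logins from here are alerted on, never auto-blocked.
ALLOW_LIST = [ipaddress.ip_network("10.0.0.0/8")]
WINDOW = 60                 # seconds of history kept per source and per account
MAX_FAILS_PER_ACCOUNT = 5   # brute force: many failures against one account
MAX_ACCOUNTS_PER_IP = 4     # credential stuffing: one source trying many accounts

# Constructed sample login events: (seconds, source IP, username, success)
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "alice", False), (5, "203.0.113.7", "bob", False),
    (9, "203.0.113.7", "carol", False), (12, "203.0.113.7", "dave", False),
    (15, "203.0.113.7", "erin", True),   # a stolen credential that works
    (30, "198.51.100.9", "alice", False), (31, "198.51.100.9", "alice", False),
    (33, "198.51.100.9", "alice", False), (34, "198.51.100.9", "alice", False),
    (36, "198.51.100.9", "alice", False),
    (40, "10.0.0.5", "bob", False), (41, "10.0.0.5", "bob", True),  # ordinary typo
]

def in_allow_list(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOW_LIST)

def analyse(events, window=WINDOW):
    """Return {(kind, source_ip, account): action}; account is "*" for stuffing."""
    fails_by_account = defaultdict(list)   # user -> [timestamps of failures]
    fails_by_ip = defaultdict(list)        # ip   -> [(timestamp, user)]
    findings = {}
    for ts, ip, user, ok in sorted(events):
        if ok:
            continue
        # Drop entries older than the window, then record the current failure.
        fails_by_account[user] = [t for t in fails_by_account[user] if ts - t <= window] + [ts]
        fails_by_ip[ip] = [(t, u) for t, u in fails_by_ip[ip] if ts - t <= window] + [(ts, user)]
        action = "alert" if in_allow_list(ip) else "block"
        if len(fails_by_account[user]) >= MAX_FAILS_PER_ACCOUNT:
            findings[("brute_force", ip, user)] = action
        if len({u for _, u in fails_by_ip[ip]}) >= MAX_ACCOUNTS_PER_IP:
            findings[("credential_stuffing", ip, "*")] = action
    return findings

if __name__ == "__main__":
    for (kind, ip, account), action in analyse(SAMPLE_EVENTS).items():
        print(f"{action}: {kind} from {ip} (account {account})")
```

The account-level counter deliberately spans sources, so an account hammered from several IPs still trips the brute-force threshold; in production the thresholds would be tuned against the application's real traffic.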

Exploitation of Vulnerabilities

Vulnerabilities in web applications are often exploited by attackers to deface the web application, which may cause reputational damage to an organization. Exploitation also takes place to install malware for further DDoS attacks, or to distribute malware in the name of an organization.

To harden web applications and improve security, it is essential to scan each application for known vulnerabilities on a regular basis. This encompasses all components used, including third-party libraries. In addition to these vulnerability scans, a penetration test should be executed during the development of a web application and after major changes.

Recommendation

Check if your organization has hardened all web applications:

  • Are vulnerability scans executed to scan web applications on a regular basis?
  • Are penetration tests executed during development of web applications?
  • Are technical measures in place to detect attacks on web applications?

Need help mitigating the risk for the web applications of your organization? Contact us for more information.

Sources