In this article, technical experts from our partners AppCheck look at five of the most common IT security vulnerabilities and how to avoid them.
Remote Command/Code Execution (RCE)
We thought we would start with a topical one, given recent discussions around critical vulnerabilities in the SaltStack infrastructure automation software.
Two CVEs were discovered in the popular infrastructure software SaltStack, and attacks are now being seen in the wild. CVE-2020-11651, an authentication bypass vulnerability, may allow minions to run arbitrary commands as root. CVE-2020-11652 is a directory traversal flaw in which input is not sanitised correctly, allowing an attacker to access files.
Using this pair of vulnerabilities, an attacker can achieve full remote command execution (RCE) as root on both the master and its associated minions, which may lead to full system takeover.
RCE is classed as an injection vulnerability, which earns it a top slot in the OWASP Top 10. The aim of this attack is for an attacker to execute commands on the host operating system via a vulnerable application. They can then use this foothold to escalate their privileges and even take full control of your systems.
The easiest way to avoid these vulnerabilities is to keep up to date with your patching and to conduct regular vulnerability scanning.
URL Vulnerabilities
URL vulnerabilities may be simple, but that also means they are simple to discover and exploit, and there are several ways an attacker can abuse a URL.
For example, something as simple as guessing URL paths may turn up a config file containing credentials, a log file with sensitive data about users, or even source-control metadata files (e.g. .git/config) that allow an attacker to download the whole source code.
Other ways a URL can be exploited include: changing parameters, direct object referencing, open redirection, XSS, Server-Side Request Forgery (SSRF), URL parsing flaws leading to authorisation bypasses, path traversal and file uploads. If executed correctly, this final route can allow an attacker to upload a directly executable file, overwrite an existing file’s contents to elevate their access level, or attack another user.
There are a few things you can do to avoid these simple mistakes. Make sure your application deployment process considers them and strips out, or restricts web server access to, these kinds of development/deployment files. Pay close attention to anywhere a user’s input may be used to access the file system. Be careful when making server-side requests with URLs that include user-controlled input, to avoid nasty SSRF vulnerabilities.
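The two checks described above (refusing URL paths that climb out of the web root or touch development files, and allow-listing the destinations of server-side requests) are shown below as an added example. It is not code from the original article or from AppCheck; the web root path, the deny-list entries and the allowed hosts are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed example: the directory the web server is allowed to serve from
# (hypothetical path, not taken from the article).
WEB_ROOT = "/var/www/app/public"

# Development/deployment files that must never be reachable through a URL,
# even if they were accidentally left under the web root.
DENIED_NAMES = {".git", ".svn", ".hg", ".env", ".htpasswd", "web.config"}
DENIED_SUFFIXES = (".bak", ".swp", ".orig", ".old", "~")


def resolve_requested_path(requested):
    """Map a URL path onto a file under WEB_ROOT.

    Returns the filesystem path to serve, or None when the request must be
    refused because it escapes the web root or names a denied file. The path
    is percent-decoded exactly once here; a double-encoded request such as
    %252e is therefore left as a literal '%' name rather than decoded twice.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:            # NUL bytes truncate paths in C-level APIs
        return None
    # Purely lexical normalisation ("a/./b/../c" -> "a/c"). Any ".." that
    # survives normalisation means the path climbs above the root.
    rel = posixpath.normpath(decoded.lstrip("/"))
    if rel == ".." or rel.startswith("../"):
        return None
    for part in rel.split("/"):
        if part in DENIED_NAMES or part.endswith(DENIED_SUFFIXES):
            return None
    return posixpath.join(WEB_ROOT, rel)


def is_safe_outbound_url(url, allowed_hosts):
    """Allow-list check for a URL that a server-side component is about to fetch.

    Only http(s) is accepted, the hostname must match the allow-list exactly,
    and URLs carrying user-info (user@host) are refused because they defeat
    naive "does the URL start with our host?" checks.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname in allowed_hosts


if __name__ == "__main__":
    for path in ("css/site.css", "images/../../../etc/passwd", ".git/config"):
        print(path, "->", resolve_requested_path(path))
    for url in ("https://api.example.com/v1/status", "file:///etc/passwd"):
        print(url, "->", is_safe_outbound_url(url, {"api.example.com"}))
```

The URL check only covers the address as written; a hardened deployment would also resolve the hostname and refuse private or link-local addresses, and would re-check the destination of any HTTP redirect it follows.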
A1: Injection
Injection attacks are the most common types of vulnerabilities found in web applications.
Usually injection attacks are the result of unfiltered user input being included directly in command executions or database queries.
Injection attacks come in many different varieties:
• SQL Injection
• NoSQL Injection
• XPath Injection
• Code Injection
• Command Injection
• LDAP Injection
• Expression Language Injection
The impacts of these vulnerabilities can include theft of database data, takeover of servers and attacks turned against your users.
Injection vulnerabilities are broad, so it is hard to offer a single simple fix. Things you can do to reduce the impact of these attacks include restricting privileges, keeping systems up to date and validating input. It is also worth regularly reviewing your source code and completing regular vulnerability scans (whether manual, automated or both).
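To make the "unfiltered user input included directly in a database query" point concrete, here is an added example (not from the article or from AppCheck) showing the vulnerable string-built query next to its parameterised replacement, with an input-validation allow-list as the second layer the text recommends. The table, the two sample users and the username format are constructed for the example.

```python
import re
import sqlite3


def make_db():
    """Create an in-memory database holding two constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_user_unsafe(conn, username):
    """VULNERABLE: the input is pasted straight into the SQL text, so a value
    containing a quote can close the string literal and append its own SQL."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """FIXED: a parameterised query. The SQL and the value travel separately,
    so the value can never change the structure of the statement."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow-list for usernames (constructed policy: lower-case, digits, underscore).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def is_valid_username(username):
    """Input validation as defence in depth: anything outside the allow-listed
    character set is rejected before it reaches a query or a command."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_user_defended(conn, username):
    """Validation plus parameterisation; returns [] for disallowed input
    without touching the database at all."""
    if not is_valid_username(username):
        return []
    return lookup_user_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("unsafe:", lookup_user_unsafe(db, probe))    # every row comes back
    print("safe:  ", lookup_user_safe(db, probe))      # nothing matches
    print("defend:", lookup_user_defended(db, "alice"))
```

The same principle applies to the other injection classes in the list above: keep the untrusted value out of the "code" channel (use parameter binding, argument arrays rather than shell strings, LDAP or XPath escaping functions) and validate the value against the narrowest format your application actually needs.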
Broken Authentication
Broken authentication is in second place on the OWASP Top Ten list. OWASP describes this vulnerability as follows: “Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.”
Once an attacker has gained credentials to your system, you can imagine the impact. You can avoid these vulnerabilities by implementing multi-factor authentication, avoiding the use of weak credentials (e.g. username: admin, password: admin), limiting failed log-in attempts and implementing weak-password checks. Having robust security policies in place within your business can be a real win here.
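Two of the controls just listed, weak-password checks and limiting failed log-in attempts, are shown together in the following added example. It is not code from the article or from AppCheck; the weak-password deny-list, the lockout thresholds and the in-memory user store are constructed for illustration, and the clock is injectable only so the lockout can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time

# Constructed deny-list of obviously weak passwords; a real deployment would
# check against a large breached-password corpus instead.
WEAK_PASSWORDS = {"admin", "password", "password1", "123456", "letmein", "welcome"}
MIN_PASSWORD_LENGTH = 12
MAX_FAILURES = 5             # failed attempts before the account locks
LOCKOUT_SECONDS = 15 * 60    # how long the lock lasts
PBKDF2_ITERATIONS = 600_000  # deliberately slow password hashing
# Used when the username is unknown, so the hashing cost (and therefore the
# response time) is the same for known and unknown users. Never matches.
_DUMMY_SALT = bytes(16)
_DUMMY_HASH = bytes(32)


def password_is_weak(password, username):
    """Reject admin/admin-style credentials: too short, on the deny-list,
    or containing the username."""
    lowered = password.lower()
    return (len(password) < MIN_PASSWORD_LENGTH
            or lowered in WEAK_PASSWORDS
            or username.lower() in lowered)


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class Authenticator:
    """Minimal credential store with weak-password rejection and a
    failed-login lockout. `clock` defaults to a monotonic clock."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users = {}      # username -> (salt, pbkdf2 hash)
        self._failures = {}   # username -> (failed count, locked-until time)

    def register(self, username, password):
        if password_is_weak(password, username):
            raise ValueError("password rejected by weak-password check")
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'."""
        now = self._clock()
        failures, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"            # refused without even checking the password
        if locked_until and now >= locked_until:
            failures, locked_until = 0, 0.0   # lock has expired; count afresh
        salt, stored = self._users.get(username, (_DUMMY_SALT, _DUMMY_HASH))
        # Constant-time comparison so the verdict does not leak via timing.
        if hmac.compare_digest(_hash_password(password, salt), stored):
            self._failures.pop(username, None)   # success resets the counter
            return "ok"
        failures += 1
        if failures >= MAX_FAILURES:
            locked_until = now + LOCKOUT_SECONDS
        self._failures[username] = (failures, locked_until)
        return "denied"


if __name__ == "__main__":
    auth = Authenticator()
    try:
        auth.register("admin", "admin")
    except ValueError as exc:
        print("register admin/admin:", exc)
    auth.register("alice", "correct horse battery staple")
    print(auth.login("alice", "correct horse battery staple"))
```

Lockouts of this kind should be logged and monitored: a burst of "denied" results across many usernames is the signature of a credential-stuffing or password-spraying attempt, and is exactly the event a security policy should define a response to.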
Cross-Site Scripting (XSS)
Cross-Site Scripting is another very common vulnerability. It is a type of injection attack whereby an attacker is able to inject JavaScript content into an application so that it runs in a user’s browser. It is often thought of as an attack against the users of an application rather than the application itself, but some more complex XSS attacks target the administration and backend systems of an application (second-order attacks).
XSS attacks can result in:
• Capturing user input such as passwords via a key-logger
• Sending cookies, tokens and other cached data to a third party
• Performing network requests and system operations that the user hasn’t requested
• Forcing downloads of files to the end user’s PC
The best approach to protecting your website against XSS and related vulnerabilities is to ensure that all input data is treated as raw data/text, so that it can never be interpreted as code and context-jump into an executable command. In practice this means performing some combination of:
• Sanitisation of any data received from an external context or user; and
• Encoding of any data output to another component
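The "encoding of any data output to another component" step depends on which component the data lands in: the same string needs different treatment in an HTML body, a URL parameter and an inline script. The following added example (not code from the article or from AppCheck) shows one encoder per context and a constructed page fragment that applies each in the right place.

```python
import html
import json
from urllib.parse import quote


def encode_for_html(text):
    """HTML body and quoted-attribute context: <, >, &, " and ' become
    entities, so the text can neither open a tag nor close an attribute."""
    return html.escape(text, quote=True)


def encode_for_url_param(text):
    """Query-string context: percent-encode everything but unreserved chars."""
    return quote(text, safe="")


def encode_for_js_string(text):
    """Inline <script> context: emit a JSON string literal, then also escape
    <, > and & so the sequence </script> can never appear inside it."""
    return (json.dumps(text)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_profile(display_name, search_term):
    """Render a profile fragment (constructed template, not from any framework)
    with each untrusted value encoded for the exact context it lands in."""
    return (
        "<h1>Hello, " + encode_for_html(display_name) + "</h1>\n"
        '<a href="/search?q=' + encode_for_url_param(search_term) + '">your last search</a>\n'
        '<input value="' + encode_for_html(search_term) + '">\n'
        "<script>var lastSearch = " + encode_for_js_string(search_term) + ";</script>\n"
    )


if __name__ == "__main__":
    # Constructed hostile inputs of the kind a scanner would submit.
    print(render_profile("<script>alert(1)</script>", '"><script>alert(1)</script>'))
```

Sanitisation (stripping or rejecting input) belongs at the point data enters the application; output encoding belongs at the point it leaves, and it must happen at every exit, since one forgotten template is enough for a scanner, or an attacker, to find.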
Detect these vulnerabilities with an automated tool
We have partnered with AppCheck, who offer a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, networks and infrastructure.
The AppCheck scanner detects SQLi, XSS, RCE and zero-day vulnerabilities plus 100,000+ known vulnerabilities, and allows you to centrally manage vulnerabilities with easy-to-use, customisable dashboards. You can schedule automated scans for out-of-hours scanning and full visibility with back-to-back scans. Best of all, it is developed and maintained by leading security experts.
Free vulnerability assessment
If you would like a free vulnerability assessment of your critical assets, you can take a no-obligation complimentary automated penetration test and let our internal consultants provide you with a thorough CVSS security report detailing our findings and recommended remediation. Our goal is to uncover all High, Medium and Low risk vulnerabilities, including the OWASP Top 10.
Just get in touch and we’ll arrange your free scan.