Vulnerabilities in web applications can occur in several areas including DBA tools (e.g., phpMyAdmin), SaaS applications, and content management systems, such as WordPress. With web apps being an integral part of business processes, insecure web applications make an easy target, potentially resulting in damaged client relations, rescinded licenses, or even legal actions.
Based on Imperva’s experience, the nine vectors listed below are commonly used by competitors and bad actors to steal data or disrupt web applications.
- Web Scraping – Automated collection of website data has legitimate uses, including market research and page indexing by search engines. But there is a grey area in which illicit scrapers deploy bots to harvest your site's content at scale (product catalogues, prices, articles, user profiles), not by breaking into the database but by requesting pages as a browser would and extracting the data from them. In a competitive business category, bot operators can then duplicate your content elsewhere under their own name. E-commerce sites are especially exposed: it is not uncommon for a scraper to monitor your prices continuously and run a site that always undercuts them.
- Backdoor Attack – A backdoor is any mechanism, usually delivered as malware, that bypasses normal login authentication to give an attacker access to a system. Many organizations offer employees and partners remote access to application resources, including file servers and databases, and a backdoor planted on such a system lets the attacker run commands on it, keep their malware updated, and return at will. The attacker's files are usually heavily obfuscated, making detection difficult. WannaCry, Petya, Locky and other ransomware families that emerged after 2010 took over hundreds of thousands of computers around the world. Most of them demanded a ransom in exchange for recovering the victim's data, but some went further and also left backdoor access into the affected companies' systems.
- SQL Injection (SQLI) – SQL injection occurs when an application builds a database query by concatenating untrusted input into the SQL text, so that the input is interpreted as SQL rather than as data. An attacker uses it to read data your organization never intended to make public, such as internal company records, user databases, or customer information. Depending on the privileges of the database account the application runs under, they may also modify or delete data, or grant themselves admin rights. Examples reported in 2017 include WordPress, Hetzner South Africa and GoDaddy. Equifax is often listed alongside them, and that breach alone exposed around 145 million records, but it was exploited through an unpatched Apache Struts remote code execution flaw rather than SQL injection.
- Cross-Site Scripting (XSS) – Cross-site scripting is a common vector in which an attacker injects script into pages that a vulnerable web application serves to other users, so that the script runs in their browsers with your application's origin and privileges. Unlike SQLI, its immediate target isn't your web application's data store. Rather, it targets its users: the script can read their session, act on their behalf, or deface what they see, harming your clients and the reputation of your organization.
- Reflected XSS – Reflected XSS (a.k.a. non-persistent XSS) delivers the malicious script in the request itself, typically in a URL parameter, which the vulnerable application echoes back into its response without escaping it. The attack is initiated via a link the victim is enticed to follow; the request goes to a vulnerable website, possibly yours, and the response carries the attacker's script into the visitor's browser, where it executes as if it were part of your page.
- Cross-Site Request Forgery (CSRF) – Also known as XSRF, Sea Surf, or session riding, cross-site request forgery tricks the user's browser, which is logged into your application, into submitting a request the user never intended, for example from a form on an attacker's page that auto-submits to your site. Because the browser attaches the session cookie automatically, your application sees an authenticated request and performs the action: transferring funds, changing a password or e-mail address, or altering business data. CSRF generally cannot read the response or steal session cookies, since the same-origin policy keeps the attacker's page from seeing your site's replies; its damage comes from the state changes it triggers.
- Man in the Middle Attack (MITM) – A man in the middle attack occurs when a bad actor positions themselves between your application and an unsuspecting user (on a hostile Wi-Fi network, say, or through DNS or ARP spoofing) and relays traffic in both directions. MITM can be used for eavesdropping or for impersonating either party; in the latter case nothing appears amiss to the user. Meanwhile, account credentials, credit card numbers, and other personal information can easily be harvested by the attacker. Traffic that is not protected end to end by TLS, or where the client does not validate the server's certificate, is the easy target.
- Phishing Attack – Phishing continues to be a favorite of social engineering practitioners. Like MITM, it is set up to steal user data such as credit card and login information. The perpetrator, posing as a trustworthy entity, fools the victim into opening an email, text message, or instant message and then entices them to click a link that hides a payload. Such an action can cause malware to be surreptitiously installed, ransomware to lock the user's PC, or sensitive data to be handed over on a look-alike login page. One of the best-known examples is the 2013 Target data breach, which exposed more than 40 million payment cards over the holiday season. The attack needed only the credentials of a third-party contractor responsible for Target's HVAC systems: to perform remote maintenance on air conditioners the contractor had access to Target's contractor network, and once its account was compromised the perpetrators had that access too.
- Remote File Inclusion (RFI) – Remote file inclusion exploits web applications that build the path of a script to include or execute from user-supplied input (the classic case is a PHP page that passes a request parameter to include()). By pointing that parameter at a URL they control, the attacker makes the server fetch and execute their own script, typically a web shell, and uses it to take over the system.
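To make the SQL injection item above concrete, here is an added example (not code from Imperva or from any of the breached products named) that runs an authentication bypass and a UNION-based data dump against an in-memory SQLite database built from constructed sample rows, then shows the same two queries with bound parameters. Table names, users and passwords are all made up for the demo.

```python
import sqlite3


def make_db():
    """Build an in-memory SQLite database with constructed sample data.

    Passwords are stored in plaintext only to keep the demo short; a real
    application would store salted hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("widget", 9.99), ("gadget", 19.99)],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check that splices user input straight into the SQL text.

    A username such as  alice' --  closes the string literal and comments out
    the password clause, so the query matches alice whatever the password.
    """
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Same check with bound parameters: the driver sends the values apart
    from the query text, so input can never change the query's structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def search_vulnerable(conn, term):
    """Product search built by string formatting. A UNION payload in `term`
    appends rows from any other table (here, users) to the result set."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Parameterized search: the wildcards are added to the bound value, not
    to the SQL text, so the payload is merely a pattern that matches nothing."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# Constructed attacker input: closes the LIKE literal, appends a second SELECT
# with the same column count, and comments out the rest of the original query.
UNION_PAYLOAD = "' UNION SELECT username, password FROM users --"

if __name__ == "__main__":
    conn = make_db()
    print("bypass, vulnerable:", login_vulnerable(conn, "alice' --", "wrong"))
    print("bypass, safe:      ", login_safe(conn, "alice' --", "wrong"))
    print("dump, vulnerable:  ", search_vulnerable(conn, UNION_PAYLOAD))
    print("dump, safe:        ", search_safe(conn, UNION_PAYLOAD))
```

Parameterization is the fix, not input filtering: the safe variants accept exactly the same strings and simply treat them as values. Running the application under a database account that can only read the tables it needs limits what a remaining injection can do.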
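The reflected XSS and CSRF items above describe two user-facing vectors that share a fix pattern: treat request data as data. The following added example (my own code, not Imperva's, and not a real framework) simulates a search page that reflects a query parameter with and without HTML escaping, and a funds-transfer handler that is driven by a forged cross-site POST with and without a session-bound CSRF token. The session store, balances, cookie names and request dictionaries are all constructed for the demo; the `CSRF_KEY` is a hypothetical server-side secret.

```python
import hashlib
import hmac
import html
import secrets
from urllib.parse import parse_qs

# Hypothetical server-side key for minting CSRF tokens. Generated per process
# here; a real deployment would load it from configuration.
CSRF_KEY = secrets.token_bytes(32)

# Constructed session store: session cookie value -> logged-in user.
SESSIONS = {"sess-1234": "alice"}


def search_page_vulnerable(query_string):
    """Reflect the `q` parameter straight into the HTML response (reflected XSS)."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<h1>Results for {q}</h1>"


def search_page_safe(query_string):
    """Reflect `q` after HTML-escaping it, so markup in the input renders as text.

    html.escape is right for text content and quoted attribute values; a value
    placed inside a <script> block or a URL needs encoding for that context instead.
    """
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<h1>Results for {html.escape(q)}</h1>"


def csrf_token(session_id):
    """Token bound to the session; only pages served by this site ever carry it."""
    return hmac.new(CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _do_transfer(user, form, balances):
    amount = int(form["amount"])
    if balances.get(user, 0) < amount or form["to"] not in balances:
        return 400, "rejected"
    balances[user] -= amount
    balances[form["to"]] += amount
    return 200, f"moved {amount} from {user} to {form['to']}"


def transfer_vulnerable(request, balances):
    """POST handler that trusts the session cookie alone.

    The browser attaches that cookie to a form submission from any origin, so a
    page on an attacker's site can make a logged-in victim's browser perform the
    transfer without the victim noticing.
    """
    user = SESSIONS.get(request["cookies"].get("session"))
    if user is None:
        return 401, "not logged in"
    return _do_transfer(user, request["form"], balances)


def transfer_safe(request, balances):
    """Same handler, but the form must also carry the session's CSRF token.

    The attacker's page cannot read the token (the same-origin policy keeps it
    from seeing this site's responses), so a forged request is rejected.
    """
    session_id = request["cookies"].get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, "not logged in"
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(csrf_token(session_id).encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    return _do_transfer(user, request["form"], balances)


# Constructed requests. The forged one is what an attacker's auto-submitting
# form produces: the victim's cookie is present, the CSRF token is not.
FORGED_REQUEST = {"cookies": {"session": "sess-1234"},
                  "form": {"to": "mallory", "amount": "50"}}
LEGIT_REQUEST = {"cookies": {"session": "sess-1234"},
                 "form": {"to": "mallory", "amount": "50",
                          "csrf_token": csrf_token("sess-1234")}}

if __name__ == "__main__":
    xss = "q=%3Cscript%3Ealert(document.cookie)%3C/script%3E"
    print(search_page_vulnerable(xss))
    print(search_page_safe(xss))
    for handler in (transfer_vulnerable, transfer_safe):
        balances = {"alice": 100, "mallory": 0}
        print(handler.__name__, handler(FORGED_REQUEST, balances), balances)
```

Marking the session cookie `SameSite=Lax` or `Strict` stops the browser from attaching it to most cross-site form posts and is a worthwhile second layer, but the token check is what makes the handler's own behaviour correct.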