The world of IT security can confuse all the different vulnerabilities, exploits and newly emerging trends. In this article, we summarise and shortly explain the top 6 most important web vulnerabilities that managers need to be aware of and tackle constantly.
Within the last few years, we saw a shift in the attention of IT security matters. Especially since major security breaches like Wannacry or NotPetya in 2017, managers are more aware of their IT landscape and the measures that need to be taken to secure a website. However, many managers and employees still lack a sufficient level of IT security knowledge. Even though being avoidable, employees are still the biggest source of security breaches all over the world.
As it usually is not your job to fix the vulnerabilities, we don’t just want to give you a list of critical vulnerabilities (…you can google that) — we want you to understand the impact web vulnerabilities can have on your business (even if you’re not a tech person). According to the Common Vulnerability Scoring System (CVSS), we will also rate each vulnerability based on the probability that the vulnerability is exploited and its impact on the application (meaning how much the hacker can do) the overall risk of exploitation. Plus, we will give you a link to our knowledge base, where you can get further technical information on each vulnerability. So let’s get straight to it!
An SQL Injection is a way for attackers to inject code instead of text into an input field on a website to access the back-end database. This can be the log-in field, giving the hacker access to your client base or another field where the customer enters confidential data. That way, the hacker can access data (such as passwords or usernames) and modify or delete it. This means both your customer and business data aren’t saved anymore. Being so easy to exploit, it is an extremely critical breach commonly used by the hacker.
Through an SQL Injection, hackers could, for example, steal credit card information from an online shop, which can then be shared with everybody. As a result, users lose trust in your company, which can harm your business since this would lead to fewer users on your application.
SQL Injections can be prevented by masking all forms on a website and validating any input that users can enter on a web application. To find out more about SQL Injections and how to fix them, have a look at our wiki or check out the topic in our webinar series.
A Command Injection is an attack where the hacker executes arbitrary commands on the host operating system. Using this technique, hackers can do virtually anything on a website to take over the entire web. As you can imagine, this can have a catastrophic impact on your business since it makes your whole web presence vulnerable to attacks.
Hackers can exploit a website through command injections if their input is not filtered and leads directly to parts of the system that allow major changes (e.g. exec() or system()). Here you can check on how to mitigate and fix command injection attacks.
A file inclusion allows the attacker to include arbitrary files into a web application, enabling the attacker to expose sensitive files. In an extreme form, the attacker may execute malicious code on the webserver and take over the entire system. Again, taking over your entire system can impact every part of your application and drastically reduce your customer trust.
Like other critical vulnerabilities to prevent a file inclusion, any input must be thoroughly checked and validated. For more information on File Inclusion attacks, you can check out the corresponding article.
Cross-Site Scripting (XSS)
Cross-Site scripting is the injection of malicious scripts into a web application by a user. These scripts are executed in the browser and allow the hacker to steal user sessions and monitor or alter other users’ actions. As a result, customer data can be stolen, and users will feel uncomfortable using your application.
This security breach is possible if user code is not sufficiently validated and encoded, so similar to injection attacks, this can be prevented through validation and supervision of any user input. How this is technically executed can be seen in our wiki.
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery allows hackers to execute any action in the context of another user. This is because the application does not verify whether the action is supposed to be executed by that specific user and therefore executes it. An attacker could use this to force users to do something they didn’t intend to (e.g. signup for a subscription, buy something etc.). So if your application is vulnerable to CSRF, any user action can be altered. This results in user confusion, mistrust and (if publicly known) an immense deterioration of your company’s reputation.
Basically, this happens through people opening phishing emails and websites that include malicious code. When a user opens such a website without even doing anything else, the CSRF sends an HTTP request. The hacker can access, modify, or even delete customer or business data. If you’re interested, you can see how the risk of a CSRF attack can be mitigated in our wiki.
Insufficient Transport Layer Protection (SSL)
Many websites use SSL/TLS protection for the Login of users. Still, if website hosts don’t cover their entire application with these keys to encrypt and protect the traffic on that application, data can be intercepted from that web application. Your business data in the wrong hands can slow down or even stop your operations, and your customer data publicly shared or sold has an incredible impact on your company’s public reflection and success in the long run.
Again, the magic rule to security is validating any user input that touches the application’s surface.
As the security assessment for this vulnerability can have different implications depending on what has been configured, there is no one solution for all cases. Still, you can look up the variations of cryptography in our knowledge base.
..so, where do I begin with IT security?
We have shown you some vulnerabilities that we think are crucial to cover for every web application. As you might not be the one fixing these vulnerabilities, what can YOU do?
Luckily, many vulnerabilities can be easily avoided. For an overall better security status, we recommend you to do the following:
- Educate every employee on basic security practices (e.g. phishing avoidance)! An effective tool for this is IT Seal, which can help you raise security awareness.
- Don’t simply trust, but validate every input!
- Implement continuous security and be safe at any given time!
For more security best practices, you can also have a look at our White Paper!
You don’t have the knowledge or resources to prevent security breaches at all times? Then we have good news for you: You don’t need to!
Implementing automated security doesn’t only give you the certainty of being secure at all times, but it also saves you a lot of money. Regular penetration tests take much more time and money than running an automated security test over a website every week.
The Crashtest Security Suite offers a fully automated security scanner that will point out the vulnerabilities found on your web application as well as information on how to remediate these. An additional dashboard will give you the current security status in a single view so that you don’t have to dive into the technical topics. You can start using automated security with a free 14-day trial on the Crashtest Security Suite.