
Three common vulnerabilities in web applications may be solved with one simple solution.

benjaminhills



Introduction to Common Web Application Vulnerabilities

In today's digital landscape, web applications play a vital role in our everyday lives, handling everything from online banking and shopping to communication and entertainment. However, these applications are not without their security vulnerabilities, and savvy attackers constantly seek to exploit these weaknesses for nefarious purposes. Fortunately, many of these vulnerabilities can be mitigated by employing simple yet effective security measures.


This article will delve into three common web application vulnerabilities that the IT security professionals at Spartans Security frequently encounter:


  • Clickjacking

  • Cross-Site Request Forgery (CSRF) and

  • Cross-Origin Resource Sharing (CORS) Misconfiguration

We will break down these vulnerabilities, explain their potential consequences, and explore straightforward solutions that can significantly enhance web application security.


Clickjacking

In a clickjacking attack, the attacker overlays invisible or disguised elements on top of legitimate web content or buttons. When the user interacts with what they see on the screen, they are actually interacting with the hidden elements, unknowingly performing actions without their consent, for example:


Sarah, always seeking the latest tech at the lowest price, stumbled upon a Facebook ad for an unbelievable deal on the newest iPhone. It was almost half the standard price! The deal even promised overnight shipping. Without hesitation, she clicked on the link.


The link took her to a site that looked remarkably similar to a reputable online electronics store. The iPhone, in the model and colour she wanted, was front and centre. But behind this legitimate-looking facade was the work of a hacker named Mike.


Mike had noticed a vulnerability in a common bank web application: not only did the transfer page accept its parameters via the HTTP GET method, but it was also vulnerable to clickjacking. In fact, the online electronics store webpage had been created by Mike, and a copy of the bank's transfer URL was loaded in a frame behind the colourful deals, hidden entirely by the iframe's CSS opacity setting.


The moment Sarah clicked the tempting “Buy Now” button, she was in fact clicking through that button onto the “Confirm Transfer” button of the bank’s web application underneath it.

As Mike had prefilled this URL with his own bank account details and a sizeable transfer amount, and Sarah was still logged into her bank account from earlier in her browsing session, the transaction succeeded.


A few hours later, still excited about her incredible deal, Sarah checked her bank account. To her dismay, she found a significant chunk of her savings missing.  It was only then she began to realise the iPhone deal wasn't real. This story illustrates the dangers of clickjacking attacks specifically designed to capitalise on impulse decisions and too-good-to-be-true offers.


Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) attacks occur when an attacker tricks a user into performing actions on a website they are logged into, for example:


Maya, an avid cat lover, regularly browses the "Purrfect Pals" website to adopt rescued felines. One day, she receives an email from "Purrfect Pals" with the subject line "Meet your purrfect match!" Eager to find her furry friend, Maya clicks the link in the email.


The link takes her to a seemingly legitimate "Purrfect Pals" page showcasing a fluffy kitten named Mittens. However, this page is cleverly crafted by a hacker named Alex. Unbeknownst to Maya, the page contains a hidden script that automatically submits a request to the real "Purrfect Pals" website.



Since Maya is already logged into "Purrfect Pals" in her browser, her cookies containing her login information are automatically sent with the request. This hidden script, disguised as a harmless image, triggers a form on the real "Purrfect Pals" website, pre-filled with Maya's information and requesting to change her email address to one controlled by Alex.


Unaware of the manipulation, Maya refreshes the page to see more information about Mittens, inadvertently submitting the form and allowing Alex to take control of her "Purrfect Pals" account. This could allow Alex to:

  • Change Maya's password and lock her out of her account.

  • Adopt cats in Maya's name, potentially directing them to Alex.

  • Access and potentially misuse Maya's personal information associated with the account.

This story highlights how attackers can exploit CSRF vulnerabilities to gain unauthorised access to user accounts and perform actions on their behalf, emphasising the importance of website security measures and user awareness to stay protected online.


Cross Origin Resource Sharing (CORS)

Cross Origin Resource Sharing (CORS) is a facility whereby web applications can inform web browsers whether to trust resources from domains other than the web application itself. Misconfigured CORS can lead to web applications trusting malicious resources, for example:


Jim, a software developer, maintained a popular blog where he shared coding tutorials and tips. To boost engagement, he often included interactive code examples using a simple JavaScript library hosted on a public content delivery network (CDN).


One evening, Jim received an email from a reader named "Elizabeth." Elizabeth praised Jim's work and suggested integrating a new, cutting-edge code animation library she stumbled upon online. The email included a link to the library's website and a code snippet demonstrating its impressive effects.


Always eager to improve his blog, Jim decided to try the library. He copied the provided code snippet and added it to his blog's script section. The library's animations did look impressive, and he was excited to share them with his readers.


However, Elizabeth was not a genuine reader but rather a malicious hacker. The library she suggested was a cleverly disguised trap. The code snippet Jim added to his blog was designed to collect information from visitors to his website. Here's how the malicious library worked:


  • Jim's blog, trusting the code snippet that came from a different source, unknowingly granted the ability to execute scripts from that source.

  • The seemingly harmless animation library, when run on Jim's blog, contained an invisible form that submitted data every time someone visited a blog post.

  • This data, unbeknownst to Jim, included his readers' cookies. Some of those readers were logged into other sensitive websites like banks and online stores.


Now, whenever a reader visited Jim's blog, the malicious library collected their cookies and relayed them to Elizabeth.  With these cookies in hand, Elizabeth could:

  • Impersonate Jim's readers on other websites, potentially accessing their personal information, financial accounts, or making purchases in their name.

  • Launch targeted phishing attacks against his readers, knowing what other websites they frequented.

  • Damage the reputation of Jim's blog by compromising the security of his audience.

Jim only discovered the breach weeks later when he started receiving concerned queries from his readers about fraudulent activities on their accounts.


The Solution

The vulnerabilities explored in this article, Clickjacking, CSRF, and CORS misconfiguration, highlight the importance of implementing robust security measures to protect web applications and their users. While each vulnerability carries distinct risks, they share a common thread: attackers exploiting incorrectly configured HTTP security headers.


These vulnerabilities can all be mitigated via the use of HTTP headers; these security headers are additional parameters sent by a web server along with a web page to enhance the security of the web application and protect against various types of attacks. These headers instruct the browser on how to behave when interacting with the web application. The scenarios described in this article could have been prevented via the use of these security headers.

  1. X-Frame-Options: By setting the X-Frame-Options header of a web application to DENY or SAMEORIGIN, web developers can prevent other web sites from rendering their web application inside a frame.

  2. Set-Cookie: Setting the SameSite attribute of the Set-Cookie header to Strict restricts cookies to the website that issued them, preventing unauthorised sites from making requests on behalf of authenticated users.

  3. Access-Control-Allow-Origin: This header tells the browser which origins' resources can be trusted, by checking the requesting origin against the value provided in the header. This allows a web application to declare which origins the browser may trust resources from.
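As an added example (not code from the article or from Spartans Security), here is a small Python audit of the three response headers listed above, run over two constructed header sets: a weak one that reproduces the misconfigurations in the stories and a hardened one. All header values are made up for illustration, and the check also accepts the CSP frame-ancestors directive, which is the modern successor to X-Frame-Options.

```python
from typing import Dict, List

# Constructed header sets for illustration; not captured from any real site.
WEAK_HEADERS: Dict[str, List[str]] = {
    "Set-Cookie": ["session=abc123; Path=/; HttpOnly"],
    "Access-Control-Allow-Origin": ["*"],
    "Access-Control-Allow-Credentials": ["true"],
}
HARDENED_HEADERS: Dict[str, List[str]] = {
    "X-Frame-Options": ["DENY"],
    "Content-Security-Policy": ["frame-ancestors 'none'"],
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"],
    "Access-Control-Allow-Origin": ["https://app.example.com"],
    "Vary": ["Origin"],
}

def _get(headers: Dict[str, List[str]], name: str) -> List[str]:
    """Collect all values of a header, matching the name case-insensitively."""
    return [v for k, vs in headers.items() if k.lower() == name.lower() for v in vs]

def _cookie_attrs(set_cookie: str) -> Dict[str, str]:
    """Parse the attributes that follow the name=value pair of a Set-Cookie header."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        attrs[key.lower()] = value.lower()
    return attrs

def audit_security_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return findings for the three controls in the article; [] means all look correct."""
    findings = []
    # 1. Clickjacking: X-Frame-Options DENY/SAMEORIGIN, or its CSP successor frame-ancestors.
    xfo = [v.strip().upper() for v in _get(headers, "X-Frame-Options")]
    csp = " ".join(_get(headers, "Content-Security-Policy")).lower()
    if not any(v in ("DENY", "SAMEORIGIN") for v in xfo) and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors")
    # 2. CSRF: each cookie should carry SameSite=Strict (Lax also blocks cross-site POSTs).
    for cookie in _get(headers, "Set-Cookie"):
        if _cookie_attrs(cookie).get("samesite") not in ("strict", "lax"):
            findings.append(f"csrf: cookie {cookie.split('=', 1)[0]!r} lacks SameSite=Strict/Lax")
    # 3. CORS: a wildcard or 'null' origin is never acceptable with credentials enabled.
    acao = [v.strip() for v in _get(headers, "Access-Control-Allow-Origin")]
    creds = "true" in [v.strip().lower() for v in _get(headers, "Access-Control-Allow-Credentials")]
    if creds and any(v in ("*", "null") for v in acao):
        findings.append("cors: Access-Control-Allow-Origin '*' or 'null' with credentials allowed")
    return findings
```

Running `audit_security_headers(WEAK_HEADERS)` yields one finding per control, while the hardened set returns an empty list.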

These solutions offer a practical and straightforward way to mitigate these common vulnerabilities in web applications.


How Spartans Security Can Help

Spartans Security is dedicated to comprehensively understanding the unique needs of your organisation and to staying up to date with emerging security threats. Our approach involves tailoring recommendations to provide the best-suited solutions for your specific requirements. We not only identify the most fitting security solutions but also offer practical advice on successful implementation. Our commitment lies in ensuring that your organisation not only achieves its security goals but does so with a seamlessly implemented and practical strategy for success.


Furthermore, seeking assistance from qualified IT security professionals like those at Spartans Security can be invaluable in implementing and maintaining effective web application security measures. Testing against resources such as the OWASP Top 10 and MITRE CWE Top 25, coupled with their expertise in vulnerability assessment, penetration testing, and security best practices, can ensure that your web applications remain protected against evolving threats.


Conclusion

It's crucial to remember that ongoing vigilance is essential in the ever-evolving cybersecurity landscape. Regular penetration testing and vulnerability assessments can help identify and address potential security weaknesses before they can be exploited by attackers. Building security by design into your development cycle can help solve these issues before they become a problem. Additionally, fostering a culture of security awareness within organisations, through employee training and education initiatives, plays a vital role in mitigating the impact of social engineering tactics often employed in conjunction with these vulnerabilities.


If you have any questions or need help in implementing web application security for your business, then feel free to reach out at info@spartanssec.com
