Chapter 1. Today’s Threat Landscape
In this chapter, we examine today’s web application threat landscape, focusing on the major vulnerabilities and threats that cost businesses, and ultimately their customers, billions of dollars per year. We also look at an organization and its members who have taken on the task of gathering threat data and helping businesses prevent web application vulnerabilities. Finally, we discuss the current business impact that these threats have on revenue and reputation.
How We Got Here
In the early days of personal computing, boot sector viruses took the title of top threat to security. As the internet matured, so did the threats to privacy, to raw data, to financial data, and to money itself. The cybersecurity threat landscape looks very different today than it did just five years ago. And if you look at the numbers, the threat landscape has evolved even further from what it was just two-and-a-half years ago when ransomware was the most feared of all malicious cyberattacks. But the one threat that has remained since the beginning of the internet until today is web application attacks.
Cybersecurity Experts Respond to the Growing Threats
In the 2018 SANS Institute Incident Response Survey, business applications, which include web applications, are the top system type involved in breaches (at 62.1%). Web application security is such a high-profile topic that in 2001, computer scientist and cybersecurity expert Mark Curphey founded the Open Web Application Security Project (OWASP) to provide unbiased information about application security. OWASP tools and documents are free and open to anyone interested in improving application security.
Web security remains one of the top concerns of businesses of all sizes. Add the ongoing threat to web security to the new landscape of cloud-based, Everything-as-a-Service (XaaS) offerings, and it’s clear that the threat landscape is as big and diverse as the internet itself. The wave of public compute, storage, and other cloud assets moves us from the integrity of the strictly governed hub-and-spoke datacenters of the 1990s and 2000s to a world in which each provider can define the cloud differently. From a technical perspective, security breaches are expensive to mitigate. The Ponemon Institute’s 2018 Cost of a Data Breach Study: Global Overview reveals that the average cost of a data breach is $3.86 million and the average cost per lost or stolen record is $148. A company that suffers a data breach, on any scale, should prepare for significant revenue losses from legal fees, free or discounted services to affected customers, and reputation damage.
OWASP is a not-for-profit international entity that is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.
There are risks associated with exposing any application to the internet or even to internal users via corporate intranet portals. Security researchers, hackers, nation states, and various other malicious attackers continuously search for vulnerabilities and exploits for those vulnerabilities. According to Verizon’s 2018 Data Breach Investigations Report, web applications top the list for types of breaches. Maintaining vigilance, keeping systems and applications patched, and providing best available perimeter protection still does not guarantee 100% security for any environment. Although these measures certainly don’t hurt security, new vulnerabilities can still arise with every code upgrade, update, and patch.
Security professionals know that cybercriminals can take many paths to breach data, exploit vulnerabilities, and compromise security. Web-based applications are especially vulnerable because of the many support layers beneath the application: operating systems, web servers, database servers, application servers, and services not associated with the application at all. Developers and support personnel alike need to integrate security into every aspect of an application. Securing the application and the data behind it must take top priority at every step in the process.
To illustrate the extent of the focus on web security, the O’Reilly/Oracle Dyn survey “AI brings speed to security” (May/June 2018) reveals that 64% of the 445 respondents list “Hackers gaining access to our data via our websites, applications, or APIs” as their top concern. 37% of the respondents listed “Web application attacks and vulnerabilities” as their second greatest security concern. And in a close third place, 34% report that denial of service (DoS) and distributed denial-of-service (DDoS) attacks are a top issue.
Current Top Threats to Web Applications
You’ve set up a web application that you believe is secure and released it for public consumption. The service appears to be down. The customer or user becomes discouraged and turns elsewhere for satisfaction. What kind of threats can you expect to bombard that application and threaten your security? The threat landscape has broadened in recent years to cloud-based attacks, DDoS attacks, and massive email phishing campaigns. The web security threat landscape has also broadened with the greater threat landscape. Some of those threats remain constant, but have become more sophisticated, more aggressive, and have increased in frequency. For example, SQL injection (SQLi) attacks have remained the top web application threat for at least the past 10 years (OWASP 2010, 2013, and 2017 Top 10 Lists).
The following discussion provides an overview of web application threats. We’ve highlighted the types of damages caused by each and steps to prevent these attacks. While these attacks affect online shopping and retail businesses, all business types can be affected by similar attacks.
Bots and Botnets
There has been significant coverage of malicious bots and the harm they have caused organizations, even over a short amount of time. A nefarious botnet is a formidable enemy on the internet because it is a highly distributed network of connected bots. Bots are individual malware-infected computers that are not willing participants in botnets. The fact that these bots are random, diverse computers owned by innocent users makes them all the more dangerous. The danger lies in their geographic diversity. Their owners have no idea that their computers and internet connection bandwidth participate in attacks.
Bad bots account for more than one-fifth of all internet traffic.1
Small to mid-sized companies face the same challenges as do larger ones, but without the equally large budgets to address them. These companies must do the best they can with what they have, and malicious actors know this and take advantage of it.
Botnets carry out attack campaigns such as massive spam floods, shopping cart and credit card frauds, DoS and DDoS attacks, brute-force hack attacks, identity theft, click fraud/digital ad fraud, web scraping, competitive data mining, account takeover, and credential stuffing.
Attacks can last from hours to days against a target and are generally aimed at extorting funds from the target. This section examines bot-related attacks associated with web applications.
Industries among the most vulnerable include gambling, airlines, finance, health care, ticket vendors, insurance, financial services, and tech.
Some industries are hit harder than others, but it’s clear that none are safe. Over the past three years, analysis of empirical data for web traffic over hundreds of sites shows that between 54.4% and 61.3% of all web traffic is from actual human users. The rest is comprised of bots.
“Not all bots are malicious. For example, the bots used by internet search engines find and index web content to make it easier and more convenient to find the things we’re interested in. The bad bots are the ones to be concerned about—and they accounted for between 18.6% and 21.8% of all web traffic over the last three years.”2
Ecommerce Shopping Cart and Credit Card Fraud
Retail and online shopping sites are the most susceptible to cart fraud from bots because items selected for pending transactions are removed from inventory so that an item isn’t sold twice. Because the transactions are fraudulent, inventories look lower than they are, causing legitimate customers to look elsewhere. When the transaction goes stale from a “no sale” status, the item returns to inventory. There are two reasons why cart fraud is costly: lost sales and inventory understock/overstock issues.
Bots that perpetrate credit card fraud (carding bots) often attempt a small, random charge that might go unnoticed by some. Charges for amounts such as $1.01 are probes to check the validity of a card before larger purchases are made.
There’s a threat that’s almost as rampant as credit card-related theft: price scraping. This occurs when a bot places items into a shopping cart to reveal prices and discounts given on a dynamic basis. Dynamic pricing is an important online sales strategy used by ecommerce portals to influence consumer-buying behaviors.
Content and price scraping not only leads to the aforementioned inventory problem, but it also allows competitors to capture (scrape) pricing and discount levels, which can give them a significant advantage. The data scraper analyzes the site’s dynamic pricing intelligence and can override this strategy to strengthen its own pricing and gain an unfair advantage over victims. The content part of the equation is about gathering a company’s product catalog so that the scraper can offer the same exact product at a lower price.
There are proprietary tools to prevent price and content scraping that allow you to post prices and content without fear of unauthorized access or theft. Most of the tools available are so-called bot protection tools. Behind the scenes, these tools recognize “bot patterns” that attempt to mimic human interactions.
Click fraud has multiple definitions. One definition is when someone increases their online popularity by buying “likes” or clicks on a web posting. The other definition—the one we use for the purposes of this report—is using a botnet to rack up ad costs with fraudulent ad clicks. Bots are especially effective at clicking an ad to record an “impression” and incurring an ad charge. There are multiple ways in which this type of fraudulent behavior can financially harm its victim (although there is generally no financial gain for any of the malicious parties involved):
- Malicious intent
Malicious actors can launch a campaign to increase charges to an innocent advertiser.
- Friends helping friends
Friends attempt to help a publisher by clicking ads to boost revenue to the publisher. When discovered, the publisher is often accused of click fraud.
These fall into two groups: advertising competitors and publishing competitors. Advertising competitors want the advertiser to pay for irrelevant ad clicks. In the case of publishing competitors, the competitor wants the publisher to be accused of click fraud.
The use of botnets for this type of activity is obvious—the difficulty is in tracking down the perpetrator. The only party who suffers is the one who pays for the advertising to drive traffic to a site. The advertising party pays regardless of whether the clicks are valid, which hurts business and profits, and the advertising party could be accused of click fraud, which would result in reputation damage. These bots invoke fraud, which could mean thousands of pretend clicks for which the advertiser must pay.
Similar to other types of attacks in this section, a botnet prevention solution is necessary. Examples of botnet prevention include antimalware software installed on every endpoint, enabled host-based firewalls, disabled autorun features (Microsoft Windows), disallowed automatic trusts between computers, virtual local-area network (VLAN) implementation, and implementing the principle of least privilege for all accounts—especially service accounts.
Distributed Denial-of-Service Attacks
A DDoS attack is typically a flood of legitimate-looking requests that tie up computer resources to the point where legitimate requests go unanswered. DDoS attacks are not like other attacks in that they are not vulnerabilities in the traditional sense. A “normal” vulnerability is one that is present through an error in coding or configuration. The DDoS attack takes advantage of a different kind of vulnerability—changing the signal-to-noise ratio in favor of noise. For example, during a college football game a few years ago, the home team fans were so loud that the opposition’s players couldn’t hear the plays correctly and subsequently lost the game. After the game, the opposing coach commented that the fans were truly the “twelfth man” on the field. The action by the fans was a type of DDoS attack against the opposing team. They made so much noise that the signals couldn’t get through.
DDoS attackers commonly use bots to act as their agents. Bots comprise systems that unknowingly participate in botnets that might include thousands of systems.
DDoS attacks can take the form of distraction attacks, meaning that the DDoS attack is a big fire to put out when the real menace lurks just below your radar, compromising systems or services.
DDoS attackers disrupt your service until the malicious payload successfully infects your systems, and then they disappear back into the internet’s traffic stream. You might not realize that another attack has occurred for months.
Sometimes attackers will launch a DDoS attack to draw attention away from another attack. While security focuses on the noisy DDoS issue, attackers successfully exploit some other vulnerability, using the DDoS attack as a smokescreen.
In a credential stuffing attack, a malicious actor purchases or extracts a set of user credentials and then employs a botnet to test those credentials against websites. This attack succeeds because people tend to reuse usernames and passwords on multiple sites. Open web forms are the most vulnerable because they don’t offer any other validation such as a human verification or a two-factor option. These types of forms are highly vulnerable to credential stuffing.
The financial sector is a prime target for fraudsters. A June 2018 Ponemon Institute report (“The Cost of Credential Stuffing: Asia-Pacific”) states that there were more than 30 billion malicious login attempts from November 2017 to June 2018. The attacks mostly originated from the United States, Russia, and Vietnam.
Retail sites are also vulnerable because most do not implement multifactor authentication. Multifactor authentication is a basic defense against these types of attacks. Attackers depend on sites that only use username and password authentication. A second factor, no matter how simple, is a good deterrent.
According to respondents to the Ponemon study, credential stuffing attacks lead to costly application downtime, customer loss, and expensive IT and security team remediation tasks.
Here’s a quick summary of the Ponemon study:
- Companies experience an average of 12 credential stuffing attacks each month in which the attacker successfully identifies valid credentials.
- The volume and severity of credential stuffing attacks are increasing.
- It’s difficult to differentiate criminals from legitimate users.
- Participants feel that cloud migration leads to increased risk of attacks.
- Companies have insufficient technologies or solutions for preventing and containing credential stuffing attacks.
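The login pattern described above (many different accounts tried, mostly failing) can be separated from an ordinary user mistyping a password by counting distinct usernames rather than raw failures. The following detection sketch is an added example, not part of the original report; the log format, addresses, account names, window size, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW_SECONDS = 300  # five-minute buckets (assumed tuning value)
EPOCH = datetime(1970, 1, 1)


def build_sample_log():
    """Constructed login events: 'timestamp source-ip username OK|FAIL'."""
    lines = [
        # A legitimate user mistypes a password twice, then gets in.
        "2018-06-01T10:00:05 198.51.100.4 alice FAIL",
        "2018-06-01T10:00:20 198.51.100.4 alice FAIL",
        "2018-06-01T10:00:41 198.51.100.4 alice OK",
        "2018-06-01T10:01:10 198.51.100.9 bob OK",
    ]
    # One source tests eight different accounts, one attempt each.
    for i in range(8):
        outcome = "OK" if i == 5 else "FAIL"
        lines.append(f"2018-06-01T10:02:{i:02d} 203.0.113.7 user{i:02d} {outcome}")
    # A distributed run: ten sources, two accounts each, in a later window.
    for i in range(10):
        for j in range(2):
            lines.append(
                f"2018-06-01T10:10:{2 * i + j:02d} 192.0.2.{i + 1} acct{i}{j} FAIL"
            )
    return lines


def parse(lines):
    """Return (window_index, source_ip, username, succeeded) tuples."""
    events = []
    for line in lines:
        ts, ip, user, outcome = line.split()
        seconds = (datetime.fromisoformat(ts) - EPOCH).total_seconds()
        events.append((int(seconds // WINDOW_SECONDS), ip, user, outcome == "OK"))
    return events


def suspicious_sources(events, min_users=5, min_fail_ratio=0.8):
    """Sources that try many distinct accounts in one window and mostly fail."""
    users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for window, ip, user, ok in events:
        key = (window, ip)
        users[key].add(user)
        total[key] += 1
        fails[key] += 0 if ok else 1
    return sorted({
        ip for (window, ip), seen in users.items()
        if len(seen) >= min_users
        and fails[(window, ip)] / total[(window, ip)] >= min_fail_ratio
    })


def suspicious_windows(events, min_failed_users=15, min_fail_ratio=0.8):
    """Windows where many distinct accounts fail site-wide, whatever the source."""
    failed_users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for window, _ip, user, ok in events:
        total[window] += 1
        if not ok:
            fails[window] += 1
            failed_users[window].add(user)
    return [
        (EPOCH + timedelta(seconds=w * WINDOW_SECONDS)).isoformat()
        for w in sorted(total)
        if len(failed_users[w]) >= min_failed_users
        and fails[w] / total[w] >= min_fail_ratio
    ]


if __name__ == "__main__":
    events = parse(build_sample_log())
    print("sources:", suspicious_sources(events))
    print("windows:", suspicious_windows(events))
```

The per-source check misses the distributed run because each address touches only two accounts; the site-wide check catches it, which is why both views are needed when the traffic comes from a botnet.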
Other Common Web-Based Attacks
The ecommerce-related attacks we’ve covered thus far, while common, are higher profile than the ones listed in this section. These attacks are just as common, but they receive little press even though they are no less significant in terms of financial losses due to stolen records and damaged reputations. A DDoS attack, for example, is big news, but SQL injection attacks rarely make media reports.
These types of attacks do hit news feeds when the size of the stolen or compromised data set is large enough to warrant it. Rarely, if ever, do the standard news outlets mention the mode of compromise to include terms such as SQL injection, XSS, or session hijacking. This section familiarizes you with these very dangerous but preventable exploits.
SQL injection is an attack resulting from poor user data entry validation or other poor coding practices (e.g., a web form that allows a user to input untrusted data, tricking the application into executing unintended commands). Injections can be SQL queries, PHP queries, lightweight directory access protocol (LDAP) queries, and operating system commands.
Malicious users allowed to enter open-ended input into a web form, without any coding protection or input sanitizing, can launch injection attacks that result in data theft, data exposure, data loss, data corruption, denial of access, and host takeover. Security researchers find that injection flaws are very prevalent, especially in legacy code. Attackers find and exploit vulnerable code using scanners and fuzzers, which are software applications specifically designed to find such coding flaws.
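The coding flaw described above, shown beside its corrected form, as an added example that is not part of the original report. The table, the function names, the allow-list pattern, and the test inputs are constructed for illustration; the example uses Python's standard `sqlite3` module.

```python
import re
import sqlite3

# Assumed allow-list for a customer-name field: letters, spaces, hyphens and
# apostrophes, at most 32 characters. Real names can contain apostrophes.
NAME_PATTERN = re.compile(r"[A-Za-z][A-Za-z' -]{0,31}")


def make_db():
    """Build an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("O'Brien", "obrien@example.test"),
        ],
    )
    return conn


def lookup_concatenated(conn, name):
    """Flawed form: form input is pasted into the SQL text, so a quote
    character in the input changes the structure of the statement."""
    query = "SELECT email FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    """Corrected form: the statement is fixed and the input is bound as a
    value, so it is only ever compared against the name column."""
    query = "SELECT email FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def is_valid_name(name):
    """Input validation as a second layer, applied before the query runs."""
    return NAME_PATTERN.fullmatch(name) is not None


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed test input containing SQL syntax
    print("concatenated :", lookup_concatenated(conn, crafted))
    print("parameterized:", lookup_parameterized(conn, crafted))
    print("passes allow-list:", is_valid_name(crafted))
    # A legitimate name with an apostrophe breaks the concatenated query.
    try:
        lookup_concatenated(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("concatenated query failed on O'Brien:", exc)
    print("parameterized:", lookup_parameterized(conn, "O'Brien"))
```

The allow-list alone is not the fix: it has to accept apostrophes for real names, so the bound parameter is what keeps input from being interpreted as SQL.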
A cross-site scripting (XSS) attack is a type of injection that involves placing malicious scripts into websites. The attacker uses a web application to send malicious code to a user in the form of a browser-side script. XSS is the second most prevalent issue in the OWASP Top 10 Report for 2017. It’s found in close to two-thirds of all applications. If you choose to rely on automated tools for detecting this vulnerability, realize that they will detect only some XSS problems—generally limited to those in PHP; Java 2 Platform, Enterprise Edition (J2EE); JavaServer Pages (JSP), and ASP.NET technologies. However, automated exploit tool frameworks can detect and exploit all three types of XSS. Exploitation frameworks and tools are readily available and many are free of charge and open source.
To illustrate how prevalent XSS attacks are, high-profile companies such as Facebook, Google, and PayPal have been focused on addressing this threat with their R&D to protect customers. Even though XSS is a type of injection, it does not attack the web application itself, as do regular injection attacks. Rather, the XSS attack infects web application users. These types of attacks target users to steal their credentials.
There are three types of XSS, and they typically target users’ browsers:
- Reflected XSS
The application or API includes unvalidated user input as part of HTML output.
- Stored XSS
The application or API stores nonsanitized user input that is viewed at a later time by another user or by an administrator.
- DOM XSS
Trusted User Session Hijacking
Session hijacking is a variant of the man-in-the-middle attack in which the attacker has access to the network via a rogue connection or through a compromised system. This type of attack is an active rather than a passive attack. This means that the attacker not only uses tools to collect data through network sniffing, but also must take an active role in using that information to disrupt an ongoing session—hence the term “hijack.” There are two types of session hijacking: application and network. Application hijacking occurs when an attacker steals or predicts the valid session token. The attacker gathers (sniffs) HTTP network traffic to find a valid ongoing web session.
Prior to an actual hijack session, which can be labor-intensive and can increase the risk of exposure, the attacker sniffs the network for unencrypted protocols such as FTP, HTTP, Telnet, and the Berkeley r-commands such as rexec. These protocols send information in plain text, which is human readable as it’s sniffed from network traffic. These protocols are low-hanging fruit that attackers use because they don’t need to do any real work to gain access to a username and a password.
There are monitoring tools that detect new application installations on workstations, but they don’t find and identify so-called “portable” applications that run without the requirement for a formal installation. An attacker can download portable applications and freely run them without detection because they are standard network tools available to anyone. One example is Wireshark Portable, a cross-platform network protocol analyzer that is useful in network troubleshooting. But like any good tool, malicious users and attackers use its powerful capabilities to do reconnaissance on networks to find exploitable weaknesses.
Session hijacking is the act of taking over an ongoing, active connection between two nodes on a network. It requires that the intruder have access to the network because session hijacking requires a combination of sniffing and spoofing tools. User session hijacking is also known as cookie side-jacking.
Threats and Impacts to Business
You don’t need to look far to find victims of any of the web application attacks previously described. Large retail businesses, financial institutions, government entities, medical facilities, and even security companies have fallen prey to these attacks. Every victim has something significant to lose when a breach occurs. Retailers lose revenue due to down time. They lose customers because they’re seen as vulnerable. And the losses can pile up over time as more investigations take place that uncover stolen customer credit card data, personnel information, and damages to systems. The resulting losses can grow to tens of millions of dollars.
Likewise, financial institutions, government sites, and medical facilities all have experienced huge reputation damage and tremendous personally identifiable information (PII) theft. Stolen PII can result in identity theft and fraud that costs businesses and consumers billions of dollars each year. A few high-profile security companies have shuttered their doors due to embarrassing hacks and data exposure.
The losses to businesses and consumers alike are significant. The dollar-per-incident costs are overwhelming. And the damage to reputation is often irreversible.
Web application security is so important to an internet-based society that global groups have formed to focus on protecting businesses and consumers from attacks, fraud, and breaches. When the average cost of a breach is $3.86 million, it doesn’t take too many to add up to disaster for businesses and shareholders. Retailers pay a direct cost in loss of revenue and customer loyalty. Other businesses and government entities can experience both direct and indirect costs from breaches. Some indirect costs come in the form of identity theft, credit card fraud, and the release of confidential information. The potential for these types of costs exists as long as the data is available to the highest bidder.
Some less obvious costs to businesses occur through the purchase of new hardware, new software, and new services to mitigate, remedy, or deter future losses from breaches. Cleanup operations might take several months to a year or more and consume precious resources from other areas of a business.
By now, you understand the direct and the indirect financial burdens that breaches cause. You also have a feel for the scope and the depth of the threat landscape facing internet web applications. After the lid is off our data, putting it back on is costly, time-consuming, and has far-reaching implications for customer loyalty and business reputation.
The web application threat landscape is large, complex, and ever-changing. To stay ahead of new threats, security professionals must continuously work on addressing vulnerabilities and protecting against the methods attackers use to steal data and disrupt commerce. Unfortunately, we can’t depend on any single entity to protect our web applications and our data. We must use a multilayer approach to security inside and outside of the corporate network. The next chapter explores some of these protection strategies.
1 Source: 2018 Bad Bot Report: The Year Bad Bots Went Mainstream by Distil Networks