Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

12:00 PM
Ilia Kolochenko
Ilia Kolochenko
Connect Directly
E-Mail vvv

Modern Web Apps: Not The Risk They Used To Be (They’re Worse!)

Even a tiny Web application without a single byte of confidential data can expose your corporate crown jewels to cybercriminals.

The role of a cybersecurity team is to properly implement, maintain, and monitor the efficiency and effectiveness of security controls designed to mitigate security risks defined by management. But, within organizations - there is always a certain amount of permissible --- the so-called residual risks, which ISACA defines as the risk that remains even after implementing a risk response. These are the risks that companies accept to tolerate because of their low level of impact or probability.

Today many large companies seriously underestimate the risks of vulnerable Web applications and move them into the residual risks group, or in the best-case, mitigate only the most critical threats for the most sensitive Web apps. In reality, any insecure Web application is a universal armor-piercer of your corporate defense.

What’s the easiest way to conduct an APT today? Compromise the victim’s website, place an exploit pack on a specific page, and send spear-phishing emails to few employees. In the vast majority of organizations, the corporate website will be whitelisted on many internal security systems, the employees will blindly trust their own website, and then bravely click on the link. Once clicked – the attackers are in your network. There is no need to purchase a one-million-dollar iOS exploit, when you have an insecure Web application and much less expensive Adobe Flash zero-days. Moreover, many companies still fail to update their internal users in a timely manner, and hackers may break in even with a private exploit for a public vulnerability, costing just few thousand dollars on the Dark Web.

Let’s take a look at a few recent cases that led to costly consequences when companies underestimated the risk of compromised Web applications.

Even a single web app can cause serious reputational harm

The hacking of a small Swiss bank last year serves as an unfortunate example of the dangers of underestimating the risks of insecure Web applications. One of the bank’s “insignificant” Web applications was hacked by cybercriminals demanding a ransom. When the bank refused the ransom, cybercriminals published personal data stolen from the website. Even though the majority of the exposed personal records were not from bank customers, the incident made headlines in both international and local media, causing significant reputational damage due to one tiny Web application on a forgotten subdomain.

RBAC, 2FA & change control may not save you

A first hand example I witnessed recently involved a private European clinique, which discovered a large amount of money sent to a forged bank account. Security controls included two-factor authentication (2FA) for external access to the corporate web-based ERP system with RBAC (Role Based Access Control), change control and monitoring. Yet, criminals successfully exploited a zero-day RCE [via local file inclusion] vulnerability in the ERP, located in the area accessible to non-authenticated users.

The hackers gained access to the funds by changing several bank account numbers stored in the RFP financial Wiki, designed for part-time and newly-hired accountants. Because it was a direct modification in the database, change control, implemented on the application level, didn’t trigger any alert. This type of vulnerability (unlike more complicated ones) could have been easily mitigated by a WAF they considered “useless” due to the above-mentioned security controls already in place.

Segregated secure storage may let you down

In another case, one financial institution my colleagues worked with in the past, decided to minimize costs by splitting their Web applications into sensitive and non-sensitive categories. Sensitive apps processed, stored or accepted client-related data, while non-sensitive apps were mainly designed for marketing purposes. Applications were hosted in different physical locations: secure in-house data-center and rented virtual private servers, respectively.

As you might expect, great attention was given to the sensitive apps, while the others were practically abandoned after their average lifecycle of less than a year – for example, a website dedicated to music festival sponsorship). Web developers were using an external backup service to host the code for all web applications under isolated accounts.

Once, one of the developers was debugging the backup for a non-sensitive Web application designed for a charity project. He tried to connect to the backup server with another account of a sensitive Web application. After the backup was finally working, credentials for the sensitive app were left [commented] in the configuration file. Few weeks later, the charity Web application was hacked via a new WordPress vulnerability. Attackers managed to get access to all the files (including the backup config), connect to the backup of the sensitive Web application and extract all source codes and hardcoded databases credentials.

These simple but painful examples are proof positive that even a tiny Web application, with not a single byte of confidential data, may open access to your crown jewels. Companies need to maintain up-to-date inventory of all their websites and Web applications, and pay close attention to every Web application security that is accessible externally. A good place to start is with ISACA’s 10 Important DevOps Controls, and apply the most appropriate ones, such as regular vulnerability scanning, WAF and continuous monitoring, on every externally accessible Web application. 

Related content:


Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Ilia Kolochenko is a Swiss application security expert and entrepreneur. Starting his career as a penetration tester, Ilia founded High-Tech Bridge to incarnate his application security ideas. Ilia invented the concept of hybrid security assessment for Web applications that ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Ninja
2/29/2016 | 1:42:32 PM
serious reputational harm
Its difficult to associate a monetary value to reputational harm but trust me when I say even though the calculation between repurational harm and montery cost is difficult, the correlation between reputational harm and cost is present.
User Rank: Ninja
2/29/2016 | 1:46:37 PM
24% annual growth is large but I have yet to see WAF as a major utilization point. Who are some organizations that have incorporated WAF and outside the obvious what type of functionality does it provide?
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internet—and What Your Organization Can Do About It
The Threat from the Internet—and What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-04
Cross-site request forgery (CSRF) vulnerability in [Calendar01] free edition ver1.0.0 and [Calendar02] free edition ver1.0.0 allows remote attackers to hijack the authentication of administrators via unspecified vectors.
PUBLISHED: 2020-08-04
[Calendar01], [Calendar02], [PKOBO-News01], [PKOBO-vote01], [Telop01], [Gallery01], [CalendarForm01], and [Link01] [Calendar01] free edition ver1.0.0, [Calendar02] free edition ver1.0.0, [PKOBO-News01] free edition ver1.0.3 and earlier, [PKOBO-vote01] free edition ver1.0.1 and earlier, [Telop01] fre...
PUBLISHED: 2020-08-04
Privilege escalation vulnerability in SKYSEA Client View Ver.12.200.12n to 15.210.05f allows an attacker to obtain unauthorized privileges and modify/obtain sensitive information or perform unintended operations via unspecified vectors.
PUBLISHED: 2020-08-03
A GET-based XSS reflected vulnerability in Plesk Obsidian 18.0.17 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.
PUBLISHED: 2020-08-03
A GET-based XSS reflected vulnerability in Plesk Onyx 17.8.11 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.