Beyond OWASP: Everything You Should Be Worried About (Security-Wise) with Web Applications
If you’re building a website, especially one that interacts with a user, there are a lot of things to think about. One major consideration is usability since people won’t bother with your website if it’s a pain to use. Another major concern is security. Data breaches have become increasingly common, and web applications are the most visible part of your organization.
Securing them is a critical part of your organization’s cybersecurity strategy. A major part of this is deploying a strong web application firewall (WAF), but it’s also helpful to know what that firewall is protecting you against.
The OWASP Top Ten
The OWASP Top Ten is probably the best-known vulnerability list in the cybersecurity field. Developed by the Open Web Application Security Project (OWASP), it’s updated on a periodic basis and is designed to highlight the most common threats found in web applications.
The current list was released in 2017 and includes the following threats:
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging and Monitoring
This is quite a list of potential threats, but, luckily, it’s one with high visibility within the developer and security communities. As a result, a lot of training and most security appliances are focused on avoiding, identifying, and remediating these vulnerabilities. You definitely don’t want them in your web application, but the tools you need to prevent them are readily available.
But Wait, There’s More
Unfortunately, the OWASP Top Ten list isn’t everything that OWASP thinks you need to worry about for web application security. The OWASP group has also released the OWASP Automated Threats to Web Applications. This is a list of the top 21 automated threats to web applications, and they include the following:
1. Carding: Stolen credit card information may be invalid or outdated. Bots are used to verify that collections of card information are valid.
2. Token Cracking: Using automation to find valid coupon codes.
3. Ad Fraud: Advertisers pay websites based upon the number of views that their ads get. Bots will “view” pages with ads to get revenue.
4. Fingerprinting: Automated collection of data about the web server, application, etc. so that a hacker can find and exploit vulnerabilities.
5. Scalping: Using automation to obtain something in short supply for later resale. Typically used for tickets (concert, movie, etc.).
6. Expediting: Uses automation to speed up slow processes. Used for cheating in games, contests, etc.
7. Credential Cracking: People use bad passwords. Bots can try lists of common usernames and passwords on accounts to try to gain access.
8. Credential Stuffing: Bots are used to check the validity of lists of stolen or cracked usernames and passwords.
9. CAPTCHA Defeat: CAPTCHA is designed to keep bots off of certain pages. In reality, it only works on humans.
10. Card Cracking: Sometimes, card thieves only get the number and name on a credit card. They use bots to guess the date and security code.
11. Scraping: Automated collection of application data for other uses.
12. Cashing Out: Bots are used to extract value from stolen credit card info (e.g. by buying things online).
13. Sniping: Using automation to take action at the last possible minute so other users can’t respond. For example, bidding in an auction one second before it ends.
14. Vulnerability Scanning: Automatically searching for vulnerabilities in a web application.
15. Denial of Service: A group of computers sends a massive amount of traffic to a web server to make it inaccessible to legitimate users.
16. Skewing: Using automation to alter the data that a web application is collecting (e.g. number of views, click-throughs, etc.).
17. Spamming: Automatically adding malicious or useless information to comments, forums, etc.
18. Footprinting: Automatically performing reconnaissance on a web application for use in a future attack.
19. Account Creation: Creation of multiple accounts on a service to be used in the future (see next threat).
20. Account Aggregation: An automated bot uses multiple different accounts on a single service (e.g. for fake likes on Facebook).
21. Denial of Inventory: Items in your cart/basket are reserved for you. Bots will load up carts with items they’ll never buy so that others can’t buy them.
This is the current list of automated threats (as of February 2018), but it’s not a comprehensive list of everything that a bot can do to your website. When designing your web applications, it’s always good to build in defenses against relevant threats, but a proactive defense that protects your assets from threats you haven’t anticipated is also important.
The main problem with web application vulnerabilities is that they’re not going to reach the “Top Ten” or “Top Twenty” and then stop. The goal of the automated threats list is to be more comprehensive than the Top Ten list (which by definition ignores some threats and buries others in a general category). Running through these lists during the development of a web application and checking them off doesn’t make the app secure.
The best way to defend your web applications is with a web application firewall (WAF) designed to identify and block attempts to exploit these vulnerabilities. When shopping for a WAF, look for one that states that it protects against both the OWASP Top Ten and the Top Automated Threats. In many cases, the automated threats are doing something legitimate (like creating an account) in a way that makes it malicious. A simple WAF may not detect this, so look for one that can.
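The point above is what makes automated threats hard for a payload-inspecting WAF: every single login or sign-up request looks legitimate, and the signal is only in the pattern of requests per client. The following is an added example (not code from the article or from OWASP) of behavioural detection for two of the listed threats, credential stuffing (#8) and bulk account creation (#19); the log records, thresholds and client addresses are constructed for illustration.

```python
"""Behavioural detection of two OWASP automated threats over access-log records.
Each request is individually valid; the detection keys on per-client rate and
spread within a sliding time window. All sample data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (ISO timestamp, client IP, path, HTTP status, username)
SAMPLE_LOG = [
    ("2018-02-01T10:00:00", "198.51.100.4", "/login", 200, "carol"),  # normal user
    ("2018-02-01T10:00:30", "198.51.100.4", "/login", 401, "carol"),  # one typo
    ("2018-02-01T10:00:31", "198.51.100.4", "/login", 200, "carol"),
] + [  # one client cycling through a leaked list: 8 different names, all failing
    ("2018-02-01T10:01:%02d" % i, "203.0.113.7", "/login", 401, "user%d" % i)
    for i in range(8)
] + [  # bulk sign-ups from a single client, 6 within one minute
    ("2018-02-01T10:02:%02d" % (i * 9), "203.0.113.9", "/signup", 201, "new%d" % i)
    for i in range(6)
]

def _events_by_ip(records, path):
    """Group (time, status, user) events for one path by client IP, time-sorted."""
    by_ip = defaultdict(list)
    for ts, ip, p, status, user in records:
        if p == path:
            by_ip[ip].append((datetime.fromisoformat(ts), status, user))
    return {ip: sorted(ev) for ip, ev in by_ip.items()}

def _windows(events, window_s):
    """Yield the sliding window of events that starts at each event."""
    span = timedelta(seconds=window_s)
    for i, (t0, _, _) in enumerate(events):
        yield [e for e in events[i:] if e[0] - t0 <= span]

def detect_credential_stuffing(records, window_s=60, min_users=5, min_fail_ratio=0.8):
    """Flag a client that tries many *distinct* usernames on /login in one window,
    mostly failing. A real user retrying their own password has one username."""
    flagged = {}
    for ip, events in _events_by_ip(records, "/login").items():
        for w in _windows(events, window_s):
            users = {u for _, _, u in w}
            fails = sum(1 for _, s, _ in w if s in (401, 403))
            if len(users) >= min_users and fails / len(w) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users), "failures": fails}
                break
    return flagged

def detect_bulk_account_creation(records, window_s=60, min_accounts=5):
    """Flag a client completing many sign-ups (201) in one window: each sign-up is
    legitimate on its own; the volume from one client is the automation signal."""
    flagged = {}
    for ip, events in _events_by_ip(records, "/signup").items():
        for w in _windows(events, window_s):
            created = sum(1 for _, s, _ in w if s == 201)
            if created >= min_accounts:
                flagged[ip] = {"accounts_created": created}
                break
    return flagged
```

Run against the constructed log, only the two automated clients are flagged; the human who mistyped a password once is not, which is the distinction a signature-only WAF cannot make.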