Application – INDIA NEWS https://www.indiavpn.org News Blog Thu, 28 Mar 2024 14:10:45 +0000 en-US hourly 1 https://wordpress.org/?v=6.7.1 Avoiding Application Security Blind Spots with OPSWAT and F5 https://www.indiavpn.org/2024/03/28/avoiding-application-security-blind-spots-with-opswat-and-f5/ https://www.indiavpn.org/2024/03/28/avoiding-application-security-blind-spots-with-opswat-and-f5/#respond Thu, 28 Mar 2024 14:10:45 +0000 https://www.indiavpn.org/2024/03/28/avoiding-application-security-blind-spots-with-opswat-and-f5/ [ad_1]

Mar 28, 2024The Hacker NewsApplication Security / Webinar

Considering the ever-changing state of cybersecurity, it’s never too late to ask yourself, “am I doing what’s necessary to keep my organization’s web applications secure?”

The continuous evolution of technology introduces new and increasingly sophisticated threats daily, posing challenges to organizations all over the world and across the broader spectrum of industries striving to maintain reliable defenses. 2024 promises to be no exception. Threat actors continue to adapt their tactics, techniques, and procedures to exploit vulnerabilities in innovative ways, injecting malicious content into files that bypass traditional antivirus solutions and advanced, AI and ML-powered solutions alike.

Therefore, organizations must assess and continually reinforce their security measures. One critical aspect that organizations often grapple with is identifying and addressing security blind spots. These are areas within the infrastructure where vulnerabilities exist but may go unnoticed—for example—only 63% of companies scan all files for malware with multiple antimalware engines and only 32% disarm files to remove embedded threats.

In our webinar, we’ll shine a light on blind spots like these and discuss best practices for eliminating them, emphasizing the importance of continuous monitoring, defense-in-depth cybersecurity strategy, threat intelligence integration, and regular security audits.

Our experts will cover:

  • Insights into the current security landscape, its challenges, and effective cyber defense approaches.
  • How developing a comprehensive application security strategy can help your organization stay compliant with key global regulations.
  • An overview of threat detection and prevention technologies, their benefits, and integration into your technology stack.
  • Understanding the shared responsibilities model and how a defense-in-depth approach enhances your current defense strategies.
  • Strategies to enforce comprehensive cybersecurity across all environments: on-premises, in the cloud, and in K8S—even within SSL-protected environments.
  • How F5 and OPSWAT’s practices align with OWASP guidelines for comprehensive application security.

Join our panel of industry experts, Buu Lam, Community Evangelist, F5 DevCentral; George Prichici, VP of Products, OPSWAT; Adam Rocker, Director, Product Management, OPSWAT; and James Azar, CISO & Moderator for THN for an engaging webinar that will arm you with information to strengthen your organization’s web application security.

Register for the From Blind Spots to Bulletproof: Secure Your Applications with OPSWAT and F5 Webinar now

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.



[ad_2]

Source link

]]>
https://www.indiavpn.org/2024/03/28/avoiding-application-security-blind-spots-with-opswat-and-f5/feed/ 0
Bug or Feature? Hidden Web Application Vulnerabilities Uncovered https://www.indiavpn.org/2023/12/26/bug-or-feature-hidden-web-application-vulnerabilities-uncovered/ https://www.indiavpn.org/2023/12/26/bug-or-feature-hidden-web-application-vulnerabilities-uncovered/#respond Tue, 26 Dec 2023 04:14:14 +0000 https://www.indiavpn.org/2023/12/26/bug-or-feature-hidden-web-application-vulnerabilities-uncovered/ [ad_1]

Web Application Vulnerabilities

Web Application Security consists of a myriad of security controls that ensure that a web application:

  1. Functions as expected.
  2. Cannot be exploited to operate out of bounds.
  3. Cannot initiate operations that it is not supposed to do.

Web Applications have become ubiquitous after the expansion of Web 2.0, which Social Media Platforms, E-Commerce websites, and email clients saturating the internet spaces in recent years.

As the applications consume and store even more sensitive and comprehensive data, they become an ever more appealing target for attackers.

Common Attack Methods

The three most common vulnerabilities that exist in this space are Injections (SQL, Remote Code), Cryptographic Failures (previously sensitive data exposure), and Broken Access Control (BAC). Today, we will focus on Injections and Broken Access Control.

Injections

SQL is the most common Database software that is used, and hosts a plethora of payment data, PII data, and internal business records.

A SQL Injection is an attack that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed.

The starting point for this, is a command such as the one below:

Web Application Vulnerabilities

This will return ALL rows from the “Users” table, since OR 1=1 is always TRUE. Going further with this, this method will also return passwords if there are any.

Picture an attack like this being performed against a large social media company, or a large e-commerce business, and one can begin to see how much sensitive data can be retrieved with just one command.

Broken Access Control

Broken Access Control (BAC) has risen the ranks on the OWASP top ten from fifth to the most common Web Application Security Risks. The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category during OWASP’s recent testing.

The most common types of BAC, is Vertical and Horizontal privilege escalation. Vertical privilege escalation occurs when a user can elevate their privileges and perform actions, they should not have access to do.

The CVE-2019-0211, which was an Apache Local Privilege Escalation. This critical vulnerability, from 2019, affected Apache HTTP servers running on Unix systems, especially those utilizing the mod_prefork, mod_worker, and mod_event libraries.

This granted attackers the capability to execute unprivileged scripts, potentially leading to root access and compromising shared hosting services. Exploiting this flaw requires the manipulation of shared-memory regions within Apache’s worker processes, which must be done before initiating an Apache graceful restart.

The below is a screenshot of the POC code. As one can see, a certain level of technical ability is required in this respect, however, vertical privilege escalation can just as easily occur when a user’s permissions are overly permissive, or not revoked when they leave a business.

Web Application Vulnerabilities

This takes us back to the principle of least privilege, a ubiquitous term found throughout the IT world, that is now becoming more commonplace as we realise how crucial web applications have become.

Horizontal Privilege Escalation is when a user gains access to data they are not supposed to have access to, but that data is held at the same level as their own permissions. This can be seen with one standard user accessing the data of another standard user. Whilst this should not be allowed, the privileges are not rising vertical, but spreading horizontally. This is sometimes seen as more dangerous, as it can occur without raising any alerts on security systems.

With BAC becoming ever more present in the last couple of years, it is important to remember:

  • Solely depending on obfuscation is not a sufficient method for access control.
  • If a resource is not meant to be accessible to the public, it should be denied access by default.
  • Developers should explicitly specify allowed access for each resource at the code level, with access denial as the default setting.

Best Practices – Read between the Lines (of code!)

To maintain security, developers need to verify incoming data, implement parameterized queries when interacting with databases, and apply effective session management methods to protect sensitive data. Much of this relies on both the security of web browsers, but also of the back-end security of the web servers delivering web content, leading to a segregation of duties in web security.

The biggest problem that arises here, is that whilst Web Application Firewalls (WAFs), can mitigate these risks, much of the responsibility for secure implementation of web content lands at the feet of the developers who put these sites together. Cybersecurity can often become an afterthought, with functionality being preferred.

Practical Example – Input Validation

Input Validation is the simplest and most effective ways to implement secure coding, in this example to prevent SQL injections.

  1. User Input: The user provides input, for example:
  2. Web Application Vulnerabilities
  3. Sanitization: The user input is not directly inserted into the SQL query. It is sanitized and treated as data, not as SQL code.
  4. Query Execution: The SQL query is executed with the user input as a parameter:
  5. As such, the query enters the backend as below:
Web Application Vulnerabilities

In this code, the (user_input,) is a tuple containing the user’s input. The database driver takes care of escaping and properly handling this input. It ensures that the input is treated as a data value, not executable SQL code.

If the user input contains malicious code, such as “105 or 1=1,” it is not executed as SQL. Instead, it’s treated as a value to be compared to the UserId in the database.

The database driver automatically handles the escaping of the input, preventing it from affecting the structure of the SQL query or introducing security vulnerabilities.

Web Application Firewalls (WAFs)

A WAF operates at layer 7 of the OSI model, and acts as a reverse proxy, ensuring client traffic passes through the WAF before entering the backend server. The rules or policies on the WAF protect against the documented vulnerabilities that are present in these backend servers and filter out malicious traffic.

There are a plethora of WAFs on the market, and these can all provide a strong defence against the more novel attacks, and contribute well to a defence in depth approach, the practice of secure coding is something that ensure the foundations of the web application is secure and will not fall victim to more complex or novel attacks in the future.

WAFs are currently moving towards a mixture of security model that use behavioural-analysis technologies to detect malicious threats, and further mitigate against the threats of more advanced ‘bots’ which have been leveraged for low-effort attacks on websites.

The main drawback of using a WAF, aside from the added latency and HTTP overhead, is the fact that a WAF can be bypassed by using a 0-day exploit against a web application, which secure coding and correct sanitisation can mitigate against more effectively that offsetting all Web application security to a WAF. It is important to remember a WAF is simply a layer of security, and not the entire solution.

Incident Response and Recovery

SecurityHQ’s suggestions to mitigate against attacks:

  1. Employing a WAF as a first line of defence is critical to ensure business can defend against a large volume of attacks.
  2. Ensure up-to-date and strong standard algorithms and protocols are in use, this should be paired with proper key management.
  3. Encrypt data in transit with secure protocols such as TLS with forward secrecy (FS) ciphers, cipher prioritization by the server. Enforce encryption using directives such as HTTP Strict Transport Security (HSTS).
  4. Enable bot management strategies on websites and have a documented incident response plan.
  5. Ensure secure development practices are in place, with a documented process of testing new features on web applications and ensure input validation is deployed.
    • This should be coupled with ensuring the principle of least privilege.
  6. Regularly test for vulnerabilities, with Vulnerability Management, and Managed Defense with IBM tooling, and keep track of component versions.
  7. Utilise a red application test to uncover vulnerabilities scanners cannot find.
  8. Ensure Developers are regularly trained to keep up with the latest security trends and emerging threats.

For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.

Note: This article was expertly written by Tim Chambers, Senior Cyber Security Manager at SecurityHQ

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



[ad_2]

Source link

]]>
https://www.indiavpn.org/2023/12/26/bug-or-feature-hidden-web-application-vulnerabilities-uncovered/feed/ 0