Reasons behind attacks on HTTPS web applications

Most of the people see green lock and a text saying “Secure” and think this site is 100% secure but that is not the case.

Always remember “HTTPS will not help prevent that your website will not be hacked. It will also not protect you from malware or DDoS (Denial of Service) attacks. It will, however, ensure that you are securely transmitting information to and from a website – typically used when entering sensitive information for banking transaction or online shopping.

So the question is why attack happens inspite of site being secure by SSL?

The core problem is Users can interfere with any piece of data transmitted between the client and the server, including request parameters, cookies, and HTTP headers. Any security controls implemented on the client side, such as input validation checks, can be easily circumvented.

Users are not restricted to using only a web browser to access the application. There are many tools available alongside, or independently of, a browser to help attack web applications. These too are capable of generating huge numbers of requests quickly to find and exploit problems.

The details of the web application security landscape are not static, even though old and well-understood vulnerabilities such as SQL injection and Cross site scripting (XSS) continue to appear, their prevalence is gradually diminishing but at the same time constant research is going on for developing advanced techniques for attacking more subtle manifestations of vulnerabilities that a few years ago could be easily detected and exploited using only a browser. That is why it is said application layer is the hardest to defend.

Most of the attacks occur due to defects in business logic, failures to properly apply access controls, and other design issues and such attacks continue to arise.

Below are few common attacks that are mostly observed:

1. Injection

As the all-time favorite category of application attacks, injections let attackers modify a back-end statement of command through unsanitized user input.

Injection can result in data loss or corruption, lack of accountability, or denial of access. Injection can sometimes lead to complete host takeover.

2. Broken Authentication and Session Management

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

Such flaws may allow some or even all accounts to be attacked. Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted.

3. Cross-Site Scripting

Cross-site scripting is a type of vulnerability that lets attackers insert Javascript in the pages of a trusted site. By doing so, they can completely alter the contents of the site to do their bidding — for example, they could send the user’s credentials to some evil server.

4. Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

Such flaws can compromise all the data that can be referenced by the parameter. Unless object references are unpredictable, it’s easy for an attacker to access all available data of that type.

5. Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

The system could be completely compromised without you knowing it. All of your data could be stolen or modified slowly over time. Recovery costs could be expensive.

6. Sensitive Data Exposure

This category deals with a lack of data encryption in transport and at rest. If your Web applications do not properly protect sensitive data, such as credit cards or authentication credentials, attackers can steal or modify the data to conduct credit card fraud, identity theft or other crimes.

7. Missing Function Level Access Control

This category covers situations in which higher-privilege functionality is hidden from a lower-privilege or unauthenticated user rather than being enforced through access controls.

Such flaws allow attackers to access unauthorized functionality. Administrative functions are key targets for this type of attack.

8. Cross-Site Request Forgery

This type of attack is used in conjunction with social engineering. It allows attackers to trick users into performing actions without their knowledge.

Attackers can trick victims into performing any state changing operation the victim is authorized to perform, e.g., updating account details, making purchases, logout and even login.

9. Using Components with Known Vulnerabilities

This category is about using unpatched third-party components. Attackers can easily exploit old third-party components because their vulnerabilities have been publicized, and tools and proof of concepts often allow cybercriminals to take advantage of these flaws with ease. Any script kiddie can conduct an exploit.

10. Unvalidated Redirects and Forwards

This category of vulnerabilities is used in phishing attacks in which the victim is tricked into navigating to a malicious site. Attackers can manipulate the URLs of a trusted site to redirect to an unwanted location.

Share This:

Leave a Reply

Your email address will not be published. Required fields are marked *