Wondering how to fix web security vulnerabilities? Scan regularly with tools like Detectify, do in-depth fixing and establish a security directed culture. This is easier with DevOps tools.
Web applications can have multiple vulnerabilities that are difficult to discover manually. Here you will get an overview of the most common security issues, how to check your application status, and get a security researcher’s best security advice.
To you, it is probably old news: every web application can have vulnerabilities, whether it’s linked to a major kernel system or a single web site based on a popular CMS solution.
Many applications are developed over long periods of time with contributions from different environments and people. If you have been programming yourself, you know that the goal is usually to fix a fault or get something to work. When everything is solved after many hours of work, it is easy to just launch the application as it is, and avoid thinking about security concerns.
«The biggest security mistake of them all is to skip vulnerability detection work. Another issue is actually being aware of vulnerabilities and doing nothing. This is more common than you can imagine. Typically, major security vulnerabilities are fixed while smaller ones remain. Multiple low-risk issues quickly add up to a major security issue,» says Linus Särud, Security Researcher at Detectify.
So, what is the security advice that beats all others? Make security an integrated part of the business culture and application development.
This might be a challenge because typically, security is an addition to everything else and is hard to prioritize.
«From the starting point of a new web application project, you can establish security as an integrated part of the process. This applies particularly to DevOps processes where everyone from development to the IT management department works on the same platform.» he says.
He continues: «However, starting over is not always that easy. Most developers navigate in complex solutions built by multiple applications and integrations. In such cases, you must analyze vulnerabilities, repair and leverage security in the existing structure. Fixing is great, but you must dive deeper into the structures to be better prepared against future threats.»
What are the most common web security vulnerabilities? Typically, hackers will exploit vulnerabilities until they are patched and move to the next in line. Therefore, the security vulnerability field is constantly changing.
Here are four approaches to cyber security you should dedicate some time to right now.
The Open Web Application Security Project (OWASP) is a worldwide not-for-profit, charitable organization focused on improving the security of software.
The OWASP’s mission is to create awareness of software security and make it a priority. This is reflected in the top 10 series.
Basefarm’s web application vulnerability assessment partner Detectify has developed an OWASP Top 10 list and a scanner that lets you test your website for vulnerabilities. The list includes code injection, broken authentication, sensitive data exposure, XML external entities (XXE), broken access control, security misconfiguration and more.
Attackers can intercept requests from shopping cart to server and currency. Changing the currency from USD to WON would make the order a thousandth of the price cheaper. Luckily, simply changing the price had its peak some years ago and usually does not work anymore.
Transferring funds between gift cards can be done through a vulnerability class called race condition. This was successfully tested on where it was possible to make several USD 5 transfers from one card holding USD 5 to two other cards.
Gift cards using incrementing IDs make it easy to guess and use gift card numbers. A similar exploit is to test for example the coupon code «superCheap_50» when you already know that «superCheap_10» gives you 10 per cent off.
Want to know more? Read the Detectify blog where 7 common e-commerce security mistakes are explained.
HTTPS is one of the simplest security measures you can implement. Strangely, many applications ran vulnerable HTTP sites until Google prioritized HTTPS sites in its search engine results. This combined with security concerns boosted the use of HTTPS.
Detectify has developed a website vulnerability scanner that performs fully automated tests to identify a 1000+ vulnerabilities. It is continuously updated by a crowdsourced community of 150+ white-hat hackers.
For someone not used to working with security, it can feel overwhelming and hard to understand what to prioritize in a report. Luckily, a service provider with security experience such as Basefarm can assist with this. Read more about our services on our website or contact us directly to learn more!
BIO
Linus Särud (Twitter: @_zulln), 19, already had an interest for IT security when he was only 13 years old. At 14, he got into ethical hacking and discovered severe security vulnerabilities in Google applications as well as contributed IT security articles for IDG Sweden. Today he works as a security researcher for Detectify, a Swedish web security company. At Detectify, Linus is conducting extensive security research, managing the Detectify Labs blog and coordinating 150+ ethical hackers that are part of Detectify’s Crowdsource network.
What should you focus on in order to take the next step in your company’s cloud journey?
With help from over 200 IT professionals and a Cloud Maturity Ladder, this report will help you to focus, prioritize and it will guide you to the next level.
Find undiscovered secrets in your data and on the web: intelligent algorithms provide you with unique knowledge about your customers and your business.
Published: 2020-07-01MITRE CVE-2020-5902 “The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.” “This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create […]
Published: 2020-06-25MITRE CVE-2020-11996 “A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.” CVSS Base score: 7.5 (or 5.9 if Attack Complexity turns out to be High)CVSS Temporal Score: 6.5 as of […]
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT) ESET researchers are warning about targeted phishing attacks agains high-profile aerospace and military companies in Europe. The attacker will approach individual personnel about possible job vacancies, some file-sharing then commences with the pretense of […]
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT) Zoom has become very popular as people are working from home and unable to travel, but faced backlash after multiple security vulnerabilities was discovered earlier this year. Now Cisco Talos discovered two more security […]
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT) It wasn’t really a news that Thunderbolt technology (USB-C) was vulnerable from years before, but now we got a demo from researcher which shows how Thunderbolt flaw allows access to a PC’s data in […]
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT). According to Google’s project zero there are vulnerabilities in Apples operating systems media managements. The vulnerabilities could let an attacker gain access by sending a specially crafted image or video to a target and […]
Published: 2020-04-24 MITRE CVE-2020-4415 “IBM Spectrum Protect server is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. This could allow a remote attacker to execute arbitrary code on the system with the privileges of an administrator or user associated with the Spectrum Protect server or cause the Spectrum Protect server to crash.” […]
There has been discovered a vulnerability in the default mail application (MobileMail) for iOS. The vulnerability allows an attacker to send an email to a victim (you) and without any action from you, the email will launch code prepared by the attacker on your device. The fix for this is not released yet, it has […]
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT). The use of the Zoom video conference application has exploded in popularity amid the ongoing coronavirus pandemic but this has lead to the importance of scrutiny from a security and privacy perspective which as […]
This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT). Criminals continue to use the covid-19 pandemic for personal gain and according to Barracuda networks the amount of phishing emails have spikes by over 650% since the end of February. But even as the […]
Half of Execs Feel Unprepared to Respond to a Cyber-Incident. 
Image by David Mark from Pixabay
"Soldier Holding Rifle" at Pixabay
Image by OpenClipart-Vectors from Pixabay
Image by Niek Verlaan from Pixabay
