Patches and vulnerabilities
Patches are pieces of code designed to fix ‘bugs’, enable additional functionality or address security flaws in operating systems and applications. Timely installation of patches on web servers and applications is generally recognized as critical to the success of website availability and security, especially considering the speed at which exploits are discovered. This is further highlighted by the fact that in recent years a lot of major attacks have targeted known vulnerabilities for which patches existed long before. Having said this, patching a machine that needs to be up and running all the time is a difficult and costly process for any organization.
Vulnerabilities are weaknesses that can be exploited to gain unauthorized access to, or perform malicious activities on, a computer system. Because not all vulnerabilities have associated patches, administrators should be aware of other methods of remediation such as configuration changes and user education to limit the exposure of their systems to vulnerabilities.
To help alleviate this problem, organizations should have a systematically documented process for limiting exposure to vulnerabilities through the timely deployment of patches. While this process is critically important, it would be wise to be aware of the other risks which patching servers doesn’t cater for.
Web application security risks
Every organization faces their own challenges when it comes to web application security. The level of risk will depend a lot on the type of business, the level of investment in security, the experience of the developers, as well as the technologies and methodologies used. However, there are some common internal and external factors that can contribute to web application security risks irrespective of organization. These include the following:
- Short time to market. Pressures from management, and the marketing or sales teams lead to rapid application releases and an ever increasing feature set, resulting in less time to assess the application for security vulnerabilities.
- Legacy applications. Older applications that weren’t necessarily built to be web-based but now have a web front-end could be exposed to underlying security holes.
- Internet dependency. The dependency on Internet-facing services driven by more and more mission critical processes potentially increases your exposure to web application security vulnerabilities.
- Lack of standardization. Web applications, whether developed in-house, outsourced, or both are sometimes difficult to standardize and human error is always possible.
- Lack of security awareness. Security is sometimes overlooked or not given enough attention throughout the software development lifecycle (SDLC).
What makes web application vulnerabilities so common? One theory is that because of the immature nature of the web application code an attacker may, for example, choose to exploit the web interface by taking advantage of parsing and validation oversights (that should perhaps have been caught as part of the SDLC). Another theory is that the number of protocols and services used by web applications (e.g. HTTP, HTTPS, SOAP) leaves you more exposed and gives the attacker more avenues to exploit. Whilst many developments have been made in finding solutions to vulnerabilities in network protocols and enhancing firewalls and IDS/IPS systems, unfortunately web applications have not had the same scrutiny.
Web applications and web servers are attractive to an attacker for a number of reasons. Typically web servers are of high value to attackers because of the sensitive content they hold or the fact that they may be used as a stepping stone to other areas of the network. By their very nature, web applications have a greater reach than traditional applications. A lot of them interact with databases that may contain customer or financial information – attackers see these web applications as a means to gaining access to the data.
Below are some of the common web application security risks that can potentially be exploited irrespective of how well your servers are patched.
- Security misconfigurations
- Lack of sufficient validation
- Cross-site request forgery (CSRF)
- Cross-site scripting (XSS)
- SQL Injection
- Insufficient use of transport layer encryption
- Backdoors (e.g. exposed management interfaces, legacy users still in the system, etc.)
General web and application server administration tasks also add security concerns. Using default configurations, weak passwords, and running unnecessary services are just some of the poor practices that are still happening in organizations today. The good news is that most of these bad practices can be easily mitigated.
Mitigating the risks
There are a number of steps you can take to help alleviate some of these security risks.
- Patch your servers! Good web server security maintenance involves patching your servers and applications in a timely manner.
- Scan your web apps! While highly recommended, patching servers is not enough. Identifying potential security flaws in your web application is just as critical. A web application security tool can identify weaknesses and suggest improvements that can be made to lock down the server or limit exposure to common vulnerabilities.
A web application security tool like Acunetix offers an advanced in-depth SQL Injection and XSS testing feature, penetration testing tools, support for multiple authentication mechanisms, a website crawler, a web server port scanner and a network services checker, all of which allow you to audit your web server and web application.
In addition to the above, good web application security practice includes increasing awareness at a development, testing and user level, performing a security code review, standardization for development methods used across the organization, and thorough application testing.
On the server side, you should also be sure to review if you really need all the services that are running, enable only relevant ports, use strong passwords, and limit access to the server.
Figure 1 shows the Acunetix Web Services Scanner feature which allows you to launch automated vulnerability scans against Web Services. Using the scripting tool you can also create your own web vulnerability checks.Figure 2 shows the Web Scanner which crawls the target website to enumerate the site’s structure and runs a series of web vulnerability checks against each file in your web application. Figure 3 shows the Blind SQL Injector which makes use of blind SQL injection techniques to enumerate databases, tables, dump data and read files from the web server if an exploitable security vulnerability is found. You can also run custom SQL queries against the database.
With attackers nowadays focusing on web applications and web servers as a means of gaining access to sensitive information within backend databases it becomes ever more important that your organization implements a solid security policy. Security awareness and better coding practises (e.g. implementing user input validation before processing) are a good start, but a multi-level approach is needed. Solutions such as database auditing and activity monitoring tools as well as using a web application scanner like Acunetix can help decrease vulnerability risks.