What do things look like on the outside? That’s the main focus we have as human beings. But beauty is only skin deep. As with relationships and leaked NSA documents, we quickly discover that what’s on the inside is just as, if not more, important. It’s often not very pretty. This is especially true for web application security.
Insider threats are everywhere, right before our eyes. Consider the story behind Edward Snowden and how he was able to access the classified NSA documents via an internal website.
Such internal sites are often ripe for attack and abuse in large part because they’re not adequately tested. That’s been my experience at least. The scope of an internal security assessment often excludes these critical systems housing intellectual property, credit card information, and protected health information. The belief is “They’ll be okay, our employees will do the right thing.”
Interestingly, I often find the largest number of critical vulnerabilities on internal-facing web applications. Things like:
- SQL injection
- Weak or blank passwords
- Command injection
- Session manipulation
They’re run-of-the-mill web flaws; the difference is that in the internal web environment, odds are no one’s watching for malicious use. It’s a textbook case of not being able to secure what you don’t acknowledge.
A web vulnerability exploited on the internal network looks like nothing more than a series of trusted transactions. That is, unless you’re decrypting and inspecting SSL traffic and watching specific application workflows and database queries for malicious behavior. But what’s that saying: Ain’t nobody got time for that. At least none of the IT managers, admins, and developers I speak with have that kind of time. Even a well-tuned WAF can create a serious false sense of security. But how many businesses are running one of those internally? Not many.
You can even have vulnerabilities below layer 7 that can be exploited using free and relatively simple tools to obtain remote command prompts, copy files, set up backdoor user accounts and so on. And no one will ever know about it – until it’s too late – because of a general lack of internal system logging and monitoring.
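To make “no one’s watching” concrete, here is an added example (not code from the original post) of the bare minimum that watching looks like: a script that reads internal web-server access logs and flags the first three flaws from the list above, SQL injection and command injection in the decoded request, and session manipulation in the form of one session cookie turning up from two different client addresses. The log format, the `sess=` cookie field, the sample lines and the signature patterns are all assumptions constructed for the example; adjust `LINE_RE` and `SIGNATURES` to your own server and applications.

```python
"""Scan internal web-server access logs for textbook attack patterns.

Added example, not from the original post. It assumes a combined-style
access log with one extra quoted field holding the session cookie
("sess=..."); adjust LINE_RE for your own log format.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines (not real traffic): an HR app, a ping utility,
# and one session cookie that shows up from two different workstations.
SAMPLE_LOG = """\
10.1.4.22 - - [12/Jun/2014:09:01:11 -0400] "GET /hr/employee.aspx?id=1043 HTTP/1.1" 200 5120 "sess=A1B2C3"
10.1.4.22 - - [12/Jun/2014:09:01:40 -0400] "GET /hr/employee.aspx?id=1043%27+OR+%271%27=%271 HTTP/1.1" 200 98711 "sess=A1B2C3"
10.1.7.9 - - [12/Jun/2014:09:02:05 -0400] "GET /tools/ping.cgi?host=10.1.1.1%3Bcat+/etc/passwd HTTP/1.1" 200 2210 "sess=F9E8D7"
10.1.9.31 - - [12/Jun/2014:09:03:12 -0400] "GET /hr/employee.aspx?id=1044 HTTP/1.1" 200 5100 "sess=A1B2C3"
10.1.4.22 - - [12/Jun/2014:09:03:15 -0400] "GET /hr/employee.aspx?id=1045 HTTP/1.1" 200 5090 "sess=A1B2C3"
"""

# Assumed log layout: client IP, ident, user, [timestamp], "request",
# status, size, "sess=<cookie>".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "sess=(?P<sess>[^"]*)"$'
)

# Deliberately narrow signatures: enough to catch the run-of-the-mill
# probes an internal tester sees, not a substitute for a real WAF ruleset.
SIGNATURES = {
    "sql_injection": re.compile(
        r"'\s*(or|and)\s*'?\d|union\s+select|;\s*drop\s|--\s*$", re.I),
    "command_injection": re.compile(
        r"[;|`]\s*(cat|ls|id|whoami|nc|bash|sh|cmd(\.exe)?|powershell)\b|\$\(", re.I),
}


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text):
    """Return a list of findings, one dict per suspicious event.

    Per-line findings (injection patterns in the URL-decoded request path)
    come first, in log order; session findings (one cookie seen from more
    than one client address) are appended at the end.
    """
    findings = []
    session_ips = defaultdict(set)
    for lineno, raw in enumerate(text.splitlines(), 1):
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line: not this script's problem
        # Decode %xx and '+' first, otherwise encoded payloads slip past the patterns.
        decoded = unquote_plus(rec["path"])
        for kind, pattern in SIGNATURES.items():
            m = pattern.search(decoded)
            if m:
                findings.append({
                    "line": lineno, "ip": rec["ip"], "kind": kind,
                    "evidence": m.group(0), "path": decoded,
                })
        if rec["sess"]:
            session_ips[rec["sess"]].add(rec["ip"])
    for sess, ips in session_ips.items():
        if len(ips) > 1:
            findings.append({
                "line": None, "ip": None, "kind": "session_shared",
                "evidence": sess, "ips": sorted(ips),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the script reports line 2 as SQL injection (`' OR '1` after decoding), line 3 as command injection (`;cat`), and cookie `A1B2C3` as a session shared between 10.1.4.22 and 10.1.9.31. The point is not the signatures, which any attacker can get around, but that on most internal networks nothing at all is reading these logs, so even this much would be an improvement.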
Likewise, internal audit controls, server patching, system hardening – you name it – can all be neglected when systems are inside the “trusted” realm being accessed only by “trusted” users (as far as you know).
Never forget that just because someone has access to an internal web application doesn’t mean they need access. Likewise, in the case of Snowden, just because someone has passed a background check, obtained a security clearance, or has good references doesn’t mean he or she is incapable of doing harm.
Test your most critical internal web applications first and, as time and money permit, move on down the line – all the way to those seemingly harmless network-based cameras and physical access control systems. You might be surprised by what you uncover.