Application Security

Directory Traveral

Photo by Gabriel Heinzer on Unsplash

Also called directory climbing, dot-dot-slash, and backtracking attack, the directory traversal method leverages the way in which an application gets data from the webserver. Generally, Access Control Lists (ACLs) limit user access to specific files within a root directory.

Consider a set of nested folders that follow this order:

  • Root directory: My Very Sensitive Data (MVSD)
  • Inside MVSD folder: Protecting from H@x0rs (PfH) folder
  • Inside PfH folder: My Password is Bad (MPiB) folder
  • Inside MPiB folder: H@x0rs Stole My Info file

Now, you might have an additional set of folders outside that root folder including Pictures, Videos, and Downloads. Unless you have access to each of these other root folders, you can’t access the information they contain.

Web applications organize information the same way, even if you don’t see it. In a directory traversal attack, malicious actors figure out the URL structure that the application uses to request files. Using the hypothetical above, that URL might be:

www.myinsecurewebapp.com/MyPas… “.asp?item=” indicates that this URL pulled the file “H@x0rsStoleMyInfo” from the “My Password is Bad” folder. Now, they know the structure of folders and how to start getting different files.

Using this structure, they add “../” at the end. The “../” indicates moving from one folder to one just above it in the hierarchy. The new request might look like this:

www.myinsecurewebapp.com/MyH@cking.asp?item=../

They keep adding the ../ until they gain access to another file. If they know the name of the file, such as an operating system file name, they might do this:

www.mywebsiteinfo.com/MyPasswordisBad.asp?item=../genericoperatingsystemfile

At this point, they just keep adding more “../” after the equal sign until they get to the folder level and file they want.

June 17, 2023 by Application Security 0

Top 7 SaaS Security Risks
Photo by Lewis Kang’ethe Ngugi on Unsplash

Contemporary enterprises increasingly embrace cloud technology to harness the operational advantages of delegating essential business functions. A study conducted in 2021 discovered that 90% of the organizations surveyed have integrated cloud computing into their operations, including utilizing services like software-as-a-service (SaaS).

SaaS solutions are pivotal in enabling organizations to attain critical objectives like cost reduction and accelerated time-to-market. Nevertheless, akin to other digital transformation tools, they also introduce cybersecurity vulnerabilities.

When organizations become customers of third-party vendors, they ultimately place their sensitive data in their hands, relying on a foundation of trust. However, even with this trust in place, if a data breach occurs due to inadequate data security practices by the SaaS provider, the responsibility for such a breach still falls squarely upon the client organization.

This article delineates the seven foremost cybersecurity risks introduced by SaaS solutions and provides insights into how organizations can proactively mitigate these risks to prevent potential data breaches.

Top 3 SaaS Security Risk

Below is a list of the three primary cybersecurity risks your organization should consider when utilizing SaaS services.

  1. Cloud Misconfiguration

Since SaaS environments operate within the public cloud, organizations must remain vigilant regarding the distinct cyber threats associated with cloud applications. One prevalent concern is cloud misconfigurations, which transpire when the SaaS provider or the SaaS customer neglects to properly secure the cloud environment. These lapses in security management leave organizations vulnerable to a multitude of cyber threats, including:

Cloud Leaks, Ransomware, Malware, Phishing, External Hackers, Insider threats

A prevalent misconfiguration in cloud computing involves the granting of overly generous permissions. This misstep transpires when an administrator bestows excessive access rights upon an end-user, leading to a permissions imbalance. Excessive licenses constitute a substantial security risk, frequently allowing cloud leaks, data breaches, and insider threats to manifest.

An illustrious instance of a misconfiguration by a cloud service provider is Amazon Web Services (AWS) default public access settings for S3 buckets. Beyond addressing misconfigurations from the cloud provider, your organization must introspect and enhance its security protocols. Gartner’s prediction that 99% of cloud security failures will be attributable to the customer’s actions by 2025 underscores the critical importance of internal security vigilance.

Another noteworthy example of a significant software misconfiguration is the Microsoft Power Apps Data Leak. Secuirty Researchers identified misconfigured OData APIs within Microsoft’s Power Apps portals. This oversight led to the inadvertent exposure of a staggering 38 million records spread across 47 different organizations.

2. Zero Day Vulnerabilities

A zero-day vulnerability is an unpatched software vulnerability that remains unknown to developers. Cybercriminals can exploit these vulnerabilities through attacks, often causing data breaches and loss across affected organizations.

Zero-day vulnerabilities are particularly damaging when identified in popular SaaS platforms – many organizations could be affected, causing a mass shutdown of operations. For example, Accellion’s file-sharing system, FTA, was compromised in 2020 by web shell attacks and zero-day exploits to exploit an unpatched software vulnerability. The incident was part of a broader supply chain attack that breached the sensitive data of over 100 Accellion customers, resulting in widespread operational disruptions.

Organizations must be able to rapidly identify existing vulnerabilities in their SaaS apps to prevent further security issues from occurring through delayed remediation. 

3. Third Party Risk

SaaS services generate third-party risk – the risk deriving from any third party in an organization’s supply chain. Third parties can pose different levels of risk to an organization’s information security. For example, an organization will likely consider a contracted office janitor a low-level security threat, whereas a SaaS vendor is likely high-risk. 

Most SaaS apps will access or store an organization’s sensitive data, including publicly identifiable information (PII) and other privileged information. Your organization may have strict security measures to mitigate cyber threats, but your protection is only as strong as the weakest link in the supply chain.

Organizations must implement effective third-party risk management programs to consistently monitor and manage the unique cyber risks their SaaS vendors contribute to the attack surface.

June 17, 2023 by Application Security 0

How to Improve MySQL Security: Top 5 Ways
Photo by Stephen Phillips – Hostreviews.co.uk on Unsplash

MySQL RDBMS is esteemed among open-source technologies, a prevalent choice for integrating popular software packages such as WordPress and server stacks like LAMP. As the foundational data platform for numerous websites and cloud services, it is imperative to fortify MySQL security to safeguard your valuable data effectively. To that end, here are 5 essential techniques to bolster your MySQL security posture:

5 Ways to Improve MySQL Security

1. Eliminate the Test Database

The default installation of the MySQL Server package includes a test database accessible to all users. This database represents a prime target for potential attackers. As part of the post-installation hardening process, it is crucial to remove the test database completely.

2. Eradicate Anonymous Accounts

Upon installation, MySQL creates anonymous user accounts that serve no practical purpose. However, these accounts pose a potential vulnerability, offering attackers an entry point into the database. Thus, it is vital to eliminate these anonymous accounts from the system.

3. Alter Default Port Mappings

By default, MySQL operates on port 3306. To enhance security, it is advisable to modify this default port setting. Doing so helps obscure critical services on specific ports, as attackers commonly exploit default configurations. Altering the default port mappings strengthens your defense against such attempts.

4. Disable Remote Logins

If the MySQL database is solely utilized by local applications, it is prudent to disable remote access to the server. This can be achieved by editing the /etc/my.cnf file and adding a “skip-networking” entry under the [mysqld] section. By configuring MySQL to cease listening on all TCP/IP ports, including 127.0.0.1, you confine database access solely to local MySQL socket-based communications.

5. Avoid Running MySQL with Root Level Privileges

MySQL should not be operated directly under the root user account to reinforce security measures. Instead, running MySQL under a dedicated user account specifically created for this purpose is recommended. You benefit from improved auditing and logging capabilities by employing a distinct user account with the appropriate permissions to run the service. Moreover, this practice prevents attackers from gaining unauthorized access by exploiting the root user account.

Implementing these five measures will significantly enhance the security of your MySQL database, reducing the risk of potential breaches and protecting your data with heightened efficiency.

April 28, 2023 by Application Security 0

What is Cache Poisoning?
Photo by DeepMind on Unsplash

What is a Cache?

A cache is a temporary storage location that allows faster retrieval of frequently used data and files. Several types of caches are found across several devices and applications, such as laptops, desktops, smartphones, tablets, web applications, and web browsers. The purpose is to make everything run faster and more efficiently. 

When a user opens an app or visits a website for the first time, pertinent data and files are stored in the web cache. When the user revisits the website or app, the associated data and files can be accessed locally from the cache, allowing the site or app to load more quickly. This is why after users initially input their credentials into a website or app, such as Amazon or Gmail, they typically do not have to do so again with each subsequent visit.

Benefits of Caches

The most recognized benefit of caches by users and IT professionals is that they allow apps and websites to run much faster, improving the system’s performance. The DNS (Domain Name Server) resolver can respond to queries without communicating with multiple servers. There are also additional benefits to caches, including:

  • Offline access: As mentioned above, caches save data. In some situations, this allows apps to work without an internet connection. The reason some apps can do so is that the cached data can be used to enable the app to function correctly.

  • Optimize resources: Since caches only need to download files once, the app or website doesn’t have to waste battery power and time downloading data on each subsequent visit. Caches significantly increase efficiency.
It is pertinent to note two things. First, the data from a site or an
app will be redownloaded if changes have been made to the data or files. Second, the DNS information is stored in the designated cache for a specific time frame known as TTL (Time-to-Live). This is why users must re-login into applications such as their email every so often (e.g., 30 days).

How Cache Poisoning Works

In DNS poisoning, the perpetrator enters fake information into the DNS cache. The purpose is to redirect users from the intended server to a different server. The new destination is dangerous and has malicious intentions. There are three different forms of attack:

  1. Once the user is on the malicious website, some program, such as a hijacking program, spyware, malware, a worm, a trojan, etc., is downloaded onto the user’s device without their knowledge.
  2. Sensitive information such as login credentials or bank information may be stolen because the user believes they are on a legitimate website or app, so they willingly input their information. Instead, they are on a phishing website. A common tactic to use is the man-in-the-middle attack approach. A man-in-the-middle attack may occur where the perpetrator alters the communication between two parties. For example, users may think they are talking with a bank representative about their accounts. When the truth is that the attacker has intercepted and hijacked the conversation so that the user is now actually talking with a cyber attacker. The users believing they are communicating with a trustworthy party, may give out sensitive information.
  3. The attacker compromises security updates on the device, which leaves the device vulnerable to hacking.

It is essential to understand that the attacker disguises the dangerous destination, so the user has no idea they’ve been a victim of a cyber attack and were diverted to a different server other than the intended one. One way attackers accomplish DNS spoofing attacks is to enter a website address into the DNS that has been altered. The destination is a fake website disguised as a real one. Cache poisoning can occur on Apple (Mac), Android, and Microsoft operating systems.

Preventing Cache Poisoning

Effectively preventing cache poisoning is the combined responsibility of website owners, DNS service providers, and users. Here are the best ways to protect your business from DNS poisoning.

Utilize DNS Security Extensions

DNS Security Extensions (Domain Name System Security Extensions) or DNSSEC is a protocol in which authentication is required at every communication step between servers. It creates a digital hierarchy designed to prevent cache poisoning. While this is better than nothing, DNS Security Extensions still have vulnerabilities because IP addresses and URLs can still be falsified. Name servers cannot tell the difference during translation.

Utilize End-to-End Encryption 

End-to-End Encryption (E2EE) sends encrypted DNS requests that only the intended server can decrypt. This is a useful method because cyber attackers should be unable to decrypt and exploit the request. However, as with all things internet-based, some attackers can decrypt or foil these encrypted requests. 

Educate users

Educate end-users on how to safely use apps and websites and implement internet protocols that significantly reduce their chances of introducing an attack into the system. Here’s what users should do whenever possible:

  • Never click on unknown URLs
  • Never disable firewalls
  • Routinely scan devices for suspicious activity
  • Routinely clear the cache (if a cache has been poisoned unknowingly, this will help get rid of it faster than waiting for the TTL to expire)
  • Use a VPN (a virtual private network) when possible.

February 22, 2023 by Application Security 0

What is Web Application Security?

Photo by Carlos Muza on Unsplash

Since the commencement of existence, every element was needed to be protected or secured for peace. There is no exception in the aspects that are required to be secured, which includes human beings as well. Human beings face danger and fall victim to crimes in many ways. One of which is cyber crime. In day to day life, we’re all depending on the internet and the applications we use on the internet. These apps can be used to cause harm by any means to its user. Moving forward, a web application is simply an application that is primarily used on a browser to perform a task over the internet, depending on the user’s needs. These applications are created using various techniques and languages with the hope of making it efficient for users to perform a specific task. As we know, every coin has two sides, so does the internet. The internet is home to excellent knowledge and, simultaneously, home to different crimes, often referred to as “cyber crime.” These web applications can be used for cyber crime activities. It could be any activity like stealing money from someone, stealing their identity, corrupting or destroying a computer system, stealing some sensitive data, and so much more. Therefore, it is necessary to secure ourselves from such crimes and prevent them from harming us.

The first thing that pops up in our mind is, “What does web app security/Pentesting mean?”.

Since we all know that nothing in existence is perfect, neither is a computer system nor everything inside it. Web app security refers to the amount of protection or the total layers of protection applied on a web application. Web Application Pentesting means performing various methods or techniques on an application to draw out or highlight its vulnerability or several vulnerabilities to patch those weaknesses up to make that application secure and efficient. Penetration testing (often referred to as “Pentesting”) is a technique of testing various nodes present on the internet to find out the flaws and strengthen them up.
Now we all know what it is. The next thing that we think of is, “Why is Web Application Pentesting necessary/needed?”

Well, the entire existence is flawed regardless of what it is. These flaws can sometimes lead up to something serious, which ends up in human beings’ suffering. The suffering could be either emotional or physical. So, the web applications are no exceptions. The thing that differs from every other flawed entity is that these flaws can be removed and strengthened up. These flaws are necessary to be sealed up because they can be used in a number of ways to harm a user, either virtually or physically. Let’s take up a few instances of how and what various harms can an attacker cause a user using these flaws/vulnerabilities/weaknesses.
Many tools exist that can be used to analyze and a system’s security and find out vulnerabilities that can be used as a path to intrude into a plan to cause destruction. Such tools can be used to secure a network and, at the same time, create a severe threat. These include a vast number of tools like “Metasploit” which is one of the most influential and notorious tools that can be used to withdraw out the flaws and use them as an exploit in a system. Metasploit has over 2000 catalogued vulnerabilities, and even if any 1 of those vulnerabilities is present in a system, then that system is as good as a destroyed one. “John the Ripper” is another tool that is considered one of the fastest password cracking tools and can be used to decrypt your Wi-Fi password, system password, password-protected files, encrypted files, etc. more without much effort. Another one of the most powerful tools is “Maltego,” which can be used for open-source intelligence and digital forensics. An attacker can use this tool to recover all the sensitive data that you’ve deleted or hidden that you didn’t want anyone to get hands-on. An attacker can trace the bits of evidence of that file’s existence and can reach its current location and cause you to harm using those files. There are many more tools that an attacker can use to attack you or the ones close to you in many ways like phishing scams where an attacker can lure you towards using a website or an application that might seem genuine but is not and is used to obtain sensitive information, identity theft scams where an attacker can perform a criminal act and impersonate you while doing that, online harassment where an attacker can harass or harm someone emotionally which might end up in a case of suicide, and so much more threats like these.

February 18, 2023 by Application Security 0

What is an SSL Certificate?

Photo by Stephen Phillips – Hostreviews.co.uk on Unsplash

An SSL certificate (or TLS certificate) is a digital certificate that binds a cryptographic key to your organization’s details. Secure Sockets Layer (SSL) are cryptographic protocols designed to encrypt communication between a server and a web browser.

While SSL certificates are installed server-side, there are visual cues in the browser that show SSL protection. If SSL is present, you may see https:// in the address bar, a padlock, a green address bar, or a combination of the three. SSL secures your connection to a web server and encrypts any transferred data. Encrypting data reduces the cybersecurity risk of man-in-the-middle attacks or many other cyber attacks. SSL has traditionally been used to secure credit card information on e-commerce sites, personal data transfers, and social media sites.

Today, search engines like Google have called for HTTPS everywhere, even if websites don’t handle sensitive data or information like personally identifiable information (PII). HTTPS not only provides critical information security and data integrity but is a requirement for many new web browser features like progressive web apps (PWAs). What is Transport Layer Security (TLS)?

Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL). Think of it as a more secure version of SSL. Despite new certificates using TLS (RSA or ECC), it remains common for security certificates to be referred to as SSL certificates.

TLS, like SSL, provides privacy and data integrity between two or more communicating applications. When secured by TLS, connections between your browser and a server must have one or more of the following properties:

The connection is secured by symmetric cryptography. The keys for symmetric encryption are unique to each connection, based on a shared search negotiated at the start of a session through a TLS handshake. The server and your browser negotiate the details of which encryption algorithm and cryptographic keys are used before data is transmitted. Negotiating a shared secret is secure (preventing eavesdropping) and reliable (no attacker can modify messages without being detected, preventing man-in-the-middle attacks).

The identity of communicating parties can be authenticated using public-key cryptography. Public keys are disseminated widely, and private keys are only known to the owner. People can encrypt a message using the receiver’s public key, but only their private key can decrypt. Authentication can be optional but is generally required for at least one of the parties (typically the server).

The connection is reliable because each transmitted message has integrity checked using a message authentication code (MAC), preventing undetected loss or manipulation of data. A MAC is a short piece of information used to confirm the message came from the stated sender and has not been changed. This protects data integrity and authenticity.

In addition, the configuration of TLS can provide additional privacy-related benefits like forwarding secrecy. Forward secrecy ensures future disclosure of session keys only compromises a particular session. This is achieved by generating a unique key for each session, so the compromise of a single session key cannot affect the data exchanged in any other session.

What is Hypertext Transfer Protocol Secure (HTTPS)?

Hypertext Transfer Protocol Secure (HTTPS) is an extension of Hypertext Transfer Protocol (HTTP). It is used to securely transfer data over a network. In HTTPS, the communication is encrypted using TLS.

HTTPS provides authentication of the accessed website, protecting the privacy and integrity of exchanged data. It also protects against man-in-the-middle attacks such as eavesdropping and tampering with transmitted data. Because HTTPS piggybacks HTTP on top of TLS, the entire HTTP protocol is encrypted, including the requested URL (the specific page requested), query parameters, headers, and cookies (which often contain identifying information about the user).

The one thing that eavesdroppers can see is the website address and port numbers which are part of TCP/IP protocols and not protected by HTTPS. This means an eavesdropper can infer the IP address and port number of a web server (the domain name but not the specific page) that you are communicating with, as well as the amount of data transferred and session time.

Modern web browsers know which HTTPS websites to trust based on pre-installed certificate authorities. Certificates authorities like Let’s Encrypt are trusted to provide valid certificates. This means HTTPS connections are only trusted if all the following are true:

You trust your web browser correctly implements HTTPS with valid certificate authorities. You trust the certificate authority will only vouch for legitimate websites. The website you visit provides a valid certificate signed by a trusted certificate authority. The SSL certificate correctly identifies the website and not another entity. You trust SSL/TLS is sufficient to protect against eavesdroppers.

December 29, 2022 by Application Security 0

How does OAuth 2.0 work?

Photo by FLY:D on Unsplash

OAuth 2.0 was originally developed as a way of sharing access to specific data between applications. It works by defining a series of interactions between three distinct parties, namely a client application, a resource owner, and the OAuth service provider.

  • Client application – The website or web application that wants to access the user’s data.
  • Resource owner – The user whose data the client application wants to access.
  • OAuth service provider – The website or application that controls the user’s data and access to it. They support OAuth by providing an API for interacting with both an authorization server and a resource server.

There are numerous different ways that the actual OAuth process can be implemented. These are known as OAuth “flows” or “grant types”. In this topic, we’ll focus on the “authorization code” and “implicit” grant types as these are by far the most common. Broadly speaking, both of these grant types involve the following stages:

  1. The client application requests access to a subset of the user’s data, specifying which grant type they want to use and what kind of access they want.
  2. The user is prompted to log in to the OAuth service and explicitly give their consent for the requested access.
  3. The client application receives a unique access token that proves they have permission from the user to access the requested data. Exactly how this happens varies significantly depending on the grant type.
  4. The client application uses this access token to make API calls fetching the relevant data from the resource server.

Before learning how OAuth is used for authentication, it’s important to understand the fundamentals of this basic OAuth process. If you’re completely new to OAuth, we recommend familiarizing yourself with the details of both of the grant types we’re going to cover before reading further.

November 2, 2022 by Application Security 0

What is Clickjacking?

Photo by Sigmund on Unsplash

Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website. Consider the following example:

A web user accesses a decoy website (perhaps this is a link provided by an email) and clicks on a button to win a prize. Unknowingly, they have been deceived by an attacker into pressing an alternative hidden button and this results in the payment of an account on another site. This is an example of a clickjacking attack. The technique depends upon the incorporation of an invisible, actionable web page (or multiple pages) containing a button or hidden link, say, within an iframe. The iframe is overlaid on top of the user’s anticipated decoy web page content. This attack differs from a CSRF attack in that the user is required to perform an action such as a button click whereas a CSRF attack depends upon forging an entire request without the user’s knowledge or input.

Protection against CSRF attacks is often provided by the use of a CSRF token: a session-specific, single-use number or nonce. Clickjacking attacks are not mitigated by the CSRF token as a target session is established with content loaded from an authentic website and with all requests happening on-domain. CSRF tokens are placed into requests and passed to the server as part of a normally behaved session. The difference compared to a normal user session is that the process occurs within a hidden iframe.

October 2, 2022 by Application Security 0

What is an Exploit?

An exploit is a piece of software, data, or sequence of commands that takes advantage of a vulnerability to cause unintended behavior or to gain unauthorized access to sensitive data.

Once vulnerabilities are identified, they are posted on Common Vulnerabilities and Exposures (CVE).CVE is a free vulnerability dictionary designed to improve global cyber security and resilience by creating a standardized identifier for a given vulnerability or exposure.

How Do Exploits Work?

Exploits take advantage of a security flaw in an operating system, piece of software, computer system, Internet of Things (IoT) device, or other security vulnerability. Once an exploit has been used, it becomes known to the vulnerable system or software developers, is often fixed through a patch and becomes unusable. This is why many cyber criminals and military or government agencies do not publish exploits to CVE but choose to keep them private.

When this happens, the vulnerability is known as a zero-day exploit. One famous example of a government agency (the NSA) choosing to keep a software vulnerability private is EternalBlue. EternalBlue exploited legacy versions of the Microsoft Windows operating system that used an outdated version of the Server Message Block (SMB) protocol.

Cybercriminals developed the WannaCry ransomware worm that exploited EternalBlue. It spread to an estimated 200,000+ computers across 150 countries, with damages ranging from hundreds of millions to billions of dollars before EternalBlue was patched. Despite software developers issuing a patch to fix EternalBlue, this known vulnerability continues to be a considerable cybersecurity risk because of poor user adoption of the patch.

September 29, 2022 by Application Security 0

XML External Entities (XXE)

Photo by Mohammad Rahmani on Unsplash

Extensible Markup Language (XML) describes data, like the contents of a webpage or database file. XML formatting allows applications to understand information and share data consistently. In order to read this data, you need to have an XML processor. Also referred to as an XML parser, these automated tools read files, transform the content, update databases, and deliver that content so the program can access it.

However, when web applications use an XML format to transmit data between the browser and server, they often use APIs to process the data. Within the XML standard, storage units are called “entities.” External entity refers to a storage unit that can access local or remote content.

An XXE vulnerability can arise from failure to:

  • Know the source before accepting or uploading XML data
  • Disable document type definitions (DTDs)
  • Use less complex data formats like JSON
  • Patch XML processors or underlying operating system
  • Detect XXE in source code
September 15, 2022 by Application Security 0

Recent Comments

No comments to show.