Protecting Against Web Application Attacks

December 18, 2019 - Ensighten

2019 has been the year of the web application attack. In the 18 months between January 2018 and June 2019, researchers recorded more than four billion web application attacks. Cybercriminals use these attacks primarily to harvest customer records and financial data from websites by injecting malicious code. The web is the primary source of data breaches, accounting for 79 percent of compromised records in the first half of 2019; however, application attacks can also be used to post ads, commit fraud or even penetrate an internal network.

Juniper Research predicts that a staggering 146 billion records will be compromised by 2023 as a result of data breaches. Also, digital commerce is on course to increase by 66 percent to reach $18.7 trillion by 2024 as transacting online continues to grow in popularity. Since it has become more difficult to target physical stores and credit cards, criminals are focusing their efforts on hacking ecommerce websites instead, leading to a surge in attacks this year.

Security researchers note that without the proper security solutions in place, web application attacks are easy to perform and can be carried out by low-skilled hackers, sometimes even automatically, using publicly available software.

These attacks are dangerous because every organization across every industry, whether private or public sector, has a website which could be vulnerable to attack. Yet few companies are taking the necessary steps to ensure their site and their business are protected.


What is a web application attack?

There are many examples of web applications such as webmail, login forms, content management systems or shopping carts. Developers use a combination of server-side script (ASP, PHP, etc.) and client-side script (HTML, JavaScript, etc.) to develop these applications – but both sides have vulnerabilities that can lead to a web application attack.  

Attacks can be as simple as an attacker manipulating data in a web page’s URL to force an exploitable malfunction in the application. For example, the two most common web application attacks are SQL injection and cross-site scripting (XSS). Executing an SQL injection exploit may just involve modifying the URL – all that is needed is one additional character to trigger a successful exploit. This can give the hacker control over the application and access to the server, database and other IT resources.


Cross-site scripting (XSS)

Cross-site scripting (XSS) takes the form of injection, where an attacker adds their own code to an existing, authorized application. Such attacks can either compromise an individual site directly or breach a third-party script to reach all the sites on which it runs, all at once. The result can be malicious code being served to other website users, and customers being infected with malware that exposes their confidential information. DOM-based XSS attacks are the toughest to detect because the vulnerability is in the client-side code rather than the server-side code, so the server never gets a chance to see the attack taking place.
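To make the DOM-based case concrete, here is an added example (not code from the Ensighten post): a page that greets the visitor by a name taken from the URL fragment. Node.js has no DOM, so each function returns the HTML string the page would assign to an element's innerHTML; the unsafe version lets markup in the fragment become live elements, the hardened version escapes it first. The fragment values and the `renderGreeting*` function names are constructed for this illustration.

```javascript
// Added example, not from the original article: a DOM-based XSS sink and its hardened rewrite.
// The server never sees location.hash, so no server-side filter can catch this.

// Vulnerable: untrusted data from the URL fragment is concatenated straight into markup.
// In a browser, `el.innerHTML = renderGreetingUnsafe(location.hash)` would parse any tags in it.
function renderGreetingUnsafe(fragment) {
  const name = decodeURIComponent(fragment.replace(/^#/, ''));
  return '<h1>Welcome, ' + name + '</h1>';
}

// Escape the five characters that carry meaning in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: the same rendering with the untrusted value escaped. In a real page,
// assigning `el.textContent = name` avoids the HTML sink altogether; the explicit
// escaper is used here so the resulting string can be inspected in Node.
function renderGreetingSafe(fragment) {
  const name = decodeURIComponent(fragment.replace(/^#/, ''));
  return '<h1>Welcome, ' + escapeHtml(name) + '</h1>';
}

// Check used by the tests: does the rendered string contain any tag other than the <h1>
// the template itself wrote? (Crude, but sufficient for a fixed template.)
function containsInjectedTag(html) {
  return /<(?!\/?h1\b)[a-z]/i.test(html);
}

// Constructed inputs: a normal fragment and one carrying markup. A <script> element
// inserted via innerHTML does not run, but an event-handler attribute on an <img> does,
// which is why the classic demonstration payload uses onerror.
const benignFragment = '#Alice';
const hostileFragment = '#' + encodeURIComponent('<img src=x onerror="alert(1)">');

console.log('unsafe:', renderGreetingUnsafe(hostileFragment));
console.log('safe:  ', renderGreetingSafe(hostileFragment));
```

The difference between the two outputs is the whole vulnerability: the unsafe render emits a second element into the page, the safe one emits text that merely looks like a tag. Escaping at the sink (or using textContent) is the fix; validating on the server is not, because the fragment never leaves the browser.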

  • Three quarters of sites are vulnerable to XSS attacks
  • Half of web applications have access control issues
  • A third are susceptible to code injection

[Positive Technologies’ Attacks on web applications: 2018 in review]


When talking about the recent surge in web attacks, it is necessary to mention the dominance of one particular type of attack: digital payment card skimming (DPCS) or formjacking, where cybercriminals inject malicious JavaScript (JS) code to steal credit card details and other sensitive information from the payment forms on checkout pages of ecommerce websites.

In 2019, formjacking made up 71 percent of web breaches and 12 percent of known breaches in total. This type of attack has increased due to attacks by notorious cybercrime group Magecart, which has resulted in hundreds of thousands of websites being exploited and the payment information of millions of users being compromised.


How can you protect your business from web application attacks?

A good starting point for advice is the International Council of E-Commerce Consultants, which says it is important that your web application “is providing trusted data and keeping away untrusted or malicious data from harming your database, web application or end user’s personal data.”

This means it is important you have full visibility of what code is running on your website – whether it is your own or from a third party – and the ability to control the data that code collects and shares, to prevent data leakage.

You should perform security assessments of web applications regularly and fix any vulnerabilities you find – this testing should happen at every stage of the site development lifecycle. Also, ensure you’re not using outdated versions of web servers, operating systems, content management systems, libraries or other software.

Ensighten’s MarSec™ platform provides client-side web application protection while enhancing website performance through:

  • Allow and block: Define permissions for the approved third-party vendors you choose to allow to access data – or block vendors from receiving specific types of data
  • Auditing of new scripts: Real-time view of all the technologies running on your website and full privacy risk assessment as web pages are loaded
  • Stopping injection-based attacks: Blocking of formjacking and payment card skimming by enabling control over third-party JavaScript which is given permission to operate within the user’s browser
  • Reporting: Comprehensive reporting of site traffic and real-time user activity to identify any suspicious patterns or network requests
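The formjacking scenario above and the allow/block and reporting controls in this list both come down to the same question: which origins may run script in the checkout page, and which may receive which kinds of data? The following is an added example, not MarSec or any Ensighten code, of that policy applied to a constructed inventory of what a checkout page observed; all origin names and the `observed` entries are invented. It also derives a Content-Security-Policy header from the same allowlist, with the caveat that CSP can only restrict origins, not which data a permitted origin receives, which is why the per-request audit is still needed.

```javascript
// Added example (not Ensighten's product code): a third-party origin allowlist applied
// to script loads and outbound requests observed on a checkout page, plus a CSP header
// derived from the same policy. Origins and observations are constructed for illustration.

const firstParty = 'https://shop.example';           // hypothetical site origin

// origin -> categories of data that origin is permitted to receive
const allowedOrigins = {
  'https://shop.example':          ['pii', 'payment'],
  'https://analytics.example.net': ['behavioural'],    // allowed tag, but never payment data
};

// What an inventory/monitoring hook recorded while the page ran (constructed).
const observed = [
  { kind: 'script',  url: 'https://shop.example/js/checkout.js' },
  { kind: 'script',  url: 'https://analytics.example.net/tag.js' },
  { kind: 'script',  url: 'https://cdn-static.example.org/loader.js' },                  // unlisted origin
  { kind: 'request', url: 'https://analytics.example.net/collect', data: 'behavioural' },
  { kind: 'request', url: 'https://analytics.example.net/collect', data: 'payment' },    // over-collection
  { kind: 'request', url: 'https://cdn-static.example.org/c',      data: 'payment' },    // skimmer-style exfil
];

function originOf(url) {
  return new URL(url).origin;
}

// Decide for one observation: unlisted origins are blocked outright; listed origins
// may only receive the data categories the policy grants them.
function evaluate(entry, policy = allowedOrigins) {
  const origin = originOf(entry.url);
  const permitted = policy[origin];
  if (!permitted) {
    return { allow: false, reason: 'unlisted origin ' + origin };
  }
  if (entry.kind === 'request' && !permitted.includes(entry.data)) {
    return { allow: false, reason: origin + ' is not permitted to receive ' + entry.data + ' data' };
  }
  return { allow: true, reason: 'ok' };
}

// Annotate every observation with the decision; this is the raw material for reporting.
function audit(entries, policy = allowedOrigins) {
  return entries.map((e) => ({ ...e, ...evaluate(e, policy) }));
}

// Distinct origins that produced at least one blocked event, in first-seen order.
function blockedOrigins(entries, policy = allowedOrigins) {
  const blocked = audit(entries, policy).filter((r) => !r.allow).map((r) => originOf(r.url));
  return [...new Set(blocked)];
}

// A CSP header expressing the origin part of the policy. CSP cannot express
// "analytics may receive behavioural but not payment data"; that needs the audit above.
function cspFromPolicy(policy = allowedOrigins, self = firstParty) {
  const thirdParties = Object.keys(policy).filter((o) => o !== self).join(' ');
  return "script-src 'self' " + thirdParties +
         "; connect-src 'self' " + thirdParties +
         "; form-action 'self'";
}

for (const r of audit(observed)) {
  console.log((r.allow ? 'ALLOW ' : 'BLOCK ') + r.kind.padEnd(7) + ' ' + r.url + '  (' + r.reason + ')');
}
console.log('Content-Security-Policy: ' + cspFromPolicy());
```

In a deployment the `observed` list would be fed by whatever instruments the page (a CSP report endpoint, a monitoring script, or server-side proxying), and the blocked entries become the "suspicious patterns or network requests" the reporting bullet refers to. Note that the third script in the sample is blocked by origin alone, while the fourth request is blocked even though its origin is approved, which is the over-collection case an origin-only control such as CSP would miss.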


Get in touch to find out how to prevent the growing tide of web application attacks.