Nowadays hackers rely mostly on automated tools to exploit vulnerabilities in web applications, which is why attacks have become such a common occurrence. There are many different types of web application vulnerabilities, but here are the 10 most critical and most exploited ones of 2015. These vulnerabilities can be found with automated scanners and rated according to their severity. The vulnerabilities mentioned below are worth fixing, not only because of their severity but also because of the risk they pose to a business.
1. Injection
You are probably already aware of this vulnerability class; it is the most common one. Hackers, even script kiddies, can easily exploit it using automated tools. Injection flaws are not limited to SQL injection: there are several others, such as OS command, LDAP and even HTML injection, where untrusted data is sent to an interpreter as part of a query or command. The root cause is the same in every case, and so is the fix: keep the data separate from the command (parameterised queries, argument arrays instead of shell strings) rather than trying to filter the input.
This was one of the most severe web application vulnerabilities across the internet in 2015. In what researchers called an "XSS File Injection" attack, hackers injected a remote file into the website so that they could execute JavaScript in the current web page; researchers analysed this as a particular technique used by these attackers to carry out their XSS (Cross-site Scripting) attacks.
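The SQL flavour of the flaw, as an added example that is not part of the original article: a login check that concatenates user input into the query beside the parameterised version of the same check. The in-memory SQLite table and the two attacker inputs are constructed for the demonstration; the tautology payload turns the WHERE clause into "anything OR true", and the comment payload cuts the password check off the end of the statement.

```python
import sqlite3

def make_db():
    # Constructed demo table; not a real application schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return db

def login_vulnerable(db, name, password):
    # Untrusted input is spliced into the SQL text, so the attacker controls
    # the structure of the statement, not just the values it compares against.
    sql = ("SELECT id FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return sorted(row[0] for row in db.execute(sql))

def login_safe(db, name, password):
    # Parameterised query: values travel separately from the statement, so a
    # quote or a comment marker in the input is data, never SQL syntax.
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in db.execute(sql, (name, password)))

# Constructed attacker inputs.
TAUTOLOGY = "' OR '1'='1"   # password field: ... AND password = '' OR '1'='1'
COMMENT = "alice' --"        # name field: ... WHERE name = 'alice' --' AND password = ...

def demo():
    db = make_db()
    return {
        "vulnerable_normal": login_vulnerable(db, "alice", "s3cret"),
        "vulnerable_tautology": login_vulnerable(db, "alice", TAUTOLOGY),
        "vulnerable_comment": login_vulnerable(db, COMMENT, "wrong"),
        "safe_tautology": login_safe(db, "alice", TAUTOLOGY),
        "safe_comment": login_safe(db, COMMENT, "wrong"),
        "safe_normal": login_safe(db, "alice", "s3cret"),
    }

if __name__ == "__main__":
    for label, ids in demo().items():
        print(f"{label:22s} -> matched user ids {ids}")
```

The vulnerable function returns every user for the tautology and logs in as alice without a password for the comment payload; the parameterised function returns nothing for either, because the whole payload is compared literally against the password column.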
2. XSS (Cross-site scripting)
Cross-site scripting is not a new vulnerability for any researcher. When an attacker exploits it he can inject a malicious script into a website. The weakness affects the site's users: a session can be hijacked and the user can be redirected to a malicious website instead of the intended page. We have seen these attacks happen in large numbers on different websites, some of them quite serious, such as when attackers managed to gain access to Apache Foundation servers through an XSS. The defence is output encoding that matches the context the data lands in (HTML text, attribute, URL or script), not input filtering alone. Hence it is no surprise that XSS sits near the top of our list.
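Context-aware output encoding, as an added example that is not part of the original article: a profile snippet rendered once with raw interpolation and once with the name escaped for the HTML text context, the link escaped for the attribute context, and the URL scheme checked so that a javascript: link cannot be smuggled into href. The render functions and the attacker inputs are constructed for the demonstration.

```python
import html
import re
from urllib.parse import urlsplit

# Schemes a profile link may use; "" covers relative URLs such as /profile/bob.
SAFE_URL_SCHEMES = {"http", "https", ""}

def render_vulnerable(name, homepage):
    # Untrusted values dropped straight into three HTML contexts.
    return f'<p>Hello {name}! <a href="{homepage}">homepage</a></p>'

def safe_url(url):
    # Browsers ignore tabs/newlines and leading whitespace when parsing a
    # scheme, so strip all C0 controls and spaces before inspecting it;
    # "java\tscript:" must not slip past a naive startswith() check.
    cleaned = re.sub(r"[\x00-\x20]", "", url)
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return "#"
    return cleaned if scheme in SAFE_URL_SCHEMES else "#"

def render_safe(name, homepage):
    text = html.escape(name)                            # HTML text context
    href = html.escape(safe_url(homepage), quote=True)  # attribute context
    # html.escape also turns '&' into '&amp;', so an entity-encoded scheme such
    # as "javascript&colon;" stays literal text instead of decoding in the browser.
    return f'<p>Hello {text}! <a href="{href}">homepage</a></p>'

if __name__ == "__main__":
    # Constructed attacker inputs.
    print(render_vulnerable("<script>alert(1)</script>", "javascript:alert(1)"))
    print(render_safe("<script>alert(1)</script>", "javascript:alert(1)"))
    print(render_safe("Bob", '" onmouseover="alert(1)'))
```

The escaped version never contains a live tag or a breakout from the href attribute; the scheme check is what stops the third input class, which escaping alone does not, because a well-formed javascript: URL needs no special characters at all.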
3. Using Components with Known Vulnerabilities
This happens when the developer does not take security seriously, or out of
neglect. All the components of a web application should be selected
carefully and none of them should carry a known vulnerability. Component
here means every module the developer uses while creating the web
application: the framework, libraries, plugins and so on. A library with a
published vulnerability is as dangerous as a bug in your own code and far
easier for an attacker to find, since the version is often visible in
response headers, file names or error pages; keep an inventory of what you
ship and check it against vulnerability advisories regularly.
4. HTTP – Insecure Authentication Scheme
When a web application uses Digest, NTLM or Basic authentication over
HTTP instead of HTTPS, it leaves the application open to attack. The most
common issues we have seen in the recent past are:
i) Information leakage, which occurs when a password is transmitted over HTTP. Attackers intercept the user's password before it reaches the website. Those who conduct these attacks are called "man in the middle", because they sit between the user and the website the whole time. Basic authentication is the worst case, since its base64 encoding is cleartext for practical purposes; Digest only sends a hash, but a captured exchange can be brute-forced offline against a password list.
ii) Transmission of user data (date of birth, name, social security number and so on) in cleartext. This lets an attacker intercept the network traffic and steal the data.
iii) The possibility to lock out or brute-force user accounts.
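Points i) and iii) together, as an added example that is not part of the original article: what a man in the middle recovers from a Basic header with a single base64 decode, and how a captured Digest header (RFC 2617, qop=auth, the MD5 construction every Digest implementation uses) is cracked offline with a wordlist. Both captured requests are constructed here from the known password "s3cret"; the host, realm, nonce and cnonce values are placeholders, not real traffic.

```python
import base64
import hashlib
import re

def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 with qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

# Constructed captures of what a man in the middle sees on port 80 (not real traffic).
BASIC_REQUEST = (
    "GET /admin HTTP/1.1\r\nHost: example.test\r\n"
    "Authorization: Basic " + base64.b64encode(b"alice:s3cret").decode() + "\r\n\r\n"
)
NONCE, NC, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
DIGEST_REQUEST = (
    "GET /admin HTTP/1.1\r\nHost: example.test\r\n"
    'Authorization: Digest username="alice", realm="admin", nonce="%s", uri="/admin", '
    'qop=auth, nc=%s, cnonce="%s", response="%s"\r\n\r\n'
    % (NONCE, NC, CNONCE,
       digest_response("alice", "admin", "s3cret", "GET", "/admin", NONCE, NC, CNONCE))
)

def parse_auth_header(raw_request):
    """Return (scheme, params) for the Authorization header of a raw HTTP request."""
    m = re.search(r"^Authorization:\s*(\w+)\s+(.*)$", raw_request, re.M)
    if not m:
        return None, {}
    scheme, rest = m.group(1), m.group(2).strip()
    if scheme == "Basic":
        # base64 is an encoding, not encryption: one call recovers the password.
        user, _, password = base64.b64decode(rest).decode().partition(":")
        return scheme, {"username": user, "password": password}
    if scheme == "Digest":
        pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
        return scheme, {key: quoted or bare for key, quoted, bare in pairs}
    return scheme, {"raw": rest}

def crack_digest(params, method, wordlist):
    """Offline guess of the password behind a captured Digest response."""
    for candidate in wordlist:
        guess = digest_response(params["username"], params["realm"], candidate, method,
                                params["uri"], params["nonce"], params["nc"],
                                params["cnonce"], params["qop"])
        if guess == params["response"]:
            return candidate
    return None

def demo():
    _, basic = parse_auth_header(BASIC_REQUEST)
    _, digest = parse_auth_header(DIGEST_REQUEST)
    cracked = crack_digest(digest, "GET", ["password", "123456", "letmein", "s3cret"])
    return {"basic": basic, "digest_user": digest["username"], "cracked": cracked}

if __name__ == "__main__":
    print(demo())
```

The Digest crack needs nothing the server would not also need, and it runs at wordlist speed with no lockout because the guesses never touch the server; this is why the page's advice is TLS for every scheme, not a stronger HTTP scheme.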
5. Hidden Files accessible
Another major vulnerability in web applications is when an attacker gains
access to directories and files that were meant to stay hidden. Files that
commonly reveal or enable a breach like this are: crossdomain.xml,
robots.txt, the Google sitemap and clientaccesspolicy.xml. The first and
last of these are cross-domain policy files for Flash and Silverlight: a
wildcard entry lets a plugin loaded from any origin read the site's
responses with the victim's cookies. robots.txt and the sitemap are simply
lists of paths, including the ones you asked search engines not to index,
and attackers read them for exactly that reason.
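Checks for the three file types named above, as an added example that is not part of the original article: the crossdomain.xml and clientaccesspolicy.xml parsers flag wildcard and insecure entries, and the robots.txt parser pulls out the Disallow paths an attacker would try first. All three inputs are constructed samples, not files from any real site.

```python
import xml.etree.ElementTree as ET

# Constructed samples of the three files as a scanner might retrieve them.
CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-access-from domain="*.partner.example" secure="false" />
</cross-domain-policy>"""

CLIENTACCESSPOLICY = """<?xml version="1.0"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*"><domain uri="*" /></allow-from>
      <grant-to><resource path="/" include-subpaths="true" /></grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""

ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /old-site/
Allow: /public/
"""

def audit_crossdomain(xml_text):
    """Findings for a Flash cross-domain policy."""
    findings = []
    for el in ET.fromstring(xml_text).iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append("domain=* lets a SWF from any origin read responses with the victim's cookies")
        elif domain.startswith("*."):
            findings.append(f"{domain}: any compromised host under that suffix can read responses")
        if el.get("secure", "true").lower() == "false":
            findings.append(f"secure=false on {domain}: plain-HTTP SWFs may read HTTPS responses")
    return findings

def audit_clientaccesspolicy(xml_text):
    """Findings for a Silverlight cross-domain policy."""
    findings = []
    for el in ET.fromstring(xml_text).iter("domain"):
        if el.get("uri") == "*":
            findings.append("domain uri=* grants every origin cross-domain access")
    return findings

def robots_disallowed_paths(text):
    """The paths a robots.txt asks crawlers to skip; the first places to look."""
    paths = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths

if __name__ == "__main__":
    print(audit_crossdomain(CROSSDOMAIN))
    print(audit_clientaccesspolicy(CLIENTACCESSPOLICY))
    print(robots_disallowed_paths(ROBOTS))
```

A policy file should list only the exact origins that need plugin access; a robots.txt should exclude crawlers from a path only if the path is also protected by authentication, because the file itself is public.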
6. Sensitive Data accessibility
Sensitive data accessibility occurs when an attacker gains access to
sensitive data, or even to a backup of it, through a vulnerability in your
site. Sensitive data may include your users' credit card information,
private personal information and any other data that is not supposed to
go public. Backups and exports left inside the web root are a common
source, because they are served as plain files without any of the
application's access checks.
7. Weak or common credentials
When a user chooses a commonly used password, or in some cases even a
common username, he becomes an easy target. If an attacker guesses or
otherwise obtains a weak password, he not only gains access to your site's
admin panel but also takes full control of the web application.
8. Programming errors & Misconfiguration
Misconfiguration is when the web application depends on poorly configured
software, possibly combined with programming errors, in a way that allows
an attacker to gain unauthorized access. Proper analysis of the web server
and other network-based service configuration is as important as analyzing
the security of the web application itself: version banners, missing
security headers and cookies without protective flags are all visible in a
single response and are the first things a scanner reports.
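A response-header audit of the kind just described, as an added example that is not part of the original article: it parses a raw HTTP response and reports version banners, session cookies without HttpOnly or Secure, missing anti-framing, MIME-sniffing and CSP headers, and a missing HSTS header on a TLS site. The weak and hardened responses are constructed for the demonstration, not captured from a real host.

```python
import re

# Constructed responses: a poorly configured server and a hardened one.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

REQUIRED_HEADERS = {
    "x-frame-options": "clickjacking",
    "x-content-type-options": "MIME sniffing",
    "content-security-policy": "script injection blast radius",
}

def parse_response(raw):
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_line, headers, body

def audit_response(raw, over_tls=True):
    """Return a list of misconfiguration findings for one raw HTTP response."""
    _, headers, _ = parse_response(raw)
    present = {name for name, _ in headers}
    findings = []
    for name, value in headers:
        # A version number in a banner tells the attacker which CVEs to try.
        if name in ("server", "x-powered-by") and re.search(r"\d+\.\d+", value):
            findings.append(f"{name} leaks a product version: {value}")
        if name == "set-cookie":
            cookie = value.split("=", 1)[0]
            flags = {part.strip().lower() for part in value.split(";")[1:]}
            if "httponly" not in flags:
                findings.append(f"cookie {cookie} readable by script (no HttpOnly)")
            if over_tls and "secure" not in flags:
                findings.append(f"cookie {cookie} also sent over plain HTTP (no Secure)")
    for required, why in REQUIRED_HEADERS.items():
        if required not in present:
            findings.append(f"missing {required} ({why})")
    if over_tls and "strict-transport-security" not in present:
        findings.append("missing strict-transport-security (downgrade to HTTP possible)")
    return findings

if __name__ == "__main__":
    for finding in audit_response(WEAK_RESPONSE):
        print("-", finding)
    print("hardened:", audit_response(HARDENED_RESPONSE))
```

Run the same function against every response a crawl collects, not only the front page; cookie flags and CSP are frequently set on the login page and forgotten on the admin area.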
9. Directory Listing
If directory listing is enabled on a web server, an attacker can see every
file in a directory that has no index page, including backups, exports
and old copies that were never meant to be linked. This may result in
serious data theft, depending on the confidentiality of the data, because
the attacker can also download any file that is listed.
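What a listing hands an attacker, covering both the sensitive-data exposure of item 6 and the directory listing of item 9, as an added example that is not part of the original article: a parser that recognises an auto-generated index page, extracts the files it lists, and picks out the backup, dump and archive names worth downloading first. The index page is a constructed sample modelled on the usual "Index of" layout, not a real server's output.

```python
import re
from html.parser import HTMLParser

# Constructed sample of an auto-generated index page.
LISTING_PAGE = """<html><head><title>Index of /backup</title></head><body>
<h1>Index of /backup</h1><pre><a href="?C=N;O=D">Name</a>
<a href="/">Parent Directory</a>
<a href="customers.sql.gz">customers.sql.gz</a>
<a href="config.php.bak">config.php.bak</a>
<a href="site-2015-03-01.zip">site-2015-03-01.zip</a>
<a href="logo.png">logo.png</a>
</pre></body></html>"""

# Name patterns that usually mean "copy of something sensitive".
SENSITIVE = re.compile(r"\.(bak|old|orig|sql|sql\.gz|zip|tar\.gz|env|log)$|~$", re.I)

class LinkExtractor(HTMLParser):
    """Collect the <title> text and every href on the page."""
    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def analyse_listing(html_text):
    """Return (is_directory_listing, listed_files, sensitive_files)."""
    parser = LinkExtractor()
    parser.feed(html_text)
    is_listing = parser.title.strip().lower().startswith("index of")
    # Sort links ("?C=...") and the parent directory ("/") are not files.
    files = [h for h in parser.links if not h.startswith(("?", "/"))]
    return is_listing, files, [f for f in files if SENSITIVE.search(f)]

if __name__ == "__main__":
    print(analyse_listing(LISTING_PAGE))
```

The fix is on the server side: disable automatic indexes and keep backups outside the document root entirely, since a file that is in the web root is served whether or not a listing points at it.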
10. Unvalidated Redirects and Forwards
This arises when the application redirects or forwards the user to a destination taken from an untrusted parameter, for example the link behind an online survey form. The attacker's aim is to get the user to click a link that appears to belong to the trusted site but lands on a page under the attacker's control, which can be used to phish credentials (breaking weak passwords or bypassing mediocre ones) or to push malware; in some cases such malware has held the user's computer to ransom. The fix is to validate the redirect target against a list of allowed destinations before following it.
Automated tools have made it easier for penetration testers to find vulnerabilities in web applications, but the ultimate goal is to find them no matter which tool or set of tools you use. Check your web application for vulnerabilities before a hacker does.
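Validation of a redirect target, as an added example that is not part of the original article. It accepts only same-site paths and absolute URLs to an assumed allow-list of hosts (example.test and www.example.test are placeholders) and rejects the usual bypasses: protocol-relative targets, the backslash and triple-slash variants browsers treat the same way, scheme-without-authority forms such as "https:evil.test", userinfo tricks and non-http schemes.

```python
import re
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.test", "www.example.test"}  # assumed application hosts
DEFAULT_TARGET = "/"

def is_safe_redirect(target):
    """True only for a same-site path or an absolute URL to an allowed host."""
    if not target or re.search(r"[\x00-\x20\x7f]", target):
        return False                     # whitespace/control chars are parser-confusion fodder
    normalized = target.replace("\\", "/")  # browsers treat '\' as '/' in http(s) URLs
    if normalized.startswith("//"):
        return False                     # //evil.test, ///evil.test, /\evil.test
    try:
        parts = urlsplit(normalized)
    except ValueError:
        return False
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return False                 # javascript:, data:, vbscript:, ...
        if not parts.netloc:
            return False                 # "https:evil.test" resolves to https://evil.test
        # hostname ignores userinfo, so http://example.test@evil.test/ is evil.test
        return parts.hostname in ALLOWED_HOSTS
    return normalized.startswith("/")    # plain same-site path

def safe_redirect_target(target):
    """The target to actually send in the Location header."""
    return target if is_safe_redirect(target) else DEFAULT_TARGET

if __name__ == "__main__":
    # Constructed inputs as they might arrive in a ?next= parameter.
    for candidate in ["/account", "https://www.example.test/account", "//evil.test",
                      "/\\evil.test", "https:evil.test", "javascript:alert(1)",
                      "http://example.test@evil.test/"]:
        print(f"{candidate!r:40} -> {safe_redirect_target(candidate)!r}")
```

Where the application only ever needs to return users to its own pages, the stronger design is to store the destination server-side under a short token and never accept a URL from the client at all.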
ehacking