Organisations are increasingly managing their relationships with customers, employees and other stakeholders through a variety of web applications.
These ubiquitous apps are designed to run across multiple platforms and devices and go by a variety of names depending on their function.
Web applications such as microsites, portals and online tools differ from webpages as they allow users to perform actions, rather than just display content. When cybercriminals access the data that sits behind these web apps it’s referred to as a breach. And some of these breaches can be huge, both in terms of the amount of data stolen and the reputational and financial damage that can follow.
We’ve examined some of the biggest web app data breaches of 2018 by the techniques that were used. Whilst there are multiple lessons to be learned from these examples, the key takeaway is that with regular web application security testing, organisations can significantly reduce their risk of falling victim to similar attacks.
This technique is tried and tested, involving the insertion of Structured Query Language (SQL) code into online forms to instruct or query backend databases for information. In 2018 this type of attack was employed against government web apps in the US where contractor and employer details were leaked. Evidencing the ease with which web forms can be exploited, an 11-year old compromised the Florida election reporting system in under 10 minutes, whilst students took advantage of an SQL vulnerability to give themselves better grades.
This time a victim’s browser presents the hacker with the opening they’re looking for. Scripts are executed that may redirect the browser to an attacker-controlled website or steal user credentials. A cross-site scripting (XSS) attack abuses trust in a site. The Magecart attacks in 2018 were a sophisticated take on this methodology, as data sent by customers to vendors was skimmed by the perpetrators.
Weak access controls
A breach of 21 million records was suffered by Timehop, whose system was accessed by hackers using compromised admin credentials. The admin account was selected by the hackers as it didn’t use multi-factor authentication. Timehop admitted overlooking the way one of their longest standing employees was authenticated to the system.
A compromised super user is a nightmare situation, and that’s exactly what Ticketfly experienced in the summer when a hacker was able to gain access to the webmaster’s account, which provided all the privileges and access needed to steal data on 26 million customers.
When it comes to the management of user permissions and privileges, is important to strike a balance between security and the ability of administrators to do their job effectively.
Facebook was breached in September 2018, and over 50 million user accounts were compromised. This occurred because hackers had taken the time to explore how a new feature could be abused for malicious purposes. The attack, which was described as “highly sophisticated”, compromised the user access tokens of fifty million accounts in a move that could have given the hackers password and authentication-free access to those accounts.
In all cases, data breaches occur when hackers get to vulnerabilities before the blue team identify them and take remedial actions. There are times when a lack of comprehensive and structured testing is the root problem, as when vulnerabilities that have been closed on websites are left open in their sibling web app. Exploiting this oversight, hackers hit Air Canada, leading to the loss of 20,000 sets of customer data. Each version of every web app presented by an organisation requires testing to ensure that it’s secure.
Redscan’s web application penetration testing services
Regardless of the type of web applications your business uses, Redscan’s web application testing service is designed to provide the support you need to help keep them secure.
Our CREST certified ethical hackers comprehensively test for vulnerabilities, including OWASP’s current top ten. At the end of each assessment, we provide a detailed report outlining the level of risks posed and the remediation advice to help address them quickly and effectively.