Malicious hackers are always looking for ways to target businesses, government agencies and individuals, and they have a wide variety of methods and vectors at their disposal to attack their targets. But naturally, they’ll always choose the channel that will enable them to deal the most damage for the least effort, or as the saying goes give them “the biggest bang for the buck.”
In this regard, websites and web applications have proven to be one of the favorite targets for cyber-attack, because they’re easier to hack than, say operating systems or networking hardware such as routers and switches, and they provide lots of opportunities to wreak havoc across a victim’s network. According to SANS institute, web applications account for more than 60% of targets in cyber-attack attempts in the internet, and statistics released by Sophos Labs show that tens of thousands of websites are targeted and hacked every day.
Here are some of the reasons that back this argument and prove that web application security should be taken more seriously.
Web applications are easier to reach
Web applications and websites are the usual façade and front end of most businesses and organizations. In comparison to other hacking targets, they are easier to access and don’t need any special connection or tools or state-sponsored resources, and when they’re not intended to be used in an intranet, they can be accessed with any computer with an internet connection and a web browser. If a vulnerability such as an SQL injection (SQLi) or Cross-Site Scripting (XSS) loophole is found in a website, exploiting it will be a trivial task and a walk in the park for script kiddies sitting in the comfort of their homes.
In many cases, once websites are breached, they serve as a beachhead for other major attacks and allow attackers to move laterally across the network with insider access, to escalate their privileges, and to eventually gain access to more critical resources such as databases, file servers, decryption keys…
There are too many novice programmers writing web application codes
Languages such as JavaScript, PHP and C#, which are used for web programming, are easier to pick up and learn than the lower level dialects that are used in more sophisticated products, and there are too many novice developers who claim to be versed in web programming.
Moreover, in contrast to many generic networking products, web applications are a more specialized breed of software, and a considerable number of websites tend to have custom code that fits the needs of their owners.
Many organizations outsource their customized web development tasks to amateur developers who will work at a low price, or will turn to in-house developers who might have experience writing web applications. This is especially true of small businesses, who have websites but do not have professional developers and a proficient IT staff.
The problem is, most of these developers lack knowledge in the basic tenets of secure coding practices, and you still find many custom web application source codes that have basic SQLi or XSS vulnerabilities because they use raw user input without processing it first. And you also find too many developers who are using “root” or “sa” accounts to access MySQL or MS SQL servers. Too many web applications use high privileged users to run their web app’s process, and you can still find web sites that allow you to upload any types of files, including custom scripts that can later be run with a simple HTTP request. The list is long, the flaws many, the damage irreversible, and the disappointment real.
With a little patience and scrutiny, malicious actors can find flaws in custom-made websites and hack them at their leisure.
Failure to update third-party packages
Many web applications rely on third party source code or components to run. This is a trend that will continue to grow, especially as distributed and API-based programming becomes more and more popular. As with every other software, these third party resources are likely to be found to have bugs and flaws, and will later be patched by their developers and publishers. But the problem is, many site owners do not know which third party components are running on their websites (or they just couldn’t care less) and they fail to apply patches and updates after they are released.
Unless you regularly check cybersecurity news headlines for reports on threats and attacks, you’re likely to miss the news about the latest vulnerabilities found in WordPress and Joomla!, which are two of the most popular platforms for developing websites.
This is an especially critical issue with self-hosted web applications, where companies deploy websites on their own server. This is the case for many businesses, since purchasing a hosting plan and setting up a website has become easier and is a one-time task that can be done in a few trivial steps.
Web applications allow hackers to target a large audience
Once web applications are breached, attackers will not only gain access to the company’s resources, they’ll also be able to target the users of the website. This is also the logic behind watering hole attacks, in which hackers distribute malware to their targets through compromising a website. This is how a Network Investigation Tool (NIT) allowed the feds to identify and arrest users of illegal website PlayPen. It is also how hackers managed to distribute an unknown number of copies of a compromised version of Linux Mint to users that visited the distributor’s website. Therefore, by breaching a website, attackers can potentially gain access to thousands and millions of users who are not necessarily security-savvy, do not follow network security protocols and principles and can become easy bait for future attacks.