The Ultimate Guide to Addressing Web Security Vulnerabilities

by The Editor [Published on 16 Nov. 2016 / Last Updated on 16 Nov. 2016]

This article looks at addressing web security vulnerabilities.

Way back in 2007, Bennett Haselton showed the world how to find credit card numbers using Google search. He typed the first eight digits of a credit card number in the format "xxxx xxxx" into Google, and using some advanced numerical queries, he was able to find all 16 digits of almost a million Chase credit cards.

When Google learned of it, they immediately adjusted their filters to prevent anyone from searching through number ranges. In fact, for such requests, Google would return a response saying something like "You're a bad person!" So, everyone thought their personal information was safe, until another IT security specialist found a way around it in 2012. Instead of typing a range like 5513000000000000..5513999999999999, he typed it all in hexadecimal, like this: 13960B56A59000..1396F42B4A9FFF. And guess what - he was still able to access sensitive credit card information. Honestly, hackers would have found this technique long before, and could have siphoned off or sold millions of such records on the black market.

This is just one example of what's possible on the web. There are literally millions of such techniques and workarounds that hackers with malicious intent have been using for a long time now. This explains why every major company that deals with sensitive information has had a breach in the last five years or so. In 2016 alone, there were more than 500 data breaches, including the disclosure of 427 million records from MySpace, 80 million records from Anthem, and 15 million records from T-Mobile. No industry has been immune to these data breaches, and this has resulted in millions of dollars in lawsuits, not to mention the tarnished reputation of companies.

Why do you think data breaches occur so frequently?

One of the primary reasons is the lack of a proactive and defensive approach to tackling security vulnerabilities. For most companies, security becomes a priority only after some form of breach has occurred, and unfortunately, only after some sensitive information has fallen into the hands of the wrong people.

To avoid falling into the trap of data breaches and the costly consequences that come with them, here are some things you can do.

Review All Data

Injection and cross-site scripting (XSS) are two of the most common attacks, where hackers take advantage of sites that generate SQL queries or execute client-side scripts. In these sites, information entered by users is processed without checking the validity and authenticity of the data, so hackers can inject the information they want. In the case of SQL injection, hackers can submit malicious SQL queries that can affect the entire database, and it is believed that the 2011 attack on Sony PlayStation was an SQL injection. In XSS attacks, hackers inject code into a client-side script like JavaScript, and when this code is executed, it can take users to malicious sites or simply deface the page.

Both kinds of attack happen when data is not validated at the points where it is handled. To prevent these attacks, your application has to assume that all data comes from an untrusted source, regardless of whether it is coming from a URL, a database, or any other source. It should therefore check every point where user-supplied data is handled or processed, thereby reducing the chances for hackers to inject their own code.
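The following is an added example, not code from the original article: a query built by string concatenation beside its parameterized form, plus HTML escaping applied to a value read back from the database. The table, rows and function names are constructed for illustration.

```python
import html
import sqlite3

def make_db():
    """Build an in-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
        ("<b>mallory</b>", "mallory@example.test"),  # stored markup
    ])
    return db

def find_user_unsafe(db, name):
    # Vulnerable: the input becomes part of the SQL text, so a quote
    # character in it can change what the query means.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def find_user_safe(db, name):
    # Parameterized: the driver passes the input as a value, never as SQL.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

def render_greeting(name):
    # Output encoding: escape on the way into HTML even when the value
    # came from your own database rather than straight from a request.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"           # constructed test input
    print(len(find_user_unsafe(db, crafted)), "rows from the unsafe query")
    print(len(find_user_safe(db, crafted)), "rows from the safe query")
    stored_name = find_user_safe(db, "<b>mallory</b>")[0][0]
    print(render_greeting(stored_name))
```

The unsafe function returns every row for the crafted input, while the parameterized one treats the same string as an ordinary, non-matching name.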

Remove Vulnerable Applications

Some applications pose greater security risk because of certain vulnerabilities present in them or lack of security support from the developers. It's best to remove such applications as the vulnerabilities may be hard or sometimes even impossible to fix. Below are some examples of applications that you should avoid:

Apple QuickTime for Windows

Apple QuickTime is a multimedia framework that's available for both MacOS and Windows. This year Apple has decided to end its support for QuickTime on Windows, as there are a ton of vulnerabilities in it that could allow potential hackers to gain control of the entire computer.

Adobe Flash Player

Though Adobe Flash Player is being used to enrich browsing experience, it has a poor record for security. For many years, hackers have used its vulnerabilities to watch users through their webcam or listen in to conversations. This is why most modern browsers have discontinued support for Adobe Flash Player, but it continues to be an Achilles heel in older browsers.

Apple iTunes for Windows

Another Apple product that works poorly on Windows is iTunes. The risk arises because Apple keeps sending security updates and patches that you have to install constantly. If you miss even one, or if you're using an outdated version, then you're setting yourself up for a potential attack. In general, it's best to remove it from your system, especially if you haven't followed the updates.

Legacy Versions of Oracle Java

Though Java is used in thousands of applications accessed by billions of users, it comes with many security loopholes. This is why you need to constantly stay on top of updates and patches to ensure that all current vulnerabilities are fixed in your version. At the same time, it's important to remove the older legacy versions of Java from your system to mitigate the chances of an attack.

Microsoft Office 2007

Microsoft is going to end its support for Office 2007 by October 2017, which means there are going to be no more security updates for this software. With a lack of support, Office 2007 is going to become more vulnerable to attacks. Also, its poor security and sharing features make it an easy avenue for hackers to access confidential information.

Thus, the above applications have to be blacklisted to ensure that your data and systems are protected. If you're unsure how to go about it, there are companies like Thycotic that specialize in staying on top of vulnerable applications, and they even blacklist them for you. A product called Privilege Manager for Windows, offered by Thycotic, is probably the easiest way to protect your system from such vulnerable applications.


Using products like Privilege Manager for Windows can go a long way in making your system safer and more secure.
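As an added example (not part of the original article and unrelated to any vendor product), the sketch below checks a software inventory against the applications named in this section. The inventory strings are constructed, and the Java cutoff is an assumption, since the article only says "legacy versions".

```python
import re

# Assumption for this example: Java major versions below this are "legacy".
LEGACY_JAVA_BELOW = 8

# (label from the article, name pattern, optional extra check on the match)
RULES = [
    ("Apple QuickTime for Windows", re.compile(r"\bquicktime\b", re.I), None),
    ("Adobe Flash Player", re.compile(r"\bflash player\b", re.I), None),
    ("Apple iTunes for Windows", re.compile(r"\bitunes\b", re.I), None),
    ("Microsoft Office 2007",
     re.compile(r"\bmicrosoft office\b.*\b2007\b", re.I), None),
    ("Legacy Oracle Java",
     re.compile(r"\bjava(?:\(tm\))?\s+(\d+)\b", re.I),
     lambda m: int(m.group(1)) < LEGACY_JAVA_BELOW),
]

def flag_risky(inventory):
    """Return (installed name, rule label) for every entry a rule matches."""
    findings = []
    for name in inventory:
        for label, pattern, extra in RULES:
            match = pattern.search(name)
            if match and (extra is None or extra(match)):
                findings.append((name, label))
                break  # one finding per installed entry is enough
    return findings

# Constructed sample inventory, as display names from an installer list.
SAMPLE = [
    "QuickTime 7",
    "Adobe Flash Player 23 NPAPI",
    "Java 6 Update 45",
    "Java 8 Update 111",
    "Microsoft Office Professional Plus 2007",
    "Microsoft Office Standard 2016",
    "Mozilla Firefox 50.0",
]

if __name__ == "__main__":
    for name, label in flag_risky(SAMPLE):
        print(f"{name!r} matches blocklist entry: {label}")
```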

Avoid Broken Authentications

Authentication is one of the most important, and yet one of the hardest, aspects to implement. All authentication credentials and session identifiers have to be protected at all times with encryption to prevent code injection, XSS, and session theft. It's recommended to go with existing frameworks for authentication, rather than creating one from scratch, to ensure that all loopholes are covered. It is also a good idea to have two-factor authentication for financial and other high-value transactions.

Beef up Security Configurations

Every security infrastructure is a complex web of servers, devices, firewalls, databases, and authentication systems. Each of these elements should be configured properly to ensure that they fit well within the larger infrastructure. Even one misconfiguration can put the entire system at risk, so it's important to have trained and knowledgeable professionals in charge of configuring and managing the security configurations.

Limit Data Exposure

Limiting exposure of sensitive data such as SSNs and credit card numbers is absolutely important. They should always be encrypted, both during transit and when at rest. In fact, user passwords and credit card information should never travel across the web for any reason, and should also be hashed at all times.
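Two ways to limit exposure, shown as an added example rather than code from the original article: storing only a salted hash of a password, and masking card numbers in text before it is logged or published. The function names, the PBKDF2 work factor and the sample strings are assumptions made for this example.

```python
import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 600_000  # assumption: work factor chosen for this example

def hash_password(password, salt=None):
    """Return (salt, digest); only these are stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password, salt, digest):
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def luhn_ok(digits):
    """Luhn checksum, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Sixteen digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")

def redact_cards(text):
    """Mask all but the last four digits of each Luhn-valid card number."""
    def mask(match):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            return "*" * 12 + digits[-4:]
        return match.group()                # not a card number, keep as is
    return CARD_RE.sub(mask, text)

if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", salt, digest))
    # 4111 1111 1111 1111 is a widely published test number, not a real card.
    print(redact_cards("charged card 4111 1111 1111 1111 for order 7"))
```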

In short, there are many vulnerabilities present in applications, so one should be wary while using them. It's important to have a proactive and defensive approach when it comes to security, as it can go a long way in mitigating many risks for you. Some of the things you can do to protect your sensitive information are to have different review points for handling user data, remove blacklisted applications from your system, take the help of companies that stay on top of security vulnerabilities, use existing frameworks for authentication, apply the right security configurations, limit data exposure, and more. Such an approach is sure to protect your sensitive information, even from the most sophisticated hackers.
