AppCheck’s Top 5 Scariest Vulnerabilities

AppCheck’s Dev team got their heads together to come up with the Top 5 Vulnerabilities that keep them up at night.

Now this list isn’t all-encompassing or a list of the worst vulnerabilities out there. Each one is on the list for a different reason. Continue reading to discover why we these particular vulnerabilities give us the chills and fangs for checking it out.

A1:2017 Injection

Well this is the big one. Number one on OWASP’s Top 10 list. The most common type of vulnerability found in web applications and covers so many variants and flaws. A real Scary Mary.

This vulnerability could let hackers take over a server, steal your database, or attack your users. All of which can be a real pain in the neck.

Injection is usually the result of unfiltered user input being directly included into command executions or database queries.  We won’t explain this one to you as it comes in many guises, but if you’re interested in the OWASP Top 10 see our article here: AppCheck vs OWASP Top 10

Remote Command/Code Execution (RCE)

Being an injection type vulnerability, this classifies as top of the list in the OWASP Top 10. It might go without saying but this type of vulnerability is especially nasty.

In a nutshell the aim is for the hacker to be able to execute arbitrary commands on a host operating system via a vulnerable application no matter where the device is located. Once the hacker is able to do this, they can priv-up to attack internal systems.

After gaining access a hacker can execute malicious code or commands even take complete control of the system. Pretty terrifying really.

Even scarier, much like a ghost, this vulnerability can be very hard to detect.

How to avoid? Stay up to date with patches (not pumpkin patches) and make sure you are regularly checking for holes.

Cross-Site Request Forgery (CSRF)

Lots of tricks here and no treats.

Essentially this is a hacker tricking a user into performing an action, usually ending in the hacker gaining sensitive information. Users may think they are performing a benign task but really they could be setting a hacker up as an admin or revealing critical information.

Hackers may target social media accounts, online banking or browser based email clients amongst other examples. Through a link, users can be re-directed to a website controlled by the attacker and, because the user’s session is already authenticated and the hacker is just piggy-backing on this, they can submit a request to the vulnerable app with different parameters. An example of this may be changing the user’s password with a single request.

This might be code hidden inside an image using a <img> tag within that web page which will make the request on page load (no button click needed).

A possible impact could be to allow hackers to empty a bank account.

To prevent this you can generate a CSRF token each time the form is shown that is unique. That way the form needs to be loaded before it is submitted.

URL Level Vulnerabilities

The frightening part about these vulnerabilities are how simple they are to discover and exploit.

Attackers can exploit a URL through several different routes.

For example something as simple as guessing URL paths may produce a config file with credentials in it or log file with sensitive data about users or even the source control meta files (e.g .git/config) allowing a hacker to download the whole source code.

Other ways a URL can be exploited include; changing parameters, direct object referencing, open re-direction, XSS, Server-Side Request Forgery (SSRF), URL Parsing leading to authorisation bypasses, path traversal and file uploads. If executed correctly this final route can allow an attacker to upload a directly executable file, overwrite an existing file’s contents to elevate access levels or attack another user.

Spectre and Ghostscript vulnerabilities

Ok, we may have chosen these just for the name and they may not be as relevant anymore, but old vulnerabilities may come back to haunt you.

Spectre was made public in January 2018.

Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. Spectre exploits critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. The vulnerability was called Spectre because ‘…as it is not easy to fix, it will haunt us for quite some time.” See more here: https://spectreattack.com/spectre.pdf

In 2017 Tavis Ormandy (a Google Project Zero security researcher) discovered a vulnerability within Ghostscript allowing remote command execution. You can read more about that here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8291

Ghostscript is by far the most widely used solution of its kind. The Ghostscript interpreter is embedded in hundreds of software suites and coding libraries that allow desktop software and web servers to handle PostScript and PDF-based documents.

For example, you’ll find Ghostscript inside ImageMagick, Evince, GIMP, and all PDF editing or viewing software.

AppCheck ain’t afraid of no vulnerability

Let AppCheck check under the bed and in the closet (by which of course we mean your website, applications, network and Infrastructure). While these vulnerabilities are scary, unlike ghosts they are very real.

Rather than hide under the duvet and hoping they go away, why not get a free vulnerability check of your website, applications, network and infrastructure?

See more below.