Three web application security lessons to keep in mind
In 2015, the Ponemon Institute released the findings of its "Cost of Cyber Crime" study. It came as no surprise that the cost of cybercrime was increasing, but the figures were staggering. Cybersecurity Ventures (a global conglomerate) projects that this cost will hit $6 trillion per year. On average, it takes an organization 31 days to recover from a cybercrime, with remediation costing about $639,500.
Did you know that denial of service (DDoS) attacks, web-based breaches and malicious insiders account for 55% of all cybercrime costs? These threaten not only your data but also your revenue.
Frank Abagnale, the Customer Success Manager of Semalt Digital Services, suggests considering the following three breaches from 2016.
First case: Mossack-Fonseca (The Panama Papers)
The Panama Papers scandal first surfaced in 2015, but because millions of documents had to be sifted through, it only broke fully in 2016. The leak revealed how politicians, wealthy businessmen, celebrities and the crème de la crème of society stored their money in offshore accounts, often in ways that were shady and crossed the ethical line. Although Mossack-Fonseca was an organization that specialized in secrecy, its information security strategy was nearly non-existent. For a start, the WordPress image slider plugin it used was outdated. Secondly, it ran a 3-year-old Drupal installation with known vulnerabilities. Surprisingly, the organization's system administrators never resolved these issues.
Lessons:
> always ensure that your CMS platforms, plugins and themes are kept up to date.
> stay current with the latest CMS security threats; Joomla, Drupal, WordPress and other projects maintain vulnerability databases for this.
> scan and review all plugins before you install and activate them
Second case: PayPal's profile picture
Florian Courtial (a French software engineer) found a CSRF (cross-site request forgery) vulnerability in PayPal's newer site, PayPal.me. The global online payment giant had unveiled PayPal.me to facilitate faster payments. However, PayPal.me could be exploited: Florian was able to edit, and even remove, the CSRF token and still update a user's profile picture. As it stood, anybody could impersonate someone else simply by obtaining their picture online, for example from Facebook.
Lessons:
> unique CSRF tokens per user: these should be unique to the user and change whenever the user logs in.
> token per request: beyond the point above, a fresh token should be issued for each request the user makes; this provides additional protection.
> timing out: expiring tokens and sessions after a period of inactivity reduces the exposure if the account remains idle for some time.
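The three CSRF lessons above in working form, as an added example rather than PayPal's code: a Python token issuer and two validators, one that fails open the way the PayPal.me report describes and one that enforces session binding, one-time use and expiry. The secret, TTL and session identifiers are constructed values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed values for the example; a real deployment loads the secret from config.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 15 * 60          # third lesson: tokens time out
_consumed_nonces: set = set()        # second lesson: each token is good for one request


def issue_token(session_id: str, now: Optional[float] = None) -> str:
    """Mint a token bound to the session (first lesson) with a fresh nonce and an
    issue time, authenticated with an HMAC so the client cannot forge or edit it."""
    issued_at = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    msg = f"{session_id}:{nonce}:{issued_at}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{issued_at}.{mac}"


def vulnerable_check(session_id: str, submitted: Optional[str]) -> bool:
    """Fails open, as the PayPal.me report describes: a missing token skips the
    check entirely and an edited one is only inspected for shape, never tied to
    the session. Constructed to illustrate the defect, not PayPal's code."""
    if submitted is None:
        return True
    return submitted.count(".") == 2


def hardened_check(session_id: str, submitted: Optional[str],
                   now: Optional[float] = None) -> bool:
    """Reject absent, edited, replayed, cross-session or expired tokens."""
    if not submitted:
        return False                                # never fail open
    try:
        nonce, issued, mac = submitted.split(".")
        issued_at = int(issued)
    except ValueError:
        return False                                # malformed token
    current = int(time.time() if now is None else now)
    if issued_at > current or current - issued_at > TOKEN_TTL_SECONDS:
        return False                                # expired or clock-skewed
    msg = f"{session_id}:{nonce}:{issued_at}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):      # constant-time comparison
        return False                                # edited or wrong session
    if nonce in _consumed_nonces:
        return False                                # replayed token
    _consumed_nonces.add(nonce)
    return True
```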
Third case: The Russian Foreign Affairs Ministry Faces an XSS Embarrassment
While most web attacks are meant to wreak havoc on an organization's revenue, reputation and traffic, some are meant only to embarrass. Case in point: the hack that never happened in Russia. This is what happened: an American hacker (nicknamed the Jester) exploited a cross-site scripting (XSS) vulnerability that he found on the website of Russia's Foreign Affairs Ministry. The Jester created a dummy page that mimicked the look of the official website except for the headline, which he customized to mock them.
Lessons:
> sanitize HTML markup
> do not insert data into the page unless you have validated it
> JavaScript-escape untrusted data before placing it in JavaScript data values
> shield yourself from DOM-based XSS vulnerabilities