We're only a month into the new year and already there are quite a few articles of interest. Before we get into them, let's take a minute to review why we run this series and why web application security is so important.
My colleague, Slawek Ligier, discusses the application threat vector in his blog post here:
… web applications are things like webmail, online forms, banking sites, shopping site, etc. These sites support complex user input scenarios and are usually completely exposed to the public. They are sometimes written with insecure code or developed in such a way that there are vulnerabilities inside the code. As such, these applications can be difficult to defend.
IT professionals tasked with securing a web application are often unfamiliar with code-related vulnerabilities, or may have difficulty justifying the need for a web application security solution. In the simplest possible terms, if you host an application that can be reached by the public, that application is a potential way in to your network. Once inside, the attacker can stay perform exploratory tasks, or can get right to work launching a ransomware attack. Any number of things can happen, and victims may find that they have been subject to several different types of attacks due to just one breach.
Since I am part of the Barracuda Web Application Firewall (WAF) team, I find stories about application vulnerabilities to be of particular interest. I want to understand them and help build solutions to stop attackers who take advantage of these weak spots. With our resources here on our website, and our regular look at the top stories around this topic, we hope to help shed some light on this threat vector. Hopefully this can help IT professionals better understand and communicate the threats surrounding web applications.
With that in mind, here are some of the significant application security headlines from January.
…This post is going to be discussing how I was able to get the primary/hidden email address for any Facebook user. This also happens to be my first accepted bug to the Facebook Bug Bounty Program…
…Welcome to Mozilla’s new open source initiative to document and explain what’s happening to the health of the Internet. Combining research from multiple sources, we collect data on five key topics and offer a brief overview of each…
…How healthy is our Internet? How might we understand and diagnose it? We believe this is a timely and necessary conversation, and we hope you’ll join in.
Our individual actions shape the health of the Internet ecosystem. Only by recognizing where the system is healthy can we take positive steps to make it stronger. Only by understanding where it’s at risk can we avoid actions that weaken it.
This prototype – a snapshot of a moment in time in the life of the Internet – identifies five health markers that we believe are worth paying attention to and offers an initial prognosis for each…
…The most ambitious Federal bug bounty program to date, Hack the Army, targeted operationally significant websites including those mission critical to recruiting – and to that we say “Hooah!”…
…A researcher could move from a public facing website, goarmy.com, and get to and internal DoD website that requires special credentials to access. They got there through an open proxy, meaning the routing wasn’t shut down the way it should have been, and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system.
On its own, neither vulnerability is particularly interesting, but when you pair them together, it's actually very serious….
For the vast majority of people in 2017, creating a website is simply a matter of combining a number of off-the-shelf components until they end up with something that does what they want it to.
Anyone wanting to create an online shop could just hack together WordPress and Shopify. There are a plethora of affordable plugins and tools that allow you to turn a barebones blog into a fully-featured social network – like Peepso – or a YouTube-style video sharing site.
Now is a great time to have lofty aspirations, but lack any sort of technical prowess whatsoever.
But there’s a big problem with this approach. Whenever you use someone’s code, you’re essentially making a big leap of faith that they know what they’re doing. There’s always a possibility that any plugin or tool you use comes with a serious security vulnerability. That was certainly the case with the popular (and self-explanatory) HTML Comment Box plugin, which is used by around 2 million blogs and websites….
We are thrilled to announce that we have begun to enable HTTPS on NYTimes.com, an effort that helps protect the privacy of our readers and ensures the authenticity of our content. This is a significant milestone in the 21-year history of our website, and though it’s taken us some time, we are very excited to share this with our readers…
By abusing an insecure cryptographic storage vulnerability (link) and a reflected server cross-site-scripting vulnerability (link) it is possible to steal and decrypt the password from a McDonald's user. Besides that, other personal details like the user's name, address & contact details can be stolen too…
Many breaches stem from the same root causes. What are the most common security problems leaving companies vulnerable?
… Google and Mozilla are taking new steps to warn internet users about websites vulnerable to hacking. In the latest updates to the Chrome and Firefox web browsers (versions 56 and 51, respectively), users will be told if they’re submitting sensitive information over insecure HTTP connections — rather than the safer HTTPS protocol. These warnings have already been deployed in beta versions of the browsers, but their move to the primary version will reach a great number of users…
If you would like information on how the Barracuda Web Application Firewall can help you protect your resources, visit our corporate site here.
Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall team in our India office. You can connect with him on LinkedIn here.