Humanity has come a long way since the Internet became mainstream. What began as ARPANET (Advanced Research Projects Agency Network), a research project funded by DARPA, has grown aggressively and has single-handedly shaped human behavior.
When the WWW (World Wide Web) came into existence, it was meant to share information over the Internet. From there, partly through natural evolution and partly through webonomics driving innovation, the Internet and the web have metamorphosed into the lifeblood of the world.
It is difficult to imagine now how the world functioned before the Internet became integrated into our lives. It influences almost every aspect of human life and is now critical to day-to-day existence. It is widely accepted that no business today can exist without an online presence. The web no longer serves as just a medium to share information; world economics runs over it today.
Organizations, governments, and people all depend on it equally. New wars will not be fought in the real world but in cyberspace. In all fairness, cybersecurity is as crucial as, or maybe even more important than, physical security for any business, organization, or government.
Put a website online without any sort of protection and you will immediately start seeing traffic hitting it. This is not because your site is something everyone is looking for; it is because there are bots on the Internet continually searching for sites that can be exploited. So, to fully comprehend how to protect your site, you first need to understand how an attack happens. Get to the root of the possible problem first!
How And Why Does An Attack Happen?
Attacks on a site happen for various reasons: to steal private data, for financial gain, or purely for malicious reasons, such as ensuring genuine users are unable to reach your site.
Whatever the reason, an attack on a website can be painful and can have a catastrophic effect. Attackers generally try to exploit security vulnerabilities found in applications; the stages of an attack can generally be thought of as follows.
Reconnaissance:
During reconnaissance, attackers gather information about a website to see where its vulnerabilities lie. The intruder queries which IPs in the network are alive, then which ports are open, to determine the type and version of the application and operating system running on the target host, and then looks for known vulnerabilities in that application. This is usually done by automated bots, which is why a website sees an uptake of traffic as soon as it goes online: bots on the Internet keep searching for sites to obtain any sort of information that attackers can use.
Weaponization and Exploitation:
Once vulnerabilities are identified in a site, attackers weaponize requests based on the vulnerabilities found and launch attacks to exploit them for whatever malicious intent they have. Depending on the attacker's intention, the attack against the website can be launched either to bring down the whole site or to escalate from there.
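The reconnaissance behaviour described above (one source touching many ports to find something to fingerprint) is what a defender can look for in firewall logs. The following is an added example, not code from the original article; the log format and addresses are constructed sample data, and the threshold of five distinct ports is an assumption to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the article): one scanner probing
# many ports, and one ordinary client that only ever talks to HTTPS.
SAMPLE_LOG = """\
2024-01-01T10:00:01 src=198.51.100.7 dport=22 action=deny
2024-01-01T10:00:01 src=198.51.100.7 dport=80 action=allow
2024-01-01T10:00:02 src=198.51.100.7 dport=443 action=allow
2024-01-01T10:00:02 src=198.51.100.7 dport=8080 action=deny
2024-01-01T10:00:03 src=198.51.100.7 dport=3306 action=deny
2024-01-01T10:00:03 src=198.51.100.7 dport=8443 action=deny
2024-01-01T10:00:04 src=203.0.113.5 dport=443 action=allow
2024-01-01T10:00:05 src=203.0.113.5 dport=443 action=allow
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)")


def distinct_ports_by_source(log_text):
    """Map each source IP to the set of distinct destination ports it touched."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ports[m.group("src")].add(int(m.group("dport")))
    return ports


def find_scanners(log_text, threshold=5):
    """Return {source IP: sorted ports} for sources that probed at least `threshold`
    distinct ports. A legitimate visitor of a web site touches one or two ports;
    sweeping many distinct ports is the port/version reconnaissance the text describes."""
    return {
        src: sorted(p)
        for src, p in distinct_ports_by_source(log_text).items()
        if len(p) >= threshold
    }


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"possible reconnaissance from {src}: ports {ports}")
```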
Command & Control:
If the attacker decides to escalate, then using the exploit they might also try to gain control of the internal system or escalate privileges, in order to exfiltrate data from the targeted website or to commit financial crime.
How To Keep Your Site Secured?
“Be smart, understand your risk profile and ensure your site is always protected.”
As the saying goes, better safe than sorry. One of the first steps to protect your site is to put it behind a firewall or an intrusion prevention system, which helps protect the site from basic reconnaissance attacks.
However, that is not sufficient, because as technology improves, attackers become more sophisticated at the same pace: they are able to find and exploit website vulnerabilities even when the site is behind a firewall.
Therefore, the best defense is not to have a vulnerable application on the web at all, and to achieve this one needs to identify the vulnerabilities in the application and fix them.
Vulnerabilities can be found through automated scans. There are many automated scanners out there, but a good scanner should be able to crawl the application, mimic user behavior to identify the different workflows, and identify vulnerabilities.
That said, an automated scan alone is not enough to ensure an application is thoroughly tested from a security perspective. Some flaws, such as CSRF (Cross-Site Request Forgery) and business logic vulnerabilities, require a human in the loop to exploit and verify the vulnerability.
Only Manual Pen Testing (MPT) can provide identification and manual validation of these vulnerabilities. Any flaw where a real human judgment call is needed is where pen testing truly shines.
Certain categories of vulnerabilities, such as authorization issues and business logic flaws, cannot be found with automated assessments and will always require a skilled penetration tester to identify them.
During a manual PT, the penetration testers learn the application through a thorough walk-through, talking to the customer and understanding the nature of the application. This helps them define accurate business logic test cases for the specific application under test.
After this, they test the running application and identify vulnerabilities, which are consolidated with the automated scanning results and presented in a comprehensive testing report that includes a proof of concept and screenshots for every vulnerability, showing step by step how each loophole was found. Essentially, the experts perform ethical hacking to identify vulnerabilities before attackers do.
Below are some examples of business logic flaws that manual pen testing teams cover in their testing scenarios:
- Malicious file upload – The testing team will try to upload unsupported file types to the application and determine whether those files can have any kind of severe impact on the server side.
- Price and product manipulation in e-commerce applications – The team will try to change the price or quantity of products to bypass the business validation for pricing.
Pen testing will also validate all authorization test cases, in which testers try to bypass the authorization mechanism and access restricted pages/files/data as an unauthenticated or less-privileged user. Once vulnerabilities are discovered, they need to be fixed before the application goes live, so that no vulnerable application is exposed to attackers.
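The three test scenarios just listed (malicious file upload, price manipulation, and authorization bypass) each come down to the server trusting something the client controls. The following is an added example, not code from the original article: a checkout handler with the price-manipulation flaw beside its server-side-validated form, an upload check, and a role check. The catalogue, roles, and magic-byte table are constructed sample data.

```python
import os

# Constructed catalogue, user roles and upload policy (sample data, not from the article).
CATALOG = {"sku-100": 49.99, "sku-200": 9.50}
ROLE_OF = {"alice": "admin", "bob": "customer"}
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff"}


def checkout_vulnerable(order):
    """Price manipulation flaw: the server trusts price and quantity from the client,
    so a tampered request {'sku': 'sku-100', 'qty': 1, 'price': 0.01} is charged 0.01."""
    return order["qty"] * order["price"]


def checkout_hardened(order):
    """Fixed form: the price comes from the server-side catalogue and the
    quantity is validated and bounded; the client-supplied price is ignored."""
    sku, qty = order.get("sku"), order.get("qty")
    if sku not in CATALOG:
        raise ValueError("unknown product")
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= 100:
        raise ValueError("invalid quantity")
    return round(qty * CATALOG[sku], 2)


def allowed_upload(filename, data):
    """Malicious file upload check: extension allowlist plus matching magic bytes,
    so both 'shell.php' and a script renamed to '.png' are rejected."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in MAGIC and data.startswith(MAGIC[ext])


def view_report(user, is_authenticated):
    """Authorization check: the role is looked up server-side, never taken from
    a client-supplied flag, so an unauthenticated or less-privileged user is refused."""
    if not is_authenticated or ROLE_OF.get(user) != "admin":
        raise PermissionError("forbidden")
    return "report-contents"


if __name__ == "__main__":
    tampered = {"sku": "sku-100", "qty": 1, "price": 0.01}
    print("vulnerable charges:", checkout_vulnerable(tampered))
    print("hardened charges:", checkout_hardened(tampered))
```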
Unfortunately, although many organizations make their best effort to ensure their websites and web apps are not vulnerable, reality kicks in.
There is constant pressure on businesses to evolve and innovate, and in this quest security takes a back seat. Many times, organizations do not have the security expertise to ensure their sites are safe, so they end up employing the wrong tools, or the security measures they have in place remain inadequate.
Source: hackernews.com