Humanity has come a long way since the Internet became mainstream. What began as ARPANET (Advanced Research Projects Agency Network), a research project funded by DARPA, has grown aggressively and has single-handedly shaped human behavior.
When the WWW (World Wide Web) came into existence, it was meant to share information over the Internet. From there, partly through natural evolution and partly through the economics of the web driving innovation, the Internet and the web have metamorphosed into the lifeblood of the world.
It is difficult to imagine now how the world functioned before the Internet integrated into our lives. Organizations, governments, and people all depend on it equally. New wars will not be fought in the real world but over the cyber world.
Try putting a website online without any sort of protection and you will immediately start seeing traffic hits on your site. This is not because your site is something everyone is looking for. It is because there are bots on the Internet continually searching for sites that can be exploited.
How And Why Does An Attack Happen?
Attacks on sites happen for various reasons: to steal private data, for financial gain, or for purely malicious reasons such as ensuring genuine users cannot reach your site. Attackers generally try to exploit security vulnerabilities found in applications; the stages of an attack can generally be thought of as follows.
Reconnaissance attack:
During a reconnaissance attack, attackers try to gather information about a website and see where the vulnerabilities lie. The intruder queries the live IP addresses in the network and then their ports to determine the type and version of the application and operating system running on the target host. This is usually done through automated bots.
Exploitation:
Once vulnerabilities are identified in a site, attackers weaponize requests based on the vulnerabilities found and launch attacks. What happens next depends on the attacker's intention: the attack against the website can be launched either to bring down the whole site or to escalate from there.
Command & Control:
If the attacker decides to escalate, then using the exploit, they might also try to take control of the internal system or gain elevated privileges, in order to exfiltrate data from the targeted website or to commit financial crime.
How To Keep Your Site Secured?
"Be smart, understand your risk profile and ensure your site is always protected."
As the saying goes, better safe than sorry. One of the first steps to protect your site is to put it behind a firewall or an intrusion prevention system. However, that is not sufficient, because attackers are also becoming more sophisticated.
Therefore, the best defense is to not have a vulnerable application on the web at all. Vulnerabilities can be found through automated scans, but that alone is not enough. Some flaws, such as CSRF (Cross-Site Request Forgery) and business logic vulnerabilities, require a human in the loop.
Only Manual Pen Testing (MPT) can provide identification and manual validation of these vulnerabilities. Certain categories of vulnerabilities, such as authorization issues and business logic flaws, cannot be found with automated assessments and will always require a skilled penetration tester to identify them.
Below are some examples of business logic flaws that Manual Pen Testing teams undertake in their testing scenarios:
- Malicious file upload - The testing team will try to upload unsupported file types to the application and determine whether those files can have any kind of severe impact on the server side.
- Price manipulation and product manipulation in e-commerce applications - The team will try to change the price or quantity of products to bypass the business validation for pricing.
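As an added illustration of the price and quantity manipulation case above (example code written for this article, not from any product or testing team), here is a checkout total computed the vulnerable way, trusting the client-submitted price and quantity, beside a hardened version that recomputes the total from a server-side catalog and validates quantities. The catalog, SKUs and limits are constructed for the example.

```python
from decimal import Decimal
from typing import Dict, List

# Constructed server-side catalog: the only trusted source of prices.
CATALOG: Dict[str, Decimal] = {
    "sku-100": Decimal("19.99"),
    "sku-200": Decimal("249.00"),
}
MAX_QTY_PER_LINE = 100  # assumed business limit per line item


def checkout_total_vulnerable(cart: List[dict]) -> Decimal:
    """Trusts 'price' and 'qty' exactly as the client sent them.

    A tampered price or a negative quantity flows straight into the total,
    which is the business logic flaw a manual tester looks for.
    """
    return sum(Decimal(str(item["price"])) * item["qty"] for item in cart)


class CartValidationError(ValueError):
    """Raised when a cart fails server-side business validation."""


def checkout_total_hardened(cart: List[dict]) -> Decimal:
    """Recomputes the total from the catalog and validates every quantity.

    The client-supplied 'price' field is ignored entirely; only the SKU
    and quantity are read, and both are checked before use.
    """
    if not cart:
        raise CartValidationError("empty cart")
    total = Decimal("0")
    for item in cart:
        sku = item.get("sku")
        if sku not in CATALOG:
            raise CartValidationError(f"unknown sku {sku!r}")
        qty = item.get("qty")
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int):
            raise CartValidationError("quantity must be an integer")
        if qty < 1 or qty > MAX_QTY_PER_LINE:
            raise CartValidationError(f"quantity {qty} out of range")
        total += CATALOG[sku] * qty
    return total
```

A tester's tampered request (price lowered to 0.01, or a second line with a negative quantity) changes the vulnerable total but not the hardened one, which is the behaviour to confirm on the server rather than in the browser.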
Unfortunately, though many organizations make their best effort to ensure their websites and web apps are not vulnerable, security can take a back seat to business pressure to continually evolve and innovate.