We at Valency Networks keep studying various attack patterns while performing application security penetration testing for our customers. We also keep an eagle's eye on the attacks that are gaining momentum and resulting in credible damage. This blog is an outcome of the study and assessment that we performed over the past few years, as well as of the predominant attacks of 2019.
This blog is meant for developers and solution architects, who are urged to think deeply and carefully about architecting, developing and testing their web applications before making them live for their customers.
Here are the top 5 attacks that we think will be found predominantly in 2020:
1. Code injection attacks on PHP applications – While there are tons of articles and videos available guiding PHP developers on how they should protect their applications, we think that there is great scope for improvement, especially when it comes to sanitizing user input. Code injection is possible either via a malicious file upload or via script injection. PHP applications which accept a web URL or a text string that ends up as a web-visible link are still highly susceptible. Detailed manual penetration testing of such apps is critical.
2. Vulnerable file upload – Many applications (Java, .NET or PHP) let users upload a file as part of their functionality. While most of those seem to sanitize many aspects of the uploaded file, we suspect that those attempts may still fail. This can be attributed to bad coding practices in the use of server-side and client-side controls pertaining to a file upload.
3. DOM-based XSS – Lately cross-site scripting (XSS) is being handled by WAFs (web application firewalls), and good measures are taken to sanitize user input. However, the most mistreated, or misconstrued, attack is DOM XSS, which we strongly believe will be predominant. This is expected to be true especially for applications which rely heavily upon AJAX and jQuery. A strictly manual way of penetration testing is a must to detect and fix this attack.
4. CSRF on AJAX – Cross-site request forgery attacks seem to be immortal in the web application attack world. However, due to the heavy usage of AJAX, we predict that CSRF attacks will creep further into the client-side calls. We strongly recommend a rigorous code review.
5. Server misconfiguration for headers – In the past, we saw that headers were not being taken seriously. In 2018 and 2019, headers were seen being added, although either not entirely or not correctly. The current web attack scenario, especially for REST API calls, expects the right header to be added with the right value. With the current trend of negligence and unawareness of headers, we predict that many applications may still fail to follow the right standard, thus exposing themselves to various attacks.
While the above predictions were partly applicable to 2019, they are most certainly true for 2020. It is important to remember that these predictions are not the only ones to be worked upon; in fact, detailed manual pentesting based on the OWASP Top 10 attacks, and that too on a periodic basis, is highly recommended.
Reference Links
1. Web app pentesting – https://www.valencynetworks.com/penetration-testing-services/website-security-penetration-testing.html
2. Security Code Review – https://www.valencynetworks.com/security-management/code-review.html
3. REST API VAPT – https://www.valencynetworks.com/penetration-testing-services/website-security-testing/rest-web-services-api-vulnerability-testing.html
4. Web app VAPT FAQ – https://www.valencynetworks.com/penetration-testing-services/website-security-testing/web-vapt-faq.html