When a company puts up a new web application, there is typically a business reason for doing so: to simplify a process or to make it run more efficiently. Whatever the reason, attackers may try to turn that same web application against you, to extract information, harvest data or deceive an employee.
The following is a list of some features an attacker may inspect on the web application:
• Features that don’t require authentication
• Features offered through free registration
• A free demo of the web application
• Remote access capabilities
• Web input forms
Why do hackers look for these features?
The web application is a trusted system on the company's side of the network, and the features it exposes are meant to be used by outsiders. Requests that use those features as designed do not look like an attack to the perimeter controls, and employees inside the company trust the application and whatever it delivers to them.
Features that don’t require authentication
A company's web application may accept input from public users as a convenience the company offers. These public features usually do not require authentication, which is what makes them convenient. The user simply submits the information or content the company asks for, and it is processed and delivered to the responsible employee or employees for review.
An attacker can use that same feature to send malicious information or data to the employees of the company. For example, many companies allow an unauthenticated user to upload files to their servers, and the upload form usually includes a comment or memo field that can be filled in. An attacker could abuse this in many ways.
Below is a list of possible misuse of the feature:
• Denial of service, by continuously uploading large files until the server runs out of disk space or capacity and is no longer available.
• Distributed denial of service, by hosting a page elsewhere that silently submits uploads to the company's endpoint from the browser of every visitor, so the load arrives from many unwitting sources.
• Uploading files, such as Word or PDF documents, that carry malicious macros or embedded content, which the reviewing employee then opens.
• Using the comment field to deliver a phishing-style message to the employee who reviews the upload.
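The checks below are an added example, not code from the original post, showing what an unauthenticated upload endpoint can do server-side against each of the four misuses just listed: a same-origin check against cross-site submissions, a size cap, a per-client rate limit, file-type detection by content rather than by the client-supplied name, and a bounded comment field that flags links for the reviewer. The site origin, limits and sample requests are assumptions made up for the example.

```python
# Added example (not from the original post): server-side checks for an
# unauthenticated upload endpoint. Origin, limits and sample data are assumed.
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit

MAX_UPLOAD_BYTES = 10 * 1024 * 1024              # assumed per-file cap (10 MiB)
MAX_COMMENT_CHARS = 1000                          # assumed comment-field cap
ALLOWED_ORIGINS = {("https", "www.example.com")}  # assumed: the site hosting the form
RATE_LIMIT, RATE_WINDOW = 5, 600                  # assumed: 5 uploads per IP per 10 minutes

# Accepted document types, identified by their leading bytes rather than by the
# filename or Content-Type header, both of which the uploader controls.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "docx",  # any zip container matches: a coarse filter, not proof of safety
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc",  # OLE2 compound file (legacy .doc)
}


class RateLimiter:
    """Sliding-window counter per key (here the client IP)."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def same_origin(headers):
    """Accept only submissions the browser attributes to our own site. A page on
    another site submitting on a visitor's behalf carries a different Origin;
    scripted clients usually carry none."""
    origin = headers.get("Origin") or headers.get("Referer", "")
    parts = urlsplit(origin)
    return (parts.scheme, parts.netloc) in ALLOWED_ORIGINS


def sniff_type(data):
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def clean_comment(comment):
    """Bound the comment, strip control characters, and flag links so the
    reviewing employee is warned before acting on a phishing-style message."""
    text = "".join(ch for ch in comment if ch.isprintable() or ch in "\n\t")
    text = text[:MAX_COMMENT_CHARS]
    flags = ["contains_link"] if ("http://" in text or "https://" in text) else []
    return text, flags


def check_upload(headers, body, comment, client_ip, limiter, now=None):
    """Return (accepted, reason, details) for one upload attempt."""
    now = time.time() if now is None else now
    if not same_origin(headers):
        return False, "cross-site submission", {}
    # Every attempt past the origin check counts toward the limit, so probing is
    # limited too. client_ip must be the real peer address, or X-Forwarded-For
    # taken only from a trusted proxy; otherwise the attacker picks the key.
    if not limiter.allow(client_ip, now):
        return False, "rate limited", {}
    # A real server checks the declared length before reading the body at all.
    try:
        declared = int(headers.get("Content-Length", "0"))
    except ValueError:
        return False, "bad Content-Length", {}
    if declared > MAX_UPLOAD_BYTES or len(body) > MAX_UPLOAD_BYTES:
        return False, "file too large", {}
    kind = sniff_type(body)
    if kind is None:
        return False, "unsupported file type", {}
    text, flags = clean_comment(comment)
    return True, "accepted", {"type": kind, "comment": text, "flags": flags}
```

The magic-byte check only narrows what reaches the reviewer; a PDF or Office document that passes it can still carry malicious content, so accepted files still belong in an isolated scanning or viewing step before an employee opens them.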
Features offered through free registration
Registering for a free service or login that unlocks parts of the application offers an attacker several advantages. Before authenticating, you have no direct access to most of the web application; after authenticating, you have access to portions of it you did not have before.
Registration usually requires an email address and validation of that address before access is granted. This is easily done with an anonymous or throw-away email address, which anyone can create without providing any personal information.
Once the attacker registers and logs in, every action is performed through the web application that is trusted on the company's internal network. The company that owns the application tends to assume that anyone willing to spend the time to register, and whose information validated, is acting legitimately.
Now that the attacker is trusted, the attacker could perform the following:
• Learn more about the web application and its features
• View client-side source (HTML, JavaScript, API calls) that was not exposed before authenticating
• Learn how to misuse the authenticated features to obtain information or additional data
A free demo of the web application
Companies sometimes offer a free demo of their web application to market its features. Demo portals typically do not allow you to send or receive real data; they are usually static instances that reset at a periodic interval.
The demo can assist an attacker in a few ways. The attacker can use it to learn the application's functions and weaknesses, and can study the client-side source of the demo to find vulnerabilities or weaknesses that also exist in the live application.
Web input forms
Almost every company website has an input form, usually a contact form that anyone on the internet can fill out. Depending on the type of input fields used, these forms can be very useful to an attacker.
The attacker could use the form in the following ways:
• With no CAPTCHA or rate limiting, a script can fill out and submit the form continuously, flooding the mailbox of the user or users who receive the submissions.
• Auto-replies, error pages and the responses of whoever handles the form can reveal confidential details about the company.
• The entries can be crafted so that the submission itself reads as a phishing message to the user or users receiving it.
• If the fields are not validated, the form is a path for injection attacks against whatever processes it: the mail system (header injection), a database, or the browser of the employee who reads the submission.
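As an added example (not code from the original post), the contact-form mailer below is shown two ways. build_mail_naive() concatenates headers the way many contact forms do, so a carriage return and line feed inside a field injects extra headers; here an attacker adds a Bcc: line and the company's own mail server relays the phishing message to the attacker's targets. build_mail_safe() rejects control characters, bounds field lengths, accepts only a bare reply address, and lets the email library build the message. The mailbox address, field names and sample submissions are assumptions made up for the example.

```python
# Added example (not from the original post): contact-form header injection and
# its fix. Mailbox, field names and limits are assumed values.
import re
from email.message import EmailMessage
from email.utils import parseaddr

FORM_TO = "sales@example.com"   # assumed mailbox that receives form submissions
MAX_LENGTHS = {"name": 100, "email": 254, "subject": 200, "message": 5000}
CONTROL = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF, NUL, tab and other control bytes


def build_mail_naive(form):
    """VULNERABLE on purpose: form values are pasted straight into header lines,
    so a value containing '\\r\\n' starts a new header of the attacker's choice."""
    return (
        f"From: {form['name']} <{form['email']}>\r\n"
        f"To: {FORM_TO}\r\n"
        f"Subject: {form['subject']}\r\n"
        f"\r\n{form['message']}"
    )


def build_mail_safe(form):
    """Validate every field, then build the message with EmailMessage."""
    clean = {}
    for field, limit in MAX_LENGTHS.items():
        value = str(form.get(field, ""))
        if len(value) > limit:
            raise ValueError(f"{field} too long")
        # Newlines are legitimate in the body, never in a header-bound field.
        if field != "message" and CONTROL.search(value):
            raise ValueError(f"{field} contains control characters")
        clean[field] = value
    # Accept only a bare address, not 'Name <addr>' forms or comments the visitor
    # could use to smuggle extra recipients or display text into the header.
    _, addr = parseaddr(clean["email"])
    if not addr or addr != clean["email"] or "@" not in addr:
        raise ValueError("invalid reply address")
    msg = EmailMessage()
    # From is always our own address so SPF/DMARC on our domain still pass; the
    # visitor's address goes in Reply-To and nothing is sent 'as' the visitor.
    msg["From"] = f"Web contact form <{FORM_TO}>"
    msg["To"] = FORM_TO
    msg["Reply-To"] = addr
    msg["Subject"] = f"[Contact form] {clean['subject']}"
    msg.set_content(f"From: {clean['name']} <{addr}>\n\n{clean['message']}")
    return msg


def header_names(raw):
    """Names of the headers in a raw RFC 5322 message (folded lines skipped)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\n") if line and not line[0].isspace()]
```

Rejecting the submission, rather than silently stripping the newline, is deliberate: a Bcc: inside a subject line is never a typo, and a rejected request is something a rate limiter or monitoring can count, whereas a sanitised one disappears.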
In conclusion, the company's web application should undergo a penetration test before going live and again after any large upgrade. The test will inform the company of any critical risks the application poses to the company.
Often it is the simplest thing that causes a company to fall victim to a data breach or intrusion. Companies need a penetration test at least once a year, and whenever drastic changes are made to their infrastructure.
Falcon Network Services provides an assortment of Security Services, including penetration testing for your web applications. Help protect your company's infrastructure today: visit https://fns1.com or email firstname.lastname@example.org
OUR SECURITY SERVICES INCLUDE:
- Risk Assessments
- Penetration Testing
- Web Application Testing
- Security Awareness Training
- Managed SIEM
- Managed Security Services (MSSP)
- Security Consulting