Why Web Services Are Vulnerable


Today we will discuss the reasons Web Services are vulnerable to attack and some of the countermeasures you can implement to defend against those attacks.

Access Control Vulnerabilities

The three most common access control vulnerabilities, weak passwords, phishing exploits and stolen credentials, were the subjects of previous blogs. Please revisit them if you would like a refresher on those topics.

Single Sign-on Vulnerability

Many websites, wishing to leverage the popularity of social media, allow a user to sign on with a Facebook or Google account. This is commonly known as “Single Sign-on” authentication: the website delegates the login to the identity provider and then trusts the identity information the provider hands back.

Rui Wang, Shuo Chen and XiaoFeng Wang published a 15-page report detailing security flaws made possible by “poor integration by website developers of the application programming interfaces (APIs) made available by the identity providers, and the lack of end-to-end security checks.” “These bugs allow an unauthorized party to log into legitimate users’ accounts … thereby completely defeating their authentication protection.” The identity providers themselves authenticated users correctly; the flaws were on the website’s side, which accepted data about the user without verifying that the provider had actually issued it, and issued it for that website.
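The following is an added example, not code from the paper or from VeriClouds, showing the kind of relying-party check whose absence the report describes. The identity provider is a constructed stand-in that issues HMAC-signed tokens carrying the user (`sub`), the application the token was issued for (`aud`) and an expiry; the key, token format, client IDs and user names are all assumptions. The vulnerable website reads the user id out of the token and logs that user in. The hardened one refuses the login unless the signature verifies, the audience is its own client id, and the token is unexpired, which defeats both a forged token and a genuine token that the attacker obtained for a different application.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in for the identity provider (IdP). Real providers use
# asymmetric signatures and their own token formats; the relying-party (RP)
# checks below are what matter and apply unchanged.
IDP_SIGNING_KEY = b"constructed-idp-signing-key"  # assumption: shared with the RP out of band


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(user_id: str, client_id: str, now: int, ttl: int = 600) -> str:
    """IdP side: the token binds the user (sub) to the app it was issued for (aud)."""
    claims = {"sub": user_id, "aud": client_id, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def rp_login_insecure(token: str) -> str:
    """Vulnerable RP: takes the user id from the token body and logs that user in.
    It never checks the signature, nor which app the token was issued to."""
    body = token.split(".")[0]
    return json.loads(_unb64(body))["sub"]


def rp_login_secure(token: str, my_client_id: str, now: int) -> Optional[str]:
    """Hardened RP: trust sub only after signature, audience and expiry all check out.
    Returns the authenticated user id, or None to refuse the login."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None  # forged or tampered token
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None  # malformed token
    if claims.get("aud") != my_client_id:
        return None  # issued to some other app: token substitution
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # expired or missing expiry
    return claims.get("sub")
```

The audience check is the one most often missing in practice: a token is proof that the provider authenticated the user for the application named in `aud`, and nothing more, so a website that accepts a token minted for an attacker-controlled application accepts a login the attacker chose.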

Access Control Attack Counter Measures

The obvious prevention for weak passwords is to enforce password strength requirements and to limit the number of failed logon attempts permitted before an account is temporarily locked. The University of California publishes a guide on password strength standards.
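As an added example (not code from the original post), here is a minimal implementation of the two controls just mentioned: a policy check that returns every reason a candidate password is rejected, and a per-account lockout that counts failures inside a sliding time window. The thresholds, the tiny common-password list and the account names are assumptions; the clock is injected so the lockout logic can be exercised without waiting.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Dict, List

# Constructed example. The thresholds and the tiny common-password list are
# illustrative assumptions; take real values from your policy and a real
# breached-password corpus.
MIN_LENGTH = 12
COMMON_PASSWORDS = {"password", "password1", "123456789012", "qwertyuiop12", "letmein"}


def password_policy_violations(password: str) -> List[str]:
    """Return every reason a candidate password fails the policy (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if len(set(password)) < 4:
        problems.append("fewer than 4 distinct characters")
    return problems


class LoginThrottle:
    """Per-account lockout: `max_failures` failed logons inside a sliding `window`
    (seconds) lock the account for `lockout` seconds. The clock is injected so
    the behaviour can be tested without sleeping."""

    def __init__(self, max_failures: int = 5, window: int = 300,
                 lockout: int = 900, clock: Callable[[], float] = time.time):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures: Dict[str, deque] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        return self.clock() < self._locked_until.get(account, 0.0)

    def record_failure(self, account: str) -> bool:
        """Record a failed attempt; return True if this one triggered a lockout."""
        now = self.clock()
        attempts = self._failures[account]
        attempts.append(now)
        while attempts and attempts[0] <= now - self.window:
            attempts.popleft()  # forget failures that aged out of the window
        if len(attempts) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            attempts.clear()
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password_ok: bool) -> str:
    """Glue: refuse a locked account before the (expensive) credential check,
    so guesses against a locked account cost the server nothing."""
    if throttle.is_locked(account):
        return "locked"
    if password_ok:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"
```

Note that a locked account refuses even the correct password until the lockout expires; that is the point of the control, and it is also why the lockout should be per account (and ideally also per source address) rather than global, so an attacker cannot lock everyone out at once.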

Preventions for phishing exploits and stolen credentials were discussed in the previous blog posts mentioned above.

Monitoring Solutions

Compromised passwords and other account information are frequently posted on the “Dark Web”. VeriClouds offers an inexpensive monitoring service that can be deployed in 24 hours and will discover whether any employee or client account credentials have been exposed.

Paessler offers network monitoring software that detects “abnormal network behavior” that may indicate your network has been breached.

The Caligare Flow Inspector – NetFlow Monitor and Analyzer “helps you find suspicious network activities and gives you adequate time to respond…”

The Nagios Network Analyzer “is capable of alerting users when suspicious activity takes place on the network.”

Colasoft offers nChronos, “a Network Forensic Analysis Appliance for high performance & critical enterprise networks.”

Website Logic Vulnerability

Another attack vector hackers frequently exploit is website logic vulnerabilities. Rui Wang participated in a research team that investigated logic vulnerabilities in third-party payment systems (e.g. PayPal, Amazon Payments and Google Checkout). The research paper was published in Informatics. The paper’s abstract briefly describes the causes of the vulnerabilities.

“Web applications increasingly integrate third-party services. The integration introduces new security challenges due to the complexity for an application to coordinate its internal states with those of the component services and the web client across the Internet.” Logic flaws may then be exploited to cause inconsistencies between the states of the third-party payment solution and the merchant: the merchant’s checkout concludes that an order was paid when the payment actually recorded by the cashier was for a different amount, a different order, or to a different seller. As a result, a malicious shopper can purchase an item and avoid paying for it.
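The following added example (not from the paper or from VeriClouds) models the merchant side of such a checkout. The cashier is a constructed stand-in that signs each payment notification with a key shared with the merchant; the key, merchant ids, order ids and amounts are assumptions. The vulnerable merchant marks an order paid as soon as a notification says PAID. The hardened one changes the order’s state only after confirming that the notification is the cashier’s, names this merchant as the payee, matches a pending order in amount and currency, and has not been seen before, which closes the underpayment, pay-yourself and replay variants in one place.

```python
import hashlib
import hmac
import json
from typing import Dict, Set

# Constructed example. The cashier (third-party payment service) and the
# merchant share a key and the cashier signs each payment notification; this
# stands in for whatever signature scheme a real cashier offers.
CASHIER_KEY = b"constructed-cashier-key"
MY_MERCHANT_ID = "merchant-42"  # assumption: this store's seller account at the cashier


def cashier_sign(notification: Dict) -> str:
    """Cashier side: sign the canonical JSON form of the notification."""
    payload = json.dumps(notification, sort_keys=True).encode()
    return hmac.new(CASHIER_KEY, payload, hashlib.sha256).hexdigest()


class Store:
    def __init__(self) -> None:
        self.orders: Dict[str, Dict] = {}
        self._seen_txn: Set[str] = set()

    def create_order(self, order_id: str, amount_cents: int, currency: str) -> None:
        self.orders[order_id] = {"amount_cents": amount_cents, "currency": currency,
                                 "state": "PENDING"}

    def complete_order_insecure(self, notification: Dict, signature: str) -> bool:
        """Vulnerable merchant: the cashier said PAID, so mark the order paid.
        Never compares amount, currency or payee against its own record."""
        order = self.orders.get(notification.get("order_id"))
        if order is None or notification.get("status") != "PAID":
            return False
        order["state"] = "PAID"
        return True

    def complete_order_secure(self, notification: Dict, signature: str) -> bool:
        """Hardened merchant: the notification must be the cashier's, be about a
        payment to us, match a pending order in amount and currency, and not be
        a replay. Only then does the order change state."""
        if not hmac.compare_digest(signature, cashier_sign(notification)):
            return False  # not from the cashier, or altered in transit
        if notification.get("merchant_id") != MY_MERCHANT_ID:
            return False  # shopper paid some other seller (possibly themselves)
        order = self.orders.get(notification.get("order_id"))
        if order is None or order["state"] != "PENDING":
            return False  # unknown order, or already settled
        if (notification.get("amount_cents") != order["amount_cents"]
                or notification.get("currency") != order["currency"]):
            return False  # paid a different amount than the order requires
        if notification.get("status") != "PAID":
            return False
        txn_id = notification.get("txn_id")
        if not txn_id or txn_id in self._seen_txn:
            return False  # replayed notification
        self._seen_txn.add(txn_id)
        order["state"] = "PAID"
        return True
```

The design point is that every field the merchant relies on is compared against the merchant’s own record of the order, never taken from the message alone; the cashier can only vouch for what the shopper actually paid, and it is the merchant’s job to decide whether that payment settles this order.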

Website Logic Attack Prevention

The first line of defense should be a regular code review and QA process in which security is an explicit review criterion. NIST and US-CERT publish documents on secure coding best practices.

There are numerous companies offering penetration testing services, as well as some DIY penetration testing kits. A good third-party penetration test may be expensive, but it will reveal vulnerabilities you may never know you had until an attacker shows you.

Web Services Software Vulnerabilities

The most common Web Services software vulnerabilities are SQL Injection, Cross-site Scripting, and insecure web application code, in particular file inclusion flaws.

SQL Injection

According to Sucuri, injection vulnerabilities are rated the number one problem on the Open Web Application Security Project’s Top 10 list of security issues. “SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.” – OWASP
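To make the OWASP definition concrete, here is an added example (not from the original post) using an in-memory SQLite database. `login_vulnerable` assembles the statement by string concatenation, so the user’s input becomes part of the SQL itself; `login_parameterized` sends a fixed statement and binds the same input as parameters. The table contents and user names are constructed, and passwords are stored in clear only so the two queries are easy to compare.

```python
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample data. Clear-text passwords are for the demonstration
    only; a real system stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret-pass"), ("bob", "hunter2hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Builds the statement by concatenation: whatever the user typed becomes
    part of the SQL (data-plane input crossing into the control plane).
    Returns the username of the matched row, i.e. who the caller is logged in as."""
    query = ("SELECT username FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Fixed statement with bound parameters: the driver passes the input as
    values, so quotes and comment markers in it carry no SQL meaning."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None
```

With a username of `alice' --` the vulnerable query becomes `... WHERE username = 'alice' --' AND password = '...'`; everything after `--` is a comment, so the password check disappears and the caller is logged in as alice. The parameterized version looks for a user literally named `alice' --` and finds none.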

Cross-site Scripting (XSS)

XSS is a style of attack in which the website’s front end acts as a launching point for attacks on the users visiting it: input an attacker controls (a URL parameter, a form field, or stored content such as a comment) is written into the page without being encoded, so the victim’s browser runs it as script in the victim’s session. This happens when developers don’t properly test their code for the possibility of scripts being injected.
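As an added example (not from the original post), the functions below render the same untrusted comment three ways: dropped straight into the page, passed through a `<script>`-stripping blocklist, and HTML-encoded. They also show that an attribute context such as `href` needs a scheme allowlist on top of encoding, because a `javascript:` URL contains nothing for an encoder to change. The templates are plain f-strings so the choices can be compared side by side; the payloads are constructed.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed example. Plain f-strings stand in for the template engine so the
# three output-handling choices can be compared; a real app should use an
# engine with auto-escaping switched on.


def render_comment_insecure(text: str) -> str:
    """Untrusted text dropped straight into HTML: any markup in it becomes live."""
    return f"<p>{text}</p>"


_SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def render_comment_blocklist(text: str) -> str:
    """Tempting but wrong: strips <script> tags and nothing else. Event handlers
    such as <img onerror=...> or <svg onload=...> pass straight through."""
    return f"<p>{_SCRIPT_TAG.sub('', text)}</p>"


def render_comment_escaped(text: str) -> str:
    """Correct for text content: encode the HTML metacharacters so the browser
    renders the payload as literal characters instead of parsing it as markup."""
    return f"<p>{html.escape(text, quote=True)}</p>"


def safe_href(url: str) -> Optional[str]:
    """Attribute context needs more than encoding: javascript: and data: URLs
    contain no metacharacters to encode, so allow only http(s) schemes."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return None
    return html.escape(url, quote=True)


def render_link(url: str, label: str) -> str:
    """Quoted attribute + encoded value + allowlisted scheme; otherwise drop the link."""
    href = safe_href(url)
    label_html = html.escape(label, quote=True)
    if href is None:
        return label_html
    return f'<a href="{href}">{label_html}</a>'
```

The blocklist case is the one to remember: it neutralises the one payload the developer thought of and nothing else, which is why encoding the output for its context, rather than filtering the input for known-bad strings, is the standard defense.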

Insecure web application

As a result of insecure coding, malicious users can find functionality within a web application and abuse its underlying mechanics to execute their own code. Two variations of this are Local File Inclusion and Remote File Inclusion.

Local File Inclusion

By targeting ‘include’ parameters in PHP code, intruders can request that an alternative file be loaded in place of the file the program meant to use, for example a file elsewhere on the server reached through a ../ path. This can lead to unintended access to internal files and logs and, if the attacker can get content of their own into a file the server will include, to execution of that content.

Remote File Inclusion

This method of running malicious software on a victim’s server works by supplying a URL instead of a local file name: the server is simply asked to go somewhere else on the Internet to fetch a script, and then runs it from that location. Including a script in this way hands the attacker code execution with the privileges of the web server process.
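The following added example (not from the original post) covers both the local and the remote variant described above. `include_target_insecure` stands in for a PHP `include($_GET['page'])`: a URL is fetched through a stream wrapper, an absolute path is used as-is, and anything else is joined to the application directory, so the attacker decides all three outcomes. `include_target_secure` maps the parameter onto a fixed allowlist of page names, and `include_target_contained`, for applications that must accept free-form names, rejects URLs and absolute paths and then checks that the normalised path still lies under the template directory. The directory, page names and payloads are assumptions; nothing is read from disk.

```python
import os
from pathlib import Path
from typing import Optional
from urllib.parse import urlsplit

# Constructed example. TEMPLATE_DIR is an assumed location; the functions only
# decide which path an include would load and never read a file.
TEMPLATE_DIR = Path("/var/www/app/templates").resolve()
ALLOWED_PAGES = {"home", "about", "contact"}  # assumption: the pages the app actually has


def include_target_insecure(page: str) -> str:
    """Stand-in for include($_GET['page']): a URL goes to a stream wrapper
    (remote file inclusion), an absolute path is used as-is, anything else is
    joined to the script's directory with no check on ../ components."""
    if urlsplit(page).scheme:
        return page
    return os.path.join(str(TEMPLATE_DIR), page)  # join() drops the base for absolute paths


def include_target_secure(page: str) -> Optional[str]:
    """Preferred fix: the parameter selects from a fixed set of names and the
    file name is built by the application. URLs, absolute paths and traversal
    all fail the single membership test."""
    if page not in ALLOWED_PAGES:
        return None
    return str(TEMPLATE_DIR / f"{page}.php")


def include_target_contained(name: str) -> Optional[str]:
    """For apps that must accept free-form names: refuse URLs and absolute
    paths, then normalise and confirm the result is still under TEMPLATE_DIR,
    which catches ../ traversal after the path is resolved."""
    if urlsplit(name).scheme or os.path.isabs(name):
        return None
    candidate = (TEMPLATE_DIR / name).resolve()
    if TEMPLATE_DIR not in candidate.parents:
        return None
    return str(candidate)
```

The containment check must run on the resolved path, not on the raw string: a blocklist for the literal characters `..` is bypassed by encodings and by paths that only become traversals after normalisation, whereas `resolve()` followed by a parent check judges the path the operating system would actually open.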

Web Services Software Attack Defense

A simple, low-cost measure is to make sure your servers are all up to date with the latest security patches. Create a process that monitors for new updates on your servers and all outward-facing applications. You can also write a script that applies updates automatically.

Employ a service such as Tinfoil (“Empowering DevOps with Security”). Tinfoil will scan your website for vulnerabilities that open you to attacks such as SQL injection or Cross-site Scripting.

ABOUT VERICLOUDS

VeriClouds was founded by Rui Wang and Stan Bounev in 2014 to resolve the authentication security issues in Cloud Services. Information Security is not just a business opportunity. It is a calling, a passion, even an obsession. Rui and Stan joined forces to create ways to make the world more secure by making it safer to do business online. Rui has a Ph.D. in Cyber Security, and Stan is a successful entrepreneur with over 14 years of corporate and startup experience in the banking and technology industries.
