Web security and hacking trends for 2015
What are the biggest risks and threats your web applications will probably face in 2015?
It's pretty difficult to make infosec predictions, and even more difficult to verify them afterwards: we can mainly judge by public security incidents that were uncovered, while the majority of data breaches remain undetected or never go to the media.
Nevertheless, by combining our web penetration testing and computer forensics experience, web security research, as well as common sense and efficiency (cost/profit ratio) that motivate Black Hats, we can highlight several trends in web application security for 2015:
Vulnerable web applications will remain the easiest way to compromise companies
When almost any company has one or even several vulnerable web applications, hackers will not bother to launch complex and expensive APT attacks with 0day exploits. Companies continue to seriously underestimate the risks related to their web applications and websites. A tiny vulnerability, such as an XSS, can lead to the compromise of the entire local network, emails and databases of a company.
XSS will become a more frequent and dangerous attack vector
It's very difficult to detect high or critical risk vulnerabilities in well-known web products (e.g. Joomla, WordPress, SharePoint, etc.). However, low and medium risk vulnerabilities, such as XSS, will still regularly appear. Sophisticated exploitation of an XSS can give the same outcome as an SQL injection vulnerability, therefore hackers will rely on XSS attacks more and more to achieve their goals.
Third-party code and plugins will remain the Achilles' Heel of web applications
While the core code of well-known CMSs and other web products is pretty safe today, third-party code such as various plugins or extensions remains vulnerable even to high-risk vulnerabilities. People tend to forget that one outdated plugin or third-party website voting script endangers the entire web application. Obviously hackers will not miss such opportunities.
Chained attacks and attacks via third-party websites will grow
Today it's pretty difficult to find a critical vulnerability on a well-known website. It's much quicker and thus cheaper for hackers to find several medium risk vulnerabilities that, combined, give them complete access to the website. Another trend is to attack a reputable website that the victim regularly visits. For example, when going after a C-level executive, hackers may compromise several high-profile financial websites or newspapers and insert an exploit pack that will be activated only for a specific IP, user-agent and authentication cookie combination belonging to the victim. Such attacks are very complicated to detect, as only the victim can notice the attack.
Weak passwords and password re-use will remain a very serious problem
Many people still use the same or similar passwords for all their accounts. Hackers cannot miss such an opportunity and actively exploit this human weakness. The first step of the attack is to identify all websites or blogs where the victim is registered or has an account. The second step is to select the weakest website from the list and to compromise it. Password encryption techniques commonly used in web applications today are far from being resistant, and a password in plaintext can be obtained pretty quickly. Even if the victim uses a very strong password and it is properly encrypted in the database, hackers will just trojan the web application to intercept the password in plaintext during login. The last step is to try the password on all of the victim's accounts and resources.
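To make the storage point concrete from the defender's side, here is an added example (not part of the original article) that puts a legacy unsalted MD5 record next to a salted scrypt record for the same reused password. The site labels, function names, usernames, password and wordlist are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: one password reused on two hypothetical sites.
PASSWORD = "Summer2015!"
WORDLIST = ["123456", "password", "Summer2015!", "letmein"]

def weak_record(password):
    """Legacy scheme (hypothetical site A): unsalted MD5 hex digest."""
    return hashlib.md5(password.encode()).hexdigest()

def strong_record(password, salt=None):
    """Hardened scheme (hypothetical site B): per-user random salt + scrypt."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    return salt, digest

def verify_strong(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    _, candidate = strong_record(password, salt)
    return hmac.compare_digest(candidate, expected)

def audit_weak_dump(records, wordlist):
    """Audit of a user->digest table: a single precomputed lookup covers
    every unsalted record at once, which is why this scheme fails."""
    table = {weak_record(word): word for word in wordlist}
    return {user: table[d] for user, d in records.items() if d in table}

if __name__ == "__main__":
    # Two users with the same password get identical unsalted digests,
    # so one recovered value exposes both accounts.
    dump = {"alice": weak_record(PASSWORD), "bob": weak_record(PASSWORD)}
    print("recovered from unsalted dump:", audit_weak_dump(dump, WORDLIST))

    # With per-user salts the same password yields unrelated records,
    # and each one must be attacked separately at scrypt's cost.
    rec_a, rec_b = strong_record(PASSWORD), strong_record(PASSWORD)
    print("salted digests differ:", rec_a[1] != rec_b[1])
    print("login still verifies:", verify_strong(PASSWORD, rec_a))
```

Strong storage does not help against the trojaned login page described above, which captures the password before it is hashed; unique passwords per site remain the control that breaks the reuse step.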
Application logic errors will become more frequent and critical
Examples with AliExpress and Delta Airlines highlight the impact of application logic vulnerabilities that are almost undetectable by automated solutions. Web developers have become aware of XSS and SQL injection flaws and code much better than before; however, they forget about application logic vulnerabilities that may be even more dangerous than SQL injections or RCEs.
Automated security tools and solutions will not be efficient anymore
Web Application Firewalls, Web Vulnerability Scanners or Malware Detection services will not be efficient anymore if used separately or without human control. Both web vulnerabilities and web attacks are becoming more and more sophisticated and complex to detect, and human intervention is almost always necessary to properly detect all the vulnerabilities. It's not enough anymore to patch 90% or even 99% of the vulnerabilities - hackers will detect the last vulnerability and use it to compromise the entire website. As a solution to the rise of new threats, High-Tech Bridge launched ImmuniWeb in 2014 - a unique hybrid that efficiently combines automated security assessment with manual penetration testing.
High-Tech Bridge wishes you a safe and secure 2015!