Accepting the inevitable: The pitfalls of web security

The issue of web security is one that attracts advocates, malicious actors, ethical hackers, and proposed solutions of all stripes, at times ignoring the root causes of compromised client-side security and its devastating implications. OWASP, the foremost evaluator of web app security, recently released its Top Ten ranking, placing broken access control at the top of the list. This shift represents the growing problem with access control since the last OWASP release four years ago. The decoupling of front-end code from the back-end in modern web applications shines a blinding light on the ease with which cybercriminals abuse access control to log into dashboards or impersonate end-users. Regardless of how sophisticated or well-integrated any web application is, threat actors will find exploitable code sooner or later. The key is identifying it before they do.

Vulnerability scanning and threat detection are still experiencing their nascent days, especially when considering the volume and fast-paced evolution of malware and its far-reaching distribution. Toward the end of last year, 1.3 billion bot threats were detected, demonstrating both the pressing need for effective protection against such threats and the impossibility of entirely avoiding them. Protecting client-side data has become increasingly valuable and strategic, particularly as online reliance has increased since the start of the pandemic. In this increasingly cyber-centric atmosphere, both IT professionals and web app developers must understand the vulnerable position end-users are in. More than primarily focusing on the smartest or most solid code configuration, web app security should take on a strategy that recognizes the inevitability of attack and how to identify an unending onslaught of malicious activity.

What is broken access control?
Broken access control, as its name suggests, refers to the methodology used by malicious actors to access protected resources that they shouldn’t have access to, such as successfully logging into an administrative account without using the proper administrative credentials. Vulnerabilities in this space abound, from Client-Side Request Forgery (CSRF) to Cross-Origin Resource Sharing Information (CORS). Examples include changing an end-user’s password to block them from an account to then steal valuable personal information. In 2020 alone, the Federal Trade Commission received 2.1 million fraud reports from consumers, primarily related to online shopping. Billions of dollars are at stake, affecting not only consumers but the survival of the online industry itself.

Mitigating these threats can be done but requires a comprehensive approach. Logging access control failures, implementing across-the-board access control mechanisms, and disabling web server directory listings are a few steps to take when limiting who is granted authorized access to sensitive dashboards. Web applications are involved in 43% of all breaches, requiring a robust approach to security that implements not only sound policy, but effective threat detection and prevention.

A few key security components
Beyond code-specific recommendations, such as ensuring third-party, dynamically sourced code is safe enough to rely on, client-side security should include basic protections that any online store, bank, or healthcare system could easily deploy.

Vulnerability Management & Penetration Testing: Fully evaluating the health of a website is an essential first step to determining where points of entry lie. Code exploits are bountiful and inevitable, requiring any domain owner handling online client data to seek out a trustworthy team of pen testers to safely exploit vulnerabilities in the site’s IT infrastructure. Diagnosing points of weakness, patterns of behavior, or blind spots can inform vulnerability scanners of the value a website has to malicious actors and how to best fend off specific threats.

Content Security Policy (CSP): As mentioned in reference to broken access control, enforcing control mechanisms within the infrastructure of a website is necessary to block certain attacks aimed at impersonating end-users, or should simply make it more difficult to access dashboards that contain sensitive data. Cross-site scripting (XSS), JavaScript code injection, and data skimming attacks are all aimed at stealing data, distributing malware, or defacing a site, all of which CSP makes far more difficult for hackers to carry out.

Web Application Firewall (WAF): Shielding a website from the unrelenting attacks of the internet is essentially the job of a WAF. Although it cannot protect against all attacks and should be used within a more comprehensive security strategy, WAFs mitigate threats by filtering and monitoring HTTP traffic, protecting against cross-site forgery and thwarting attempts at achieving broken access control.

How can web security move forward?
The stressors associated with the pandemic, such as increased isolation and global shutdowns, rapidly accelerated the pace at which online reliance was already growing, leading to an 800% spike in web app attacks last year. Although server-side security is undoubtedly essential, client-side security has greatly lagged behind, all while malicious actors continuously target end-users for the valuable information they possess. PII, PHI, financial information, legal documentation, and more are all at risk of being stolen if comprehensive security measures aren’t taken seriously.

Implementing a CSP and WAF can make a website more secure, but never hack-proof. Code exploits are ripe for the taking, especially when relying on third-party software. Verifying the reliability of code is an essential component of protecting the client-side attack surface but can only be done successfully if proper vulnerability scanning and pen testing have taken place. Web security is more than understanding the necessity of cybersecurity protections, it’s anticipating the attacks before they happen, knowing that they most likely will.