Lessons From a Synack Security Analyst
By Aigerim Kikabayeva
Security teams inside your organization can’t be the only ones guarding against cyberthreats. But that’s all too often the case. Many of us may think what we don’t know, can’t hurt us, and we tend to focus on business issues rather than the potential impact of cyberattacks. However, every line of business is vulnerable, and, in many cases, successful breaches will affect LOB executives the most due to lost revenue or brand damage.
In Part 1 of this article, we’ll discuss four of the eight biggest threats facing businesses and describe common scenarios for how malicious hackers might exploit vulnerabilities to carry out an attack.
Threat No. 1: Access Control Violation
Access Control vulnerabilities are among the most commonly found flaws on the Synack security testing platform. This is a major issue as this kind of vulnerability can give privileges to unauthorized users.
Although researchers are able to find numerous vulnerabilities through automated scanner tests, scanners cannot catch Access Control vulnerabilities. This requires an actual researcher to go through the application logic and corresponding roles, testing various scenarios.
One recent Access Control vulnerability discovered using the Synack platform could have allowed an attacker to place orders without any validation on a payment processing platform.
Threat No. 2: Code Injection Attacks
Code injection attacks are simply attacks that happen when malicious hackers insert code into an application and then manipulate it to cause some damage or gain control. These attacks take advantage of vulnerabilities that allow unauthorized users to inject code into programs. These are not common flaws and often require skilled adversaries to exploit, yet Synack researchers find them all too often.
File upload services are commonly known to be especially vulnerable to Code injection attacks. Attackers are often able to bypass extension restrictions on sites and upload dangerous files into systems that can then give them the ability to execute arbitrary commands to access other parts of the network and sometimes steel or manipulate data across entire systems.
Threat No. 3: SQL Injection Attack
This is another data manipulation attack that occurs when an attacker inserts an unvalidated SQL query into an application. This will give an attacker the ability to manipulate and steal data, spoof identities and generally wreak havoc inside a victim’s inside databases. These can be prevented by making sure user input validation and parameterized queries are in place and up to date so that unauthorized use isn’t allowed.
Since SQL injection provides full access into the database and its data, an attacker can take advantage of further database misconfigurations. One such critical vulnerability was a PCI violation revealed through SQL injection where hundreds of credit card accounts had expiration dates and cvv numbers stored in cleartext.
Threat No. 4: Business Logic Flaws
While these often appear to be low impact flaws, they can actually allow attackers to interrupt business operations by taking advantage of poorly designed processes. Business Logic Flaws aren’t technically vulnerabilities, but are operational glitches that can allow malicious hackers to manipulate the process for financial gain or cause other damage. And because these aren’t vulnerabilities in a technical sense, scanners aren’t going to catch them and traditional testers could miss them or down play them.
A simple example of a very basic Business Logic Flaw was discovered in movie theater booking systems that allowed customers to hold seats for 10 minutes before actually buying seats for the next show time. If someone wanted to get a whole theater to themselves, they could carry out an attack on a ticket seller and they could select all the seats and hold them every 10 minutes and prevent other customers from buying any seats at all. The result would be total financial loss for the ticket seller.
Stay tuned next week when we discuss how weaknesses in apps can allow them to be exploited and even customer data to be compromised. In the meantime, if you’d like to learn more about Synack and how we scan and test apps to harden them against criminals, view our Buyer’s Guide to Pentesting.