One of the first places to begin probing for vulnerabilities is your web or mobile applications. After all, these are often the public face of your organization. Unfortunately, people often miss crucial elements of application security. Whether they are web or native mobile applications, these mistakes can cause serious consequences from exposing sensitive data within the app itself or allowing nefarious actors an entry point to deeper intrusions.
Below, we outline the top 7 issues that we see in web and mobile applications we encounter that you should be aware of and act on.
1. Broken Authentication
Do you know the proper steps your application should take to properly authenticate a user? It is very common for applications to perform this basic function incorrectly.
Common authentication issues include:
- Session tokens not being refreshed upon all privilege level changes
- Session expirations that are set too long
- Cookies not using proper flags
- Use of JSON Web Tokens (JWT) without proper session timeouts
- JWTs that contain sensitive user information
2. Flawed Access Control
Once a user is authenticated, what are they allowed to do? Just because an action is hidden from a user doesn’t mean that they can’t interact with an endpoint. Can a normal user access admin pages and functionality? Can they access assets that belong to other users?
All pages and endpoints should verify user access before granting permission.
3. Cross-Site Scripting (XSS)
Cross-site scripting is the most common finding in every application. It occurs when an application includes untrusted user data without proper input validation or output encoding.
Have you validated that every user input field is performing proper input validation? If you think they are, do you know the tricks attackers use to bypass these filters? Many people think they are doing this, but we are constantly proving them wrong.
4. Sensitive Data Exposure
Many applications inadvertently expose sensitive data through insecure direct object references. This can allow attackers to access user data that should be protected such as email addresses, phone numbers, credit card information, etc.
Developers are focused on making the application function and provide the features their clients want. Attackers can take advantage of this sentiment and use these features to enumerate information in ways the developer did not intend.
5. XML External Entities (XXE)
Every application has an API, or Application Programming Interface. They are used by developers to interact with your platform and for React-style applications. They are also commonly used by mobile applications. These endpoints are commonly vulnerable to XML issues that allow attackers to query the backend systems.
We know the tricks hackers use to get at APIs and can help determine if your application is safe.
While not as prevalent as it was a few years ago, many types of injection (SQL, NoSQL, and OS) still exist. Is an attacker able to take advantage of an insecure sql statement to dump your entire database and publish this data online? Are you using parameterized queries with prepared statements? Are you doing this for every query? We still find applications where some queries have been missed and SQL Injection is very real and very bad.
7. Chaotic Dev Environments
This last category is a bit of a catch-all because every application and dev team are different. But almost every application has security misconfigurations. We can usually point the finger at chaotic dev environments with many teams working on different parts of the application. Often, this results in misconfigurations on servers, default configurations, or verbose error messages. Not to mention the difficulty in keeping frameworks operation systems libraries up to date and securely configured.
The growing (and often cultish) move toward DevOps and DevSecOps is intended to ensure tighter dev team integration and that security is baked in at all steps. Regardless of how your teams works, having a framework or process can bring some order and prevent avoidable vulnerabilities.
After decades and hundreds of application assessments, these are just the top several issues we see over and over. This list is a good place to start if you want to take a look at your app’s security. These seven alone should keep you busy for quite a while.
But to truly get to the bottom of your app security, it’s best to bring in an experienced third-party assessment team without the blind spots and biases of your internal team. At Packet Ninjas, we don’t go soft on your application, because your adversaries won’t. We use real-world tactics and get creative to uncover any lurking vulnerabilities. And when we find something, we’ll stick around and help you fix it so nobody can follow in our footsteps.
Get in touch today and ask about our flexible retainer engagement models, so you can stop wondering about your application security.