Home / Companies / Detectify / Blog / April 2018

April 2018 Summaries

5 posts from Detectify

Filter
Month: Year:
Post Summaries Back to Blog
Cross-Origin Resource Sharing (CORS) is a security feature implemented through headers set by web servers to regulate which domains can send requests to a specific server, preventing unauthorized data access and interaction. Misconfigurations in CORS can lead to significant security vulnerabilities, allowing malicious domains to bypass restrictions and access sensitive data. Common mistakes include reflecting origin headers, using insufficient regular expressions, allowing requests from localhost in production, and misconfiguring third-party hosts like Amazon S3 or domains like JSBin and CodePen. Such misconfigurations often stem from attempts to automate CORS policies or oversight during development, resulting in vulnerabilities like prefix checks where only the beginning of an origin is verified. Detectify, a continuous web scanner, offers automated scanning to identify these vulnerabilities, highlighting the importance of correctly configuring CORS to protect against unauthorized access.
Apr 26, 2018 1,017 words in the original blog post.
On March 28th, Drupal released a critical security update to address a severe remote code execution vulnerability, known as Drupalgeddon 2.0, which affects Drupal versions 8, 7, and unsupported 6, potentially impacting over one million sites. This vulnerability (CVE-2018-7600) allows attackers to take control of a Drupal site, accessing and modifying non-public data by merely accessing a specific URL, resulting in a high severity score. Site administrators are urged to upgrade to the latest versions, 7.58 for Drupal 7.x and 8.5.1 for Drupal 8.5.x, as exploits have been confirmed and automated attack attempts have been detected. In the interim, if immediate upgrades are not possible, patches recommended in the security advisory can provide temporary protection, and it is advised to scrutinize logs for any signs of malicious activity.
Apr 18, 2018 272 words in the original blog post.
The OWASP Top 10 of 2021 has reclassified XXE (XML External Entities) vulnerabilities, now placing them under the category of Security Misconfigurations at rank #5. XXE allows attackers to exploit XML parsers by abusing external entities, potentially leading to significant security breaches such as reading local files, initiating network requests, or executing denial-of-service attacks. Although not the most prevalent, the severity of XXE vulnerabilities remains high due to its exploitability, which requires minimal skills beyond uploading XML documents for parsing. XML's widespread use in various data forms, like metadata in images and PDFs, underscores the risk, as applications often unknowingly parse XML. Notably, XXE was successfully exploited on a Google server via Google Toolbars, highlighting its real-world impact. To mitigate risks, security measures include disabling External Entities in XML parsers, switching to simpler data formats like JSON when possible, and ensuring XML parsers are patched and up to date. Detectify and other security tools can help identify XXE vulnerabilities by scanning web applications.
Apr 17, 2018 875 words in the original blog post.
Broken Access Control, identified as the top vulnerability in the OWASP Top 10 list of 2021, affects 94% of tested web applications by failing to properly restrict user access to various functions and data. This vulnerability arises when access control mechanisms are not well-designed from the beginning or when they become overly complex as applications grow. The potential impact ranges from exposure of trivial information to complete system takeover, as demonstrated by a Twitter vulnerability where a user could delete another's account by altering request parameters. Detecting Broken Access Control involves testing for unauthorized access to restricted areas or altering user IDs to access other users' data, which can be done using tools like Detectify. To mitigate such vulnerabilities, it's crucial to implement a default-deny policy, granting access only to specific roles as needed, and logging failed access attempts for proper configuration.
Apr 10, 2018 842 words in the original blog post.
Insufficient Logging and Monitoring is a category identified by the OWASP Top 10 list, highlighting the absence of best practices that could prevent or mitigate security breaches. OWASP is dedicated to enhancing software and internet security, and this category emphasizes the importance of properly logging events, storing logs securely, and taking timely action on warnings. Although the prevalence of this vulnerability is based on industry surveys rather than exact data, improving logging and monitoring is universally acknowledged as vital. The impact of inadequate logging is significant, as evidenced by the 2016 average detection rate for attacks being 191 days, allowing attackers to further infiltrate systems and exploit stolen data. Notably, Yahoo's breaches in 2013 and 2014, reported only in 2016, underscore the consequences of delayed breach disclosure. Detecting insufficient logging and monitoring from an outsider's perspective is challenging, but tools like Detectify can simulate attacks to validate logging efficacy. To address these issues, it is crucial to back up logs, ensure sensitive actions are logged, regularly review critical logs, and implement automated alerts for specific warnings.
Apr 06, 2018 687 words in the original blog post.