Many companies use web-based solutions to interact with their customers. However, this web exposure can be exploited by attackers to infiltrate networks and acquire sensitive information. To avoid this, web application security must be a key concern, and one of the best ways to achieve this is through penetration testing.
Penetration tests are designed to replicate the real-world scenario of the attackers, by testing the security posture of web applications and attacking all known vulnerabilities before the real adversaries get their hands on it.
Below are the top 10 web vulnerabilities found during our penetration tests, accompanied by a short explanation of how these vulnerabilities can be exploited and how mitigate them.
1) Cross-Site Scripting (XSS) – stored and reflected
XSS vulnerabilities allow attackers to inject malicious scripts into web pages, potentially affecting all users who view or interact with those pages. The most common XSS are:
- Reflected XSS: When a user clicks on a malicious URL created by the attacker, JavaScript code within the URL is executed. As the code is not stored on the server, the attacker must encourage people to click on a link, by using, for example, social engineering.
- Stored XSS: The malicious code is stored in the database and executed whenever a user accesses a page that uses it.
Exploitation: In the case of a stored XSS attack, an attacker may insert malicious code in a comment or a form field, which is executed when another user views the content. Reflected XSS happens when an attacker crafts a URL containing malicious code and deceives a user into clicking on it.
Recommendation: Implement strict input validation and output encoding to prevent XSS. Sanitise all user inputs and escape output. Additionally, use Content Security Policies (CSP) to reduce the risk of executing unauthorised scripts.
2) Cross-Site Request Forgery (CSRF)
CSRF can be used to trick verified users into carrying out unwanted actions on a web application, such as completing transactions or altering account information. This attack exploits the web application's inability to verify the origin of the request and the user's authorised session.
Exploitation: An attacker creates a malicious form or link. When the victim uses the link or the form, it sends a request to the vulnerable web application using the victim's cookies. This request can do all the actions that the user can do on the application, which can compromise their account.
Recommendation: There are several methods for mitigating the risk of CSRF, and we recommend using as many of them as possible. The most popular of these methods are anti-CSRF tokens, the use of custom headers, and the use of session cookies with the SameSite=Strict attribute.
3) CORS misconfiguration
By default, applications cannot communicate in JavaScript with applications from other domains. Cross-Origin Resource Sharing (CORS) can be used to modify this behaviour. Incorrect configuration could make the application vulnerable to unauthorised access from other domains.
Exploitation: The most frequent configuration errors are the misconfiguration of “Access-Control-Allow-Origin”, which if too permissive, uses a wildcard (*) or the null value, and allows requests to be made from uncontrolled domains. If, in addition, the application uses “Access-Control-Allow-Credentials: True”, then an attacker could make requests from users' sessions, thus stealing their accounts, because unlike CSRF attacks, the attacker can read the results of these requests.
Recommendation: Avoid using wildcards or null in the Access-Control-Allow-Origin header. Restrict CORS requests to trusted domains and avoid credentialed requests from untrusted origins.
4) Insecure Direct Object References (IDOR)
IDOR occurs when an application exposes internal references to objects like database keys or file paths. Attackers can manipulate these references to access unauthorised data.
Exploitation: If a user has access to document 123, he can try to modify the URL or the body of the request to access other users’ documents. For example, he could look for document 122.
Recommendation: Implement server-side access control checks to ensure users can only access authorised data. Avoid exposing sensitive identifiers in URLs and use indirect references or access tokens.
5) File upload vulnerabilities
Allowing users to upload files can pose security risks if not properly handled. Many applications rely on client-side validation, which is easily bypassed.
Exploitation: Attackers can upload malicious files such as an HTML file containing JavaScript or a server-side script like PHP, potentially gaining control of the server. It could also upload very large files to saturate the server's storage, or files that once downloaded are dangerous, such as DOCM or EXE files.
Recommendation: Perform strict server-side validation on uploaded files, checking the file type, size, and content. Store files in a non-executable directory and use randomised file names.
6) Open Redirect
An open redirect vulnerability occurs when an application allows users to be redirected to external URLs without proper validation, often based on user input.
Exploitation: An attacker can craft a legitimate-looking URL that redirects users to a malicious website, potentially tricking them into visiting harmful sites like phishing pages. On some redirects, it's also possible to add JavaScript code in place of the URL.
Recommendation: Avoid open redirects when possible. If necessary, validate and whitelist allowed domains or limit redirects to a predefined set of trusted URLs.
7) JWT vulnerabilities
JSON Web Tokens (JWT) are widely used for authentication in web applications, but improper implementation can lead to security risks.
Exploitation: If an application fails to verify a JWT’s signature, attackers can manipulate the token to alter claims, such as the user’s identity or role. So, even without an account on the application, the attacker can obtain an admin token that never expires.
Recommendation: Always verify JWT signatures using secure algorithms (e.g., HS256, RS256) and ensure tokens are signed with a strong secret key. Enforce strict expiration times.
8) Components with known vulnerabilities
Web apps frequently rely on external libraries, which might have security vulnerabilities. If certain components are not updated, the application may become vulnerable.
Exploitation: Attackers can exploit known vulnerabilities in outdated components to compromise the system.
Recommendation: Regularly update third-party libraries and frameworks. Apply security patches promptly and remove unused dependencies.
9) Insecure storage of session tokens
Storing session tokens in insecure locations such as local or session storage exposes them to potential theft by malicious actors. These tokens are essential for maintaining user sessions and, if compromised, an attacker can hijack the session, impersonate the user and gain access to sensitive information.
Exploitation: Attackers can exploit cross-site scripting (XSS) vulnerabilities to steal session tokens stored in the browser's storage. Furthermore, tokens stored in these locations are vulnerable to browser-based attacks, such as client-side malware or browser extensions.
Recommendation: Prefer cookies with Secure, HttpOnly and SameSite flags over other storage mechanisms to make them inaccessible to JavaScript and therefore protected against XSS attacks.
10) SQL injection (SQLi)
SQL injection vulnerabilities allow attackers to execute malicious queries by injecting SQL code into input fields.
Exploitation: Attackers can insert malicious SQL commands to access, modify, or delete data, bypass authentication, or execute commands on the server.
Recommendation: Use prepared statements and parameterised queries to prevent SQL injection. Validate and sanitise all inputs and avoid constructing SQL queries by concatenating user input.