Web Application Penetration Testing Services

Common Issues in Web Application Penetration Testing Services

By Akash Desai, Director, ERMProtect IT Security Consulting

Web applications typically offer some form of transactional service with payment options – shopping, banking, digital content, subscriptions, and so on. They are revenue drivers for organizations, generating sales that may not have been possible in the past because the buyer can now come from literally anywhere across the globe. Combined with the meteoric rise of the Internet, this has turned organizations into multi-million (even billion) dollar companies, often from online sales alone.

These organizations are not the only ones making money though. Web applications are now ripe targets for hackers.

Let’s take a look at some significant hacker attacks on web applications to underscore this point.

Next, we’ll identify common flaws in web applications and how to avoid them.


Web Application Hacker Attacks: An Expensive Endeavor

T-Mobile’s Customer Portal

In August 2024, T-Mobile agreed to a record $60 million settlement [1] over a significant data breach involving its web applications. Hackers had exploited vulnerabilities in T-Mobile’s customer portal, gaining access to sensitive user data, including names, addresses, and account information.

The breach affected over 40 million customers, leading to estimated financial losses of over $150 million, including fines, legal settlements, and the cost of security enhancements.

Beyond just the financial repercussions, T-Mobile’s reputation was severely impacted, with customers expressing concern over the telecom giant's ability to protect personal data.

TicketMaster Hacking

In May 2024, a hacker group called ShinyHunters attacked global events giant Ticketmaster [2]. The group offered the stolen database, containing personal information of 560 million customers, for sale on a hacking forum.


Dropbox Gets Hacked

In April 2024, Dropbox disclosed [3] that attackers had breached its Dropbox Sign e-signature service, accessing customer email addresses, usernames, phone numbers, hashed passwords, and general account settings, along with authentication data such as API keys, OAuth tokens, and multi-factor authentication details.

This intrusion also affected third parties who received or signed a document through Dropbox Sign but never created an account for themselves. The hackers were believed to have gained access all the way through to the backend where they were able to elevate account privileges and access the customer database.


Attack on Sharp HealthCare

In 2023, Sharp HealthCare, the largest healthcare provider in San Diego, suffered an attack [4] on a web server supporting its website that led to the compromise of personal information of 62,777 patients who had used its online bill-pay service.

Significant data breach incidents also occurred that year at DotHouse Health and Tallahassee Memorial HealthCare.

Web Application Attack on GoAnywhere MFT

Around the same time, a vulnerability in the web-based administration console of Fortra’s GoAnywhere MFT file-transfer product (CVE-2023-0669, a pre-authentication remote code execution flaw) [5] was exploited against more than 130 organizations, including prominent companies such as Kensington and Commvault. The breach exposed sensitive data, including personally identifiable information (PII) and financial data, resulting in significant financial losses and reputational damage.


Ripe For The Picking

These attacks demonstrate that an organization’s web applications are among its most exposed assets, and that they need protection commensurate with the heightened risk.

Unfortunately, several recent big breaches can be blamed on web application vulnerabilities that could easily have been caught by web application penetration testing services.

Most web application breaches occur due to flaws in design, coding, business logic, security misconfigurations, or the use of outdated components. These types of flaws are commonly exposed by web application penetration tests.

Just because hackers think your web applications are ripe for picking, you don’t need to leave them as low-hanging fruit.

Let’s take a look at some of the common issues found in web application penetration testing services. Hopefully, this will convince you that application penetration tests are worth your while.


Common Issues In Web Application Penetration Testing Services

Web application penetration tests are performed by ethical hackers. The goal is to uncover issues and vulnerabilities in web applications and to plug these holes before a malicious hacker takes advantage of them and exposes your organization.


Web application penetration testing services analyze the components of a web application: the authentication flow, input fields, application logic, session management, access control measures, the technologies in use, and so on. That analysis repeatedly turns up the same classes of vulnerability, such as:

Injection Flaws

An injection flaw, as OWASP defines it, is a vulnerability that allows an attacker to relay malicious code through an application to another system. This includes compromising backend systems as well as other clients connected to the vulnerable application.

The effects of these attacks include:

  • Allowing an attacker to execute operating system calls on a target machine
  • Allowing an attacker to compromise backend data stores
  • Allowing an attacker to compromise or hijack sessions of other users
  • Allowing an attacker to force actions on behalf of other users or services

These problems occur when an application builds a command, query, or page by concatenating untrusted input into it, so that data supplied by the user is interpreted as code by the receiving system: a SQL query, an operating system shell, an LDAP directory, or another user’s browser. Hackers carefully analyze the inner workings of the application, focusing on what data it requests, what can be entered into each field, how it handles incorrectly entered data, and so on.

These experiments allow hackers to find exploitable flaws. A detailed database error returned for a stray quote character confirms that input reaches the query unescaped, and error pages that echo the rejected input without encoding it are themselves a common place to inject script (cross-site scripting).

Unfortunately, injection flaws are really common. We’ve performed several web application penetration tests that allowed us to dump entire tables with credit card numbers, usernames, password hashes - and pretty much any piece of data that an organization is trying to protect.
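As an added illustration (not code from the original article), the following Python snippet shows the SQL injection case described above against a constructed in-memory SQLite table: a lookup that concatenates the username into the query, the same lookup with a bound parameter, the lone-quote probe a tester sends first, and two payloads, one that returns every row and one that dumps password hashes alongside usernames. Table contents, column names and hash values are all made up for the demonstration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the application's backend store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "h_alice", "4242"),
            ("bob", "h_bob", "1881"),
            ("carol", "h_carol", "0005"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable: the user's input is spliced into the SQL text, so the input
    # can rewrite the query instead of merely being compared against a column.
    query = f"SELECT username, card_last4 FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Fixed: the query text is constant and the value travels separately as a
    # bound parameter; the driver never interprets it as SQL.
    return conn.execute(
        "SELECT username, card_last4 FROM users WHERE username = ?", (username,)
    ).fetchall()


def probe_with_quote(conn: sqlite3.Connection, lookup) -> str:
    """First thing a tester sends: a lone quote. A database error coming back
    means the input reached the query unescaped."""
    try:
        lookup(conn, "'")
        return "handled"
    except sqlite3.OperationalError as exc:
        return f"database error leaked: {exc}"


# Classic payloads. The first turns the WHERE clause into a tautology; the
# second appends a UNION that pulls password hashes out of the same table.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT username, password_hash FROM users --"

if __name__ == "__main__":
    db = build_db()
    print(probe_with_quote(db, lookup_vulnerable))
    print(lookup_vulnerable(db, TAUTOLOGY))   # every row, not just the one requested
    print(lookup_vulnerable(db, UNION_DUMP))  # usernames paired with password hashes
    print(probe_with_quote(db, lookup_parameterized))
    print(lookup_parameterized(db, TAUTOLOGY))  # [] : the payload is just a string
```

The point of the probe is the error message: the concatenating version surfaces a raw SQLite error, which is exactly the verbose failure a hacker is fishing for, while the parameterized version treats the quote as an ordinary character and simply returns no rows.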


Weak Encryption

Weak or outdated implementations of encryption mechanisms in web applications are also commonly found by web penetration testing services. Encryption plays a very important role in protecting the data that the web application holds and transmits. But poorly configured cryptography, such as deprecated protocols (SSL 3.0, TLS 1.0 and 1.1), weak cipher suites (RC4, 3DES, export-grade ciphers), unsalted or fast hashes for stored passwords (MD5, SHA-1), short keys, outdated crypto libraries, or expired and self-signed certificates, allows malicious hackers to perform a wide range of attacks on the web application, from downgrading and decrypting traffic to recovering user passwords from a leaked database.
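The passage covers cryptography in transit and at rest alike; this added example (not code from the original article) takes the at-rest case that turns up most often in testing, stored password hashes. It contrasts unsalted MD5, which a constructed five-entry lookup table reverses instantly, with salted PBKDF2-HMAC-SHA256 verified in constant time. The user names, passwords and wordlist are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed list standing in for the wordlists a tester actually uses.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "Summer2024!"]


def weak_hash(password: str) -> str:
    # Unsalted, fast MD5: the same password always yields the same digest, so
    # one precomputed table reverses it for every user at once.
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak(stored: dict) -> dict:
    """Reverse unsalted hashes by lookup. Returns {username: recovered password}."""
    table = {weak_hash(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in stored.items() if h in table}


ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def strong_hash(password: str, salt=None) -> str:
    # A per-user random salt defeats precomputation; the iteration count makes
    # each guess expensive. Stored as algorithm$iterations$salt$key so the
    # parameters can be raised later without invalidating old records.
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_strong(stored: str, candidate: str) -> bool:
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed leaked table: two users happen to share a password.
    leaked = {
        "alice": weak_hash("Summer2024!"),
        "bob": weak_hash("Summer2024!"),
        "carol": weak_hash("zx9!Qp#rr4Lm"),
    }
    print(leaked["alice"] == leaked["bob"])      # True: identical digests
    print(crack_weak(leaked))                    # alice and bob recovered instantly
    record = strong_hash("Summer2024!")
    print(record != strong_hash("Summer2024!"))  # True: salts differ per record
    print(verify_strong(record, "Summer2024!"), verify_strong(record, "summer2024!"))
```

Carol’s hash survives only because her password is not in the wordlist; with unsalted MD5 that is the only thing protecting her, whereas the salted, iterated scheme forces the attacker to pay the full cost for every guess against every user.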


Security Misconfigurations

Security misconfigurations are frequently attributed to human error, such as failing to change a default setting, enabling insecure services, or enabling unnecessary features.

A tiny security misconfiguration could create a mountain of consequences for an organization.

Japanese car maker Toyota learned this the hard way [7] when data of 260,000 of its customers was exposed online due to a simple misconfiguration in its cloud environment. Numerous breaches of cloud storage and of content management systems such as WordPress likewise demonstrate the damage that a simple misconfiguration can cause.
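As an added example (not from the original article, and not a tool ERMProtect ships), here is the kind of response-header check a tester runs against every page of an application. It flags missing hardening headers, version-revealing Server and X-Powered-By banners left at vendor defaults, and session cookies set without the Secure, HttpOnly and SameSite attributes. The two header sets are constructed: a stock PHP-on-Apache install with defaults untouched, and the same application after hardening.

```python
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: browsers will still accept plain HTTP",
    "content-security-policy": "CSP missing: injected script runs unrestricted",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
}
COOKIE_FLAGS = ("secure", "httponly", "samesite")


def audit_response(headers: list) -> list:
    """Return a list of misconfiguration findings for one HTTP response.
    `headers` is a list of (name, value) pairs as an HTTP client library hands
    them back (a list, not a dict, because Set-Cookie legitimately repeats)."""
    findings = []
    by_name = {name.lower(): value for name, value in headers}

    for name, message in REQUIRED_HEADERS.items():
        if name not in by_name:
            findings.append(message)

    # Vendor defaults that advertise exact software versions to an attacker.
    for banner in ("server", "x-powered-by"):
        value = by_name.get(banner, "")
        if any(ch.isdigit() for ch in value):
            findings.append(f"{banner} discloses a version: {value!r}")

    # Each Set-Cookie line looks like: NAME=value; Attr; Attr=value; ...
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}
        for flag in COOKIE_FLAGS:
            if flag not in attrs:
                findings.append(f"cookie {cookie_name!r} lacks {flag}")
    return findings


# Constructed responses: a stock install with defaults left in place, and the
# same application after hardening.
WEAK_RESPONSE = [
    ("Server", "Apache/2.4.29 (Ubuntu)"),
    ("X-Powered-By", "PHP/7.2.24"),
    ("Set-Cookie", "PHPSESSID=9f3a1c7e; Path=/"),
    ("Content-Type", "text/html; charset=UTF-8"),
]
HARDENED_RESPONSE = [
    ("Server", "nginx"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=9f3a1c7e; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Content-Type", "text/html; charset=UTF-8"),
]

if __name__ == "__main__":
    for finding in audit_response(WEAK_RESPONSE):
        print("-", finding)
    print("hardened findings:", audit_response(HARDENED_RESPONSE))  # []
```

None of the nine findings on the weak response is a coding bug; every one is a default that nobody changed, which is what makes this class of issue so easy to fix and so easy to ship.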

Broken Authentication

Web applications typically have user accounts with associated credentials that a user must present to log in. Sometimes the boundaries and restrictions around this authentication process are not implemented well, allowing malicious attackers to gain unauthorized access to a user’s account. Broken authentication issues arise for several reasons:

  • Allowing users to select weak passwords by not enforcing strong password policies
  • Allowing multiple concurrent sessions for the same account without the user’s knowledge
  • Allowing sessions that do not time out after a period of inactivity
  • Exposing session identifiers or other session-related parameters in the URL, where they end up in browser history, proxy logs, and Referer headers
  • Displaying error messages that allow hackers to infer whether an account exists. For example, a hacker could attempt to log in as “John” and then as a ridiculous name such as “tootsieroll.” If the two attempts produce different error messages (or noticeably different response times), the hacker can infer that “John” is a valid account and concentrate on it.

These kinds of flaws often allow malicious hackers to bypass the authentication process and gain unauthorized access to the web application.
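Here, as an added example rather than code from the original article, is the “John”/“tootsieroll” enumeration above made concrete in Python, together with the fix and an idle-session timeout. The leaky login returns different messages for unknown users and wrong passwords; the uniform login returns one message, does the same amount of hashing work whether or not the user exists (so response time does not leak either), and compares keys in constant time. The user store, password, and timeout value are constructed for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # kept modest so the demo runs quickly; raise in production


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, derived key). One real account.
_salt = os.urandom(16)
USERS = {"john": (_salt, derive("correct horse battery staple", _salt))}

# A throwaway record used for unknown usernames, so that a failed login costs
# the same amount of work whether or not the account exists.
_dummy_salt = os.urandom(16)
DUMMY = (_dummy_salt, derive(os.urandom(16).hex(), _dummy_salt))


def login_leaky(username: str, password: str) -> str:
    # Two different failure messages: the first tells the attacker which
    # usernames are real before a single password has been tried.
    if username not in USERS:
        return "Unknown username"
    salt, key = USERS[username]
    if derive(password, salt) != key:  # plain != is also not constant-time
        return "Incorrect password"
    return "OK"


def login_uniform(username: str, password: str) -> str:
    # One message and one code path for every failure. The dummy record keeps
    # the response time flat for unknown users, and compare_digest avoids an
    # early-exit comparison on the derived key.
    salt, key = USERS.get(username, DUMMY)
    matched = hmac.compare_digest(derive(password, salt), key)
    if matched and username in USERS:
        return "OK"
    return "Invalid username or password"


def enumerate_users(login, candidates: list) -> list:
    """What a tester does with a leaky login: compare each candidate's response
    against the response for a name that certainly does not exist."""
    baseline = login("zz-no-such-user-zz", "x")
    return [name for name in candidates if login(name, "x") != baseline]


IDLE_TIMEOUT_SECONDS = 15 * 60


class Session:
    def __init__(self, user: str, now: float):
        self.user = user
        self.token = os.urandom(32).hex()  # 256 random bits, never a counter
        self.last_seen = now


def session_valid(session: Session, now: float) -> bool:
    """Reject a session idle longer than the timeout; otherwise refresh it."""
    if now - session.last_seen > IDLE_TIMEOUT_SECONDS:
        return False
    session.last_seen = now
    return True


if __name__ == "__main__":
    print(enumerate_users(login_leaky, ["john", "tootsieroll"]))    # ['john']
    print(enumerate_users(login_uniform, ["john", "tootsieroll"]))  # []
    s = Session("john", now=0.0)
    print(session_valid(s, 10 * 60), session_valid(s, 10 * 60 + 16 * 60))  # True False
```

Note that the uniform version still has to check `username in USERS` after the comparison: the dummy record protects timing, but without that check a guess equal to the dummy password would log an attacker into a non-existent account.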


Outdated Technology

Outdated technology is another very common issue found in most web application penetration tests. Not all code is developed by web application developers. A lot of it is leveraged from third party libraries and frameworks.

When there are bugs in these borrowed libraries and frameworks, the effects cascade into every web application that depends on them. Inheriting vulnerabilities in this manner is an extremely common occurrence in web applications today, which is why testers fingerprint component versions and compare them against published advisories.


Common Issues in Penetration Testing Services Can Be Of Uncommon Significance

The consequences of web application attacks vary. For instance, injection flaws could allow outcomes such as website defacement, redirection of victims to malicious websites, theft of sensitive data, or failure of authentication mechanisms.

Improper implementation of encryption mechanisms can lead to data exposure.

Security misconfigurations can open access to a database server, content management system, or a cloud service provider.

Broken authentication issues can allow malicious attackers to gain unauthorized access to legitimate accounts leading to identity theft, unauthorized transactions, and complete account hijacking, among others.

Outdated technologies allow malicious hackers to perform a wide gamut of attacks including injection attacks, remote code execution, access control related attacks, and other attacks based on the specific unpatched component(s) used in the web application.


What Can Organizations Do To Avoid This Can Of Worms?

To avoid these issues, organizations must adopt a proactive security stance, and the best place to begin is with the low-hanging fruit. Let’s take a look at some of the steps that can be taken to ensure that common vulnerabilities are not present in web applications:

  • Web developers need to scan their code for injection flaws during development to identify vulnerabilities. The primary defense is to keep data and code separate: use parameterized queries (prepared statements) or an ORM rather than string concatenation for database access, avoid passing user input to shell commands, and encode output for the context in which it is rendered. Validating user input against an allow-list is a worthwhile second layer, but it is not a substitute for those controls.
  • If data entered by the user causes an error, then errors should be displayed with a generic message. At no time should detailed errors from the web application be displayed to the users. Like we saw in broken authentication, the simple act of having a different error message in different situations can leak valuable information to a hacker. By making all error messages generic, you minimize the chances of any internal data leakage through them.
  • Ensure sensitive data in transit and at rest is secured with strong, current cryptography. Use TLS 1.2 or later for data in transit (all versions of SSL, as well as TLS 1.0 and 1.1, are deprecated) with modern cipher suites, and ensure that secure versions of algorithms, libraries, and other cryptographic components are used within the web application. Cryptographic libraries should be patched and updated to the latest stable versions as soon as they are available.
  • Regularly review security configurations and settings in the web application to ensure that they are hardened as per security best practices. Access controls should be in place with the least privileges assigned to users. Vendor defaults and unnecessary features should be disabled. The latest patches should be applied in a timely manner.
  • Implement multi-factor authentication on web applications to add an extra layer of security for online accounts. In addition, apply session management best practices: terminate inactive sessions automatically within a reasonable timeframe, issue session identifiers that are long and unpredictable, transmit them only over TLS in cookies flagged Secure, HttpOnly, and SameSite (never in URLs), and rotate them on login and on privilege changes.
  • Ensure that developers use components and libraries that are actively updated and patched on a timely basis. This will help your organization avoid using outdated technology with vulnerabilities and bugs.
  • Insist that all departments undergo security awareness training so users learn how to work safely on-line and spot signs of attacks. It is important to train and strengthen the “human firewall” in the organization.

Studies show that 95% of all cybersecurity issues can be traced to human error [8]. Training goes a long way toward helping staff understand potential vulnerabilities and recognize threats, thus minimizing the risks that originate from the human element.


Penetration Testing Services are Critical for Web Applications

Web applications play a very significant role in organizations. Organizations need to understand that performing regular web application penetration tests is more important than ever to build trust with customers.

Keep in mind, too, that it is much more economical to engage penetration testing services than to pay for a data breach. The average cost of a data breach in the United States in 2024 was $9.36 million [9]. In the current threat landscape, it is essential that web applications are regularly tested to build in resilience against cyber-attacks.

At ERMProtect, our penetration testing services are unmatched. We have been conducting them for nearly three decades and take pride in our expertise, experience, and commitment to safeguarding our clients’ cybersecurity posture. For more information, please email Judy Miller at [email protected] or call 305-447-6750.


References:

  1. https://www.forbes.com/sites/antoniopequenoiv/2024/08/14/t-mobile-will-pay-record-breaking-60-million-settlement-over-alleged-data-breach-violations/
  2. https://www.bitdefender.com/en-us/blog/hotforsecurity/notorious-hacking-group-claims-ticketmaster-data-breach-personal-details-of-560-million-customers-potentially-compromised
  3. https://thehackernews.com/2024/05/dropbox-discloses-breach-of-digital.html
  4. https://www.techtarget.com/healthtechsecurity/news/366593878/Nearly-63K-Impacted-by-Healthcare-Data-Breach-from-Exploited-Web-Server
  5. https://www.fortra.com/blog/summary-investigation-related-cve-2023-0669
  6. https://www.securitymagazine.com/articles/99770-70-of-web-applications-have-severe-security-gaps
  7. https://www.csoonline.com/article/575483/cloud-misconfiguration-causes-massive-data-breach-at-toyota-motor.html
  8. https://www.weforum.org/agenda/2020/12/cyber-risk-cyber-security-education/
  9. https://www.statista.com/statistics/273575/us-average-cost-incurred-by-a-data-breach/#:~:text=As%20of%202024%2C%20the%20average,million%20U.S.%20dollars%20in%202024


About the Author

Akash Desai is a Director of Consulting for ERMProtect. For more than 21 years, he has combined technical expertise with creativity and problem-solving acumen to create innovations and solutions that address challenging cybersecurity problems. His past accomplishments at the prestigious CERT® Coordination Center and the innovative Carnegie Mellon CyLab bear witness to his goal-oriented approach to cybersecurity’s biggest issues in the areas of insider threat, intrusion prevention, proactive and agile cyber-defense, and security awareness training. At ERMProtect, he is the brain behind the innovative ERMProtect cybersecurity awareness training practice and has led several highly complex cybersecurity projects and project teams.
