Secure360

How ignoring low-level security risks can open the door to major attacks

April 25, 2016 by Dingjie Yang

The following is a guest post by a 2016 Secure360 Twin Cities Gold Sponsor Qualys.

As attacks against web applications rise, cybersecurity teams have naturally prioritized the elimination of high-risk threats such as SQL injection and cross-site scripting (XSS) vulnerabilities. The flip side is that many cybersecurity teams choose to ignore or delay the remediation of low-level security vulnerabilities in their web applications. Unfortunately, this isn’t a wise strategy. Underestimating the importance of fixing low-level security issues could create a major problem for an organization. Why? By exploiting a combination of seemingly trivial vulnerabilities, attackers can sometimes open up a big security gap that lets them do extreme damage. In this article, I will demonstrate such a scenario, showing how, by taking advantage of several unfixed low-level security issues, an attacker could transform insignificant security issues into an armor-piercer to break your web applications!

Low-level security issues share unique factors

For attackers, low-level security vulnerabilities are simple and inexpensive to discover, as well as straightforward to exploit. For instance, I conducted surveys about clickjacking, which is treated as a minor security issue, among the top 20 bank websites, and surprisingly found that 70 percent were at risk of clickjacking attacks in 2012 and 45 percent in 2015.

Meanwhile, webmasters usually treat low-level vulnerabilities as trivial issues until a real breach occurs. This means that low-level security issues persist longer in web applications, giving attackers time to leverage them for mounting a major attack.

Modern web application firewalls (WAFs) can be configured to block low-level security issues, but often webmasters will not bother to do so, leaving these vulnerabilities as “blind spots.” This means that some WAFs will not be able to block the threats when attackers are manipulating the web applications via these low-level security issues.

After taking into account all the above-mentioned factors, it is easy to understand why low-level security issues could open the first door to taking down your web applications.

Real-world scenario

In a recent audit of MyBB, an open source application which people use to create discussion forums, I found three low-level security issues. If exploited in aggregate, these flaws could allow a hacker to gain total control of MyBB. The issue has been partially addressed in its latest version (MyBB 1.8.7), so users are no longer vulnerable to the danger described here.

Three low-level issues discovered in MyBB

MyBB 1.8.6 contains the following minor security issues, which seem trivial if they are evaluated separately.

“GET” and “POST” methods are not distinguished

The “GET” and “POST” methods are the most commonly used for making HTTP requests. From a security perspective, using the “POST” method to submit sensitive data is always recommended. Those interested in learning the security differences between the “POST” and “GET” methods in detail should read this article, which goes into fine-grained detail.

MyBB adopts the “POST” method in its ACP (Administrator Control Pages) for submitting sensitive data, such as adding users, changing web application settings and backing up the database. However, the web application does not strictly distinguish “POST” and “GET” requests, even though it is designed to use the “POST” method by default for some types of sensitive requests, such as adding an “administrator” user.

Data is processed before the CSRF (cross-site request forgery) validation

A robust server should block the request and refuse to parse the forged value when it detects that the CSRF token is invalid or missing. In this case, however, the web application still parses the forged value and enters it into the input field despite the missing CSRF parameter in the request.

Clickjacking vulnerability

Clickjacking is an attack that tricks a web user into clicking a button, link or picture by overlaying the vulnerable web page with an iframe.

The absence of a clickjacking countermeasure is another security issue in this application, and it is the last nail in the coffin. By taking advantage of this vulnerability, an attacker could frame the ACP pages and trick victims into clicking on something inadvertently.
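The three weaknesses above come down to the order in which a sensitive handler does its work. The following is an added illustration, not MyBB code: a minimal handler that mirrors the weak ordering (any method accepted, input processed before the token check, no framing defence) next to a hardened one that rejects non-POST requests, verifies the CSRF token before touching any input, and sends anti-framing headers. The `Request` class and handler names are hypothetical.

```python
# Added example (not from MyBB): weak vs. hardened handling of a sensitive
# admin action. Request/handler names are hypothetical.
import hmac
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    params: dict        # query-string and form fields merged, as a lax app sees them
    session_token: str  # the CSRF token the server stored for this session


def vulnerable_add_admin(req: Request) -> dict:
    """Weak ordering: any method, input parsed and echoed before the CSRF check."""
    # Weakness 1: GET and POST are treated alike, so a plain link can submit.
    username = req.params.get("username", "").strip()
    # Weakness 2: the value is parsed and placed in the form before the token
    # is checked, so a request with no token still yields a pre-filled page.
    page = {"prefilled_username": username, "headers": {}}  # Weakness 3: no anti-framing headers
    if req.params.get("csrf_token") != req.session_token:
        page["error"] = "invalid token"
    else:
        page["created"] = username
    return page


def hardened_add_admin(req: Request) -> dict:
    """Reject non-POST, verify the token before using any input, deny framing."""
    headers = {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }
    if req.method != "POST":
        return {"status": 405, "headers": headers}
    supplied = req.params.get("csrf_token", "")
    # Constant-time comparison; no other request field has been read yet.
    if not hmac.compare_digest(supplied, req.session_token):
        return {"status": 403, "headers": headers}
    username = req.params.get("username", "").strip()
    return {"status": 200, "created": username, "headers": headers}


if __name__ == "__main__":
    # Constructed sample: a token-less request, as a framed or linked page would send.
    forged = Request("GET", {"username": "mallory"}, session_token="s3cr3t")
    print(vulnerable_add_admin(forged))   # form pre-filled with "mallory"
    print(hardened_add_admin(forged))     # status 405, nothing processed
```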

Gaining admin access by using these vulnerabilities

After exploiting all these minor security issues, it would be as easy as taking candy from a baby for an attacker to gain administrator access. It just requires some social engineering work to trick the administrator user into clicking on a button or a link in a framing page! More details can be found in the Qualys Blog.

Lessons

As the saying goes, small leaks will sink a big ship. Several low-level security issues could crack the hull of your web application. This danger is especially real these days when cyber attackers have become particularly sophisticated and don’t limit themselves to traditional exploits.

It is not uncommon to see low-level security flaws reside in a web application for a long time, even though the Qualys WAS (Web Application Scanner) flags these security holes. I hope this article flashes a red warning light for webmasters and web developers the next time they have to decide whether to ignore low-level security issues.

Filed Under: Guest Posts

About Dingjie Yang

As a Web Application Security Engineer at Qualys, Dingjie Yang spends most of his time researching and evaluating the latest vulnerabilities while collecting real-time web performance data to better secure our customers’ web applications and environments. As an avid pen tester and security bug hunter, Dingjie has discovered multiple vulnerabilities on some of the most popular web applications such as Joomla, PHPBB, Moodle and more. You can read more about Daniel’s research on the Qualys Community blog.
