With Sony the latest victim of hacking, large organisations are witnessing yet again how data breaches cause serious damage, to the tune of millions. The prevalence of hacking in the media raises the question: what’s in store for 2015? Against a background of more frequent and dangerous XSS attacks, third-party code and plugins remaining the Achilles’ heel of web applications, and growing chained attacks, organisations will be looking for new ways to protect their online properties.
Unfortunately, it’s pretty difficult to make information security predictions, and even more difficult to verify them afterwards – we can only judge the effectiveness of information security by the number of public security incidents, since the majority of data breaches remain undetected. Nevertheless, here are some web security predictions based on common-sense profitability (the profit/cost ratio) for hackers:
1. Vulnerable Web Apps Will Remain A Target
When almost any company has one or even several vulnerable web applications, hackers will not bother to launch complex and expensive APT attacks with zero-day exploits. Companies continue to seriously underestimate the risks related to their web applications and websites. A tiny vulnerability, such as an XSS, can lead to the compromise of a company’s entire local network, e-mail and databases.
2. XSS Will Become More Frequent & Dangerous
It’s very difficult to detect high- or critical-risk vulnerabilities in well-known web products (e.g. Joomla, WordPress, SharePoint, etc.). However, low- and medium-risk vulnerabilities, such as XSS, will still appear regularly. Sophisticated exploitation of an XSS can give the same outcome as an SQL injection vulnerability, so hackers will rely on XSS attacks more and more to achieve their goals.
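The root cause of most reflected XSS is a template that writes an untrusted value into HTML without encoding it for the context it lands in. The following Python snippet is an added example for this article, not code from the original post or from any of the products named above: it shows the same greeting template rendered unsafely and safely, using the standard library’s html.escape. UNTRUSTED_NAME is a constructed sample input, and contains_injected_tag is a deliberately crude check used only to make the difference visible.

```python
import html

# Constructed sample input, standing in for what an attacker submits in a
# "display name" field. Added example; not code from the article.
UNTRUSTED_NAME = '"><script>alert(1)</script>'


def render_greeting_vulnerable(name: str) -> str:
    """Reflects the value verbatim into HTML body and attribute context.

    The sample input closes the attribute, closes the <input> tag and opens
    a <script> element, so the browser runs attacker-controlled code in the
    site's own origin, with whatever session that origin holds."""
    return f'<p>Hello {name}</p><input name="who" value="{name}">'


def render_greeting_hardened(name: str) -> str:
    """Same template, with every untrusted value HTML-encoded before use.

    html.escape(quote=True) rewrites & < > " and ' as entities, so the value
    can neither open a tag in body context nor break out of a double-quoted
    attribute. It is NOT sufficient for a value placed inside a <script>
    block or a URL; those contexts need their own encoders."""
    safe = html.escape(name, quote=True)
    return f'<p>Hello {safe}</p><input name="who" value="{safe}">'


def contains_injected_tag(fragment: str) -> bool:
    """Crude illustration check: does the rendered fragment contain an
    element the template itself never emits? (A real test would parse it.)"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print(render_greeting_vulnerable(UNTRUSTED_NAME))
    print(render_greeting_hardened(UNTRUSTED_NAME))
```

The hardened version is the minimum, not the whole answer: output encoding has to be applied per context (HTML body, attribute, JavaScript string, URL), which is why templating engines that auto-escape by default, plus a Content-Security-Policy header, are the usual defence-in-depth pairing.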
3. Third-Party Code & Plugins Will Become The Achilles’ Heel Of Web Apps
While the core code of well-known CMSs and other web products is pretty safe, third-party code such as plugins or extensions remains exposed even to high-risk vulnerabilities. People tend to forget that one outdated plugin or third-party website voting script endangers the entire web application. Obviously, hackers will not miss such opportunities.
4. Chained Attacks & Attacks Via Third-Parties’ Websites Will Grow
Today it’s pretty difficult to find a critical vulnerability on a well-known website. It’s much quicker, and thus cheaper, for hackers to find several medium-risk vulnerabilities which, combined, give them complete access to the website. Another trend is to attack a reputable website that the victim regularly visits. For example, when chasing a C-level executive, hackers may compromise several high-profile financial websites or newspapers and insert an exploit pack that is activated only for a specific combination of IP address, user-agent and authentication cookie belonging to the victim. Such attacks are very hard to detect, as only the victim can notice the attack.
5. Weak Passwords & Password Re-Use Will Remain A Very Serious Problem
Many people still use the same or similar passwords for all their accounts. Hackers cannot miss such an opportunity and actively exploit this human weakness. The first step of the attack is to identify all the websites or blogs where the victim is registered or has an account. The second step is to select the weakest website from the list and compromise it. The password encryption techniques commonly used in web applications today are far from resistant, and a plaintext password can be recovered pretty quickly. Even if the victim uses a very strong password and it is properly encrypted in the database – hackers will simply trojan the web application to intercept the password in plaintext during login. The last step is to try the password against all of the victim’s accounts and resources.
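The claim that stored passwords are "far from resistant" usually comes down to how they are hashed. The Python below is an added example written for this article, not code from the original post: it contrasts the unsalted fast hash still found in many web applications with a salted, iterated PBKDF2 scheme from the standard library. COMMON_PASSWORDS is a constructed stand-in for a leaked-password dictionary, and PBKDF2_ITERATIONS is an assumed work factor to be tuned per deployment.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist standing in for a leaked-password dictionary.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Summer2014!"]

# Assumed work factor; tune so one hash costs roughly 100 ms on your servers.
PBKDF2_ITERATIONS = 200_000


def store_unsalted_md5(password: str) -> str:
    """Weak scheme: one fast hash, no salt. Two users with the same
    password get the same digest, and a dictionary can be tried against a
    dumped table at millions of guesses per second."""
    return hashlib.md5(password.encode()).hexdigest()


def recover_from_unsalted_md5(digest: str, wordlist) -> Optional[str]:
    """Dictionary pass over an unsalted digest, as an auditor would run it
    to show the exposure; returns the matching word or None."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. Each user gets a random 16-byte salt, so a
    dictionary must be re-run per user and every guess costs the full
    iteration count rather than one MD5."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the parameters stored alongside the digest and
    compare in constant time so timing does not leak the prefix match."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    weak = store_unsalted_md5("letmein")
    print("unsalted md5 recovered:", recover_from_unsalted_md5(weak, COMMON_PASSWORDS))
    strong = store_pbkdf2("letmein")
    print("pbkdf2 record:", strong)
    print("verify:", verify_pbkdf2("letmein", strong))
```

Storing the iteration count in the record lets you raise the work factor later without invalidating existing users. Note what this does and does not buy: salted, slow hashing limits the damage from a dumped table, but it does nothing against the trojaned login handler described above, because the plaintext passes through the application before it is ever hashed.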
6. Application Logic Errors Will Become More Frequent & Critical
Examples from AliExpress and Delta Airlines highlight the impact of application logic vulnerabilities, which are almost undetectable by automated solutions. Web developers have become aware of XSS and SQL injection flaws and code much better than before; however, they forget about application logic vulnerabilities, which may be even more dangerous than SQL injection or RCE.
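The AliExpress and Delta Airlines cases are not reproduced here; instead, as an added example written for this article (not code from the original post or from either company), the Python below shows the general shape of a logic flaw that no scanner flags: a checkout that trusts the price and quantity the client submitted. CATALOGUE, MAX_QTY_PER_LINE and both carts are constructed values.

```python
# Constructed catalogue standing in for the shop's product table
# (prices in integer cents to avoid floating-point rounding).
CATALOGUE = {"SKU-1001": 4990, "SKU-2002": 500}

MAX_QTY_PER_LINE = 100  # assumed business rule


class InvalidOrder(ValueError):
    """Raised when a cart violates a business rule."""


def checkout_vulnerable(cart):
    """Totals the cart exactly as the client submitted it.

    There is no injection and no unsafe API call, so a scanner or WAF sees
    nothing wrong, yet the client controls both price and quantity."""
    total = 0
    for line in cart:
        total += line["price"] * line["qty"]
    return total


def checkout_hardened(cart):
    """Re-derives every amount from server-side state and enforces the
    rules a human reviewer would write down: known SKU, positive integer
    quantity within limits, and a total that is actually a charge."""
    total = 0
    for line in cart:
        sku = line.get("sku")
        qty = line.get("qty")
        if sku not in CATALOGUE:
            raise InvalidOrder(f"unknown sku {sku!r}")
        # bool is a subclass of int in Python, so exclude it explicitly
        if not isinstance(qty, int) or isinstance(qty, bool):
            raise InvalidOrder(f"quantity must be an integer, got {qty!r}")
        if qty <= 0 or qty > MAX_QTY_PER_LINE:
            raise InvalidOrder(f"quantity {qty} out of range for {sku}")
        # price comes from the catalogue, never from the request
        total += CATALOGUE[sku] * qty
    if total <= 0:
        raise InvalidOrder("order total must be positive")
    return total


# Constructed requests: an honest cart and a tampered one.
HONEST_CART = [{"sku": "SKU-1001", "price": 4990, "qty": 2}]
TAMPERED_CART = [
    {"sku": "SKU-1001", "price": 1, "qty": 1},     # price rewritten client-side
    {"sku": "SKU-2002", "price": 500, "qty": -9},  # negative quantity = refund
]


def tampered_cart_rejected(cart) -> bool:
    """True if the hardened checkout refuses the cart."""
    try:
        checkout_hardened(cart)
    except InvalidOrder:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable total (cents):", checkout_vulnerable(TAMPERED_CART))
    print("hardened rejects tampered cart:", tampered_cart_rejected(TAMPERED_CART))
```

The vulnerable path returns a negative total for the tampered cart, i.e. the shop would owe the customer money, and every request involved is well-formed HTTP with plausible JSON. Finding this requires someone who understands what the application is supposed to do, which is exactly the gap the prediction describes.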
7. Automated Security Tools & Solutions Will Not Be Efficient Anymore
Web Application Firewalls, web vulnerability scanners and malware detection services will no longer be effective if used separately or without human control. Both web vulnerabilities and web attacks are becoming more sophisticated and harder to detect, and human intervention is almost always necessary to properly detect all the vulnerabilities. It’s no longer enough to patch 90% or even 99% of the vulnerabilities – hackers will find the last one and use it to compromise the entire website.