Despite making huge investments in IT security, large corporations across the world seem to be losing out to the new generation of cyber attackers. These modern day hackers are smarter, more innovative and have the capabilities to cause severe damage. Indusface, a leading provider of application security solutions for web and mobile applications, has identified five notorious habits of web application hackers that can help you understand their strategies and devise smarter ways to counter them.
According to Mr Ashish Tandon, Chairman and CEO at Indusface, “If you have to prevent a hacker, you need to think like him. You have to test the security system just the way a real hacker would exploit them. And that’s where our ‘Five habits of web application hackers’ guide will help you understand their strategy better and learn from them to protect websites.”
Habit 1: Finding Dark Motivation
According to results from the “Cyber crime Survey Report 2014,” 58% attacks happen for financial gains. Malicious damage, competitor grudge, and ethical reasons are some of the other popular motivators to cyber crimes. While online business websites are at highest risk of hacking, public sector isn’t safer either. Last year alone 155 .GOV and . NIC domains were hacked. A majority of these attacks came from neighboring country IPs.
Begin with gauging risk level and allot appropriate budget to web application security. Risks levels are critical for organization with considerable online reputations and business credibility. Government and banking websites are also lucrative options for hackers around the world.
Habit 2: Detecting Weaknesses
Detecting weaknesses or vulnerabilities in web application architecture is the first step for any hacker. It helps him analyze if a certain website is exploitable. A few years ago, the vulnerability-finding process had to be performed manually, but now there are dozens of open source scanners that look for basic vulnerabilities like Cross Site Scripting (XSS), Command execution detection CRLF Injection, SEL Injection and Xpath Injection, Weak .htaccess configuration.
The only smarter way to stay one-step ahead of the hackers is to detect vulnerabilities with an even smarter web application scanner. IndusGuard Web not only looks for OWASP and WASC listed vulnerabilities but also monitors for malware, blacklisting, and defacement attempts.
Habit 3: Analyzing Logical Weaknesses
Modern apps are continuously changing with new vectors coming in and you can never really predict that a hacker might find handy. While automated programs can find basic vulnerabilities, it requires an analytical human mind to look for logical weaknesses. These are vulnerabilities within business logic of an application and are limited by a definition or scope. The logic flaws could creep into commands related to monetary transactions, timeout of sessions or any other aspect of business processes. Unfortunately, most companies do not even know about them unless there is a monetary leakage.
Business logic flaws can only detected and mended by people who understand how such exploitations work. Manual penetration testing from application security experts is the best way to find such vulnerabilities before hackers.
Habit 4: Exploiting Weaknesses
It has been estimated that businesses lose annually $3.8 million annually to cyber exploitations. In fact, in the past few months, large online song portal and taxi-for-hire websites have been hacked using vulnerabilities like SQL Injection.
After vulnerability detection, patching application source code is not always possible for many reasons. For continuous protection, web application firewall is a feasible solution that not only prevents attacks but also provides data on attack attempts. It helps learn more about techniques that attackers use and then framing better policies to detect and protect web applications.
Habit 5: All-Out Service Denial
Distributed denial-of-service (DDoS) is an exploitation that all web applications are vulnerable to. Under a DDoS attack, users are unable to access the websiteas the server is busy processing requests from bots before it crashes completely. In fact, there have been reports of DDoS attacks lasting for weeks, costing millions for companies. Hackers often ask for ransom in lieu of stopping such attacks. In other scenarios, they just want to disrupt performance out of grudge or rivalry.
Distributed denial-of-service attacks can only be stopped with constant monitoring. Managed security experts have to look for attack patterns based on malicious IPs, machine fingerprints, and bot signature and create custom rules to block them and prevent DDoS attack before it can cause any harm