Third-party components are used to build most new web applications, and these components are highly vulnerable. Here’s how you can use Tenable.io Web Application Scanning (WAS) to assess common vulnerabilities in custom code.
Today’s web applications are highly complex in terms of business features and technical architecture. This complexity leads to a dramatically expanded attack surface requiring a new approach to web application scanning.
Limitations with traditional web application scanning
Web application scanning has been traditionally focused on generic web app vulnerability detection. This is a mandatory requirement to discover and remediate common vulnerabilities, such as injection, cross-site scripting, broken authentication or insecure deserialization (see OWASP and CWE for more information). However, traditional web application scanning alone can often miss component vulnerabilities, which can be exploited in real world attacks.
The complexity of web applications ranges widely - from a single static page to a full transactional business platform. However, even a simple web application is built with multiple layered third-party components, like web servers, web application servers, web frameworks, programming languages and JavaScript libraries. The problem for security teams is that many of these components are outdated and contain multiple high-risk vulnerabilities.
Third-party components are creating growing cyber risk
While common web vulnerabilities - like those identified by OWASP - are often used for targeted attacks, third-party component vulnerabilities are being weaponized for use in automated attacks that look for vulnerable components to exploit.
Equifax is the best-known breach in the last two years resulting from threat actors exploiting third-party components. The entry point was likely an outdated Apache Struts component exploited to get remote code execution on the targeted web application, so the root cause was a third-party component vulnerability. Content Management Systems (CMS) are also becoming a significant web attack vector. Web applications running unpatched Drupal were widely exploited with the Drupalgeddon (1, 2 and 3) attacks over the past several years. WordPress, used by an estimated 30% of all web applications, has also been targeted recently, with CVE-2017-1001000 actively exploited in 2017.
The ability to identify and assess these third-party components is critical in web application security, and it must be part of a comprehensive web application scanning solution.
Tenable Web Application Scanning approach
Web application security assessments have to cover weaknesses and vulnerabilities for internal development and third-party components used to build the web application. The assessment process includes the following main steps:
- Browsing and enumerating hidden files and directories to identify web application entry points;
- Fingerprinting to provide information about all components used and their versions, which can identify additional entry points; and
- Vulnerability and misconfiguration detection based on information gathered during the previous steps to understand security issues to fix.
This full assessment process must be run frequently due to the continuously evolving attack surface and threat landscape, which create new entry points and vulnerabilities.
At Tenable, we have a product called Tenable.io Web Application Scanning (WAS) that can be used to assess common vulnerabilities in custom code, such as SQL Injection, Cross-Site Scripting (XSS), XML External Entity, Command Injection and Path Traversal, among many others. Once common web vulnerabilities are covered, WAS can also assess third-party component vulnerabilities.
For example, for web applications built with Drupal, WAS can detect Drupal and identify its version. Then vulnerabilities can be reported with version-based plugins (e.g., one of the plugins for SA-CORE-2019-003 security release) or remote-check plugins (e.g., the plugin for SA-CORE-2018-002).
Misconfiguration is another potentially critical security issue, as it can lead to full web application takeover if a web application is not configured properly. A fully patched WordPress can still leak usernames and expose its administration console without restriction. With these misconfigurations, an attacker is able to brute-force those users' passwords, gain access to the WordPress administration panel and take control of the web application. To help guard against this type of threat, WAS is able to enumerate WordPress usernames and detect whether a WordPress administration panel is exposed.
The same approach is applied to web framework components, which are more difficult to detect and assess. ThinkPHP is one of the web frameworks WAS is able to fingerprint, and for which it can provide remote-check plugins for critical vulnerabilities like CVE-2018-20062 and the most recent Remote Code Execution (RCE) for ThinkPHP 5.x < 5.0.24. JavaScript libraries are also components that must be assessed to detect Cross-Site Scripting and other critical vulnerabilities (e.g., jQuery File Upload). jQuery, Bootstrap or YUI are some of the JavaScript libraries WAS supports in its broad vulnerability coverage.
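The fingerprint-then-compare step described above (detect a component and its version, then match it against version-based advisories), as an added example that is not Tenable or WAS code. The fingerprint rules, the advisory table layout and the sample HTTP response are assumptions constructed for illustration; the only advisory row is the ThinkPHP 5.x < 5.0.24 range the article cites.

```python
import re

# Assumed fingerprint rules: (component, regex whose group 1 is the version).
# The generator meta tag is a real WordPress/Drupal convention; the ThinkPHP
# header rule is an assumption made for this example.
FINGERPRINTS = [
    ("WordPress", re.compile(r'<meta name="generator" content="WordPress ([\d.]+)"', re.I)),
    ("Drupal", re.compile(r'<meta name="generator" content="Drupal (\d+)', re.I)),
    ("ThinkPHP", re.compile(r"^X-Powered-By: ThinkPHP/([\d.]+)", re.I | re.M)),
]

# Version-based advisory table: (component, affected range [lo, hi), reference).
# Only the range stated in the article is included; real scanners carry one
# row per advisory (e.g. Drupal SA-CORE releases).
ADVISORIES = [
    ("ThinkPHP", "5.0", "5.0.24", "ThinkPHP 5.x RCE (fixed in 5.0.24)"),
]

def version_tuple(v):
    """Turn '5.0.23' into (5, 0, 23) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def fingerprint(raw_headers, body):
    """Return {component: version} for every rule matching the headers or body."""
    found = {}
    for name, rule in FINGERPRINTS:
        m = rule.search(raw_headers) or rule.search(body)
        if m:
            found[name] = m.group(1)
    return found

def vulnerable(found):
    """Match each fingerprinted version against the advisory table; return the hits."""
    hits = []
    for comp, lo, hi, ref in ADVISORIES:
        if comp in found:
            v = version_tuple(found[comp])
            # Tuple comparison treats the shorter prefix (5, 0) as lower than (5, 0, 23).
            if version_tuple(lo) <= v < version_tuple(hi):
                hits.append((comp, found[comp], ref))
    return hits

# Constructed sample response (not captured from a real site).
SAMPLE_HEADERS = "HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Powered-By: ThinkPHP/5.0.23\r\n"
SAMPLE_BODY = "<html><head><title>Shop</title></head><body>ok</body></html>"

if __name__ == "__main__":
    for comp, ver, ref in vulnerable(fingerprint(SAMPLE_HEADERS, SAMPLE_BODY)):
        print(f"{comp} {ver}: affected by {ref}")
```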
Learn more
Web applications can be extremely complex to secure, and the web application attack surface and threat landscape are continuously evolving. All third-party components must be covered in terms of misconfiguration and vulnerability detection in a web application scanning solution. Because WAS is backed by Tenable Research, the industry’s largest vulnerability research organization, the product supports a broad range of web application vulnerability detection plugins spanning custom web development and third-party components.
If you’re interested in learning more, please join us on March 27 for a complimentary webinar on how to Protect Your Web Applications from Component Vulnerabilities. You can also try WAS in your environment. Click here to start a free 60-day evaluation.