CYE Insights

Your Scanners and WAFs are Not Going to Protect You

In the modern world, every company uses software to support their business activities: from garages to banks to local grocery stores to e-commerce – to name a few. While small to medium-sized companies usually use off-the-shelf products and\or cloud services (SaaS), medium and large enterprises, as well as software development companies, often require proprietary self-developed software solutions.

While off-the-shelf and cloud service clients are often not responsible for the security of the software products, proprietary solutions require both the developing company and the main consumer to be responsible and\or accountable for the security of their software.

Software security should be an ongoing process by adopting SDL (Security Development Lifecycle) best practices, but companies often do not follow them and instead focus on software testing and on-prem defense. While security testing can be done manually (via penetration testing), the automated testing of products is becoming more and more popular, as part of the DevOps chain (DevSecOps).

Automated security testing products can be divided into two main categories: Dynamic scanners (DAST – Dynamic application security testing) that scan the web interface itself and automated code scanners (SAST – Static application security testing) that scan the software source code. In addition, automatic protective mechanisms try to stop applicative attacks as they happen. The most common type is Web Application Firewalls (WAF), which look for signatures of known attacks and block the requests from reaching the server.

All these products seek to protect against long-time and well-known attacks, such as SQL Injections and Cross-Site-Scripting (XSS). However, these products are often imperfect, as scanners can miss vulnerabilities and signature-based products, such as WAFs can be bypassed. In addition, all of these tools are focused on vulnerabilities, such as SQL injections and XSS, which are considered yesterday’s vulnerabilities.

As programming frameworks are becoming more and more advanced, built-in and\or by-design protected mechanisms replace the old and vulnerable technologies. In this day and age, instead of programmers writing code with manual SQL queries and syntax, ORM (Object Relational Mapping) frameworks are being used, greatly reducing the frequency of SQL Injections. Moreover, instead of manual frontend HTML and Javascript programming, frontend frameworks, such as React, Angular and Vue.js, are being used, greatly reducing the frequency of XSS. In fact, all the technical injections that can be detected by black-list signatures, are becoming less and less frequent.

Instead, hackers are focusing on business-related vulnerabilities, such as Insecure Direct Object Reference (IDOR), authorization and authentication bypass and different kinds of business-related parameter tampering, such as transferring a negative amount of money from one account to the other. These vulnerabilities were always present, but as technical injections become less frequent, the focus has shifted to business-related vulnerabilities.

Moreover, the common automated defensive products – WAFs and dynamic and static scanners – do not detect these types of vulnerabilities. In fact, there is currently no practical way to automatically detect or protect against authorization bypass, for example. In the future it is likely that there will be automatic mechanisms to protect against these attacks, as machine learning and artificial intelligence become more advanced and enter the application security field. However, today these vulnerabilities can almost entirely be detected by using manual penetration testing.

These advanced vulnerabilities are everywhere: In November of 2020, for example, the United States Department of Defense was reported to be vulnerable to Insecure Direct Object Reference; In January 2021, Parler, the social network that has became the social network of choice of many fringe Republican users, was reported to use sequential post IDs and enabled scraping of terabytes of information, using the Insecure Direct Object Reference technique; In the last few days of April 2021, 500 million LinkedIn records were reported to be scraped and sold on the dark-web, presumably also using Insecure Direct Object Reference.

In addition, in 2017, the United States Postal Service (USPS) Informed Visibility service was vulnerable to authorization bypass, enabling any user to access or modify other users’ personal data; In early 2020, Virgin Media authentication misconfiguration led to data breach affecting 900,000 customers; in March 2021, the entire Israeli voter database – containing records of 6.5 million citizens – was leaked, probably by exploiting Insecure Direct Object Reference vulnerability, accessing an exposed database.

These are just a few of the many examples of business-related, authentication and authorization related vulnerabilities that were exploited in order to cause massive amounts of damage.

So, what can a Chief Information Security Officer (CISO) do to reduce the risk of such attack? Do not rely on automatic mechanisms to do the work for you, as they cannot face with these kinds of attacks. Instead, adopt Secure Development Lifecycle best practices, promote security awareness, and focus on hybrid testing approach, combining both automated mechanisms for older technical injection attacks, and manual penetration test to protect against business, authentication and authorization related attacks.

Path Copy 3

By Gil Cohen
Research Director & Application Security SME
May 9, 2021