By Tom Kellermann, SVP Cyber Strategy, Contrast Security
December 5, 2022
As the financial sector digitally transforms, it is under siege, as data from Contrast’s platform and other reports clearly show.
Over the month of November, Contrast’s financial services customers endured a myriad of application attacks, including the following Top 10 attack types with their attack totals.
November ushered in a surge of path-traversal attacks.
A path-traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash” (../) sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. This attack is also known as “dot-dot-slash,” “directory traversal,” “directory climbing” and “backtracking.” — OWASP
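An added example, not code from the original post or from Contrast's product, showing a defensive path check and a matching detection rule for the traversal variations OWASP lists (dot-dot-slash, encoded forms, backslashes, absolute paths, NUL truncation); the web root and the sample request paths are constructed for this example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/app/public"  # assumed web root, not from the original page


def decode_request_path(raw: str) -> str:
    """Undo percent-encoding twice (catches %252e double encoding) and map
    backslashes to slashes, two common traversal variations."""
    return unquote(unquote(raw)).replace("\\", "/")


def resolve_in_web_root(raw: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Canonical path for a request, or None if it would escape web_root.
    Absolute paths are re-rooted under web_root rather than honoured, and
    NUL bytes (the %00 truncation variation) are rejected outright."""
    decoded = decode_request_path(raw)
    if "\x00" in decoded:
        return None
    root = posixpath.normpath(web_root)
    # normpath collapses ./ and ../ lexically, without touching the filesystem
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def is_traversal_attempt(raw: str) -> bool:
    """Detection-side check (log review or WAF rule): any '..' segment after
    decoding, or a NUL byte, marks the request as a traversal attempt."""
    decoded = decode_request_path(raw)
    return "\x00" in decoded or ".." in decoded.split("/")


# Constructed sample request paths in the style of an access log
SAMPLE_PATHS = [
    "/index.html",                       # benign
    "/static/../static/app.js",          # '..' but stays inside the web root
    "/../../../../etc/passwd",           # classic dot-dot-slash
    "/%2e%2e/%2e%2e/etc/shadow",         # percent-encoded
    "/%252e%252e/%252e%252e/boot.ini",   # double-encoded
    "/..\\..\\WEB-INF/web.xml",          # backslash variation
    "/img/logo.png%00.jpg",              # NUL truncation
]


def count_traversal_attempts(paths=SAMPLE_PATHS) -> int:
    return sum(1 for p in paths if is_traversal_attempt(p))
```

Note that the second sample path contains `..` yet resolves safely inside the web root, so the serving-side check and the log-side detector deliberately disagree on it: the former decides by the final canonical path, the latter flags the attempt for review.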
Cross-site scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. — OWASP
A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. — OWASP
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. — OWASP
Expression-language (EL) injection entails attacker-controlled data entering an EL interpreter. — OWASP
A padding oracle is a function of an application that decrypts encrypted data provided by the client, e.g. internal session state stored on the client, and leaks the state of the validity of the padding after decryption. The existence of a padding oracle allows an attacker to decrypt encrypted data and encrypt arbitrary data without knowledge of the key used for these cryptographic operations. — OWASP
Struts, the open-source web application framework, is vulnerable to remote-command injection attacks through incorrect parsing of an attacker-supplied invalid Content-Type HTTP header, a vulnerability that allows such commands to be executed with the privileges of the web server.
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. — NVD
Method tampering (aka verb tampering and HTTP method tampering) is an attack against authentication or authorization systems that have implicit “allow all” settings in their security configuration. This type of attack takes advantage of vulnerabilities in HTTP verb authentication (also known as HTTP method authentication) and access control mechanisms.
HTTP provides a list of methods that can be used to perform specific actions. In the list of HTTP methods, GET and POST are most commonly used by developers to access information provided by a web server. But HTTP also provides several other methods and many of these can pose a critical security risk for a web application, as they allow an attacker to modify the files stored on the web server, delete a web page on the server, and upload a web shell to the server, which can lead to the theft of user credentials. — Contrast Security
HTTP Verb Tampering tests the web application’s response to different HTTP methods accessing system objects. For every system object discovered during spidering, the tester should attempt accessing all of those objects with every HTTP method. — OWASP Testing Guide
Data which is untrusted cannot be trusted to be well formed. Malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code, when deserialized. — OWASP
The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage. — GitHub advisory
Given the current threat landscape, intelligent runtime protection is an imperative. Financial institutions must defend their applications from within by using instrumentation to inject automated trust boundaries.