How criminals take advantage of vulnerabilities in web systems
Vulnerabilities in web applications and systems, that is, those you access and use directly from your browser without installing anything, are becoming cybercriminals' favorites. The reason is that this type of weakness is easier to exploit, thanks to a range of automated tools and easy-to-learn techniques, than writing malicious code or running elaborate phishing campaigns to deceive internet users.
Take misconfiguration weaknesses in web servers, for example. A malicious actor can use Google Dorking techniques (search queries with specific operators that surface content indexed by the search engine) to find sensitive directories and documents on a web server that was set up as public. From there, it is easy to browse other folders, find files that should have been kept under lock and key, and launch a data leakage or extortion campaign.
SQL injection problems also do not require any technical knowledge to be exploited. Several tools that are easy to find on the web automate the exploitation of these vulnerabilities. With a few mouse clicks, a criminal can find points where it is possible to inject SQL into the query the application sends to the database and gain access to its tables. The cybercriminal then only needs to make a local copy of the entire database to "have fun".
Risk to users
Vulnerabilities in web applications are not exploited only to steal sensitive data. It is also possible to take advantage of other weaknesses, such as cross-site scripting (XSS), to change the behavior of a web page when an Internet user visits it, convincing them, for example, to fill out a malicious form that will steal their credit card data.
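XSS works because user-supplied text is written into the page as markup. The example below is added here and is not the article's code: it renders a constructed comment string into an HTML fragment twice, once by raw concatenation and once through output encoding, and pairs the fix with a Content-Security-Policy header whose values are an assumed example rather than a recommendation for any particular site.

```python
import html


def render_comment_vulnerable(comment):
    # Interpolates user input straight into the HTML: any tag in the comment
    # becomes live page content, which is exactly how an injected form appears.
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment):
    # Escapes <, >, &, and both quote characters so the browser displays the
    # text literally instead of interpreting it as markup or attributes.
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def security_headers():
    # Defence in depth (assumed example policy): blocking inline scripts and
    # restricting where forms may submit limits the damage if an encoding
    # bug slips through somewhere else in the application.
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; form-action 'self'"
    }


def demo():
    # Constructed input standing in for a visitor's comment.
    constructed = 'Great article! <script>/* injected */</script>'
    return {
        "vulnerable": render_comment_vulnerable(constructed),
        "safe": render_comment_safe(constructed),
    }


if __name__ == "__main__":
    for name, fragment in demo().items():
        print(name + ":", fragment)
    print(security_headers())
```

Encode at the point of output for the context you are writing into (HTML body, attribute, JavaScript, URL), since the escaping rules differ; a templating engine that escapes by default removes most of the opportunities to forget.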
And we cannot forget web shells: malicious scripts uploaded to compromised servers that, once in place, let criminals execute arbitrary code remotely and take control of the entire web server.
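A web shell is typically a small server-side script that passes request parameters to a code- or command-execution function, which makes that combination a useful detection signal. The scanner below is added here and is not from the article; it walks a document root, flags PHP files where an executing function and raw request input appear together, and runs against a constructed temporary tree. The indicator list is a minimal assumption for illustration, not a complete signature set.

```python
import re
import tempfile
from pathlib import Path

# Heuristic indicators (assumed, minimal list): PHP functions that run code or
# commands, and superglobals that carry raw request data.
EXEC_FUNCS = re.compile(r"\b(eval|system|shell_exec|passthru|exec|assert)\s*\(", re.IGNORECASE)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")


def scan_file(path):
    """Return a finding for one file; 'suspicious' is true only when an executing
    function and request input occur in the same file, which cuts false positives
    from legitimate admin scripts that call system() on fixed arguments."""
    text = path.read_text(errors="ignore")
    funcs = sorted({m.group(1).lower() for m in EXEC_FUNCS.finditer(text)})
    takes_input = REQUEST_INPUT.search(text) is not None
    return {
        "file": path.name,
        "exec_funcs": funcs,
        "takes_request_input": takes_input,
        "suspicious": bool(funcs) and takes_input,
    }


def scan_tree(root, suffixes=(".php", ".phtml")):
    """Walk a document root and report every script-type file."""
    return [
        scan_file(p)
        for p in sorted(Path(root).rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    ]


def demo():
    # Constructed sample web root (not from any real incident).
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text("<?php echo 'Welcome'; ?>")
        (root / "uploads").mkdir()
        # A script where a user upload directory should hold only images.
        (root / "uploads" / "avatar.php").write_text("<?php system($_GET['c']); ?>")
        (root / "notes.txt").write_text("system($_GET['c'])")  # not a script, not scanned
        return {r["file"]: r["suspicious"] for r in scan_tree(root)}


if __name__ == "__main__":
    print(demo())
```

Pattern matching catches the plain cases; pair it with file integrity monitoring on the web root, a web server configuration that refuses to execute scripts from upload directories, and alerting on new files appearing there.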
Watch out!
In general, web applications receive less attention from developers and information security teams than installable software does. However, with employees working remotely because of the pandemic, this type of application is becoming increasingly common; any professional who has not used a single software-as-a-service (SaaS) product during the pandemic can cast the first stone.
That's why it is always important to ensure that your web app or website project complies with the OWASP Top 10, a global ranking of the most critical and common vulnerabilities in this type of project. Following its technical guidelines and documentation makes it easier to ensure that the application is free of the errors that may cause headaches in the future.