WhiteHat Security outlines the most prevalent web exploits used last year and what you can do about them.
On a daily basis, you are likely to interact with a variety of applications as you go about your business. While apps are critical for the growth of many businesses, vulnerabilities and risks continue to surface. From Ticketmaster to British Airways, many companies fell victim to application security vulnerabilities last year.
Today (16 January), WhiteHat Security experts have revealed the most common web exploits used by malicious actors, in an effort to reduce the number of breaches and incidents in 2019. The top 10 application security vulnerabilities of 2018 reflect a combination of observed trends from the WhiteHat Security vulnerability data lake and the active customer feedback on the threats across its enterprise application portfolio.
The top 10 web exploits of 2018
jQuery File Upload RCE – CVE-2018-9206
jQuery File Upload is a popular open source package that allows users to upload files to a website. A common vulnerability and exposure (CVE) within it can be abused by creating a shell that is uploaded to run commands on the server.
This vulnerability can be traced back to 2015, and all versions prior to 9.22.1 are vulnerable. Organisations should ensure any site using jQuery is updated to the most current version.
Although not a CVE, Magecart is a card-skimming attack that cannot be overlooked. It originated from a black-hat group in 2018, and companies such as Ticketmaster, British Airways, Feedify, ABS-CBN and Newegg were among the victims of this attack.
With the release of Drupalgeddon 2 and immediate proof of concept (PoC) exploit, more than 100,000 websites using the open source CMS Drupal were considered vulnerable to this remote code execution vulnerability. The exploit worked by manipulating the functionality to inject a render array containing executable code, then tricking the application into rendering the injection.
Upgrading to the most recent version of Drupal 7 or 8 core mitigates the vulnerability. The vulnerability was used to infect servers with cryptocurrency miners, among other things.
Coming in fast following the patch for Drupalgeddon came Drupalgeddon 3, which reported that the exploit could still be achieved by using the destination parameter in Drupal. This parameter could be found on the cancel links during confirmation of deletions on various functions for Drupal 7.
It also required the attacker to be authenticated and have delete permissions to execute this attack. Again, upgrading to the most recent version of Drupal 7 or 8 core mitigates the issue.
RadAsyncUpload uses a default, hardcoded key, which, if not changed, allows an attacker to decrypt the data and modify configurations such as ‘where to upload the file’ and ‘what are the allowable extensions’. The hacker can encrypt data and send it back to the server with a request, which results in unrestricted file upload. WhiteHat advises setting strong custom encryption keys to protect against this threat.
Spring Data Commons
Within the Spring Framework, the data commons are used to provide an API for accessing NoSQL and relational databases. However, in versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions of Spring Data Commons, the MapDataBinder class could be exploited using projection-based request payload binding through the Spring Expression Language Injection, leading to remote code execution. Upgrading the version will remediate the vulnerability.
Flash Player hack
Remote code execution is possible within Adobe Flash Player before version 220.127.116.11.
The issue lies within the Primetime software development kit, which contains a dangling pointer in the media player’s handling of the listener object. A successful attack can lead to arbitrary code execution. This was the case in the wild in January and February 2018.
Spring OAuth Approval
The default approval endpoint for Spring Security OAuth found in versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15, and older unsupported versions is vulnerable to remote code execution through a Spring Expression Language Injection.
This remote code execution occurs when a malicious attacker creates an authorised request to the authorisation endpoint, and the resource owner is then able to forward to the approval endpoint. To ensure sites are not vulnerable, companies should upgrade to the latest version.