i³ Threat Advisory: Insecure Web Apps Creating High Risk for Insider Abuse
ACT NOW TO MITIGATE RISK
- Enforce strong password policies and implement multifactor authentication.
- Employ secure storage solutions and regular API key rotation.
- Implement rate limiting mechanisms.
- Implement secure authentication protocols, such as 0Auth 2.0 or Open ID Connect.
- Employ random or complex object reference identifiers.
Web applications and portals have become synonymous with our digital way of life, providing workforces with convenient access to data from anywhere in the world. However, without the right checks in place, this convenience can come at a high cost. In the context of insider risk management, lack of proactive mitigation is all it takes to lead a malicious insider to access, steal and exploit sensitive company secrets and personally identifiable information (PII).
The DTEX i³ team has found several high-risk vulnerabilities pertaining to misconfigurations across 13 different web application categories across our global client base on several occasions over the past year. Of those applications, employee rewards programs and workplace monitoring applications, have been highlighted as particular concerns, as outlined in the Operational Scenarios.
This DTEX i³ Threat Advisory outlines categories of web applications that may be vulnerable to exploitation and provides recommendations for identifying and mitigating potential risks associated with unauthorized access.
In one insider risk assessment, the DTEX i³ team found that the application associated with an employee rewards program was publicly accessible.
Upon investigation, the DTEX i³ team found that the specific URLs identified did not require username and password authentication, meaning anyone without authorization could access sensitive data, including:
- Employee information (e.g. name and email address)
- Potential access to employee rewards information
- Partial credit card information.
In addition, an unauthorized user could create their own account within the rewards platform to take advantage of the employee benefits.
In the context of insider risk management, a malicious insider with motivation to cause harm could easily access this information and exploit it for their own gain.
The risks of unauthorized access may be compounded by the fact that the accessible URLs and the underlying content could be indexed by search engines or web crawlers. Third-party browser plugins may also store the URL path which may lead to access by individuals outside the organization. External threat actors could also easily abuse the URL path to gain access to sensitive information or to even upload malware.
In a separate insider risk assessment, the DTEX i³ team found two misconfigured workplace monitoring platforms that allowed access to unauthorized users.
While threat hunting in a customer’s environment, the DTEX i³ team found an employee had created a shared feed to remotely monitor a specific site. The feed was accessible to anyone with an internet connection, and could provide timelapse imagery taken between one and minutes.
Specific information that could be accessed include location, employee information and attributes, workplace operations and projects as well as details of the organization’s physical security controls. For a motivated insider, the camera feed would provide ample information to plan an attack, from espionage to IP and PII theft.
DTEX i³ has provided immediate actions for mitigation at the top of this Threat Advisory. The below section provides insights on how to detect and prevent these risks before vulnerability abuse occurs.
Web Application and Portal Incidents
The DTEX i³ team, based on their experience responding to real world investigations and threat hunting, has observed several categories of web applications and portals that are under increased attacks both from insiders as well as external threat actors.
Many organizations use applications from the list below that either cross multiple categories or have products to serve different needs. DTEX i³ will not disclose active vulnerabilities within this Threat Advisory (iTA-24-01) due to responsible disclosure but can confirm the root cause is often linked to misconfigured deployment of the web applications or portals. The OWASP Foundation currently lists two (Insecure Design and Identification and Authentication Failures) out of the top 10 web application security risks that contribute towards the observed increase in attacks.
The following list provides categories of potentially exploitable web applications and portals:
- Supplier onboarding
- Learning management platforms
- Document signing platforms
- Employee merchandise
- Asset and remote employee tracking
- Employee review/HR
- Risk and compliance SaaS solutions
- Employee rewards
- Employee onboarding
- Customer CRM and intranet
- Workplace monitoring (live camera feeds).
Improper URL Configuration (Tokens and GUIDs):
Tokens in URLs, often referred to as URL parameters or query parameters, are elements appended to a URL that carry information about a user’s session or specific details related to a request. In the context of authentication, these tokens are commonly used to manage user sessions, granting access to protected resources and webpages without the need for continuous reauthentication.
However, the use of tokens in URLs poses a potential security risk, primarily due to the ease with which they can be exposed and manipulated. If sensitive information, such as authentication tokens, is included in the URL, it becomes vulnerable to various forms of exploitation. Typical use cases found by DTEX include tokens with weak timeout functionalities or those which do not expire even after a user’s session has ended.
The DTEX i³ team has observed insiders (employees or contractors) exploiting tokens in URLs in the following ways:
- Exposure in logs and browser history: URLs, including parameters, are often logged in various places, such as web server logs and browser history. If authentication tokens are included in these URLs, they can be inadvertently exposed, providing an opportunity for attackers to gain unauthorized access.
- Cross-site scripting (XSS) attacks: In the presence of XSS vulnerabilities, attackers can inject malicious scripts into a web application. If these scripts can manipulate or read URL parameters, they may extract authentication tokens and send them to a malicious server, compromising user accounts.
- Man-in-the-middle attacks: In transit, URL parameters, including tokens, can be intercepted by attackers in a man-in-the-middle attack. This can occur, for example, when a user is accessing a website over an unsecured Wi-Fi network, allowing an attacker to capture and reuse authentication tokens.
In addition to tokens, Globally Unique Identifiers (GUIDs) are alphanumeric strings assigned to uniquely identify resources or entities. While GUIDs are designed to be globally unique, their inclusion in website URLs can pose certain security risks if not implemented and handled carefully.
The DTEX i³ team has observed insiders as well as external threat actors exploiting GUIDs in website URLs in the following ways:
- Predictability and enumeration: If GUIDs are generated in a predictable manner or if there is a lack of randomness in the generation process, attackers may attempt to guess or enumerate other valid GUIDs. This could lead to unauthorized access to resources or information associated with different GUIDs.
- Insecure Direct Object References (IDOR):GUIDs are often used to reference specific objects or resources. If there is inadequate access control or insufficient validation on the server side, attackers might manipulate GUIDs in URLs to access resources they are not authorized to view. This is known as an Insecure Direct Object Reference (IDOR) vulnerability.
- Information disclosure:GUIDs, when exposed in URLs, may inadvertently disclose information about the system’s internal structure or organization. Attackers could use this information to gather intelligence about the application, aiding in the planning of more targeted attacks.
- Brute force attacks:If there is no rate limiting or account lockout mechanism in place, attackers might attempt to conduct brute force attacks by systematically trying different GUIDs in URLs until a valid one is found. This could potentially lead to unauthorized access or disclosure of sensitive information.
EARLY DETECTION AND MITIGATION
DTEX Intelligence Release 6.10.0 contains a new Data Enrichment category and a new helper Dashboard designed to help DTEX insider risk practitioners detect potentially vulnerable URLs.
How to Identify and Mitigate Potentially Vulnerable Web Application URLs
While threat hunting within the DTEX InTERCEPT platform, potentially vulnerable URLs can be found through a targeted effort of searching for poorly configured URL parameters, such as Globally Unique Identifiers (GUIDs) and authentication or session tokens.
Login to the customer portal to access the indicators or contact the i³ team to request access.
Addressing security vulnerabilities in third-party web applications requires a comprehensive approach that encompasses regular security assessments and ongoing monitoring. By understanding and proactively mitigating misconfigured APIs, IDOR vulnerabilities, and authentication weaknesses, organizations can significantly enhance the resilience of their web applications against potential threats.
Continuous security testing, threat hunting within the DTEX platform and staying abreast of emerging security trends are vital components to identify and remediate web application security vulnerabilities.
For intelligence or investigations support on securing web applications and preventing unauthorized access, contact the i³ team. Extra attention should be taken when implementing behavioral indicators on large enterprise deployments.
OWASP: Open Web Application Security Project:
The OWASP website provides a wealth of resources, including the OWASP Top Ten, a regularly updated list of the most critical web application security risks. It also offers guides, cheat sheets, and tools for secure coding practices.
References: SANS provides various resources on web application security, including training courses, whitepapers, and articles. It covers topics ranging from secure coding practices to penetration testing.