Vulnerable Web Services: Cybersecurity’s Forgotten Edge
By Dan Williams
Whether it’s a customer-facing user interface, an employee resource login portal or a simple static website, publicly accessible web services are the furthest outlying resource for most organizations, infrastructure-wise.
In both traditional infrastructures that utilize a demilitarized zone and public cloud systems residing outside the data center, your organization’s publicly accessible web services are left wide open to attack. Ideally, these web services should be sufficiently hardened to contend with their global connectivity to every threat agent searching for its next easy target.
Information security professionals use best practices such as defense-in-depth, which offers an abstract approach to web services’ vulnerability. However, best practices inherently leave us with a very vague sense of duty, given the endless list of potential cyberthreats faced by a limitless list of possible system configurations.
Third-Party Security Assessments and Why They Matter
Even in the age of automation, there are still operational chores in the information technology field that benefit from the manual efforts of operators. That does not mean every security task should be left as a manual activity, nor that we must rely on our own potentially limited knowledge when we tackle information security tasks without a solid starting point of prior experience.
Assessing web services may seem like a daunting chore if your strengths lie elsewhere, but one great starting point is the plethora of reputable web scanners hosted on the internet. One example is the Mozilla Observatory, a no-cost solution for domain scanning of insecure web security standards.
At this site, you can enter any publicly accessible domain. It will test that domain for poorly configured characteristics of web services that leverage the application-layer Hypertext Transfer Protocol (HTTP).
Translating Vulnerable Web Services into Risk
Let’s say your target domain is a website hosted by your organization for public relations purposes. Following the scan by Mozilla Observatory, you receive a letter grade on an A to F scale, complete with details that compose the numerical score of your grade.
Each of these categories represents a threat vector in the web services realm; some of them are mature threats that have persisted due to the fundamental means by which HTTP performs its operations to serve up web content to a user’s browser. This particular brand of risk leaves organizations open to critical security threats, depending on the role of the web service.
Should the web service be an e-commerce platform, a login portal for employee access to sensitive materials, or even a website that the company relies on for promoting their reputation in their particular industry, even the least sophisticated attack that leverages one of these common vulnerabilities can lead to a major security incident.
Some of the more popular security vulnerabilities consist of Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks. These types of attacks permit malicious activities such as “clickjacking” and session fixation.
There are many exhaustive online resources that address these types of classic and still occurring attacks. The concept of “content security policy” has proven to be one of the least properly configured aspects of web services, which ironically offers the greatest area of improvement for scan tests like Mozilla Observatory.
Additionally, many vulnerabilities listed in the test results are security problems commonly connected to the unfortunate lack of certificate-based controls. For example, a missing or misconfigured Transport Layer Security (TLS) deployment, TLS being the successor to the now-deprecated Secure Sockets Layer (SSL), is one such problem.
Fixing the Security Vulnerabilities of Web Services
Remedial steps can be taken in the right direction to remove these common configuration-based vulnerabilities from outlying web services. In regard to HTTP, the concept of “headers” plays a key role in how requests are fulfilled by web browsers and services that can toss HTTP verbs at anything listening for them.
When resources are sent to fulfill an HTTP request, the headers returned with that response are crucial pieces of information that instruct the requesting browser how to treat the content it is about to parse and execute. A header could be translated as “Use my secure HTTPS connection instead of plain HTTP” or “Do not allow external websites to embed my content using the <iframe> tag in their HTML document.”
Controlling what our web services will and will not allow to be executed on their behalf is a clear make-or-break point for a security policy.
There is no direct panacea for these vulnerabilities due to the variety of vendor service configurations. However, the concept of headers in HTTP responses is a fundamental aspect of cybersecurity that can be tightly controlled. In the case of a simple web server, whether it runs web server software such as Apache, NGINX, or Internet Information Services (IIS), hunting down the configuration file location and the required syntax for your particular web server is only a search engine query away.
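As an added illustration (not code from the article or from Mozilla Observatory), the following Python script audits a raw HTTP response for the kinds of headers described above: Strict-Transport-Security (“use HTTPS instead of HTTP”), X-Frame-Options or a Content-Security-Policy frame-ancestors directive (“do not embed my content in an <iframe>”), and the presence of a Content-Security-Policy at all. The sample responses are constructed inline, and the six-month HSTS threshold is this checker’s own assumption rather than Observatory’s exact scoring.

```python
# Added example: audit a raw HTTP response for the hardening headers the
# article describes (HSTS, framing restriction, CSP). Thresholds are this
# checker's own assumptions, not Mozilla Observatory's exact scoring.

def parse_headers(raw_response: str) -> dict:
    """Map lower-cased header names to values from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS header, or 0 if absent/invalid."""
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                return int(part.split("=", 1)[1])
            except ValueError:
                return 0
    return 0

def audit(headers: dict) -> list:
    """Return findings for missing or weak security headers (empty = clean)."""
    findings = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif hsts_max_age(hsts) < 15552000:  # six months, a common minimum
        findings.append("Strict-Transport-Security max-age below six months")
    # Framing may be restricted by X-Frame-Options or by CSP frame-ancestors.
    xfo = headers.get("x-frame-options", "").upper()
    csp = headers.get("content-security-policy", "").lower()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no framing restriction (clickjacking via <iframe>)")
    if not csp:
        findings.append("missing Content-Security-Policy")
    return findings

# Constructed sample responses: a bare default install and a hardened one.
DEFAULT_RESPONSE = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html>"
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n\r\n<html>"
)
```

Calling `audit(parse_headers(DEFAULT_RESPONSE))` produces three findings, while the hardened sample returns an empty list; point the parser at a response captured from your own server to compare it against the scanner’s report.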
Correlating the amendments of the configuration files on a web server with the test results from Mozilla Observatory is in keeping with the age-old tradition of IT security operations. You can be assured that even seasoned veterans follow this virtual trail of breadcrumbs in a time of need.
Ensuring that the required software packages are present, enabling the appropriate flags and verifying the precision of entries made to configuration files are the pillars of good cybersecurity.
There are countless online resources available to solve your unique remediation needs.
Cybersecurity is a journey. Modern IT operations demand that we automate as many tedious tasks as possible, so once you develop a baseline for your web server configuration hardening, try spinning it into an Ansible playbook to support the idea of an immutable, consistent and effortless infrastructure.
How to Stay on Target with Cybersecurity Maintenance
Test your web services and other areas of security vulnerability, and test them often. Standards change, services fail, paradigms shift and surprises never fail in the information security industry. A regular assessment of all your networked resources is not only suggested for the purposes of due diligence, but also for operational sanity.
Developing your own effective methods will take time. But the notion of continuous improvement is an idea that should be stitched into the fabric of every successful security policy.
About the Author
Dan Williams is an Information Security consultant with experience as a five-year veteran of the U.S. Marine Corps and over 15 years in IT Operations. Dan’s career has spanned various specializations including systems analysis, network monitoring and defense, software development, and cloud engineering solutions, all with a central theme of security administration and strategic cyber intelligence. He has a bachelor’s degree in Information Systems Security, a master’s degree in Cybersecurity Studies, and is a Systems Security Certified Practitioner through (ISC)2.
More recently Dan’s focus as a consultant has been on conducting research regarding DevOps security practices and cloud infrastructure penetration testing and vulnerability assessments to maintain pace with threats towards advancing and quick-adopting technologies. On a volunteer basis, Dan mentors future and junior cybersecurity personnel in both an academic setting and in the workplace to offer guidance to the next generation of Information Security professionals.