According to a recent report by a leading software news portal, over 90% of websites relying on open source content management systems were found to be extremely vulnerable to hackers. Most of these break-ins were thought to be related to vulnerabilities in plugins and themes, issues with configuration and a general lack of maintenance by developers, who did not update their CMS.
Warning: Hackers Ahead!
In another report by a leading anti-virus software maker, online security breaches surged in 2019, with an average of nearly 5,000 websites being hacked each month. Not only that, over 70 million user records were stolen by taking advantage of security gaps in connected devices!
A hacking attack begins with reconnaissance of the application to find out which software version it is running, because not all versions have vulnerabilities. Once a vulnerable version is detected, the attackers browse directory listings and enumerate the installed plugins using HTTP requests or automated tools. In this phase the attackers gather all the information they need before forming a strategy to breach the application's defenses. The attackers then move on to actively attack the app: stored information such as passwords is cracked using password-stealing malware or by sniffing network packets in transit. These cracked passwords are then used to gain unauthorized access to the CMS and wreak havoc by destroying data or taking over the server itself!
Top 10 Risk Factors
Here are the 10 most common risk factors that can compromise your CMS:
- Injection Flaw: Injection flaws occur when hostile or untrusted data is sent to an interpreter as part of a command or query. The hostile data can mislead the interpreter into executing unintended commands, or into accessing data, without proper authorization.
- Broken Authentication: Functions related to user authentication and session management are often implemented carelessly during development. This allows attackers to compromise passwords, session tokens or keys and to exploit other flaws in the app, which can lead to users' identities being stolen.
- Exposure of Sensitive Data: Financial and healthcare data is considered sensitive and is a prime target for hackers. Attackers can steal or modify data that is improperly protected, with the aim of committing credit card fraud or other crimes. Special precautions, such as encryption at rest and in transit, are required when handling such data over the internet.
- XXE (XML External Entities): Older or incorrectly configured XML processors evaluate external entity references found within XML documents. These entities can be misused to disclose internal files via the file URI handler, to scan internal ports, to reach file shares, to execute code remotely, or even to cause denial-of-service conditions.
- Broken Access Control: Best practice dictates that authenticated users of the CMS should operate under specific restrictions. In some apps, however, these restrictions are not properly enforced, allowing attackers to gain unauthorized access to other users' accounts, sensitive data and/or functionality. Such attackers may also modify other users' data or change their access rights.
- Misconfiguration of Security: One of the most commonly seen lapses is security misconfiguration. It results from insecure default configurations or ad hoc configurations, openly accessible cloud storage, or misconfigured HTTP headers. It is therefore important not only to configure all systems, libraries, frameworks and applications securely, but also to upgrade them in a timely manner.
- XSS (Cross Site Scripting) Flaws: XSS flaws occur whenever an application includes untrusted data in a page without proper validation or escaping, or updates an existing page with user-supplied data. XSS allows an attacker to execute scripts in the victim's browser to hijack user sessions, redirect the user to malicious sites, or deface the user interface.
- Deserialization Flaws: Insecure deserialization can lead to remote code execution. Even where a deserialization flaw does not allow remote code execution, it can still be used for injection attacks, replay attacks and privilege escalation.
- Known Vulnerabilities: Components such as libraries, frameworks and other software modules may carry known vulnerabilities. They run with the same privileges as the application, so if a vulnerable component is exploited the attack can cause serious data loss or even a takeover of the server. Applications that use components or APIs with known vulnerabilities are therefore considered susceptible to attack.
- Inadequate Monitoring & Tracking: When an application is inadequately monitored, attackers can maintain persistence and pivot to other systems to exploit their weaknesses. If the app is not effectively integrated with incident response, attackers can tamper with, extract or even destroy the data stored in the CMS. Studies have shown that the typical time to detect a breach is over 200 days, and that the breach is usually discovered by an external party rather than through internal monitoring.
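The first item above, injection, is easiest to see in code. The following example is added here and is not from the original article or any particular CMS: it builds a constructed in-memory SQLite "users" table and contrasts a lookup that concatenates untrusted input into the query with one that binds it as a parameter, so the hostile string is compared as a plain value instead of being parsed as SQL.

```python
import sqlite3

# Constructed sample data standing in for a CMS user table (not real records).
SAMPLE_USERS = [("alice", "admin"), ("bob", "editor"), ("carol", "subscriber")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Injection flaw: untrusted input becomes part of the SQL command text."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value is bound separately and never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A classic hostile input: closes the quoted value and appends an always-true clause.
HOSTILE_INPUT = "x' OR '1'='1"


def demo() -> dict:
    """Run both lookups against the same data so the difference is visible."""
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, HOSTILE_INPUT),  # every row leaks
        "safe": find_user_safe(conn, HOSTILE_INPUT),              # no such user
        "legit": find_user_safe(conn, "bob"),                     # normal lookup
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The same principle applies to any interpreter a CMS plugin talks to (SQL, shell, LDAP, templating): keep untrusted data out of the command text and pass it through the API's own binding mechanism.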
Conclusion:
An attack against your CMS can take many forms: a brute-force attack to obtain admin credentials and reach the database, server or SSH access, or an attack that finds a vulnerability in the system and manipulates the application itself or its plugins. It is therefore important for organizations to build multi-layered, defense-in-depth strategies to withstand ever-evolving cyber attacks.
With IoT growing rapidly, securing databases and connected systems should be the prime focus of any content management strategy, whether you are building a utilities app or an e-commerce platform. Ignorance, therefore, is no longer an excuse!