Addressing security risks at scale is more important than ever. With a global pandemic accelerating digital transformations, organisations are shipping new products and services at a faster clip, processing new forms of payment, and increasing reliance on web assets. To keep pace, organisations across the globe have decided to expedite their move to the cloud.
But with cloud transformation comes new risks. Dramatic shifts in organisations’ attack surfaces, coupled with increasingly overburdened security teams, have changed the vulnerabilities that businesses can expect to encounter. For applications hosted on the cloud, Improper Access Control, Information Disclosure, and Server-Side Request Forgery have become the three most severe and common vulnerabilities in 2020.
Server-Side Request Forgery (SSRF)
SSRF vulnerabilities are dangerous because they can lead to total system compromise and allow access to an organisation’s cloud infrastructure. SSRF vulnerabilities are most common in applications where the user has the ability to download an asset from an external resource, such as webhooks, integrations, and PDF generators.
Previously, SSRF bugs were fairly benign, as they only allowed internal network scanning and sometimes access to internal admin panels, but the advent of cloud architecture has inadvertently exposed organisations to more risk through the cloud metadata service. In a vulnerable application, instead of pointing it at an external resource, the attacker can point it at an internal one. Although the metadata service cannot be queried from outside the firewall, the SSRF vulnerability and missing mitigations can allow an attacker to reach it anyway. In fact, SSRF is now the fourth highest paid vulnerability on HackerOne, up 103% in popularity year over year according to proprietary research.
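As an added illustration of the mitigation side (not code from the original post), here is a Python check that a webhook or PDF-generator feature could run on a user-supplied URL before the server fetches it: it rejects non-HTTP schemes and any destination that resolves to loopback, private or link-local space (which covers the 169.254.169.254 metadata endpoint, including its IPv4-mapped IPv6 form), and it pins the resolved address so a DNS rebinding answer cannot bypass the check. The function names, the scheme allow-list and the pluggable resolver are assumptions.

```python
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlparse

# Hypothetical allow-list: schemes a webhook / PDF-generator feature accepts.
ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host: str) -> List[str]:
    """Default resolver: every A/AAAA address for host (needs network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(addr: str) -> bool:
    """True for any address an outbound fetch must never reach: loopback,
    private (RFC 1918 / ULA), link-local (which includes the 169.254.169.254
    metadata endpoint), multicast, reserved and other non-global ranges."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:169.254.169.254 is the metadata address in IPv4-mapped IPv6 form.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global or ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_multicast or ip.is_reserved)


def safe_fetch_target(url: str, resolver: Callable[[str], List[str]] = resolve_all
                      ) -> Optional[Tuple[str, str]]:
    """Validate a user-supplied URL before the server fetches it.

    Returns (host, pinned_ip) when the scheme is allowed and every resolved
    address is public, else None. Connect to pinned_ip (sending host in the
    Host header / SNI) rather than re-resolving, so a DNS rebinding answer
    between this check and the connect cannot swap in an internal address.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.hostname:
        return None
    host = parsed.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no DNS needed
    except ValueError:
        try:
            addrs = resolver(host)  # every returned address is checked below
        except (socket.gaierror, OSError):
            return None
    if not addrs or any(is_blocked_address(a) for a in addrs):
        return None
    return host, addrs[0]
```

Any HTTP redirect the fetch follows must be passed through the same check, since a public host can redirect to an internal address.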
Improper Access Control and Information Disclosure
Similarly, Improper Access Control and Information Disclosure are particularly prevalent, increasing 134% and 63% year over year respectively, because they’re nearly impossible to detect using automated tools. Organisations continue to develop new applications in, or migrate existing applications to, cloud-based services, and vulnerabilities inherently slip through the cracks along the way. The result? Dangling DNS records and misconfigured S3 buckets.
A dangling DNS record is a record that still points to an AWS resource that no longer exists. Because of how AWS namespaces resources, this often means that the same resource name can be claimed again by an attacker. While there are many forms of misconfigured S3 buckets, the two common mistakes are over-exposure of data and temporarily granted upload policies that are incorrectly scoped. Most people test anonymous access to their S3 buckets but forget to test access from a separate AWS account, which can be governed by a different policy.
While not a high-paid vulnerability on HackerOne, misconfiguration vulnerabilities have experienced a 12,286% increase in the past year. Often seen as an easy target, these vulnerabilities are easy to detect to the experienced eye, and they are created just as easily.
When moving to the cloud under immense pressure, best practices like developing clear architecture, access management configuration, and well-designed APIs, as well as simply setting up assets correctly, can be difficult to prioritise. When that occurs, it creates dangerously clear entry points for attackers. Cloud-native organisations and those migrating to the cloud need robust security solutions to ensure their cloud development reduces security risk while development teams work to configure their applications.