Test apps for vulnerabilities that enable phishing

As the network boundary becomes more ephemeral, and attackers less often have an obvious starting point for an attack, they are resorting more and more to the human angle. This is not news to any reader of this blog, I am certain. Physical attacks notwithstanding, the best place to stage an attack against the humans that run the systems is via phishing - using email, SMS, forum comments, customer service requests, or other communication to trick the people that have the keys to applications into giving them up.

Phishing increased 250% in 2018, according to Microsoft.

Vulnerabilities in applications are a key vector in phishing - not the most common vector, but a key vector. Nonetheless, we are testing for them more and more rarely. For instance, Unvalidated Requests and Forwards dropped from the OWASP Top 10 in 2017, as did Cross Site Request Forgery, even though both are used in a significant portion of phishing attacks. I get it, SQL Injection is more damaging and Cross Site Scripting is sexier, but these identity attacks are what the attackers are doing these days.

Bottom line, you have to be checking for these vulnerabilities.  Here is an incomplete list:

  • Unvalidated Requests and Forwards
  • Cross Site Request Forgery
  • Cross Site Scripting
  • Host Header Poisoning
  • Lack of Two Factor Authentication
  • CORS Policy Violations
  • Improper Handling of HTTP Verbs
  • Out of Date or Insecure Third Party Components
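
As an added example (not code from the original post), here is a Python check for two of the list items that lend themselves to a unit test: the redirect-target validation behind Unvalidated Requests and Forwards, and the Host header allowlist that blocks Host Header Poisoning of password-reset links. `ALLOWED_HOSTS` and the sample inputs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed for this example: the hostnames this application legitimately serves.
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}


def is_safe_redirect(target: str, request_host: str) -> bool:
    """Return True only if a 'next=' / 'returnUrl=' value stays on our site.

    Rejects the forms used to turn a login redirect into a phishing hop:
    absolute URLs to other hosts, protocol-relative '//host', the backslash
    variant '/\\host' (browsers read it as '//host'), non-http schemes such as
    'javascript:', and userinfo tricks like 'https://app.example.com@evil'.
    """
    if request_host.lower() not in ALLOWED_HOSTS:
        return False
    # Browsers drop tab/newline, trim surrounding whitespace and treat '\'
    # as '/' in http(s) URLs, so normalise the same way before parsing.
    t = "".join(c for c in target if c not in "\t\r\n").strip().replace("\\", "/")
    parts = urlsplit(t)
    if parts.scheme:
        # Absolute URL: only http(s), and the netloc must be exactly one of ours.
        # An empty netloc ('https:///evil') or one carrying userinfo fails here.
        return parts.scheme in ("http", "https") and parts.netloc.lower() in ALLOWED_HOSTS
    # Scheme-less: must be a plain path with exactly one leading slash;
    # '//host' and '///host' are protocol-relative and leave the site.
    return t.startswith("/") and not t.startswith("//")


def is_trusted_host(host_header: str) -> bool:
    """Allowlist check for Host / X-Forwarded-Host before using it to build
    absolute links. Without it a poisoned header lands in the password-reset
    email as a link to the attacker's domain. (IPv6 literals are not handled.)"""
    host = host_header.strip().lower()
    if ":" in host:
        name, port = host.rsplit(":", 1)
        if port.isdigit():
            host = name
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    for candidate in ["/account", "//evil.example/login", "/\\evil.example",
                      "https://app.example.com@evil.example/", "javascript:alert(1)"]:
        print(f"{candidate!r:45} safe={is_safe_redirect(candidate, 'app.example.com')}")
    for hdr in ["app.example.com", "app.example.com:443", "app.example.com.evil.example"]:
        print(f"Host: {hdr!r:35} trusted={is_trusted_host(hdr)}")
```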

I'll do a little more research on this topic and see if I can't get together a testing guide on this, but in the meantime I think you will find guidance in the new OWASP ASVS v4.0.
