We talk a lot about attack surfaces because the construct is useful for visualizing and understanding how adversaries compromise networks and systems. As a reminder, here is how we defined an attack surface:
What is an Attack Surface?
In the context of cyber networks, an attack surface is any device that can be exploited for an attacker's gain and the defender's loss. Importantly, attack surfaces can be externally facing (Internet facing) or internally facing, by which we mean "behind the firewall" from a device connected to the organization's network (including cloud services). Devices can be laptops, workstations, servers, cameras, conference phones, printers, security appliances, actual appliances, TVs, and you-name-it Internet of Things (IoT) devices. The actual attack surface is software, and software is exploitable for attack through (mis)configuration or software vulnerabilities. We use the term exposure to mean the set of configurations or vulnerabilities that can be exploited for an attacker's gain.
Web Applications Present an Attractive Attack Surface
One often overlooked area of vulnerability for many IT Admins and security specialists is web applications. While network and host scanners can provide insights into web server protocols and vulnerabilities in software, they may miss web applications like WordPress, which lurk within web pages.
Most web developers rely on templates and plugins for efficiency in creating web pages, incorporating functionalities such as chatbots, email subscription boxes, and search boxes. These plug-ins and other assorted applications that layer on top of the web server are what we call web applications, and the richness of their functions offers an ample attack surface for adversaries. The root cause is, of course, software bugs and misconfiguration; however, this software is usually Internet facing and each application accepts input over HTTP/S. That means anyone can test for, and exploit, those vulnerabilities.
Case in Point: WordPress Plugin Vulnerabilities
A recent, solid example of a web application vulnerability is the WordPress "Better Search Replace" plug-in, which runs on over 1 million websites. In this case, the plug-in has a bug in its PHP object handling that allows untrusted input from unauthenticated users to exploit the WordPress engine and execute code. The CVE is tracked as CVE-2023-6933 and is being actively exploited right now.
Earlier this month, security researchers discovered vulnerabilities in the POST SMTP Mailer WordPress plugin, another widely used plug-in. By chaining these vulnerabilities in an attack, attackers can gain administrative control over the site.
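As an added illustration (not code from the Better Search Replace plugin or any other project named on this page), the pattern behind a PHP object handling bug of the kind described above, next to two hardened forms; the class, function names and serialized input are constructed for the example and run under plain PHP without WordPress.

```php
<?php
// Added illustration: why unserialize() on request data lets untrusted
// input decide which classes get instantiated, and how to harden it.
// Class, function names and the input below are constructed, not a plugin's.

// Any loaded class with a magic method becomes reachable from request data
// once unserialize() is fed that data. The side effect here is only an echo.
class TempFile {
    public $path;
    public function __destruct() {
        // In real code a method like this might delete or write a file.
        echo "cleanup called for {$this->path}\n";
    }
}

// Vulnerable pattern: objects are rebuilt directly from a request field.
// In a WordPress handler this would typically be $_POST data, and the
// handler should additionally be gated by a capability and nonce check.
function import_settings_unsafe(string $raw) {
    return unserialize($raw);               // CWE-502: untrusted deserialization
}

// Hardened pattern: forbid class instantiation. Any object payload degrades
// to __PHP_Incomplete_Class, so no constructor or magic method ever runs,
// and anything that is not plain array data is rejected.
function import_settings_safe(string $raw): ?array {
    $data = unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Better still: use a format that cannot express PHP objects at all.
function import_settings_json(string $raw): ?array {
    $data = json_decode($raw, true, 8);     // associative arrays only, shallow
    return is_array($data) ? $data : null;
}

// Constructed input: a serialized TempFile, the shape an object payload takes.
$payload = 'O:8:"TempFile":1:{s:4:"path";s:12:"/tmp/example";}';

$obj = import_settings_unsafe($payload);    // object created from input
unset($obj);                                // __destruct fires: "cleanup called"

var_dump(import_settings_safe($payload));   // NULL: object form rejected

var_dump(import_settings_json('{"search":"old","replace":"new"}'));
```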
Schedule Your Pen Test
Given that web applications offer an attractive attack surface for adversaries, who can exploit vulnerabilities to gain administrative control or other privileges on web servers, it's crucial to mitigate these risks proactively. The best approach is to identify susceptibility to attacks before adversaries do. Because such vulnerabilities can be discovered by the ambient attack scans that continuously sweep the Internet, compromise is a genuine threat.
Scheduling regular penetration tests for web servers, both externally and internally, is highly recommended. Weekly tests can identify security exposures and help ensure robust security measures are in place to protect against potential exploits and unauthorized access.