Almost everything can be done online nowadays, and even some of the oldest professions in the world are modernizing and moving to the Web. Application security is becoming more and more important with the online enablement of all kinds of new services.

Since everyone and everything is online, the Dutch government decided that one of the basics of a modern society — law and order — should be facilitated through online channels as well. For example, when a lawyer wants to start a procedure, he or she can do so digitally. Proponents argued that it was good for speed and better for the environment.

The website has been modernized and, next to publishing court decisions, a lawyer or legal representative can launch a new case and upload the accompanying documents. Since it is run by the government, one would expect that the application security would be top-notch, right?

A Big Team, Lots of Money and an XSS Vulnerability

A new user experience, a new, up-to-date design, case manager tooling — the website had it all. Highly skilled people worked on the site for years, at the cost of millions of euros, so it was expected to be the best and most secure government website yet produced. Think again: Within a couple of days, an ethical hacker found a DOM-based cross-site scripting (XSS) vulnerability

According to OWASP, a DOM-based XSS attack occurs when the payload is executed by changing the DOM environment in the victim’s browser, which causes page code to operate differently.

A DOM-based XSS vulnerability is one of the vulnerabilities named in the OWASP Top 10, a powerful awareness document for Web application security. It represents a broad consensus about what the most critical flaws are — and these vulnerabilities tend to be present in many applications.

How Application Security Could Have Helped

Could this have been prevented? The answer is yes! But what steps should have been taken to ensure that the vulnerability did not exist in the first place?

To enable clients to prevent these kinds of exploits and vulnerabilities, IBM provides a comprehensive Application Security Testing portfolio. IBM Security AppScan scans source code and Web applications for vulnerabilities. It reports on known issues, giving advice on how to repair them and how to prevent them from being exploited.

Do I Need to Install It All On-Premises?

You have a choice: Build your IBM AppScan environment on-site or use the IBM Application Security on Cloud offering. The latter enables you to quickly scan an application or website without having to install software or manage a complex application scanning environment.

For example, the builders of the website in question could have scanned the site for known vulnerabilities with a few clicks. It could have prevented them from having issues — most importantly, developers could have bypassed the embarrassment of their brand-new site having XSS vulnerabilities.

Is IBM AppScan the Only Solution?

There is more to securing sites and applications than simply leveraging the right tools. It is important to incorporate security awareness and secure development into the whole software development life cycle.

From the initial design of a website up until its final stages, security should be top of mind. Developers need to receive appropriate training on how to build securely and how to test their code, or they should be supported by teams with these skills. To learn more about implementing an application security testing program at your organization, consult our blog.

More from Application Security

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…