When Adobe shifted to its current software-as-a-service (SaaS) business and delivery model, analysts predicted that the move would eventually bring the company down. Adobe is still going strong, but it did suffer a catastrophic data breach that exposed the source code for Acrobat and ColdFusion, along with the data of 3 million customer accounts.
SaaS offerings and web applications are highly exposed to compromise. Unlike the traditional “boxed” software of the past, a SaaS offering is reachable by the general public, so anyone can probe it for weaknesses and flaws. Developers should therefore implement security controls at the code level to prevent the following common SaaS exploits.
9. Cross-site Scripting
Cross-site scripting (XSS) attacks take advantage of the fact that browsers can’t tell valid markup from attacker-controlled markup. They simply execute whatever markup text they receive. In these exploits, an attacker might inject a script and modify the web page to suit their own purposes—perhaps to extract data that lets the attacker impersonate an authenticated user, or to inject malicious code for the browser to execute.
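The defence that follows from this is output encoding: the server must turn user-supplied text into inert characters before placing it in a page. The block below is an added example written for this article (not code from the original post); the display-name string it uses is the constructed textbook probe, and the two renderers are hypothetical functions, not any particular framework's API.

```python
import html

# Constructed sample input: a display name submitted through a profile form.
# It is the standard textbook probe string used to show the defect, nothing more.
SAMPLE_NAME = "<script>alert(1)</script>"


def render_greeting_vulnerable(display_name: str) -> str:
    """Interpolates user input straight into markup.

    The browser has no way to tell that the <script> element came from the
    user rather than from the application, so it executes it.
    """
    return f"<p>Welcome back, {display_name}!</p>"


def render_greeting_safe(display_name: str) -> str:
    """Output-encodes the value for the HTML text context before interpolating it.

    html.escape turns <, >, &, " and ' into entity references, so the browser
    renders them as text instead of parsing them as markup.
    """
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


def render_link_safe(display_name: str, profile_id: str) -> str:
    """Attribute context: the values are quoted AND escaped with quote=True, so a
    stray double quote in the input cannot close the attribute early."""
    safe_id = html.escape(profile_id, quote=True)
    safe_name = html.escape(display_name, quote=True)
    return f'<a href="/profile/{safe_id}" title="{safe_name}">{safe_name}</a>'


def contains_raw_script_tag(fragment: str) -> bool:
    """Demonstration-only check: did an unencoded <script> tag survive rendering?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print(render_greeting_vulnerable(SAMPLE_NAME))
    print(render_greeting_safe(SAMPLE_NAME))
```

Encoding is context-specific: the text-node and quoted-attribute cases above are covered by `html.escape`, but a value placed inside a `<script>` block or a URL needs that context's own encoding, which is why template engines with automatic, context-aware escaping are preferred over hand-built strings.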
8. SQL Injection
SQL injection attacks are a popular way for cyber attackers to gain access to data stored in databases. SQL stands for “structured query language,” the common language relational databases use for executing queries. Cyber attackers will often attempt to pass SQL commands inside form field submissions to interact with and manipulate the website’s database directly.
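The root cause is that a form value gets pasted into the SQL text, so quote characters in the value change the structure of the query; the fix is to bind the value as a parameter. The block below is an added example written for this article, not code from the original post: it uses Python's built-in sqlite3 module with a constructed in-memory table, and the probe string is the classic textbook one.

```python
import sqlite3

# Constructed sample input: the textbook probe that turns a lookup into "match every row".
INJECTION_PROBE = "' OR '1'='1"


def build_demo_db() -> sqlite3.Connection:
    """In-memory database with two constructed user rows (ids 1 and 2)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String formatting makes the form field part of the SQL text itself,
    so a quote in the input ends the literal and the rest becomes SQL."""
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """A bound parameter is sent as data: the database never parses it as SQL,
    so the probe string is simply a username that matches nobody."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable:", find_user_vulnerable(db, INJECTION_PROBE))  # both rows
    print("safe:      ", find_user_safe(db, INJECTION_PROBE))        # no rows
```

The same rule applies to every driver and ORM: identifiers such as table or column names cannot be bound as parameters, so if they must vary they are checked against a fixed allowlist rather than interpolated.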
7. Cryptographic Issues
Cryptography is a method of storing and transmitting data in encoded form so that only the intended recipients can read and process it. SSL encryption is common among SaaS apps, but many still use versions of the protocol that are no longer considered secure (i.e., SSL 3.0 and below).
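On the client side of an HTTPS connection the protocol floor and certificate checks are a few lines of configuration, and they are also what an audit should look at first. The block below is an added example for this article, not code from the original post; it uses Python's standard `ssl` module, and `make_weak_context` is a constructed "before" configuration with the two mistakes the audit flags.

```python
import ssl


def make_client_context() -> ssl.SSLContext:
    """Hardened client context: system CA store, hostname check, TLS 1.2 floor."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSL 3.0, TLS 1.0 and TLS 1.1
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """Constructed 'before' configuration: the shortcuts that make TLS pointless."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be off before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate, so interception goes unnoticed
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Returns a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(make_client_context()))
    print("weak:    ", audit_context(make_weak_context()))
```

Modern OpenSSL builds no longer ship SSL 3.0 at all, so the `minimum_version` line matters mostly for TLS 1.0 and 1.1; the verification and hostname settings are the ones that get silently disabled to "make the error go away" during development and then ship.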
6. Data Leakage
Data leakage occurs when privileged system and application information is unintentionally revealed to the user. If discovered by nefarious actors, accidentally leaked data or debugging information can help them learn about the system and form a plan of attack. Website error pages and unsecured logs are typical data leakage culprits.
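The error-page case has a simple shape: the client gets a generic message and a reference id, the detail goes to the server log under that id. The block below is an added example for this article, not code from the original post; `failing_handler` is a constructed request handler and the connection string in its error message is made up for the demonstration.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")


def failing_handler():
    """Constructed request handler whose failure message carries a secret
    (a made-up connection string with an embedded password)."""
    raise RuntimeError("could not connect to postgres://svc:hunter2@db.internal:5432/app")


def handle_request_vulnerable(handler):
    """Debug-style error page: the full traceback, file paths and exception
    text included, goes back to whoever sent the request."""
    try:
        return 200, handler()
    except Exception:
        return 500, "<pre>" + traceback.format_exc() + "</pre>"


def handle_request_safe(handler):
    """Generic error page for the client; the traceback is written to the
    server log keyed by a reference id the user can quote to support."""
    try:
        return 200, handler()
    except Exception:
        ref = uuid.uuid4().hex
        log.exception("unhandled error ref=%s", ref)
        return 500, f"Something went wrong. Reference: {ref}"


# Response headers that only serve to identify the server stack to a probe.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def strip_fingerprint_headers(headers: dict) -> dict:
    """Drops version-revealing headers before the response leaves the app."""
    return {k: v for k, v in headers.items() if k.lower() not in FINGERPRINT_HEADERS}


if __name__ == "__main__":
    print(handle_request_vulnerable(failing_handler)[1])
    print(handle_request_safe(failing_handler)[1])
```

The log line still contains the secret, which is the second half of the item: the log itself now has to be access-controlled, and connection strings are better kept out of exception messages in the first place.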
5. Insufficient Input Validation
Input validation determines if an end user’s input matches an expected format. For example, non-numeric values should not be allowed in a field that accepts social security numbers. Having proper input validation in place is an additional security measure for ensuring that malicious data payloads are not processed by the system.
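Validation is most effective as an allowlist: every expected field has an exact format, and anything else is rejected. The block below is an added example for this article, not code from the original post; the field rules are constructed for the demonstration (the SSN pattern only checks the digit grouping, real rules are stricter), and it also shows the common anchoring mistake that lets a value with a trailing newline through.

```python
import re

# Allowlist of expected fields and the exact format each must take.
# Constructed rules for the demonstration; real SSN validation is stricter.
FIELD_RULES = {
    "ssn": re.compile(r"\d{3}-\d{2}-\d{4}"),
    "zip": re.compile(r"\d{5}"),
    "username": re.compile(r"[a-z0-9_]{3,32}"),
}


def validate(form: dict) -> dict:
    """Returns {field: problem}; an empty dict means the form is acceptable."""
    errors = {}
    # Fields the form is not supposed to carry are rejected outright
    # (mass-assignment style extras such as "is_admin").
    for field in form:
        if field not in FIELD_RULES:
            errors[field] = "unexpected field"
    for field, rule in FIELD_RULES.items():
        value = form.get(field)
        if value is None:
            errors[field] = "missing"
        # fullmatch anchors both ends with no trailing-newline exception.
        elif not isinstance(value, str) or rule.fullmatch(value) is None:
            errors[field] = "invalid format"
    return errors


def ssn_check_with_dollar_anchor(value: str) -> bool:
    """The common mistake: '$' also matches just before a trailing newline,
    so "123-45-6789\\n" passes this check and reaches the rest of the system."""
    return re.match(r"\d{3}-\d{2}-\d{4}$", value) is not None


if __name__ == "__main__":
    print(validate({"ssn": "123-45-6789", "zip": "12345", "username": "alice"}))
    print(validate({"ssn": "123-45-6789\n", "zip": "12345", "username": "alice", "is_admin": "1"}))
```

Type checks matter as much as the regex: a JSON body can carry a number or a list where a string is expected, and a regex applied to a non-string raises rather than rejects, which is why the `isinstance` check comes first.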
4. Buffer Overflow
Buffer overflows are another common tactic used in cyber attacks. Multiple types of buffer overflow attack exist; in general, they all attempt to overwrite adjacent memory locations, causing system errors and eventually denial of service (DoS).
3. Bad Credential Management
SaaS offerings without proper credential management processes in place have an even higher probability of falling victim to data breaches. Enforcing strong password selection and frequent password changes are among the measures a firm can take to bolster its security posture.
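Credential management also covers how the service stores the passwords it collects: a breach of the user table should yield salted, slow hashes rather than plaintext. The block below is an added example for this article, not code from the original post; it uses only the standard library (PBKDF2-HMAC-SHA256 with a per-user random salt and a constant-time comparison), and the denylist is a constructed stand-in for a breached-password corpus.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; the figure OWASP's Password Storage
# Cheat Sheet recommends. Raise it over time as hardware gets faster.
PBKDF2_ITERATIONS = 600_000

# Constructed denylist; production systems check against breached-password corpora.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Returns a self-describing string: algorithm, iterations, salt and hash,
    so the work factor can be raised later without a flag day."""
    salt = os.urandom(16)  # fresh per password: identical passwords get different hashes
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recomputes the hash with the stored salt and iteration count and compares
    in constant time, so timing does not reveal how many bytes matched."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def password_is_acceptable(password: str, min_length: int = 12) -> bool:
    """Strong-selection policy: length plus a denylist, rather than character-class rules."""
    return len(password) >= min_length and password.lower() not in COMMON_PASSWORDS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Where a dedicated password-hashing library is available, Argon2id or bcrypt are the usual choices; PBKDF2 is shown here because it needs no third-party package.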
2. Time Exploits
Cyber attackers will often attempt to alter or compromise a SaaS offering’s ability to keep accurate time by exploiting weaknesses in the underlying clock synchronization mechanisms. For example, a critical vulnerability in the NTP protocol put countless networks across the globe at risk of compromise last year.
1. Directory Traversal
Directory traversal occurs when cyber attackers are able to navigate through the system’s directory structure to identify and alter critical files. These exploits usually involve attackers gaining access to restricted directories and executing commands outside the web server’s root directory.
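The code-level control is to resolve every client-supplied path against the real filesystem and then confirm it still sits under the web root, rather than trying to filter `..` sequences out of the string. The block below is an added example for this article, not code from the original post; `DEMO_ROOT` is a constructed temporary directory standing in for a web root, and `resolve_under_root` is a hypothetical helper, not any server's API.

```python
import tempfile
from pathlib import Path
from typing import Optional

# Constructed web root for the demonstration (an empty temporary directory).
DEMO_ROOT = Path(tempfile.mkdtemp(prefix="webroot-")).resolve()


def resolve_under_root(root, requested: str) -> Optional[Path]:
    """Maps a client-supplied path to a filesystem path under root, or returns
    None when the path would land outside root. Percent-decoding of the URL
    must already have happened by the time the value reaches this function."""
    if "\0" in requested:  # an embedded NUL truncates the path in C-level APIs
        return None
    root_path = Path(root).resolve()
    # Treat the request as relative even if it starts with a slash, then let
    # resolve() collapse ".." components and symlinks against the real layout.
    candidate = (root_path / requested.lstrip("/\\")).resolve()
    # The containment test is done on the resolved path, not on the string:
    # "css/../../x" is rejected while "css/../index.html" is allowed.
    if candidate == root_path or root_path in candidate.parents:
        return candidate
    return None


if __name__ == "__main__":
    for req in ("css/site.css", "css/../index.html", "../../etc/passwd", "/etc/passwd"):
        print(f"{req!r:>22} -> {resolve_under_root(DEMO_ROOT, req)}")
```

Because the check runs after symlink resolution, a symlink inside the web root that points outside it is also caught, which a pure string filter on `..` would miss.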
A final note on content management systems (CMS): if your favorite SaaS is using a popular open source CMS like WordPress, Drupal, or Joomla, chances are it will get hacked. All of these highly popular CMS platforms are based on PHP, a widely used and exploitable scripting language.