Low code, high risk: your site is a security nightmare
E-commerce stores exploded in 2020. With the outside world becoming suddenly off limits, many businesses made rapid leaps into the online retail space.
By the end of the year, online sales had grown by 61.4%, compared to the previous December.
However, these rapid developments have come at great risk to security.
From leaked passwords to stolen credit cards, customers are increasingly bearing the brunt of enterprises’ security mistakes. Your no-code sites may have risked company data; a web application firewall can help defend and protect.
Content management system sites may have streamlined website creation - but have they sacrificed security for convenience?
The no-code revolution
Developing, maintaining and hosting even a basic HTML website used to be a complex system of developers and webmasters. Every UX decision and server option would entail swathes of expert opinion.
Now, however, creating your own site is as easy as making a shopify account and throwing together some ready baked page elements.
Even domain purchasing and server hosting are now built-in functionalities for some CMS sites. Given the huge surge in e-commerce over the last decade, low-code or no-code solutions have helped dramatically reduce the barrier to entry.
CMS solutions sell themselves on ease of use; instead of writing line upon line of JavaScript, you instead only need to assemble various essential elements. This is enabled by plugins. Plugins have become pillars of no-code architecture, as pre-coded functionalities can simply be dragged and dropped onto your page.
The websites created by each CMS platform are beautiful, scalable, and device adaptable. On the backend, however, these sites are patchwork quilts of plugins and widgets. The sheer range of third-party plugins opens each site up to a veritable pick ‘n mix of vulnerabilities: here are a few recent examples.
Wordpress woes
If you’re familiar with Wordpress, you may have come across its WP Shopify plugin. WP Shopify syncs the two low-code e-commerce sites, allowing customers to add items to their Wordpress basket and go through the checkout process.
Unfortunately, versions 2.0.4 and earlier of the WP Shopify plugin opened up serious vulnerabilities in company sites. One particular danger is that WP Shopify allows cross-site scripting (XSS) attacks. XSS transforms this plugin into a vector for code injection.
This is because WP Shopify does not clean the input data coming from the user. This allows an attacker to input a URL into any field.
This URL can give access to the plugin's own settings, instructing the plugin to download a small piece of javascript from an attacker’s server onto the page. This further opens the floodgates to cookie-based authentication theft. XSS is so powerful that an attacker does not even need to be logged in.
WooCommerce woopsies
Another Wordpress plugin, WooCommerce, is a fantastic tool for small to medium-sized enterprises. Free secure payment and configurable shipping options are implemented within minutes - all for free.
However, a customer complaint surfaced in 2020. Shortly after making a purchase on one small business’ site, they noticed a fraudulent transaction on the card. After flagging this up with the company, it was time for a deep delve into the guilty plugin.
It was - unsurprisingly - another case of code injection. Here however, the attackers had managed to alter the PHP files themselves, instead of running external commands in Javascript. These malicious instructions would then send off login and card details to an anonymous Russian server.
This card swiper had been installed for the last three and a half months, affecting potentially hundreds of clients.
The accessibility blindspot
There’s one rule with plugin vulnerabilities: successful ones hide themselves. For some enterprises, security solutions are as lacklustre as a quick manual review of the backend code.
This is where obfuscation becomes a powerful form of malware resilience. One popular solution is the use of the strrev() command. Strrev - literally ‘string reverse’ - swaps the order of every letter in a string.
This means that there might be a simple ‘exe.erawlam nur’ sandwiched in the middle of a chunk of code. Whilst a human eye would absolutely gloss over this, the strrev function would read ‘run malware.exe’.
Another common method of hiding malicious code is via the javascript function atob(). This simply decodes a string that has previously been encoded; once again tucking malicious code just out of sight.
Unfortunately, the separation of code and web developer has given malicious actors a gap within which they’ve comfortably nestled themselves. Many vulnerabilities take over a few months to find, and by this point in time they’ve already done considerable damage to your reputation.
Protecting yourself
Attempting to manually spot vulnerabilities in every single CMS plugin would drive anyone up the wall. Instead, your focus should be on keeping all your plugins patched. This is a basic but powerful long-term strategy to minimise the risk associated with a no-code platform.
However, sometimes patches are several weeks away - and, once they’ve been released, they can even fail to fully fix a vulnerability. In this case, you need a last minute solution to plug the gaps.
A Web Application Firewall (WAF) is a small but mighty solution that analyses and intercepts the web traffic flowing to and from your site. Once you’ve defined a blacklist, whitelist, or a hybrid setup of the two - it is able to intercept attacks in transit. This blocks malicious actors from even accessing vulnerable plugins.
WAFs are powerful thanks to their flexibility. First of all, they only need to be implemented in a few key locations. This makes them highly scalable, compared to other patches that must be installed on every single host.
There is also a lower chance of introducing conflicts to a CMS site. Whereas messing with the code itself could even break your e-commerce site, WAFs provide protection whilst sitting external to the lines of support code and libraries.
Finally, the continuous background protection that WAFs offer allow mission critical systems to stay online at all times.
The sheer adaptability and wide range protection that a WAF can offer should make it a staple of any security minded enterprise. In the realm of low-code, patchwork CMS sites, WAFs are critical pieces of site architecture.