In today's digital landscape, a brand's online presence extends far beyond a single website. Enterprises typically maintain numerous digital touchpoints, including multiple websites, mobile applications, web applications, and APIs that connect numerous services and systems. While this digital ecosystem enables efficient operations and enhanced customer experiences, it also presents an expanded attack surface that cybercriminals actively exploit.

The cost of such exploitation can be extremely high. Beyond the immediate financial losses of a successful attack, which averaged $4.35 million per data breach in 2022, organisations can also face long-term reputation damage, loss of customer trust, regulatory penalties, and potential legal liabilities if they do not properly protect themselves.

For enterprises that have complex digital ecosystems with multiple interconnected digital assets, the challenge of maintaining comprehensive security is complex. To stay safe, they must focus on protecting every single asset individually as well as a group. It is both a micro and a macro project that needs to be handled carefully so potential vulnerabilities are not overlooked as one transitions from protecting individual units to whole systems.

In this article, we explore how enterprises can protect the individual websites, applications, and APIs that make up their digital ecosystem, and provide actionable strategies for scaling protection so it covers the entire system and its interconnections.

Websites: Vulnerabilities and Protection Strategies

Websites serve as the primary digital storefront for most companies and are therefore a particularly important part of a brand’s digital presence. Unfortunately, websites are also vulnerable in many ways, making them highly attractive targets for cybercriminals.

A website’s Achille's heel: The CMS

One of the main ways in which cybercriminals exploit websites is through the Content Management System (CMS). Of all the parts that make up a website, this tends to be the most vulnerable as various teams in an organisation will have access to it so they can manage everything from design and blog posting to building new service pages, lead gen forms, and payment portals. With so many people with access, combined with poor management of user credentials and file permissions, as well as the option to install external plugins and themes, it is easy to lose control, creating many openings for cybercriminals to launch attacks like:

Cross-Site Scripting (XSS)

A cross-site scripting attack refers to the injection of malicious scripts into trusted websites and can lead to, amongst other things:

  • Theft of user session data

  • Defacement of website content

  • Redirection of users to malicious sites

XSS attacks come in three main varieties:

  • Reflected XSS: The malicious script is embedded in a URL and only affects users who click on specifically crafted links. For example, an attacker might send a legitimate-looking link to your company's website that includes JavaScript code in the URL parameters. When clicked, this code executes in the victim's browser.

  • Stored XSS: The malicious script is permanently stored on target servers (like in a database) and is served to users who visit affected pages. Common entry points include comment sections, user profiles, and form submissions.

  • DOM-based XSS: The attack occurs entirely in the browser when client-side JavaScript modifies the page's DOM in an unsafe way using untrusted data.

A website’s CMS often provides many features that can be exploited for XSS attacks, including:

  • Rich Text Editors: Attackers can bypass poorly configured WYSIWYG editors to inject malicious scripts into content that gets stored and displayed to other users, such as comments and reviews.

  • Themes and Plugins: Vulnerable themes or plugins might fail to properly filter malicious user input when rendering templates.

  • Widget Systems: Third-party widgets or customisable sidebar elements might process and display user input without proper sanitisation, creating perfect opportunities for malicious code or link injections.

  • Form Submissions: Contact forms, search functions, and other input fields can allow attackers to easily inject malicious content into a website.

SQL Injection

SQL injection attacks occur when malicious SQL code is inserted into website queries, allowing attackers to manipulate the underlying database, which can lead to:

  • Unauthorised access to databases

  • Theft of sensitive customer data

  • Manipulation of database content

These attacks typically exploit improperly sanitised input fields and take several forms, such as:

  • Union-Based: Attackers use UNION commands to combine results from their malicious query with legitimate results. Example:

Original query: SELECT * FROM products WHERE category = 'electronics'
Injected query: SELECT * FROM products WHERE category = 'electronics' UNION SELECT username, password FROM users--

  • Error-Based: Attackers craft inputs that cause SQL errors revealing information about the database structure. Example:

Original query: SELECT * FROM products WHERE id = 1
Injected query: SELECT * FROM products WHERE id = 1 AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 1 END)--

  • Time-Based Blind: Attackers use database time delays to infer information when no output is visible. Example:

Original query: SELECT * FROM products WHERE id = 1
Injected query: SELECT * FROM products WHERE id = 1 AND IF(1=1, SLEEP(5), 0)--

As with XSS attacks, a website’s CMS has many features that can create entry points for SQL injection, including:

  • Search Functions: Many CMS systems have search features that directly query databases with user input. Attackers can use this function to get information from the underlying database. Example:

Original search query: SELECT * FROM posts WHERE title LIKE '%user_input%'
Injected query: %' UNION SELECT username,password,null FROM users --
Resulting query: SELECT * FROM posts WHERE title LIKE '%%' UNION SELECT username,password,null FROM users --%'

  • User Authentication: Login forms and password reset functions might be vulnerable if input sanitisation is insufficient.

  • URL Parameters: Dynamic pages that use URL parameters to fetch content (like post IDs or category filters) can be exploited to inject SQL queries.

  • Plugin Databases: Third-party plugins might introduce their own database tables and queries with insufficient security measures that can be exploited for SQL injection.

These are just a few of the ways in which cybercriminals can exploit a website’s CMS. The extensive possibilities for attack mean that protection needs to be equally, if not more, extensive.

Protection Strategies for Websites

To keep a website secure on the many fronts from which it could be attacked, it is essential to invest in:

  1. Security Infrastructure

    • Implement Web Application Firewalls (WAF)

    • Use DDoS protection services

    • Enable HTTPS with proper SSL/TLS configuration

    • Carry out regular security scans and penetration tests to identify and remove any malicious content that could have been added.

  2. CMS Security

    • Automate security updates for CMS core, plugins, and themes to ensure you are always operating on the latest version

    • Regularly conduct security audits of third-party components

    • Implementation of least-privilege access principles

    • Strong password policies and multi-factor authentication

  3. Content Security

    • Implement a Content Security Policy (CSP)

    • Regularly scan for malware

    • Automated backup systems

    • Input validation and sanitisation

To successfully protect websites from threats, security requires a multi-layered approach that combines technical controls, regular monitoring, and proper maintenance procedures. For enterprises managing multiple websites, another essential element is centralising and automating all security measures through a single platform as this can significantly reduce the complexity of managing website security, preventing errors and oversights.

Applications: Vulnerabilities and Protection Strategies

Aside from websites, today’s enterprises also rely on numerous applications, both internal and customer-facing, which need to be protected. The main issue with applications is that they interact with users, external systems, and various data sources, creating numerous points where malicious data can enter the system.

Applications: A smorgasbord of vulnerabilities

Whether it is user-submitted forms, API calls, file uploads, or database queries, each interaction of an application with another system represents a potential entry point for malicious data. The complexity of modern applications, often built with multiple frameworks, libraries, and third-party integrations, makes it increasingly difficult to properly validate and sanitise all incoming data across every entry point. This challenge is compounded in enterprise environments where applications need to balance security with functionality, performance, and user experience. Additionally, applications often suffer from other issues, such as:

Authentication Weaknesses

Unfortunately, applications have many authentication weaknesses, including:

  • Broken authentication mechanisms

  • Session management flaws

  • Weak password requirements

  • Insecure password reset processes

All of these, create many opportunities for cybercriminals to easily gain access to enterprise systems. For example, a cybercriminal could take advantage of an application with broken authentication mechanisms that uses predictable session tokens for logins by simply analysing the pattern of session tokens to generate valid tokens for themselves, like this:

Session tokens follow pattern: BASE64(username:timestamp)
Attacker observes: dXNlcjE6MTcwNTM4NDAwMA== (user1:1705384000)
Attacker generates: dXNlcjI6MTcwNTM4NDAwMA== (user2:1705384000)
Result: Unauthorised access to user2's account

Once in, the attacker can just take all the user data that is stored in the application.

Authorisation Flaws

Beyond the many authentication weaknesses, applications are often also plagued with authorisation flaws that are easy to take advantage of, such as:

  • Insufficient access controls

  • Vertical and horizontal privilege escalation

  • Missing function-level authorisation

  • Insecure direct object references

These vulnerabilities often allow attackers to access unauthorised resources or perform unauthorised actions. For example, when an application does not have proper function-level authorisation, an attacker could use exposed API endpoints, such as a URL only shown to admin users, to gain access to the backend as an admin user and delete user accounts or block access to legitimate users.

Data Security Issues

Lastly, aside from all the other vulnerabilities, applications also have many data security issues, including:

  • Insufficient encryption

  • Insecure data storage

  • Unprotected sensitive information in logs

  • Inadequate data validation

Attackers can take advantage of these to steal sensitive information. For example, in applications that will accept file uploads without proper validation, attackers can simply upload malicious files with a double extension (example.jpg.php). The server will process these files as PHP, giving the attacker access for remote code execution.

The many ways in which applications can easily be taken advantage of calls for security that covers many layers and touch points, from the backend to the frontend.

Protection Strategies for Applications

Application security needs to be both specific and comprehensive to avoid creating openings for attackers. It should include:

  1. Secure Development Practices

    • Implementation of secure software development lifecycle (SDLC)

    • Regular security training for development teams

    • Automated security testing in CI/CD pipelines

    • Code review processes with security focus

  2. Runtime Protection

    • Application monitoring and logging

    • Runtime application self-protection (RASP)

    • Automated vulnerability scanning

    • Real-time threat detection and response

  3. Authentication and Authorisation

    • Implementation of strong authentication mechanisms

    • OAuth 2.0 and OpenID Connect for third-party authentication

    • Role-based access control (RBAC)

    • Regular access rights reviews

In other words, for applications to stay secure, security measures must be implemented from beginning to end, from the code all the way through to execution and interaction. As was the case with websites, for large enterprises with many applications, it is also important to implement centralised security controls and automated testing to ensure a consistent security across all applications. Otherwise, you will quickly lose control and oversight.

APIs: Vulnerabilities and Protection Strategies

In the same way websites and applications have become indispensable for business operations, APIs have also become critical components of modern digital infrastructure, enabling integration between services and systems. However, they also present unique security challenges that attackers increasingly target.

A direct route into systems: APIs

The most critical vulnerability in APIs stems from their fundamental nature as programmatic interfaces designed for machine-to-machine communication. Unlike web interfaces or applications built for human interaction, APIs provide direct access to application logic and data structures, often with granular endpoints that handle specific functions or data operations. This direct access means that attackers can interact with your systems in ways that bypass the usual constraints and validations present in user interfaces.

Furthermore, APIs often operate with elevated privileges to perform their functions efficiently, and their documentation - whether public or leaked - provides attackers with a detailed roadmap of available endpoints and data structures. This combination of direct access, elevated privileges, and exposed system architecture makes APIs particularly attractive targets for cybercriminals. When you consider that modern enterprises often manage hundreds or thousands of APIs across different services, versions, and environments, the challenge of securing these endpoints becomes exponentially more complex.

The vulnerabilities that affect APIs can be categorised into three principal areas:

Authentication and Authorisation

APIs in general often fail to properly verify user identity or enforce access controls. They commonly have issues like:

  • Broken authentication

  • Missing or weak API keys

  • Insufficient OAuth implementation

  • Lack of rate limiting

Attackers often target authentication mechanisms by intercepting and manipulating API tokens. In a common scenario, an attacker might capture a JWT (JSON Web Token) through network monitoring or client-side storage. They then decode the token, modify its contents (such as changing user roles or permissions), and resign it:

Original API Request: GET /api/user/profile
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
{role: "user"}
Attacker's Modified Request: GET /api/admin/all-profiles
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
{role: "admin"}

If the API does not properly validate token signatures or implement additional security checks, the attacker can use the modified token to gain admin access to all user profiles.

Data Exposure

APIs often expose data because they reveal too much information in their responses or fail to properly protect sensitive data. This is often the result of poor API design or insufficient data filtering.

Attackers can easily take advantage of these weaknesses to analyse API responses and identify endpoints that return excessive data. They can then craft requests that manipulate API parameters to extract sensitive information. This often involves modifying query parameters or request payloads to bypass intended data access limitations. For example:

Normal API Call: GET /api/products/123
Response: {basic product info}
Attacker's Modified Call: GET /api/products/123?fields=all
Response: {detailed product info, supplier data, pricing strategy, profit margins, customer data}

Without proper API protection that prevents this kind of response, attackers can gain access to sensitive business data that should be internal only.

Resource Management

Aside from the vulnerabilities already described, APIs also have resource management issues, including:

  • Lack of resource limitations

  • Insufficient monitoring

  • Missing API inventory

  • Deprecated API versions remaining active.

When APIs lack proper limits on resource usage or fail to manage API versions and deprecation effectively, attackers can exploit these weaknesses by using automated tools that overwhelm API endpoints or use older, less secure API versions that haven't been properly decommissioned to cause service disruptions or access vulnerable legacy endpoints. For example, an attacker could stage the following attack:

Phase 1 - Resource Exhaustion:
Attacker sends 1000s of simultaneous requests: POST /api/search { "complex_query": "...", "deep_filter": "...", "multiple_joins": "..." }
Phase 2 - Version Exploitation:
Attacker discovers old API version: GET /api/v1/users (vulnerable)
Instead of: GET /api/v2/users (secure)

This can lead to service degradation or service interruptions for legitimate users and can grant the attacker potential system access through vulnerable endpoints.

With thousands of potential APIs and endpoints in a system, it is vitally important to have complete oversight to protect them.

Protection Strategies for APIs:

There is nothing more important for protecting APIs than proper oversight and management. It is key to monitor all endpoints and identify those that could be potential entry points for attackers to make sure they are intelligently designed, protected or decommissioned when necessary. Lack of oversight over the thousands of APIs and endpoints that make up an enterprise system is the main reason cybercriminals can carry out the attacks described above.

To ensure APIs remain secure, API security must include:

  1. Access Control

    • Implementation of API gateways

    • Strong authentication mechanisms

    • Rate limiting and throttling

    • Regular API key rotation

  2. Data Security

    • Input validation and sanitisation

    • Response filtering

    • Encryption of sensitive data

    • Proper error handling

  3. Monitoring and Management

    • API discovery and inventory

    • Traffic monitoring and analysis

    • Anomaly detection

    • Version management and deprecation processes

Overall, API security requires specialised attention due to their unique characteristics and increasing importance in enterprise architectures. As with websites and applications, with so many APIs making up enterprise digital environments, a centralised system with automated detection and response is essential to ensure security. It is not humanly possible to manage and protect the massive digital systems of today, with their thousands of interconnected websites, applications, and APIs, without it.

The Key to Protection: Unified Security Management

If there is one thing to take away from this article, it is the great need for unified security management. For enterprises with thousands of digital assets, implementing individual security measures for each asset while staying ahead of evolving threats would be overwhelming and next to impossible even for the most sophisticated IT teams. A unified security management solution is required to help streamline the protection of all assets and maintain comprehensive coverage across all digital touchpoints. It is essential that this solution also includes:

  1. Centralised Security Controls

    • Single dashboard for security management

    • Unified policy enforcement

    • Centralised monitoring and alerting

    • Automated response capabilities

  2. Integrated Protection

    • Common security rules across assets

    • Shared threat intelligence

    • Coordinated incident response

    • Unified access management

  3. Automated Security Operations

    • Automated vulnerability scanning

    • Continuous security testing

    • Automated patching and updates

    • Regular security assessments

Without this, and the advanced automations that instantly identify, analyse, learn, and adapt to threats across the entire digital infrastructure, any enterprise system would quickly become vulnerable on many fronts.

Take the first step toward unified protection for your digital assets with a 30-day free trial of Webscreen's adaptive security platform, including a complimentary risk assessment from our security experts:

Contact us for a free consultation: