Web Application Attacks and Countermeasures

1. Web Application Attacks
&
Countermeasures
me.whimsical@gmail.com

2.  The Open Web Application Security Project (OWASP) is an open-
source application security project.
 OWASP is an open community dedicated to enabling
organizations to conceive, develop, acquire, operate, and
maintain applications that can be trusted.
 OWASP TOP 10 lists the most prevalent attacks in a generic
order

3. OWASP Top 10 Web Application Vulnerabilities
 Injection Flaws
 Broken Authentication and Session Management
 Cross Site Scripting (XSS)
 Insecure Direct Object References
 Security Mis-configuration
 Sensitive Data Exposure
 Missing Function Level Action Control
 Cross Site Request Forgery (CSRF)
 Using Known Vulnerable Components
 Unvalidated Redirects and Forwards

4. Injection Flaws
Injection flaws such as SQL, Command occur when untrusted data is
sent to the application as a part of user input.
Types of Injection flaws
• Command Injection
Targets under lying Operating System of the Web Server
(Ex: Password field contains : “somepassword; rm –rf /” )
• Code Injection
Targets Application/ Web Broswer
(Ex: <script>alert(“your are hacked”); </script>)
• SQL Injection
Targets backend Database of the Web Application.
(Ex: SELECT * FROM users WHERE name = '' OR '1'='1' -- '; )

5.  Do rigorous input data validation
 Do server-side validation
 Each parameter should be checked against a white list that
specifies exactly what input will be allowed
 Validation Criteria
 Data type (string, integer, real, etc…)
 Allowed character set or numeric range
 Minimum and maximum length
 Whether null is allowed
 Whether duplicates are allowed

6. Application functions related to authentication and session
management are often not implemented correctly, allowing attackers
to compromise passwords, keys, session tokens, or exploit other
implementation flaws to assume other user’s identity.
Commonly flawed credential management functions include
password change, forgot my password, accounts update and other
related functions.
Typical Impact
User accounts compromised or user sessions hijacked

7.  Password strength
 Password use
 Password change controls
 Password Storage
 Browser caching
 Re-authentication for critical functions

8. Cross-Site Scripting attacks are a type of injection problem, in
which malicious scripts are injected into the otherwise benign and
trusted web sites.
It involves tricking the browser into executing code. The browser
believes that the code is part of the site runs it in that context.
As a result the malicious script can access any cookies, session
tokens, or other sensitive information retained by your browser
and used with that site.
Typical Impact
Steal sensitive data, rewrite web page, redirect user to phishing or
malware site

9.  Use HTML Encoding
<script>XSS example</script> gets encoded as
&lt;script&gt;XSS example&lt;/script&gt;
 Use URL encoding
<script>XSS example</script> gets encoded as
%3Cscript%3EXSS%20example%3C%2Fscript%3E
 Filter input for any special characters
 Use tools such as XSS Me for Firefox or XSS Rays for Chrome to
test your website for any XSS vulnerability

10. A direct object reference occurs when a developer exposes a
reference to an internal implementation object, such as a file,
directory, database record, or key, as a URL or form
parameter.
An attacker can manipulate direct object references to access
other users without authorization.
Typical Impact
Sensitive information disclosure

11.  Avoid exposing your private object references to
users whenever possible
 Minimize user ability to predict object IDs/Names
 Verify user authorization each time sensitive
objects/files/contents are accessed
 Use an indirect reference map to create alternative ID/Name for
server side object/data so that exact ID/Name of object/data is
not exposed

12. Some common server configuration problems that can plague the
security of a site include
 Unpatched security flaws in the server software
 Improper file and directory permissions
 Unnecessary services enabled, including content
management and remote administration
 Default accounts with default passwords
 Overly informative error messages
Typical Impact
Server or application compromise

13.  Configuring all security mechanisms
 Turning off all unused services
 Setting up roles, permissions, and accounts, including disabling
all default accounts or changing their passwords
 Logging and alerts
 Applying the latest security patches (OS, DBMS, Web server and
code libraries)
 Regular vulnerability scanning from both internal and external
perspectives

14. Sensitive data like passwords and credit cards information
deserves extra protection such as encryption at rest or in transit.
Common problems leading to Sensitive data exposure :
 Not encrypting sensitive data
 Insecure use of strong algorithms
 Continued use of proven weak algorithms
 Improper key management
Typical Impact
Sensitive information disclosure

15.  Ensure that critical data is encrypted everywhere it is stored
long term, including backups of this data
 Strong encryption algorithms are used for encryption
 Strong keys are generated, and proper key management is in
place

16. Access Control is a mechanism of authorizing requests to a system
resource or determining if that functionality should be granted or
denied.
Attacks on Access Control can be
 Vertical
 Horizontal
Typical Impact
Elevation of privileges and disclosure of confidential data

17.  Implement role based access control to assign permissions to
application users for vertical access control
 Implement data-contextual access control to assign
permissions to application users in the context of specific data
items for horizontal access control
 Where possible restrict administrator access to machines
located on the local area network (i.e. it’s best to avoid remote
administrator access from public facing access points)

18. Cross-Site Request Forgery (CSRF) is an attack that tricks the
victim into loading a page that contains a malicious request to
perform an action on victim’s behalf.
For example, using CSRF, an attacker makes the victim perform
actions that they didn't intend to, such as logout, purchase
item, change account information, or any other function
provided by the vulnerable website.
Typical Impact
Attackers can persuade victims to perform any function on the
web application in which the user is currently authenticated

19. • Secret (non predictable) Validation Token
• Referrer Validation
• User re-authentication for any account related tasks (password
change)
• Use of two factor authentication for any sensitive tasks (online
payment)

20. Vulnerable software components can be identified and exploited by
attackers via automated tools and vulnerability databases.
Typical Impact
The full range of weaknesses is possible, including injection,
broken access control, XSS, etc.

21.  Identify the components and their versions you are using,
including all dependencies. (e.g., the versions plugin)
 Monitor the security of these components in public databases,
project mailing lists, and security mailing lists, and keep them
up-to-date

22. Unvalidated redirects and forwards are possible when a web
application accepts untrusted input that could cause the web
application to redirect the request to a URL contained within
untrusted input.
Typical Impact
Redirect victim to phishing or malware site or bypass security
checks to perform unauthorized function or data access
http://mytrustedsite.com/Redirect.aspx?Url=http://myuntrustedsit
e.com
Malicious
Redirection

23.  Simply avoid using redirects and forwards
 Spider the site to see if it generates any redirects (check for
HTTP response codes)
 All input must be validated against a whitelist of acceptable
value ranges