This document discusses understanding web application attack vectors by examining the 7 deadly vectors: security mechanisms, page creation methods, degree of distribution, authentication, input vectors, active content technologies, and cookies. It describes the risks associated with each vector, such as non-encrypted traffic, server-side vulnerabilities, cross-domain problems spanning applications, and vulnerabilities in scripting languages exploited via active content. The document also covers assessing an application's attack surface based on these vectors, assigning a risk score, and developing an application security program to pay attention to these risks.

1. Understanding the 7 deadly web
application attack vectors
Stephane Konarkowski
22nd July 2020

2. Helping customers improve security posture since 2001
Full stack security assessment
Over 2,000 customers in all regions of the world
Really good at breaking technology

3. What you will learn:
• Think like a hacker
• Get inside knowledge on how multiple discovery techniques should be used to assess web
• Delve into the seven deadly
• Top tips on creating a complete security blueprint of your critical web apps and a continuous application security
program based on your attack surface
3

4. We look at
your Web
Application
like a hacker
does
4

5. Pen Tester vs Hacker vs Burglar
Hacker Pen TesterBurglar
In common
5

6. Which Vectors are they looking at

7. 7
7 Vectors

8. Security Mechanism (SM)
HTTP HTTPS
http://www.bank-example.com
Password: abc123
https://www.bank-example.com
Password: e99a18c428cb38d5f260853678922e03
1) SSL Certificate Encryption
2) TLS Transport
host port
┌───────┴───────┐ ┌┴┐
http://www.example.com:123/forum/questions/?tag=networking&order=newest#top
└─┬─┘└───────────┬─────┘└─┬───────────┘└────────┬───────────────┘└┬─┘
scheme authority path query fragment
8

9. Security Mechanism (SM)
Client side Server side
Both = Better
Input Validation
Can be by-pass
9

10. Security Mechanism (SM)
Risk Associated with SM
10
• Non-Encrypted
• Intercepted
• Stolen Data
• Developers often assume that the client won't modify the data
• The Web Application Hackers handbook

11. Page Creation Method (PM)
CS runs scripts on your computer after you've loaded a web page.
SS runs scripts before the HTML is loaded
Server-side code is source to vulnerabilityClient side Server side PHP
ASP
Java
Python
Ruby
11

12. Page Creation Method (PM)
Risk Associated with PM
12
• PHP Object Injection
• Java deserialization
• Server-Side Vulnerabilities Like SQL INJECTION
Attacks that cause a hosted application to operate in unexpected or
unpredictable ways, can result in private data either leaking out through
HTTP responses or logs

13. Degree of Distribution(DOD)
Cross-domain problems are a common source of vulnerabilities
WWW.WEBSITE.COM
SUBDOMAIN 2nd LEVEL DOMAIN TOP LEVEL DOMAIN
More Attack Vectors
Spans across
13

14. Degree of Distribution(DOD)
Risk Associated with DOD
14
• A Secure Web Application that connects to other Web Applications or is associated to them
Can be attacked from a vulnerable one.
• A script from page A can only access data from page B if they are of the same origin.

15. Authentication (AUTH)
Usernames
Emails
Passwords
Domains
& much more
15

16. Authentication (AUTH)
Risk Associated with Authentication
16
• Curiosity: Yes
• Trusted: To a degree
• Important: Maybe
• Data: Oh yeah

17. Input Vectors (IV)
The more input vectors the more complex
• File Upload
• Search Functions
• Other Forms
• External Engines
17

18. Input Vectors (IV)
Risk Associated with Input Vectors
18
Input Validation Attacks: Cause, Exploits, Impacts
Cause: Failure to properly validate data at the entry and exit
points of the application
Exploits: Injection of malicious input such as code, scripting,
commands, that can be interpreted/executed by different
targets to exploit vulnerabilities:
• Browser: XSS, XFS, HTML-Splitting
• Data repositories: SQL Injection, LDAP injection
• Server side file processing: XML, XPATH
• Application/Server/O.S. :File uploads, Buffer Overflow
Impacts: Phishing, Information Disclosure (PII), Data
Modification, Denial Of service, Financial Loss, Reputation Loss

19. Active Content Technology (ACT)
• JavaScript
• Java Applet
• AJAX
• & more
• Externally Loaded
• RIA
• RSS
19

20. Active Content Technology (ACT)
Risk Associated with ACT
20
Active content contains programs that trigger automatic
actions on a Web page without the user's knowledge or
consent.
All Web users are regularly exposed to active content.
• Code that you have copied
• Code that sits on an external side (No control)
Vulnerabilities in the scripting language are exploited to carry
malicious code, which could be downloaded through a Web
browser and executed on a local system without the user's
knowledge or consent

21. Cookies (CS)
Own Cookies &
21
• Session
• Persistent
Foreign Cookies

22. Cookies (CS)
Risk Associated with Cookies
• Cross Site Request Forgery Attack (XSRF)
• Session Fixation
• Cross-Site Scripting
• Cookie Tossing Attack
• Cookie Overflow Attack
• Tracking/Privacy
22

23. How to Score

24. 24
Attack Surface based on Vectors
Attack Surface
Max Score: 39,19

25. Business Criticality
• Is this application revenue
generating?
• Is this application hosting
sensitive information and
customer data (PII)
Update Frequency
• No application updates
• Application updates occur once a
year
• Application updates occur
several times a year
• Updates occur continuously
Complexity Level
• Application with a high number
of pages
• Application with dynamic
content
• Application with multiple inputs
(forms)
Criticality
UpdatesComplexity
ARS (Application
Risk Score)
Understanding your application
25

26. Application Risk Score (ARS)
26
Application Name Surface Score
Criticality
Update frequency Appsec Program
Availability Confidentiality Integrity
demo1.com 20.45 2 2 2 1 5
demo2.com 20.22 3 2 2 2 9
! CVSS becomes CASS

27. Attack Surface Radar
Airline Other
27

28. ASP
Onboarding
Scout
Application Security Program (ASP) 28
?=?

29. Paying Attention
How many have you counted in the presentation?
The right answer gets a Free Scout Assessment
29

30. Takeaways?
30

31. Takeaways
31
• Yes Cookies are also in that bag
• Understand how its built to better defend
• Not all of them need an in depth assessment
• If you don’t know what you have …
• Its not the big door they will open

32. Stephane Konarkowski
Senior Security Consultant
sk@outpost24.com
Questions?