This document discusses understanding web application attack vectors by examining the 7 deadly vectors: security mechanisms, page creation methods, degree of distribution, authentication, input vectors, active content technologies, and cookies. It describes the risks associated with each vector, such as non-encrypted traffic, server-side vulnerabilities, cross-domain problems spanning applications, and vulnerabilities in scripting languages exploited via active content. The document also covers assessing an application's attack surface based on these vectors, assigning a risk score, and developing an application security program to pay attention to these risks.
Outpost24 webinar - Understanding the 7 deadly web application attack vectors
1. Understanding the 7 deadly web application attack vectors
Stephane Konarkowski
22nd July 2020
2. Helping customers improve security posture since 2001
Full stack security assessment
Over 2,000 customers in all regions of the world
Really good at breaking technology
3. What you will learn:
• Think like a hacker
• Get inside knowledge on how multiple discovery techniques should be used to assess web
• Delve into the seven deadly
• Top tips on creating a complete security blueprint of your critical web apps and a continuous application security program based on your attack surface
10. Security Mechanism (SM)
Risk Associated with SM
• Non-Encrypted
• Intercepted
• Stolen Data
• Developers often assume that the client won't modify the data
• The Web Application Hacker's Handbook
11. Page Creation Method (PM)
CS (client side) runs scripts on your computer after you've loaded a web page.
SS (server side) runs scripts before the HTML is loaded.
Server-side code is a source of vulnerability.
[Diagram: Client side vs. Server side; server-side languages listed: PHP, ASP, Java, Python, Ruby]
12. Page Creation Method (PM)
Risk Associated with PM
• PHP Object Injection
• Java deserialization
• Server-side vulnerabilities like SQL injection
Attacks that cause a hosted application to operate in unexpected or unpredictable ways can result in private data leaking out, either through HTTP responses or through logs.
13. Degree of Distribution (DOD)
Cross-domain problems are a common source of vulnerabilities.
[Diagram: WWW.WEBSITE.COM split into subdomain, 2nd level domain and top level domain; more attack vectors as the application spans across domains]
14. Degree of Distribution (DOD)
Risk Associated with DOD
• A secure web application that connects to other web applications, or is associated with them, can be attacked from a vulnerable one.
• A script from page A can only access data from page B if they are of the same origin.
17. Input Vectors (IV)
The more input vectors, the more complex the application.
• File Upload
• Search Functions
• Other Forms
• External Engines
18. Input Vectors (IV)
Risk Associated with Input Vectors
Input Validation Attacks: Cause, Exploits, Impacts
Cause: Failure to properly validate data at the entry and exit points of the application.
Exploits: Injection of malicious input such as code, scripting or commands that can be interpreted/executed by different targets to exploit vulnerabilities:
• Browser: XSS, XFS, HTML splitting
• Data repositories: SQL injection, LDAP injection
• Server-side file processing: XML, XPath
• Application/Server/O.S.: File uploads, Buffer Overflow
Impacts: Phishing, Information Disclosure (PII), Data Modification, Denial of Service, Financial Loss, Reputation Loss
20. Active Content Technology (ACT)
Risk Associated with ACT
Active content contains programs that trigger automatic actions on a web page without the user's knowledge or consent.
All web users are regularly exposed to active content.
• Code that you have copied
• Code that sits on an external site (no control)
Vulnerabilities in the scripting language are exploited to carry malicious code, which could be downloaded through a web browser and executed on a local system without the user's knowledge or consent.
25. Understanding your application
Business Criticality
• Is this application revenue generating?
• Is this application hosting sensitive information and customer data (PII)?
Update Frequency
• No application updates
• Application updates occur once a year
• Application updates occur several times a year
• Updates occur continuously
Complexity Level
• Application with a high number of pages
• Application with dynamic content
• Application with multiple inputs (forms)
[Diagram: Criticality, Updates and Complexity combine into the ARS (Application Risk Score)]
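As an added worked example that is not part of the webinar, the Python below turns the three dimensions on this slide (criticality, update frequency, complexity) into an Application Risk Score and a recommended assessment depth; the point values, thresholds and field names are assumptions, since the deck names the dimensions but publishes no formula.

```python
from dataclasses import dataclass

# Point values and thresholds are assumptions for illustration: the deck names
# the three dimensions that feed the ARS but publishes no weights.
UPDATE_POINTS = {"none": 0, "yearly": 1, "several_per_year": 2, "continuous": 3}

@dataclass
class WebApp:
    name: str
    revenue_generating: bool  # business criticality
    hosts_pii: bool           # business criticality (customer data)
    update_frequency: str     # one of UPDATE_POINTS
    many_pages: bool          # complexity
    dynamic_content: bool     # complexity
    multiple_inputs: bool     # complexity: forms, uploads, search ...

def criticality_score(app: WebApp) -> int:
    """0-6: revenue and PII each weigh 3 (assumed weights)."""
    return 3 * int(app.revenue_generating) + 3 * int(app.hosts_pii)

def update_score(app: WebApp) -> int:
    """0-3: more frequent change means more new code to assess (assumption)."""
    if app.update_frequency not in UPDATE_POINTS:
        raise ValueError(f"unknown update frequency: {app.update_frequency!r}")
    return UPDATE_POINTS[app.update_frequency]

def complexity_score(app: WebApp) -> int:
    """0-4: inputs weigh double because each form is an input vector."""
    return int(app.many_pages) + int(app.dynamic_content) + 2 * int(app.multiple_inputs)

def application_risk_score(app: WebApp) -> int:
    """ARS: sum of the three dimensions, range 0-13."""
    return criticality_score(app) + update_score(app) + complexity_score(app)

def assessment_depth(score: int) -> str:
    """Turn the ARS into an assessment plan (assumed thresholds)."""
    if score >= 9:
        return "in-depth manual assessment, rescan on every release"
    if score >= 5:
        return "automated scan plus targeted manual review"
    return "automated scan only"

if __name__ == "__main__":
    # Constructed sample inventory, not real applications.
    inventory = [WebApp("webshop", True, True, "continuous", True, True, True),
                 WebApp("brochure", False, False, "yearly", False, False, False)]
    for app in inventory:
        ars = application_risk_score(app)
        print(f"{app.name}: ARS={ars} -> {assessment_depth(ars)}")
```

Run over a real inventory, the score is what lets you decide which applications get the in-depth assessment and which only need a continuous automated scan.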
31. Takeaways
• Yes, cookies are also in that bag
• Understand how it's built to better defend
• Not all of them need an in-depth assessment
• If you don't know what you have …
• It's not the big door they will open