10. Web Applications Mapping
• Collect the information gathered in the analysis process
• Map each piece of information to the appropriate resource
• 2.1 – Reconnaissance
[Diagram: Lucas maps the gathered information onto each resource: Web Server (SW version, OS version, Net info), Web App (Language, …), Database]
15. A1: Injection
• Text-based attacks that exploit the syntax of the targeted interpreter
• 2.2 – Web Applications Attacks
[Diagram: one attack payload reaching different interpreters: OS command shell, database, logs, XML parser, JavaScript engine, LDAP]
16. SQL Injections
• Database executes the code in the attacker's payload

    SELECT * FROM Movies WHERE Title = 'a' OR 1 = 1 ORDER BY Year

  (annotated on the slide: 'a' is data, OR 1 = 1 is code, and the quote character acts as the escape character that ends the string literal)
[Diagram: in the web browser, Eisenberg fills the search form (Title, Year, Price) with Title = a ' OR 1 = 1; the HTTP request reaches the web app, which builds the SQL query; the database executes it and its SQL output (a dump of the table) is returned in the HTTP response]
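As an added example (not from the slides), the Movies search above built both ways: the vulnerable string concatenation the slide illustrates, and the parameterized query that defeats it. It assumes an in-memory SQLite database with a constructed Movies table; the slide's payload a' OR 1 = 1 gets a trailing "--" so that the closing quote the application appends is commented out (the slide's query omits that quote).

```python
import sqlite3

# Constructed sample data standing in for the slide's Movies table.
SAMPLE_MOVIES = [
    ("Alien", 1979, 9.99),
    ("Blade Runner", 1982, 12.50),
    ("Heat", 1995, 8.00),
]

# Slide payload "a' OR 1 = 1", plus "--" to neutralise the application's closing quote.
PAYLOAD = "a' OR 1 = 1 --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Movies (Title TEXT, Year INTEGER, Price REAL)")
    conn.executemany("INSERT INTO Movies VALUES (?, ?, ?)", SAMPLE_MOVIES)
    return conn


def search_vulnerable(conn, title):
    # The slide's flaw: user data is glued into the SQL text, so the quote in the
    # payload ends the string literal and "OR 1 = 1" is parsed as code.
    query = f"SELECT Title, Year, Price FROM Movies WHERE Title = '{title}' ORDER BY Year"
    return conn.execute(query).fetchall()


def search_parameterized(conn, title):
    # Mitigation: a bound parameter stays data; the database never parses it as SQL,
    # so the same payload simply matches no title.
    query = "SELECT Title, Year, Price FROM Movies WHERE Title = ? ORDER BY Year"
    return conn.execute(query, (title,)).fetchall()


def demo():
    conn = make_db()
    return {
        "vulnerable": search_vulnerable(conn, PAYLOAD),      # whole table dumped
        "parameterized": search_parameterized(conn, PAYLOAD),  # no rows
        "legit": search_parameterized(conn, "Heat"),         # normal lookup still works
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```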
17. A2: Broken Auth. and Session Management
• Attacker uses exposed credentials or session IDs to impersonate users
[Diagram: Tommy sends an HTTP request to http://airline.com/login.html; the HTTP response sends him to http://airline.com/?SESSIONID=03098301, exposing the session ID in the URL; Eisenberg then requests http://airline.com/?SESSIONID=03098301 and the web app treats him as Tommy]
18. A3: Cross-Site Scripting (XSS)
• Attack payload stored in the application database (JavaScript injection)
• Reflected directly into the client
[Diagram: Eisenberg sends an HTTP request that stores the payload in the web app; Tommy's browser requests the page and receives the payload in the HTTP response; the script then makes the browser send an HTTP request to Hackerland]
19. A4: Insecure Direct Object References
• Users able to access unauthorized files or data
[Diagram: Eisenberg requests http://mybank.com/?acct=1000 and gets a response for his own account; he then requests http://mybank.com/?acct=1001 and the web app returns another customer's account]
20. A5: Security Misconfiguration
• Any component of any system not properly secured
• Default accounts, unpatched flaws, unprotected files and directories
Components:
• Operating System
• Web Server Software
• Web App Technology
[Diagram: Eisenberg's HTTP requests reach the web server and the database, any of whose components may be misconfigured]
21. A6: Sensitive Data Exposure
• Attacker gains access and retrieves sensitive data
• Stealing encryption keys or cleartext data
[Diagram: Eisenberg's HTTP request reaches the web app, which runs a SQL query against the database; the data is stored encrypted, but it comes back as clear text in the HTTP response]
22. A7: Missing Function Level Access Control
• Private functions are not protected against unauthorized access
[Diagram: Eisenberg requests http://myportal.com/?action=search, then http://myportal.com/?action=admin, and the web app serves the admin function without checking his privileges]
23. A8: Cross Site Request Forgery (CSRF)
• Attacker forges HTTP requests on behalf of the user
• Can be embedded in image tags, XSS, etc.
• Attack succeeds only if the user is authenticated
[Diagram: Tommy's browser requests http://hackedwebsite.com/welcome.html from Hackerland; the HTTP response is:

    <html>….
    <img src="http://mybank.com/transfer?amm=1000&dest=1308921">
    ……</html>

  The browser loads the image by sending an HTTP request to http://mybank.com/transfer?amm=1000&dest=1308921, automatically attaching Tommy's mybank.com session cookie, so the web app executes the transfer]
24. A9: Using Known Vulnerable Components
• Attacker scans, identifies, and exploits vulnerable modules of the web app
• Automated tools can be used
[Diagram: Eisenberg scans the web app with ZAP]
25. A10: Unvalidated Redirects and Forwards
• Attackers redirect the victim to a specific website
[Diagram: Tommy's browser requests http://shop.com/prod.jsp?p=120&dest=http://hackerland.com; the web app's HTTP response is a redirect to http://hackerland.com, and the browser then sends its next HTTP request to Hackerland]
28. Application Denial of Service
• Attacker consumes all the available system resources
• Web application DoS can take down the entire system
• Attacker can target specific users or modules of a web application
• Common HTTP DoS attacks:
  • Slowloris: slow HTTP headers vulnerability
  • RUDY (R-U-Dead-Yet): slow HTTP POST vulnerability
  • Slow Read DoS attack
29. Information Leakage
• Web application reveals sensitive data regarding:
  • the web application itself
  • the hosting environment
  • user data in error responses
[Diagram: Eisenberg sends an HTTP request to the web app; the HTTP response is the error "503 – DB 192.168.0.23 unreachable", which leaks the internal database address]