Web app penetration testing best methods tools used
Research Paper
Johnson County Community College
Cyber Security:
A Brief Overview for Programmers
David Chaponniere
CIS-264
Professor Angela Sunderland
October 10, 2016
Page | 1
Cyber Security: A Brief Overview for Programmers
David Chaponniere
Executive Summary
Cyber Security is still a relatively new term for the protection of data and information
stored electronically. With the steady rise of the “Internet of Things” (a network of everyday
devices, appliances, clothing, automobiles, and other objects equipped with computer chips that
can collect or transmit data through an Internet connection), it is increasingly difficult to
protect user data. In mid-2015, Cisco Systems Inc. estimated that there were already 15.7 billion
devices connected to the Internet, including mobile phones, parking meters, thermostats,
cardiac monitors, tires, roads, cars, supermarket shelves, and many other types of objects (ITU).
Allied Business Intelligence Research Inc. predicts that “The number of devices will more than
double from the current level, with 40.9 billion forecasted for 2020”. Most of the added devices
are expected to be non-traditional connections, as principal analyst Aapo Markkanen remarked:
“…smartphones, PCs, and other ‘hub’ devices represent still 44% of the active total, but by
end-2020 their share is set to drop to 32%. In other words, 75% of the growth between today and
the end of the decade will come from non-hub devices: sensor nodes and accessories.”
(ABIresearch). As the number of potentially vulnerable devices on which users may store their
information grows, protecting users’ privacy and data from attack is vital if these devices are to
be a safe enhancement to daily life.
Types of Attacks
For a programmer or web developer, the possibility of someone attempting to gain
unauthorized access to the information stored in a database, or to force an application to behave
in ways not intended, is a very real threat. A non-secure application or website puts its users at
risk of losing valuable data and confidential information. Understanding how application attacks
work is critical for developers to build defenses right into their applications.
One organization that tries to help programmers and developers understand the risks,
the types of attacks, and ways to prevent those attacks is the Open Web Application Security
Project (OWASP). The OWASP Foundation was first formed in late 2001, and in 2004 it
established itself as a 501(c)(3) nonprofit organization in the United States. The goal of OWASP
is to support developers with free, open source educational materials that make more developers
aware of security threats and how to prevent them.
Some examples of the types of currently known threats that OWASP and other
organizations are helping to eliminate include (Ionescu):
Unvalidated Redirects and Forwards – commonly referred to as a “phishing attack”, this
tricks the user into navigating to a malicious site. Attackers are able to manipulate the URLs of
a trusted site so that they redirect to an unwanted location.
A Developer Uses a Component with Known Vulnerabilities – developers should be
careful about using unpatched third-party components that may contain security bugs or flaws.
These flaws are well known to attackers as these vulnerabilities are often publicized or talked
about within the media.
Cross-Site Request Forgery – this type of attack is typically used in conjunction with
social engineering (tricking users into performing a specific action without knowing what they
are doing), and it can allow an attacker to gain control over a user’s system or get access to
sensitive information.
Missing Function Level Access Control – with this type of attack an application is
vulnerable because it does not check whether the user is authenticated or holds an administrator
account before performing a function, which allows unauthenticated users to reach hidden
functionality or take control of the application. It can also stem from a developer not using
strong enough passwords and authentication controls to limit access to the website or
application.
Sensitive Data Exposure – something as simple as a lack of encryption on a website or
application can leave it open to attackers. Passwords and logins sent as plain text are easy for
an attacker to capture and use to commit crimes. Proper protection of the application’s own data
is as important as protection of the user’s information.
Security Misconfiguration – a misconfiguration on the server or in the application itself
can leave it open to attack; it falls on the developer to ensure that the proper security measures
are in place so that users who access the application are safe.
Insecure Direct Object References – this occurs most commonly when the application
provides direct access to objects (e.g. strings, files in the system, or database records). This
allows an attacker to bypass authorization and access the resources directly.
Cross-Site Scripting – in this type of attack the attacker is able to insert JavaScript
directly into the pages of a trusted website and in so doing the attacker is able to modify the
contents of the entire website to whatever they choose.
Broken Authentication and Session Management – without properly configured security
measures, an application or website is left open to attack.
Injection – allows an attacker to modify the back-end database through input that the
application passes along without checking it. By doing so the attacker is able to copy or access
restricted data without authorization. Injection is currently one of the most popular forms of
web attack.
Distributed Denial of Service (DDoS) – a simple yet extremely effective form of attack,
the denial of service attack aims to make a website unavailable by sending more requests than
the website or server can respond to. In this way a DDoS attack overwhelms the site and renders
it unusable.
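As an added illustration of the injection item above (example code written for this page, not taken from the paper or from any source it cites): the same user lookup built by pasting the input into the SQL text and, beside it, built with a bound parameter, both run against a constructed in-memory SQLite table. The table, the names and the e-mail addresses are assumptions; a name containing a quote is enough to show why unchecked input must never become part of the statement.

```python
import sqlite3

# Constructed sample rows (not from the paper); one name contains a quote.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("O'Brien", "obrien@example.com"),
]


def make_db():
    """Build an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable form: the user-supplied value is pasted into the statement
    text, so the database parser treats it as SQL rather than as data."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Hardened form: the statement text is fixed and the value is bound as a
    parameter, so quotes in the input can never change the query's structure."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both lookups on the same input and report what each one did."""
    conn = make_db()
    result = {"parameterized": lookup_parameterized(conn, name)}
    try:
        result["concatenated"] = lookup_concatenated(conn, name)
    except sqlite3.OperationalError as exc:
        # The quote inside the data was parsed as SQL syntax. Whoever controls
        # that input therefore controls the statement, which is what injection is.
        result["concatenated"] = f"SQL error: {exc}"
    return result


if __name__ == "__main__":
    for name in ("alice", "O'Brien"):
        print(name, compare(name))
```

For "alice" both forms return the same row; for "O'Brien" only the parameterized lookup finds the user, while the concatenated statement is rejected by the parser.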
This is only a brief list; every year more vulnerabilities are discovered and used by
attackers to gain unauthorized access to applications and websites. Symantec Corporation, the
leading antivirus provider in the United States, found security vulnerabilities in three quarters
of all websites in use today:
“There were over one million web attacks against people each day in 2015.
Cybercriminals continue to take advantage of vulnerabilities in legitimate
websites to infect users, because website administrators fail to secure their
websites. Nearly 75 percent of all legitimate websites have unpatched
vulnerabilities, putting us all at risk.” (Symantec).
Figure: Web attacks blocked per day.
Preventing Attacks
Education is one of the most important ways to improve Cyber Security. Developers
should actively seek out information on the latest security trends and ensure that the applications
they create are compliant. Keeping in mind how quickly new threats can arise and how long it
takes to secure a vulnerable system, it is critical that developers continuously follow current
trends and stay up to date on new technology standards.
Developers should also actively keep their code up to date. This is especially important
when the developer is using third-party software, to ensure they are using the latest patched code
from the third party. This applies to the server operating system and to any code used by the
application, such as HTML, CSS, ASP, .NET, and JavaScript. When security flaws are
announced or discovered, the key is to patch the application quickly to secure it.
Developers should test all code for security flaws before deploying it in a live
environment. This is widely considered a best practice for ensuring the application remains
secure. Having an independent party test the code for compliance and security is an option that
many companies and developers use. Using encryption and restricting access to sensitive
parts of the code is essential to ensuring the code remains safe while in production and cannot
be used for malicious attacks on users.
Summary
Developers are ultimately responsible for the code, application, or website that they
create, and ensuring that their intended users do not come under attack while using their
application is a crucial part of creating an overall successful application. Staying up to date on
current technology standards and trends through continuous education is a key component of
Cyber Security. Learning how an attacker can use the code against users helps to close any
unintended backdoors and prevent attacks before they occur. Supporting a culture of security
within an organization can raise awareness of Cyber Security and foster a more secure Internet
for users to enjoy. Maintaining high quality, secure code keeps attackers from gaining access
to sensitive information or exploiting the code to act in ways it was not intended. Securing
applications while they are being developed, and having developers with a security-first mindset,
can mean the difference between a new viral success and a huge financial embarrassment.
Bibliography
Biggs, Phillippa, et al. (ITU). “Harnessing the Internet of Things for Global Development”, p. 11. https://www.itu.int/en/action/broadband/Documents/Harnessing-IoT-Global-Development.pdf
Markkanen, Aapo (ABIresearch). https://www.abiresearch.com/press/the-internet-of-things-will-drive-wireless-connect/
Ionescu, Paul. “The 10 Most Common Application Attacks in Action”, April 8, 2015. https://securityintelligence.com/the-10-most-common-application-attacks-in-action/
Symantec. “Threat Report”. https://www.symantec.com/security-center/threat-report
OWASP. “Main Page”. https://www.owasp.org/index.php/About_OWASP