Web Application Security
Vulnerabilities, Attacks & Security
Introduction
A web application is an application that runs on a remote
Web server and is accessed through a web client.
The application is presented through a client interface
such as a browser.
Web applications have become incredibly popular because they provide tremendous flexibility and power.
Web servers and web applications have a very high potential to be compromised.
The primary reason for this is that the systems that run web server software must be publicly available on the Internet.
The web server cannot be completely isolated and to some degree must be available to legitimate users.
How Web Servers Work
Web servers use Hypertext Transfer Protocol (HTTP) and
Hypertext Transfer Protocol Secure (HTTPS) to allow
web-based clients to connect to them and view and
download files.
HTTP is an Application-layer protocol in the TCP/IP stack.
HTTP and HTTPS are the primary protocols used by web
clients accessing web pages residing on web servers on
the Internet.
Hypertext Markup Language (HTML) is the language
used to create web pages and allows those pages to be
rendered in web browser software on web clients.
How Web Servers Work
Fig: HTTP protocol components
How a web server services web clients:
1. The web client initially opens a connection to the web
server IP address using TCP port 80.
2. The web server waits for a GET request from the
client requesting the home page for the website.
3. The web server responds with the HTML code for the
web server home page.
4. The client processes the HTML code and the web
client’s browser software renders the page on the
client device.
Vulnerabilities of Web Servers and Applications
Flawed Web Design
One common way to exploit a web application or site is in
the code itself.
Comments and hidden tags that are embedded into a
web page by the designer can yield information to an
attacker.
These tags and comments can be viewed and analyzed using the View Code or View Source capability present in most browsers.
Vulnerabilities of Web Servers and Applications - Flawed Web Design
The code contains information that is useful to an attacker. For example, notice the e-mail addresses and even what appears to be a payment processing server (payments.termina.com).
This is information that an attacker can use to target an
attack.
Vulnerabilities of Web Servers and Applications - Flawed Web Design
The following is another example of a vulnerability in code that can be exploited:
In the above example, the application designer has used hidden fields to hold the price of an item.
Unscrupulous attackers could change the price of the item from $6,000.00 to $60.00 and grant themselves their own discount.
Why Web Application Vulnerabilities Occur
The Web Application Security Gap
Security Professionals Don’t Know The Applications:
“As a Network Security Professional, I don’t know how my company’s web applications are supposed to work, so I deploy a protective solution… but don’t know if it’s protecting what it’s supposed to.”
Application Developers and QA Professionals Don’t Know Security:
“As an Application Developer, I can build great features and functions while meeting deadlines, but I don’t know how to develop my web application with security as a feature.”
Web Servers/Web Apps Attack Methods
Some common ways of attacking a web server and the sites and applications hosted on it include:
1. Input Validation
2. Cross-Site Scripting (XSS)
3. Directory Traversal Attack
4. SQL Injections
1. Input Validation Attack
Input validation is a mechanism used to verify information as it is entered into an application.
Essentially, a user entering data into a form or website will have few if any restrictions placed on them when they enter data.
With a mechanism for validating input in place, it is possible to thwart problems such as:
Database manipulation
Database corruption
Buffer overflows
Inconsistent data
E.g. a zip code is to be entered, but in reality the field will accept any data.
The data becomes useless.
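Server-side handling of the order form from the hidden-price slide and of the zip-code case above, as an added example (not code from the slides): the price is looked up in a constructed catalog instead of being read from the form, and zip code and quantity are checked against known-good patterns. CATALOG, the SKU format and the form field names are assumptions.

```python
import re
from decimal import Decimal

# Constructed server-side catalog: the price comes from here, never from the
# submitted form (the hidden "price" field in the slides' example).
CATALOG = {"SKU-1001": Decimal("6000.00"), "SKU-2002": Decimal("49.99")}

# Allowlist patterns ("known good" values) rather than a denylist of bad characters.
ZIP_RE = re.compile(r"\d{5}(-\d{4})?")   # US ZIP or ZIP+4
SKU_RE = re.compile(r"SKU-\d{4}")        # assumed SKU format

def validate_order(form):
    """Validate a submitted order form; returns (ok, result).

    On success, result holds server-authoritative values; on failure it is a
    list of field errors, so a wrong type (a string where a number belongs)
    or a tampered price never reaches the database.
    """
    errors = []
    zip_code = form.get("zip", "")
    if not ZIP_RE.fullmatch(zip_code):
        errors.append("zip: must be 5 digits or ZIP+4")
    sku = form.get("sku", "")
    if not SKU_RE.fullmatch(sku) or sku not in CATALOG:
        errors.append("sku: unknown item")
    qty_raw = form.get("qty", "")
    # int() runs only after the shape check, so "abc" or "5; DROP" never reach it.
    if not re.fullmatch(r"\d{1,3}", qty_raw) or not 1 <= int(qty_raw) <= 100:
        errors.append("qty: must be an integer from 1 to 100")
    if errors:
        return False, errors
    qty = int(qty_raw)
    unit_price = CATALOG[sku]          # any client-supplied "price" is ignored
    return True, {"zip": zip_code, "sku": sku, "qty": qty,
                  "unit_price": unit_price, "total": unit_price * qty}

if __name__ == "__main__":
    # Constructed submissions: a tampered hidden price, then a bad zip and quantity.
    print(validate_order({"zip": "90210", "sku": "SKU-1001", "qty": "1", "price": "60.00"}))
    print(validate_order({"zip": "abcde", "sku": "SKU-1001", "qty": "x"}))
```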
Fig: Non-validated form filled with valid data
Fig: Results: data successfully submitted to the database
Fig: Non-validated form filled with invalid data (string input instead of a numeric value)
Fig: Results of invalid data input. The web page returns an error, exposing the directory path to the web server. The invalid data is also successfully added to the database.
Fig: Database records
2. Parameter Tampering
This involves changing ID values in the URL.
It exploits the use of dynamic IDs to display values from the database.
Effects of dynamic IDs:
Changing the value held by the ID
Further exploitation through XSS
Further exploitation through SQL injection
Parameter Tampering - Example
On the Google search engine type .php?id=
This retrieves web applications using dynamic IDs.
Open each web application in a new tab.
Change the ID value and see the effects, e.g. id=3 to id=5 etc.
It is possible to move within records without using links.
Fig: Web apps with dynamic IDs. Note the id field retrieved from the database table; select this link.
Fig: Results: change id=2
Fig: Results of id=2, a different record retrieved
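A defender's counterpart to the id-changing walkthrough above, added here and not part of the slides: the id taken from the URL is type-checked and then authorized against server-side ownership, and denied lookups are logged so stepping through ids leaves a trace. The RECORDS table, the user names and the status-code mapping are constructed assumptions.

```python
import logging

logging.basicConfig(format="%(levelname)s %(message)s")
log = logging.getLogger("records")

# Constructed stand-in for a database table that has an "owner" column.
RECORDS = {
    1: {"owner": "alice", "body": "Alice's invoice"},
    2: {"owner": "bob", "body": "Bob's invoice"},
    3: {"owner": "alice", "body": "Alice's second invoice"},
}

class Forbidden(Exception):
    """The caller may not see the requested record."""

def parse_id(raw):
    """Reject anything that is not a small positive integer before it reaches the DB."""
    if not raw.isdigit() or len(raw) > 9:
        raise ValueError("id must be a positive integer")
    return int(raw)

def fetch_record(session_user, raw_id):
    """Return the record body only if it belongs to the logged-in user.

    The id from the query string is never treated as proof of authorization;
    ownership is checked against server-side state, and denied lookups are
    logged so a user stepping through id=1, 2, 3... is visible in the logs.
    """
    record_id = parse_id(raw_id)
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != session_user:
        # Same outcome for "missing" and "not yours", so ids cannot be enumerated.
        log.warning("denied user=%s id=%s", session_user, record_id)
        raise Forbidden("record not available")
    return rec["body"]

def handle_request(session_user, query):
    """Tiny view function; query is the parsed ?id=... parameter."""
    try:
        return 200, fetch_record(session_user, query.get("id", ""))
    except ValueError:
        return 400, "bad request"
    except Forbidden:
        return 404, "not found"

if __name__ == "__main__":
    print(handle_request("bob", {"id": "2"}))  # bob's own record
    print(handle_request("bob", {"id": "3"}))  # tampered id: 404 and a log line
```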
3. Cross-Site Scripting (XSS)
It relies on a variation of the input validation attack, but the target is different because the goal is to attack the user instead of the application or data.
An example of XSS uses scripting methods to execute a Trojan within a target’s web browser; this is made possible through the use of scripting languages such as JavaScript or VBScript.
By careful analysis, an attacker can look for ways to inject malicious code into web pages in order to gain anything from session information held in the browser, to elevated access, to control over content in the browser.
What are the implications? An XSS attack can:
Steal your cookies for the domain that you’re browsing
Completely modify the content of any page that you see on this domain
Track every action you do in that browser from now on
Redirect you to a phishing site
Exploit browser vulnerabilities to take over the machine
Fig: Example 2: Adding a script in a form input
Fig: Example 2: Page results
Fig: Example 2: Database results
Fig: Example 3: Adding JavaScript code in an input field
Fig: Example 3: Adding JavaScript code in an input field, results on form submission
Fig: Example 3: Adding JavaScript code in an input field, results in the database
Fig: Example 3: Adding JavaScript code in an input field, results on the display page
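Output encoding for the script-in-a-form-field cases of Examples 2 and 3 above, as an added example not taken from the slides: user values are HTML-escaped for the context they land in (text node or quoted attribute), shown next to the raw interpolation that produces the stored-XSS result on the display page. The page template and the sample inputs are constructed.

```python
from html import escape
from string import Template

# Constructed page template: $name and $comment land in text nodes, $color
# inside a double-quoted attribute. Each slot is filled only via the helpers.
PAGE = Template(
    '<p>Comment from <b>$name</b></p>\n'
    '<div class="note" data-color="$color">$comment</div>'
)

def text(value):
    """Escape for an HTML text node: & < > become entities."""
    return escape(str(value), quote=False)

def attr(value):
    """Escape for a double-quoted attribute value: also neutralise quotes."""
    return escape(str(value), quote=True)

def render_comment(name, color, comment):
    """Render user-supplied values so they display as data, never as markup."""
    return PAGE.substitute(name=text(name), color=attr(color), comment=text(comment))

def render_unsafe(name, color, comment):
    """The slides' failure mode, raw interpolation, kept only for contrast."""
    return PAGE.substitute(name=name, color=color, comment=comment)

def payload_survives(rendered, payload):
    """True if the submitted string reached the output unchanged, i.e. as markup."""
    return payload in rendered

if __name__ == "__main__":
    # Constructed stored-XSS style inputs, like the script typed into the form
    # field in the slides' Examples 2 and 3.
    script = "<script>alert(1)</script>"
    breakout = '" onmouseover="alert(1)'
    print(render_unsafe("eve", breakout, script))
    print(render_comment("eve", breakout, script))
```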
4. Insecure Logon Systems
Applications can track information relating to improper or incorrect logons by users if so enabled.
Typically, this information comes in log form, with entries listing items such as:
Entry of an invalid user ID with a valid password
Entry of a valid user ID with an invalid password
Entry of an invalid user ID and password
Applications should be designed to return generic information that does not reveal information such as correct usernames.
Web apps that return a message such as “username invalid” or “password invalid” can give an attacker a target to focus on, such as a correct password.
5. Scripting Errors
Default Scripts
Default scripts are uploaded to servers by web designers who do not know what they do at a fundamental level.
In such cases, an attacker can analyze or exploit configuration issues with the scripts and gain unauthorized access to a system.
Sample Scripts
Web applications may include sample content and scripts that are regularly left in place on servers.
In such situations, these scripts may be used by an attacker to carry out mischief.
Poorly Written or Questionable Scripts
Some scripts have appeared that include information such as usernames and passwords, potentially letting an attacker view the contents of the script and read these credentials.
6. Directory Traversal Attacks
The hacker browses through the folders on a system via a web browser or Windows Explorer.
This allows an attacker to move outside of the web server directory and into other parts of the host system.
Once outside this directory, the attacker may then be able to bypass permissions and other security controls and execute commands on the system.
To execute this attack, an intruder takes advantage of errors or weaknesses in one of two areas:
Access control lists (ACLs) - used to indicate which users and groups are allowed to access files and directories on a server, as well as what level of interaction is allowed.
Root directory - the directory on the server to which users are specifically restricted. The root directory acts as the top directory in the website and prevents users from gaining access to sensitive files on the server.
Directory Traversal Attack Countermeasures
A handful of methods can be used to thwart directory traversal attacks, such as:
Running modern web server software or ensuring that up-to-date patches are installed.
Enabling filtering of user input to the web server. It is common for modern web servers to include the ability to filter out nonstandard requests or codes.
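The input-filtering countermeasure above, worked through as an added example (not the slides' code) for the root-directory restriction: a requested path is decoded, normalised and kept under the document root, so plain, percent-encoded and double-encoded forms are all judged by the same rule. WEB_ROOT and the sample requests are constructed assumptions; the code uses POSIX path rules and does not resolve symlinks.

```python
import logging
import posixpath
from urllib.parse import unquote

# Constructed document root (an assumption, not a path from the slides).
WEB_ROOT = "/var/www/html"

class TraversalRejected(Exception):
    """The requested path would resolve outside the document root."""

def resolve_request_path(web_root, request_path):
    """Map a URL path onto a file under web_root, or raise TraversalRejected.

    Containment is decided by normalising the joined path and checking that it
    is still under the root, not by searching for "../" substrings, so plain,
    percent-encoded and double-encoded forms all meet the same rule.
    (POSIX path rules; symlinks would additionally need os.path.realpath.)
    """
    # Decode twice so double-encoding such as %252e collapses; a legitimate
    # file name on this server never needs a literal percent-escape.
    decoded = unquote(unquote(request_path))
    # Treat backslashes as separators and drop the leading slash so join()
    # does not see an absolute path that would replace the root.
    relative = decoded.replace("\\", "/").lstrip("/")
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if candidate != root and not candidate.startswith(root + "/"):
        raise TraversalRejected(request_path)
    return candidate

def serve(web_root, request_path):
    """Tiny handler returning (status, resolved path or None)."""
    try:
        return 200, resolve_request_path(web_root, request_path)
    except TraversalRejected as exc:
        # Logging the raw request is what makes these attempts detectable.
        logging.warning("traversal attempt rejected: %s", exc)
        return 403, None

if __name__ == "__main__":
    # Constructed requests: an ordinary page and three escape attempts.
    for p in ["/index.html", "/images/../../etc/passwd",
              "/%2e%2e/%2e%2e/etc/passwd", "/%252e%252e/etc/passwd"]:
        print(p, "->", serve(WEB_ROOT, p))
```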
SQL Injection: Database Vulnerability Testing
Inserting SQL commands into the URL gets the database server to dump, alter, delete, or create information in the database.
SQL injection involves an attacker appending SQL database commands within an input field (form or URL).
If the web application code does not filter (sanitize) the input, SQL commands could be executed on the web server, allowing an attacker to bypass network security and directly interrogate the back-end database.
With SQL injection, an attacker is able to return and steal tables of information, make changes to records, or even delete the entire database.
SQL Injection
What are the implications?
Information leakage through DB error messages
Data extracted from your DB
Take complete control of your DB (insert data, delete tables, and so on)
Execute commands on your system
Complete system compromise
Fig: SQL injection example
Fig: Example results: successful login
Fixing SQL Injection
Input validation: as often as possible, only accept known good values, rather than sanitizing.
Never use dynamic queries; use parameterized query APIs. These APIs encode the user input and make sure that it doesn’t break the SQL statements.
Use stored procedures; they are generally safe from SQL injection.
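Added example covering both the Insecure Logon Systems slide and Fixing SQL Injection (not code from the slides): a parameterized lookup against a constructed sqlite3 users table, a salted hash compared in constant time, and one generic failure message for unknown user and wrong password alike, with the specific reason going only to the server log. dynamic_sql returns the slides' string-built query as text for contrast; the user names and passwords are constructed.

```python
import hashlib, hmac, logging, os, sqlite3

log = logging.getLogger("auth")
GENERIC = "Invalid username or password"   # same text for every failure case
DUMMY_SALT = os.urandom(16)                # keeps the unknown-user path as slow as a real check

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def make_db():
    """Constructed in-memory users table standing in for the back-end database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in [("admin", "correct horse"), ("alice", "battery staple")]:
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, hash_pw(pw, salt)))
    return db

def dynamic_sql(username):
    """The slides' pattern (a string-built query), returned as text and not executed:
    a quote in the input changes the statement itself, not just the value compared."""
    return f"SELECT username FROM users WHERE username = '{username}'"

def login(db, username, password):
    """Parameterized lookup plus one generic answer for all three failure cases."""
    # The ? placeholder binds the username as a value; whatever it contains,
    # the structure of the statement cannot change.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        hash_pw(password, DUMMY_SALT)      # same amount of work as a real check
        log.info("login failed: unknown user %r", username)   # detail stays server-side
        return False, GENERIC
    salt, stored = row
    if not hmac.compare_digest(hash_pw(password, salt), stored):
        log.info("login failed: bad password for %r", username)
        return False, GENERIC
    return True, f"Welcome, {username}"

if __name__ == "__main__":
    db = make_db()
    print(dynamic_sql("' OR 1=1 --"))      # the altered statement the slides warn about
    print(login(db, "' OR 1=1 --", "x"))   # treated as a (non-existent) user name
    print(login(db, "admin", "wrong"))     # identical message to the unknown-user case
    print(login(db, "admin", "correct horse"))
```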
Web Servers/Apps Security Techniques
Rename the administrator account, and use a strong password.
Disable default website and FTP site settings.
Remove unused applications from the server.
Disable directory browsing in the web server’s configuration settings.
Add a legal notice to the site to make potential attackers aware of the implications of hacking the site.
Apply the most current patches, hotfixes, and service packs to the operating system and web server software.
Perform bounds checking on input for web forms and query strings to prevent buffer overflow or malicious input attacks.
Disable remote administration.
Use a script to map unused file extensions to a 404 (“File not found”) error message.
Enable auditing and logging.
Use a firewall between the web server and the Internet and allow only necessary ports (such as 80 and 443) through the firewall.
Replace the GET method with the POST method when sending data to a web server.
End
Web Hacking & Vulnerability Testing Tools
Burpsuite (Both)
wpScan (Kali)
https://www.youtube.com/watch?v=TyBlsKskq7k
Get vulnerabilities
Enumerate users
DVWA