Web Applications:
Vulnerabilities, Attacks &
Security
Paul Mutinda Kathale
Email: paulkathale@gmail.com
Introduction
A web application is an application that runs on a remote
Web server and is accessed through a web client.
The application is presented through a client interface
such as a browser.
Web applications have become incredibly popular because
they provide tremendous flexibility and power.
Web servers and web applications have a very high
potential to be compromised.
The primary reason for this is that the systems that run
web server software must be publicly available on the
Internet.
The web server cannot be completely isolated and to some
degree must be available to legitimate users.
How Web Servers Work
Web servers use Hypertext Transfer Protocol (HTTP) and
Hypertext Transfer Protocol Secure (HTTPS) to allow
web-based clients to connect to them and view and
download files.
HTTP is an Application-layer protocol in the TCP/IP stack.
HTTP and HTTPS are the primary protocols used by web
clients accessing web pages residing on web servers on
the Internet.
Hypertext Markup Language (HTML) is the language
used to create web pages and allows those pages to be
rendered in web browser software on web clients.
How Web Servers Work
Fig: HTTP protocol components
How Web Servers Work
How a web server services web clients:
1. The web client initially opens a connection to the web
server IP address using TCP port 80.
2. The web server waits for a GET request from the
client requesting the home page for the website.
3. The web server responds with the HTML code for the
web server home page.
4. The client processes the HTML code and the web
client’s browser software renders the page on the
client device.
Vulnerabilities of Web Servers
and Applications
1. Flawed Web Design
One common way to exploit a web application or site is in
the code itself.
Comments and hidden tags that are embedded into a web
page by the designer can yield information to an attacker.
These tags and comments can be viewed and analyzed using the
View Code or View Source capability present in most browsers.
Vulnerabilities of Web Servers and
Applications - Flawed Web Design
The code contains information that is useful to an
attacker. E.g. notice the e-mail addresses
and even what appears to be a payment processing server
(payments.termina.com).
This is information that an attacker can use to target an
attack.
Vulnerabilities of Web Servers and
Applications - Flawed Web Design
The following is another example of a vulnerability in
code that can be exploited:
In the above example, the application designer has used
hidden form fields to hold the price of an item.
Unscrupulous attackers could change the price of the
item from $6,000.00 to $60.00 and make their own
discount.
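As an added example (not from the slides), a server-side price lookup that makes the hidden-field edit above harmless: the catalogue, prices and form bodies are constructed for the demo.

```python
# Added example: never trust a price submitted by the client; look it up server-side.
from urllib.parse import parse_qs

# Server-side catalogue, the only trustworthy source of prices (constructed values).
CATALOGUE = {"laptop-pro": 6000.00, "mouse": 25.00}


def total_trusting_hidden_field(form_body: str) -> float:
    """Flawed design: the price comes from a hidden field the client controls."""
    form = parse_qs(form_body)
    qty = int(form["qty"][0])
    price = float(form["price"][0])  # attacker-editable in the browser
    return qty * price


def total_from_catalogue(form_body: str) -> float:
    """Fixed design: only the item id and quantity are read; price is looked up."""
    form = parse_qs(form_body)
    item = form["item"][0]
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    qty = int(form["qty"][0])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return qty * CATALOGUE[item]  # any submitted price field is simply ignored


# Constructed request bodies: the original form, and one with the hidden price edited.
ORIGINAL = "item=laptop-pro&qty=1&price=6000.00"
TAMPERED = "item=laptop-pro&qty=1&price=60.00"
```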
Vulnerabilities of Web Servers and
Applications
2. Buffer Overflow
A buffer overflow occurs when an application,
process, or program attempts to put more data in a
buffer than it was designed to hold.
In practice, buffers should hold only a specific
amount of data and no more.
In the case of a buffer overflow, a programmer,
either through lazy coding or other practices,
creates a buffer in code but does not put
restrictions on it.
Why Web Application Vulnerabilities
Occur
The Web Application Security Gap
Security Professionals Don’t Know The Applications
“As a Network Security Professional, I don’t know how my company’s web applications are supposed to work so I deploy a protective solution…but don’t know if it’s protecting what it’s supposed to.”
Application Developers and QA Professionals Don’t Know Security
“As an Application Developer, I can build great features and functions while meeting deadlines, but I don’t know how to develop my web application with security as a feature.”
2. Buffer Overflow
When data spills or overflows into buffers it was not
intended for, the result can be:
corrupted or overwritten data;
data that loses its integrity;
in extreme cases, loss of system integrity;
disclosure of information to unauthorized parties.
3. Denial-of-Service Attack (DoS)
As a fixed asset, a web server is vulnerable to DoS attack
much as any other server-based asset would be.
A DoS against a web server can lead to all the resources on
that server being rapidly consumed, slowing down its
performance.
A DoS attack is mostly considered an annoyance because
it is easy to defeat.
4. Error Messages
Error messages can reveal a lot of information
about a server and a web application.
Carelessly revealed error messages can provide
information that may be used for an attack or at
least the fine-tuning of an attack.
E.g. messages such as the common 404 can
inform a visitor that content is not available or
located on the server.
Typically these messages should not be too
descriptive—if seen at all—outside a development
or test environment.
5. Vandalizing Web Servers: Defacement
Defacing a website can be aggressive or subtle,
depending on the goals of the attacker.
Goals of defacement:
to embarrass the company,
make a statement, or
just be a nuisance.
To deface a website, it is possible to use a number of
methods, depending on the attacker’s own skill level,
capabilities, and opportunities available.
6. Misconfiguration of the Web Server
Software
A common issue is the use of the default website
settings.
The permissions on the default website are open,
meaning the default settings leave the site open to
attack.
Web servers/Web Apps Attack
Methods
Some common ways of attacking a web server and the
sites and applications hosted on them include:
1. Input Validation
2. Cross-Site Scripting (XSS)
3. Insecure Logon Systems
4. Scripting Errors
5. Directory Traversal Attack
6. SQL Injections
1. Input Validation Attack
Input validation is a mechanism used to verify
information as it is entered into an application.
Essentially, a user entering data into a form or website
will have few if any restrictions placed on them when
they enter data.
With a mechanism for validating input in place, it is
possible to thwart problems which include:
Database manipulation
Database corruption
Buffer overflows
Inconsistent data
E.g. a zip code is to be entered, but in reality the field
will accept any data.
The data becomes useless.
2. Cross-Site Scripting (XSS)
It relies on a variation of the input validation attack, but
the target is different because the goal is to attack the user
instead of the application or data.
An example of an XSS attack uses scripting methods to execute
a Trojan within a target’s web browser;
this would be made possible through the use of scripting
languages such as JavaScript or VBScript.
By careful analysis, an attacker can look for ways to inject
malicious code into web pages in order to gain anything
from session information in the browser, to elevated
access, to control over content in the browser.
2. Cross-Site Scripting (XSS)
What are the implications? An XSS attack can:
Steal your cookies for the domain that you’re browsing
Completely modify the content of any page that you see on this
domain
Track every action you do in that browser from now on
Redirect you to a Phishing site
Exploit browser vulnerabilities to take over the machine
3. Insecure Logon Systems
Applications can track information relating to improper or
incorrect logons by users if so enabled.
Typically, this information comes in log form, with entries
listing items such as:
Entry of an invalid user ID with a valid password
Entry of a valid user ID with an invalid password
Entry of an invalid user ID and password
Applications should be designed to return generic
information that does not reveal information such as
correct usernames.
Web apps that return a message such as “username
invalid” or “password invalid” can give an attacker a
target to focus on—such as a correct password.
4. Upload Bombing
Upload bombing uploads masses of files to a server with
the goal of filling up the hard drive on the server.
Once the hard drive of the server is filled, the application
will cease to function and will crash.
5. Scripting Errors
Default Scripts
Default scripts are uploaded to servers by web designers who do
not know what they do at a fundamental level.
In such cases, an attacker can analyze or exploit configuration
issues with the scripts and gain unauthorized access to a system.
Sample Scripts
Web applications may include sample content and scripts that
are regularly left in place on servers.
In such situations, these scripts may be used by an attacker to
carry out mischief.
Poorly Written or Questionable Scripts
Some scripts have appeared that include information such as
usernames and passwords, potentially letting an attacker view the
contents of the script and read these credentials.
6. Directory Traversal Attacks
The hacker browses through the folders on a system via a
web browser or Windows Explorer.
It allows an attacker to move outside of the web server directory and
into other parts of the host system.
Once outside this directory, the attacker may then be able to bypass
permissions and other security controls and execute commands on
the system.
To execute this attack, an intruder takes advantage of errors or
weaknesses in one of two areas:
Access control lists (ACLs) - used to indicate which users and groups
are allowed to access files and directories on a server, as well as
what level of interaction is allowed.
Root directory - the directory on the server to which users are
specifically restricted.
The root directory acts as the top directory of the website and prevents
users from gaining access to sensitive files on the server.
Directory Traversal Attacks
Directory Traversal Attack Countermeasures
A handful of methods can be used to thwart directory
traversal attacks, such as:
Running modern web server software or ensuring that up-to-date
patches are installed.
Enabling filtering of user input to the web server. It is common
for modern web servers to include the ability to filter out
nonstandard requests or codes.
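The input-filtering countermeasure above, as an added example that is not from the slides: a check that rejects any requested path that resolves outside the web root, including percent-encoded "../" sequences. The web root /srv/site and the file names are constructed for the demo.

```python
# Added example: resolve a requested URL path and confirm it stays under the web root.
import os
from typing import Optional
from urllib.parse import unquote


def resolve_under_root(web_root: str, requested: str) -> Optional[str]:
    """Return the absolute file path if it stays inside web_root, else None."""
    # Decode percent-encoding first so "%2e%2e%2f" is seen as "../".
    decoded = unquote(requested)
    # Drop the leading "/" so the request is joined relative to the root.
    candidate = os.path.join(web_root, decoded.lstrip("/"))
    root = os.path.realpath(web_root)
    target = os.path.realpath(candidate)
    # realpath collapses ".." segments; the result must still sit under root.
    # commonpath (not startswith) is used so "/srv/site2" is not mistaken for
    # a child of "/srv/site".
    if os.path.commonpath([root, target]) != root:
        return None
    return target


if __name__ == "__main__":
    # Constructed requests against a constructed web root.
    for req in ("/index.html", "/img/../css/main.css",
                "/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd"):
        print(req, "->", resolve_under_root("/srv/site", req))
```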
7. SQL Injection
Involves inserting SQL commands into a URL or form field to get
the database server to dump, alter, delete, or create
information in the database.
SQL injection involves an attacker appending SQL
database commands within an input field - a form or URL.
If the web application code does not filter (sanitize) the
input, SQL commands could be executed on the web
server, allowing an attacker to bypass network security
and directly interrogate the back-end database.
With SQL injection, an attacker is able to return and steal
tables of information, make changes to records, or even
delete the entire database.
7. SQL Injection
What are the implications?
Information leakage through DB error
messages
Data extracted from your DB
Take complete control of your DB (insert data,
delete tables, and so on)
Execute commands on your system
Complete system compromise
Example
Example: results in a successful login
Fixing SQL Injection
Input validation
As often as possible, only accept known good values,
rather than sanitizing
Never use dynamic queries
Use parameterized query APIs
These APIs encode the user input and make sure that
it doesn’t break the SQL statements.
Use stored procedures
They are generally safe from SQL injection.
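Added example (not from the slides) tying together the input validation section earlier and the "Fixing SQL Injection" advice above: the same login check written as a dynamic query and as a parameterized query against an in-memory SQLite table of constructed users, with an allow-list check on the username in front.

```python
# Added example: dynamic query vs parameterized query vs allow-list validation.
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed sample rows; a real system stores password hashes, not plaintext.
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2')")
    return conn


def login_dynamic(conn, username: str, password: str) -> bool:
    """Vulnerable: input is pasted into the SQL text, so a quote changes the query."""
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username: str, password: str) -> bool:
    """Fixed: placeholders keep the input as data; it can never become SQL syntax."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Known-good usernames only: lowercase letters, digits, underscore, 3 to 32 chars.
USERNAME_OK = re.compile(r"[a-z0-9_]{3,32}")


def login_validated(conn, username: str, password: str) -> bool:
    """Reject anything outside the allow-list before the query is even built."""
    if not USERNAME_OK.fullmatch(username):
        return False
    return login_parameterized(conn, username, password)


# Constructed input of the kind shown in the slides' login example.
INJECTED = "' OR '1'='1"
```

The dynamic version accepts INJECTED as both username and password because the quotes turn the WHERE clause into an always-true expression; the parameterized version compares the literal string and finds no such user.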
Web Hacking tools
Brutus - a tool designed to uncover and crack passwords for web
applications and websites. Download and install Brutus from www.hoobie.net.
Instant Source allows a hacker to see and edit HTML source code.
It can be used directly from within the web browser.
Wget is a command-line tool that a hacker can use to download an
entire website, complete with all the files.
The hacker can view the source code offline and test certain attacks
prior to launching them against the real web server.
WebSleuth uses spidering technology to index an entire website.
For example, WebSleuth can pull all the email addresses from different
pages of a website.
Acunetix Web Vulnerability Scanner - from www.acunetix.com.
Web Hacking tools
BlackWidow - can scan and map all the pages of a
website to create a profile of the site.
SiteScope maps out the connections within a web
application and aids in the deconstruction of the program.
WSDigger is a web services testing tool that contains
sample attack plug-ins for SQL injection, cross-site
scripting, and other web attacks.
Burp is a Windows-based automated attack tool for web
applications.
It can also be used to guess passwords on web applications and
perform man-in-the-middle attacks.
Web Servers/Apps security
Techniques
Rename the administrator account, and use a
strong password.
Disable default website and FTP sites settings.
Remove unused applications from the server.
Disable directory browsing in the web server’s
configuration settings.
Add a legal notice to the site to make potential
attackers aware of the implications of hacking the
site.
Web Servers/Apps security
Techniques
Apply the most current patches, hotfixes, and service packs to the
operating system and web server software.
Perform bounds checking on input for web forms and query strings to
prevent buffer overflow or malicious input attacks.
Disable remote administration.
Use a script to map unused file extensions to a 404 (“File not found”)
error message.
Enable auditing and logging.
Use a firewall between the web server and the Internet and allow
only necessary ports (such as 80 and 443) through the firewall.
Replace the GET method with the POST method when sending data
to a web server.
End