Course title: Software Security
Course Code: SENG
Faculty of Information Technology
Department of Network and Communication Systems
Class Guidelines
• Class Attendance: Classes are held on Monday and Thursday at 6:00 PM. Please be punctual. Late arrivals or absences will result in penalties.
• Assignment Deadlines: Submit assignments and projects on time. Late submissions within 24 hours will incur a 60% penalty; submissions beyond 24 hours will receive a zero.
• Academic Integrity: Cheating in any form, including copying and verbal cheating, is prohibited and will result in severe consequences, including a possible zero on the assessment.
• Class Participation: Active participation is required as it contributes to your overall grade.
• Classroom Etiquette: Chewing gum in class is not allowed.
Web Application Attacks and Preventive Measures
Web Server Operations
Typical Client-Server Web Server Operation
A web server is a computer system that stores, processes, and delivers web pages to clients via HTTP.
Attackers usually target software vulnerabilities and configuration errors to compromise web servers.
(Figure: the Web Client sends an HTTP Request to the Web Server and receives an HTTP Response; the Web Server forwards a Servlet Request to the Web Container of the Application Server and receives a Servlet Response; the Application Server reads from the Static Data Store and the Application Data Store and calls Other Services.)
Impact of Web Server Attacks
• Compromise of user accounts: Web server attacks can compromise user accounts through various methods that exploit vulnerabilities in the web server software, misconfigurations, or weaknesses in web applications running on the server.
• Data tampering and data theft: Web server attacks can lead to data tampering and data theft by exploiting vulnerabilities in web server software, web applications, or the underlying infrastructure.
• Website defacement: Website defacement refers to the unauthorized alteration or vandalism of the visual appearance and content of a website.
• Reputational damage of the company: Web server attacks can damage a company's reputation in several ways, primarily by undermining trust and confidence among customers, partners, and stakeholders.
Web Server Attacks: Directory Traversal Attacks
In directory traversal attacks, attackers use the ../ (dot-dot-slash) sequence to access restricted directories outside the web server root directory.
Attackers can use the trial and error method to navigate outside the root directory and access sensitive information in the system.
Request shown on the slide (%5c is the URL-encoded backslash, so ..%5c../ climbs two directories):
http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\
Output returned by the server:
Volume in drive C has no label.
Volume Serial Number is D45E-9FEE
Directory of C:\
06/02/2017 11:31 AM 1,024 .rnd
09/28/2017 06:43 PM 0 123.text
05/21/2017 03:10 PM 0 AUTOEXEC.BAT
09/27/2017 08:54 PM <DIR> CATALINA_HOME
05/21/2017 03:10 PM 0 CONFIG.SYS
08/11/2017 09:16 AM <DIR> Documents and Settings
09/25/2017 05:25 PM <DIR> Downloads
08/07/2017 03:38 PM <DIR> Intel
09/27/2017 09:36 PM <DIR> Program Files
05/26/2017 02:36 AM <DIR> Snort
09/28/2017 09:50 AM <DIR> WINDOWS
09/25/2017 02:03 PM 569,344 WinDump.exe
7 File(s) 570,368 bytes
13 Dir(s) 13,432,115,200 bytes free
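The defence against the request above is to canonicalise the requested path before touching the filesystem and to refuse anything that resolves outside the document root. The following is an added example (not code from the course slides); the web root /var/www/html and the sample requests are constructed values. It decodes repeatedly (so double-encoded ..%252e%252e is caught), treats the encoded backslash the same as a forward slash, and then checks that the normalised path still lies under the root.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Document root for this worked example (a constructed value, not from the slide).
WEB_ROOT = "/var/www/html"


def decode_fully(path: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded sequences such as %252e%252e are reduced before checking."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def resolve_request_path(request_path: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Map a URL path onto the filesystem and refuse anything that escapes
    web_root. Returns the absolute path to serve, or None to reject."""
    decoded = decode_fully(request_path)
    # A NUL byte would truncate the path in C-based file APIs; reject outright.
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators: "..\" and its encoded form "..%5c" are
    # the same traversal on Windows-hosted servers.
    decoded = decoded.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    # normpath collapses every ../ segment; the result must still lie under the
    # web root, otherwise the request tried to climb out of it.
    if posixpath.commonpath([web_root, candidate]) != web_root:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("/index.html", "/images/../index.html",
                "/scripts/..%5c../Windows/System32/cmd.exe", "/%252e%252e/etc/passwd"):
        print(f"{req!r:50} -> {resolve_request_path(req)}")
```

The comparison uses posixpath.commonpath rather than a string prefix test, so a sibling directory such as /var/www/html-backup is not mistaken for something under /var/www/html.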
Web Server Attacks: Website Defacement
Web defacement occurs when an intruder maliciously alters the visual appearance of a web page by inserting or substituting provocative, and frequently, offending data.
Defaced pages expose visitors to some propaganda or misleading information until the unauthorized changes are discovered and corrected.
(Figure: a defaced page at http://www.certifiedhacker.com/index.aspx reading "You are OWNED!!!!!!! HACKED! Hi Master, Your website is owned by US, Hackers! Next target – microsoft.com".)
Web Server Attacks: HTTP Response-Splitting Attack
HTTP response splitting attack involves adding header response data into the input field so that the server splits the response into two responses.
The attacker can control the first response to redirect the user to a malicious website, whereas the other responses are discarded by the web browser.
Vulnerable servlet code shown on the slide (the author parameter is copied into a Set-Cookie header without validation):
String author = request.getParameter(AUTHOR_PARAM);
...
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);
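The root cause in the servlet is that a carriage return or line feed inside the cookie value ends the header line, so whatever follows is parsed as further headers or as a second response. The following added example (not code from the course slides) transcribes the vulnerable pattern into Python so the split can be observed, and places beside it the hardened version, which rejects CR/LF before the value reaches a header. All inputs are constructed.

```python
import re

# Any CR or LF in a header value ends the header line prematurely.
_CRLF = re.compile(r"[\r\n]")
_STATUS_LINE = re.compile(r"^HTTP/1\.[01] \d{3}", re.MULTILINE)


class HeaderInjectionError(ValueError):
    """Raised when attacker-controllable input would break the header block."""


def naive_response(author: str) -> str:
    """Transcription of the servlet on the slide: the 'author' parameter is
    copied into Set-Cookie with no validation (deliberately vulnerable)."""
    return ("HTTP/1.1 200 OK\r\n"
            f"Set-Cookie: author={author}; Max-Age=3600\r\n"
            "Content-Type: text/html\r\n\r\n"
            "<html>ok</html>")


def is_safe_header_value(value: str) -> bool:
    """True when the value contains no line terminators."""
    return _CRLF.search(value) is None


def safe_header_value(value: str) -> str:
    """Reject CR/LF instead of silently stripping them: stripping can mask an
    attack and still hand the caller a value it did not expect."""
    if not is_safe_header_value(value):
        raise HeaderInjectionError("CR/LF not allowed in header values")
    return value


def hardened_response(author: str) -> str:
    """Same response as naive_response, but the cookie value is validated first."""
    return naive_response(safe_header_value(author))


def count_responses(raw: str) -> int:
    """Counts status lines in a raw response buffer; more than one means the
    response was split. Useful as a check in a reverse proxy or test suite."""
    return len(_STATUS_LINE.findall(raw))
```

Modern servlet containers and most web frameworks already refuse CR/LF in header values; the check matters where headers are assembled by hand or by an older library.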
Web Server Attack Tools
Metasploit: An exploit development platform that supports fully automated exploitation of web servers, by abusing known vulnerabilities and leveraging weak passwords via Telnet, SSH, HTTP, and SNMP.
Web Server Security Tools
Fortify WebInspect: Fortify WebInspect is an automated dynamic testing solution that discovers configuration issues and identifies and prioritizes security vulnerabilities in running applications.
Web Applications Overview
Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser.
Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, and session hijacking.
How Web Applications Work
(Figure: the user submits a login form request such as http://certifiedhacker.com/?id=6329&print=Y, which travels over the Internet through the Firewall to the Web Server; the Web Application Server makes OS system calls to the Operating System and sends the query SELECT * from news where id = 6329 to the DBMS; the DBMS returns the row ID 6329, Topic Tech, News CNN, which is rendered as output.)
Web Services
A web service is an application or software that is deployed over the Internet and uses standard messaging protocols such as SOAP, UDDI, WSDL, and REST to enable communication between applications developed for different platforms.
Types of Web Services
• SOAP web services: based on the XML format and used to transfer data between a service provider and requestor.
• RESTful web services: based on a set of constraints using underlying HTTP concepts to improve performance.
OWASP Top 10 Application Security Risks - 2017
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entity (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging and Monitoring
Injection Flaws
Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query.
Attackers exploit injection flaws by constructing malicious commands or queries that result in data loss or corruption, lack of accountability, or denial of access.
• SQL Injection: It involves the injection of malicious SQL queries into user input forms.
• Command Injection: It involves the injection of malicious code through a web application.
• LDAP Injection: It involves the injection of malicious LDAP statements.
Sensitive Data Exposure
Sensitive data exposure occurs due to flaws like insecure cryptographic storage and information leakage.
When an application uses poorly written encryption code to securely encrypt and store sensitive data in the database, an attacker can exploit this flaw and steal or modify weakly protected sensitive data such as credit card numbers, SSNs, and other authentication credentials.
Vulnerable Code (a fixed letter substitution followed by Base64 encoding; there is no key, so anyone who reads the code can reverse it):
public String encrypt(String plainText) {
    plainText = plainText.replace("a", "z");
    plainText = plainText.replace("b", "y");
    ---------------
    return Base64Encoder.encode(plainText);
}
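To make the weakness concrete, the following added example (not code from the course slides) transcribes the slide's encrypt routine into Python next to a decrypt routine that needs no secret at all, and then shows the appropriate treatment for the "authentication credentials" the slide mentions: a salted, iterated PBKDF2-HMAC digest from the standard library, verified in constant time. Inputs and the storage format are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os


def weak_encrypt(plain_text: str) -> str:
    """Transcription of the slide's 'encrypt': swap two letters, then Base64.
    No key is involved, so this is encoding, not encryption."""
    swapped = plain_text.replace("a", "z").replace("b", "y")
    return base64.b64encode(swapped.encode()).decode()


def weak_decrypt(token: str) -> str:
    """Undoes weak_encrypt without any secret. It is exact for inputs that
    contain no 'y' or 'z'; for others the swap is not even injective."""
    swapped = base64.b64decode(token).decode()
    return swapped.replace("z", "a").replace("y", "b")


def hash_credential(secret: str, iterations: int = 200_000) -> str:
    """Store a password-like credential as a salted, iterated PBKDF2-HMAC-SHA256
    digest. Record format (constructed): algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_credential(secret: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time,
    so timing does not leak how many leading bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
```

Credentials only need to be verified, never recovered, so a one-way digest is the right tool. Data that must be read back, such as card numbers, needs real authenticated encryption (for example AES-GCM from a vetted library) with the key kept outside the database; a home-made substitution is neither.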
Security Misconfiguration
• Unvalidated Inputs: It refers to a web application vulnerability where input from a client is not validated before being processed by web applications and backend servers.
• Parameter/Form Tampering: It involves the manipulation of parameters exchanged between client and server to modify application data.
• Improper Error Handling: It gives insight into source code such as logic flaws, and default accounts. Using the information received from an error message, an attacker identifies vulnerabilities to launch various web application attacks.
• Insufficient Transport Layer Protection: It supports weak algorithms and uses expired or invalid certificates. Using insufficient transport layer protection exposes user data to untrusted third parties and can lead to account theft.
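The first two items share one fix: the server must not trust values it sent to the client. The following added example (not code from the course slides) covers both. Server-chosen values such as a unit price carry an HMAC signature that the server verifies on submission (parameter tampering), and user-chosen values such as a quantity are validated against an allowlist before use (unvalidated input). The key, form field names and prices are constructed for the demo.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Server-side key for this worked example (constructed; a real deployment loads
# it from a secret store and never sends it to the client).
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def sign_field(name: str, value: str, key: bytes = SERVER_KEY) -> str:
    """HMAC over name=value, so a signature for one field cannot be replayed on another."""
    mac = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_form(fields: dict) -> dict:
    """Server renders the form: every server-chosen value gets a companion *_sig field."""
    form = {}
    for name, value in fields.items():
        form[name] = value
        form[f"{name}_sig"] = sign_field(name, value)
    return form


def read_signed_field(form: dict, name: str) -> Optional[str]:
    """Server reads the submission: returns the value only if its signature verifies."""
    value, sig = form.get(name), form.get(f"{name}_sig")
    if value is None or sig is None:
        return None
    if not hmac.compare_digest(sign_field(name, value), sig):
        return None
    return value


def parse_quantity(raw: str, maximum: int = 100) -> Optional[int]:
    """Allowlist validation for a user-chosen field: ASCII digits only, within range."""
    if not (raw.isascii() and raw.isdigit()):
        return None
    qty = int(raw)
    return qty if 1 <= qty <= maximum else None


def checkout_total(form: dict) -> Optional[int]:
    """Order total in cents; None means the submission was rejected."""
    unit_price = read_signed_field(form, "unit_price")
    qty = parse_quantity(form.get("quantity", ""))
    if unit_price is None or qty is None:
        return None
    return int(unit_price) * qty
```

Signing client-visible fields is a stop-gap; the cleaner design is to send only an item identifier and look the price up server-side, so there is nothing for the client to tamper with.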
Cross-Site Scripting (XSS) Attacks
Cross-site scripting ('XSS' or 'CSS') attacks exploit vulnerabilities in dynamically generated web pages, enabling malicious attackers to inject client-side scripts into web pages viewed by other users.
How XSS Attacks Work
This example uses a vulnerable page, which handles requests for nonexistent pages: a classic 404 error page.
Normal Request: http://certifiedhacker.com/jason_file.html
Server Response: 404 Not found /jason_file.html
Server Code (handles requests for a nonexistent page: a classic 404 error page; the decoded request URI is printed into the HTML without escaping):
<html>
<body>
<?php
print "Not found: " . urldecode($_SERVER["REQUEST_URI"]);
?>
</body>
</html>
XSS Attack Code: http://certifiedhacker.com/<script>alert("WARNING: The application has encountered an error");</script>
Server Response: 404 Not found, with the injected script echoed into the page and executed by the browser.
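The fix for this page is output encoding: escape the untrusted value at the point where it is written into HTML. The following added example (not code from the course slides) transcribes the PHP 404 handler into Python beside a hardened version that uses html.escape, and includes a small check that makes the difference visible; the request URIs are constructed.

```python
from html import escape
from urllib.parse import unquote


def not_found_page_vulnerable(request_uri: str) -> str:
    """Transcription of the PHP 404 handler on the slide: the decoded request
    URI is concatenated into HTML unescaped (deliberately vulnerable)."""
    return "<html><body>Not found: " + unquote(request_uri) + "</body></html>"


def not_found_page_hardened(request_uri: str) -> str:
    """Same page, but the untrusted value is HTML-escaped at the point of
    output, so <, >, &, and quotes become inert entities."""
    body = escape(unquote(request_uri), quote=True)
    return "<html><body>Not found: " + body + "</body></html>"


def contains_live_script(page: str) -> bool:
    """Crude indicator used only for this demo: does a raw <script tag survive?"""
    return "<script" in page.lower()
```

Escaping must match the context (HTML body here; attribute, URL and JavaScript contexts each need their own encoder), and a Content-Security-Policy header is a useful second layer when some output path is missed.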
Web Application Attack Tools
Burp Suite: Supports the entire web application testing process, from initial mapping and analysis of an application's attack surface to finding and exploiting security vulnerabilities.
Web Application Attack Tools (Cont'd)
OWASP Zed Attack Proxy: Provides automated scanners and tools that allow you to find security vulnerabilities manually.
Web Application Security Testing Tools
N-Stalker Web App Security Scanner: N-Stalker web app security scanner checks for vulnerabilities such as SQL injection, XSS, and other known attacks.
What is SQL Injection?
SQL injection is a technique used to take advantage of un-sanitized input vulnerabilities to pass SQL commands through a web application for execution by a backend database.
It is a basic attack used to either gain unauthorized access to a database or retrieve information directly from the database.
SQL injections can be used to implement the following types of attacks:
1. Authentication Bypass
2. Authorization Bypass
3. Information Disclosure
4. Compromised Data Integrity
5. Compromised Availability of Data
6. Remote Code Execution
Types of SQL Injection
• In-band SQL Injection: Attackers use the same communication channel to perform the attack and retrieve the results. Examples: Error-based SQL Injection, System Stored Procedure, Union SQL Injection, Illegal/Logically Incorrect Query.
• Out-of-Band SQL Injection: In Out-of-Band SQL injection, the attacker needs to communicate with the server and acquire features of the database server used by the web application. Attackers use different communication channels to perform the attack and obtain the results.
SQL Injection Tools
sqlmap: sqlmap automates the process of detecting and exploiting SQL injection flaws and the taking over of database servers.
SQL Injection Detection Tools
Damn Small SQLi Scanner (DSSS): DSSS is an SQL injection vulnerability scanner that scans the web application for various SQL injection vulnerabilities.
Thanks