Web Application Exploits
Web Evolution
- Static content:- Server serves web pages created by people.
- Dynamic content via server-side code:- Server generates web pages based on input from user and a database using code executed on server.
Ex - CGI scripts (Perl, Python, PHP, Ruby, Java, ASP, etc.) - Dynamic content via client-side code:- Code embedded in web page is executed in browser and can manipulate web page as a data structure (Domain Object Model = DOM)
Ex. - JavaScript, VBScript, Active X controls, Java applets - AJAX (Asynchronous JavaScript and XML):- Framework for updating page by communicating between browser and remote servers.
Attack Surface
Web applications have a large attack surface places that might contain vulnerabilities that can be exploited. A vault with a single guarded door is easier to secure than a building with many doors and windows.
- Client side surface:- form inputs (including hiddenfields), cookies, headers, query parameters, uploaded files, mobile code
- Server attack surface: web service methods, databases
- AJAX attack surface: union of the above
These were divided into six categories:
Broken Authentication (62%) - This vulnerability relates to the application’s login mechanism, which may enable the attacker to guess username and passwords and thus launch a brute-force attack.
Broken Access Controls (71%) - The application fails to properly protect access to sensitive information. An attacker can be able to view other user’s personal information.
SQL Injection (32%) - This allows the attacker to submit arbitrary input to the application and interfere with the application’s back-end database. An attacker may be able to modify or retrieve data from the application or execute commands on the database.
Cross-site Scripting (94%) - This vulnerability enables the attacker to input malicious javascript to the application and potentially gain access to their data, or carrying other attacks against them.
Information Leakage (78%) - In this case the application exposes sensitive data or information that might be useful for the attacker when targeting the application.
Cross-site Request Forgery (92%) - This allows the attacker to create malicious and unintended actions in the application with other user’s behalf.
The OWASP Top 10 - 2013 Release Candidate includes the following changes as compared to the 2010 edition:
- A1 Injection
- A2 Broken Authentication and Session Management (was formerly A3)
- A3 Cross-Site Scripting (XSS) (was formerly A2)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration (was formerly A6)
- A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)
- A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)
- A8 Cross-Site Request Forgery (CSRF) (was formerly A5)
- A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration)
- A10 Unvalidated Redirects and Forwards
Like it ? Share it.