Web Application Exploits


Web Evolution
  • Static content: the server serves web pages written by people.
  • Dynamic content via server-side code: the server generates web pages from user input and a database, using code executed on the server.
    Ex - CGI scripts (Perl, Python, PHP, Ruby, Java, ASP, etc.)
  • Dynamic content via client-side code: code embedded in the web page is executed in the browser and can manipulate the page as a data structure (the Document Object Model, DOM).
    Ex - JavaScript, VBScript, ActiveX controls, Java applets
  • AJAX (Asynchronous JavaScript and XML): a framework for updating a page by communicating between the browser and remote servers without a full page reload.

Attack Surface

Web applications have a large attack surface: the places that might contain vulnerabilities that can be exploited. A vault with a single guarded door is easier to secure than a building with many doors and windows.
  • Client-side attack surface: form inputs (including hidden fields), cookies, headers, query parameters, uploaded files, mobile code
  • Server-side attack surface: web service methods, databases
  • AJAX attack surface: the union of the above

These vulnerabilities were divided into six categories:
Broken Authentication (62%) - This vulnerability relates to the application's login mechanism, which may enable an attacker to guess usernames and passwords and thus launch a brute-force attack.

Broken Access Controls (71%) - The application fails to properly protect access to sensitive information, so an attacker may be able to view other users' personal information.

SQL Injection (32%) - This allows the attacker to submit arbitrary input that the application passes into queries against its back-end database, interfering with those queries. An attacker may be able to modify or retrieve the application's data or execute commands on the database.

Cross-site Scripting (94%) - This vulnerability enables the attacker to inject malicious JavaScript into the application, which then runs in other users' browsers; the attacker can potentially gain access to those users' data or carry out other attacks against them.
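As an added example (not from the original page), the snippet below shows the defensive counterpart of the XSS description: the same untrusted comment rendered with raw concatenation and with output encoding, plus the case the page's text does not spell out, namely that the correct encoding depends on where in the document the value lands. The function names are hypothetical; only the standard library `html` and `json` modules are used.

```python
import html
import json


def render_comment_vulnerable(comment: str) -> str:
    # Untrusted text is concatenated straight into the HTML body, so any tags
    # in it are parsed by the browser as real elements.
    return '<p class="comment">' + comment + "</p>"


def render_comment_escaped(comment: str) -> str:
    # html.escape turns & < > " ' into entities, so the browser displays the
    # text literally instead of interpreting it as markup.
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def render_attribute_escaped(title: str) -> str:
    # Attribute context: the value must be quoted AND entity-encoded, otherwise a
    # quote or a space in the input can terminate the attribute and start a new one.
    return '<div title="' + html.escape(title, quote=True) + '">content</div>'


def embed_in_script(value: str) -> str:
    # JavaScript context: entities are not decoded inside <script>, so html.escape
    # is the wrong tool. JSON-encode the value and escape '<' so that a literal
    # "</script>" inside the data cannot close the script block early.
    encoded = json.dumps(value).replace("<", "\\u003c")
    return "<script>var user = " + encoded + ";</script>"


if __name__ == "__main__":
    sample = "<b>hello</b>"  # constructed input containing markup
    print(render_comment_vulnerable(sample))
    print(render_comment_escaped(sample))
    print(render_attribute_escaped('say "hi"'))
    print(embed_in_script("</script>"))
```

Template engines that auto-escape do the first two cases for you, but the script-context case is the one most often done by hand and therefore most often wrong.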

Information Leakage (78%) - In this case the application exposes sensitive data or information that may be useful to an attacker targeting the application.

Cross-site Request Forgery (92%) - This allows the attacker to cause unintended actions in the application on another user's behalf, by getting the victim's browser to submit a request the victim did not intend.
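Below is an added example of the standard mitigation for the CSRF category above; it is my own code and not part of the original page. It models a server-side session store as a plain dictionary (a constructed stand-in for a framework's session backend) and shows a per-session anti-forgery token that is embedded in forms and checked, in constant time, on every state-changing request, with an Origin header check as a second layer. The names `SESSIONS`, `new_session`, `csrf_token_for_form` and `verify_state_changing_request` are hypothetical.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory session store keyed by session id (stands in for a real backend).
SESSIONS: Dict[str, Dict[str, str]] = {}


def new_session() -> str:
    # A fresh, unguessable token is minted per session and kept server-side.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for_form(sid: str) -> str:
    # Rendered into the form as a hidden field. A page on another origin can make
    # the browser submit the form, but cannot read this value to include it.
    return SESSIONS[sid]["csrf_token"]


def verify_state_changing_request(
    sid: str,
    submitted_token: Optional[str],
    origin: Optional[str],
    allowed_origin: str,
) -> bool:
    session = SESSIONS.get(sid)
    if session is None or submitted_token is None:
        return False
    # Constant-time comparison on bytes, so neither the length nor the position of
    # the first mismatch leaks through timing (and non-ASCII input cannot raise).
    expected = session["csrf_token"].encode("utf-8")
    if not hmac.compare_digest(expected, submitted_token.encode("utf-8")):
        return False
    # Defence in depth: browsers attach Origin to cross-site POSTs. When it is present
    # and is not our own origin, the request did not come from our pages.
    if origin is not None and origin != allowed_origin:
        return False
    return True


if __name__ == "__main__":
    sid = new_session()
    token = csrf_token_for_form(sid)
    site = "https://app.example"  # constructed origin for the demonstration
    print("legitimate form post :", verify_state_changing_request(sid, token, site, site))
    print("missing token        :", verify_state_changing_request(sid, None, site, site))
    print("foreign origin       :", verify_state_changing_request(sid, token, "https://other.example", site))
```

Rotate the token on login and logout so a token captured before authentication is not valid afterwards, and never accept it from a cookie alone, since cookies are exactly what the forged request already carries.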

The OWASP Top 10 - 2013 Release Candidate includes the following changes compared with the 2010 edition:
  • A1 Injection
  • A2 Broken Authentication and Session Management (was formerly A3)
  • A3 Cross-Site Scripting (XSS) (was formerly A2)
  • A4 Insecure Direct Object References
  • A5 Security Misconfiguration (was formerly A6)
  • A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)
  • A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)
  • A8 Cross-Site Request Forgery (CSRF) (was formerly A5)
  • A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration)
  • A10 Unvalidated Redirects and Forwards
