Lecture 8 - Web App Security Flashcards
What is a web application?
an application program that is stored on a remote server and delivered over the internet through a browser interface
- the app may or may not be interactive
What does a web application typically have (related to its link)?
Query parameters and schemes within the URL.
What is a webpage?
a single document which can be displayed in a web browser. Often one part of the web application.
What is HTTP?
Hypertext Transfer Protocol (HTTP), an application-layer protocol used to transmit hypermedia between web browsers and web servers. It is stateless and based on the client-server model (client opens connection and waits for response).
Often labelled a ‘carrier’ protocol.
What does hypermedia include?
images
videos
HTML
CSS
JS
What is FTP?
File Transfer Protocol
Standard communication protocol used for transfer of computer files from a server to a client
By default the traffic is not encrypted, so it can be read by any sniffer; use SFTP instead.
What is HTTPS?
encrypted extension of HTTP; encryption is applied to the traffic as it is transferred over the network. TLS (formerly SSL) is used to enforce the encryption.
Is HTTPS widely supported?
YES, it is widely supported, with browsers usually notifying the user if the secure connection has been compromised
What are sessions?
Since HTTP is stateless, we cannot use it to store data between requests. Sessions are used for just that. Sessions are a conceptual idea for interaction between server and client. Cookies are used to actually store data client and server side regarding the session.
What is a session cookie?
A session cookie contains a random number identifier (key) used to index the server’s session cache (get the data regarding the session).
What are cookies?
Cookies are small files of information that a web server generates and sends to a web browser. Web browsers store the cookies they receive for a predetermined period of time, or for the length of a user’s session on a website. Cookies help inform websites about the user, enabling the websites to personalize the user experience. Cookies help to store data between requests -> so we can remember past user interaction and data e.g. what has been added to the cart
What are the 3 main web application vulnerabilities (or most prominent attacks)?
- SQL Injection
- CSRF
- XSS
What is SQL Injection?
The sending of malicious SQL commands to the server via input mechanisms on the site or web app; these are then executed on the server. It is mainly made possible by poor input checking.
What can happen when SQL injection takes place?
attacker may be able to act as database administrator, view records or alter them -> anything possible with SQL
What is command injection?
execution of arbitrary code on the server, often by posting. Commands can be placed as query parameters or within input forms for example. This is again a vulnerability due to the fact there is bad input checking.
What would this do when passed and executed on a server?
ok = execute(SELECT … WHERE user = '' or 1=1 -- …)
The query would always succeed -> we could log in, get all members in the db etc.
How to prevent SQL Injection?
- never build SQL commands yourself -> use parameterized / prepared SQL
- use an ORM framework -> so that there is an abstraction layer between application code and the database
DO NOT USE RAW SQL QUERIES, only let people interact via high-level OOP code
What is CSRF?
Cross Site Request Forgery
This is an attack against web applications where web browsers send an authentication token with a request. This usually leverages the user’s session at the victim server.
What are other names for CSRF?
- one-click attack
- session riding
as the attack takes advantage of previously established sessions
Process of CSRF?
- user logs in and gets authentication credentials and cookie
- user visits malicious site with HTML form
- when form is submitted attacker sends forged request disguised as a legitimate communication
- this request is handled by the server as if it came from a legitimate entity
How to prevent CSRF?
- do not click malicious links
- use HTTPS
- use CSRF session tokens (the token needs to be unique per user session and should be a large random value to make it difficult to guess)
What is XSS?
Cross Site Scripting
An attack which is based on the attacker injecting scripting code into a web application in some way. The attacker’s malicious code is executed on the victim’s machine. Usually used to steal information and data.
What are the 2 types of XSS?
- reflected XSS (the attacker’s script is reflected back to the user as part of a page from the victim site)
- stored XSS (the attacker is able to inject malicious code into a web application that is stored permanently on the server, such as in a database. This code is then served to users who view the affected page.)
Process of a reflected XSS?
- attacker sends a script-injected link to the victim
- victim clicks on the link and requests the legitimate website
- victim’s browser loads the legitimate site, but also executes the malicious script
- usually valuable data is sent back to the attacker
Process of stored XSS?
- attacker injects malicious script onto the web application server
- victim requests content
- victim receives and executes the malicious script
- usually valuable data is sent to the attacker
How to defend yourself against XSS?
- proxy-based defense (analyze the HTTP traffic exchanged between the user’s web browser and the target web server by scanning for special HTML characters and encoding them before the page is executed in the user’s web browser)
- application-level firewall (analyze browsed HTML pages for hyperlinks that might lead to leakage of sensitive information)
- auditing system (monitor execution of JavaScript code and compare the operations against high-level policies to detect malicious behaviour)