topic 6B: web application security (2) Flashcards

1
Q

6 layers of Uniform resource locator (URL)

A
  • tampering with specific parts of a URL has effects at different layers
  1. http : the protocol, gets you through the firewall
  2. 10.0.0.1 : IP address
  3. catalogue : virtual directory mapping
  4. display.asp : application component
  5. pg=1 :
    > application parameter
    > modifying will have effects on the APPLICATION LOGIC
  6. product=7
    > application parameter
    > modifying it will have effects at the DATABASE LAYER
2
Q

Directory Traversal attacks

A

1) an attack in which a malicious user guesses the location of restricted files and views or executes them

eg:
Correct URL: http://www.test.com/getReport.aspx?id=Jan2009.htm

Attack URL: http://www.test.com/getReport.aspx?id=Mar2009.htm

  • attacker can predict the name of the report and obtain the information early, before the link is published

2) source codes might be disclosed as well

  • the "../" sequence is used to traverse one directory above the current directory and enter the /scripts directory (in a URL)
3
Q

How to protect against this attack

A
  • effectively filter any user input
  • always compare against a white list
  • restrict the web application to serve pages only from the web root directory and its subdirectories

white list : a cybersecurity strategy that approves a list of email addresses, IP addresses, domain names or applications, while denying all others

4
Q

Web application threats (1)

A

1) input validation
- buffer overflow, cross-site scripting, SQL injection, canonicalization

2) authentication
- network eavesdropping, brute force attacks, dictionary attacks, cookie replay, credential theft

3) authorization
- elevation of privilege
- disclosure of confidential data
- data tampering
- luring attacks

4) sensitive data
- access sensitive data in storage
- network eavesdropping
- data tampering

5) session management
- session hijacking
- session replay
- man in the middle

4
Q

Entry points and their impact

A
  • an entry point may give direct access to the internal database or application logic
  • how an entry point is handled by the web application defines its security
  • if an entry point is not well guarded and is vulnerable, it can be easily exploited
4
Q

Entry points

A

Firewall :
- HTTP/HTTPS traffic to port 80 and 443 must be allowed

What are entry points?
- attackers can use them to “talk” with an application

entry points :
- QueryString (GET)
- Form (POST)
- Java Applets
- Web Services

5
Q

Web application threats (2)

A

6) configuration management
- unauthorized access to administration interfaces/configuration stores
- retrieval of clear text configuration data
- lack of individual accountability
- over-privileged process and service accounts

7) cryptography
- poor key generation/management
- weak or custom encryption

8) parameter manipulation
- query string
- form field
- cookie
- HTTP header

9) auditing and logging
- user denies performing an operation
- attacker exploits an application without trace
- attacker covers his or her tracks

10) exception management
- information disclosure
- denial of service

6
Q

Security controls : input validation

A

1) root cause of most web hacks

2) failure to properly validate input from the client
- leads to almost all of the major vulnerabilities in applications
- data from the client should NEVER be trusted, since the client has every opportunity to tamper with it

3) tampering with any part of an HTTP request to try to bypass the site's security mechanisms
- attackers can tamper with the URL, QueryString, headers, cookies, form & hidden fields

4) lack of boundary checks on server application
- must have validation rules to ensure data falls within permitted boundaries

5) validation strategy
- accept only known valid data
- reject known bad data
- sanitize bad data

6) check for correct data type
7) NEVER RELY on client-side data validation; implement validation in server-side components as far as possible

7
Q

Using validation libraries

A
  • code libraries that help to robustly validate data

eg :
1. JAVA
- IBM XSS custom tag library
- OWASP Java EE validation library
- DeXSS
2. PHP
- PHP IDS (application layer IDS)
- OWASP PHP validation library
- OWASP reform encoding library

8
Q

Web application firewall

A

1) filters HTTP requests and responses, like a traditional firewall filters packets

2) detect and block unintended traffic

3) specific to the application layer, with well-crafted rules

4) block SQL injection, XSS, CSRF and many other attack vectors

5) advantages
- quick to add rules
- can act as first line of defense
- no recoding is required
- easy to implement and manage

eg :
- ModSecurity
  > open source project
  > HTTP traffic monitoring, logging and real-time analysis

9
Q

OWASP : open web application security project

A

OWASP top 10 :

an awareness document for developers and web application security practitioners. It represents a broad consensus about the most critical security risks to web applications and is globally recognized by developers as the first step towards more secure coding.

  • injection
  • broken authentication
  • sensitive data exposure
  • XML external entities (XXE)
  • broken access control
  • security misconfiguration
  • cross-site scripting (XSS)
  • insecure deserialization
  • using components with known vulnerabilities
  • insufficient logging and monitoring