Security Testing: Top Web Application Vulnerabilities
Web applications have become an integral part of daily life because they are available around the clock and put large amounts of data at our fingertips. As more vital data is stored in web applications and the number of transactions on the web grows, proper security testing of web applications becomes essential. The prime objective of security testing is to identify vulnerabilities in the system and to ensure that data is protected from attackers.
Most Common Types of Attacks causing Web Vulnerabilities
Injection Flaws [A1]: Injection flaws result from a failure to validate untrusted input before it reaches an interpreter. There are various forms: passing unfiltered data to the database (SQL injection), to the browser (cross-site scripting), or to an LDAP server (LDAP injection). The attacker's input is interpreted as part of a query or command, so the attacker can run their own database queries or pass commands directly to the database or server. To prevent injection, treat all input as untrusted: validate input fields against a whitelist of what is expected rather than trying to block a blacklist of known-bad values, and keep data separate from code at the sink, for example by using parameterized queries instead of building SQL by string concatenation.
Broken Authentication & Session Management [A2]: These attacks try to recover passwords, user IDs, session tokens and account details by abusing weaknesses in how the application authenticates users and manages their sessions. Some common causes are:
- The session ID is carried in the URL, where it leaks through the Referer header, browser history and server logs
- Passwords are stored in plaintext or reversibly encrypted rather than hashed, or are hard-coded in the application
- Session IDs are predictable (sequential, or derived from a timestamp or username)
- Sessions never time out, or session IDs are sent over plain HTTP rather than HTTPS/TLS
Developers can prevent these attacks with session expiration (both idle and absolute timeouts), login expiration, unpredictable session IDs drawn from a cryptographic random source, two-factor authentication, and password-rotation policies that require users to change their password after a set period.
Cross Site Scripting (XSS) [A3]: Cross-site scripting occurs when an application includes untrusted input in a web page without validating or encoding it, so an attacker can inject client-side script that runs in other users' browsers. In the reflected form the attacker tricks a victim into clicking a crafted URL; in the stored form the script is saved by the application (in a comment or profile field, for example) and served to everyone who views that page. Once executed in the victim's browser, the script runs with the page's privileges: it can change the site's behaviour, steal session cookies and personal data, or perform actions as the victim. Developers should make use of existing security control libraries, such as OWASP's Enterprise Security API or Microsoft's Anti-Cross Site Scripting Library, and should ensure that any client input is validated and then encoded for the context (HTML body, attribute, JavaScript, URL) in which it is written back to the page.
Insecure Direct Object Reference [A4]: This is an authorization failure in application design: the application exposes a reference to an internal object (a database key, a file name, an account ID) and does not check that the requesting user is allowed to access that object. For example, if a user's account ID appears in the page URL, an attacker can substitute another user's ID and resubmit the request to read their data, which is trivial when IDs are sequential or otherwise predictable. The best defences are to check authorization for the specific object on every request to sensitive files or content and, as a secondary measure, to use unguessable identifiers such as random UUIDs instead of sequential IDs.
Security Misconfiguration [A5]: The primary cause of this vulnerability is misconfiguration of the infrastructure that supports a web application: the web and application servers, frameworks, databases and platform. Common issues include default usernames such as "admin" with default passwords such as "password" or "123", verbose error messages, directory listings, and unattended web pages or services left running on the server.
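For the injection and cross-site scripting passages above, here is an added example in Python (not code from the original article) using only the standard library's sqlite3, html and re modules. It builds a small in-memory users table from constructed sample data and sends the same untrusted input to two sinks: the database, first by string concatenation and then through parameter binding, and the browser, where html.escape encodes it before it is written into HTML. The username whitelist pattern is an assumption chosen for the example.

```python
import html
import re
import sqlite3

# Constructed sample data for the example (not from the original article).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory users table holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Unfiltered input pasted into the query text: the classic SQL injection sink."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameter binding: the value travels separately from the SQL text, so it
    can never be interpreted as query syntax no matter what it contains."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Whitelist for a username field: short, lower-case alphanumerics and underscore.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(name):
    """Whitelist validation at the input boundary, in addition to (not instead of)
    parameter binding; anything outside the expected shape is rejected outright."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name


def render_greeting(name):
    """Output encoding for the browser sink: the value is escaped before being
    placed in an HTML body, so <script> arrives as text rather than markup."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))  # every row leaks
    print("safe:      ", lookup_safe(db, payload))        # no row matches the literal
    print(render_greeting("<script>alert(1)</script>"))
```

The two lookups differ only in where the user's value ends up: inside the SQL text, or alongside it as a bound parameter. The validator is a second, independent line of defence; it would have rejected the payload before it reached either query.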
This can be prevented by establishing a hardened configuration baseline for every component, removing unused services and default accounts, keeping software patched, and training the people who build and operate the system in security and privacy so that these measures are applied as a matter of course.
Sensitive Data Exposure: This vulnerability occurs when sensitive data such as user IDs, passwords, session IDs, cookies, card numbers or personal records is stored or transmitted without protection, for example sent over plain HTTP, exposed in browser URLs, or kept unencrypted in the database. Preventive measures include:
- Sensitive data should be encrypted at all times, in transit (HTTPS/TLS) and at rest
- Payment transactions should be handled through a payment processor such as Stripe or Braintree, so that card data never touches the application
- Passwords should not be stored encrypted (reversibly) at all; they should be hashed with a slow, salted password-hashing function such as bcrypt
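An added example covering the session management points above (unpredictable session IDs, idle and absolute timeouts) and the password storage point under Sensitive Data Exposure. It is not code from the original article and uses only the Python standard library; the timeout values and the scrypt parameters are assumptions for the example, and hashlib.scrypt stands in for bcrypt, which is not in the standard library.

```python
import hashlib
import hmac
import os
import secrets
import time

# Timeout values chosen for the example; the right numbers are a policy decision.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity after which a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity


class SessionStore:
    """In-memory session table keyed by unpredictable IDs, enforcing both timeouts."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so a test can simulate elapsed time

    def create(self, user_id):
        # 32 bytes from the OS CSPRNG: unguessable, unlike a counter or a
        # timestamp-derived ID that an attacker could enumerate.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user_id, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid):
        """Return the user bound to `sid`, or None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["created"] > ABSOLUTE_TIMEOUT or now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # an expired session is the same as no session
            return None
        s["last_seen"] = now
        return s["user"]

    def destroy(self, sid):
        """Logout: drop the session on the server so the cookie value is worthless."""
        self._sessions.pop(sid, None)


def hash_password(password, salt=None):
    """Salted, slow hash. scrypt from the standard library; bcrypt or argon2id
    are equivalent choices. n/r/p are the example's parameters; tune per hardware."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print("session id:", sid, "->", store.lookup(sid))
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("verify ok:", verify_password("correct horse battery staple", record))
```

Because the stored record is a one-way hash, a leaked users table does not yield passwords; because each record has its own salt, two users with the same password get different hashes and a precomputed table is useless.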
Missing Function Level Access Control [A6]: This vulnerability is an authorization failure at the function level. It exists when a site has tiered user accounts and the user interface shows each user only the functions their privileges permit, but the server does not re-check those privileges when the function is actually called. An attacker who knows or guesses the URL or parameter of an administrative function can simply request it directly, so anonymous or low-privilege users reach functionality intended for administrators. To prevent it, authorization must be enforced on the server side for every request, not only in the links and menus shown to the user.
Cross Site Request Forgery (CSRF or XSRF) [A7]: In a CSRF attack the attacker causes a victim's browser to send a request to a site where the victim is already logged in. The browser attaches the session cookie automatically, so the application cannot tell the forged request from a legitimate one. The forged request is typically launched from an attacker-controlled page, for example a lure claiming that the victim's "account has been suspended" or "password has changed", and it can change the victim's password, e-mail address or other settings without their knowledge. The defence is an unpredictable anti-CSRF token bound to the user's session and included in every state-changing form or request, which the server validates before acting on the request.
Denial of Service (DoS) or Distributed Denial of Service (DDoS) [A8]: These are attempts to flood a site with requests so that it becomes unavailable to legitimate users. They usually target specific ports, IP ranges or entire networks, but any connected device or service can be a target. In a DoS attack a single machine attempts to flood the server with packets or requests; in a DDoS attack many widely distributed devices, often a botnet of thousands of compromised machines, flood the target at once. The main classes of DDoS attack are:
- Volume attacks, which attempt to exhaust the bandwidth available to the targeted site
- Protocol attacks, in which packets are crafted to consume server or network resources such as connection tables, firewall state or load-balancer capacity
- Application layer attacks, in which seemingly legitimate requests are made with the intention of overwhelming the web application itself
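For the function-level access control and CSRF passages above, an added example (not the article's code) in Python of how a state-changing administrative handler enforces both checks on the server side: the role check at the function itself, and a synchronizer token bound to the session that a cross-site page cannot read. The request and session dictionaries, the role table and the handler name are assumptions that stand in for what a real web framework supplies.

```python
import hmac
import secrets
from functools import wraps

# Constructed role table; a real application would read roles from its user store.
ROLES = {"alice": "admin", "bob": "user"}


class Forbidden(Exception):
    """Raised when a request fails an authorization or CSRF check."""


def require_role(role):
    """Decorator enforcing `role` on the server for every call of the handler.

    The check lives at the function, not in the menu that links to it, so a
    direct request to the URL by a low-privilege or anonymous user still fails.
    """
    def decorator(handler):
        @wraps(handler)
        def wrapper(request, *args, **kwargs):
            user = request["session"].get("user")
            if user is None or ROLES.get(user) != role:
                raise Forbidden(f"{user!r} may not call {handler.__name__}")
            return handler(request, *args, **kwargs)
        return wrapper
    return decorator


def issue_csrf_token(session):
    """Create a random token, bind it to the session and return it.

    The application embeds it in every state-changing form as a hidden field.
    A page on another origin cannot read it, so a forged request arrives without it.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def check_csrf(request):
    """Synchronizer token check: the submitted token must equal the session's."""
    expected = request["session"].get("csrf_token", "")
    supplied = request.get("form", {}).get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise Forbidden("CSRF token missing or invalid")


@require_role("admin")
def delete_user(request, users, target):
    """Admin-only, state-changing action: authorization, then CSRF, then the work."""
    check_csrf(request)
    users.pop(target, None)
    return True


if __name__ == "__main__":
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    users = {"bob": {}}
    # Forged cross-site POST: session cookie present, token absent -> rejected.
    try:
        delete_user({"session": session, "form": {}}, users, "bob")
    except Forbidden as e:
        print("forged request rejected:", e)
    # Legitimate form submission carrying the session-bound token.
    delete_user({"session": session, "form": {"csrf_token": token}}, users, "bob")
    print("remaining users:", users)
```

The order matters: the role check runs before anything else, so an unauthenticated caller never reaches the CSRF logic, and the CSRF check runs before any state changes.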
Unvalidated Redirects & Forwards [A9]: This is again an input validation issue: a web application accepts unverified input that determines where a user is redirected, so an attacker can craft a link on the trusted site that sends users to a malicious site, typically for phishing or malware delivery. Internal forwards can be abused in the same way to reach pages that bypass the application's access checks and expose sensitive information.
Summing up: Top N vulnerability lists may initially appear to be independent data sets, but these weaknesses are interwoven and one can lead to another. It is therefore vital to understand the application security landscape before deciding the approach for security testing to reduce risk. This is best achieved by combining multiple assessment approaches rather than depending on a single traditional one: code review and static analysis, threat modelling, and application-specific assessment methodologies such as those for mobile or embedded software, to get a more comprehensive picture of your software security threats.
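For the unvalidated redirects passage above, an added example (not the article's code) of a Python whitelist check for a post-login "next" parameter. It accepts only a path rooted on the current site and falls back to a default landing page for everything else, including the protocol-relative, backslash and header-splitting forms that a naive "starts with a slash" check lets through. The parameter name, the default target and the handling of fragments are assumptions for the example.

```python
from urllib.parse import urlsplit, urlunsplit


def safe_redirect_target(candidate, default="/"):
    """Return `candidate` only if it is a local path on this site, else `default`.

    Whitelist semantics: the only thing accepted is a single-slash-rooted path
    with optional query and fragment. Anything a browser could read as another
    origin, or that could corrupt the Location header, is replaced by `default`.
    """
    if not candidate:
        return default
    candidate = candidate.strip()
    # Browsers treat backslashes in URLs as forward slashes, so "/\evil.example"
    # would be followed as "//evil.example"; normalise before judging it.
    candidate = candidate.replace("\\", "/")
    # Control characters could split the Location header (response splitting).
    if any(ord(c) < 0x20 or c == "\x7f" for c in candidate):
        return default
    # "//host" and "///host" are protocol-relative URLs, i.e. a different origin;
    # "host/path" without a leading slash is relative to wherever the page sits.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    # Defensive: "https://host/...", "https:host" and "javascript:..." all carry
    # a scheme; the checks above already exclude them, but say so explicitly.
    if parts.scheme or parts.netloc:
        return default
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed inputs: one legitimate value and the usual bypass attempts.
    for value in ["/account/settings?tab=1", "https://evil.example/phish",
                  "//evil.example", "///evil.example", "/\\evil.example",
                  "https:evil.example", "javascript:alert(1)",
                  "/x\r\nLocation: https://evil.example", "account"]:
        print(repr(value), "->", safe_redirect_target(value))
```

If the application must redirect to a short list of external partner sites, keep an explicit allowlist of full origins and compare the parsed scheme and host against it; never derive the allowed destination from the request itself.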