Web Application Security

Saroj Agrawal and Prince Agarwal

MBA-IT

Indian Institute of Information Technology - Allahabad

Securing the enterprise and the processes within it is a major issue these days, and vulnerabilities in web applications are now the largest vector of enterprise security attacks. Last year, almost 55% of the vulnerabilities that were brought to light affected web applications, and at the end of the year more than 74% of the web-application vulnerabilities had no patch available to remediate them. Among the many vulnerabilities, the main culprits were “cross-site scripting”, “SQL injection” and “buffer overflow”. Even network security managers’ expertise is not enough for these kinds of vulnerabilities. What makes them so attractive to attackers is the relative obscurity of the web applications.

Attacks on vulnerabilities in web applications began appearing in the mid-1990s, at the beginning of the World Wide Web. Attacks are generally based on fault injection, which exploits vulnerabilities in a web application’s syntax and semantics. An attacker needs only basic knowledge of HTTP and HTML and a standard browser to attempt a particular exploit, by varying a Uniform Resource Locator (URL) link in a way that could trigger an exploit such as SQL injection or cross-site scripting:

http://example/foo.cgi?a=1

http://example/foo.cgi?a=1'  <- SQL injection

http://example/foo.cgi?a=<script> …  <- Cross-site scripting (XSS)

Some attacks attempt to alter the application’s logical workflow. Attackers also execute these by varying a URI:

http://example/foo.cgi?admin=false

http://example/foo.cgi?admin=true  <- Increase privileges
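The three URL manipulations above, shown against a minimal request handler written for this page (not code from the original article): each vulnerable function is paired with the hardened form that closes the hole. The database, the session store and the URLs are constructed for the illustration.

```python
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory database standing in for the application's backend.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE items (id INTEGER, name TEXT, secret INTEGER)")
DB.executemany("INSERT INTO items VALUES (?, ?, ?)",
               [(1, "public item", 0), (2, "internal item", 1)])
# Constructed server-side session store: the only trusted source of roles.
SESSIONS = {"sid-user": {"admin": False}, "sid-admin": {"admin": True}}

def params(url):
    """First value of each query-string parameter in the URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def vulnerable_lookup(url):
    """Pastes ?a= into SQL: a stray quote breaks the syntax, an OR widens it."""
    sql = "SELECT name FROM items WHERE id = " + params(url).get("a", "")
    return [row[0] for row in DB.execute(sql)]

def safe_lookup(url):
    """Checks the type, then binds the value as a parameter, never as SQL text."""
    item_id = int(params(url).get("a", ""))  # ValueError for 1' or 1 OR ...
    rows = DB.execute("SELECT name FROM items WHERE id = ?", (item_id,))
    return [row[0] for row in rows]

def vulnerable_echo(url):
    """Reflects ?a= into HTML unchanged, so <script> reaches the browser as code."""
    return "<p>" + params(url).get("a", "") + "</p>"

def safe_echo(url):
    """Escapes the value so the browser renders it as text, not markup."""
    return "<p>" + html.escape(params(url).get("a", "")) + "</p>"

def vulnerable_is_admin(url, session_id):
    """Trusts the client-supplied admin flag (the admin=true case above)."""
    return params(url).get("admin") == "true"

def safe_is_admin(url, session_id):
    """Ignores the URL flag; the role comes only from the server-side session."""
    return SESSIONS.get(session_id, {}).get("admin", False)
```

The hardened lookup rejects the probe `a=1'` with a validation error rather than a database error, which also removes the error message an attacker would otherwise learn from.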

A significant number of attacks exploit vulnerabilities in syntax and semantics. Many of these vulnerabilities can be discovered with an automated scanning tool. Logical vulnerabilities, however, are very difficult to test with a scanning tool; they require manual inspection of the web application’s source code and security testing. Web application security vulnerabilities usually stem from programming errors in a web application programming language (e.g., Java, .NET, PHP, Python, Perl and Ruby), a code library, a design pattern or an architecture. A web application firewall might control the effects of some exploits, but it is not appropriate for resolving the underlying vulnerabilities.

Types of web application vulnerabilities

Web applications may have dozens of vulnerabilities. Penetration testing can be done to find the top vulnerabilities.

Authentication – stealing user account identities

- Brute Force attack automates a process of trial and error to guess a person’s username, password, credit-card number or cryptographic key.

- Insufficient Authentication permits an attacker to access sensitive content or functionality without proper authentication.

- Weak Password Recovery Validation permits an attacker to illegally obtain, change or recover another user’s password.

Authorization – illegal access to applications

- Credential/Session Prediction is a method of hijacking or impersonating a user.

- Insufficient Authorization permits access to sensitive content or functionality that should require stricter access control.

- Session Fixation attacks force a user’s session ID to an explicit value.

Client-side Attacks – illegal execution of foreign code

- Content Spoofing tricks a user into believing that certain content appearing on a website is legitimate and not from an external source.

- Cross-site Scripting (XSS) forces a web site to echo attacker-supplied executable code, which then loads into a user’s browser.

Command Execution – hijacks control of the web application

- Buffer Overflow attacks alter the flow of an application by overwriting parts of memory.

- Format String Attack uses string formatting library features to alter the flow of an application and access other memory space.

- LDAP Injection attacks exploit web sites by constructing LDAP statements from user-supplied input.

- OS Commanding executes operating system commands on a web site by manipulating application input.

- SQL Injection constructs illegal SQL statements on a web site application from user-supplied input.

- SSI Injection (also called Server-side Include) sends code into a web application, which is later executed locally by the web server.

- XPath Injection constructs XPath queries from user-supplied input.

Information Disclosure – shows sensitive data to attackers

- Directory Indexing is an automatic directory listing/indexing web server function that shows all files in a requested directory if the normal base file is not present.

- Information Leakage is the revealing of sensitive data, such as developer comments or error messages, which helps an attacker exploit the system.

- Path Traversal permits access to files, directories and commands that potentially reside outside the web document root directory.

- Predictable Resource Location uncovers hidden web site content and functionality.

Logical Attacks – interfere with application usage

- Abuse of Functionality uses a web site’s own features and functionality to consume, defraud or circumvent access control mechanisms.

- Denial of Service (DoS) attacks prevent a web site from serving normal user activity.

- Insufficient Anti-automation occurs when a web site permits an attacker to automate a process that should only be performed manually.

- Insufficient Process Validation permits an attacker to bypass or circumvent the intended flow of an application.
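The Directory Indexing and Path Traversal items under Information Disclosure are both failures of one check: that a requested path resolves inside the document root and that a directory without its base file is not enumerated. The static-file handler below is an added example written for this page (not the article’s own code); the document root, its files and the secret.conf placeholder are constructed for the illustration.

```python
import tempfile
from pathlib import Path

# Constructed document root: a public page, a subdirectory with no index file,
# and a sensitive file that lives one level above the root.
BASE = Path(tempfile.mkdtemp())
DOCROOT = BASE / "htdocs"
(DOCROOT / "docs").mkdir(parents=True)
(DOCROOT / "index.html").write_text("<h1>home</h1>")
(DOCROOT / "docs" / "guide.txt").write_text("guide")
(BASE / "secret.conf").write_text("db_password=placeholder")

def resolve(request_path):
    """Map a URL path onto the document root; None if it escapes the root.

    Symlinks are followed and '..' collapsed before the check, so both
    '/../secret.conf' and '/docs/../../secret.conf' are rejected.
    """
    root = DOCROOT.resolve()
    candidate = (root / request_path.lstrip("/")).resolve()
    if candidate != root and root not in candidate.parents:
        return None
    return candidate

def serve(request_path):
    """Return (status, body) the way a hardened static-file handler would."""
    target = resolve(request_path)
    if target is None:
        return 403, ""          # Path Traversal attempt: refuse, never read
    if target.is_dir():
        index = target / "index.html"
        if not index.is_file():
            return 403, ""      # no base file: refuse to list the directory
        target = index          # (the Directory Indexing weakness)
    if not target.is_file():
        return 404, ""
    return 200, target.read_text()
```

The check compares fully resolved paths rather than inspecting the string for "..", so encoded or symlinked variants that a string filter would miss are caught once the web server has decoded the request.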

Detecting web application vulnerabilities

There is no “silver bullet” for detecting web application vulnerabilities. The same kind of multi-layer strategy that is used for network security can be used to detect the vulnerabilities present in web applications. A complex enterprise-scale web application requires source code analysis for detection and remediation of vulnerabilities. An automated scanner can also be used to detect web application vulnerabilities; it both supplements and complements manual forms of testing. It provides five key benefits:

- Identifies vulnerabilities of syntax and semantics in custom web applications

- Performs authenticated crawling

- Profiles the target application

- Ensures accuracy by effective reduction of false positives and false negatives

- Lowers total cost of operations by automating repeatable testing processes

A scanner performs likely attacks on target applications in order to detect vulnerabilities, since, unlike source code analysis, it has no access to the application’s internals. A broad simulated attack on an application takes significantly longer than a network vulnerability scan against a single IP, although the time required for scanning varies. A major requirement for a web application vulnerability scanner is comprehensive coverage of the target application’s functionality: incomplete coverage will cause the scanner to overlook existing vulnerabilities.

There are web application scanning solutions that allow a network security or IT administrator to execute comprehensive, accurate vulnerability scans on custom web applications such as shopping carts, forms, login pages and other types of dynamic content. They combine pattern recognition and observed behaviours to accurately identify and verify vulnerabilities. The service identifies and profiles login forms, session state, error pages and other customized features of the target application, even if they span multiple websites.