Web Attacks

By -
This blog post was contributed by Vaibhav Rastogi.

The web is one of the most common interfaces between an organization and the outside world and so web attacks, or attacks on web applications, are a fairly frequent attack scenario. They have been studied for decades, projects such as OWASP Top Ten have been there to create awareness about these attacks, and there are numerous tools, which can be used to detect and mitigate common web application vulnerabilities. Here, we outline some of the common categories of attacks on web applications.

Injection attacks

Such attacks happen when untrusted data is incorporated into the server-side application logic without proper sanitization. These attacks can use a variety of vectors: for example, unsanitized input can make its way into a SQL query to result in a so-called SQL injection. Similar attacks can result with injection into noSQL database queries, and into server-side scripts (e.g., a PHP script that evaluates some untrusted input, which then gets executed as code).

These attacks can result in exposure of confidential data or a compromise of data integrity. Ways to prevent these attacks involve proper placement of sanitizers in the server-side logic so as to never let unsanitized, untrusted data reach places where it could execute as part of application logic.

Cross-Site Scripting (XSS)

Cross-site scripting is similar to injection attacks in that the some untrusted input is interpreted as the application logic, but this time the attack happens in the browser rather than the server. Specifically, the attack happens when an attacker injects into the webpage markup data, that is interpreted by the browser as a script (typically, Javascript) and executed.

As an example, consider an attacker inserting a script element (Javascript code enclosed in <script></script> tag) in an input field that requires their name. Upon submission, the data in the field is then stored in a server-side database. An unsuspecting user viewing the names of all people in the database through a web interface then gets the attack script in lieu of the attacker's name. This attack script is then executed by the browser.

Cross-site scripting can again lead to compromise of confidentiality and integrity. The primary way of preventing cross-site scripting to insert sanitizers that modify the inputs in ways such that the browser does not interpret them as executable code. Another line of defense comes from the so called content security policies in web browsers. These policies specify where content (including executable content) can come from (e.g., from specific domains or specially marked-up elements). The browser then ignores any content that has not been white-listed in this manner. We will discuss CSP in greater detail in a future blog post.

Authorization and Authentication Flaws

This category represents several scenarios. For example, an object may be publicly accessible though a URL while it should have been accessible only to authenticated users, who have the right privileges. Another example could be bypassing highjacking an authenticated session by merely using the URL of the authenticated session. To elaborate, suppose a session is authenticated through a session ID, which is present in the URL. An attacker could entice a victim to send them an authenticated session URL and use the session ID-containing URL to get the victim's session. Failure to enforce strong passwords or the use of insecure authentication practices, e.g., authenticating a user based on secret question/answers in lieu of passwords are also authentication flaws.

Man-in-the-middle Attacks

With the client-server communication happening over an unencrypted channel, the data is open to sniffing and spoofing attacks while in transit. This can most easily be fixed with by using HTTP over TLS or HTTPS. HTTPS encrypts the communication channel and provides authentication of the server (i.e., the connected example.com is indeed example.com) and integrity and confidentiality of the data. TLS configuration errors can sometimes result in weakened security. It is therefore important to choose a strong default configuration for your web server.

Cross-Site Request Forgery (CSRF)

In this, the attacker exploits the browser to send a request to the server on victim's behalf. The victim is typically logged-in into the website and so the request is processed in an authenticated context. For example, consider a user logged into their bank website and in a separate browser tab clicking on an attack link that directs the bank website to transfer money from the victim's account to the attacker's account. The main issue here is that the server has no way to tell if the victim created this request or the attacker did it from the victim's browser.

Common ways of dealing with CSRF attacks include the server sending a nonce (a random, unpredictable token) to the client, which is then embedded in every legitimate request to the server. Any attacker-created request will not have the nonce and hence can be rejected by the server.

The above is only a very short summary of the attacks. There are many details we have skipped, including variations on these attacks, and how to prevent them effectively. We will cover some of these attacks in detail in future posts.

Comments

Post a Comment

Popular posts from this blog

Malware Trend in 2007

By -
I read the report IBM Internet Security System X-Force 2007 Trend Statistics. This is a report describing trends for various threats in 2007. This team has been tracking trends since 2000. I found the report to be quite interesting. In the rest of this post, I highlight some of the interesting points from the report and what they mean in the context of malware detection. (I) The X-Force team reports continued growth in Web browser exploitation. This clearly shows that the infection vector is changing to the Web. Earlier the primary infection vectors were email and the network. Therefore, for detecting malware, drive-by-downloads (DBD) and other threats targeted at hacking through the Web browser need a lot of attention. (II) X-Force also reports a marked increase in obfuscated exploits, i.e., exploits that use various code obfuscation techiques (such as encryption). Here is a quote, "X-Force estimated that nearly 80 percent of Web exploits used obfuscation and/or self decryption .
Read more

Model Checking and Security

By -
Model checking is a technique of verifying temporal properties of finite-state systems. One of the attractive features of model checking over other techniques (such as theorem proving) is that if a property is not true, a model checker provides a counter-example which explains why the property is not true. Inventors of model checking, Edmund Clarke, Allen Emerson, and Joseph Sifakis, won the 2008 ACM Turing award (see the announcement here ). I have a personal connection to two of the recipients. Edmund Clarke was my adviser at Carnegie Mellon, and Allen Emerson and I have collaborated on few projects and he has supported me through out my career. In this note I try to summarize various applications of model checking to security. Protocol verification : Protocols in the realm of security (henceforth referred to as security protocols) are very tricky to get correct. For example, flaws in authentication protocols have been discovered several years after they have been published. Techniqu
Read more