Web Application Security Testing

WEB APPLICATION SECURITY TESTING – 1. INTRODUCTION

This notes is for learning/educational purpose only. Use it at your own risks.

COMMON WEB APPLICATIONS

Most common Web applications used today are:

  • Shopping (Amazon)
  • Social Networking (Facebook)
  • Banking (CitiBank)
  • Web Search (Google)
  • Web Mail (Gmail)
  • Auctions (Ebay) etc.

Internal Web apps in organizations (Cloud services) are :

  • HR payroll information, performance reviews
  • Admin interfaces to servers, VM’s, workstations
  • Sharepoint, ERP, Outlook Web access, Office apps etc.

WEB APP SECURITY

State of Web app security:

  • Breaches are common. Attackers get sensitive data usually by gaining complete control of back end systems.
  • DoS (Denial of Service) at application level

Common Security flaws:

  • Broken Authentication and Access controls
  • SQL Injection
  • XSS (Cross Site Scripting – User input is script which gets executed in browser)
  • CSRF (Cross Site Request Forgery – Custom link created for execution in different context.)
  • Information Leak

THE FUNDAMENTAL SECURITY ISSUE is that users can supply arbitrary input. Malicious input can compromise site.

  • Alter parameters, cookies, HTTP headers
  • Client side controls cant be trusted
  • Developers must assume all input is malicious
  • Attacker have attack tools like burp, not restricted to use browsers

Scenario: Static Website

Information flows one way. Attacker who exploits web server can steal public data or deface the site.

Scenario: Web Applications

Two way information flow. User logs in and submit content. Lot of data is sensitive and private. Most apps are developed in house. And often developers are naive about security.

Various possible attacks at client side:

  • Change price of item
  • Modify session token to enter another user’s account
  • Remove parameters to exploit logic flaws
  • SQLi

Key Problem Factors for state of security:

  • Underdeveloped security awareness
  • Custom/In-house app development
  • Deceptive simplicity: Easy to make website (using frameworks etc.), but hard to secure it.
  • Rapidly evolving threat profile: Security steps taken at beginning might get outdated.
  • Resource and Time constraints
  • Overextended technologies
  • Increasing demands on functionality

The New Security Perimeter

  • Edge firewalls and bastion hosts are not enough to keep attacker out of critical systems, because user input is custom crafted.
  • Third party components can also have vulnerability which might break your security.
  • Attackers can attack client side controls instead of servers.

Future of Security

  • #1 security measure – updates
  • Some vulnerabilities are decreasing
  • Logic flaws and failure to use controls properly are not decreasing

Example of latest hack in Feb 2018 : SinVR Hack – 20k User credentials & information exposed. Hack was possible due to IDOR (Indirect Object Reference) weakness.

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s