These notes are for learning/educational purposes only. Use them at your own risk.
COMMON WEB APPLICATIONS
The most common web applications used today are:
- Shopping (Amazon)
- Social Networking (Facebook)
- Banking (CitiBank)
- Web Search (Google)
- Web Mail (Gmail)
- Auctions (eBay), etc.
Internal web apps used inside organizations (increasingly delivered as cloud services) include:
- HR payroll information, performance reviews
- Admin interfaces to servers, VMs, workstations
- SharePoint, ERP, Outlook Web Access, Office apps, etc.
WEB APP SECURITY
State of Web app security:
- Breaches are common. Attackers usually reach sensitive data by using the application as a path to full control of the back-end systems (database, file system, internal network).
- Denial of service (DoS) at the application level is also common: expensive requests exhaust the server instead of the network link.
Common Security flaws:
- Broken authentication and access controls
- SQL injection (user input concatenated into database queries)
- XSS (Cross-Site Scripting: user-supplied input is returned in a page and executed as script in other users' browsers)
- CSRF (Cross-Site Request Forgery: an attacker-crafted link or form makes the victim's browser send a request to a site where the victim is already logged in, so it runs with the victim's privileges)
- Information leakage (verbose error messages, debug output, exposed files)
THE FUNDAMENTAL SECURITY ISSUE is that users can supply arbitrary input. Everything the client sends can be malicious, and malicious input can compromise the site.
- Users can alter parameters, cookies and HTTP headers, not just visible form fields.
- Client-side controls (JavaScript validation, hidden fields, disabled buttons, length limits) cannot be trusted; they run in a browser the attacker controls.
- Developers must assume all input is malicious and validate it on the server.
- Attackers are not restricted to a browser; intercepting proxies such as Burp let them view and modify every request before it reaches the server.
Scenario: Static Website
Information flows one way: the server serves pages and users only read them. An attacker who exploits the web server can steal public data or deface the site.
Scenario: Web Applications
Information flows two ways: users log in and submit content, and much of the data held is sensitive and private. Most apps are developed in house, and developers are often naive about security.
Attacks possible by tampering with what the client sends:
- Change price of item
- Modify session token to enter another user’s account
- Remove parameters to exploit logic flaws
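The first and third attacks above, as an added example that is not part of the original notes. The checkout handler trusts a price that arrived in the request (for instance from a hidden form field), and the password-change handler only checks the existing password when the browser happens to send that field. The catalogue, user store and request dicts are constructed sample data; the hardened versions sit beside each flawed one.

```python
"""
Toy server-side handlers showing two client-side attacks: changing the price
of an item and removing a parameter to exploit a logic flaw.  All data here is
constructed sample data, not taken from any real application.
"""

# Constructed server-side catalogue: the only trustworthy source of prices.
# Prices are in cents.
CATALOG = {"sku-100": 1999, "sku-200": 4999}


def vulnerable_checkout(params: dict) -> int:
    """Trusts the price that came with the request.  An attacker who edits the
    hidden 'price' field (or replays the request through a proxy) pays what
    they like."""
    qty = int(params["qty"])
    price = int(params["price"])  # attacker-controlled value
    return qty * price


def safe_checkout(params: dict) -> int:
    """Ignores any client-supplied price and looks the item up server-side.
    Quantity is still client input, so it is range-checked too."""
    qty = int(params["qty"])
    if qty <= 0:
        raise ValueError("quantity must be positive")
    sku = params["sku"]
    if sku not in CATALOG:
        raise ValueError("unknown item")
    return qty * CATALOG[sku]


def vulnerable_change_password(users: dict, user: str, params: dict) -> bool:
    """Verifies the existing password only when the 'existing' field is
    present.  The developer assumed the browser always sends the field; an
    attacker with a stolen or hijacked session simply deletes it from the
    request and the check is skipped."""
    if "existing" in params and params["existing"] != users[user]["password"]:
        return False
    users[user]["password"] = params["new"]
    return True


def safe_change_password(users: dict, user: str, params: dict) -> bool:
    """Treats a missing 'existing' field exactly like a wrong password."""
    if params.get("existing") != users[user]["password"]:
        return False
    users[user]["password"] = params["new"]
    return True


if __name__ == "__main__":
    # Constructed attacker request: two items, price field edited to 1 cent.
    tampered = {"sku": "sku-100", "qty": "2", "price": "1"}
    print("vulnerable checkout charges:", vulnerable_checkout(tampered))
    print("safe checkout charges:     ", safe_checkout(tampered))

    # Constructed attacker request: 'existing' parameter removed entirely.
    users = {"alice": {"password": "correct horse"}}
    print("vulnerable change accepted:", vulnerable_change_password(users, "alice", {"new": "pwned"}))
    users = {"alice": {"password": "correct horse"}}
    print("safe change accepted:      ", safe_change_password(users, "alice", {"new": "pwned"}))
```

The point of the second pair is that `"existing" in params` is a decision the client gets to make; `params.get("existing")` moves that decision back to the server, where a missing value compares unequal to any real password.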
Key problem factors behind the state of security:
- Underdeveloped security awareness
- Custom/In-house app development
- Deceptive simplicity: Easy to make website (using frameworks etc.), but hard to secure it.
- Rapidly evolving threat profile: security measures taken at the start of a project may be outdated by the time it ships.
- Resource and Time constraints
- Overextended technologies: core web technologies (HTTP, cookies, JavaScript) are pushed far beyond what they were originally designed for.
- Increasing demands on functionality
The New Security Perimeter
- Edge firewalls and bastion hosts are not enough to keep attackers out of critical systems: the application must accept user input on its public ports, so a crafted request passes straight through the perimeter to the back end.
- Third-party components (libraries, frameworks, plugins) can carry vulnerabilities that break your security even when your own code is sound.
- Attackers can also target the application's users (for example with XSS) instead of the servers, so the users' browsers become part of the perimeter.
Future of Security
- The #1 security measure is keeping software updated.
- Some vulnerability classes are decreasing in prevalence.
- Logic flaws and failure to use available security controls properly are not decreasing.
Example of a recent hack (Feb 2018): SinVR hack, about 20k user credentials and personal details exposed. The hack was possible because of an IDOR (Insecure Direct Object Reference) weakness, where the application exposes a reference to an internal object, such as a record id, and lets a user fetch it without checking that the object belongs to them.
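The IDOR pattern named above, as an added example written for these notes (it is a generic toy endpoint, not code from SinVR or any real application). One user is logged in, the invoice id comes from the URL, and the flawed handler never asks who owns the record; the fixed handler checks ownership against the server-side session. All records and usernames are constructed sample data.

```python
"""
Insecure Direct Object Reference (IDOR) in a toy 'view my invoice' endpoint,
beside the access-controlled version.  Data is constructed sample data.
"""

# Constructed data store: invoice id -> record.  Ids are sequential, so an
# attacker who sees their own id 1002 in a URL can simply try 1001, 1003, ...
INVOICES = {
    1001: {"owner": "alice", "total": 4999, "card_last4": "4242"},
    1002: {"owner": "bob", "total": 1999, "card_last4": "1881"},
    1003: {"owner": "carol", "total": 7500, "card_last4": "0005"},
}


class Forbidden(Exception):
    """Raised when the logged-in user does not own the requested object."""


def vulnerable_get_invoice(session_user: str, invoice_id: int) -> dict:
    """Looks the record up by the id taken straight from the request and never
    consults the session.  Any authenticated user can read any invoice."""
    return INVOICES[invoice_id]


def safe_get_invoice(session_user: str, invoice_id: int) -> dict:
    """Same lookup, followed by an ownership check against the server-side
    session identity.  A missing record and someone else's record get the same
    response so the attacker cannot tell which ids exist."""
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden(f"{session_user} may not read invoice {invoice_id}")
    return record


def enumerate_invoices(get_invoice, session_user: str, id_range) -> list:
    """Simulates the attacker's loop: walk a range of ids with one session and
    collect (id, owner) for every record the endpoint hands back."""
    leaked = []
    for invoice_id in id_range:
        try:
            record = get_invoice(session_user, invoice_id)
        except (KeyError, Forbidden):
            continue
        leaked.append((invoice_id, record["owner"]))
    return leaked


if __name__ == "__main__":
    # bob is logged in and walks ids around his own invoice.
    print("vulnerable:", enumerate_invoices(vulnerable_get_invoice, "bob", range(1000, 1005)))
    print("safe:      ", enumerate_invoices(safe_get_invoice, "bob", range(1000, 1005)))
```

Note that the fix is the authorization check, not making ids harder to guess: unpredictable ids only slow the enumeration loop down, while the ownership test stops it regardless of how the attacker obtained the id.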