Episode 11 – Common Web App Vulnerabilities
Music provided by: Denis Kreynin https://soundcloud.com/denis-kreynin
Authentication of users happens either at the OS layer, at the application layer or within the database. Services such as web servers and databases also need to run under some sort of context. This combination creates authorization challenges and loopholes that need to be accounted for by the developer and platform administrator.
Forcible (or forced) browsing is a way for someone to manipulate the URL to gain access to something they should not have access to: checking for unpublished content that follows a similar naming convention, pulling up configuration or debugging information, or escaping the sandbox that the web browser is supposed to operate in. With really bad session handling, it can even change the user context, which is called horizontal escalation of privileges.
Forcible browsing is corrected by applying granular access controls, both to what a user can do and to what the services (like the database and web server) can access. These services should never run as root/system, because that grants them access to all files and programs.
Cross Site Scripting (XSS) depends on knowing how HTML works in conjunction with client-run scripts (like JavaScript) and form submissions such as comment pages.
XSS is split into two types:
– reflected XSS affects the person going to that URL (probably used in phishing attacks to steal session IDs)
– stored XSS is a way to make everyone browsing a website execute JavaScript chosen by the submitting attacker.
Cross site scripting is fixable by sanitizing input. If you have to show what someone typed in, for confirmation or to other users, then get rid of the HTML tags.
SQL injection interrupts the normal web page queries to the database by adding more to the query. If a normal logon query based on a form submission looks like
select * from users where name = 'Matt' AND pass = 'Monkeys';
then adding extra special characters and input to the password field could send something like
select * from users where name = 'Matt' AND (pass = 'Monkeys' OR '1' = '1');
or, more maliciously, drop the tables that control all access to the application, like
select * from users where name = 'Matt' and pass = 'Monkeys'; drop table users;
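The logon query above, built two ways, as an added example that is not part of the episode: string concatenation, which lets a quote character in the password field rewrite the statement, beside the same query with bound parameters, where the identical input is only ever compared as a literal. The in-memory SQLite table and the user row are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: one user row in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('Matt', 'Monkeys')")
    conn.commit()
    return conn


def build_vulnerable_sql(name, password):
    # The form values are pasted straight into the SQL text, exactly the
    # pattern the injected queries above come from.
    return f"select * from users where name = '{name}' AND pass = '{password}'"


def login_vulnerable(conn, name, password):
    # Any quote in the input becomes part of the statement; AND binds tighter
    # than OR, so a trailing OR '1' = '1' makes the WHERE clause always true.
    rows = conn.execute(build_vulnerable_sql(name, password)).fetchall()
    return len(rows) > 0


def login_parameterized(conn, name, password):
    # Bound parameters: the SQL text is fixed and the driver sends the values
    # separately, so the quote-laden password is compared as plain text.
    sql = "select * from users where name = ? AND pass = ?"
    rows = conn.execute(sql, (name, password)).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    db = make_db()
    bad_password = "Monkeys' OR '1' = '1"
    print(build_vulnerable_sql("Nobody", bad_password))
    print("vulnerable:", login_vulnerable(db, "Nobody", bad_password))      # True
    print("parameterized:", login_parameterized(db, "Nobody", bad_password))  # False
```

Note that sqlite3's execute() refuses to run a second statement in the same call, so the "; drop table users;" case needs a driver or call that allows stacked statements; the parameterized form is immune either way because the input never reaches the SQL parser.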
References:
OWASP top 10 – https://www.owasp.org/index.php/Top_10_2013-Top_10
Common Weakness Enumeration top 25 – https://cwe.mitre.org/top25/#Listing
Forcible browsing – https://www.imperva.com/resources/glossary/forceful_browsing.html
XSS prevention (with a link to explanation) – https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Microsoft reference to SQL injection and prevention – https://technet.microsoft.com/en-us/library/ms161953(v=sql.105).aspx
XKCD comic highlights SQL injection – https://xkcd.com/327/