Academic year: 2023

UNIT 1: WEB VULNERABILITIES AND ATTACKS

Structure

1.0 Introduction
1.1 Learning Outcomes
1.2 Define Web Vulnerabilities
1.3 OWASP
1.4 Common Web Vulnerabilities
1.4.1 Injection Attacks
1.4.2 Cross-Site Attacks
1.4.3 Broken access & Authentication control
1.4.4 Directory Attacks
1.5 Unique Web Vulnerabilities
1.5.1 Carriage Return and Line Feed (CRLF) Injection
1.5.2 Insecure Cipher Transformation
1.5.3 Cross-Origin Resource Sharing (CORS) Policy
1.5.4 Encapsulation
1.5.5 Error handling
1.5.6 Failure to restrict URL access
1.5.7 HTTP response splitting
1.5.8 HTTP verb tampering
1.5.9 Improper certificate validation
1.5.10 Insecure cryptographic storage
1.5.11 Insecure deserialization
1.5.12 Insecure digest
1.5.13 Insecure direct object references
1.5.14 Insufficient session expiration
1.5.15 Insufficient transport layer protection
1.5.16 Lightweight Directory Access Protocol (LDAP) injection
1.5.17 Missing function level access control
1.5.18 Missing PT_DENY_ATTACH
1.5.19 Race condition
1.5.20 Remote code execution (RCE)
1.5.21 Remote file inclusion (RFI)
1.5.22 Sensitive Data Exposure
1.5.23 Session ID leakage
1.5.24 Unrestricted File Upload
1.5.25 Unvalidated automatic library activation
1.5.26 Unvalidated redirects and forwards
1.6 Find vulnerabilities in Website
1.6.1 Free vulnerability scanning
1.6.2 Conducting penetration testing
1.7 Aspects to consider when finding Web vulnerabilities
1.7.1 Frequency of vulnerability scans
1.7.2 Types of vulnerability scan
1.7.3 Choosing Vulnerability scanner
1.7.4 Types of Web Application Security Testing
1.8 Let Us Sum Up
1.9 Check Your Progress: The Key
1.10 References and Further Readings

1.0 Introduction

Website vulnerabilities are flaws or misconfigurations in the code that hackers can use to acquire control of a website or online service. Hackers use automated tools to continually search for and detect these flaws, and once a flaw is discovered they exploit it to launch various forms of attack. For these reasons, each website owner must implement a patch management solution to identify and repair known vulnerabilities before they cause serious security difficulties. Security patching tools can help stay ahead of exploits and prevent attacks by detecting, eliminating, and correcting vulnerabilities. Organizations continue to 'shift left,' embracing the new employee and consumer experiences provided by cloud-hosted online apps. Meanwhile, malicious actors continue to adapt their attack tactics in response to this transition. According to the SiteLock cybersecurity report 2022 [1], websites are subjected to an average of 22 cyberattacks per day, or over 8,000 attacks per year.

1.1 Learning Outcomes

After having studied this unit, you will be able to:

• understand web vulnerabilities and discuss the various types of web vulnerability that cybercriminals exploit;

• discuss flaws found using automated tools such as vulnerability scanners and botnets;

• explain unique web vulnerabilities.

1.2 Defining Web Vulnerabilities

Application vulnerabilities are defects or weaknesses in software that can be exploited or result in a security breach. Web applications are particularly vulnerable to attack because of the Internet's vast worldwide reach, and attacks can come from various sources via various attack vectors. A web application security program must include application vulnerability management and application security testing. A website vulnerability is a flaw or misconfiguration in the coding of a website or online application that allows an attacker to take control of the site and perhaps the hosting server. The exploitability, detectability, and impact on the software of online security flaws are emphasized as follows.

• Exploitability: what are the requirements for exploiting a security flaw? The attack has the most exploitability when it merely requires a web browser and the lowest when it requires complex programming and tools.

• Detectability: how easily can the threat be detected? The information displayed on the URL, Form, or Error message has the most priority, whereas the source code has the lowest priority.

• Impact or Damage: How much harm would the security vulnerability cause if revealed or attacked? The highest level is an entire system crash, while the lowest level is nothing.

1.3 OWASP

Leading industry research and standards bodies provide application security standards to assist enterprises in identifying and removing application security vulnerabilities in complex software systems. The security of websites, web applications, and web services such as APIs is called web application security. The OWASP Top 10 list, which is highly regarded and updated periodically as the security landscape morphs and evolves, details the ten most commonly found application vulnerabilities. The Open Web Application Security Project (OWASP) is a non-profit organization that enhances software and web application security. This organization releases a list of web security flaws based on data from numerous security groups. The OWASP Top 10's primary goal is to educate developers, designers, managers, architects, and organizations about the most critical security flaws. The top 10 security vulnerabilities as per the OWASP Top 10 [2] (https://owasp.org/www-project-top-ten/) are:

• SQL Injection

• Cross-Site Scripting

• Broken Authentication and Session Management

• Insecure Direct Object References

• Cross-Site Request Forgery

• Security Misconfiguration

• Insecure Cryptographic Storage

• Failure to restrict URL Access

• Insufficient Transport Layer Protection

• Unvalidated Redirects and Forwards

1.4 Common Web Vulnerabilities

1.4.1 Injection Attacks

An injection flaw allows for a wide range of attack tactics. An injection issue can exist in any program that will enable users to update a database, run a shell command, or make an operating system call. An interpreter is computer software that accepts a command, creates an instruction, and executes it within the application. Malicious actors use injection issues to modify instructions, resulting in new and unexpected activities within the program. Attackers can use these weaknesses to create, read, update, or destroy data.

Code Injection

Malicious code is traditionally defined as code that is written with the intent of causing harm [3].

Malicious code is commonly thought of in terms of viruses, malware, and ransomware. It may also refer to code that allows individuals to obtain remote access to a computer through a backdoor inside an application. A lack of secure coding techniques can cause application backdoors. These code flaws, albeit unintentional, leave the online application insecure. Furthermore, because modern programs usually copy and paste code from one area to another, a mistake in one source might result in the same dangerous code being used in several apps. Some web apps make operating system calls to interface with the OS or the hardware. OS calls include functions for process control, which monitor applications' operation and termination; file management, which gives applications access to system files; device management, which requests and manages hardware resources; information management and maintenance, which keeps data updated; and inter-process communication, which coordinates operations. Users end up providing unvalidated inputs via insecure OS command calls. In other words, malicious actors can take an OS command call and add query notation to acquire vital information on how to attack the application.

SQL Injection

SQL (Structured Query Language) is a computer language that allows you to interface with databases and retrieve and manipulate data in relational databases. Hackers have devised methods to insert their SQL instructions into databases using Structured Query Language, a standard database query language used to manage and direct information on applications. These instructions have the potential to modify, steal, or destroy data, as well as give the hacker access to the root system. SQL is used to handle the data on many of the servers that store essential data for websites and services. An SQL injection attack [4] is a type of attack that uses malicious code to trick the server into divulging information it wouldn't ordinarily reveal.

This is a concern if the server contains sensitive consumer information from the website or online application, such as credit card numbers, usernames, passwords, or other personally identifiable information, all of which are attractive targets for an attacker. Successful SQL injection attacks occur when a susceptible application fails to properly sanitize user input, that is, fails to take out anything that looks like SQL code. For example, if an application is vulnerable to an injection attack, an attacker might write code into a website's search box that would tell the site's SQL server to dump all of the site's stored usernames and passwords. SQL injection is part of the broader category of unvalidated user inputs. When hackers submit queries that they know are malformed, the web application responds with an error message that tells them about the database's structure and security.
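The following is an added example (not part of the unit) contrasting the vulnerable string-building query the text describes with a parameterized query, using Python's built-in sqlite3 module over a constructed in-memory table. It also shows the second point made above: a malformed input makes the engine raise an error whose message, if echoed back, reveals structure. The table and user rows are constructed sample data.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def find_user_vulnerable(conn, term):
    # Vulnerable: the search term is pasted into the SQL text, so quote
    # characters in the input become part of the query's structure.
    sql = "SELECT username FROM users WHERE username = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, term):
    # Fixed: a bound parameter is delivered to the engine as data only,
    # whatever characters it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def find_user_vulnerable_with_error(conn, term):
    # A malformed input makes the concatenated query fail; returning the
    # engine's message to the client is the information leak the text warns of.
    try:
        return find_user_vulnerable(conn, term), None
    except sqlite3.Error as exc:
        return [], str(exc)


def demo():
    conn = make_db()
    tautology = "' OR '1'='1"   # constructed probe input
    broken_quote = "alice'"     # constructed malformed input
    return {
        "vulnerable": find_user_vulnerable(conn, tautology),
        "safe": find_user_safe(conn, tautology),
        "normal": find_user_safe(conn, "alice"),
        "error": find_user_vulnerable_with_error(conn, broken_quote)[1],
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns every row for the tautology input because the quote closes the literal early; the parameterized lookup returns nothing for the same input because the whole string is compared as a username. The error string should be logged server-side and replaced by a generic message in the response.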

Check your progress 1

Note: a) Space is given below for writing your answer.

b) Compare your answer with the one given at the end of the Unit.

i) Describe code injection. What purpose can this attack serve?

ii) What do you understand by SQL injection? Give at least five examples of SQLi.

………

1.4.2 Cross-Site Attacks

Cross-Site Scripting

An attacker uses a SQL injection attack to target a susceptible website's stored data, such as user passwords or sensitive financial information. However, if the attacker prefers to attack a website's visitors directly, they may use a cross-site scripting attack. Like a SQL injection attack, a Cross-Site Scripting (XSS) attack involves inserting malicious code into a website or web-based program. In this case, however, the malicious code injected by the attacker executes only in the user's browser when they visit the targeted website, and it directly targets the visitor.

Injecting malicious code into an input field is one of the most popular methods by which an attacker might launch a cross-site scripting attack; the code is then executed automatically when other users view the infected page. They may, for example, add a link to malicious JavaScript in a blog comment. Cross-site scripting attacks can severely harm an online company's reputation by putting users' information in danger without leaving any evidence that anything nefarious happened. Any sensitive information a user gives to the site or application, such as passwords, credit card information, or other private data, might be hijacked by cross-site scripting without the site's or application's owners even recognizing it. Unlike a CSRF attack, where the attacker typically plants the forged request in an element such as an image, an XSS attack requires the attacker to insert code into the targeted web page itself. The malicious code downloads and executes in the browser when the user opens the web page. The code may, for example, reroute people from a safe site to a dangerous one.
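As an added example (not part of the unit), the snippet below renders a constructed blog comment two ways: pasted straight into the page, and after HTML-escaping with Python's standard `html.escape`. A crude script-tag check shows the difference a browser would see. The comment text is constructed sample input and the `security_headers` function is an assumed helper illustrating a Content-Security-Policy header as a second line of defence.

```python
import html
import re

# Constructed sample comment: a visitor has typed markup into the comment box.
SAMPLE_COMMENT = '<script>alert("xss")</script> nice post'

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def render_unsafe(comment):
    # Vulnerable: user text is placed into the page as-is, so the browser
    # parses any tags it contains as live markup.
    return '<li class="comment">' + comment + "</li>"


def render_safe(comment):
    # Fixed: escape &, <, >, " and ' so the browser displays the text
    # literally instead of interpreting it.
    return '<li class="comment">' + html.escape(comment, quote=True) + "</li>"


def contains_live_script(fragment):
    # Used here only to make the two renderings comparable; a real page
    # should rely on escaping, not on pattern-matching the output.
    return SCRIPT_TAG.search(fragment) is not None


def security_headers():
    # Assumed defence-in-depth headers: a CSP that forbids inline script
    # limits the damage if an escaping bug slips through.
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_COMMENT))
    print(render_safe(SAMPLE_COMMENT))
```

Escaping must happen at output time, in the context where the text is inserted (HTML body here); the same comment placed inside a JavaScript string or a URL attribute would need that context's encoding instead.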

Cross-Site Request Forgery

When a person is compelled to take an unwanted action on a web application they are logged into, this is known as a Cross-Site Request Forgery (CSRF) attack. When the victim is duped into making a malicious request to the web application, the web application has already determined that the victim and their browser are trustworthy, and it performs the action requested by the hacker. This has been used for everything from harmless user pranks to money laundering. Advanced validation mechanisms for everyone who may view pages on a website or app, especially social media or community sites, are one way website owners can reduce their risk of being attacked. They will be able to identify the user's browser and session and verify their legitimacy.

While a hacker can penetrate an application in various ways owing to web application vulnerabilities, there are also various strategies to guard against it. Web application security testing solutions are specifically built to monitor even the most public apps. These scanners lower your chances of being a hacking victim by telling you exactly where to make the adjustments needed for more secure apps. The CSRF attack uses social engineering techniques to persuade a user to update information in an application, such as the user name or password. Unlike malware or cross-site scripting (XSS) attacks, CSRF needs a user to be authenticated to an application that tracks sessions or validates user requests using just session cookies. After the user performs the desired action, the attacker uses the browser to carry out the rest of the attack, such as transferring cash, without the victim being aware. The "purchase now" option on retail websites, for example, is easy to exploit using a CSRF attack, according to OWASP, because the attacker may leverage cookies kept in the browser that preserve the payment data to finish the operation.
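The standard defence against CSRF is a per-session token that the attacker's page cannot read, checked on every state-changing request. The block below is an added example (not from the unit) of a session-bound synchronizer token using only the Python standard library; `handle_transfer` and its dict-shaped `request` are assumed stand-ins for a framework handler, and the session ids are constructed values.

```python
import hashlib
import hmac
import secrets

# Server-side secret generated at startup (constructed here; in production it
# would be loaded from configuration and never sent to the client).
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    # Token = nonce.HMAC(secret, session_id:nonce). Binding to the session id
    # means a token captured from another session is worthless.
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    try:
        nonce, mac = token.split(".", 1)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; the server never stores tokens, it recomputes them.
    return hmac.compare_digest(mac, expected)


def handle_transfer(request, session_id):
    # Assumed handler for a money transfer. The session cookie alone proves
    # who the browser is, not that the user intended this request.
    if request.get("method") != "POST":
        return 405, "method not allowed"          # GET must never change state
    token = request.get("form", {}).get("csrf_token")
    if not verify_csrf_token(session_id, token):
        return 403, "missing or invalid CSRF token"
    return 200, "transfer accepted"


if __name__ == "__main__":
    sid = "sess-123"
    tok = issue_csrf_token(sid)
    print(handle_transfer({"method": "POST", "form": {"csrf_token": tok}}, sid))
    print(handle_transfer({"method": "POST", "form": {}}, sid))
```

A forged request from another site carries the victim's cookie automatically but cannot include a valid `csrf_token`, so it stops at the 403. Setting the session cookie with `SameSite=Lax` or `Strict` is a complementary browser-side control.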

1.4.3 Broken Access & Authentication Control

Broken Access

Users' interactions with data and resources, as well as what they may read and update, are defined by access controls. When a person can interact with data in ways they don't require, there is a broken access control vulnerability. For example, a user who should only be allowed to see payment data can also alter it. Malicious actors exploit this flaw to obtain unauthorized access to systems, networks, and software. They can then elevate their privileges, giving the user ID more access to the ecosystem and potentially jeopardizing data security, integrity, or availability.
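The "view but can also alter" case above comes from checking the wrong action. This added example (not from the unit) models a tiny role-permission table and shows an update handler that only checks the view permission beside one that checks the edit permission; the roles, resources and payment records are constructed.

```python
# Constructed role permissions: a clerk may only view payment records,
# a finance admin may view and edit them.
PERMISSIONS = {
    "clerk": {("payment", "view")},
    "finance_admin": {("payment", "view"), ("payment", "edit")},
}


def is_permitted(role, resource, action):
    # Deny by default: an unknown role, resource or action yields False.
    return (resource, action) in PERMISSIONS.get(role, set())


def new_store():
    # Constructed payment records.
    return {"p-1": {"amount": 100}, "p-2": {"amount": 250}}


def update_payment_broken(store, role, record_id, amount):
    # Broken: the handler asks "may this role see payments?" and then
    # modifies the record, so every viewer is also an editor.
    if not is_permitted(role, "payment", "view"):
        return "denied"
    store[record_id]["amount"] = amount
    return "updated"


def update_payment_fixed(store, role, record_id, amount):
    # Fixed: the check names the action actually being performed.
    if not is_permitted(role, "payment", "edit"):
        return "denied"
    store[record_id]["amount"] = amount
    return "updated"


if __name__ == "__main__":
    s = new_store()
    print(update_payment_broken(s, "clerk", "p-1", 1))   # "updated" (the bug)
    print(update_payment_fixed(s, "clerk", "p-1", 1))    # "denied"
```

Keeping the permission lookup in one function and naming the exact action at each call site makes the mistake visible in code review: a handler that writes data but asks for "view" stands out.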

Broken Authentication

User access is also a subject of broken authentication issues. Malicious actors, however, breach information that proves a user's identity, such as passwords, keys, or session tokens. Because the organization fails to build up suitable identity and access management rules, the hostile actor acquires unauthorized access to the systems, networks, and software.

1.4.4 Directory Attacks

Directory indexing

All files hosted on a web server are frequently listed in a single directory. When a user seeks a specific file in a web application, the file name is usually included in the request. If the file isn't available, the software may provide a list of all indexed files, allowing the user to select another option. Web servers, however, often index the files automatically. If the application returns a list of all stored files, a malicious actor exploiting weaknesses in the directory index can acquire information that tells them more about the system. For example, it can inform them about naming standards or personal user accounts. Both pieces of information can be used to track down sensitive information or perpetrate credential theft.

Directory traversal

Also called directory climbing, dot-dot-slash, or backtracking attack, the directory traversal method leverages how an application fetches files from the web server. Generally, Access Control Lists (ACLs) limit user access to specific files within a root directory. Consider a set of nested folders in this order: Root directory (/) → Sensitive Data (SD) → Protecting-from-H@X0rs folder (PfH) → My-Password-is-Bad folder (MPiB) → H@X0rs-Stole-My-Info.docx (Word file). Outside of that root folder, you may have an extra set of directories, such as Pictures, Videos, and Downloads. You won't be able to access the content in these other root directories unless you have access to them.
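A file-serving handler stays inside its root by normalising the requested path and then confirming the result is still under the document root. This is an added example (not from the unit) in Python; the root `/srv/app/public` is a placeholder, and the function only computes paths, it does not touch the filesystem, so it runs anywhere.

```python
import os
from urllib.parse import unquote

WEB_ROOT = "/srv/app/public"   # placeholder document root


def resolve_static_path(requested, root=WEB_ROOT):
    """Return the absolute path to serve, or None if the request escapes root."""
    # Decode once so percent-encoded dots and slashes are seen for what they are.
    decoded = unquote(requested)
    # Embedded NUL bytes can truncate paths in lower layers; refuse them outright.
    if "\x00" in decoded:
        return None
    # Drop a leading slash so os.path.join cannot be told to start at '/'.
    relative = decoded.lstrip("/")
    # normpath collapses '.', '..' and repeated separators without I/O.
    candidate = os.path.normpath(os.path.join(root, relative))
    # The decisive check: the normalised path must still lie under root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("images/logo.png", "../../etc/passwd", "..%2F..%2Fsecret.txt"):
        print(req, "->", resolve_static_path(req))
```

Denying on the containment check rather than stripping `../` sequences is what makes this robust: whatever encoding trick reaches the handler, the final normalised path either sits under `WEB_ROOT` or is refused.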

Known vulnerabilities

Every web application is reliant on other components to function. The server, for example, is the component with known vulnerabilities if you're running an application on an unpatched web/application server. The Common Vulnerabilities and Exposures (CVE) list includes all known security flaws.

Because hostile actors are aware of the list, they are always looking for components that haven't received the necessary security patch updates. They can acquire access to the program's data after they breach one web application component.

Credentials management

A user ID and password make up user credentials. The user must enter both pieces of information into the login screen to access an application. This information is compared to information saved in the application's database. If both components match, the user is granted access. Databases, however, frequently keep this information in plaintext or with inadequate encryption. Due to poor credential management, attackers can easily steal credentials and use them to access online apps.

Insufficient logging and monitoring

You have insufficient logging and monitoring vulnerabilities when your event logs fail to capture the information required to avert an attack. Every person, device, and resource creates an event log, which your security team can use to see what's happening in your systems, networks, and apps. Because successful attacks frequently employ vulnerability probing during the reconnaissance stage, gathering the appropriate event log data is a strategy to reduce risk. Standard logging and monitoring weaknesses include failing to collect logs for auditable events such as failed logins or high-value transactions, having no real-time warnings or alerts with proper thresholds and responses, keeping no API logs, not monitoring network traffic for anomalies and abnormal activities, and storing records only locally.

Security misconfiguration

The possibility of a security misconfiguration is one of the most common web application vulnerabilities. This vulnerability is most commonly caused by an organization's failure to update default security settings. Off-the-shelf software, for example, usually comes with a default administrator ID and password. It is considered a security misconfiguration if these are not changed. Typical security misconfigurations include default accounts and passwords, insecure password policies, unpatched OS and application software, inappropriate directory and file configurations, unused components, services, and features, and missing encryption.

XML External Entities (XXE)

The Extensible Markup Language (XML) is a markup language for describing data, such as the contents of a webpage or a database file. XML formatting enables apps to comprehend and uniformly transfer data. You'll need an XML processor to read this information. These automated tools, also known as XML parsers, read files, change the content, update databases, and distribute the material so the application can access it. Web applications that use the XML format to send data between the browser and the server frequently employ APIs to process the data. Storage units are referred to as "entities" in the XML standard. A storage unit that may access local or remote material is referred to as an external entity. XXE vulnerabilities arise from failures to verify the source before accepting or uploading XML data, to disable document type definitions (DTDs), to prefer simpler data formats, or to detect XXE in source code.

1.5 Unique Web Vulnerabilities

To maintain data security and privacy, organizations must protect against these web application vulnerabilities; the section below describes other types of web vulnerabilities.

1.5.1 Carriage Return and Line Feed (CRLF) Injection

Carriage return, commonly written as \r, is a control character that signifies the beginning of a line. A line feed, written as \n, is a control character that marks the end of a line. Like many other pieces of software, each operating system uses its own combination of carriage return and line feed as a line terminator.

When malicious actors introduce CRLF sequences into a web application's input, the injected characters alter how the web application responds to instructions. This may be used either to reveal sensitive information or to run code.

1.5.2 Insecure Cipher Transformation

The arithmetic behind an encryption/decryption process is a cipher, a common word for "encryption algorithm." A transformation is the set of operations applied to an input to get the desired output. A cipher transformation is a sequence of procedures that converts unreadable encrypted data into decrypted data that can be read. With an insecure cipher transformation weakness, the encryption is trivial to crack, which defeats the point of encrypting in the first place.

1.5.3 Cross-Origin Resource Sharing (CORS) Policy

A URL is used by every web-based application to link the user's browser to the server. The Same Origin Policy is a popular kind of protection. The server will only reply to a URL with the same protocol, top-level domain name, and path structure as this one. This implies you may visit both http://my-company.com/page01 and http://my-company.com/page02 since they share properties like the HTTP protocol, the same domain (my-company.com), and the route of the schema of /page<count>.

The Same Origin Policy becomes restrictive when working with web-based applications that need access to resources on subdomains or third parties. By providing a set of authorized HTTP headers that are regarded as "trusted," the CORS policy allows the browser to access these shared resources. An application may, for example, require data from two databases on separate web servers. Creating a specific "permitted" list becomes too much labour when you add additional servers. The organization implements a CORS policy that allows browsers to connect to both servers because the application is "shared" by both. If a CORS policy isn't sufficiently specific, though, the servers may grant access when a malicious actor requests it.

1.5.4 Encapsulation

Encapsulation vulnerability attacks rely on flaws in how the developer designed the application, unlike other vulnerabilities that take advantage of web browser access to apps. Encapsulation is a programming concept that combines data and actions that may be performed on it into a single unit. Encapsulation protects data, which hides specifics about how the code works and results in a better user experience.

Users don't need to know how the app collects data; all they need is access to it. Access restrictions, such as read/write rights, can be bundled with an application's capacity to obtain data. When a user asks for information from the app, it only delivers data that the user has permission to see.

On the other hand, the software has an encapsulation risk if the developers fail to correctly specify the boundaries between the data and the actions conducted across different application regions. Attackers take advantage of this by submitting a request to the application that they know would result in an error message. The error message provides them with knowledge about how the application functions, allowing hackers to carry out additional attacks such as denial of service.

1.5.5 Error handling

Various attack approaches are based on how an application reacts to unusual inputs or situations. When you try to access a website, you may receive an error message such as "404 not found." Error messages are helpful in most corporate apps and systems since they tell you how to remedy a problem. However, in the case of online applications, too much information given in an error message might be used by hostile actors. Frequently, attackers make a query to the web application that they know will result in an error message. This is commonly done during the reconnaissance phase when they strive to gather as much information as possible to uncover exploitable flaws.

1.5.6 Failure to restrict URL access

Like many other web application flaws, this has to do with access control privileges. URL restrictions prevent non-privileged users from accessing confidential data and resources. In a web application, every button click leads to a URL. While clicking the button in the program would be prohibited, typing the URL straight into the browser permits access. Malicious actors can employ "forced browsing" to attack when an application fails to control URL access.

1.5.7 HTTP response splitting

A form of CRLF injection attack is HTTP response splitting. HTTP is the protocol that allows a browser to submit requests and receive results from a server. In an HTTP response splitting attack, malicious actors alter how the browser and server "speak" to one another by sending a request but asking the server to "split" the answer into multiple sections using the CR and LF characters. By splitting the answer into two pieces, the attacker gains control over the data the server provides in response to the second portion of the request. The attack has succeeded when the data obtained is sensitive or user ID data.
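Sections 1.5.1 and 1.5.7 describe the same root cause from two angles: a CR/LF pair in attacker-controlled text ends the header line the server meant to write. The added example below (not from the unit) builds a redirect response the unsafe way and the checked way, and counts header/body boundaries to show the split. The redirect target and the injected text are constructed.

```python
def _header(name, value):
    # Every header value passes through here; a CR or LF means the value
    # would start a new header line or end the header block early.
    if "\r" in value or "\n" in value:
        raise ValueError(f"control characters not allowed in header {name!r}")
    return f"{name}: {value}\r\n"


def build_redirect_unsafe(target):
    # Vulnerable: the caller-supplied target is concatenated straight into
    # the Location line.
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + target + "\r\n"
            "Content-Length: 0\r\n"
            "\r\n")


def build_redirect_safe(target):
    # Fixed: refuse any target that cannot be expressed as a single header line.
    try:
        location = _header("Location", target)
    except ValueError:
        return ("HTTP/1.1 400 Bad Request\r\n"
                "Content-Length: 0\r\n"
                "\r\n")
    return "HTTP/1.1 302 Found\r\n" + location + "Content-Length: 0\r\n\r\n"


def count_message_boundaries(raw):
    # One well-formed response has exactly one blank line ending its headers.
    return raw.count("\r\n\r\n")


# Constructed input: a redirect parameter carrying an embedded CRLF CRLF
# followed by text that a browser would treat as a second response body.
INJECTED_TARGET = "/home\r\n\r\n<html>injected</html>"


if __name__ == "__main__":
    print(count_message_boundaries(build_redirect_unsafe(INJECTED_TARGET)))
    print(build_redirect_safe(INJECTED_TARGET))
```

The unsafe builder yields two header/body boundaries from one call, which is the "split" the section describes; the checked builder never emits the second one because `_header` rejects the value. Centralising header emission in one function is the practical fix: individual handlers cannot forget the check.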

1.5.8 HTTP verb tampering

Programmers use the HTTP protocol to reply to requests and retrieve data. When asking the server, an HTTP verb is one of several options available to the application. Most online applications employ HTTP verbs to authenticate users and control access privileges. Malicious actors can get through authentication and access measures that keep confidential data safe. Common HTTP verbs include:

• GET: retrieves data from the specified source

• HEAD: requests preview of a specified resource

• POST: submits entity to specified resources, such as editing data

• PUT: transmits new data to the specified resource replacing the old information

• DELETE: deletes the specified resource entirely
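Verb tampering works when the authorization rule is written per method instead of per resource. The added example below (not from the unit) shows an access check that only guards GET and POST on an admin path, beside one that applies to every method and rejects verbs it does not know. The path prefix and roles are constructed.

```python
ADMIN_PREFIX = "/admin/"
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE"}


def is_authorized_broken(method, path, role):
    # Broken: the rule names two verbs, so a HEAD, PUT, DELETE or a made-up
    # verb to the same URL is never compared against the role at all.
    if path.startswith(ADMIN_PREFIX) and method in ("GET", "POST"):
        return role == "admin"
    return True


def is_authorized_fixed(method, path, role):
    # Fixed: unknown verbs fail closed, and the rule is about the resource,
    # so it applies to every method that reaches it.
    if method not in KNOWN_METHODS:
        return False
    if path.startswith(ADMIN_PREFIX):
        return role == "admin"
    return True


def audit_rules(check, path, role):
    # Helper for the reader: which verbs does the given check let through?
    probes = sorted(KNOWN_METHODS | {"TRACE", "FOO"})
    return [m for m in probes if check(m, path, role)]


if __name__ == "__main__":
    print("broken:", audit_rules(is_authorized_broken, "/admin/users", "guest"))
    print("fixed: ", audit_rules(is_authorized_fixed, "/admin/users", "guest"))
```

The audit helper makes a useful unit test in a real code base: for any protected path, the list of verbs a guest can use should be empty.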

1.5.9 Improper certificate validation

SSL certificates link a corporation and its location to a domain, server, or host name. MY-Company.com, for example, installs SSL certificate data files on its US site servers. When a browser requests data from a US web server, the SSL certificate verifies that the user's browser is communicating with the authorized owner. If the answer is yes, the two are securely connected. An improper certificate validation vulnerability exists when an app refuses to validate or wrongly verifies the certificate. Attackers build a fictitious trusted entity that convinces the server or application that the certificate is valid, allowing the data transmission to proceed. Malicious actors frequently leverage faulty certificate validation flaws to infect endpoints with malware.
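In client code the flaw is almost always a verification setting that was switched off to make a test pass. The added example below (not from the unit) builds a TLS client context the wrong way and the right way with Python's standard `ssl` module, and an audit function that reports which settings are unsafe; no network connection is made.

```python
import ssl


def client_context_insecure():
    # The "works in the lab" configuration: no chain check and no hostname
    # check, so any certificate, including a forged one, is accepted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def client_context_secure():
    # create_default_context loads the system trust store and enables both
    # chain verification and hostname matching.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of problems; an empty list means the context is acceptable."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        problems.append("check_hostname is off")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum_version below TLS 1.2")
    return problems


if __name__ == "__main__":
    print("insecure:", audit_context(client_context_insecure()))
    print("secure:  ", audit_context(client_context_secure()))
```

`audit_context` is the kind of check worth running over every context an application creates at startup, so a verification flag turned off during debugging cannot ship silently.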

1.5.10 Insecure cryptographic storage

Encrypting data before storing it is a standard best practice for preventing unwanted access to or use of sensitive material. Encryption takes data in a legible format, such as plain text, and scrambles it using mathematical techniques, rendering it unreadable. Encryption normally requires a key, the secret value the algorithm uses to transform the data and later to decrypt it. However, the protection is rendered useless if the encryption key is discovered. An insecure cryptographic storage vulnerability implies issues like no encryption of critical data, improper key management and storage, use of breakable encryption algorithms, and non-standard, internally built, untested storage security.
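For stored passwords specifically, the right protection is not encryption with a key at all but a slow, salted one-way hash, so there is no key to lose. The added example below (not from the unit) uses PBKDF2-HMAC-SHA256 from the Python standard library and stores the parameters with the digest; the iteration count is an assumed value to be tuned to current guidance and hardware.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000            # assumed work factor; raise as hardware improves
ALGORITHM = "pbkdf2_sha256"


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, salt=None):
    # Each record carries algorithm, iteration count, salt and digest, so the
    # parameters can be raised later without invalidating existing records.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS), _b64(salt), _b64(digest)])


def verify_password(password, stored):
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False                          # malformed record
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison avoids leaking where the digests first differ.
    return hmac.compare_digest(candidate, expected)


def store_plaintext(password):
    # The insecure pattern the section describes, kept only for contrast:
    # the stored record is the secret itself.
    return password


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

A fresh random salt per record is what stops one precomputed table from covering every user; the iteration count is what makes each guess expensive for an attacker who has already stolen the table.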

1.5.11 Insecure deserialization

Applications process complex data structures. Serialization transforms these structures into objects that can be efficiently stored and transmitted. For example, think about the different actions that go into making aloo paratha:

• Gather dough made of wheat flour

• Either boil the potatoes in a pressure cooker or cook them in a pan

• Peel and chop the boiled potatoes

• Next, mash the potatoes, and ensure there are no lumps, chunks, or bits

• Add ingredients and spices such as finely chopped green chilies, garam masala powder, Kashmiri red chili powder, mango (amchur) powder or lemon juice, and salt according to taste

• Now mix the mashed potatoes along with the spices, powders, and chilies

• Add 2 cups whole wheat flour and knead into a smooth

• Pinch two small balls from the dough.

• Flatten them and dust them with whole wheat flour.

• Roll them into rounds roughly 5-6 inches in diameter.

• Try making both discs the same size.

• On one disc, place the potato stuffing in the center, keeping about 1 inch of space from the sides.

• Press and seal the edges with your fingertips.

• Dust some flour on the stuffed aloo ka paratha and start rolling.

• Roll the paratha into a round about 7 to 8 inches in diameter.

• Put it on a hot tawa and cook with oil.

These things must happen as part of the paratha-making process, although they do not have to occur in this order. It can be time-consuming to write down and deliver these data items, such as unique texts, every time someone asks for an aloo paratha. Similar to serialization, you'd probably group them in a document called 'Aloo Paratha Recipe' that you provide when someone asks. Like deserialization, when a person views the document, they can see each data point. Deserialization is reassembling the expanded data structure from its serialized form. A deserialization vulnerability is one of the most significant attack types, allowing hostile actors to modify the application logic or execute code remotely.
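The remote-code-execution risk arises when the deserializer will reconstruct any type the byte stream names. The added example below (not from the unit) shows the two standard mitigations in Python: a restricted unpickler that only permits an explicit allowlist of classes, and a plain JSON round-trip for data that needs no objects at all. The recipe dictionary is constructed sample data, and the `datetime.date` object stands in for an unexpected type rather than anything harmful.

```python
import io
import json
import pickle
from collections import OrderedDict
from datetime import date


class RestrictedUnpickler(pickle.Unpickler):
    # Only these module/name pairs may be reconstructed; the stream cannot
    # name any other callable, which is what code-execution payloads rely on.
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def restricted_loads(data):
    """Return ("ok", obj) or ("rejected", reason)."""
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


def json_roundtrip(obj):
    # Preferred for plain data: JSON can only ever produce dicts, lists,
    # strings, numbers, booleans and null.
    return json.loads(json.dumps(obj))


# Constructed sample payloads (pickled locally, not received from a client).
RECIPE = {"dish": "aloo paratha", "steps": ["boil", "mash", "stuff", "roll", "cook"]}


def sample_plain():
    return pickle.dumps(RECIPE)


def sample_allowed_class():
    return pickle.dumps(OrderedDict(dish="aloo paratha"))


def sample_unexpected_class():
    # A harmless type that is nonetheless not on the allowlist.
    return pickle.dumps(date(2023, 1, 1))


if __name__ == "__main__":
    print(restricted_loads(sample_plain()))
    print(restricted_loads(sample_unexpected_class()))
    print(json_roundtrip(RECIPE))
```

`find_class` is consulted for every global the stream references, so the allowlist, not a denylist, is the control; anything the application does not expect is refused before it is constructed.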

1.5.12 Insecure digest

An insecure message-digest vulnerability is another cryptographic flaw that affects encryption's efficacy. A message digest is produced by a cryptographic hash function, the technique that converts any amount of data to a fixed-size bit array, allowing data to be stored more compactly. Hash functions, unlike encryption, do not require the sender and user to have keys. In a "hash collision attack," malicious actors exploit weak digest flaws. The purpose of the attack is to check whether submitting an input causes a duplicate hash to be generated. If attackers can find an input sharing a hash, they can exploit it to offer a malicious file for download, leading the end user to believe the file is legitimate.

1.5.13 Insecure direct object references

Also referred to as IDOR, it is the format or pattern to lead visitors to backend storage locations that can be exposed via web application URLs. A URL, for example, might be used to provide the format/pattern for a record identifier in a storage system like a database or file system. IDOR may be a low-risk problem on its own. IDOR, combined with a failed access control check, on the other hand, allows attackers to conduct enumeration attacks successfully.

1.5.14 Insufficient session expiration

Session timeout is when an application automatically logs a user out after being idle for a specified time. When an application is idle and open, attackers look to steal the credentials associated with the account. Examples of insufficient session expiration issues include the absence of a session timeout or unnecessarily long session timeouts, and the inability to trace session creation and destruction for analyzing application process trends.
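The added example below (not from the unit) is a minimal server-side session store that enforces both an idle timeout and an absolute lifetime, and records creation and destruction so they can be traced. The timeout values are assumed policy numbers, and the store takes an injectable clock so the expiry logic can be exercised without waiting.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # assumed: log out after 15 minutes without activity
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumed: never keep a session longer than 8 hours


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}
        self.audit = []          # (event, session_id, user, timestamp)

    def create(self, user):
        # 256 bits of randomness from the OS CSPRNG; never a counter or a user id.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        self.audit.append(("create", sid, user, now))
        return sid

    def lookup(self, sid):
        """Return the user for a live session, or None (and destroy it) if expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            self.destroy(sid, reason="expired")
            return None
        s["last_seen"] = now            # activity extends the idle window only
        return s["user"]

    def destroy(self, sid, reason="logout"):
        s = self._sessions.pop(sid, None)
        if s is not None:
            self.audit.append((reason, sid, s["user"], self._clock()))
        return s is not None

    def live_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(store.lookup(sid), store.audit)
```

The absolute limit matters even for an active user: it bounds how long a stolen session id remains usable, whereas the idle limit only covers the abandoned-screen case the section describes.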

1.5.15 Insufficient transport layer protection

TLS (Transport Layer Security) is how computer applications on the internet securely "talk" to one another. Some apps employ TLS only for authentication, exposing data and session ID information when users interact with the app. Attackers can leverage this flaw to intercept data as it travels over the internet between the user's device and the application server.

1.5.16 Lightweight Directory Access Protocol (LDAP) injection

The LDAP protocol allows applications to communicate with directory service servers that hold user IDs, passwords, and account information. When a program builds an LDAP query from user input and executes it, attackers can supply input containing filter metacharacters that changes the meaning of the query, for instance to log in without a valid password or to list every entry in the directory. Common coding weaknesses behind LDAP injection include binding to the directory with an administrative account, building filters by string concatenation with no dynamic check on the input, no constraint on the output returned, and no static code analysis of the query-building code.
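
The following Python example is added here for illustration and is not part of the unit's text. It shows a login filter built by string concatenation next to one built with the escaping rules of RFC 4515, and a small check that counts how many top-level filters a server would actually receive. The uid and userPassword attributes and the filter shape are assumptions; no directory server is contacted.

```python
"""Added example (not from the unit): LDAP filter escaping per RFC 4515."""

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape every metacharacter so the value can only ever be data."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def login_filter_insecure(username: str, password: str) -> str:
    # untrusted input dropped straight into the filter (assumed attribute names)
    return f"(&(uid={username})(userPassword={password}))"


def login_filter(username: str, password: str) -> str:
    u, p = escape_filter_value(username), escape_filter_value(password)
    return f"(&(uid={u})(userPassword={p}))"


def count_top_level_filters(flt: str) -> int:
    """How many separate filters the server would see; a legitimate request has one."""
    depth, count = 0, 0
    for ch in flt:
        if ch == "(":
            if depth == 0:
                count += 1
            depth += 1
        elif ch == ")":
            depth -= 1
    return count


if __name__ == "__main__":
    payload = "*)(uid=*))(|(uid=*"            # constructed injection input
    print(login_filter_insecure(payload, "x"))
    print(login_filter(payload, "x"))
```

With the constructed input the concatenated version becomes (&(uid=*)(uid=*))(|(uid=*)(userPassword=x)), two filters of which the first matches every user; the escaped version keeps the whole string inside the uid value.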

1.5.17 Missing function level access control

Function level access controls define the actions a user may perform once they have authenticated to an application, for example which URLs they may access. Consider www.insecure-web-app.com/generic-user-name/read and www.insecure-web-app.com/Super-Ad...: the Generic Username may read files in this application, whereas the Super Admin user may update them. If the only thing that separates the two is the URL, nothing actually enforces the privilege, because the access right is encoded in the URL rather than checked on the server. An unauthenticated or non-administrative user might simply type the administrative URL hoping to gain administrative access. The lack of function level access control at www.insecure-web-app.com/SuperAd... means that the malicious actor no longer has to authenticate as an administrator and may remove data.
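
The following Python example is added here for illustration and is not part of the unit's text. It serves both 1.5.13 (insecure direct object references) and 1.5.17 (missing function level access control): the vulnerable handlers trust the identifier in the request and the URL path, while the fixed handlers check ownership and role on the server for every call. The invoice records, the user roles and the read and delete operations are assumptions made for the demonstration.

```python
"""Added example (not from the unit): object-level and function-level checks."""

INVOICES = {  # constructed sample data: invoice id -> (owner, amount)
    1001: ("alice", 120.0),
    1002: ("bob", 75.5),
    1003: ("alice", 9.99),
}
ROLES = {"alice": "user", "bob": "user", "root": "admin"}  # constructed


class Forbidden(Exception):
    pass


# --- vulnerable: the identifier alone decides what is returned (IDOR) -------
def get_invoice_insecure(current_user: str, invoice_id: int):
    return INVOICES[invoice_id]              # never looks at who is asking


# --- vulnerable: reachable by anyone who knows the admin URL ---------------
def delete_invoice_insecure(current_user: str, invoice_id: int) -> None:
    del INVOICES[invoice_id]


# --- fixed: ownership is checked on the server for every object ------------
def get_invoice(current_user: str, invoice_id: int):
    owner, amount = INVOICES[invoice_id]
    if owner != current_user and ROLES.get(current_user) != "admin":
        raise Forbidden(f"{current_user} may not read invoice {invoice_id}")
    return owner, amount


# --- fixed: the function itself checks the caller's role -------------------
def require_role(role: str):
    def decorator(fn):
        def wrapper(current_user, *args, **kwargs):
            if ROLES.get(current_user) != role:
                raise Forbidden(f"{current_user} lacks role {role}")
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def delete_invoice(current_user: str, invoice_id: int) -> None:
    del INVOICES[invoice_id]


def enumerate_ids(current_user: str, start: int, stop: int, reader) -> list:
    """What an attacker's enumeration loop yields: the ids `reader` lets them read."""
    readable = []
    for i in range(start, stop):
        if i not in INVOICES:
            continue
        try:
            reader(current_user, i)
            readable.append(i)
        except Forbidden:
            pass
    return readable
```

Against the insecure reader, bob's enumeration loop returns every invoice; against the fixed one it returns only his own, and the delete function refuses him regardless of which URL he typed.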

1.5.18 Missing PT_DENY_ATTACH

Although this vulnerability is more particular and technical than other web application vulnerabilities, it is becoming more critical as businesses develop more mobile applications. A debugger is a program that assists programmers in locating faults in their code; developers use debuggers to find and fix problems before they cause downtime. Malicious actors, on the other hand, can use the same debuggers to determine how the application works and develop ways to exploit it. Process trace (ptrace) is a system call used by various debuggers and code analysis tools, and ptrace calls allow those tools to inspect and manipulate their targets. For iOS mobile applications, calling ptrace with the PT_DENY_ATTACH request stops debuggers from attaching to the process. A missing PT_DENY_ATTACH call leaves an iOS mobile application open to attackers who attach with ptrace to inspect and tamper with it at run time. PT_DENY_ATTACH is an anti-debugging measure rather than a security boundary: on a jailbroken device the call can be patched out or hooked, so it raises the cost of analysis but does not prevent it.

1.5.19 Race condition

Web application processes typically rely on activities performed in a specific order to accomplish a goal.

Click the Word icon, wait for the Word application to open, then click Open File. Wait for the file storage locations to appear, then browse to and click the appropriate file. Wait for the file to open, edit the Word document, then Save and Exit.

These steps must be completed in exactly this sequence to write to a Word document. Application activities, however, are frequently more complicated and must be faster, so they are implemented as multi-threaded, asynchronous operations: when you and a coworker edit a document on a shared drive at the same time, for example, the application has to process both sets of changes concurrently. This is where race condition vulnerabilities come into play. Web applications that have been coded incorrectly may include logic that accounts for asynchronous operations but lacks the locking or atomicity controls needed to keep a check and the action that depends on it together. Malicious attackers can then influence the timing of operations, for example by sending many requests at once, throwing the sequence off and producing unexpected, sometimes deliberately engineered, application behaviour such as redeeming a single-use coupon more than once.
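
The following Python example is added here for illustration and is not part of the unit's text. It reproduces a check-then-act race on a single-use coupon: two concurrent requests both pass the "is it unused?" check before either marks the coupon as used. The coupon store and the pause hook are assumptions for the demonstration; the hook stands in for the database or network latency between the check and the update that an attacker exploits by firing requests simultaneously.

```python
"""Added example (not from the unit): a check-then-act race and its fix."""
import threading


class CouponStore:
    def __init__(self, codes):
        self.unused = set(codes)
        self.redeemed = []               # one entry per successful redemption
        self._lock = threading.Lock()

    def redeem_racy(self, code: str, pause=lambda: None) -> bool:
        if code in self.unused:          # check ...
            pause()                      # ... window in which another request runs ...
            self.unused.discard(code)
            self.redeemed.append(code)   # ... act: every request that passed the check lands here
            return True
        return False

    def redeem_safe(self, code: str, pause=lambda: None) -> bool:
        with self._lock:                 # check and act form one critical section
            ok = code in self.unused
            if ok:
                self.unused.discard(code)
                self.redeemed.append(code)
        pause()                          # latency after the decision changes nothing
        return ok


def race(store: CouponStore, method_name: str, code: str, requests: int = 2) -> int:
    """Fire `requests` concurrent redemptions of `code`; return how many succeeded."""
    barrier = threading.Barrier(requests)
    results = []
    method = getattr(store, method_name)

    def worker():
        # the barrier forces every request to reach the pause point before any continues,
        # i.e. the worst-case interleaving an attacker is trying to hit
        results.append(method(code, pause=lambda: barrier.wait(timeout=5)))

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    print("racy:", race(CouponStore(["SAVE10"]), "redeem_racy", "SAVE10"))
    print("safe:", race(CouponStore(["SAVE10"]), "redeem_safe", "SAVE10"))
```

In a real application the lock is usually provided by the database (a transaction with SELECT ... FOR UPDATE, or a single conditional UPDATE that both checks and marks the row), so that the check and the update cannot be separated by another request.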

1.5.20 Remote code execution (RCE)

RCE vulnerabilities are web application coding errors that allow malicious actors to run code of their choosing on the server from wherever they are. RCEs are a subset of web application injection vulnerabilities: malicious actors inject their code into an application that does not validate user input, and the server treats it as legitimate application code and executes it. In most cases, attackers take advantage of well-known unpatched vulnerabilities to inject their code into the application.

1.5.21 Remote file inclusion (RFI)

To reuse code or templates, developers use 'include' statements that pull another file into the running script. Rather than hard-coding a separate fetch for every file, an application may build the path to include from a request parameter such as a page name, and in some runtimes the included path may even be a URL. If that path is built from untrusted input, a malicious actor can point the include at a file they host and have the web server execute its contents, which is a remote file inclusion (RFI) vulnerability; the attacker's code then runs on the server and can upload malware or malicious code to the website, server, or database.
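
The following Python example is added here for illustration and is not part of the unit's text. It shows an include resolver that takes the page name straight from the request beside one that maps the name onto a fixed set of local template files and refuses URLs and paths that leave the template directory. The templates directory, the page names and the page parameter are assumptions; the files are created in a temporary directory so the example runs offline.

```python
"""Added example (not from the unit): resolving an include name from a request parameter."""
import os
import tempfile
from urllib.parse import urlsplit


class IncludeError(Exception):
    pass


def resolve_include_insecure(base_dir: str, page: str) -> str:
    # whatever the parameter says: '../../etc/passwd' or 'http://host/shell.txt'
    return page if urlsplit(page).scheme else os.path.join(base_dir, page)


def resolve_include(base_dir: str, page: str, allowed=("home", "about", "contact")) -> str:
    """Map an untrusted page name onto one of a fixed set of local files."""
    if urlsplit(page).scheme:                     # never include from a URL
        raise IncludeError("remote includes are not permitted")
    if page not in allowed:                       # allow-list of names, not a deny-list
        raise IncludeError(f"unknown page {page!r}")
    path = os.path.realpath(os.path.join(base_dir, page + ".html"))
    base = os.path.realpath(base_dir)
    if os.path.commonpath([base, path]) != base:  # defence in depth: stay under base
        raise IncludeError("path escapes the template directory")
    return path


def make_templates() -> str:
    """Constructed template directory for the demonstration."""
    base = tempfile.mkdtemp(prefix="tpl-")
    for name in ("home", "about", "contact"):
        with open(os.path.join(base, name + ".html"), "w") as f:
            f.write(f"<h1>{name}</h1>")
    return base


def render(base_dir: str, page: str) -> str:
    with open(resolve_include(base_dir, page)) as f:
        return f.read()


if __name__ == "__main__":
    base = make_templates()
    print(render(base, "about"))
    print(resolve_include_insecure(base, "http://attacker.example/shell.txt"))
```

The allow-list is the real control; the realpath check only guards against a future change that lets richer names through.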

1.5.22 Sensitive Data Exposure

Unlike a data breach in which a cybercriminal steals information, sensitive data exposure vulnerabilities leave information visible to anyone who looks. Typical causes include obsolete SSL/TLS versions used to authenticate and encrypt connections, misconfigured cloud storage locations that leave data stored and transmitted in plaintext, weak encryption algorithms, and the use of default or invalid cryptographic keys.

1.5.23 Session ID leakage

When users use a web application, session IDs are the unique identifiers that authenticate them and track their activity. Common ways a session ID leaks include:

- Storing the session ID in the query string. A URL that carries the session ID is written to browser history, proxy and server logs, and Referer headers, and sharing such a URL lets the recipient inherit the session without having to authenticate again.

- Sending the session cookie over unencrypted HTTP. Cookies are the small data items that let a web server recognise a browser; if the cookie carrying the session ID travels over plain HTTP, or is missing the Secure and HttpOnly attributes, an attacker on the network or an injected script can steal the ID and impersonate the user.
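
The following Python example is added here for illustration and is not part of the unit's text. It issues the session ID in a cookie carrying the Secure, HttpOnly and SameSite attributes, audits an existing Set-Cookie header for those attributes, and checks whether an outgoing URL carries a session ID in its query string. The cookie name sid and the sample URLs are assumptions for the demonstration.

```python
"""Added example (not from the unit): session cookie attributes and URL leak check."""
from http import cookies
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "sid"        # assumed cookie name


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value that keeps the ID off plain HTTP and away from page scripts."""
    c = cookies.SimpleCookie()
    c[SESSION_COOKIE] = session_id
    c[SESSION_COOKIE]["secure"] = True       # only sent over HTTPS
    c[SESSION_COOKIE]["httponly"] = True     # not readable via document.cookie
    c[SESSION_COOKIE]["samesite"] = "Lax"    # not sent on cross-site POSTs
    c[SESSION_COOKIE]["path"] = "/"
    return c[SESSION_COOKIE].OutputString()


def cookie_findings(set_cookie_value: str) -> list:
    """Audit a Set-Cookie header; empty list means the session cookie is fine."""
    c = cookies.SimpleCookie()
    c.load(set_cookie_value)
    if SESSION_COOKIE not in c:
        return []
    morsel = c[SESSION_COOKIE]
    findings = []
    if not morsel["secure"]:
        findings.append("missing Secure: ID is sent over plain HTTP")
    if not morsel["httponly"]:
        findings.append("missing HttpOnly: ID readable by injected script")
    if not morsel["samesite"]:
        findings.append("missing SameSite: cookie rides along on cross-site requests")
    return findings


def url_leaks_session(url: str) -> bool:
    """True if a session ID travels in the query string (logs, Referer, shared links)."""
    query = parse_qs(urlsplit(url).query)
    return any(k.lower() == SESSION_COOKIE or "sess" in k.lower() for k in query)


if __name__ == "__main__":
    hdr = session_cookie_header("abc123")
    print(hdr)
    print(cookie_findings("sid=abc123; Path=/"))
    print(url_leaks_session("https://app.example/report?sid=abc123"))
```

Rotating the ID on login (issuing a fresh cookie after authentication) is the usual companion to these attributes; it stops a session fixed before login from being reused afterwards.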

1.5.24 Unrestricted File Upload

Uploading files is a common feature in web applications. For example, you might upload a CSV file to a database if you wish to input data in bulk. An unrestricted file upload vulnerability arises when the application does not control who may upload (missing authentication or authorization) or what may be uploaded: it fails to validate the file's name, extension, type, size and content before storing it, and may store it where the web server will execute it. Bad actors can then submit infected files, a server-side script disguised as an image, a file whose name traverses out of the upload directory, or a document that hides malware in macros.
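
The following Python example is added here for illustration and is not part of the unit's text. It shows the server-side checks for an image upload: size limit, allow-listed extension, declared content type, leading bytes that match the claimed format, and storage under a random name so the client controls nothing about the path. The allowed types, size limit, magic-byte table and upload directory are assumptions for the demonstration; the sample uploads are constructed in the tests.

```python
"""Added example (not from the unit): validating and storing an uploaded image."""
import os
import secrets
import tempfile

MAX_BYTES = 2 * 1024 * 1024                      # assumed size limit
# extension -> (content type the client must declare, bytes the file must start with)
ALLOWED = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
}


class UploadRejected(Exception):
    pass


def validate_upload(filename: str, declared_type: str, data: bytes) -> str:
    """Return the permitted extension for this upload, or raise UploadRejected."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    base = os.path.basename(filename.replace("\\", "/"))   # drop any directory part
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:                                 # allow-list, so .php/.phtml/.htaccess never pass
        raise UploadRejected(f"extension {ext!r} not allowed")
    expected_type, magic = ALLOWED[ext]
    if declared_type != expected_type:
        raise UploadRejected("declared content type does not match extension")
    if not data.startswith(magic):                         # check content, not just the name
        raise UploadRejected(f"file content is not a valid {ext}")
    return ext


def store_upload(upload_dir: str, filename: str, declared_type: str, data: bytes) -> str:
    """Validate, then write under a random server-chosen name; return the path."""
    ext = validate_upload(filename, declared_type, data)
    path = os.path.join(upload_dir, secrets.token_hex(16) + ext)
    with open(path, "wb") as f:
        f.write(data)
    return path


def make_upload_dir() -> str:
    """Constructed upload directory (outside any web root) for the demonstration."""
    return tempfile.mkdtemp(prefix="uploads-")


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32          # constructed minimal PNG prefix
    print(store_upload(make_upload_dir(), "../../avatar.png", "image/png", png))
```

The upload directory should additionally sit outside the document root or be served with script execution disabled, so that even a file that slips through every check is never run by the server.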

1.5.25 Unvalidated automatic library activation

To save time while coding, developers leverage third-party libraries, which lets them reuse pre-tested code and speeds up development. However, publicly available open-source code adds security concerns: projects get abandoned and are no longer updated, a lack of documented ownership increases the chance of malicious code being introduced, and libraries that are pulled into a build automatically are rarely monitored for bug fixes and security updates. This issue grows more widespread as more applications rely on third-party libraries.

1.5.26 Unvalidated redirects and forwards

After a user submits a form, web applications often redirect or forward the user to another page. If your marketing website offers a form for downloading a whitepaper, submitting the form redirects or forwards the user to the "thank you" page. If the destination is taken from a request parameter without validation, malicious actors can craft links whose redirect points to a site they control and use them to phish credentials or steal user data. Frequent contributing factors are a large number of destination pages, storing only part of a URL rather than the whole target, not mapping redirects and forwards to server-side identifiers, passing the raw target rather than an identifier as a request parameter, and failing to filter untrusted URL input.
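
The following Python example is added here for illustration and is not part of the unit's text. It validates the redirect target taken from a request parameter, allowing only same-site paths, and shows the indirection the text recommends: the client sends a short identifier and the server maps it to the real URL. The parameter name, the site's host name and the named targets are assumptions for the demonstration.

```python
"""Added example (not from the unit): validating a 'next' redirect parameter."""
from urllib.parse import urlsplit

SITE_HOSTS = {"www.example-site.test"}                    # assumed host names
# indirection: the client sends an identifier, never a URL
NAMED_TARGETS = {"thanks": "/whitepaper/thank-you", "home": "/"}


def redirect_insecure(next_url: str) -> str:
    return next_url                    # "https://evil.test/login" is accepted as-is


def safe_redirect(next_url: str, default: str = "/") -> str:
    """Allow only same-site paths; anything else falls back to `default`."""
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:          # absolute or protocol-relative URL
        if parts.scheme != "https" or parts.netloc not in SITE_HOSTS:
            return default                    # other host, or user@host tricks
        return parts.path or "/"              # keep only the path of our own URL
    if next_url.startswith("/\\"):            # browsers treat "/\host" like "//host"
        return default
    if not next_url.startswith("/"):          # bare "evil.test/x" or "javascript:" already caught
        return default
    return next_url


def redirect_by_name(target: str, default: str = "/") -> str:
    """Preferred form: look the destination up from a fixed table."""
    return NAMED_TARGETS.get(target, default)


if __name__ == "__main__":
    for candidate in ["/whitepaper/thank-you", "https://evil.test/login", "//evil.test/x"]:
        print(candidate, "->", safe_redirect(candidate))
    print("thanks ->", redirect_by_name("thanks"))
```

Note that a "//evil.test/x" value parses with an empty scheme but a non-empty netloc, which is why the netloc test comes first; checking only that the string does not start with "http" would let it through.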

Check your progress 2

Note a) Space is given below for writing your answer.

b) Compare your answer with the one given at the end of the Unit.

i) What is HTTP Verb? Mention at least five methods involved.

………

………

1.6 Find vulnerabilities in Website

In the ever-changing cybersecurity world, finding and resolving vulnerabilities is essential for website developers. If these flaws are not addressed, attackers can gain access to the website with elevated privileges. Web developers and administrators discover website vulnerabilities using approaches that include the following.

1.6.1 Free vulnerability scanning

An application security scanner is a program that queries an application's exposed interfaces to find security and performance flaws. To detect flaws, these tools rely on databases of known vulnerability signatures and test scripts. Vulnerability scanners examine the user behaviours and system configurations that could assist an attack by simulating various if-then situations. A well-configured passive online security scan aids in examining applications and networks, then generates a list of flaws to be fixed in order of importance. Crashtest Security Suite is a popular and effective scanner that helps enterprises build an end-to-end continuous testing process, making vulnerability detection easier. The online scanner not only detects and reports system flaws but also assists developers in establishing a dependable, repeatable remediation procedure.

1.6.2 Conducting penetration testing

Penetration testing is a proactive security strategy in which security experts try, in a controlled manner, to exploit vulnerabilities such as SQL injection, cross-site scripting and cross-site request forgery. Once vulnerabilities have been found, testers imitate an attacker's behaviour to understand what the attacker could achieve. Security teams use penetration tests to assess the effectiveness of security systems and compliance with security standards. Testers mimic an attacker's process, gaining access to system data through existing vulnerabilities and privilege escalation. They write reports on the test's findings, which are then used to fine-tune security safeguards. Following submission of the penetration test report, it is critical to establish a central repository for identifying, alerting on, and managing security issues. For all stakeholders involved in website security, a threat intelligence framework specifies a repeatable, scalable security incident management methodology. A comprehensive threat intelligence framework helps firms save money by speeding up the response to data breaches. The shared repository contains critical data that can be used as a collaborative knowledge base for ensuring security compliance across the enterprise.

1.7 Aspects to consider when finding Web vulnerabilities

1.7.1 Frequency of vulnerability scans

The frequency of vulnerability scans is decided case by case and depends on several criteria, among them the security strategy, compliance standards, and organizational structure. Scanning websites for vulnerabilities at least once every three months is standard business practice, and a scan after every significant change to the application is advisable. The security team must also analyze the threat environment and corporate security posture and adjust the frequency as needed.

1.7.2 Types of vulnerability scan

Vulnerability-based application scans can be external or internal. The tester carries out internal scans from within the organization's network, usually as an authenticated user. In external scans, the tester has no authorized network access and scans the application from the internet, as an attacker would.

1.7.3 Choosing Vulnerability scanner

The significant features of any vulnerability scanner should include accuracy, scalability, control levels, visibility of the vulnerabilities covered and discovered, reporting and visualization, update frequency, automated scan session management, and compliance with security standards.

1.7.4 Types of Web Application Security Testing

- Dynamic Application Security Testing (DAST): DAST scans a running web application for vulnerabilities that an attacker could exploit, determining which weaknesses are exposed and how an attacker could reach the system from the outside. Because DAST tools do not require access to the application's source code, they can be used to test applications quickly and often.

- Static Application Security Testing (SAST): Unlike DAST, SAST takes an inside-out approach, looking for vulnerabilities in the source code of the web application. Because SAST requires the source code, it can run early in development, on every build, before the application is deployed, although it cannot see flaws that only appear in the deployed configuration.

- Application Penetration Testing: Humans are involved in application penetration testing. To identify exploitable holes, a security expert simulates how an attacker might break into the web application, using their security knowledge and a range of penetration testing tools. If you do not have in-house resources, you may outsource web application penetration testing to a third party.

1.8 Let Us Sum Up

While the significance of secure coding standards cannot be overstated, a thorough vulnerability assessment helps businesses improve their security posture by proactively finding and addressing security flaws. The OWASP Top 10 is a good place to start if you want to tighten your security: it outlines common web application flaws and how to fix them in real-world circumstances. Crashtest Security Suite is a web application scanning platform based on the OWASP Top 10 benchmark and can be downloaded free for fast, automated vulnerability scanning within a development stack.

1.9 Check Your Progress: The Key

1. (i) The exploitation of a computer flaw caused by processing invalid input is known as code injection. An attacker uses injection to insert (or "inject") code into a vulnerable computer program and change its execution path. Successful code injection can have severe consequences, such as allowing computer viruses or worms to spread. A code injection vulnerability arises when an application passes untrusted data to an interpreter. SQL, LDAP, XPath and NoSQL queries, OS commands, XML parsers, SMTP headers, and program arguments are all susceptible to injection. Injection problems are easier to discover by reviewing source code than by testing.

Injection can lead to data loss or corruption, as well as a lack of accountability and access restrictions. Injection can sometimes result in total control of the host. Code injection techniques are widely used to gather information, escalate privileges, or gain illegal access to a system.

Code injection may be used for a variety of malicious objectives, including:

a.) Changing database values arbitrarily using SQL injection. This can have many consequences, from website defacement to significant data breaches.

b.) Using server scripting code to install malware or run malicious code on a server (such as PHP or ASP).

c.) Privilege escalation to root permissions on UNIX by exploiting Shell Injection vulnerabilities in a setuid root binary or on Microsoft Windows by abusing a service.

d.) Using HTML/script injection to attack online users (Cross-site scripting).

(ii) SQL injection is a web security flaw that allows an attacker to interfere with the queries a web application makes to its database. It lets attackers see data they would not normally be able to see, which might include data belonging to other users or any other information the application has access to. In many cases an attacker can modify or delete this data, causing persistent changes to the application's content or behaviour. In some situations an attacker can escalate a SQL injection attack to compromise the underlying server or other back-end infrastructure, or use it to mount a denial-of-service attack. SQL injection vulnerabilities, attacks, and techniques come in many forms. Some common SQL injection examples include:

a.) Retrieving hidden data, where you can modify an SQL query to return additional results.

b.) Subverting application logic, where you can change a query to interfere with the application's logic.

c.) UNION attacks, where you can retrieve data from different database tables.

d.) Examining the database, where you can extract information about the version and structure of the database.

e.) Blind SQL injection, where the results of a query you control are not returned in the application's responses.

2. The hypertext transfer protocol (HTTP) defines a set of methods, often called verbs, for performing actions on a web server. Several of these methods exist mainly to help developers deploy and test HTTP applications during development or debugging, and if the web server is configured incorrectly they can be abused for malicious purposes. HTTP verb tampering tests also look for high-risk issues such as Cross-Site Tracing (XST), a form of cross-site scripting that abuses the server's HTTP TRACE method. HEAD, GET, POST, PUT, DELETE, TRACE, OPTIONS, and CONNECT are examples of HTTP methods.

1.10 References and Further Readings

SiteLock (2022). Cybersecurity and Website Security Reports. https://www.sitelock.com/resources/security-report/, accessed 27 May 2022.

OWASP Foundation (2022). OWASP Foundation, Open Source Foundation for Application Security. https://owasp.org, accessed 27 May 2022.

OWASP Foundation (2022). Code Injection Software Attack. https://owasp.org/www-community/attacks/Code_Injection, accessed 2 June 2022.

W3Schools (2022). SQL Injection. https://www.w3schools.com/sql/sql_injection.asp, accessed 2 June 2022.
