Client-side scripting enables applications to push part of their processing to the client side, and browsers' capabilities can be extended in arbitrary ways using browser extension technologies where necessary.
Common Vulnerabilities:
Broken authentication — This category of vulnerability encompasses various defects within the application's login mechanism, which may enable an attacker to guess weak passwords, launch a brute-force attack, or bypass the login.
Broken access controls — This involves cases where the application fails to properly protect access to its data and functionality, potentially enabling an attacker to view other users' sensitive data held on the server or carry out privileged actions.
SQL injection — This vulnerability enables an attacker to submit crafted input to interfere with the application's interaction with back-end databases. An attacker may be able to retrieve arbitrary data from the application, interfere with its logic, or execute commands on the database server itself.
Cross-site scripting — This vulnerability enables an attacker to target other users of the application, potentially gaining access to their data, performing unauthorized actions on their behalf, or carrying out other attacks against them.
Information leakage — This involves cases where an application divulges sensitive information that is of use to an attacker in developing an assault against the application, through defective error handling or other behavior.
Cross-site request forgery — This flaw means that application users can be induced to perform unintended actions on the application within their user context and privilege level. The vulnerability allows a malicious web site visited by the victim user to interact with the application to perform actions that the user did not intend.
SSL
SSL is an excellent technology that protects the confidentiality and integrity of data in transit between the user's browser and the web server.
It helps defend against eavesdroppers, and it can provide assurance to the user of the identity of the web server he is dealing with. But it does not stop attacks that directly target the server or client components of an application, as most successful attacks do.
Specifically, it does not prevent any of the vulnerabilities just listed, or many others that can render an application critically exposed to attack.
Users Can Submit Arbitrary Input
As with most distributed applications, web applications face a fundamental problem they must address to be secure. Because the client is outside of the application's control, users can submit arbitrary input to the server-side application.
The application must assume that all input is potentially malicious. Therefore, it must take steps to ensure that attackers cannot use crafted input to compromise the application by interfering with its logic and behavior, thus gaining unauthorized access to its data and functionality.
Users can interfere with any piece of data transmitted between the client and the server, including request parameters, cookies, and HTTP headers. Any security controls implemented on the client side, such as input validation checks, can be easily circumvented.
Users can send requests in any sequence and can submit parameters at a different stage than the application expects, more than once, or not at all. Any assumption developers make about how users will interact with the application may be violated.
Crafting Input:
Changing the price of a product transmitted in a hidden HTML form field to fraudulently purchase the product for a cheaper amount
Modifying a session token transmitted in an HTTP cookie to hijack the session of another authenticated user
Removing certain parameters that normally are submitted to exploit a logic flaw in the application's processing
Altering some input that will be processed by a back-end database to inject a malicious database query and access sensitive data
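The hidden-price item above, as an added example that is not from the original text: a checkout handler that trusts the price field the browser sends back, beside one that ignores it and looks the price up server-side. The CATALOG, the SKU values and the form bodies are constructed for the demonstration.

```python
from decimal import Decimal
from typing import Mapping
from urllib.parse import parse_qs

# Constructed server-side catalogue: the authoritative price lives here,
# never in a hidden form field the client can edit.
CATALOG = {
    "SKU-100": Decimal("49.99"),
    "SKU-200": Decimal("199.00"),
}

def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def vulnerable_checkout(form: Mapping[str, str]) -> Decimal:
    """Defect: trusts the hidden 'price' field exactly as the client submitted it."""
    return Decimal(form["price"]) * int(form["qty"])

def hardened_checkout(form: Mapping[str, str]) -> Decimal:
    """Treats every field as untrusted: price comes from the catalogue,
    the product id must exist, and the quantity must be a sane integer."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown product")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity must be an integer")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty

# Constructed request bodies: what the page's form would normally send,
# and the same request with the hidden price field altered.
HONEST_BODY = "sku=SKU-200&price=199.00&qty=1"
TAMPERED_BODY = "sku=SKU-200&price=0.01&qty=1"

def compare(body: str) -> tuple:
    """Return (vulnerable total, hardened total) for one request body."""
    form = parse_form(body)
    return vulnerable_checkout(form), hardened_checkout(form)

def rejects(body: str) -> bool:
    """True when the hardened handler refuses the request outright."""
    try:
        hardened_checkout(parse_form(body))
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    for label, body in (("honest", HONEST_BODY), ("tampered", TAMPERED_BODY)):
        print(label, compare(body))
```

The hardened handler also refuses requests that drop or corrupt parameters, which covers the "removing certain parameters" case in the same list.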
SSL does nothing to stop an attacker from submitting crafted input to the server. If the application uses SSL, this simply means that other users on the network cannot view or modify the attacker's data in transit.
Because the attacker controls her end of the SSL tunnel, she can send anything she likes to the server through this tunnel.
Key Security Problems:
Underdeveloped Security Awareness
Although awareness of web application security issues has grown in recent years, it remains less well-developed than in longer-established areas such as networks and operating systems.
A web application developer's work increasingly involves weaving together tens, or even hundreds, of third-party packages, all designed to abstract the developer away from the underlying technologies.
It is common to meet experienced web application developers who make major assumptions about the security provided by their programming framework.
Custom Development
Most web applications are developed in-house by an organization's own staff or third-party contractors. Even where an application employs well-established components, these are typically customized or bolted together using new code.
In this situation, every application is different and may contain its own unique defects. This stands in contrast to a typical infrastructure deployment, in which an organization can purchase a best-of-breed product and install it in line with industry-standard guidelines.
Deceptive Simplicity
A prominent trend in recent years has been the use of application frameworks that provide ready-made code components to handle numerous common areas of functionality, such as authentication, page templates, message boards, and integration with common back-end infrastructure components.
These products make it quick and easy to create working applications. This also means many companies use the same frameworks. Thus, when a vulnerability is discovered, it affects many unrelated applications.