Web Application Security

Learning Objectives
❑ Realize when, where and why protocol-level security mechanisms are not enough
❑ Understand how SQL injection attacks affect web application back ends
❑ Understand how the web implements session state using cookies, and how improper implementations are subject to session hijacking and Cross-Site Request Forgery (CSRF) attacks
❑ Understand how popular, browser-executed JavaScript programs can be used incorrectly by web sites, leading to Cross-Site Scripting (XSS) vulnerabilities
❑ Avoid flaws and bugs that introduce these vulnerabilities, with a focus on employing input validation and sanitization

Outline
Introduction to web security
Bypassing Client-Side Controls
Attacking Authentication
Attacking Session Management
Code Injection Attacks (SQL, HTML, SMTP)
Attacking Other Users
Application Logic Attacks

Web Applications - old
❑ Original web sites contained static documents
❑ Flow of interesting information was one-way
❑ No need for authentication, sessions, access control, input validation

Web Applications - now
❑ Highly functional
❑ Flow of information is two-way
❑ Content is dynamic
❑ Much data is private and sensitive
❑ Attacks against web applications

Common Web Application Vulnerabilities
(bar chart; the percentage shown for each vulnerability class)
- Broken authentication: 67%
- Broken access controls: 78%
- SQL injection: 36% (an attempt by attackers to manipulate your database, particularly to get information)
- Cross-site scripting: 91% (allows attackers to inject client-side script into web pages)
- Information leakage: 81%

Why web application security becomes critical
• Conventional organisations' security efforts focused on the network perimeter
• Modern web apps have introduced new risks:
  - Users must be able to reach web servers via HTTP/S
  - Web servers must be able to reach databases, mainframes, logistical systems
• Defects in web apps leave internal systems vulnerable to attack

Why web application security becomes critical
Vulnerable web applications damage not only the server end:
• Malicious or compromised applications can be leveraged to attack other users
• Users' browsers can be used to attack other internal systems

The essential security problem
• Users have complete control over the client end:
  - Can submit arbitrary input
  - Can modify all data passing between browser and server
  - Can send requests and parameters in any sequence
• Most attacks involve sending crafted or unexpected input:
  - Changing a hidden field
  - Modifying a session token
  - Injecting code into back-end components

Bypassing Client-Side Controls
• Hidden HTML form fields are a common mechanism for transmitting data via the client in a superficially unmodifiable way.
  Changing form fields:
  - They are not displayed on-screen.
  - The field's name and value are stored within the form.

Bypassing Client-Side Controls - Example 1
(three screenshot slides, not reproduced here)
HTTP cookies can be modified using an intercepting proxy and are not displayed on the screen.
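The "essential security problem" and hidden-field slides above lead to one rule: the server must not trust values that merely round-tripped through the browser. As an added example (not from the lecture), here is a Python order handler that trusts a hidden price field, beside a hardened version that recomputes the price from a server-side catalogue and validates the quantity, plus an HMAC binding for values that genuinely have to travel via the client. The catalogue, form dictionaries and key are constructed for this demo.

```python
import hashlib
import hmac

# Constructed server-side catalogue (prices in cents): the only trusted price source.
CATALOG = {"sku-1001": 4999, "sku-2002": 1250}

# Constructed demo key; a real deployment loads this from a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def vulnerable_total(form: dict) -> int:
    """Trusts the hidden 'price' field exactly as the browser sent it (the flaw)."""
    return int(form["price"]) * int(form["qty"])


def hardened_total(form: dict) -> int:
    """Ignores any client-supplied price; recomputes from the catalogue and bounds qty."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown product")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty


def sign_hidden(value: str, key: bytes = SECRET_KEY) -> str:
    """Emit 'value|tag' so a hidden field can be checked for modification on return."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{tag}"


def verify_hidden(field: str, key: bytes = SECRET_KEY) -> str:
    """Return the original value, or raise if the field was altered or malformed."""
    value, sep, tag = field.rpartition("|")
    if not sep:
        raise ValueError("malformed hidden field")
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("hidden field was modified")
    return value


if __name__ == "__main__":
    # Constructed submission in which the hidden price was lowered to 1 cent.
    tampered = {"sku": "sku-1001", "price": "1", "qty": "2"}
    print("vulnerable:", vulnerable_total(tampered))  # charges 2 cents
    print("hardened:  ", hardened_total(tampered))    # charges 9998 cents
```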