Security Vulnerabilities in Web apps

4 years ago 146
BOOK THIS SPACE FOR AD
ARTICLE AD

Sheik Shameer

Web applications hold the potential to transform the world of
information and internet services by providing more acces-
sible and easy to use creative interfaces to people. However,
with the advent of technologies, there also comes a need to
protect these services from attackers. Since a security breach
or a hack posts questions on the reliability of services af-
fecting the e-service businesses. In today’s world due to the
large demand for data, more emphasis on the security of
these e-services is required. This article provides a survey of
the top 10 vulnerabilities along with their description, aggre-
gation of the past and current preventive approaches, with
their current open problems and suggestible future work
that can provide a consolidated knowledge for developers
building web applications.


Injection:

An injection is a process of inserting and executing mali-
cious code as part of a query in a web application. Common
injections happen in SQL (database access), NoSQL, LDAP
(Directory access), or on OS (execute OS commands in the
server). The impact of such an attack can loose the brand
value of the product, give access to unrestricted data, or even
at times result in hostile take over of the environment as well
[32]. The primary cause of such an attack is allowing the
user-supplied string as part of a query. There are different
types of injection attacks based on how the attack is used,
some of the popular ones are as follows.

Tautologies — The most common type of injections in
database target the where clause of the query to always
return true. Consider if a user supplies a string “ or
1==1” into user in the query “select * from permissions
where id=$user, will fetch all the details from the table.
• Union — The user supplies a string with the word union
to extract details from other tables as well.
• Error-based — The error of a failed query is displayed
to the user, which can be exploited to gather useful
information.
• Time-based — The attacker infers the time taken for
processing a query by the delay in the execution time,
this enables him to overload the server aiming a Denial
of service attack.
• Piggy-backed Queries — User supplied query is attached
to the executable query after a ;, which enables him to
execute complete queries.
• Encoding attacks — Here the attacker encodes the user
string so that it can bypass the prevention mechanisms
and exploit the vulnerabilities.


Broken Authentication:

Broken Authentication is the process by which an attacker
impersonates an authenticated session. This generally occurs
due to the misconfiguration of session management. When
a user logins with their username and password, the user
is authenticated to use the services. Since this is a tedious
process to perform every time, the service will generate a
session Id that can be used by the user to authenticate next
time. This session id is stored on the client-side, and the
client application such as a browser can be made to take care
of sending the session id with each request [21]. At times, the
attacker could get a hold of this session Id and impersonate
the session by sending requests with the session Id. This
would make the server authenticate the impersonated user as
an active user. Generally, this attack is done in the following
ways.

The designer or the user could misconfigures the ses-
sion protocols, like setting a large timeout for the ses-
sion inactive expiration time.
• Using weak username/password combinations that
could be guessed by a dictionary attack.
• Using injection attacks to get access as stated in section
2.1 and bypass the authentication system.
• Using decoding mechanisms to approximate the ses-
sion Ids of the users or of the service in general.
• Using XSS or phishing vulnerabilities to hijack the
session of the users.

Sensitive Data Exposure:

Sensitive Data Exposure refers to the access of sensitive
data by an attacker. Generally, this refers to the absence of
usage of cryptographic or hashing mechanisms when storing
sensitive data such as credit card numbers, Social insurance
numbers, and authentication credentials. Attackers may gain
access to these sensitive data and due to the absence of any cryptographic or hashing mechanism, they get access to user
sensitive data.

This type of vulnerability
depends on the type of encryption mechanisms used and
at times depends on the way of access of data as well. The
following are some of the best practices that is offered till
now to avoid sensitive data exposure [26]

ensure that the encrypted data stored is not easy to
decrypt. For example donot allow unencrypted access
from the database connection pool. [63]
• ensure that the database or infrastructure credentials
are secured via tight file system permissions and con-
trols.
• only use publicly approved cryptographic algorithm
such as AES, RSA public key cryptography, and SHA-
256 or better for hashing[46].
• never transmit private keys over insecure channels.
• donot store unwanted data in the system. For example ,
when dealing with credit cards ,adhere to the Payment
Card Industry’s security standard which lists not to
store cvv numbers or pan card details etc [8].

XML External Entities (XXE)

The XML External Entities or XXE refers to the unwarranted
usage of xml files in the system. Generally a XML processor
is used to parse the xml files in a system. Here the attacker
could upload an evil XML file for the processor to parse [20].
For example, an entity in an xml file may refer to a random
value again and again causing an infinite loop. This may make the processor to exhaust its available memory and
cause a denial of service attacks. There are different types of
XML attacks available as follows.

using malicious strings such as shell code, XQuery,special
characters , tag injection,XSS strings etc.
• using oversized xml entities such as recursive referring
(Billion laughs attack), large tag names, large number
of elements etc.
• trying to access unauthorized files or information but
referring to it within inside the document.
• the attackers tries to take advantage of the specified
XML schema to input malicious code like inserting
interior nodes in excess etc.
• Using weak encryption mechanisms such as md5 to
encrypt the xml files while transferring them.

Broken Access Control

Access control enforces policies that the users should adhere
to in a system. These access control should be properly en-
forced so that the attackers cannot bypass them. However
enforcing access control in a system can be tricky and these
controls need to be changed often as well. The attackers take
advantage of loosely enforced access control to steal or input
information that they are not supposed to [33]. Generally
Broken access control attacks takes place as follows.

Bypassing control checks by directly modifying the
URL, or using a custom API tool
• Allowing the primary key or a reference key to be
changed so that another user’s record can be viewed.
• Manipulating JSON Web token which is a token that
can indicate permission levels to impersonate as ad-
min.• Accessing API with missing permission control checks
directly bypassing client side validation.

Security Misconfiguration

Improper security configuration leads to this vulnerability.
The web application is a complex ecosystem composed of a
large number of hardware/software components including
web server, database server, request handling queues etc.
Improper or absence of security configuration at any one
of the levels could lead to this vulnerability. This attack is
mainly impactful in cloud based systems where users share
resources. Compromising one server may lead to retriving
information from other servers as well [4].


Cross-Site Scripting XSS

This is one of the famous and easily exploitable vulnerabil-
ity that is present in web applications. Dynamic webpages
became a requirement for webpages long ago and this al-
lows user content to be displayed in the webpage. Here the
attacker can add malicious code as user content which gets executed when a web page is executed. The heart of the
issue is that if distrusted content can be introduced into a dy-
namic page, neither the web sites nor the client has enough
information to recognize that this has happened and take
protective actions . Some of the types are listed below.

One can execute persistent malicious code, that can
fetch restricted details from a server which is also
classified as persistent XSS that is retained in a page.
• change the contents of the html page, so that a dubious
content can be displayed to the user. This is called as
DOM based XSS.
• can exhaust resources by creating worms in the html
page. This would create numerous entities which would
exhaust resources.
• can make the user visit untrusted URLs hijacking cook-
ies and sessions in the process.
• using user’s permission to do unwaranted operations,
since this attack makes the user execute scripts.

Insecure Deserialization:

serialization is the process of writing the data as a string so
that it can be easily transmitted over the network. Its inverse
is called deserialization where the string data is converted
back to its original data [30]. The data which is untrusted
cannot be deserialized without sufficiently verifying that the
resulting data is valid/genuine. The serialized data/object can
be conveniently used, but unsterilized data can be modified
by an attacker if it is not protected by the cryptographic
function.


Using Components with Known Vulnerabilities:

In recent times application developments have moved to-
wards using third party components. However the third
party components can have vulnerabilities in them, which
might be used as a gateway for the used system. Generally
these vulnerabilities are caused by lag in updation of the third
party components or not being aware of the vulnerability in
them. The heart of the problem is that when a component is
compromised, it is open knowledge to the attacker. So the
attacker can easily use this knowledge to attack the host
system.


Insufficient Logging and Monitoring

This is more of a impact builder than an isolated attack. The
systems need proper logging and monitoring mechanisms to detect malicious activities once it happens. Any delay in
doing this may provide free reign for the attacker. According
to OWASP most of the attacks are detected on an average of
191 days [27].


Trends in Vulnerability

There are a lot of changes that were added in the 2017 list
when compared to the 2013 list as show in the [1]. There were
new type of vulnerabilities added and some type of vulnera-
bilities were merged. The new categories that were added in
2017 are XML External Entities (XXE) with ranking number
4, Insecure Deserialization with ranking number 8 and In-
sufficient Logging and Monitoring with ranking number 10.
These categories were only looked at 2017. The vulnerabili-
ties Insecure Direct Object References with ranking 4 and
Missing Function Level Access Control with ranking 7 were
merged into Broken Access Control with ranking 5 in 2017.
Some vulnerabilities were also removed from the rank-
ings such as Cross-Site Request Forgery (CSRF) from rank
number 8. This seems to be attributed to the adaptation
of frameworks such as spring, django, phoenix etc provid-
ing default security configurations for prevention against
CSRF attacks and also the adaptation of the same site cookies
around 2014. Another vulnerability that was removed as well
was Unvalidated Redirects and Forwards from rank 10, this is
understandable due to the advent of browser authenticating
requests and requiring certificates for websites.
Some vulnerabilities went up in ranking and some went
down over the years. The Cross Site Scripting XSS were
dropped from rank number 3 to rank number 7 because of the
introduction of client side frameworks that provides provi-
sions for auto encoding of user inputs and dynamic contents
that were displayed. Some of the mention-able frameworks are mustache template systems, angular, react etc. These
frameworks provide default functionalities for encoding data
before showing it to in the webpage.
Sensitive Data Exposure increased in ranking from 6 to
3, this could be attributed to the evolution of web technolo-
gies. Old codes that were architecturally dependent on the
client devices like browsers were now based on REST APIs,
this means that they are now accessed by smart tvs, mobile
application etc. These old codes were only designed to be
accessible by web browsers. However, the demand for sup-
porting multiple devices made them to be accessible by other
devices, which meant that the code changes to accommodate
this brought in more room for vulnerabilities. We believe
that as technology emerges, it also demands improvement
in security to accommodate the new challenges [31].

Read Entire Article