In
earlier versions of the Internet there were only static web pages with
limited ability to interact with users. Today every business has its own
identity on the Internet and there is advance commerce taking place
online. Businesses depend on the Internet because of its high
flexibility and speed. The main point I want to discuss is the
importance of web applications. The era of static web pages is over and
now we have user-friendly web pages that built from multiple types of
scripts (Perl, PHP, ASP, etc.).
So the importance of web
applications is not a hidden truth and the security of web application
is necessary to protect information from strangers (black-hat hackers).
Web applications are on the hit list of hackers because they are easy to
access, and the risk is high for both system and user. From the systems
point of view we need to protect the integrity and reputation of the
system. From the user’s perspective we need to care about identity,
privacy, money and other things.
Open Web Application Security
Project (OWASP) is an open source community for application level
security projects and OWASP has defined or created a list of the top
vulnerabilities and security risks for web applications. This list is
commonly known as the OWASP Top 10. The top ten vulnerabilities for web
applications as defined by OWASP are not the only risks because there
are hundreds of other issues and vulnerabilities that may occur on a web
application.
The OWASP Top 10 are the most critical and common vulnerabilities that can cause a system to compromise the user information.
OWASP Top 10
- Injection
- Cross-Site Scripting (XSS)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross-Site Request Forgery (CSRF)
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
In
this article we will discuss the security risks and their effect on a
web application. This is a good way to create security awareness among
web application developers, web masters and users. In this article we
will also cover the best open source tools that can be helpful while
doing penetration testing on a web application; it is a good practice to
conduct a penetration testing on web applications to protect both the
system and the users.
Injection
Dynamic web applications
are based on bi-directional communication where users are allowed to
send data to web application. So in this case a user (internally or
externally) might act as a threat agent and they can send simple syntax,
query, command and arguments to a web application. Injection flaws are
very common and dangerous. They can be discovered by evaluating code,
via automatic scanners and the use of fuzzers.
Injection, or code injection, is too general a term. I categorize the different types like this:
- Command injection
- SQL injection
- Blind SQL injection
- LDAP injection
- and others (as I said above, there might be hundreds of vulnerabilities that may occur but we will discuss the most dangerous)
SQL
(Structured Query Language) injection is treated as a the most
dangerous and common web application vulnerability because SQL is a
language that is used to manage the data (information) on a database.
Due to SQL injection vulnerability an attacker can control the database
(that means all the information, including administrator and users’
confidential information) and can execute commands on the server (that
means they have full access).
Open Source Tools to Find Injection Vulnerability in Web Applications
As
I said earlier, I will discuss only open source tools (or tools that
are available free of cost) while there are some commercial tools that
are also available and can be helpful. It is not a hard and fast rule to
use the tools that are mentioned here, you can use whatever you want to
use.
- w3af (Web Application Attack and Audit Framework)
- OWASP ZAP (I prefer and use)
- HackBar and SQL Inject Me (Firefox add-ons)
To exploit the SQL injection vulnerability an attacker can use automatic tools or manual techniques. The most common tools are:
- SQLmap
- SQLninja
Cross-Site Scripting (XSS)
XSS
or Cross-Site Scripting is another dangerous and common web application
vulnerability and can be categorized under the heading of an injection
attack because in XSS a malicious script or syntax is injected into a
web server. In simple words, cross-site scripting is an attack in which
an attacker injects malicious code into a web application and the server
sends this page to the browser (other users) without any validation of
content. The common method or way to execute the syntax is via the guest
book, contact form, search bar and other forms that allows user to
enter some information.
There are mainly three types of cross-site scripting:
- Stored
- Reflected
- DOM based XSS
In
stored XSS the malicious code is permanently stored on a web server
(database) via comment and forum message. In reflected XSS the malicious
code or script reflects back from the web server in an error window,
search result and many other ways. DOM XSS or type-0 XSS is an attack in
which the malicious script or payload modifies the DOM environment on
the victim (other user) side by using a client side attack vector.
The
risk factor of XSS is high because user information can be stolen via
XSS vulnerability. Session hijacking, cookies stealing, phishing
(redirecting users to another malicious website), website defacement and
an attacker can control the victim’s web browser and then their
operating system.
Open Source Tools to Find Cross-Site Scripting Vulnerability in Web Applications
- OWASP ZAP
- DOMinator (A Firefox based plugin for DOM XSS)
- XSSer (Cross Site “Scripter” is an automatic framework used to detect, exploit and report XSS vulnerabilities in web-based applications.)
There
are different ways and techniques to exploit the XSS vulnerability,
like phishing and others discussed above. Besides manual technique,
these common tools can be helpful:
- XSS Shell
- BeEF XSS Framework
Fuente: http://www.ehacking.net/2012/07/owasp-top-10-vulnerabilities.html
No hay comentarios:
Publicar un comentario