WEBSITE SECURITY (BUSINESS LOGIC VULNERABILITIES)

Abuse of Functionality

An attack that uses a website's own features and functionality to consume, defraud, or circumvent access control mechanisms. Some functions including security features may be abused to cause unexpected behavior, annoy other users, or perhaps defraud the system entirely.
Abuse of Functionality techniques are often intertwined with other categories of Web application attacks, such as performing an encoding attack to introduce a query string that turns a web search function into a remote web proxy. Abuse of Functionality attacks are also commonly used as a force multiplier. For example, an attacker can inject a Cross-Site Scripting snippet into a web-chat session, then use the built-in broadcast function to propagate the malicious code site-wide.

Brute Force

An automated process of trial and error used to guess a person's username, password, credit-card number or cryptographic key. Many systems will allow the use of weak passwords or small cryptographic keys. An attacker can cycle through the dictionary word by word, generating thousands or potentially millions of incorrect guesses while searching for the valid password.
There are two types of brute force attacks: normal brute force and reverse brute force. A normal brute force attack uses a single username against many passwords. A reverse brute force attack uses many usernames against one password. In systems with millions of user accounts, the odds of multiple users having the same password increase dramatically.

Credential/Session Prediction

A method of hijacking or impersonating a website user. The attack is accomplished by deducing or guessing the unique value that identifies a particular session or user. Also known as Session Hijacking, the attack could allow attackers to issue website requests with the compromised user's privileges.
Many websites are designed to authenticate and track a user when communication is first established. To do this, users must prove their identity to the website, typically by supplying a username/password (credentials) combination. Rather than passing these confidential credentials back and forth with each transaction, websites will generate a unique "session ID" to identify the user session as authenticated. Subsequent communication between the user and the website is tagged with the session ID as "proof" of the authenticated session. If an attacker is able to predict or guess the session ID of another user, fraudulent activity is possible.

Cross-Site Request Forgery (CSRF)

An attack that tricks the victim into loading a page that contains a malicious request. The request inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, such as changing the victim's e-mail address, home address, or password, or purchasing something. CSRF attacks generally target functions that cause a state change on the server, but can also be used to access sensitive data.
For most sites, browsers will automatically include with such requests any credentials associated with the site, such as the user's session cookie, basic auth credentials, IP address, or Windows domain credentials. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish a CSRF attack from a legitimate user request. The attacker can then make the victim perform actions that they didn't intend to, such as logout, purchase item, change account information, retrieve account information, or any other function provided by the vulnerable website.

Denial of Service (DoS)

An attack with the intent of preventing a website from serving normal user activity. DoS attacks, normally applied to the network layer, are also possible at the Web application layer. These malicious attacks succeed by starving a system of critical resources, exploiting a vulnerability, or abusing functionality.
DoS attacks attempt to consume all of a website's available system resources such as CPU, memory, or disk space, to render the website inaccessible.
As modern Web application environments include a Web server, database server and an authentication server, DoS at the Web application layer may target each of these independent components. Unlike DoS at the network layer, where a large number of connection attempts are required, DoS at the Web application layer is a much simpler task to perform.

Insufficient Anti-automation

Insufficient Anti-automation can happen when a website permits an attacker to automate a process that should only be performed manually. Certain website functionalities should be protected against automated attacks.
Left unchecked, automated robots or attackers could repeatedly exercise website functionality attempting to exploit or defraud the system. An automated robot could potentially execute thousands of requests a minute, causing potential loss of performance or service.

Insufficient Authentication

Insufficient Authentication can happen if a website permits an attacker to access sensitive content or functionality without having to properly authenticate. Web-based administration tools are a good example of websites providing access to sensitive functionality. Depending on the specific online resource, these Web applications should not be directly accessible without requiring the user to properly verify their identity.
To get around setting up authentication, some resources are protected by "hiding" the specific location and not linking the location into the main website or other public places. However, this approach is nothing more than ‘Security Through Obscurity.’ It is important to understand that even if a resource is unknown to an attacker, it still remains accessible directly through a specific URL. The specific URL could be discovered through Brute Force probing for common file and directory locations (/admin for example), error messages, referrer logs, or perhaps documentation in Help files. These resources, whether they are content or functionality driven, should be adequately protected.

Insufficient Authorization

A vulnerability that permits access to sensitive content or functionality that should have increased access restrictions.
Authorization procedures are performed after authentication, enforcing what a user, service or application is permitted to do. Thoughtful restrictions should govern particular website activity according to policy. Sensitive portions of a website may need to be restricted to everyone except an administrator.

Insufficient Process Validation

A vulnerability that permits an attacker to bypass or circumvent the intended flow control of a Web application. If the user state through a process is not verified and enforced, the website could be vulnerable to exploitation or fraud.
When a user performs a certain website function, the Web application may expect the user to navigate through a specific sequence of steps. If the user performs certain steps incorrectly or out of order, a data integrity error occurs. Examples of multi-step processes include wire transfer, password recovery, purchase checkout, account sign-up, and so on. These processes will likely require certain steps to be performed as expected.
For multi-step processes to function properly, websites are required to maintain user state as the user traverses the process flow. Websites will normally track a user’s state through the use of cookies or hidden HTML form fields. However, when tracking is stored on the client side within the Web browser, the integrity of the data must be verified, otherwise an attacker may circumvent the expected traffic flow by altering the current state.
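One way to verify the integrity of client-side state, shown here as an added example that is not part of the original glossary: the server signs the state it hands to the browser with an HMAC and rejects any token that was altered or that asks for a step out of order. The flow names, the key and the function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumed server-side secret (constructed value); a real one lives in a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical checkout flow: each step may only follow the one before it.
FLOW = ["cart", "shipping", "payment", "confirm"]


def issue_state(session_id: str, completed_step: str) -> str:
    """Return a token for a cookie or hidden field recording the last completed step."""
    payload = json.dumps({"sid": session_id, "step": completed_step},
                         sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())


def advance(session_id: str, token: str, requested_step: str) -> str:
    """Verify the token, enforce step order, and return the token for the new state."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError as exc:  # wrong number of parts or invalid base64
        raise PermissionError("malformed state token") from exc

    # Integrity first: nothing inside the payload is trusted before this check.
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("state token failed integrity check")

    state = json.loads(payload)
    # Binding to the session stops a token issued to one user being replayed by another.
    if state["sid"] != session_id:
        raise PermissionError("state token belongs to another session")
    if requested_step not in FLOW:
        raise PermissionError("unknown step")
    # Flow control: only the step directly after the recorded one is allowed.
    if FLOW.index(requested_step) != FLOW.index(state["step"]) + 1:
        raise PermissionError("step requested out of order")
    return issue_state(session_id, requested_step)
```

A signed token can still be replayed by the same session, so keeping the current step in server-side session storage remains the stronger design where it is available.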

Insufficient Session Expiration

A vulnerability that enables an attacker to reuse old session credentials or session IDs for authorization. Insufficient Session Expiration increases a website's exposure to attacks that steal or impersonate other users.
Since HTTP is a stateless protocol, websites commonly use session IDs to uniquely identify a user from request to request. Consequently, each session ID's confidentiality must be maintained in order to prevent multiple users from accessing the same account. A stolen session ID can be used to view another user's account or perform a fraudulent transaction.

Session Fixation

An attack that forces a user's session ID to an explicit value. Techniques to "fix" the session ID value range from Cross-Site Scripting (XSS) exploits to peppering the website with previously made HTTP requests. After a user's session ID has been fixed, the attacker will wait for the user to log in, upon which the attacker uses the predefined session ID value to assume their online identity.
There are two types of session management systems: "permissive" systems that allow Web browsers to specify any ID, and "strict" systems that only accept server-side generated values. With permissive systems, arbitrary session IDs are maintained without contact with the website. Strict systems require the attacker to maintain the "trap-session", with periodic website contact, preventing inactivity timeouts.

Weak Password Recovery Validation

A vulnerability that permits an attacker to illegally obtain, change or recover another user's password. Conventional website authentication methods require users to select and remember a password or passphrase. The user should be the only person that knows the password and it must be remembered precisely. As time passes, a user's ability to remember a password fades. The matter is further complicated when the average user visits 20 sites requiring them to supply a password. Thus, Password Recovery is an important part of servicing online users.
Examples of automated password recovery processes include requiring the user to answer a "secret question" defined as part of the user registration process. This question can either be selected from a list of canned questions or supplied by the user. Another mechanism in use is having the user provide a "hint" during registration that will help the user remember his password. Other mechanisms require the user to provide several pieces of personal data such as their social security number, home address, zip code etc. to validate their identity. After the user has proven who they are, the recovery system will display or e-mail them a new password.


TECHNICAL VULNERABILITIES

Buffer Overflow

An attack that alters the flow of a Web application by overwriting parts of memory, resulting in an error condition. This error condition occurs when data written to memory exceed the allocated size of the buffer. As the buffer is overflowed, adjacent memory addresses are overwritten causing the software to fail. When unrestricted, properly crafted input can be used to overflow the buffer resulting in a number of security issues.
A Buffer Overflow can be used as a Denial of Service attack when memory is corrupted. Even more critical is the ability of a Buffer Overflow attack to alter application flow and force unintended actions, such as overwriting stack pointers and redirecting the program to execute malicious instructions, or to change program variables.
Since the attacker must exploit custom code on a remote system, they would have to perform the attack blind, making success very difficult.

Content Spoofing

An attack used to trick a user into believing that certain content appearing on a website is legitimate and not from an external source.
This attack exploits the trust relationship established between the user and the website. The technique has been used to create fake web pages including login forms, defacements, false press releases, and so on.
Specially crafted links can be sent to a user via e-mail, instant messages, left on bulletin board postings, or forced upon users by a Cross-Site Scripting attack. If an attacker gets a user to visit a web page designated by their malicious URL, the user will believe he is viewing authentic content from one location since the browser location bar displays a legitimate-appearing URL, when in fact the underlying HTML frame is referencing attack data.

Cross-Site Scripting (XSS)

An attack that forces a website to echo attacker-supplied executable code, which loads in a user's browser. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.

When an attacker gets a user's browser to execute their code, the code will run within the security context (or zone) of the hosting website. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-Site Scripted user may have their account hijacked (cookie theft), their browser redirected to another location, or possibly be shown fraudulent content delivered by the website they are visiting.
There are two types of Cross-Site Scripting attacks: non-persistent and persistent.
  • Non-persistent attacks require a user to visit a specially crafted link laced with malicious code. Upon visiting the link, the code embedded in the URL will be echoed and executed within the user's Web browser.
  • Persistent attacks occur when the malicious code is submitted to a website where it is stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to click on any link, just simply view the web page containing the code.

Directory Indexing

A vulnerability present when a Web server lists all of the files within a requested directory if the normal base file (index.html/home.html/default.htm) is not present. When a user requests the main page of a website, they normally type in a URL such as http://www.example.com, using the domain name and excluding a specific file (/index.html). The Web server processes this request, searches the document root directory for the default file name, and sends this page to the client. If this page is not present, the Web server will issue a directory listing and send the output to the client. From an attack and countermeasure perspective, unintended directory listings may be possible due to software vulnerabilities combined with a specific web request.
When a Web server reveals a directory's contents, the listing could contain information not intended for public viewing. Often web administrators rely on "Security Through Obscurity" assuming that if there are no hyperlinks to these documents, they will not be found, or no one will look for them. The assumption is incorrect. Today's vulnerability scanners can dynamically add additional directories/files to include in their scan based upon data obtained in initial probes. By reviewing the /robots.txt file and/or viewing directory indexing contents, the vulnerability scanner can now interrogate the Web server further with these new data. Although potentially harmless, Directory Indexing could allow an information leak that enables further attacks against the system.

Directory/Path Traversal

An attack that forces access to files, directories, and commands that potentially reside outside the Web document root directory. An attacker may manipulate a URL in such a way that the website will execute or reveal the contents of arbitrary files anywhere on the Web server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal.
Most websites restrict user access to a specific portion of the file-system, typically called the "web document root" or "CGI root" directory. These directories contain the files intended for user access and the executables necessary to drive Web application functionality. To access files or execute commands anywhere on the file-system, Path Traversal attacks rely on special-character sequences.
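A containment check that keeps requests inside the document root, shown as an added example that is not part of the original glossary: the requested path is decoded once, resolved to its canonical form, and served only if the result still lies under the root. The function name is hypothetical and POSIX-style paths are assumed.

```python
import os
from urllib.parse import unquote


def resolve_under_root(doc_root: str, url_path: str) -> str:
    """Map a request path to a file path, refusing anything outside doc_root."""
    # Decode percent-encoding once, as the Web server would, so encoded
    # special-character sequences are seen in their real form before checking.
    decoded = unquote(url_path)
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")

    # realpath() collapses "." and ".." segments and follows symbolic links,
    # so the comparison below is made on canonical paths.
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))

    # commonpath() compares whole path components, which avoids the prefix
    # mistake where "/var/www-private" would pass a startswith("/var/www") test.
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError("path escapes document root")
    return candidate
```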

Format String Attack

Format String Attacks alter the flow of a Web application by using string-formatting library features to access other memory space. Vulnerabilities occur when user-supplied data are used directly as formatting string input for certain C/C++ functions (e.g. fprintf, printf, sprintf, setproctitle, syslog, ...).
If an attacker passes a format string consisting of printf conversion characters (for example "%f", "%p", "%n", and so on) as a parameter value to the web application, they may:
  • Execute arbitrary code on the server
  • Read values off the stack
  • Cause segmentation faults / software crashes

HTTP Response Splitting

A technique allowing the attacker to send a single HTTP request that forces the Web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of the single response of the normal case. The first response may be partially controlled by the attacker, but this is less important. What is material is that the attacker completely controls the form of the second response from the HTTP status line to the last byte of the HTTP response body. Once this is possible, the attacker realizes the attack by sending two requests through the target.
The first one invokes two responses from the Web server, and the second request would typically be to some "innocent" resource on the Web server. However, the second request would be matched by the target to the second HTTP response, which is fully controlled by the attacker. The attacker tricks the target into believing that a particular resource on the Web server (designated by the second request) is the server's HTTP response (server content), while it is in fact data forged by the attacker through the Web server in the second response.

Information Leakage

A vulnerability present when a website reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system. Sensitive information may be present within HTML comments, error messages, source code, or simply left in plain sight. While leakage does not necessarily represent a breach in security, it does give an attacker useful guidance for future exploitation.
In the first case of information leakage (comments left in the code, verbose error messages, etc.), the leak may give the attacker contextual information about directory structure, SQL query structure, and the names of key processes used by the website. Often a developer will leave comments in the HTML and script code to help with debugging or integration. This information can range from simple comments detailing how the script works, to, in the worst cases, usernames and passwords used during the testing phase of development.
Information Leakage also applies to data deemed confidential, which aren't properly protected by the website. This data may include account numbers, user identifiers (driver's license number, passport number, Social Security number, and so on) and user-specific data (account balances, address, and transaction history). Insufficient Authentication, Insufficient Authorization, and secure transport encryption also deal with protecting and enforcing proper controls over access to data.

LDAP Injection

An attack used to exploit websites that construct LDAP statements from user-supplied input.
Lightweight Directory Access Protocol (LDAP) is an open-standard protocol for both querying and manipulating X.500 directory services. The LDAP protocol runs over Internet transport protocols such as TCP. Web applications may use user-supplied input to create custom LDAP statements for dynamic Web page requests.
When a Web application fails to properly sanitize user-supplied input, an attacker can alter the construction of an LDAP statement so that the process will run with the same permissions as the component that executed the command. This can cause serious security problems where the permissions grant the rights to query, modify or remove anything inside the LDAP tree.

OS Command Injection

When a Web application does not properly sanitize user-supplied input before using it within application code, an attacker can trick the Web application into executing Operating System commands. The executed commands will run with the same permissions as the component that executed the command, such as the database server, Web application server, or Web server.

Predictable Resource Location

An attack used to uncover hidden website content and functionality. By making educated guesses, the attack is a brute force search for content not intended for public viewing such as temporary files, backup files, configuration files, and sample files. Hidden files will often have common naming conventions and reside in standard locations which may disclose sensitive information about Web application internals, database information, passwords, machine names, file paths to other sensitive areas, or possibly contain vulnerabilities. Disclosure of this information is valuable to an attacker.

SQL Injection

A very severe attack used to exploit websites that construct SQL statements from user-supplied input to steal information from a database and/or to gain access to an organization's host computers through the computer that is hosting the database.
Structured Query Language (SQL) is a specialized programming language for sending queries to databases. However, many database products supporting SQL do so with proprietary extensions to the standard language. Web applications may use user-supplied input to create custom SQL statements for dynamic web page requests.
SQL injection attacks are used to steal information from a database from which the data would normally not be available and/or to gain access to an organization's host computers through the computer that is hosting the database.
SQL Injection attacks may be prevented by enforcing the use of parameterized statements.
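The difference between building a statement from user input and using a parameterized statement, shown as an added example that is not part of the original glossary. It uses Python's sqlite3 module with a constructed in-memory table; the table, the function names and the sample input are assumptions made for the illustration. It also goes one step beyond the text: identifiers such as a sort column cannot be bound as parameters, so they are checked against a whitelist.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret"), ("carol", "c-secret")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str):
    # Vulnerable on purpose: the input becomes part of the SQL text, so a quote
    # character in it changes the structure of the statement.
    query = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str):
    # The statement text is fixed; the input is bound as a value and is only
    # ever compared with the name column, whatever characters it contains.
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


# Placeholders bind values, not identifiers, so a caller-chosen sort column
# is validated against a whitelist before it is placed in the statement.
SORTABLE_COLUMNS = {"id", "name"}


def list_names_sorted(conn: sqlite3.Connection, column: str):
    if column not in SORTABLE_COLUMNS:
        raise ValueError("column is not on the whitelist")
    rows = conn.execute(f"SELECT name FROM users ORDER BY {column}")
    return [row[0] for row in rows]


# Constructed input of the kind the text describes.
CRAFTED_NAME = "x' OR '1'='1"
```

With the constructed input, the concatenated lookup returns every row in the table, while the parameterized lookup returns none because no user has that literal name.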

Server Side Include (SSI) Injection

A server-side technique that allows an attacker to send code into a Web application, to be executed locally by the Web server. SSI Injection exploits a Web application's failure to sanitize user-supplied data before they are inserted into a server-side interpreted HTML file.
Before serving an HTML web page, a Web server may parse and execute Server-side Include statements. In message boards, guest books, or content management systems, a Web application will insert user-supplied data into the source of a web page.
An SSI is a variable value such as a ‘Last modified’ date that a server can place in an HTML file. Before sending the file to the requestor, the server searches the file for CGI environment variables and inserts the appropriate values in the places where "include" statements appear. In SSI injection, the variable values are modified to allow the attacker to add, alter or delete HTML files on the server, or to gain access to server resources.

XPath Injection

An attack used to exploit websites that construct XPath queries from user-supplied input.
XPath 1.0 is a language used to query an XML document, or as part of a larger operation such as applying an XSLT transformation to an XML document, or applying an XQuery to an XML document.
If an application embeds unprotected data into an XPath query, the query can be altered so that it is no longer parsed in the manner originally intended. This can allow an attacker to bypass the website authentication system and extract the structure of one or more XML documents in the site. This attack may be prevented by parameterizing XPath queries.


GENERAL WEB APPLICATION SECURITY TERMS

Application Security Manager (ASM)

A web application firewall from F5 Networks that integrates with WhiteHat Security Sentinel's vulnerability management service. Sentinel users can update the security policy on a per-vulnerability basis to mitigate the risk of its exploitation while the vulnerability is being addressed in the Web application code.

Authentication

The process of verifying identity, ownership, and/or authorization.

Backdoor

Malicious code inserted into a program for the purposes of providing the author covert access to machines running the program.

Base 64

A method for encoding binary data into printable ASCII strings. Every byte of output maps to six bits of input (minus possible padding bytes).

Blacklist

When performing input validation, the set of items that, if matched, result in the input being considered invalid. If no invalid items are found, the result is valid.

IP Address

A unique address assigned to a networked device, including computers and servers.

Padding

Data added to a message that is not part of the message. For example, some block cipher modes require messages to be padded to a length that is evenly divisible by the block length of the cipher — i.e., the number of bytes that the cipher processes at once.

Policy

A set of rules employed by a Web application firewall that detect and block attempts to exploit a vulnerability in a Web application. All HTTP requests are assessed for strings that contain vulnerable parameters. Policy rules need to be maintained periodically.

Root User

A user with unlimited access to all operations on a computer.

Read Access

The ability to view the names of files in a directory, but not any other information such as file type, size, and so on.

Web Application Firewall (WAF)

A device or software module that applies a set of policy rules to incoming traffic to block potential attacks on a Web application. Also known as a WAF.

Whitelist

When performing input validation, the set of items that, if matched, results in the input being accepted as valid. If there is no match to the whitelist, then the input is considered invalid. That is, a whitelist uses a ‘default deny’ policy.

Write Access

The ability to create, delete, change permissions, or rename files.
