Friday, September 18, 2009

10th Sept 2009 - Lab 5: Web Application Security

The top 10 web application vulnerabilities are:
  • Cross site scripting
  • Injection flaws
  • Malicious file execution
  • Insecure direct object reference
  • Cross site request forgery
  • Information leakage and improper error handling
  • Broken authentication and session management
  • Insecure crypto storage
  • Insecure comms
  • Failure to restrict URL access

Today, in this lab session, we are going to see, learn and perform real attacks against a web application. That means we are going to attack the web application through the browser using the methods above. The simulation toolkits used today are WebGoat and WebScarab.

WebGoat is a toolkit that creates a de-facto interactive teaching environment for web application security. WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.

WebGoat and WebScarab are provided by the OWASP community and can be downloaded from http://www.owasp.org

After completing the setup of WebGoat and WebScarab, we first used a cross site scripting (XSS) attack to carry out a phishing attack. XSS is a vulnerability that occurs when a web application accepts input and sends it to a web browser without validating or encoding the content. When the input is not validated, an attacker can execute script in the victim's browser, which can lead to web defacement.

Next, we tried the injection flaw. An injection flaw such as SQL injection causes the web application to run SQL code that was not intended by the application. For example, a web application might have a query statement as below:

The attacker can manipulate this statement by adding

This returns all the data from the user table.

At the end of the lab, we tried malicious file execution. It is another web application vulnerability caused by failing to control application input. In this attack, the attacker manipulates the web application into becoming the attacker's remote terminal, executing command line instructions such as listing a directory (dir) or displaying the network configuration (ipconfig). It becomes more dangerous if the attacker uses this vulnerability to execute commands that create a backdoor on your server.

In order to prevent such vulnerabilities, the web application must strongly validate user input, apply strong output encoding, avoid "blacklist" validation, and so on.
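The SQL injection flaw from the lab and the two defences above (parameterized queries and positive input validation), as an added example that is not part of the original lab or of WebGoat. The user table, the lookup functions and the hostile input are all constructed for this demonstration; the lab's own query and injected string are not shown on the page.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data: a small in-memory "user" table (not the lab's).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "carol", "pa55")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Builds the SQL text by string concatenation: the input becomes part of
    # the query grammar, which is exactly the injection flaw the lab describes.
    sql = "SELECT id, name FROM user WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Bound parameter: the driver passes the value separately from the SQL
    # text, so quotes in the input can never change the statement's meaning.
    return conn.execute(
        "SELECT id, name FROM user WHERE name = ?", (name,)
    ).fetchall()


def allowlist_username(name: str) -> bool:
    # Positive ("allowlist") validation, the opposite of the blacklist
    # approach the lab warns against: accept only the shape a username should have.
    return name.isascii() and name.isalnum() and 1 <= len(name) <= 32


if __name__ == "__main__":
    conn = build_db()
    hostile = "x' OR '1'='1"  # constructed attacker input for the demonstration
    print(lookup_vulnerable(conn, "alice"))      # [(1, 'alice')]
    print(lookup_vulnerable(conn, hostile))      # every row: WHERE became always-true
    print(lookup_parameterized(conn, hostile))   # []: treated as a literal name
    print(allowlist_username(hostile))           # False: rejected before any query
```

The vulnerable lookup returns the whole table for the hostile input, while the parameterized lookup returns nothing for the same input, and the allowlist check rejects it before it ever reaches the database.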
