Cyber Security Fundamentals (M) & (H): Web application attacks
Glasgow, 31st January & 7th of February 2022.
, School of Computing Science, University of Glasgow, Scotland. http://www.mariaevangelopoulou.com/
Material taken from OWASP.org for this lecture
Structure of Lectures
Sections that will be covered:
➢ Cyber Security basic background
➢ Look into networking
➢ Cyber attacks and defence
➢ Web applications’ vulnerabilities
➢ Trending in Cyber
➢ Penetration testing & Digital Forensics
Guest lectures to be confirmed.
CSF 2022 Web application attacks
Lecturer’s instructions
When you see the red sign in a slide it means that you must not use anything described in the specific slide without the necessary authorisation. The lecturer of this course will not be responsible for any misuse.
When you see the green sign in a slide it means that you can use anything described in the specific slide on your own.
➢ Some tools need special permissions in order to be run in a secure manner without violating any laws!!! Because of this we have created these signs to indicate to you which tools are OK to be used and which are not!
➢ This is one of the most important slides: if you don’t follow this rule it can have serious consequences for you, so please don’t use anything under the banner of the red (first) sign.
@wordpress.com
➢ → The absolute wizard of social engineering. People were so afraid of him that he was believed capable of hacking a nuclear plant from a pay phone. He was arrested by the FBI in 1995 and is now a cyber security consultant. He is the author of famous books such as The Art of Deception, The Art of Intrusion, Ghost in the Wires and The Art of Invisibility. He was one of the first people on whom the new cyber laws were tested, and he raised awareness at a time when cyber security was something completely new. He never exploited the information he obtained, and this is why, although he is included in top 10 lists of the most famous hackers, he is respected and works in the cyber security field.
Web & Web Application attacks
➢ What is a Web Application?
@sciencesoft
➢ What is the difference between web application and webpage?
➢ A website/webpage is something static; a web application, on the other hand, is something dynamic. A web application is a client-server program which the client has to run in a browser.
Web application attacks cont…
➢ What is a Web application attack?
➢ What is the purpose and the end goal?
➢ Can you name any?
➢ A web application attack is an attempt to exploit an application running on a web server through a web site. The purpose and goal can vary: making the web application unresponsive, manipulating or stealing the data of users or customers, taking control of the web application, causing disruption, and even defacement, which can then be used for phishing purposes.
Web application attacks OWASP Top 10
@owasp.org
Web application attacks OWASP Top 10 updated
@owasp.org
➢ OWASP is a non-profit organisation focusing on improving software security; it provides many parallel cyber security projects and training environments (open source). It is essentially a hub of information that is controlled by the community.
➢In this lecture we will see the identified OWASP top 10 vulnerabilities for web applications of 2021.
Number 1: Broken Access Control (5 → 1)
➢ Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users’ accounts, viewing sensitive files, modifying other users’ data, changing access rights, etc.
➢ Trusting user input → privilege escalation.
➢ Scenario: An attacker simply force browses to target URLs. Admin rights are required for access to the admin page. If an unauthenticated user can access either page, it’s a flaw. If a non-admin can access the admin page, this is a flaw.
➢ When you log in to a page you will notice that the URL is modified to reflect your session. For example, at some point Facebook allowed its users to obtain a personalised URL. This of course was introduced to make it easier for people to identify you on Facebook. But some websites have broken authentication flaws and allow unauthorised access.
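The force-browsing scenario above is avoided by checking the session's role on the server for every request, rather than by hiding the admin link. The following is an added example written for these notes, not code from the lecture or from OWASP; the paths, roles and the in-memory session store are constructed for illustration.

```python
# Added example (not from the lecture slides): deny-by-default authorization that
# stops "force browsing" to /admin. Session store and route policy are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed session store: session id -> (user id, role). In a real application
# this would be a server-side session table keyed by an unguessable session id.
SESSIONS = {
    "sess-admin-1": ("alice", "admin"),
    "sess-user-7": ("bob", "user"),
}

# Each known path is listed with the role it requires (None = public).
# Paths not listed are unknown and get 404, so nothing is reachable by accident.
ROUTE_POLICY = {
    "/": None,
    "/account": "user",
    "/admin": "admin",
}

# Higher rank satisfies lower requirements: an admin may also use /account.
ROLE_RANK = {"user": 1, "admin": 2}


@dataclass
class Response:
    status: int
    body: str


def lookup_session(session_id: Optional[str]) -> Optional[Tuple[str, str]]:
    """Resolve a session id to (user, role); unknown or missing ids yield None."""
    return SESSIONS.get(session_id) if session_id else None


def handle_request(path: str, session_id: Optional[str] = None) -> Response:
    """Authorize on the server for every request; the UI is never the control."""
    if path not in ROUTE_POLICY:
        return Response(404, "not found")
    required = ROUTE_POLICY[path]
    if required is None:
        return Response(200, "public page")
    session = lookup_session(session_id)
    if session is None:
        # Unauthenticated user typing the admin URL directly: never reaches the page.
        return Response(401, "login required")
    user, role = session
    if ROLE_RANK.get(role, 0) < ROLE_RANK[required]:
        # Authenticated but not privileged enough: the flaw from the slide is closed.
        return Response(403, "forbidden")
    return Response(200, f"{path} for {user}")


if __name__ == "__main__":
    for path, sid in [("/admin", None), ("/admin", "sess-user-7"),
                      ("/admin", "sess-admin-1"), ("/account", "sess-user-7")]:
        print(path, sid, "->", handle_request(path, sid))
```

A practical extra is to log every 401/403 on privileged paths with the source address: repeated hits on `/admin` from one session or IP are a cheap indicator that someone is force browsing.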
Number 2: Cryptographic Failures previously known Sensitive Data Exposure (3 → 2)
➢ Many web applications and APIs do not properly protect sensitive data. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
➢ Lack of data protection → Loss of trust and offense against privacy laws.
➢ Scenario: An application encrypts credit card numbers in a database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text.
➢ In general this flaw refers to unprotected data: lack of encryption in place, the method of communication (as will be discussed in the cryptography lecture, e.g. use of public keys only), and more.
Number 3: Injection including XSS (1,7 → 3)
➢ Injection flaws → untrusted data is sent to an interpreter as part of a command or query. The attacker tries to trick the interpreter into executing unintended commands or accessing data without proper authorization.
➢ There are different types of injection, like: SQL, XML, LDAP, HTML and more.
➢ Two types of injection attacks:
➢ Manual: the attacker manually types code into the website to provoke errors and gain access.
➢ Scripted: the attacker uses tools whose sole purpose is to execute all known attacks, to speed up the process.
➢ SQL (Structured Query Language) is the language used to communicate with databases. Let’s consider as a simplified example a teaching office that needs to handle and store students’ data, including course IDs, exam marks etc. Imagine that there is a database for students and that each database is made up of different tables depending on the subject. For example, a table named exam mark can have columns Student ID, Course ID, Assessment mark, Exam mark and Final mark. In order to extract specific information someone can use SQL queries. A similar approach is taken for storing and handling users’ data for a website for authentication purposes (username and password).
➢ XML (eXtensible Markup Language) is similar to HTML. XML was designed to store and transport data. LDAP (Lightweight Directory Access Protocol); Internet protocol that programs like email use to look up information from a server (access directory services).
➢ HTML injection is a type of injection issue that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page. This vulnerability can have many consequences, like disclosure of a user’s session cookies that could be used to impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by the victims.
Number 3: Standard SQL injection
@portswigger.net
➢ SQL injection is when an attacker, manually or with a script, tries to trick the database that communicates with the front-end website into returning valuable information, which eventually will grant them access.
➢ In order to try SQL injection someone can enter SQL statements at every entry point of a web application for testing purposes. For example: login/register form, feedback form, search bar and more.
Number 3: Standard SQL injection
➢ Problem: User data used with no sufficient checks.
➢ SELECT * FROM Users WHERE Username = '$username' AND Password = '$password'
➢This can lead to stolen user data, takeover and denial of access.
➢ Types of SQL injection:
➢ Blind
➢ Error-Based
➢ The reason that injection is mostly possible is bad coding. This means the input is not validated and the code is not clean, so in consequence characters like ' and = can cause the database to return results that it was not supposed to release.
➢ In an SQL injection attack the server sometimes responds with error messages from the database server complaining that the SQL query’s syntax is incorrect. In blind SQL injection, when an attacker attempts to exploit an application, rather than getting a useful error message they get a generic page specified by the developer. This makes the attack harder to succeed, but not impossible. On the other hand, error-based SQL injection is a technique in which vulnerabilities of the system become known by causing the database to throw errors on purpose. In this case an attacker can gain information like the database version, the operating system in use and more.
Simple Generic SQL injection
http://testphp.vulnweb.com/index.php
➢This website contains a vulnerable application for testing purposes so feel free to have a look and try some things if you want.
➢ In this case we try to exploit the authentication mechanism by using the ' OR ''=' statement as both username and password. The result is to log in as the first user in the table, and you can see on the next screenshot that we have access to this account and essential information about the user like email, credit card number and more.
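To show why the query on the earlier slide fails and how the fix looks, here is an added example (written for these notes, not code from the lecture or from the vulnweb test site) that runs the same login query two ways against an in-memory SQLite database with constructed users. The first builds the SQL by string concatenation exactly as the slide does; the second uses placeholders, so the quotes in the input stay data.

```python
# Added example (not from the slides): the slide's login query built by concatenation
# versus a parameterised query, run against a constructed in-memory SQLite database.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database. (Plaintext passwords are themselves a
    cryptographic failure; they are kept plain here only to focus on injection.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, Username TEXT, Password TEXT)"
    )
    conn.executemany(
        "INSERT INTO Users (Username, Password) VALUES (?, ?)",
        [("test", "test"), ("carol", "s3cret")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """User input spliced straight into the SQL text, as on the slide.
    With ' OR ''=' in both fields the WHERE clause becomes
    Username = '' OR ''='' AND Password = '' OR ''=''  -> true for every row,
    so the first user in the table is returned."""
    sql = (
        "SELECT Username FROM Users WHERE Username = '" + username
        + "' AND Password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn: sqlite3.Connection, username: str, password: str):
    """Placeholders keep the input as a value: a quote in it can never change
    the structure of the query, so the same payload matches nobody."""
    row = conn.execute(
        "SELECT Username FROM Users WHERE Username = ? AND Password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR ''='"
    print("vulnerable:    ", login_vulnerable(db, payload, payload))
    print("parameterised: ", login_parameterised(db, payload, payload))
    print("real login:    ", login_parameterised(db, "carol", "s3cret"))
```

The parameterised form is the fix for every entry point listed above (login, feedback form, search), not only the login form; the same driver placeholder mechanism exists in PHP (PDO prepared statements), Java (PreparedStatement) and every other mainstream database API.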
Simple Generic SQL injection cont…
http://testphp.vulnweb.com/index.php
Blind SQL example
http://testphp.vulnweb.com/index.php
➢ In the above attempt we enter an SQL query in the URL of the website that asks for information about the admin page. The %20 sequences are the URL encoding of a space character. You will notice that we weren’t given access and an error message appeared.
Blind SQL example
http://testphp.vulnweb.com/index.php
➢In the above attempt we enter an SQL query on the url of the website that asks for information about the user page. You will notice that we acquired access and no error message was encountered.
Injection Guessing SQL table
➢ If there is any kind of login or subscription area, that means an SQL database is being used. Adding "+order+by+6753" at the end of the URL: "6753" is used because most websites don’t have more than 6753 columns. If an error is returned then the website is vulnerable to SQL injection. You can keep guessing with smaller numbers in order to identify the exact number of columns in the SQL table. The next step would be to start guessing the name of each column.
➢ There are different types of SQL injection attacks and, as you can see from what is described on the slide above, sometimes attackers try to guess information about the database. How many columns are being used? If this becomes known, they then use queries and start guessing combinations of letters so they can identify the names of the columns. By slowly building knowledge about the exact structure of the database, they can afterwards easily extract information.
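The column-guessing probes described above leave a characteristic trail in the web server's access log, which is where a defender usually sees them first. The following added example (written for these notes, not from the lecture) scans a few constructed Common Log Format lines for the patterns this section mentions: `ORDER BY` probes, `UNION SELECT`, the quote tautology from the login example, and a script tag. The signatures, the log format and the sample lines are assumptions.

```python
# Added example (not from the slides): detection of SQL injection / XSS probing in
# constructed access-log lines. Log format and signature patterns are assumptions.
import re
from urllib.parse import unquote_plus

# Constructed sample log (Common Log Format); the paths echo the vulnweb demo site.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Jan/2022:10:01:02 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5123
10.0.0.9 - - [31/Jan/2022:10:01:07 +0000] "GET /listproducts.php?cat=1+order+by+6753 HTTP/1.1" 500 812
10.0.0.9 - - [31/Jan/2022:10:01:09 +0000] "GET /listproducts.php?cat=1%27%20OR%20%27%27%3D%27 HTTP/1.1" 200 9000
10.0.0.9 - - [31/Jan/2022:10:01:15 +0000] "GET /search.php?test=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 700
10.0.0.7 - - [31/Jan/2022:10:02:00 +0000] "GET /artists.php?artist=2 HTTP/1.1" 200 4000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Each signature is matched against the URL-decoded request target.
SIGNATURES = [
    ("sqli-order-by", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("sqli-union", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
]


def decode_target(target: str) -> str:
    """Decode twice so that double-encoded quotes (%2527) do not slip past."""
    return unquote_plus(unquote_plus(target))


def scan_line(line: str):
    """Return an alert dict for a line that matches a signature, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    hits = [name for name, rx in SIGNATURES if rx.search(decoded)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "path": decoded,
        "signatures": hits,
    }


def scan_log(text: str):
    return [a for a in (scan_line(l) for l in text.splitlines()) if a]


def probing_ips(alerts, threshold: int = 2):
    """Sources that tripped at least `threshold` alerts: the slow column-by-column
    guessing described in the notes shows up as many hits from one address."""
    counts = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(a["ip"], a["status"], a["signatures"], a["path"])
    print("probing:", probing_ips(found))
```

The 500 status on the `order by` line is itself a useful signal: a database error surfacing as a server error on a probe request is what the slide calls the "error returns" that tells the attacker the site is vulnerable, so pairing the signature with the status code ranks that alert above the others.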
Cross-Site Scripting (XSS)
➢ XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript.
➢Trusting user input→hijack user sessions, deface web sites, or redirect the user to malicious sites.
Cross-Site Scripting (XSS) cont.
➢Persistent/Stored XSS; the malicious string originates from the website’s database.
➢ Reflected XSS; malicious string originates from the victim’s request.
➢DOM-based XSS; client-side code vulnerability and not server-side code.
➢ DOM-based XSS is encountered less often than the other two.
➢ XSS is all about where the script originates from: from user input or from storage. But someone might ask, why use XSS? What can we do with XSS? The first example given below simply creates an alert message through user input. This shows us that the web application is vulnerable to XSS and that scripting can be used for various purposes. Let’s see more in depth below.
XSS example
http://testphp.vulnweb.com/index.php
XSS example cont.
http://testphp.vulnweb.com/index.php
XSS commands
http://testphp.vulnweb.com/index.php
➢ When testing a web application someone would first use a simple approach: trying to write something like an underlined hello or a bold hello. If the formatting is rendered, this indicates that no user input sanitisation is in place. The next stage would be what was presented in the previous slide: using a script to create an alert or error message or similar. If this works too, then it can be used for various things. Above, an example is shown where the script statement is changed to document.cookie. In this case the cookie of the session can be acquired, and by using this someone can create what is known as a cookie grabber (code presented in the slide). A script statement would then be used that combines the created cookie grabber and the previously acquired cookie. In this way the script is uploaded, which means that every time someone accesses the web application the creator of the cookie grabber acquires their cookie information, as presented in the next slide.
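The two controls that break the chain described above are output escaping (so the injected script is displayed as text rather than executed) and marking the session cookie HttpOnly (so document.cookie cannot read it even if a script does run). The following is an added example written for these notes, not code from the lecture or the vulnweb site; the comment-rendering functions, the sample payload and the cookie name are constructed.

```python
# Added example (not from the slides): a comment rendered without and with HTML escaping,
# plus a Set-Cookie header that keeps the session cookie out of document.cookie.
import html
from http.cookies import SimpleCookie

# Constructed payload of the kind shown on the XSS slides.
CONSTRUCTED_INPUT = "<script>alert(document.cookie)</script>"


def render_comment_unsafe(comment: str) -> str:
    """Untrusted data dropped into the page as-is: the browser runs the script."""
    return '<div class="comment">' + comment + "</div>"


def render_comment_safe(comment: str) -> str:
    """html.escape turns < > & " ' into entities, so the browser shows the
    payload as literal text instead of executing it."""
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


def contains_active_markup(rendered_html: str) -> bool:
    """Does a raw <script tag survive in the produced HTML?"""
    return "<script" in rendered_html.lower()


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie header for the session id.
    HttpOnly: not readable from document.cookie (defeats the cookie grabber).
    Secure: only sent over HTTPS.  SameSite=Strict: not sent on cross-site requests."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(CONSTRUCTED_INPUT))
    print("safe:  ", render_comment_safe(CONSTRUCTED_INPUT))
    print(session_cookie_header("constructed-session-id"))
```

Escaping must be applied at output time and match the context (HTML body here; attribute, JavaScript and URL contexts each need their own encoding), which is why template engines that escape by default are the safer choice over manual string building.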
XSS commands
http://testphp.vulnweb.com/index.php
Number 4: Insecure Design (NEW)
➢ Insecure design is a broad category, described as “missing or ineffective control design.” Insecure design differs from insecure implementation. Design flaws differ from implementation defects in that they have different root causes and remediation. A secure design can still have implementation defects leading to vulnerabilities that may be exploited.
➢ Lack of business risk profiling, a secure development lifecycle, secure libraries, threat modelling, secure languages, plausibility checks, testing, segregation of different elements, and limits on resource consumption per user.
Example Scenario
➢“Scenario: A cinema chain allows group booking discounts and has a maximum of fifteen attendees before requiring a deposit. Attackers could threat model this flow and test if they could book six hundred seats and all cinemas at once in a few requests, causing a massive loss of income.”
@owasp.org
Number 5: Security Misconfiguration including XML External Entities (4,6 → 5)
➢ Security misconfiguration is a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. It also covers the lack of secure configuration, patching and timely upgrades.
➢ Lack of knowledge → information gathering, unauthorised access, system takeover.
➢ Scenario: The application server comes with sample applications that are not removed from the production server. These sample applications have known security flaws which attackers use to compromise the server. If one of these applications is the admin console, and the default accounts weren’t changed, the attacker logs in with the default passwords and takes over.
➢ In this case two issues are identified:
1) Admin is not aware that new updates of the system are available or even is not knowledgeable on how to setup the system with settings that will enhance the cyber security level.
2) Admin is aware that there are some updates that need to take place but doesn’t identify them as critical, or has the “if it works, no reason to change” attitude, or maybe “why should I spend resources? The system would never become a target.”
Moreover, it is good for you to remember that in critical infrastructures patching is usually avoided as the risk of the system becoming unresponsive is generally high.
XML External Entities (XXE)
➢ Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
➢ The OWASP example (angle brackets restored; the external entity points at the password file):
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
➢ Trusting user input → extraction of data and information gathering.
➢ In the previous slide a piece of XML code is given. The vulnerability in this example is that the entity points at the password file, whose path is clearly visible. This gives important information on where valuable information is stored and how.
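The usual defence against XXE is to disable DTD processing in the XML parser; when the parser in use does not expose such a switch, a pre-parse check that refuses any document carrying a DOCTYPE or ENTITY declaration achieves the same effect. The following added example (written for these notes, not from the lecture or OWASP) applies that check before handing the document to Python's standard-library parser. The two sample documents are constructed; the rejected one follows the same external-entity pattern as the slide.

```python
# Added example (not from the slides): reject DOCTYPE/ENTITY declarations in client
# supplied XML before parsing. Sample documents are constructed for illustration.
import re
import xml.etree.ElementTree as ET

# Constructed: a benign order document and one carrying an external entity
# declaration of the kind shown on the XXE slide.
BENIGN_XML = '<?xml version="1.0"?><order><item>book</item></order>'
XXE_XML = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    "<order><item>&xxe;</item></order>"
)

# Any DTD at all is refused: clients have no legitimate reason to ship one.
DOCTYPE_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.I)


class UnsafeXML(ValueError):
    """Raised when a document contains DTD constructs that could carry XXE."""


def parse_untrusted_xml(data: str) -> ET.Element:
    """Parse XML from an untrusted source, refusing DOCTYPE/ENTITY declarations."""
    if DOCTYPE_RE.search(data):
        raise UnsafeXML("DOCTYPE/ENTITY declarations are not accepted from clients")
    return ET.fromstring(data)


def first_item(data: str) -> str:
    """Application-level use of the guarded parser: read the first <item>."""
    return parse_untrusted_xml(data).findtext("item")


def is_accepted(data: str) -> bool:
    """True if the document passes the guard and parses."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXML:
        return False


if __name__ == "__main__":
    print("benign:", is_accepted(BENIGN_XML), "->", first_item(BENIGN_XML))
    print("xxe:   ", is_accepted(XXE_XML))
```

Rejecting the document outright (HTTP 400) rather than stripping the declaration is preferable: a silently modified document can hide a probe from the people who should be looking at it, so the rejection is worth logging.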
Number 6: Vulnerable & Outdated components known previously as using Components with Known Vulnerabilities (9 → 6)
➢ Libraries, frameworks and other components run with the same privileges as the application. If a component is exploited there can be serious data loss or server takeover.
➢ Privileges’ policy + lack of knowledge → privilege escalation, remote execution, data loss + takeover.
➢ Scenario: “There are automated tools to help attackers find unpatched or misconfigured systems. For example, the Shodan IoT search engine can help you find devices that still suffer from Heartbleed vulnerability patched in April 2014.”
@owasp.org
➢ Imagine having an application that relies on different libraries, frameworks and more, and is hosted on a server. If someone manages to exploit, for example, one of the libraries, this incident will destabilise the application, and not only this: it might open a door for further exploitation in other domains too. This is why it is important to make sure, individually and as a group, that a certain cyber security level has been achieved. However, this level is not something that can be easily defined.
Number 7: Identification & Authentication Failure previously known as Broken Authentication (2→7)
➢ Compromise of the system, unauthorised information disclosure and more.
➢ Scenario: An airline reservations application supports URL rewriting, putting session IDs in the URL. A user wants to let his friends know about a sale, so he e-mails the link, which contains his session ID. When his friends use the link they will use his session ID and possibly his credit card, if the user went on with a purchase.
➢When a visitor signs in to a website, the site uses a proprietary algorithm to generate a unique session ID. This becomes the