Web applications are applications that run on a remote application server and are available to clients over the internet.
Server Administrators are responsible for the web server's safety, speed, functioning and performance.
Application Administrators are responsible for the management and configuration required for the web application.
Clients are the endpoints which interact with the web application / server.
Front-end <-> Back-end
Users interact with the front-end; the processing is controlled and carried out by the back-end.
Server-side languages:
- PHP
- Java
- C#
- Python
- JavaScript
- many more...
Client-side languages:
- CSS
- JavaScript
- HTML
- Presentation Layer: responsible for displaying information to the user.
- Logical Layer: manipulates information going to and from the forms.
- Data Layer: holds the data for the application.
In Web 1.0, users are limited to passively viewing content.
In Web 2.0, users can interact and collaborate; it offers a rich user experience and dynamic content.
- Cookie poisoning
- Insecure storage
- Information leakage
- Directory traversal
- Parameter/Form tampering
- DoS attack
- Buffer overflow
- Log tampering
- SQL injection
- Cross-site Scripting
- Cross-site Request Forgery
- Security misconfiguration
- Broken session management
- DMZ attacks
- Session hijacking
- Network access attacks
Processing non-validated input from the client at the back-end. This is a major vulnerability and the basis of injection attacks (SQL injection, XSS, buffer overflow).
Parameter tampering is an attack where the attacker manipulates parameters while client and server are communicating with each other. Parameters such as the Uniform Resource Locator (URL) or web page form fields are modified (cookies, HTTP headers, form fields).
Injection works if a web application allows untrusted input to be executed.
- Malicious code injection
- File injection
- SQL injection
- Command injection
- LDAP injection
Injection of malicious SQL queries. The attacker can manipulate the database. These vulnerabilities can be detected using an automated scanner.
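As an added example (not code from the original notes), the snippet below puts the vulnerable pattern next to its hardened form against a constructed in-memory SQLite table. The string-concatenated query lets quote characters in client input change the SQL text, while the parameterized version binds the value so it can only ever be data; a small metacharacter detector shows the kind of check a log review or filter could apply as defence in depth. All table and user names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from any real system).
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: the client-supplied value is pasted into the SQL text,
    so a quote character in the input changes the meaning of the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: a parameterized query. The driver binds the value, so
    whatever characters it contains, it is compared as data, never run as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def looks_like_sql_metachars(value):
    """Cheap input filter / log-review check: flags values carrying SQL quote
    or comment metacharacters. Useful for detection, but only a secondary
    control; parameterization is the fix."""
    return any(tok in value for tok in ("'", '"', "--", ";", "/*"))


def demo():
    """Run both lookups with a normal name and with the textbook tautology
    input and return what each one gives back."""
    conn = make_db()
    tautology = "x' OR '1'='1"  # constructed input used only to show the difference
    return {
        "safe_normal": lookup_safe(conn, "alice"),
        "vuln_normal": lookup_vulnerable(conn, "alice"),
        "vuln_tautology_rows": len(lookup_vulnerable(conn, tautology)),
        "safe_tautology_rows": len(lookup_safe(conn, tautology)),
        "flagged": looks_like_sql_metachars(tautology),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable lookup returns every row for the tautology input because the WHERE clause has been rewritten; the parameterized lookup returns nothing, since no user is literally named `x' OR '1'='1`.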
- Shell injection
- File injection
- HTML embedding
The attacker can access the database using LDAP filters to search for information.
- User Registration DoS: an automated process in which the attacker keeps registering fake accounts.
- Login DoS: the attacker keeps sending login requests.
- User Enumeration: the attacker brute-forces login credentials with a dictionary attack.
- Account Lock: the attacker attempts to lock the user's account by submitting invalid passwords.
- Observing functionality
- Identify vulnerabilities, entry points, servers
- HTTP request analysis
- HTTP fingerprinting
- Hidden content discovery
Exploit the authentication mechanism:
- Username enumeration
- Cookie exploitation
- Session attacks
- Password attacks
- Accessing the web application with a low-privilege account, then escalating privileges to obtain information
- Parameter tampering (URL, POST data, Query string, cookies, HTTP header)
Impersonate a legitimate user.
Session hijacking techniques:
- Session token prediction
- Session token tampering
- Man-in-the-Middle attack
- Session replay
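As an added example (not code from the original notes), the session store below shows the server-side controls that blunt the four techniques listed above: unpredictable tokens from the OS CSPRNG instead of a sequential id (against token prediction), lookup by exact token with an idle timeout (the "cookie timeout" countermeasure, against replay of an old token), and rotation of the token after login so a value observed before authentication is useless afterwards. The class, its method names and the injectable clock are assumptions made for the demonstration.

```python
import secrets
import time


class SessionStore:
    """Minimal in-memory session store (constructed for the demonstration)."""

    def __init__(self, idle_timeout=900, clock=time.time):
        self.idle_timeout = idle_timeout  # seconds of inactivity before expiry
        self.clock = clock                # injectable so tests can move time
        self.sessions = {}                # token -> (user, expiry timestamp)

    @staticmethod
    def predictable_token(counter):
        """What NOT to do: a sequential id. Holding one value lets an
        observer guess the neighbours (session token prediction)."""
        return f"sess-{counter:08d}"

    def create(self, user):
        """Issue a fresh token: 32 random bytes (256 bits) from the CSPRNG."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, self.clock() + self.idle_timeout)
        return token

    def lookup(self, token):
        """Return the user for a live token, or None if unknown or expired.
        A valid lookup slides the expiry forward (idle timeout)."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, expires = entry
        if self.clock() > expires:
            del self.sessions[token]  # expired: same effect as a cookie timeout
            return None
        self.sessions[token] = (user, self.clock() + self.idle_timeout)
        return user

    def rotate(self, token):
        """Invalidate the old token and issue a new one. Call this after login
        or a privilege change so a token captured earlier cannot be replayed."""
        user = self.lookup(token)
        if user is None:
            return None
        del self.sessions[token]
        return self.create(user)

    def logout(self, token):
        """Server-side invalidation; deleting the cookie alone is not enough."""
        self.sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore(idle_timeout=60)
    t = store.create("alice")
    print("token length:", len(t), "user:", store.lookup(t))
    print("rotated:", store.rotate(t) != t)
```

The token is the only thing that ties a request to a user, so its entropy, its lifetime and the fact that it changes across the authentication boundary are what a hijacker has to defeat.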
Inject malicious code, commands and files.
Techniques:
- Web Script injection
- OS Command injection
- SMTP injection
- SQL injection
- LDAP injection
- XPath injection
- Buffer Overflow
- Canonicalization
Exploits the data connectivity between the application and its database. A data connection requires a connection string.
- Connection String Injection
- Connection String Parameters Pollution (CSPP)
- Connection Pool DoS
Percent encoding or URL encoding is a technique for safely handling URLs by replacing unsafe and non-ASCII characters with % followed by two hexadecimal digits.
Example:
%20 or + are both used for SPACE
In URLs there are reserved characters, such as '/', which separates path segments. To use such a character literally rather than as a separator, it must be encoded.
%2F is used for '/'
Full list of percent encoded characters here
HTML encoding specifies how special characters will be shown.
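As an added example (not code from the original notes), the functions below use Python's standard `urllib.parse` and `html` modules to show the two points made above: space encodes as either `%20` or `+` depending on context, and `/` must become `%2F` when it is data inside a path segment. The two `split_path` variants show why the order of splitting and decoding matters: decoding before splitting turns an encoded `%2F` back into a separator, which is one way path handling goes wrong. The function names are assumptions for the demonstration.

```python
import html
from urllib.parse import quote, quote_plus, unquote, unquote_plus


def encode_query_value(value):
    """Encode a value for a query string: space becomes '+', '/' becomes '%2F'
    (inside a value nothing is 'safe', so safe='' overrides the '/' default)."""
    return quote_plus(value, safe="")


def decode_query_value(encoded):
    """Decode a query-string value: '+' and '%20' both come back as a space."""
    return unquote_plus(encoded)


def encode_path_segment(segment):
    """Encode ONE path segment: space is '%20' here, and '/' must be '%2F'
    so it is treated as data rather than as a path separator."""
    return quote(segment, safe="")


def split_path(raw_path):
    """Correct order: split the still-encoded path on '/' first, then decode
    each segment, so an encoded %2F stays inside its segment."""
    return [unquote(seg) for seg in raw_path.split("/") if seg]


def split_path_decode_first(raw_path):
    """Wrong order: decoding first makes %2F a separator, so one segment
    silently becomes two (a root cause of path confusion bugs)."""
    return [seg for seg in unquote(raw_path).split("/") if seg]


def html_encode(text):
    """HTML-encode text for output so '<', '>', '&' and quotes are shown
    as characters instead of being parsed as markup."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    print(encode_query_value("a b/c"), encode_path_segment("a b/c"))
    print(split_path("/files/report%2F2024.pdf"))
    print(split_path_decode_first("/files/report%2F2024.pdf"))
    print(html_encode('<b>"x"</b>'))
```

The same rule drives output encoding generally: choose the encoder for the context the data lands in (query string, path segment, HTML body), and decode at the last responsible moment rather than up front.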
- Input validation
- Customized error messages
- Monitoring database traffic
- Limit length of user input
- Testing tools
- Filtering metacharacters
- Filtering output
- Reverse proxy
- Remove unnecessary functions
- Secure remote administration
- Firewall
- IDS
- Dynamic testing
- Source Code analysis
- Strong cryptography
- Use SSL
- Hotfixes / patches
- Cookie timeout