NIYAS N S
14CS246
Vulnerabilities in Modern Web Applications
Introduction
• The trend in modern application design is to move applications onto remote servers.
• Benefits:
  – consistent and quick updates
  – application monitoring
  – lower requirements on local hardware performance
  – e.g. Office 365, Google Docs
• Drawbacks:
  – a good-quality Internet connection is needed
  – security: the application and its data are now exposed on the network
Contents
• Penetration Testing Tools
• Web Application Vulnerabilities
• Security Recommendations
Penetration Testing Tools
• The higher security risk of remotely run applications has to be verified, quantified and minimized.
• Main goal: improve application security by pointing out its security flaws.
• There are two basic phases of the testing
  – Reconnaissance
  – Application Exploitation
Reconnaissance Phase
• Passive
  – gather as much information as possible about the targeted network
  – the network itself is not accessed (only public sources are queried)
• Active
  – interact directly with the targeted devices
  – to identify the OS, running services and potential vulnerabilities
• Application Scanning
  – automated scanning of web applications
  – results give a general idea of the application's attack surface
  – and guidance for exploiting the flaws found
Passive Phase
• Maltego
  – OSINT (Open Source Intelligence) tool
  – a group of tools ("transforms") using publicly available data
  – queries indexes and databases (DNS, WHOIS, search engines, social networks) to gather information about the target
• Discover Scripts
  – OSINT type
  – integrates search and scanning utilities available in Kali Linux
Active Phase
• Ettercap
  – open source, multi-platform tool for network traffic sniffing and man-in-the-middle attacks
  – can capture the communication between two hosts on a network
  – used to gather sensitive information such as passwords
• Nmap
  – finds end devices on the connected networks and their open ports
  – can build a map of the network
  – fingerprints OS versions, services and running daemons
Application Scanning
• Arachni
  – automated, multi-platform web application security scanner
  – uses asynchronous HTTP requests, parallel processing of JavaScript operations and multi-threaded scanning
  – integrated browser engine, so it can scan JavaScript-heavy (AJAX) applications using advanced techniques
• OWASP ZAP (Zed Attack Proxy)
  – Proxy (captures communication), Scanner (passive, active), Fuzzer (sequentially sends dangerous payloads to identify vulnerabilities), Spider (traverses all web pages), Forced Browsing (discovers direct access to files stored on the server)
Web Application Exploitation
• SQL Tools
  – SQLMap
    • open source tool for testing the database layer of a web application
    • typical exploitation is SQL injection
    • after successful exploitation sqlmap can, depending on the DBMS and its privileges, obtain an OS shell
    • dumped data can be saved to a file if the attack succeeds
  – NoSQLMap
    • currently supports only MongoDB; support for other NoSQL databases like CouchDB, Redis and Cassandra is planned
    • the attack itself can take a few minutes, depending on the scope
Web Application Exploitation
• Password Attacks
  – Hashcat
    • open source password recovery tool supporting many hash algorithms (MD5, SHA family, ...)
    • computation runs either on the CPU or on the GPU (parallelized architecture)
      – cudaHashcat for NVIDIA
      – oclHashcat for AMD
      – (since hashcat 3.0 both were merged into a single hashcat binary that drives CPU and GPU through OpenCL)
    • hashcat contains the following attack modes
      – straight (classical dictionary attack)
      – combination (words joined from multiple dictionaries)
      – brute-force (a mask specification lets you omit password combinations that cannot occur)
Web Application Exploitation
• Burp Suite
  • Web Vulnerability Scanner
  • Proxy (captures and modifies communication)
  • Spider (crawls the application and submits forms to build a site map)
  • Intruder (runs automated attacks such as fuzzing or brute forcing, based on the performed analysis)
  • Repeater (repeatedly modifies HTTP requests and analyzes the replies)
  • Sequencer (analyzes the randomness of security tokens)
Web Application Exploitation
• BeEF (Browser Exploitation Framework)
  – focused on client-side attacks, typically delivered via XSS
  – modular framework
  – main functionality is the hooking process: a JavaScript hook injected into a page puts the victim's browser under BeEF's control
Web Application Vulnerabilities
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Insecure Direct Object Reference
• SQL Injection
• Broken Authentication and Session Management
Cross Site Scripting (XSS)
• Malicious script injected into a legitimate web application and executed in the victim's browser; it can change the look and function of the application.
• More widespread now because of the move to rich Internet applications using dynamic content, JavaScript and AJAX.
• It can be identified using OWASP ZAP and exploited using BeEF.
Cross Site Scripting (XSS)
• Impact of XSS
  – Data residing in the web page (including session cookies) can be sent anywhere in the world.
  – Facilitates many other types of attacks (CSRF, session attacks).
  – The site's behaviour can be hijacked.
Cross Site Scripting (XSS)
• Demo
– WebGoat Stored XSS
Preventing XSS
• Escape all user input when it is displayed (output encoding)
  – Escaping converts the output to harmless HTML entities
    • <script> becomes &lt;script&gt;
    • but is still displayed as <script>
  – Escape for the context the data lands in (HTML body, attribute, JavaScript, URL); HTML-entity escaping alone is not enough inside a script block
• Ensure your filter uses a whitelist (allowlist) approach
  – Filters based on blacklisting have historically been flawed
    • e.g. older PHP and Ruby on Rails sanitize helpers
  – Alternative encodings and tag variants easily bypass filters that use a blacklist approach
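The two approaches above side by side, as an added example that is not part of the original slides: a blacklist that strips the literal string "<script>" (defeated by an event-handler attribute and by a nested tag that reassembles after one pass), contextual output encoding with Python's html.escape, and an allowlist check on input. The payload strings are constructed for the demo.

```python
import html
import re

# Constructed sample payloads (not from the slides): a stored-XSS attempt
# submitted as a comment, and a nested-tag variant aimed at naive filters.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'
OBFUSCATED = '<scr<script>ipt>alert(1)</script>'


def blacklist_filter(value: str) -> str:
    """The flawed approach: strip the literal string '<script>' in one pass.
    Event-handler attributes pass straight through, and removing the inner
    '<script>' from OBFUSCATED reassembles a working script tag."""
    return re.sub(r"<script>", "", value, flags=re.IGNORECASE)


def tag_present(fragment: str) -> bool:
    """Does the fragment still contain something a browser parses as a tag?"""
    return re.search(r"<[A-Za-z/!]", fragment) is not None


def render_comment(comment: str) -> str:
    """Output encoding for an HTML text context: '<' -> '&lt;', '"' -> '&quot;'.
    The browser shows the characters instead of interpreting them as markup."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def render_attribute(display_name: str) -> str:
    """Attribute context: quotes must be escaped too, otherwise a '"' in the
    input closes the attribute and the rest becomes a new attribute."""
    escaped = html.escape(display_name, quote=True)
    return '<input type="text" name="display_name" value="' + escaped + '">'


# Allowlist validation on input: only characters that can appear in a name.
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9_ .'-]{1,32}")


def valid_display_name(name: str) -> bool:
    return DISPLAY_NAME_RE.fullmatch(name) is not None
```

Escaping at output time is the control that always applies; the allowlist on input is a second layer that only works where the set of legitimate values is narrow (a display name, not a free-text comment).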
Cross Site Request Forgery (CSRF)
• A CSRF attack forces a logged-on victim's browser to send
a pre-authenticated request to a vulnerable web
application.
• Occurs when an authenticated user unknowingly initiates
a request
• XSS facilitates CSRF via “Link Injection”
Cross Site Request Forgery (CSRF)
• Example: a state-changing GET request that any page the victim visits can trigger with an image tag or a link
  http://yourbank.com/transfer?to_account=my_account_number&amount=all_of_your_money
Preventing CSRF
• Add a secondary authentication mechanism
  – such as an unguessable, per-session anti-CSRF token embedded in every state-changing form and verified on the server
• Require a confirmation page (or re-authentication) before executing potentially dangerous actions
• Eliminate XSS vulnerabilities (a script running in the site's own origin can read the token and defeat all of the above)
• Use POST as your form action and only accept POST requests on the server for sensitive data; POST alone is not a defence, since an attacker's page can auto-submit a POST form, so the token is still required
• Set the SameSite attribute on the session cookie as an additional layer
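The token check described above, as an added example that is not part of the original slides. It assumes a hypothetical /transfer handler and a server-side session store; the three requests in demo() are constructed: a forged cross-site POST (cookie present, token absent), the bank's own form (cookie and token), and the slide's GET URL.

```python
import hmac
import secrets


class SessionStore:
    """Minimal server-side session store (constructed for this example).
    Each session gets its own random anti-CSRF token."""

    def __init__(self):
        self._sessions = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid: str):
        return self._sessions.get(sid)


def csrf_token_for(store: SessionStore, sid: str):
    """The value the server embeds as a hidden field in every state-changing form."""
    sess = store.get(sid)
    return sess["csrf_token"] if sess else None


def handle_transfer(store: SessionStore, method: str, cookies: dict, form: dict):
    """Hypothetical handler for /transfer. Returns (HTTP status, message)."""
    if method != "POST":                       # the slide's GET URL is refused outright
        return 405, "method not allowed"
    sess = store.get(cookies.get("session", ""))
    if sess is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # constant-time comparison so the check does not leak the token via timing
    if not hmac.compare_digest(submitted, sess["csrf_token"]):
        return 403, "CSRF token missing or invalid"
    return 200, "transferred %s from %s to %s" % (
        form.get("amount"), sess["user"], form.get("to_account"))


def demo():
    """Three requests against the same logged-in session."""
    store = SessionStore()
    sid = store.create("victim")
    cookies = {"session": sid}      # the browser attaches this cookie to every request
    # 1. Attacker's page auto-submits a POST form in the victim's browser. The
    #    cookie goes along, but the attacker cannot read the token (same-origin policy).
    forged = handle_transfer(store, "POST", cookies, {"to_account": "attacker", "amount": "all"})
    # 2. Form rendered by the bank itself carries the token.
    legit_form = {"to_account": "savings", "amount": "100", "csrf_token": csrf_token_for(store, sid)}
    legit = handle_transfer(store, "POST", cookies, legit_form)
    # 3. Same parameters via GET (the slide's URL) never reach the token check.
    via_get = handle_transfer(store, "GET", cookies, legit_form)
    return forged, legit, via_get
```

The forged request fails only because the attacker cannot obtain the token, which is exactly why an XSS flaw in the same origin undoes the defence.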
Insecure Direct Object Reference
• A direct object reference occurs when a developer
exposes a reference to an internal implementation object,
such as a file, directory, database record, or key, as a URL
or form parameter.
• Attackers can manipulate those references to access other
objects without authorization.
• E.g. /BankAccount.jsp?acct_nmbr=123
  – The attacker changes the parameter (acct_nmbr=124) and, if the server does not check ownership, views another user's account
Session Attacks
• Session Fixation
  – The attacker plants a session ID they already know into the victim's browser (e.g. via a phishing link carrying the ID in the URL); once the victim logs in, the attacker uses that same ID
• Session Hijacking
  – The attacker masquerades as another user by stealing the user's session ID (usually via XSS or network sniffing)
Insecure Direct Object Reference
• Demo
– Bypass a path based access control scheme
Preventing Insecure Direct Object Reference
• Properly validate data!
  – All input data MUST be validated server side for each request; client side validation is EASILY bypassed
• Check authorization on every request: the referenced object must belong to (or be permitted for) the authenticated user
• Do not expose internals to the user
  – such as database IDs (where possible)
• Use an indirect reference map with hard to guess keys (random or hashed)
  – POST /BankAccount.jsp?acct_nmbr=d83OJdm3
  – The server then uses the key to look up the real value
    » Key: d83OJdm3  value: 123
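An indirect reference map plus the ownership check, as an added example that is not part of the original slides. The account table, user names and the handler names are constructed; the map hands out random keys per session, and view_account refuses both unknown keys and keys that resolve to someone else's record, while view_account_direct shows the vulnerable behaviour from the slide.

```python
import secrets

# Constructed sample data: account number -> owner and balance.
ACCOUNTS = {
    123: {"owner": "alice", "balance": 1500},
    124: {"owner": "bob", "balance": 42},
}


class ReferenceMap:
    """Per-session indirect reference map: opaque random key <-> real account number.
    Keys only exist for records the session has actually been shown."""

    def __init__(self):
        self._direct = {}    # key -> real id
        self._indirect = {}  # real id -> key

    def key_for(self, real_id: int) -> str:
        if real_id not in self._indirect:
            key = secrets.token_urlsafe(8)   # 64 random bits, not enumerable
            self._indirect[real_id] = key
            self._direct[key] = real_id
        return self._indirect[real_id]

    def resolve(self, key: str):
        return self._direct.get(key)


def list_accounts(user: str, refmap: ReferenceMap):
    """Render the account list for `user`; only indirect keys leave the server."""
    return [refmap.key_for(n) for n, a in ACCOUNTS.items() if a["owner"] == user]


def view_account(user: str, refmap: ReferenceMap, key: str):
    """Hypothetical handler for /BankAccount?acct=<key>. Two checks: the key must
    map to a record this session was shown, and the record must belong to `user`."""
    real_id = refmap.resolve(key)
    if real_id is None:
        return 404, None
    acct = ACCOUNTS.get(real_id)
    if acct is None or acct["owner"] != user:   # the authorization check
        return 403, None
    return 200, acct["balance"]


def view_account_direct(user: str, acct_nmbr: int):
    """Vulnerable version from the slide: trusts the number in the URL and
    never asks whether `user` owns it."""
    acct = ACCOUNTS.get(acct_nmbr)
    return (200, acct["balance"]) if acct else (404, None)
```

The map hides the internal IDs and makes guessing impractical, but the ownership test in view_account is what actually closes the hole: even a leaked key of another user's account yields 403.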
SQL Injection
• SQL injection is a security vulnerability that occurs in the database layer of an application.
• Its source is untrusted input being concatenated into dynamically generated SQL statements without correct escaping (or, better, without separating the query code from the data at all), so the attacker's input is parsed as part of the query.
SQL Injection
• Login Example Attack
  – On the original slide the SQL is shown in blue, the attacker's input in orange and the application code in black
• Dynamically built SQL string performing authentication:
  – "SELECT * FROM users WHERE login = '" + userName + "' and password = '" + password + "'";
• Attacker logs in as: ' or '' = ''; --
  – SELECT * FROM users WHERE login = '' or '' = ''; --' and password = ''
  – '' = '' is always true and the comment marker discards the password check, so the query returns the first user
SQL Injection
• Demo
– SQL String Injection
Preventing SQL Injection
• Use Prepared Statements (aka Parameterized Queries)
  – the query text contains only placeholders: "select * from accounts where id = ?"
  – the value ($id = 1234) is bound separately, so it is always treated as data
  vs
  – string building: "select * from accounts where id = " + $id, which becomes "select * from accounts where id = 1234" for honest input and whatever SQL the attacker chooses for hostile input
• Escape questionable characters (ticks, --, semicolons, brackets, etc.) only as a fallback where parameterization is impossible (e.g. identifiers such as table names)
• Validate input
  – Strong typing
    • If the id parameter is a number, parse it into an integer and reject anything else
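The login attack and its fix run end to end, as an added example that is not part of the original slides. It uses an in-memory SQLite database with one constructed user row; login_vulnerable builds the string exactly as the slide does, login_parameterized binds the values, and parse_account_id is the strong-typing check. The payload is a variant of the slide's (no semicolon, same effect).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a single constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, user_name: str, password: str) -> bool:
    """String-built query as on the slide: attacker input becomes SQL syntax."""
    sql = ("SELECT * FROM users WHERE login = '" + user_name +
           "' and password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, user_name: str, password: str) -> bool:
    """Prepared statement: '?' placeholders. The driver passes the values
    separately, so a quote in the input can never terminate the string literal."""
    sql = "SELECT * FROM users WHERE login = ? and password = ?"
    return conn.execute(sql, (user_name, password)).fetchone() is not None


def parse_account_id(raw):
    """Strong typing for numeric parameters: an integer or nothing."""
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


# Attacker input: closes the login literal, adds an always-true clause and
# comments out the password check.
INJECTION = "' or ''='' --"
```

With INJECTION as the user name, the vulnerable function executes `SELECT * FROM users WHERE login = '' or ''='' --' and password = '...'` and returns the admin row; the parameterized version looks for a user literally named `' or ''='' --` and finds none.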
Broken Authentication and Session Management
• Account credentials and session tokens are often not properly protected.
• Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
Authentication Checks
• Never store passwords in plaintext
  – use a salted, slow password hash (bcrypt, scrypt, Argon2 or PBKDF2); reversible encryption only moves the problem to protecting the key
• Architect applications to check every request to see that the authentication data is still valid
• Issue a new session token when a change in privilege occurs (e.g. at login)
• If you absolutely must use "remember me" functionality, use a difficult to guess authentication cookie
• Authentication data is sent with every request, so protect it (TLS, HttpOnly and Secure cookie flags)
Preventing Authentication and Session Attacks
• Use built in session management!
• Use securely, randomly generated session keys to make prediction impossible
  – Don't expose session IDs to the user (e.g. in URLs) if possible
• Use reasonable session timeouts
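The "Authentication Checks" and "Preventing Authentication and Session Attacks" recommendations above combined into one small login flow, as an added example that is not part of the original slides: salted PBKDF2 password storage with constant-time verification, CSPRNG session IDs, a new ID issued at login (which is what defeats session fixation), and an idle timeout. The session manager, user names and passwords are constructed for the demo; the clock is injectable so the timeout can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# PBKDF2 work factor. 100 000 keeps this demo fast; OWASP's 2023 guidance is
# 600 000 iterations for PBKDF2-HMAC-SHA256, or Argon2/bcrypt/scrypt instead.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str) -> str:
    """Salted, slow hash. Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class SessionManager:
    """In-memory session store (constructed for this example)."""

    IDLE_TIMEOUT = 15 * 60   # seconds

    def __init__(self, clock=time.time):
        self._sessions = {}  # sid -> {"user": Optional[str], "last_seen": float}
        self._clock = clock

    def new_session(self) -> str:
        """Anonymous (pre-login) session. 32 CSPRNG bytes: not predictable."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def current_user(self, sid: str) -> Optional[str]:
        """Validate the session on every request; expire it after IDLE_TIMEOUT."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self._clock() - sess["last_seen"] > self.IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        sess["last_seen"] = self._clock()
        return sess["user"]

    def login(self, sid: str, user: str, password: str, users: dict) -> Optional[str]:
        """Privilege change: drop the pre-login ID and issue a new one, so an ID an
        attacker planted (session fixation) never becomes an authenticated session."""
        stored = users.get(user)
        if stored is None or not verify_password(password, stored):
            return None
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid


def fixation_demo():
    """Attacker plants a known ID; after the victim logs in it is worthless."""
    users = {"alice": hash_password("correct horse")}          # constructed user
    clock = [1_000.0]
    mgr = SessionManager(clock=lambda: clock[0])
    planted = mgr.new_session()                                 # ID the attacker knows
    fresh = mgr.login(planted, "alice", "correct horse", users) # victim logs in with it
    return mgr.current_user(planted), mgr.current_user(fresh)   # (None, 'alice')
```

Rotating the ID at login is the cheap, general fix for fixation; it costs nothing to the user and does not depend on knowing how the attacker delivered the planted ID.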
Preventing Authentication and Session Attacks
• Demo
– Session Fixation
Thank You
------------------------------------

More Related Content

What's hot

Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharCross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Sandeep Kumbhar
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site Scripting
Ali Mattash
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Cybersecurity Education and Research Centre
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Nezar Alazzabi
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site Scripting
InMobi Technology
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
Rob Ragan
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application Vulnerabilities
Preetish Panda
 
Xss attack
Xss attackXss attack
Xss attack
Manjushree Mashal
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
Vishal Kumar
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
Mohammed A. Imran
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
kinish kumar
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
Priyanka Aash
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 
Broken access controls
Broken access controlsBroken access controls
Broken access controls
Akansha Kesharwani
 
CSRF Basics
CSRF BasicsCSRF Basics

What's hot (20)

Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharCross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site Scripting
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site Scripting
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application Vulnerabilities
 
Xss attack
Xss attackXss attack
Xss attack
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 
Web application security
Web application securityWeb application security
Web application security
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
Broken access controls
Broken access controlsBroken access controls
Broken access controls
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basics
 

Similar to Vulnerabilities in modern web applications

www.webre24h.com - Ajax security
www.webre24h.com - Ajax securitywww.webre24h.com - Ajax security
www.webre24h.com - Ajax security
webre24h
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
tmd800
 
a
aa
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
Geoffrey Vandiest
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
bilcorry
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
Aditya Gupta
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
Alert Logic
 
How to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteHow to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET Website
DNN
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
Anurag Srivastava
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
DevSecCon
 
Security testautomation
Security testautomationSecurity testautomation
Security testautomation
Linkesh Kanna Velu
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
Top web apps security vulnerabilities
Top web apps security vulnerabilitiesTop web apps security vulnerabilities
Top web apps security vulnerabilities
Aleksandar Bozinovski
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Alert Logic
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web Apps
Alert Logic
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
Security Innovation
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
Kishor Kumar
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
owasp-pune
 

Similar to Vulnerabilities in modern web applications (20)

www.webre24h.com - Ajax security
www.webre24h.com - Ajax securitywww.webre24h.com - Ajax security
www.webre24h.com - Ajax security
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
a
aa
a
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
 
How to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteHow to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET Website
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
 
Security testautomation
Security testautomationSecurity testautomation
Security testautomation
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilities
 
Top web apps security vulnerabilities
Top web apps security vulnerabilitiesTop web apps security vulnerabilities
Top web apps security vulnerabilities
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web Apps
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 

Recently uploaded

React Native vs Flutter - SSTech System
React Native vs Flutter  - SSTech SystemReact Native vs Flutter  - SSTech System
React Native vs Flutter - SSTech System
SSTech System
 
AWS Cloud Practitioner Essentials (Second Edition) (Arabic) AWS Security .pdf
AWS Cloud Practitioner Essentials (Second Edition) (Arabic) AWS Security .pdfAWS Cloud Practitioner Essentials (Second Edition) (Arabic) AWS Security .pdf
AWS Cloud Practitioner Essentials (Second Edition) (Arabic) AWS Security .pdf
karim wahed
 
WEBINAR SLIDES: CCX for Cloud Service Providers
WEBINAR SLIDES: CCX for Cloud Service ProvidersWEBINAR SLIDES: CCX for Cloud Service Providers
WEBINAR SLIDES: CCX for Cloud Service Providers
Severalnines
 
Discover the Power of ONEMONITAR: The Ultimate Mobile Spy App for Android Dev...
Discover the Power of ONEMONITAR: The Ultimate Mobile Spy App for Android Dev...Discover the Power of ONEMONITAR: The Ultimate Mobile Spy App for Android Dev...
Discover the Power of ONEMONITAR: The Ultimate Mobile Spy App for Android Dev...
onemonitarsoftware
 
Safe Work Permit Management Software for Hot Work Permits
Safe Work Permit Management Software for Hot Work PermitsSafe Work Permit Management Software for Hot Work Permits
Safe Work Permit Management Software for Hot Work Permits
sheqnetworkmarketing
 
introduction of Ansys software and basic and advance knowledge of modelling s...
introduction of Ansys software and basic and advance knowledge of modelling s...introduction of Ansys software and basic and advance knowledge of modelling s...
introduction of Ansys software and basic and advance knowledge of modelling s...
sachin chaurasia
 
Leading Project Management Tool Taskruop.pptx
Leading Project Management Tool Taskruop.pptxLeading Project Management Tool Taskruop.pptx
Leading Project Management Tool Taskruop.pptx
taskroupseo
 
dachnug51 - Whats new in domino 14 .pdf
dachnug51 - Whats new in domino 14  .pdfdachnug51 - Whats new in domino 14  .pdf
dachnug51 - Whats new in domino 14 .pdf
DNUG e.V.
 
Shivam Pandit working on Php Web Developer.
Shivam Pandit working on Php Web Developer.Shivam Pandit working on Php Web Developer.
Shivam Pandit working on Php Web Developer.
shivamt017
 
BITCOIN HEIST RANSOMEWARE ATTACK PREDICTION
BITCOIN HEIST RANSOMEWARE ATTACK PREDICTIONBITCOIN HEIST RANSOMEWARE ATTACK PREDICTION
BITCOIN HEIST RANSOMEWARE ATTACK PREDICTION
ssuser2b426d1
 
CViewSurvey Digitech Pvt Ltd that works on a proven C.A.A.G. model.
CViewSurvey Digitech Pvt Ltd that  works on a proven C.A.A.G. model.CViewSurvey Digitech Pvt Ltd that  works on a proven C.A.A.G. model.
CViewSurvey Digitech Pvt Ltd that works on a proven C.A.A.G. model.
bhatinidhi2001
 
What is OCR Technology and How to Extract Text from Any Image for Free
What is OCR Technology and How to Extract Text from Any Image for FreeWhat is OCR Technology and How to Extract Text from Any Image for Free
What is OCR Technology and How to Extract Text from Any Image for Free
TwisterTools
 
Intro to Amazon Web Services (AWS) and Gen AI
Intro to Amazon Web Services (AWS) and Gen AIIntro to Amazon Web Services (AWS) and Gen AI
Intro to Amazon Web Services (AWS) and Gen AI
Ortus Solutions, Corp
 
NYC 26-Jun-2024 Combined Presentations.pdf
NYC 26-Jun-2024 Combined Presentations.pdfNYC 26-Jun-2024 Combined Presentations.pdf
NYC 26-Jun-2024 Combined Presentations.pdf
AUGNYC
 
React vs Next js: Which is Better for Web Development? - Semiosis Software Pr...
React vs Next js: Which is Better for Web Development? - Semiosis Software Pr...React vs Next js: Which is Better for Web Development? - Semiosis Software Pr...
React vs Next js: Which is Better for Web Development? - Semiosis Software Pr...
Semiosis Software Private Limited
 
COMPSAC 2024 D&I Panel: Charting a Course for Equity: Strategies for Overcomi...
COMPSAC 2024 D&I Panel: Charting a Course for Equity: Strategies for Overcomi...COMPSAC 2024 D&I Panel: Charting a Course for Equity: Strategies for Overcomi...
COMPSAC 2024 D&I Panel: Charting a Course for Equity: Strategies for Overcomi...
Hironori Washizaki
 
Abortion pills in Fujairah *((+971588192166*)☎️)¥) **Effective Abortion Pills...
Abortion pills in Fujairah *((+971588192166*)☎️)¥) **Effective Abortion Pills...Abortion pills in Fujairah *((+971588192166*)☎️)¥) **Effective Abortion Pills...
Abortion pills in Fujairah *((+971588192166*)☎️)¥) **Effective Abortion Pills...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
dachnug51 - HCL Sametime 12 as a Software Appliance.pdf
dachnug51 - HCL Sametime 12 as a Software Appliance.pdfdachnug51 - HCL Sametime 12 as a Software Appliance.pdf
dachnug51 - HCL Sametime 12 as a Software Appliance.pdf
DNUG e.V.
 
NBFC Software: Optimize Your Non-Banking Financial Company
NBFC Software: Optimize Your Non-Banking Financial CompanyNBFC Software: Optimize Your Non-Banking Financial Company
NBFC Software: Optimize Your Non-Banking Financial Company
NBFC Softwares
 
ThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and DjangoThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and Django
akshesh doshi
 

Recently uploaded (20)

React Native vs Flutter - SSTech System
React Native vs Flutter  - SSTech SystemReact Native vs Flutter  - SSTech System
React Native vs Flutter - SSTech System
 
AWS Cloud Practitioner Essentials (Second Edition) (Arabic) AWS Security .pdf
AWS Cloud Practitioner Essentials (Second Edition) (Arabic) AWS Security .pdfAWS Cloud Practitioner Essentials (Second Edition) (Arabic) AWS Security .pdf
AWS Cloud Practitioner Essentials (Second Edition) (Arabic) AWS Security .pdf
 
WEBINAR SLIDES: CCX for Cloud Service Providers
WEBINAR SLIDES: CCX for Cloud Service ProvidersWEBINAR SLIDES: CCX for Cloud Service Providers
WEBINAR SLIDES: CCX for Cloud Service Providers
 
Discover the Power of ONEMONITAR: The Ultimate Mobile Spy App for Android Dev...
Discover the Power of ONEMONITAR: The Ultimate Mobile Spy App for Android Dev...Discover the Power of ONEMONITAR: The Ultimate Mobile Spy App for Android Dev...
Discover the Power of ONEMONITAR: The Ultimate Mobile Spy App for Android Dev...
 
Safe Work Permit Management Software for Hot Work Permits
Safe Work Permit Management Software for Hot Work PermitsSafe Work Permit Management Software for Hot Work Permits
Safe Work Permit Management Software for Hot Work Permits
 
introduction of Ansys software and basic and advance knowledge of modelling s...
introduction of Ansys software and basic and advance knowledge of modelling s...introduction of Ansys software and basic and advance knowledge of modelling s...
introduction of Ansys software and basic and advance knowledge of modelling s...
 
Leading Project Management Tool Taskruop.pptx
Leading Project Management Tool Taskruop.pptxLeading Project Management Tool Taskruop.pptx
Leading Project Management Tool Taskruop.pptx
 
dachnug51 - Whats new in domino 14 .pdf
dachnug51 - Whats new in domino 14  .pdfdachnug51 - Whats new in domino 14  .pdf
dachnug51 - Whats new in domino 14 .pdf
 
Shivam Pandit working on Php Web Developer.
Shivam Pandit working on Php Web Developer.Shivam Pandit working on Php Web Developer.
Shivam Pandit working on Php Web Developer.
 
BITCOIN HEIST RANSOMEWARE ATTACK PREDICTION
BITCOIN HEIST RANSOMEWARE ATTACK PREDICTIONBITCOIN HEIST RANSOMEWARE ATTACK PREDICTION
BITCOIN HEIST RANSOMEWARE ATTACK PREDICTION
 
CViewSurvey Digitech Pvt Ltd that works on a proven C.A.A.G. model.
CViewSurvey Digitech Pvt Ltd that  works on a proven C.A.A.G. model.CViewSurvey Digitech Pvt Ltd that  works on a proven C.A.A.G. model.
CViewSurvey Digitech Pvt Ltd that works on a proven C.A.A.G. model.
 
What is OCR Technology and How to Extract Text from Any Image for Free
What is OCR Technology and How to Extract Text from Any Image for FreeWhat is OCR Technology and How to Extract Text from Any Image for Free
What is OCR Technology and How to Extract Text from Any Image for Free
 
Intro to Amazon Web Services (AWS) and Gen AI
Intro to Amazon Web Services (AWS) and Gen AIIntro to Amazon Web Services (AWS) and Gen AI
Intro to Amazon Web Services (AWS) and Gen AI
 
NYC 26-Jun-2024 Combined Presentations.pdf
NYC 26-Jun-2024 Combined Presentations.pdfNYC 26-Jun-2024 Combined Presentations.pdf
NYC 26-Jun-2024 Combined Presentations.pdf
 
React vs Next js: Which is Better for Web Development? - Semiosis Software Pr...
React vs Next js: Which is Better for Web Development? - Semiosis Software Pr...React vs Next js: Which is Better for Web Development? - Semiosis Software Pr...
React vs Next js: Which is Better for Web Development? - Semiosis Software Pr...
 
COMPSAC 2024 D&I Panel: Charting a Course for Equity: Strategies for Overcomi...
COMPSAC 2024 D&I Panel: Charting a Course for Equity: Strategies for Overcomi...COMPSAC 2024 D&I Panel: Charting a Course for Equity: Strategies for Overcomi...
COMPSAC 2024 D&I Panel: Charting a Course for Equity: Strategies for Overcomi...
 
Abortion pills in Fujairah *((+971588192166*)☎️)¥) **Effective Abortion Pills...
Abortion pills in Fujairah *((+971588192166*)☎️)¥) **Effective Abortion Pills...Abortion pills in Fujairah *((+971588192166*)☎️)¥) **Effective Abortion Pills...
Abortion pills in Fujairah *((+971588192166*)☎️)¥) **Effective Abortion Pills...
 
dachnug51 - HCL Sametime 12 as a Software Appliance.pdf
dachnug51 - HCL Sametime 12 as a Software Appliance.pdfdachnug51 - HCL Sametime 12 as a Software Appliance.pdf
dachnug51 - HCL Sametime 12 as a Software Appliance.pdf
 
NBFC Software: Optimize Your Non-Banking Financial Company
NBFC Software: Optimize Your Non-Banking Financial CompanyNBFC Software: Optimize Your Non-Banking Financial Company
NBFC Software: Optimize Your Non-Banking Financial Company
 
ThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and DjangoThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and Django
 

Vulnerabilities in modern web applications

  • 1. NIYAS N S 14CS246 Vulnerabilities in Modern Web Applications
  • 2. Introduction • Trend in modern application design is to move applications into a remote server . • Consistent and quick updates • Application monitoring • and lower requirements on local hardware performance. • eg Office 365, Google Docs etc. • Need good quality of Internet connection • Security
  • 3. Contents • Penetration Testing Tools • Web Application Vulnerabilities • Security Recommendations
  • 4. Penetration Testing Tools
    • The higher security risk of remotely run applications has to be verified, expressed, and minimized.
    • Main goal: improve the application's security by pointing out its security flaws.
    • There are two basic phases of the testing:
      – Reconnaissance
      – Application Exploitation
  • 5. Reconnaissance Phase
    • Passive
      • gather as much information as possible about the targeted network
      • the network itself is not accessed
    • Active
      • interact directly with the targeted devices
      • identify the OS, running services and potential vulnerabilities
    • Application Scanning
      • automated scanning of web applications
      • results give a general idea of the application
      • guidance in exploiting existing flaws
  • 6. Passive Phase
    • Maltego
      – OSINT (Open Source Intelligence) type
      – group of tools using publicly available data
      – uses lists of indexes and databases to search for information
    • Discover Scripts
      – OSINT type
      – integrates the search and scanning utilities of Kali Linux
  • 7. Active Phase
    • Ettercap
      – open-source multi-platform tool for network traffic sniffing
      – can capture communication between two users in a network
      – used to gather sensitive information such as passwords
    • Nmap
      – finds end devices connected to the network and their open ports
      – can build a network map
      – identifies OS versions, services, running daemons etc.
  • 8. Application Scanning
    • Arachni
      – automated multi-platform tool for security audits
      – uses asynchronous HTTP requests, parallel processing of JavaScript operations and multi-threaded scanning
      – integrated browser engine; scans web applications using advanced techniques
    • OWASP ZAP (Zed Attack Proxy)
      – Proxy (captures communication), Scanner (passive, active), Fuzzer (sequentially sends dangerous payloads to identify vulnerabilities), Spider (traverses all web pages), Forced Browsing (discovers direct access to files stored on the server)
  • 9. Web Application Exploitation
    • SQL Tools
      – SQLMap
        • open-source tool for testing the database part of a web application
        • typical exploitation is SQL injection
        • in case of successful exploitation, SQLMap can access a shell
        • data can be saved to a file if the attack is successful
      – NoSQLMap
        • currently supports only MongoDB; extensions for NoSQL databases like CouchDB, Redis and Cassandra are planned
        • the attack itself can take a few minutes, depending on scope
  • 10. Web Application Exploitation
    • Password Attacks
      – Hashcat
        • open-source tool supporting many hash algorithms (SHA, MD)
        • computation runs either on the CPU or on the GPU (parallelized architecture)
          – cudaHashcat for Nvidia
          – oclHashcat for AMD
        • Hashcat contains the following attack modes:
          – straight (classical dictionary attack)
          – combination (words joined from multiple dictionaries)
          – brute-force (a mask specification allows unused password combinations to be omitted)
  • 11. Web Application Exploitation
    • Burp Suite
      • Web Vulnerability Scanner
      • Proxy (captures and modifies communication)
      • Spider (creates a map of the web application and submits forms)
      • Intruder (carries out attacks based on the performed analysis)
      • Repeater (repeatedly modifies HTTP requests and analyzes the replies)
      • Sequencer (analyzes the randomness of security tokens)
  • 12. Web Application Exploitation
    • BeEF (Browser Exploitation Framework)
      – focused on XSS attacks
      – BeEF is a modular framework
      – its main functionality is the hooking process
  • 13. Web Application Vulnerabilities
    • Cross-Site Scripting (XSS)
    • Cross-Site Request Forgery (CSRF)
    • Insecure Direct Object Reference
    • SQL Injection
    • Broken Authentication and Session Management
  • 14. Cross Site Scripting (XSS)
    • Malicious code that can change the look and function of a legitimate web application.
    • More widespread now because of the move to richer Internet applications using dynamic content, JavaScript and the latest AJAX trend.
    • It can be identified using OWASP ZAP and exploited using BeEF.
  • 15. Cross Site Scripting (XSS)
    • Impact of XSS
      – Data residing in the web page can be sent anywhere in the world.
      – Facilitates many other types of attacks (CSRF, session attacks).
      – The site's behaviour can be hijacked.
  • 16. Cross Site Scripting (XSS)
    • Demo – WebGoat Stored XSS
  • 17. Preventing XSS
    • Escape all user input when it is displayed
      – Escaping converts the output to harmless HTML entities
        • <script> becomes &lt;script&gt;
        • but is still displayed as <script>
    • Ensure your filter uses a white-list approach
      – Filters based on blacklisting have historically been flawed
        • e.g. the PHP and Ruby on Rails sanitize methods
      – New encoding schemes can easily bypass filters that use a blacklist approach
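The two points of slide 17, output escaping and an allow-list rather than a block-list, as an added Python example that is not part of the original slides. `escape_for_html` is plain entity encoding via the standard library; `sanitize_allowlist` escapes everything and then re-enables only attribute-free tags from a small allow list; `naive_blacklist` is the kind of filter the slide warns against. The sample input, the allowed tag set and all function names are constructed for this example.

```python
import html
import re

# Constructed sample of untrusted input, as a comment field might carry it
# (example input, not from the original slides).
SAMPLE_INPUT = 'Nice post! <script>alert(1)</script> <b>bold</b>'


def escape_for_html(untrusted: str) -> str:
    """Output encoding: turn every HTML-significant character into an entity.

    html.escape(quote=True) covers <, >, &, " and ', so the browser renders
    the text literally and can never parse it as markup.
    """
    return html.escape(untrusted, quote=True)


# Allow list (assumption for the example): the only tags that may survive.
# Everything else stays escaped rather than stripped, so the text is still shown.
ALLOWED_TAGS = {"b", "i", "em", "strong"}

# Matches an already-escaped, attribute-free tag such as &lt;b&gt; or &lt;/b&gt;.
# A tag carrying attributes (&lt;b onclick=...&gt;) never matches and so stays escaped.
_ESCAPED_TAG_RE = re.compile(r"&lt;(/?)([a-zA-Z0-9]+)&gt;")


def sanitize_allowlist(untrusted: str) -> str:
    """Escape first, then restore only the allow-listed tags.

    Starting from the fully escaped form means anything the regex does not
    recognise is harmless by default, which is the white-list property.
    """
    escaped = escape_for_html(untrusted)

    def restore(match: re.Match) -> str:
        slash, name = match.group(1), match.group(2).lower()
        if name in ALLOWED_TAGS:
            return f"<{slash}{name}>"
        return match.group(0)          # not allowed: keep it as entities

    return _ESCAPED_TAG_RE.sub(restore, escaped)


def naive_blacklist(untrusted: str) -> str:
    """Block-list filter of the kind slide 17 calls flawed: it removes one
    spelling of one tag and passes every other spelling through unchanged."""
    return untrusted.replace("<script>", "").replace("</script>", "")


if __name__ == "__main__":
    print(escape_for_html("<script>"))        # &lt;script&gt;
    print(sanitize_allowlist(SAMPLE_INPUT))
    print(naive_blacklist("<SCRIPT>alert(1)</SCRIPT>"))  # unchanged: filter missed it
```

The order of operations matters: escaping first and selectively restoring afterwards is what makes the filter an allow list; a filter that starts from the raw input and tries to remove bad things is a block list no matter how long its pattern table grows.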
  • 18. Cross Site Request Forgery (CSRF)
    • A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application.
    • Occurs when an authenticated user unknowingly initiates a request.
    • XSS facilitates CSRF via "link injection".
  • 19. Cross Site Request Forgery (CSRF)
    http://yourbank.com/transfer?to_account=my_account_number&amount=all_of_your_money
  • 20. Preventing CSRF
    • Add a secondary authentication mechanism
      – such as an impossible-to-guess token
    • Require a confirmation page before executing potentially dangerous actions
    • Eliminate XSS vulnerabilities
    • Use POST as your form action and only accept POST requests on the server for sensitive data!
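The three server-side rules of slide 20 (per-session unguessable token, confirmation step, POST only) applied to the transfer link of slide 19, as an added Python example that is not part of the original slides. The in-memory token store, the `transfer_endpoint` handler and its `(status, message)` return shape are constructed for the example; a real application keeps the token in its session backend and reads the form from the framework's request object.

```python
import hmac
import secrets

# Constructed stand-in for the server-side session table: session id -> CSRF token.
_csrf_tokens = {}


def issue_csrf_token(session_id: str) -> str:
    """Mint one unguessable token per session and remember it server side.

    The token is embedded in a hidden form field. A forged request from another
    origin cannot include it, because the same-origin policy keeps the attacker's
    page from reading the victim's form.
    """
    token = secrets.token_urlsafe(32)
    _csrf_tokens[session_id] = token
    return token


def transfer_endpoint(method: str, session_id: str, form: dict) -> tuple:
    """Hypothetical /transfer handler. Returns (http_status, message).

    Order of checks: method, then token, then explicit confirmation. A GET link
    such as the one on slide 19 is rejected before any state is touched.
    """
    if method != "POST":
        return (405, "state-changing actions must use POST")

    expected = _csrf_tokens.get(session_id)
    supplied = form.get("csrf_token", "")
    # compare_digest on bytes: constant-time, and tolerant of non-ASCII input
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return (403, "missing or invalid CSRF token")

    if form.get("confirmed") != "yes":
        # Secondary confirmation page for a potentially dangerous action
        return (200, "please confirm the transfer")

    return (200, f"transferred {form['amount']} to {form['to_account']}")


if __name__ == "__main__":
    sid = "sess-demo"                       # constructed session id
    tok = issue_csrf_token(sid)
    # The slide-19 link arrives as a GET with query parameters: refused outright.
    print(transfer_endpoint("GET", sid, {"to_account": "other", "amount": "all"}))
    # A forged POST has no token for this session: refused.
    print(transfer_endpoint("POST", sid, {"to_account": "other", "amount": "all"}))
    # The legitimate form carries the token and the confirmation: accepted.
    print(transfer_endpoint("POST", sid, {"to_account": "savings", "amount": "10",
                                          "csrf_token": tok, "confirmed": "yes"}))
```

Note that the token check alone would already stop the slide-19 link; the POST-only rule is kept because it also blocks the cases where a token leaks into a URL and because it is the cheapest check to perform first.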
  • 21. Insecure Direct Object Reference
    • A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter.
    • Attackers can manipulate those references to access other objects without authorization.
    • E.g. /BankAccount.jsp?acct_nmbr=123
      – The hacker modifies the parameter to view another user's account
  • 23. Session Attacks
    • Session Fixation
      – The hacker predicts a valid session key (usually via phishing)
    • Session Hijacking
      – The hacker masquerades as another user by stealing the user's session id (usually via XSS)
  • 24. Insecure Direct Object Reference
    • Demo – Bypass a path-based access control scheme
  • 25. Preventing Direct Object Reference
    • Properly validate data!
    • All input data MUST be validated server side for each request
      – client-side validation is EASILY bypassed
    • Do not expose internals to the user
      • such as IDs (if possible/necessary)
    • Use an indirect reference map with hard-to-guess keys (hash)
      • POST /BankAccount.jsp?acct_nmbr=d83OJdm3
      • The server then uses the key to get the real value
        » Key: d83OJdm3, value: 123
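The indirect reference map of slide 25 (opaque key in the URL, real id looked up server side on every request) as an added Python example that is not part of the original slides. The account table, the per-session map and the `bank_account_view` handler are constructed for the example; a real application would scope the map to the authenticated session in its session store.

```python
import secrets

# Constructed data: which account numbers each user owns (not from the slides).
ACCOUNTS = {"alice": [123, 124], "bob": [777]}

# Per-session indirect reference map: session id -> {opaque key: real account id}.
_ref_maps = {}


def build_reference_map(session_id: str, user: str) -> list:
    """Issue a fresh random key for each object this user is allowed to see.

    Only the keys are handed to the client (embedded in links and forms);
    the real ids never leave the server.
    """
    mapping = {secrets.token_urlsafe(8): acct for acct in ACCOUNTS.get(user, [])}
    _ref_maps[session_id] = mapping
    return list(mapping)


def resolve_account(session_id: str, key: str):
    """Server-side validation on every request.

    A key that was not issued to this session, including a raw account number
    typed into the URL or a key copied from another user's session, resolves
    to None, so there is nothing for a tampered parameter to reach.
    """
    return _ref_maps.get(session_id, {}).get(key)


def bank_account_view(session_id: str, acct_key: str) -> tuple:
    """Hypothetical /BankAccount handler. Returns (http_status, body)."""
    real_id = resolve_account(session_id, acct_key)
    if real_id is None:
        return (403, "no such account for this session")
    return (200, f"account {real_id}")


if __name__ == "__main__":
    alice_keys = build_reference_map("sess-alice", "alice")
    print(alice_keys)                                   # e.g. ['d83OJdm3...'] style keys
    print(bank_account_view("sess-alice", alice_keys[0]))  # (200, 'account 12x')
    print(bank_account_view("sess-alice", "123"))        # (403, ...): raw id is not a key
```

Because the map is rebuilt per session with random keys, a key observed in one user's browser is meaningless in another session, and the server never has to ask "is this user allowed to see 123?" at lookup time: the question was answered when the map was built.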
  • 26. SQL Injection
    • SQL injection is a security vulnerability that occurs in the database layer of an application.
    • Its source is the incorrect escaping of dynamically generated string literals embedded in SQL statements.
  • 27. SQL Injection
    • Login Example Attack
      – Text in blue is your SQL code, text in orange is the hacker input, black text is your application code
    • Dynamically build the SQL string performing authentication:
      – "SELECT * FROM users WHERE login = '" + userName + "' and password= '" + password + "'";
    • Hacker logs in as: ' or '' = ''; --
      – SELECT * FROM users WHERE login = '' or '' = ''; --' and password=''
  • 28. SQL Injection
    • Demo – SQL String Injection
  • 29. Preventing SQL Injection
    • Use Prepared Statements (aka Parameterized Queries)
      – $id=1234
      – "select * from accounts where id = " + $id
        vs
      – "select * from accounts where id = 1234"
    • Escape questionable characters (ticks, --, semicolons, brackets, etc.)
    • Validate input
      – Strong typing
        • If the id parameter is a number, try parsing it into an integer
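The login query of slide 27 built both ways, by string concatenation and as a parameterized query, run against an in-memory SQLite database, plus the strong-typing check of slide 29. This is an added Python example, not part of the original slides; the user table and its rows are constructed, and the slide's own login string is reused unchanged as the input so that the two query styles can be compared on it. Passwords are compared in plaintext only to mirror the slide's query; slide 31 covers why they should be stored as salted hashes instead.

```python
import sqlite3

# The login value shown on slide 27.
SLIDE_LOGIN_INPUT = "' or '' = ''; --"


def make_db() -> sqlite3.Connection:
    """Constructed sample table (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, user_name: str, password: str) -> list:
    """Slide 27's pattern: the SQL text is assembled from the inputs.

    The quotes typed by the user become SQL syntax, so the WHERE clause
    is rewritten and the password check is commented out.
    """
    sql = ("SELECT * FROM users WHERE login = '" + user_name +
           "' and password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, user_name: str, password: str) -> list:
    """Prepared statement (slide 29): the query text is fixed and the values
    travel separately, so no input can change the statement's structure."""
    sql = "SELECT * FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (user_name, password)).fetchall()


def parse_account_id(raw: str) -> int:
    """Strong typing for a numeric parameter (slide 29): anything that is not
    a plain non-negative integer is rejected before it reaches the database."""
    if not raw.isdigit():
        raise ValueError("account id must be a non-negative integer")
    return int(raw)


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, SLIDE_LOGIN_INPUT, ""))     # every row: authentication bypassed
    print(login_parameterized(conn, SLIDE_LOGIN_INPUT, ""))  # []: the input is just a string
    print(login_parameterized(conn, "alice", "correct horse"))
    print(parse_account_id("1234"))
```

With the parameterized form, the same login value is looked up as a literal user name, finds nothing, and the login fails as it should; the database driver, not the application, is responsible for keeping data and code apart.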
  • 30. Broken Authentication and Session Management
    • Account credentials and session tokens are often not properly protected.
    • Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
  • 31. Authentication Checks
    • Never store passwords in plaintext
      – Encrypt, or hash+salt (preferred)
    • Architect applications to check every request to see that the authentication data is still valid
    • Issue a new session token when a change in privilege occurs
    • If you absolutely must use "remember me" functionality, use a difficult-to-guess authentication cookie
    • Authentication data is sent with every request, so protect it
  • 32. Preventing Authentication and Session Attacks
    • Use built-in session management!
    • Use secure randomly generated session keys to make prediction impossible
      – Don't expose the user to session ids if possible
    • Use reasonable session timeouts
  • 33. Preventing Authentication and Session Attacks
    • Demo – Session Fixation
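The controls of slides 31 and 32 in one place: salted password hashing, unpredictable session ids, a new session id issued at login (the privilege change that defeats session fixation), per-request validation and an idle timeout. This is an added Python example that is not part of the original slides; `SessionStore` and the `pbkdf2_sha256$...` storage format are constructed for it, and the iteration count is an assumption to be raised to whatever the login latency budget allows. Time is passed in explicitly so the timeout logic can be exercised deterministically.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000   # assumption for the example; raise on production hardware


def hash_password(password: str) -> str:
    """Hash+salt (slide 31): a random per-user salt and a deliberately slow KDF.

    Two users with the same password get different hashes, and a stolen table
    cannot be attacked with precomputed hashes.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class SessionStore:
    """Minimal server-side session table (constructed for the example)."""

    def __init__(self, timeout_seconds: float = 900.0):
        self.timeout = timeout_seconds
        self._sessions = {}   # session id -> {"user": str | None, "last_seen": float}

    def start(self, now: float) -> str:
        """Anonymous pre-login session. The id is random, never a counter."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": now}
        return sid

    def login(self, old_sid: str, user: str, now: float) -> str:
        """Privilege change: retire the pre-login id and issue a fresh one.

        An id planted in the victim's browser before login (session fixation)
        is therefore never associated with the authenticated user.
        """
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "last_seen": now}
        return new_sid

    def current_user(self, sid: str, now: float):
        """Validate on every request: unknown or idle-expired ids yield None."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess["last_seen"] > self.timeout:
            del self._sessions[sid]
            return None
        sess["last_seen"] = now
        return sess["user"]


if __name__ == "__main__":
    stored = hash_password("correct horse")
    print(verify_password("correct horse", stored), verify_password("wrong", stored))
    store = SessionStore(timeout_seconds=900)
    pre = store.start(now=0.0)
    post = store.login(pre, "alice", now=1.0)
    print(store.current_user(pre, now=2.0))    # None: pre-login id was retired
    print(store.current_user(post, now=2.0))   # alice
```

The session id rotation in `login` is the single change that turns a fixation-prone store into a safe one; the rest (random ids, timeouts, checking on every request) limits the damage if an id is stolen after login, which is the hijacking case of slide 23.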