Wednesday, May 27, 2009

Web Security Attacks

By Ritesh Kapse

 

Web surfing feels both safe and anonymous to end users, but it is neither. Active content such as ActiveX, JavaScript, VBScript, Flash and Java applets brings the possibility that a web page introduces viruses or other malicious software into the end user's system.

 

Most visitors to a site are content to use the web pages for the purpose they were created, but a few will try to peek at things you didn't intend for public consumption.

 

The following are a few of the techniques that web site hackers might use to compromise the security of your web application.

Fig. Web security attacks distribution

 

Session Prediction

A session prediction attack is surreptitiously obtaining session information, e.g. the session ID, of an authorized visitor. The session ID is normally stored in a cookie or in the URL. By analyzing the session ID generation process, an attacker can predict a valid session ID value, bypass the authentication scheme of the web application and gain access to it. Once identified, the hacker might use the same session ID for future visits to that site or associated sites.

 

Different versions of Jetty, the popular Java web server, are vulnerable to a session ID prediction attack. Jetty uses java.util.Random to generate session IDs. The internal state of this generator can easily be discovered, which lets an attacker hijack existing and future sessions.
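The difference between a general-purpose generator and a cryptographic one, as an added example that is not part of the original post. Python's random.Random stands in for java.util.Random; the function names and the seed value are assumptions made for illustration.

```python
import random
import secrets
import string

def general_purpose_ids(seed, count):
    """IDs from a general-purpose PRNG, the same class of generator as
    java.util.Random: every output is a function of the internal state."""
    rng = random.Random(seed)  # seed stands in for the generator's state
    return [format(rng.getrandbits(64), "016x") for _ in range(count)]

def csprng_id(nbytes=32):
    """ID from the operating system's CSPRNG (256 bits by default)."""
    return secrets.token_hex(nbytes)

def long_enough(session_id, min_bits=128):
    """Format check only: hex characters carrying at least min_bits.
    It cannot prove the ID came from a secure generator."""
    is_hex = bool(session_id) and all(c in string.hexdigits for c in session_id)
    return is_hex and len(session_id) * 4 >= min_bits

if __name__ == "__main__":
    state = 20090527  # constructed value
    issued = general_purpose_ids(state, 3)
    # The same state always yields the same IDs, so the IDs are only as
    # secret as the generator state is.
    print(general_purpose_ids(state, 3) == issued)
    # The 64-bit IDs fail the length check; the CSPRNG ID passes it.
    print(long_enough(issued[0]), long_enough(csprng_id()))
```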

Authentication Hacking

Obtaining a user's login information for a website is an authentication hacking attack. A web application assigns specific privileges to a user based on the identity established by the supplied credentials. In authentication hacking, the attacker has to gain access to the login prompt and enter a correct combination of login and password.

 

Password guessing can be one of the most effective techniques for defeating web authentication. Some common username/password pairs are:

Username          Password
root              root
administrator     administrator
[company_name]    [company_name]
admin             admin

 

If password guessing brings no results, the attacker can try a dictionary attack, which uses pre-computed lists of thousands of combinations of words, such as usernames and passwords, to try to authenticate to the web application. A brute force attack is a technique of trying a large number of possibilities. An important measure to stop such brute force and dictionary attacks is to add random content, e.g. an image with alphanumeric characters, to the login page.

 

 

Fig. Authentication hacking prevention

The security of your web application depends on how securely the passwords are stored, how complex they are, and how easily the server can be reached.
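One way to decide when the login page should present the image challenge described above, as an added example that is not part of the original post. The class name, the threshold of five failures in 300 seconds and the sample events are assumptions.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window count of failed logins per account and per source."""

    def __init__(self, max_failures=5, window_seconds=300):  # assumed policy
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)  # key -> failure timestamps

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()  # forget failures older than the window
        return q

    def record(self, user, source, success, now):
        if success:
            self._failures.pop(("user", user), None)  # reset on a good login
            return
        # Count per account (guessing one user) and per source (many users).
        for key in (("user", user), ("src", source)):
            self._recent(key, now).append(now)

    def captcha_required(self, user, source, now):
        keys = (("user", user), ("src", source))
        return any(len(self._recent(k, now)) >= self.max_failures for k in keys)

# Constructed events: (seconds, username, source address, login succeeded)
EVENTS = [(t, "admin", "203.0.113.7", False) for t in range(0, 60, 10)]
EVENTS.append((65, "alice", "198.51.100.4", False))

def first_challenge(events, throttle=None):
    """Return (time, user, source) of the first attempt that gets a CAPTCHA."""
    throttle = throttle or LoginThrottle()
    for now, user, source, success in events:
        if throttle.captcha_required(user, source, now):
            return (now, user, source)
        throttle.record(user, source, success, now)
    return None
```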

Cross Site Scripting (XSS/CSS)

Cross site scripting means the execution of a script that is not part of the web site being accessed. This is one of the most common techniques used by hackers. Hackers may embed JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable web page to fool the user, executing the script on his machine in order to gather information. A dynamic web page that passes parameters to a database is vulnerable to XSS. Web applications like shopping carts are vulnerable to XSS.

A simple example is a product comment box.

 

Fig. Comment box on vulnerable web site

 

In the above page, an attacker has inserted custom JavaScript code intended to steal the cookies of every user visiting the page.

 

Fig. Comment displayed to valid users

 

 

To other valid users logging into the same site, the web site appears to behave normally, but in reality their cookies are being stolen by the attacker.

 

XSS can be used to steal cookies for session hijacking or to execute malicious code on the end user's machine.
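The comment box case with its fix, as an added example that is not part of the original post: the same stored comment rendered without and with output encoding, plus a session cookie that page scripts cannot read. The function names, the cookie name SESSIONID and the sample comment are assumptions.

```python
import html
from http.cookies import SimpleCookie

COMMENT_ROW = "<li><b>%s</b>: %s</li>"

def render_comment_unsafe(author, text):
    """Vulnerable pattern: stored input is pasted into the page as markup."""
    return COMMENT_ROW % (author, text)

def render_comment_escaped(author, text):
    """Hardened pattern: HTML-encode on output so the browser shows the
    comment as text instead of parsing it as markup."""
    return COMMENT_ROW % (html.escape(author, quote=True),
                          html.escape(text, quote=True))

def session_cookie_header(session_id):
    """Set-Cookie value with HttpOnly (hidden from page scripts) and
    Secure (sent over HTTPS only)."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id  # cookie name is an assumption
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["path"] = "/"
    return cookie["SESSIONID"].OutputString()

# Constructed, harmless marker comment standing in for the attacker's input.
SAMPLE_COMMENT = "Nice product <script>alert(1)</script>"

if __name__ == "__main__":
    print(render_comment_unsafe("guest", SAMPLE_COMMENT))
    print(render_comment_escaped("guest", SAMPLE_COMMENT))
    print(session_cookie_header("0f" * 32))
```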

 

 

SQL Injection

In SQL injection, an attacker submits SQL through an HTML form to gain access to the web site. The victims of this type of attack are mostly login forms or pages of shopping cart applications. The idea is to pass SQL commands to the database through the web application. This attack is made possible by improper coding.

 

A simple example is a login page where the user can input a username and password.

 

(i) Login Form on vulnerable page

 

Suppose we are using following query in database directly from this

 

select id from USERS_TABLE where email='${param.email}' and password='${param.password}'

 

If the email and password variables are taken directly from the login form, the security of the web application can easily be compromised. Let's say a hacker inputs the following information in the login form.

 

(ii) SQL injection

 

The database query becomes

 

select id from USERS_TABLE where email='hacker@test.com' and password='anything' or 'x'='x'

 

The 'x'='x' condition is always true, so the WHERE clause matches every row regardless of the email and password supplied.

 

This allows the attacker to bypass the login form without actually knowing a valid username/password combination.
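The login query above built by string substitution and then with bound parameters, as an added example that is not part of the original post. It uses an in-memory SQLite database; the function names and the stored row are constructed for illustration, and the plaintext password column only mirrors the page's query.

```python
import sqlite3

def make_db():
    """In-memory database holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("create table USERS_TABLE "
               "(id integer primary key, email text, password text)")
    db.execute("insert into USERS_TABLE (email, password) values (?, ?)",
               ("alice@example.com", "constructed-sample-value"))
    return db

def login_vulnerable(db, email, password):
    """The page's pattern: form values are pasted into the SQL text, so a
    quote character in the input changes the structure of the query."""
    query = ("select id from USERS_TABLE "
             "where email='%s' and password='%s'" % (email, password))
    return db.execute(query).fetchall()

def login_parameterized(db, email, password):
    """Hardened pattern: the SQL text is fixed and the values are bound as
    parameters, so input is only ever compared as data."""
    query = "select id from USERS_TABLE where email=? and password=?"
    return db.execute(query, (email, password)).fetchall()

# The input shown in the resulting query on the page.
PAGE_EMAIL = "hacker@test.com"
PAGE_PASSWORD = "anything' or 'x'='x"

if __name__ == "__main__":
    db = make_db()
    # The string-built query returns the stored account's id.
    print(login_vulnerable(db, PAGE_EMAIL, PAGE_PASSWORD))
    # The parameterized query returns no rows for the same input.
    print(login_parameterized(db, PAGE_EMAIL, PAGE_PASSWORD))
```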

 

 

End users and web administrators need to worry about the confidentiality of data transmitted across the Web. The TCP/IP protocol was not designed with the required security in mind. Hence, it is possible that someone is listening in while data is being transmitted between the web server and the browser. The fixing should be done at the application level. We need to filter and check all user input before processing any browser request. Problems like SQL injection and cross site scripting should be dealt with. Also, users should be made aware of the risks involved in internet browsing.

 

 

 


 

 

 


4 comments:

  1. Great tutorial. Thanks :)

  2. It's difficult to find educated people for this subject, however, you
    seem like you know what you're talking about! Thanks

    Here is my weblog: Web Page

  3. What's up, its pleasant post on the topic of media print,
    we all understand media is a great source of facts.


    Here is my web page; Facebook Hacking
