In this article, I would like to share some common web application attacks and HTTP headers for protection by the attacks.
🐝 Attacks
Cross-Site Request Forgery
CSRF(Cross-Site Request Forgery) is an attack that impersonates a trusted user and sends a website unwanted commands. This can be done, for example, by including malicious parameters in a URL behind a link that purports to go somewhere else.
Reflected Cross-Site Scripting(XSS)
Reflected Cross-Site Scripting
Reflected Cross-Site Scripting occurs when an attacker injects executable code into an HTTP response. When an application is vulnerable to this type of attack it will send back unvalidated input to the client. It will enable the attacker to steal cookies, perform clipboard theft and modify the page itself.
An example is http://example.com/index.php?user=<"script">alert(123)"script">
. If the user parameter inserts into DOM, it will be executed.
Stored Cross-Site Scripting
Stored Cross-Site Scripting occurs when the application stores user input which is not correctly filtered. It runs within the user’s browser under the privileges of the web application.
Protection
You should not insert untrusted data into DOM & use HTML escape before inserting.
clickjacking
Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page.
https://www.owasp.org/index.php/Clickjacking
The attacker wants you to click something that you don”t actually want to click, and they do it by hiding the link/button behind something else that they can trick you into clicking on.
https://helmetjs.github.io/docs/frameguard/
Brute Force Attacks
A brute force attack is a trait-and-error method used to obtain information such as a user password or personal identification number(PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security, analysts to test an organization’s network security.
https://www.techopedia.com/definition/18091/brute-force-attack
SQL Injection
SQL Injection consists of injection of a partial or complete SQL query via user input. It can read sensitive information or be destructive as well.
Take the following example:
SELECT * from user where id = $id |
If the user enters 2 or 1 = 1
, the query becomes the following:
SELECT * from user where id = 2 or 1 = 1 |
If the above query run, an attacker may get all user information.
Command Injection
Command Injection is a technique used by an attacker to run OS commands on a web server. With this approach, an atter might even get passwords to the system.
In practice, if you have a URL like:
https://example.com/downloads?file=sample.pdf |
It could be turned into:
https://example.com/downloads?file=%3Bcat%20/etc/passwd |
In this example %3B
becomes the semicolon;
, so cat /etc/passwd
can be run.
To defend against this kind of attacks make sure that you always filter/sanitize user input.
😀 ReDoS
Theis kind of attack exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly. ([a-zA-Z]+)
are vulnerable Regexp as a simple input like aaaaaaaaaaaaaaaaaaa!
can cause heavy computation.
You can easily check that your regexp is Evil Regexes or not by safe-regex.
$ node safe.js '(beep|boop)*' |
🎂 HTTP headers for protection
Typical examples of HTTP headers for security are as follows:
Header Name | Description |
---|---|
Strict-Transport-Security (HSTS) |
Enforce browsers to use HTTPS connections to server |
X-Frame-Option |
Provide clickjacking protection |
X-XSS-Protection |
Enable the Cross-Site Scriptings(XSS) filter built into most recent web browsers |
X-Content-Type-Option |
Prevent browsers from MIME-sniffing a response away from the declared content-type |
Content-Security-Policy |
Prevent a wide range of attacks, including Cross-Site scripting and other Cross-Site injections |
Strict-Transport-Security (HSTS)
*Strict-Transport-Security (HSTS)** header enforces secure (HTTP over SSL/TLS) connection to the server.
If you define max-age
in HSTS, a browser should automatically convert all HTTP requests to HTTPS.
strict-transport-security:max-age=61138519 |
Testing for it is pretty straightforward:
curl -s -D- https://twitter.com/ | grep -i Strict |
X-ContentType-Options
The
X-Content-Type-Options
response HTTP header is a maker used by the server to indicate the MINE types advertised in theContent-Type
headers should not be changed and be followed. This allows to opt-out of MIME type sniffing, or, in other words, it is a way to say that the webmasters knew what they were doing.
🐰 Use Content Security Policy
Content Security Policy(CSP) is an added layer of security that helps to detect and migrate certain types of attacks, including Cross-Site Scripting(XSS) and data injection attacks.
An example of CSP is Content-Security-Policy: default-src 'self' *.mydomain.com
in HTTP header. The header info shows trusted domain and its subdomains.
🚕 Session Management
Cookie Flag
Flag | Description |
---|---|
Secure | A browser to only send the cookie if the request is being sent over HTTPS. |
HttpOnly | Help prevents attacks such as Cross-Site Scripting because it does not allow the cookie to be accessed via JavaScript. |
Cookie Scope
Factor | Description |
---|---|
Domain | Compare against the domain of the server in which the requested URL. If the domain(sub-domain) matches then the path attribute will be checked next. |
Path | If the path matches, then the cookie will be sent in the request. |
Expires | The cookie is valid until the set date is exceeded. |
👽 Secure Transmission
You have to test to check for certificate information by nmap, like this:
nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 www.example.com |
You can test SSL/TLS vulnerabilities with SSLyze:
./sslyze.py --regular example.com:443 |
🐹 Special Thanks
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
- https://developer.mozilla.org/en-US/docs/Glossary/CSRF
🖥 Recommended VPS Service
VULTR provides high performance cloud compute environment for you.
Vultr has 15 data-centers strategically placed around the globe, you can use a VPS with 512 MB memory for just $ 2.5 / month ($ 0.004 / hour).
In addition, Vultr is up to 4 times faster than the competition, so please check it => Check Benchmark Results!!