In this article, I would like to share some common web application attacks and HTTP headers for protection by the attacks.
CSRF(Cross-Site Request Forgery) is an attack that impersonates a trusted user and sends a website unwanted commands. This can be done, for example, by including malicious parameters in a URL behind a link that purports to go somewhere else.
Reflected Cross-Site Scripting occurs when an attacker injects executable code into an HTTP response. When an application is vulnerable to this type of attack it will send back unvalidated input to the client. It will enable the attacker to steal cookies, perform clipboard theft and modify the page itself.
An example is
http://example.com/index.php?user=<"script">alert(123)"script">. If the user parameter inserts into DOM, it will be executed.
Stored Cross-Site Scripting occurs when the application stores user input which is not correctly filtered. It runs within the user’s browser under the privileges of the web application.
You should not insert untrusted data into DOM & use HTML escape before inserting.
Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page.
The attacker wants you to click something that you don”t actually want to click, and they do it by hiding the link/button behind something else that they can trick you into clicking on.
A brute force attack is a trait-and-error method used to obtain information such as a user password or personal identification number(PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security, analysts to test an organization’s network security.
SQL Injection consists of injection of a partial or complete SQL query via user input. It can read sensitive information or be destructive as well.
Take the following example:
SELECT * from user where id = $id
If the user enters
2 or 1 = 1, the query becomes the following:
SELECT * from user where id = 2 or 1 = 1
If the above query run, an attacker may get all user information.
Command Injection is a technique used by an attacker to run OS commands on a web server. With this approach, an atter might even get passwords to the system.
In practice, if you have a URL like:
It could be turned into:
In this example
%3B becomes the semicolon
cat /etc/passwd can be run.
To defend against this kind of attacks make sure that you always filter/sanitize user input.
Theis kind of attack exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly.
([a-zA-Z]+) are vulnerable Regexp as a simple input like
aaaaaaaaaaaaaaaaaaa! can cause heavy computation.
You can easily check that your regexp is Evil Regexes or not by safe-regex.
$ node safe.js '(beep|boop)*'
Typical examples of HTTP headers for security are as follows:
||Enforce browsers to use HTTPS connections to server|
||Provide clickjacking protection|
||Enable the Cross-Site Scriptings(XSS) filter built into most recent web browsers|
||Prevent browsers from MIME-sniffing a response away from the declared content-type|
||Prevent a wide range of attacks, including Cross-Site scripting and other Cross-Site injections|
*Strict-Transport-Security (HSTS)** header enforces secure (HTTP over SSL/TLS) connection to the server.
If you define
max-age in HSTS, a browser should automatically convert all HTTP requests to HTTPS.
Testing for it is pretty straightforward:
curl -s -D- https://twitter.com/ | grep -i Strict
X-Content-Type-Optionsresponse HTTP header is a maker used by the server to indicate the MINE types advertised in the
Content-Typeheaders should not be changed and be followed. This allows to opt-out of MIME type sniffing, or, in other words, it is a way to say that the webmasters knew what they were doing.
Content Security Policy(CSP) is an added layer of security that helps to detect and migrate certain types of attacks, including Cross-Site Scripting(XSS) and data injection attacks.
An example of CSP is
Content-Security-Policy: default-src 'self' *.mydomain.com in HTTP header. The header info shows trusted domain and its subdomains.
|Secure||A browser to only send the cookie if the request is being sent over HTTPS.|
|Domain||Compare against the domain of the server in which the requested URL. If the domain(sub-domain) matches then the path attribute will be checked next.|
|Path||If the path matches, then the cookie will be sent in the request.|
|Expires||The cookie is valid until the set date is exceeded.|
You have to test to check for certificate information by nmap, like this:
nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 www.example.com
You can test SSL/TLS vulnerabilities with SSLyze:
./sslyze.py --regular example.com:443
🖥 Recommended VPS Service
VULTR provides high performance cloud compute environment for you.
Vultr has 15 data-centers strategically placed around the globe, you can use a VPS with 512 MB memory for just $ 2.5 / month ($ 0.004 / hour).
In addition, Vultr is up to 4 times faster than the competition, so please check it => Check Benchmark Results!!