Basic Knowledge for Web Application Security


In this article, I would like to share some common web application attacks and HTTP headers for protection by the attacks.

🐝 Attacks

Cross-Site Request Forgery

CSRF(Cross-Site Request Forgery) is an attack that impersonates a trusted user and sends a website unwanted commands. This can be done, for example, by including malicious parameters in a URL behind a link that purports to go somewhere else.

Reflected Cross-Site Scripting(XSS)

Reflected Cross-Site Scripting

Reflected Cross-Site Scripting occurs when an attacker injects executable code into an HTTP response. When an application is vulnerable to this type of attack it will send back unvalidated input to the client. It will enable the attacker to steal cookies, perform clipboard theft and modify the page itself.

An example is http://example.com/index.php?user=<"script">alert(123). If the user parameter inserts into DOM, it will be executed.

Stored Cross-Site Scripting

Stored Cross-Site Scripting occurs when the application stores user input which is not correctly filtered. It runs within the user’s browser under the privileges of the web application.

Protection

You should not insert untrusted data into DOM & use HTML escape before inserting.

clickjacking

Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page.

https://www.owasp.org/index.php/Clickjacking

The attacker wants you to click something that you don”t actually want to click, and they do it by hiding the link/button behind something else that they can trick you into clicking on.

https://helmetjs.github.io/docs/frameguard/

Brute Force Attacks

A brute force attack is a trait-and-error method used to obtain information such as a user password or personal identification number(PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security, analysts to test an organization’s network security.

https://www.techopedia.com/definition/18091/brute-force-attack

SQL Injection

SQL Injection consists of injection of a partial or complete SQL query via user input. It can read sensitive information or be destructive as well.

Take the following example:

SELECT * from user where id = $id

If the user enters 2 or 1 = 1, the query becomes the following:

SELECT * from user where id = 2 or 1 = 1

If the above query run, an attacker may get all user information.

Command Injection

Command Injection is a technique used by an attacker to run OS commands on a web server. With this approach, an atter might even get passwords to the system.

In practice, if you have a URL like:

https://example.com/downloads?file=sample.pdf

It could be turned into:

https://example.com/downloads?file=%3Bcat%20/etc/passwd

In this example %3B becomes the semicolon;, so cat /etc/passwd can be run.

To defend against this kind of attacks make sure that you always filter/sanitize user input.

😀 ReDoS

Theis kind of attack exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly. ([a-zA-Z]+) are vulnerable Regexp as a simple input like aaaaaaaaaaaaaaaaaaa! can cause heavy computation.

You can easily check that your regexp is Evil Regexes or not by safe-regex.

$ node safe.js '(beep|boop)*'
true
$ node safe.js '(a+){10}'
false

🎂 HTTP headers for protection

Typical examples of HTTP headers for security are as follows:

Header Name Description
Strict-Transport-Security(HSTS) Enforce browsers to use HTTPS connections to server
X-Frame-Option Provide clickjacking protection
X-XSS-Protection Enable the Cross-Site Scriptings(XSS) filter built into most recent web browsers
X-Content-Type-Option Prevent browsers from MIME-sniffing a response away from the declared content-type
Content-Security-Policy Prevent a wide range of attacks, including Cross-Site scripting and other Cross-Site injections

Strict-Transport-Security (HSTS)

*Strict-Transport-Security (HSTS)** header enforces secure (HTTP over SSL/TLS) connection to the server.

If you define max-age in HSTS, a browser should automatically convert all HTTP requests to HTTPS.

strict-transport-security:max-age=61138519

Testing for it is pretty straightforward:

curl -s -D- https://twitter.com/ | grep -i Strict

X-ContentType-Options

The X-Content-Type-Options response HTTP header is a maker used by the server to indicate the MINE types advertised in the Content-Type headers should not be changed and be followed. This allows to opt-out of MIME type sniffing, or, in other words, it is a way to say that the webmasters knew what they were doing.

🐰 Use Content Security Policy

Content Security Policy(CSP) is an added layer of security that helps to detect and migrate certain types of attacks, including Cross-Site Scripting(XSS) and data injection attacks.

An example of CSP is Content-Security-Policy: default-src 'self' *.mydomain.com in HTTP header. The header info shows trusted domain and its subdomains.

🚕 Session Management

Cookie Flag

Flag Description
Secure A browser to only send the cookie if the request is being sent over HTTPS.
HttpOnly Help prevents attacks such as Cross-Site Scripting because it does not allow the cookie to be accessed via JavaScript.

Cookie Scope

Factor Description
Domain Compare against the domain of the server in which the requested URL. If the domain(sub-domain) matches then the path attribute will be checked next.
Path If the path matches, then the cookie will be sent in the request.
Expires The cookie is valid until the set date is exceeded.

👽 Secure Transmission

You have to test to check for certificate information by nmap, like this:

nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 www.example.com

You can test SSL/TLS vulnerabilities with SSLyze:

./sslyze.py --regular example.com:443

🐹 Special Thanks

🖥 Recommended VPS Service

VULTR provides high performance cloud compute environment for you. Vultr has 15 data-centers strategically placed around the globe, you can use a VPS with 512 MB memory for just $ 2.5 / month ($ 0.004 / hour). In addition, Vultr is up to 4 times faster than the competition, so please check it => Check Benchmark Results!!