Common Security Vulnerabilities
Security is an important part of any application, and even more so for web applications, considering the large number of users to which they are exposed. For any web application, security is an indispensable aspect. It is always better to consider the security of the application and check for flaws up front than to become the victim of an attack later on.
A vulnerability is any weakness or flaw in the application that exposes it to an attacker, who can use it to perform unauthorized actions such as retrieving confidential information.
Many website security problems come from assuming that users will perform only the actions they are supposed to perform. A malicious user may try to perform actions that he is not supposed to.
Software vulnerabilities are one of the biggest challenges of the software industry. Public web sites in particular are more prone to attack, since they are exposed to a large number of users. Vulnerability is an important factor for any application because an attacker can exploit a vulnerability to:
• retrieve important information,
• authenticate as another user, or
• even delete important data.
And in today's world there is no shortage of skilled attackers who can easily detect the vulnerabilities in an application.
OWASP, the Open Web Application Security Project, is a community that publishes guidance on web application security and helps us prepare for security vulnerabilities before they are exploited. OWASP groups vulnerabilities into categories, some of which are:
XSS (Cross Site Scripting) Vulnerability: commonly abbreviated as XSS, this vulnerability is about how the browser can be made to execute malicious script or code.
SQL Injection Vulnerability: in this type of attack SQL commands are executed through the web page's input fields.
Cross Site Request Forgery (CSRF or XSRF): users are manipulated into providing sensitive information through a forged website.
Broken Authentication and Session Management: this is related to user authentication and session management. The goal of the attacker here is to impersonate the original user.
Before implementing measures to avoid these vulnerabilities, it is important to understand some details about each of them.
XSS (Cross Site Scripting) Vulnerability
In XSS the browser is used to execute a malicious script. The injection happens in the background, without the user's knowledge, and the injected script executes as if it came from the original website. The script can then perform whatever activities the malicious user intended.
XSS scripts can also be persisted to the database, in which case they run for every user, or they may be executed immediately by the attacker.
We can categorize XSS as follows:
Reflected XSS Vulnerability
In this type of XSS the script is immediately returned to the browser and executed there. The script is not stored on the server.
The following is an example of reflected XSS.
A web page displays input fields. The application assumes that the user will enter plain text, and it works fine as long as the user does.
The user is supposed to enter a name and an address, but a mischievous user can enter a script in the name field.
An attacker can perform any harmful activity using this script.
Though this is a very basic example, consider the consequences if the script is used to post the data on the page to another site, or if the script is permanently stored in the database on the server, which is another type of XSS called persistent XSS.
Persistent XSS Vulnerability
In this type of Cross Site Scripting attack the script is permanently stored on the server, so it is executed for every request from every user, creating a much bigger security risk. This is more difficult for the attacker to set up, but it is a very dangerous vulnerability since it affects all users.
Suppose we have a welcome message that is displayed on all the pages, rendered from the stored user name as:
Welcome <asp:Label runat="server" Text='<%# DataBinder.Eval(Container.DataItem, "Name") %>'></asp:Label>
The Label control writes its Text to the page without HTML encoding it, so if a script was saved in the Name field it runs on every page for every user. The script can also post the users' data to a different website, so this could result in the data of the users being stolen.
DOM based XSS Vulnerability
In DOM-based XSS the payload is written into the page by the site's own client-side script, which takes untrusted data (for example part of the URL) and inserts it into the DOM. The payload may or may not have passed through the server, so it can be either persistent or reflected.
To prevent XSS, always HTML encode user-entered values before rendering them.
Many web frameworks, such as the ASP.NET controls, HTML encode assigned values by default, but make sure that values echoed back into input controls are HTML encoded as well.
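The page's snippets are C#/ASP.NET; the following is an added example in Python (not code from the original article) showing the encoding rule above on constructed input: the same stored name rendered once as-is and once HTML encoded, in the page body and inside an input attribute. The sample name, the render functions and the `contains_active_markup` check are all assumptions made for the illustration.

```python
import html

# Constructed sample: a value submitted in the "name" field that carries markup.
UNTRUSTED_NAME = '<script>alert("xss")</script>Mike'


def render_welcome_unsafe(name: str) -> str:
    """Vulnerable: the stored value is dropped into the page as-is, so any
    markup it contains is interpreted by the browser (persistent XSS)."""
    return f"<p>Welcome {name}</p>"


def render_welcome_safe(name: str) -> str:
    """Hardened: HTML-encode the value before it reaches the page body.
    html.escape turns <, >, &, " and ' into character references, so the
    browser shows the text literally instead of executing it."""
    return f"<p>Welcome {html.escape(name, quote=True)}</p>"


def render_input_safe(name: str) -> str:
    """The same rule applies when echoing a value back into an input control:
    encode it inside the attribute so a quote in the value cannot close the
    attribute and start a new one."""
    return f'<input type="text" name="name" value="{html.escape(name, quote=True)}">'


def contains_active_markup(page: str) -> bool:
    """Crude check used only to show the difference: does the rendered page
    still contain a live <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_welcome_unsafe(UNTRUSTED_NAME))   # script tag survives
    print(render_welcome_safe(UNTRUSTED_NAME))     # shown as harmless text
    print(render_input_safe('Mike" foo="bar'))     # quote cannot break out
```

Encoding must happen at the point where the value is written into HTML, not when it is stored: the same stored string is safe in a page body, an attribute or a JSON response only if it is encoded for that specific context.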
SQL Injection Vulnerability
SQL Injection allows a malicious user to execute commands in our database in ways we did not anticipate. The commands are executed with the privileges granted to our application's database login account.
So if the application's database login account has privileges to modify or even delete data, SQL Injection can have much more severe consequences.
The following are the factors that can cause a SQL Injection vulnerability:
- Constructing SQL statements at run time by concatenating user input instead of using parameters
- Not validating user input values
The following is a basic example of a query that is vulnerable to SQL Injection:
select name, category from categories where catId like '%" + catId + "%'
This is a dynamic SQL query which is constructed at runtime. catId is a variable whose value is passed from the front end. In the normal scenario the value of catId will be that of a particular category the user has access to. But consider the consequence of setting the value of catId to 1 OR 1=1.
Setting the value of catId to 1 OR 1=1 would result in all the rows in the categories table being returned, since 1=1 is true for every row.
SQL Injection can be prevented by following certain guidelines:
- Always validating the user input
- Always using the typed parameters when using SQL commands
- Granting limited privileges to the database login used by the application
Compare the two approaches below for fetching the category details from the database.
The following code just passes the user input into the SQL command text, which allows the attacker to pass arbitrary SQL in the user input:
SqlCommand com = new SqlCommand();
com.CommandText = "select name, category from categories where catId like '%" + catId + "%'";
The following code instead calls a stored procedure and adds the user input to the Parameters collection of the command. The parameter is type checked, so only an integer value can be passed:
SqlCommand com = new SqlCommand();
com.CommandType = CommandType.StoredProcedure;
com.CommandText = "ProcedureName";
com.Parameters.Add("@catId", SqlDbType.Int).Value = catId;
If you have assigned limited privileges to the database login used by the application, then even if the attacker succeeds in a SQL injection attack he will not be able to do much damage to the database.
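The three guidelines above (validate input, use typed parameters, limit the login's privileges) as one runnable Python example against an in-memory SQLite table. This is added code, not from the article: the `categories` rows are constructed, the injected value closes the quote that the page's LIKE pattern opens so that the page's `1=1` tautology takes effect, and the SQLite authorizer stands in for a database login that has been granted only SELECT rights.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the page's categories table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE categories (catId INTEGER, name TEXT, category TEXT)")
    con.executemany(
        "INSERT INTO categories VALUES (?, ?, ?)",
        [(1, "Books", "public"), (2, "Music", "public"), (3, "Internal", "restricted")],
    )
    return con


def fetch_categories_unsafe(con: sqlite3.Connection, cat_id: str) -> list:
    """Vulnerable: the page's query assembled by string concatenation.
    Whatever the user typed becomes part of the SQL text."""
    sql = "select name, category from categories where catId like '%" + cat_id + "%'"
    return con.execute(sql).fetchall()


def fetch_categories_safe(con: sqlite3.Connection, cat_id: str) -> list:
    """Hardened: validate the type first, then bind the value as a typed
    parameter so the database never parses it as SQL."""
    cat_id_int = int(cat_id)  # raises ValueError for anything but an integer
    sql = "select name, category from categories where catId = ?"
    return con.execute(sql, (cat_id_int,)).fetchall()


def safe_rejects(con: sqlite3.Connection, cat_id: str) -> bool:
    """True when the hardened lookup refuses the input."""
    try:
        fetch_categories_safe(con, cat_id)
    except ValueError:
        return True
    return False


def restrict_to_read_only(con: sqlite3.Connection) -> None:
    """Analogue of granting the application's login only SELECT rights:
    an authorizer that denies INSERT, UPDATE and DELETE statements."""
    writes = {sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE}

    def authorizer(action, arg1, arg2, dbname, source):
        return sqlite3.SQLITE_DENY if action in writes else sqlite3.SQLITE_OK

    con.set_authorizer(authorizer)


def delete_is_blocked(con: sqlite3.Connection) -> bool:
    """True when the connection is no longer allowed to delete rows."""
    try:
        con.execute("DELETE FROM categories")
    except sqlite3.DatabaseError:
        return True
    return False


# Constructed malicious value: closes the quote that the page's query opens
# and inserts the 1=1 tautology from the text, so every row matches.
INJECTED = "%' OR 1=1 OR catId like '%"

if __name__ == "__main__":
    con = build_db()
    print(fetch_categories_unsafe(con, "1"))        # one category
    print(fetch_categories_unsafe(con, INJECTED))   # every row, restricted ones included
    print(safe_rejects(con, INJECTED))              # True: input never reaches the database
```

The typed parameter and the privilege restriction are independent layers: the first stops the injected text from becoming SQL, the second limits the damage if some other query on the same connection is still built unsafely.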
Cross Site Request Forgery (CSRF Or XSRF)
One of the most prevalent attacks from online scammers and spammers is CSRF, where users are manipulated into providing sensitive information through a forged website. Normally the attacker uses some form of social engineering to trick the user.
An authenticated user can be tricked by the attacker in different ways, such as through fake email links. The attacker then executes an action using the authenticated user's credentials, and can perform any action the authenticated user is privileged to perform.
The attacker typically tricks the victim into:
• changing the password
• adding a secondary email ID
• various other actions through which the attacker gains access to the site using the user's credentials.
Below is a common example of CSRF on a website using forms authentication. When a user visits the website and authenticates, he is issued an authentication cookie which the browser passes to the website with every subsequent request.
It is using this cookie that the website determines whether the user is authenticated. Now consider the scenario in which the user visits some other, malicious website and requests a resource from it. Instead of returning the resource, that website can return a script that makes the browser send a request to the original site, carrying the authentication cookie along, which updates the user's account information such as the password.
Some of the ways and precautions to prevent CSRF are:
- Using tokens
- Ensuring that the HTTP request came from the original site, which means that requests forged from other sites will not function
- Users can log off the site before visiting another
Tokens are long cryptographic values that are difficult to guess. A token is generated when a user's session begins and is associated with that particular session. This token is included in each request, and the server code uses it to verify the authenticity of the user's request. Since the attacker does not know this value, the forged request is rejected, which prevents CSRF.
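The token mechanism and the origin check from the list above, as an added Python example that is not part of the article. It assumes a server-side secret, a hypothetical `/change-password` form, and samplesite.com (the page's example site) as the only origin allowed to submit it; the session ids and headers are constructed for the illustration. Deriving the token from the session id with an HMAC, rather than storing a random token per session, is one common implementation choice, not the page's.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; in production it comes from protected
# configuration, never from source code.
SERVER_SECRET = secrets.token_bytes(32)

# The page's example site, used as the only origin allowed to submit forms.
ALLOWED_ORIGIN = "https://samplesite.com"


def issue_session_id() -> str:
    """Random, unguessable session identifier created when the session begins."""
    return secrets.token_urlsafe(32)


def csrf_token_for(session_id: str) -> str:
    """Derive the anti-forgery token from the session id with an HMAC over a
    server secret: only the server can compute it and it differs per session,
    so a token seen in one session is useless in another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_form(session_id: str) -> str:
    """Every state-changing form carries the token in a hidden field."""
    return (
        '<form method="post" action="/change-password">'
        f'<input type="hidden" name="csrf_token" value="{csrf_token_for(session_id)}">'
        '<input type="password" name="new_password"></form>'
    )


def request_from_own_site(headers: dict) -> bool:
    """Second defence from the text: the Origin (or, failing that, Referer)
    header must name our own site."""
    origin = headers.get("Origin") or headers.get("Referer") or ""
    return origin == ALLOWED_ORIGIN or origin.startswith(ALLOWED_ORIGIN + "/")


def handle_post(session_cookie: str, headers: dict, form_fields: dict) -> str:
    """Server side of the POST. The browser attaches the session cookie to a
    forged request automatically, but the forging site can neither read the
    token nor make the browser send our origin, so both checks fail for it."""
    if not request_from_own_site(headers):
        return "403 rejected: request did not originate from this site"
    expected = csrf_token_for(session_cookie)
    presented = form_fields.get("csrf_token", "")
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return "403 rejected: missing or wrong anti-forgery token"
    return "200 password changed"


if __name__ == "__main__":
    sid = issue_session_id()
    form = render_form(sid)
    print(handle_post(sid, {"Origin": ALLOWED_ORIGIN}, {"csrf_token": csrf_token_for(sid)}))
    print(handle_post(sid, {"Origin": ALLOWED_ORIGIN}, {}))   # forged request: no token
```

Both checks are applied only to state-changing requests (POST here); a GET that merely reads data needs neither, which is why account changes should never be performed on GET.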
Broken Authentication and Session Management
This vulnerability is related to user authentication and session management. The goal of the attacker here is to impersonate the original user.
User authentication usually involves different mechanisms to manage the users credentials such as
- Login Page
- Forgot Password Option
- Email Password Option
- Change Password Option
Session management is used to manage the requests in a web application. In a web application, requests from the same client are linked together using session IDs. If session IDs are not protected, the attacker can hijack the user's session, and since to the web application it is a valid session, the attacker can perform all the activities the user can perform.
Consider a URL which contains the session ID. This URL displays the details about the user Mike, and it is the URL Mike will see once he has logged in to samplesite.com.
Now if the attacker obtains this URL he can assume Mike's identity and see all his confidential details. This is because the session ID acts as a token that identifies the user.
If the session ID is stored in a cookie instead of in the URL, there is less chance of this type of attack.
Session fixation is a form of attack where the attacker:
- Obtains a valid session ID by connecting to the web site
- Tricks a user into using this session ID
- Connects to the web application again using this session ID once the user has logged in with it
To prevent this type of vulnerability, ensure the following are implemented:
- Session timeout
- Session invalidated during logout
- User account details such as ID and password are encrypted
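The session handling described in this section as an added Python example (not code from the article): a small server-side session table that issues random IDs, enforces an idle timeout, and invalidates on logout. It goes one step beyond the list above by also issuing a fresh ID at login instead of promoting the one the browser presented, which is the standard defence against the session fixation sequence described earlier. The `SessionStore` class, the injectable clock and the timeout value are assumptions made for the illustration.

```python
import secrets
import time


class SessionStore:
    """Minimal server-side session table. The clock is injectable so the
    timeout can be demonstrated without sleeping."""

    def __init__(self, timeout_seconds: int = 900, clock=time.time):
        self.timeout = timeout_seconds
        self.clock = clock
        self._sessions = {}  # session_id -> {"user": str | None, "last_seen": float}

    def new_session(self) -> str:
        """Anonymous session handed to a visitor before login."""
        sid = secrets.token_urlsafe(32)  # unguessable, unlike a sequential id
        self._sessions[sid] = {"user": None, "last_seen": self.clock()}
        return sid

    def login(self, presented_sid: str, user: str) -> str:
        """Fixation defence: never promote the id the browser presented.
        Discard it and issue a fresh id, so an id planted by an attacker
        before login never becomes an authenticated session."""
        self._sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def user_for(self, sid: str):
        """Resolve a cookie value to a user, enforcing the idle timeout."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self.clock() - entry["last_seen"] > self.timeout:
            del self._sessions[sid]  # expired: invalidate rather than revive
            return None
        entry["last_seen"] = self.clock()
        return entry["user"]

    def logout(self, sid: str) -> None:
        """Invalidate on logout so a captured id is useless afterwards."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore(timeout_seconds=900)
    anonymous = store.new_session()
    authenticated = store.login(anonymous, "Mike")
    print(store.user_for(anonymous))       # None: the pre-login id was discarded
    print(store.user_for(authenticated))   # Mike
    store.logout(authenticated)
    print(store.user_for(authenticated))   # None: invalidated at logout
```

The id returned by `login` should be sent to the browser in a cookie marked HttpOnly and Secure, never in the URL, so that it does not appear in browser history, referrer headers or shared links as in the example above.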
Another example of this type of vulnerability occurs when the user types the wrong password and the website displays a message such as:
"Wrong password entered. Please enter the correct password!"
Because the login page reveals that the user name was valid and only the password was wrong, an attacker can use a brute force attack to guess the correct password.
A better approach is to display a message such as:
"Please verify your credentials!"