boris/G4G0-2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
ae837183f1ec23c09316de550f35d9b3d6759834
G4G0-2/Penetration Testing/Week 20/Week 20 - Web Application Attacks.md
boris ae837183f1 vault backup: 2025-03-16 18:59:42
2025-03-16 18:59:42 +00:00

4.4 KiB
Raw Blame History

Subtopics: Malicious Software, Attacks on Web Applications, Secure System Development

How Computers Get Compromised:

  • Accessing malicious or infected websites
  • Downloading and installing malware from websites
  • Executing attachments to emails containing exploits and malware
  • Plugging in external devices infected with malware
  • Installing malware/infected software from media
  • Direct attacks from the internet exploiting vulnerabilities in OS or applications
  • Through delivery chain, during assembly or shipment

Malware Types:

  • Backdoor/Trapdoor
  • Logic bomb
  • Trojan horse
  • Worm
  • Virus (polymorphic, metamorphic)
  • Stealth virus
  • Exploit

Exploits:

  • Exploit software/hardware vulnerability
  • Carried in common data formats like PDF, office documents, media files
  • Contains corrupt data types
  • Causes unintended behavior on computers

Backdoor/Trapdoor:

  • Provides remote control capabilities
  • Can reside on the system for long periods before being used
  • Installed by exploit or user (tricked into installing malicious program)
  • Can be installed during design for testing purposes, posing a threat if left in production software

The Cyber Kill Chain (Hutchins Et Al., 2011):

  • Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command & Control (C&C), Action/Exfiltration
  • Timescale for each phase varies from days, months, hours to seconds.
    • Recon; Weaponisation; Delivery; Exploitation; Installation; Command & Control; Action/Exfil

Web Application Security Challenge:

  • Firewall, App Server, Web Server, Hardened OS, Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing, Custom-Developed Application Code
  • Network layer and application layer security are crucial

Application Attacks

  • Application attacks bypass traditional network security measures like firewalls

SQL (Structured Query Language):

  • Interface to relational databases
  • Used for inserting, updating, deleting, and retrieving data in a database

SQL Injection:

  • Databases system misinterpretation of input data
  • Attacker disguises SQL commands as data input
  • Vulnerability exists when web application fails to sanitise data input before sending it to the database

Preventing SQL Injection and XSS

  • Validate all user-entered parameters (data types and lengths)
  • Disallow unwanted data (html tags, JS, SQL commands)
  • Escape questionable characters (ticks, --, semicolons, quotes, etc)
  • Hide information about error handling

Stored XSS

Input script to website disguised as user content Store and display script on page User accesses page Malicious script sent to user

Broken Authentication and Session Management:

  • User authentication does not necessarily provide continuous assurance
  • Insecure implementation of session control with a static session ID passed in the URL
  • Recommendations for session IDs (OWASP)

Method

Log in to application Provide service, user stays logged in Email info about session ID Other user can access website as first user

Fixes

  • Authentication linked to time
  • OWASP recommendations followed
  • Link session ID to IP address, TLS session, etc. Reconnaissance Assignment

OWASP Top-10 Web Application Risks (as of 2017):

  • Injection, Broken Authentication, Sensitive Data Exposure, XML External Entity (XXE), Security Misconfiguration, Cross-Site Scripting (XSS), Insecure Deserialization, Using Components with Known Vulnerabilities, Insufficient Logging & Monitoring

Waterfall SDLC vs. Agile Software Development vs. Secure Agile:

  • Waterfall SDLC: Sequential phases (Design, Requirements, Implementation, Verification, Maintenance)
  • Agile Software Development: Iterative sprint cycles based on user stories
  • Secure Agile: Includes additional security steps during project startup, each sprint cycle, and final test and validation
  • Threat modeling in Secure Agile: Identify, analyze, and describe relevant threats using STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)

STRIDE

Spoofing - Can an attacker gain access with a false identity? Tampering - Can an attacker modify data as an application runs? Repudiation - If an attacker denies interaction, can we prove it? Information Disclosure - Can an attacker gain PII? Denial of Service - Can an attacker crash or reduce availability? Elevation of Privilege - Can an attacker assume the identity of a privileged user?