Web Application Attacks – Types, Impact & Mitigation (Part-3)
With this article, we list some of the common web application attacks, impacts, and possible mitigation. In part -3 we are covering the following attacks.
Web Application Attacks
- Cross-site scripting
- Cacheable Pages Discovered
- Referrer Header Not Properly Validated
- Cross-Site Request Forgery
- HTTP Headers – Information Disclosure
- Binary planting
- Binary hardening
Cross site scripting
Assessor observed that application is not validating contents of the input file being uploaded in the application as banner and responding to the browser for execution which leads to XSS (cross-site scripting).
Types- Reflected , stored, DOM
Impact – A browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.
The application must perform validation of all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification of what should be allowed. Also filter the content of image files being uploaded to the server.
Any meta-characters should be filtered for, in all input accepting fields, both at the client-side as well as sever-side.
Server-side validation is mandatory. The validation should not attempt to identify active content and remove, filter, or sanitize it. Encoding user supplied output can also defeat XSS vulnerabilities by preventing inserted scripts from being transmitted to users in an executable form.
The application must be configured to filter meta-characters and unexpected characters such as:
|<||< or <||)||)|
|>||> or >||#||#|
|&||& or &||%||%|
|“||" or “||;||;|
|‘||' or ‘||+||+|
Cacheable Pages Discovered
When an application allows some web Pages to be cached in the browser memory and thus they can be accessed even after the user has logged out.
Browsers may store a locally cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTP. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.
The application should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root.
Alternatively, most web development platforms allow you to control the server’s caching directives from within individual scripts. Ideally, the webserver should return the following HTTP headers in all responses containing sensitive content:
• Cache-control: no-store
• Pragma: no-cache
Referrer Header Not Properly Validated
The values passed in the HTTP Referrer header are not being validated properly. Referrer logging is used to allow websites and web browsers to identify where people are visiting them from, for promotional or security purposes. A referrer is a popular tool to combat CSRF (Cross-Site Request Forgery).
An attacker can leverage this flaw to avoid the logging feature of application. Also, this could lead to successful CSRF and referrer spoofing attacks.
The application should validate the values of HTTP Referrer header properly
If a tampered referrer header request is coming from a valid user session then the session should be invalidated and user should be logged out immediately to avoid CSRF attacks.
Cross-Site Request Forgery
It is possible to steal or manipulate customer session and cookies, which may be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.
Impact- This attack forces a logged-on victim’s browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim.
- Add a per-request nonce to URL and all forms in addition to the standard session. This is also referred to as “form keys.
- Add a per-session nonce to URL and all forms
- .NET – add session identifier to View State with MAC
- Checking the referrer in the client’s HTTP request will prevent CSRF attacks. By ensuring the HTTP request have come from the original site means that the attacks from other sites will not function. It is very common to see referrer checks used on embedded network hardware due to memory limitations.
- Page tokens solve a number of security issues. Since a page token is much short-lived, it is now more difficult for attackers to browse a user’s session. The page tokens present on a particular page are valid only till the user clicks one of the links. A soon as the server receives a new request, the old tokens are overwritten with a new set.
HTTP Headers – Information Disclosure
when the HTTP headers received as the response of HTTP service discloses information about the version of the web server.
An attacker can gain sensitive information about the target via HTTP headers. This information can help the attacker to build a platform for further attacks.
It is recommended that information such as internal IP, underlying technology, versions of OS, web server, or application server should not be disclosed via HTTP response headers.
Set the value of “RemoveServerHeader” to “1”
Binary planting is a general term for an attack where the attacker places a binary file containing malicious code to a local or remote file system in order for a vulnerable application to load and execute it.
- Insecure access permissions on a local directory allow a local attacker to plant the malicious binary in a trusted location.
- One application may be used for planting a malicious binary in another application’s trusted location.
- The application searches for a binary in untrusted locations, possibly on remote file systems.
Buffer Overflow Protection- compiler-enforced protection, which implements canary values to change the organization of stack-allocated data.
Binary stirring protects against this by randomizing the instruction addresses every time the executable is launched
Code pointer masking enforces “the correct semantics of code pointers” to protect an application.