
10 attacks on web applications in action

Today almost every application being developed tends to be made as accessible as possible to the user over the Internet. The network hosts a wide range of applications for work and leisure: Google Docs, calculators, email, cloud storage, maps, weather, news and so on; in short, everything needed for everyday life. Our smartphones are almost useless without Internet access, since nearly all mobile applications connect to the cloud, which stores our photos, logins and passwords. Even most home devices are now permanently connected to the network.



The application layer is the most reliable protection. The vulnerabilities we will meet here often depend on complex user input scenarios, which makes them hard to detect with intrusion detection systems. This layer is also the most accessible from the outside: for an application to function at all, it must be reachable on port 80 (HTTP) or port 443 (HTTPS).

In the diagram below, the web application is fully accessible from the outside, despite the firewalls and intrusion prevention systems:


In 2014, SQL injection accounted for 8.1 percent of all such attacks, making it the third most used type of attack after malware and DDoS. The same list includes other common attacks, such as security misconfiguration, use of components with known vulnerabilities and cross-site scripting (XSS). A skilled attacker can find these vulnerabilities and exploit them with little risk of being detected.

Most of these vulnerabilities are found in the web application's own code, and they are known as zero-day vulnerabilities: they are specific to each application and have never been seen before. The best defense against these attacks is to build secure applications, and developers need to understand how particular attacks work in order to build protection directly into their code.

Training developers and informing them about application vulnerabilities is the main goal of the Open Web Application Security Project (OWASP). The organization publishes a list of the ten most common attacks on web applications; the list is updated every three years and was last revised in 2013.

The IBM X-Force Ethical Hacking team used these reports to create a set of ten videos, each demonstrating an attack from one category of the OWASP list. Every video also covers how to prevent the attack and how to use automated tools to test an application's exposure to it. The videos were originally intended for internal use, but the company later decided to make them publicly available on the Internet.

Enough preamble; let's move on to the videos themselves.

10. Unvalidated redirects and forwards


This category of vulnerability is used in phishing attacks, where victims are tricked into following a redirect to a malicious site. Attackers manipulate URLs of the genuine site so that it redirects the user to a page of their choosing. Jonathan Fitz-Gerald demonstrates this attack in the video below:
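The defensive side of this category is a strict check on the redirect target before the application follows it. The block below is an added example, not code from the original post or from IBM's videos; the host name `bank.example`, the function names and the `?next=`-style parameter it talks about are all assumptions made for the illustration. It accepts only a local path or an https URL on the application's own host and rejects the common parser-confusion forms (scheme-relative `//host`, userinfo `@host`, backslashes, `javascript:`).

```python
from urllib.parse import urlsplit

# Host the application is served from (constructed value for this example).
APP_HOST = "bank.example"


def is_safe_redirect_target(target: str, app_host: str = APP_HOST) -> bool:
    """Return True only if `target` keeps the user on our own site.

    The value typically arrives in a query parameter such as ?next=, so it is
    attacker-controlled: accept a local path or an https URL on our host and
    reject everything else, including the usual parser-confusion tricks.
    """
    if not target:
        return False
    # Control characters and backslashes confuse browsers: some treat
    # "/\evil.example" exactly like "//evil.example".
    if "\\" in target or any(ord(ch) < 0x20 for ch in target):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # A relative target must be an absolute path on this site.
        # urlsplit already gives "//evil.example" a netloc, so it never
        # reaches this branch; the explicit check keeps the intent obvious.
        return target.startswith("/") and not target.startswith("//")
    # Absolute URL: only https, only our host, and no userinfo such as
    # "https://bank.example@evil.example" (whose hostname is evil.example).
    return (
        parts.scheme == "https"
        and parts.hostname == app_host
        and parts.username is None
    )


def resolve_redirect(target: str, fallback: str = "/account",
                     app_host: str = APP_HOST) -> str:
    """Location a login handler should redirect to after a successful login."""
    return target if is_safe_redirect_target(target, app_host) else fallback


if __name__ == "__main__":
    for candidate in ["/account", "https://bank.example/account",
                      "//evil.example/", "https://bank.example@evil.example/",
                      "javascript:alert(1)"]:
        print(f"{candidate!r:45} -> {resolve_redirect(candidate)}")
```

An allow-list of known internal paths is simpler still when the set of post-login destinations is small; the check above is for the case where the target really must be a free-form URL.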



9. Using components with known vulnerabilities


This category covers applications that keep using a component after a vulnerability has been discovered in it. Attackers can easily exploit outdated components in the applications that use them, since the vulnerabilities have long been confirmed and published; any script kiddie can carry out such an attack.



8. Cross-site request forgery


This type of attack is used together with social engineering. In the video below, Brennan Brazeau demonstrates how an attacker can steal money from a victim's bank account using social media and pictures of cats:
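What makes the attack work is that the victim's browser attaches the bank's session cookie to a form submitted from any page, including the attacker's. The block below is an added example, not code from the post or from the video: it models a money-transfer handler with plain dictionaries standing in for HTTP requests, and shows the vulnerable version beside one that requires a same-site `Origin` and a synchronizer token bound to the session. The origin `https://bank.example`, the session store and both request shapes are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values: the site's own origin and a per-deployment secret.
APP_ORIGIN = "https://bank.example"
SERVER_SECRET = secrets.token_bytes(32)


def new_session_store() -> dict:
    """Constructed in-memory session store: session cookie -> account state."""
    return {"sess-alice": {"user": "alice", "balance": 1000}}


def issue_csrf_token(session_id: str) -> str:
    # HMAC over the session id: bound to this session, nothing to store
    # server side, and unreadable from another origin (same-origin policy).
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _same_origin(headers: dict) -> bool:
    # Browsers attach Origin to cross-site POSTs; fall back to Referer,
    # and fail closed if neither header is present.
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == APP_ORIGIN


def transfer_vulnerable(request: dict, sessions: dict) -> dict:
    """Acts on any POST that carries the victim's session cookie.

    The browser sends that cookie automatically, so a form auto-submitted
    from an attacker's page (behind a cat picture) moves the money.
    """
    session = sessions.get(request["cookies"].get("session"))
    if session is None:
        return {"status": 401}
    session["balance"] -= int(request["form"]["amount"])
    return {"status": 200, "balance": session["balance"]}


def transfer_hardened(request: dict, sessions: dict) -> dict:
    """Same transfer, but requires a same-site origin and a valid CSRF token."""
    session_id = request["cookies"].get("session")
    session = sessions.get(session_id)
    if session is None:
        return {"status": 401}
    if not _same_origin(request["headers"]):
        return {"status": 403, "reason": "cross-site request"}
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, issue_csrf_token(session_id)):
        return {"status": 403, "reason": "missing or invalid CSRF token"}
    session["balance"] -= int(request["form"]["amount"])
    return {"status": 200, "balance": session["balance"]}


def forged_request() -> dict:
    """Constructed request as the victim's browser would send it from an
    attacker-controlled page: victim's cookie, foreign origin, no token."""
    return {
        "method": "POST",
        "headers": {"Origin": "https://cats.example"},
        "cookies": {"session": "sess-alice"},
        "form": {"to": "mallory", "amount": "500"},
    }


def legitimate_request() -> dict:
    """Constructed request from the bank's own transfer form."""
    return {
        "method": "POST",
        "headers": {"Origin": APP_ORIGIN},
        "cookies": {"session": "sess-alice"},
        "form": {"to": "bob", "amount": "500",
                 "csrf_token": issue_csrf_token("sess-alice")},
    }
```

The two checks are independent layers: the origin check catches the ordinary cross-site form post, and the token catches the cases where the browser sends no `Origin` (older clients, some proxies) or the origin check is misconfigured. A `SameSite` attribute on the session cookie is a third layer that costs nothing to add.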



7. Missing function level access control


This case describes a situation in which higher-privileged functionality is merely hidden from a lower-privileged or unregistered user instead of being enforced through access control. John Zaccato demonstrates an attack in which a low-privileged user gains access to the web application's administration interface:



6. Sensitive data exposure


Data is not encrypted in transit or at rest. If the web applications you use do not properly protect sensitive data, such as credit card or authentication data, attackers can steal or modify it.



5. Security misconfiguration


This video examines another extremely dangerous category of flaws: incorrect configuration of the server or of the application itself.



4. Insecure direct object references


In this video, Fitz-Gerald demonstrates an attack on an insecure direct object reference, which lets attackers retrieve data from the server by manipulating file names. You will see how he patiently downloads file after file until he has the entire database.
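Items 7 and 4 are the same mistake at two granularities: authorisation that is implied by what the user interface shows rather than enforced by the handler that serves the request. The block below is an added example covering both, not code from the post or from either video. It pairs a hidden admin link with an unprotected admin endpoint and its role-checked counterpart, and an invoice endpoint that trusts the id in the URL with one that ties the object to its owner. The `User` record, the invoice data and the route names are assumptions for the illustration.

```python
import functools
from dataclasses import dataclass


@dataclass
class User:
    name: str
    role: str  # "user" or "admin"


# Constructed data: the admin-only user list and some invoices with owners.
ALL_USERS = [{"name": "alice", "role": "user"}, {"name": "bob", "role": "user"},
             {"name": "root", "role": "admin"}]
INVOICES = {101: {"owner": "alice", "amount": 42},
            102: {"owner": "bob", "amount": 99}}


# --- 7. Missing function level access control ----------------------------

def navigation_links(user: User) -> list:
    """Hiding the link is a UI choice, not a security control."""
    links = ["/account"]
    if user.role == "admin":
        links.append("/admin/users")
    return links


def admin_users_vulnerable(user: User) -> dict:
    # Reachable by anyone who types the URL: the hidden link was the only 'protection'.
    return {"status": 200, "users": ALL_USERS}


def require_role(role: str):
    """Enforce the role check in the handler, on every request."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(user: User, *args, **kwargs):
            if user.role != role:
                return {"status": 403, "reason": "forbidden"}
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def admin_users_hardened(user: User) -> dict:
    return {"status": 200, "users": ALL_USERS}


# --- 4. Insecure direct object reference ---------------------------------

def get_invoice_vulnerable(user: User, invoice_id: int) -> dict:
    # The id comes straight from the URL and nothing ties it to the caller,
    # so walking 101, 102, 103 ... returns everyone's invoices.
    invoice = INVOICES.get(invoice_id)
    return {"status": 200, "invoice": invoice} if invoice else {"status": 404}


def get_invoice_hardened(user: User, invoice_id: int) -> dict:
    invoice = INVOICES.get(invoice_id)
    # Same 404 for 'does not exist' and 'not yours': the response must not
    # confirm which ids are valid.
    if invoice is None or (invoice["owner"] != user.name and user.role != "admin"):
        return {"status": 404}
    return {"status": 200, "invoice": invoice}
```

The hardened invoice lookup is written as "fetch, then check ownership" for clarity; in a real data layer the ownership condition belongs in the query itself (`WHERE id = ? AND owner = ?`) so that it cannot be forgotten on a new code path.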



3. Cross-site scripting


Cross-site scripting is a type of vulnerability that allows attackers to inject JavaScript into the pages of a genuine site. With it, they can completely alter the site's content, for example to send the user's credentials to any other server. Warren Moynihan shows below how this is achieved:
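The injection succeeds when user-supplied text is written into a page without encoding for the context it lands in. The block below is an added example, not code from the post or from the video: it renders a comment with raw string formatting, then with HTML escaping, and separately shows the attribute context, where the quote characters matter as much as angle brackets. The markup, the function names and the two constructed payloads are assumptions for the illustration.

```python
from html import escape


def render_comment_vulnerable(username: str, comment: str) -> str:
    """User input pasted straight into the page: the browser runs whatever
    markup it contains, with the site's own cookies and session."""
    return f'<div class="comment"><b>{username}</b>: {comment}</div>'


def render_comment_hardened(username: str, comment: str) -> str:
    """Escape every untrusted value for the HTML text context."""
    return f'<div class="comment"><b>{escape(username)}</b>: {escape(comment)}</div>'


def render_profile_link_hardened(display_name: str, profile_path: str) -> str:
    """Attribute context: quote=True (the default) also encodes the quote
    characters an attacker needs to break out of the attribute."""
    # Escaping handles markup, not URL semantics: a "javascript:" link would
    # survive escape() untouched, so the path is validated separately.
    if not profile_path.startswith("/") or profile_path.startswith("//"):
        raise ValueError("profile_path must be a local absolute path")
    return (
        f'<a href="{escape(profile_path, quote=True)}" '
        f'title="{escape(display_name, quote=True)}">{escape(display_name)}</a>'
    )


def contains_script_tag(html: str) -> bool:
    """Cheap check used here only to show the difference between the two renderers."""
    return "<script" in html.lower()


# Constructed payloads: what an attacker would submit as a comment or a name.
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTRIBUTE_PAYLOAD = '" onmouseover="alert(1)'
```

In a real application this escaping is the template engine's job (auto-escaping on by default), with a Content-Security-Policy header as the second layer; the point of the hand-written version is to make visible what auto-escaping does and why the attribute case needs `quote=True`.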



2. Broken authentication and session management


Brazeau discusses programming flaws that allow attackers to bypass authentication methods used by the application:



1. Injections


Injections allow attackers to alter the query a backend command executes by supplying unexpected user input. Moynihan demonstrates several SQL injection examples and, most importantly, shows how to obtain the entire user table, including passwords.
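The textbook version of the attack in the video, and its fix, fit in a few lines. The block below is an added example, not code from the post or from the video: it builds an in-memory SQLite user table, runs a lookup that splices the input into the SQL text beside one that passes it as a bound parameter, and adds an allow-list check as a second layer. The table, its rows and the tautology input are constructed for the illustration.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table; password_hash holds placeholder values."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String formatting lets the input rewrite the WHERE clause: the value
    ' OR '1'='1 turns it into a condition that matches every row."""
    sql = f"SELECT id, username, password_hash FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver sends the value separately from the
    SQL text, so it can never become part of the statement's structure."""
    sql = "SELECT id, username, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def find_user_defence_in_depth(conn: sqlite3.Connection, username: str) -> list:
    """Allow-list validation on top of parameterisation, not instead of it."""
    if not USERNAME_RE.match(username):
        return []
    return find_user_hardened(conn, username)


# Constructed tautology input of the kind the video demonstrates.
TAUTOLOGY = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", len(find_user_vulnerable(db, TAUTOLOGY)), "rows")
    print("hardened:  ", len(find_user_hardened(db, TAUTOLOGY)), "rows")
```

The parameterised form is the fix; the allow-list only narrows what reaches the database and is no substitute for it. Note also that the table stores `password_hash`, not passwords: even a successful dump of this table should yield nothing directly usable.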



That's all. Thank you for your attention.

Source: https://habr.com/ru/post/272205/

