Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim 09.11.2004


Page 1: Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim 09.11.2004

Top Five Web Application Vulnerabilities

Vebjørn Moen, Selmersenteret/NoWires.org

Norsk Kryptoseminar, Trondheim, 09.11.2004

Page 2

Top 5

● Top 5 vulnerabilities (src: http://software.newsforge.com/software/04/09/17/1527247.shtml?tid=78&tid=48)

– SQL insertion

– Cross Site Scripting (CSS/XSS)

– Session management

– Default/misconfigurations

– Dangerous HTTP methods

Page 3

SQL insertion

● Problem: Trusting input from client, and passing it on to a SQL server.

● E.g.:

SELECT userid FROM tblusers WHERE user = 'bleh'; EXEC master..xp_cmdshell "cmd.exe /c …";--' AND pass = 'password'

Page 4

SQL insertion

• Form fields, URL parameters, cookies, and HTTP headers are all valid input vectors.

• Solution: Define acceptable data and make it as restrictive as possible. If input data is invalid then it should be rejected.
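As an added illustration, not from the slides, of the problem and the solution on the two SQL insertion pages: a string-built login query against a constructed in-memory tblusers (Python sqlite3), next to a bound-parameter query and the restrictive input definition the slide asks for. The comment-truncation part of the slide's example is reproduced; the MS SQL-specific xp_cmdshell part is not.

```python
import re
import sqlite3

def make_db():
    # Constructed in-memory copy of the slide's tblusers so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tblusers (userid INTEGER, user TEXT, pass TEXT)")
    db.execute("INSERT INTO tblusers VALUES (1, 'bleh', 'password')")
    return db

def login_vulnerable(db, user, pw):
    # Client input is spliced into the SQL text, exactly the pattern the slide warns about:
    # a quote followed by -- comments out the password check.
    sql = "SELECT userid FROM tblusers WHERE user = '%s' AND pass = '%s'" % (user, pw)
    return db.execute(sql).fetchone()

def login_safe(db, user, pw):
    # Bound parameters travel separately from the statement: a quote or -- is just data.
    sql = "SELECT userid FROM tblusers WHERE user = ? AND pass = ?"
    return db.execute(sql, (user, pw)).fetchone()

# Slide's solution: define acceptable data as restrictively as possible and reject the rest.
USER_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def valid_username(user):
    return USER_RE.fullmatch(user) is not None

def login(db, user, pw):
    # Both layers together: validate first, then query with bound parameters.
    if not valid_username(user):
        return None
    return login_safe(db, user, pw)
```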

Page 5

Cross Site Scripting

● Problem: a Web application accepts scripting commands as input, and returns them.

– The script appears to originate from the vulnerable server, which the user trusts, and so it gains access to all the user's cookie and session information.

● Example: http://mywebsite.com/login.jsp?msg=<script>alert()</script>

● Solution: Do not reflect values obtained as input back to the browser.
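Added example, not from the slides: the msg parameter of the login.jsp URL above, reflected verbatim and then encoded for the HTML body context with Python's html.escape, which is the practical form of "do not reflect input back to the browser" when the message must be shown.

```python
import html
from urllib.parse import parse_qs, urlsplit

def msg_from_url(url):
    # Extract the msg parameter as login.jsp would receive it.
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]

def render_unsafe(msg):
    # Reflects the parameter verbatim: the browser runs whatever arrived in the URL.
    return "<p>%s</p>" % msg

def render_safe(msg):
    # Encode for the HTML body context; quote=True also covers attribute values.
    return "<p>%s</p>" % html.escape(msg, quote=True)

def contains_script_tag(page):
    # Simple check used to compare the two renderings.
    return "<script" in page.lower()
```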

Page 6

Session management problems

● Problem: the state between your browser and the Web site.

– Used to track who is logged in and their access privileges.

● Attackers can access restricted pages without proper authorization, or manipulate session variables to gain access to other users' accounts.

– e.g. manipulating parameters in the URL

Page 7

Session management problems

● Sessions should always be maintained on the server side.

– Don't trust cookies and client-side session values

– Always use a strong unique identifier instead of an integer, email address or account number/name.

● Check for a valid session on each restricted access page whenever the page is requested.

Page 8

Session management problems

● JavaScript shopping carts

– the price is often embedded in the HTML code

– third-party money collector

– it is possible to change the price (get stuff cheaper...)
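Added example, not from the slides, covering the three session management pages: a server-side session store keyed by a strong random token, a check that runs on every restricted request, and a cart whose prices come from a constructed server-side catalogue so that a price edited in the HTML form changes nothing. Function and variable names are this example's own.

```python
import secrets

# Constructed server-side catalogue: the price lives here, never in the HTML form.
CATALOGUE = {"book": 25.00, "pen": 2.50}

# Server-side session store: token -> session data. Only the opaque token goes to the client.
SESSIONS = {}

def create_session(userid):
    # 32 random bytes from the OS CSPRNG, not an integer, e-mail or account number.
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"userid": userid, "cart": {}}
    return token

def require_session(cookie_token):
    # Called on every restricted page, for every request; the cookie is only a lookup key.
    session = SESSIONS.get(cookie_token)
    if session is None:
        raise PermissionError("no valid session; redirect to login")
    return session

def add_to_cart(cookie_token, item, quantity):
    session = require_session(cookie_token)
    # Define acceptable data: a known item and a positive integer quantity, nothing else.
    if item not in CATALOGUE or not isinstance(quantity, int) or quantity <= 0:
        raise ValueError("rejected: unknown item or bad quantity")
    session["cart"][item] = session["cart"].get(item, 0) + quantity

def checkout_total(cookie_token, client_fields):
    # client_fields is whatever the browser POSTed; a "price" field in it is ignored
    # and the total is recomputed from the server-side catalogue.
    session = require_session(cookie_token)
    return sum(CATALOGUE[item] * qty for item, qty in session["cart"].items())
```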

Page 9

Default/misconfigurations (sample apps/dir listings)

● Configuration and installation problems.

● They provide an attacker with a starting point for breaking into the server:

– sample applications that are installed by default

– directory listings and permissions

– default software features and configurations

– log and swap files

Page 10

Default/misconfigurations

● Sample applications that are installed by default can contain information-disclosing scripts that may reveal Web site source code.

● Directory listings can reveal files.

● Default software features may have exploitable bugs.

● Log files and swap files can be left over from developers editing Web application pages.
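Added example, not from the slides: a small check a site owner can run over a document root to find the leftover log, backup and editor swap files the page describes, run here against a constructed sample tree. The suffix and prefix lists are this example's own assumptions about what editors and tools typically leave behind.

```python
import os
import tempfile

# Assumed markers of files left behind by editing, backups or logging.
LEFTOVER_SUFFIXES = (".bak", ".old", ".orig", ".swp", ".log", "~")
LEFTOVER_PREFIXES = (".#",)  # e.g. editor lock files

def find_leftovers(docroot):
    # Walk the document root and report paths that should not be served.
    found = []
    for dirpath, _, filenames in os.walk(docroot):
        for name in filenames:
            if name.endswith(LEFTOVER_SUFFIXES) or name.startswith(LEFTOVER_PREFIXES):
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)

def build_sample_docroot():
    # Constructed sample webroot so the check runs offline.
    root = tempfile.mkdtemp()
    for rel in ("index.html", "login.jsp", ".login.jsp.swp", "old/db.inc.bak", "access.log"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root
```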

Page 11

Dangerous HTTP commands

● PUT, DELETE, WebDAV

● PUT: upload a script

● DELETE: delete all the content of a site – DoS

● WebDAV: methods have been used to perform buffer overflows on Windows servers.

Page 12

Dangerous HTTP commands cont.

● To test the PUT method, use a tool like curl to attempt a file upload:

curl -T test.html www.mysite.com

– try to access the file

● To test the DELETE method, telnet to the Web server and issue the command:

DELETE / HTTP/1.0
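Added example, not from the slides, for the two HTTP-method pages: a minimal Python http.server handler that answers PUT, DELETE and the WebDAV verbs with 405 and an Allow header listing only the methods it serves, plus a probe that performs the same check as the slide's curl and telnet tests against that local server.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ALLOWED = ("GET", "HEAD", "POST")

class SafeHandler(BaseHTTPRequestHandler):
    def _refuse(self):
        # Method Not Allowed, and tell the client which methods are served.
        self.send_response(405)
        self.send_header("Allow", ", ".join(ALLOWED))
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    # PUT, DELETE and the WebDAV verbs get no handler that touches the filesystem.
    do_PUT = do_DELETE = do_PROPFIND = do_MKCOL = _refuse

    def log_message(self, *args):
        pass  # keep the example quiet

def start_server():
    # Bind to an ephemeral localhost port and serve in a background thread.
    srv = ThreadingHTTPServer(("127.0.0.1", 0), SafeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe(port, method, path="/test.html"):
    # Same check as the slide's curl -T / telnet DELETE, against our own server.
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, body=b"x" if method == "PUT" else None)
    resp = conn.getresponse()
    allow = resp.getheader("Allow")
    conn.close()
    return resp.status, allow
```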

Page 13

Page 14

Conclusion

● Security problems are caused by errors:

– configuration errors

– programming errors

– misplaced trust (e.g. in user input)

● Cryptography is failing to protect

– or... not the final answer

● Awareness and teaching