Professional Documents
Culture Documents
BACHELOR OF TECHNOLOGY
IN
COMPUTER SCIENCE AND ENGINEERING
Submitted by
RAKESH DAMA
(17AK1A0586)
Under the esteemed guidance of
Dr. K. Nawaz
and
Dr. S. Jumlesha
Department of CSE.
RAKESH DAMA
(17AK1A0586)
Submitted towards the Partial Fulfilment Of The Requirements For The Award Of
The Degree Of Bachelor of Technology In Computer Science And Engineering from
JNUTA, Anantapuramu during the year 2020 – 2021.
On an enterprise level, attacks on computer systems can also breach millions of pieces of
personal data, including credit card information. Governments are also vulnerable to attacks that
expose sensitive data.
Cybersecurity involves everyone and every entity - from you and your neighbors, to
organizations, to companies, to governments.
The Internet has completely revolutionized the way we communicate with each other
and share information. Many of us spend hours on social media and online group chats. Nearly
all institutions have some sort of computer system administration to keep track of accounts, and
buying and selling things on the Internet is now the norm. One by one, even medical
equipment, transportation systems, and vacuums are connected to the web.
CYBER SECURITY
INTRODUCTION
There’s no turning back, even as more connections to the Internet lead to more privacy
concerns and security risks. We don’t want strangers to access our accounts, or our credit card
numbers. Along with practicing personal security, organizations and businesses also need to do
their part to implement the right protections.
Cybersecurity is the field of study and practice that responds to these challenges as technology
evolves. In a formal definition by CISCO:
Confidentiality
This pillar of the triad refers to protecting private information from eyes that shouldn’t
have access to it. Confidentiality is the need to enforce access - who can see this, and who
shouldn’t? For example, we don’t want to give our social security number to just anyone, but we
trust that the institutions we give them to - like tax services - implement the right security
measures to keep it secret. So what tools are used to guarantee the right access?
Integrity refers to data integrity here. We need security controls that protect data from
being changed or deleted. We must also ensure that the damage can be reversed if data was
changed accidentally or by the wrong person. Some techniques related to integrity are:
Keeping backups of the data in its correct state, and logging versions
Using cryptography to securely check for changes
Keeping track of digital signatures to prove integrity of data
Availability
This last pillar refers to data being consistently, reliably available to those authorized. For
example, when you login to a social media account and want to set your privacy settings, you
expect all the correct settings you had set before to appear immediately. The social media
company ensures that even with high traffic, information gets to your screen. How is this
accomplished?
The OWASP Top 10 is a standard awareness document for developers and web
application security. It represents a broad consensus about the most critical security risks to web
applications.
A1:2017-Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur
when untrusted data is sent to an interpreter as part of a command or query. The attacker’s
hostile data can trick the interpreter into executing unintended commands or accessing data
without proper authorization.
A3:2017-Sensitive Data Exposure: Many web applications and APIs do not properly
protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify
such weakly protected data to conduct credit card fraud, identity theft, or other crimes.
Sensitive data may be compromised without extra protection, such as encryption at rest or in
transit, and requires special precautions when exchanged with the browser.
SQL injection is a web security vulnerability that allows an attacker to interfere with the
queries that an application makes to its database. It generally allows an attacker to view data
that they are not normally able to retrieve. This might include data belonging to other users, or
any other data that the application itself is able to access. In many cases, an attacker can modify
or delete this data, causing persistent changes to the application's content or behavior.
In some situations, an attacker can escalate an SQL injection attack to compromise the
underlying server or other back-end infrastructure, or perform a denial-of-service attack.
What is the impact of a successful SQL injection attack?
A successful SQL injection attack can result in unauthorized access to sensitive data,
such as passwords, credit card details, or personal user information. Many high-profile data
breaches in recent years have been the result of SQL injection attacks, leading to reputational
damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an
organization's systems, leading to a long-term compromise that can go unnoticed for an extended
period.
There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which
arise in different situations. Some common SQL injection examples include:
Retrieving hidden data, where you can modify an SQL query to return additional
results.
Subverting application logic, where you can change a query to interfere with the
application's logic.
UNION attacks, where you can retrieve data from different database tables.
Examining the database, where you can extract information about the version and
structure of the database.
Blind SQL injection, where the results of a query you control are not returned in the
application's responses.
Most instances of SQL injection can be prevented by using parameterized queries (also known as
prepared statements) instead of string concatenation within the query.
The following code is vulnerable to SQL injection because the user input is concatenated directly
into the query:
This code can be easily rewritten in a way that prevents the user input from interfering with the
query structure:
statement.setString(1, input);
Parameterized queries can be used for any situation where untrusted input appears as data within
the query, including the WHERE clause and values in an INSERT or UPDATE statement. They
can't be used to handle untrusted input in other parts of the query, such as table or column names,
or the ORDER BY clause. Application functionality that places untrusted data into those parts of
the query will need to take a different approach, such as white-listing permitted input values, or
using different logic to deliver the required behavior.
For a parameterized query to be effective in preventing SQL injection, the string that is used in
the query must always be a hard-coded constant, and must never contain any variable data from
any origin. Do not be tempted to decide case-by-case whether an item of data is trusted, and
continue using string concatenation within the query for cases that are considered safe. It is all
too easy to make mistakes about the possible origin of data, or for changes in other code to
violate assumptions about what data is tainted.
BROKEN AUTHENTICATION
In this section, we'll look at some of the most common authentication mechanisms used
by websites and discuss potential vulnerabilities in them. We'll highlight both inherent
vulnerabilities in different authentication mechanisms, as well as some typical vulnerabilities that
are introduced by their improper implementation. Finally, we'll provide some basic guidance on
how you can ensure that your own authentication mechanisms are as robust as possible.
What is the impact of vulnerable authentication?
The impact of authentication vulnerabilities can be very severe. Once an attacker has
either bypassed authentication or has brute-forced their way into another user's account, they
have access to all the data and functionality that the compromised account has. If they are able to
compromise a high-privileged account, such as a system administrator, they could take full
control over the entire application and potentially gain access to internal infrastructure.
Even compromising a low-privileged account might still grant an attacker access to data
that they otherwise shouldn't have, such as commercially sensitive business information. Even if
the account does not have access to any sensitive data, it might still allow the attacker to access
additional pages, which provide a further attack surface. Often, certain high-severity attacks will
not be possible from publicly accessible pages, but they may be possible from an internal page.
In this section, we will discuss what access control security is, describe privilege
escalation and the types of vulnerabilities that can arise with access control, and summarize how
to prevent these vulnerabilities.
What is access control?
Access control (or authorization) is the application of constraints on who (or what) can
perform attempted actions or access resources that they have requested. In the context of web
applications, access control is dependent on authentication and session management:
Authentication identifies the user and confirms that they are who they say they are.
Session management identifies which subsequent HTTP requests are being made by
that same user.
Access control determines whether the user is allowed to carry out the action that they
are attempting to perform.
Broken access controls are a commonly encountered and often critical security
vulnerability. Design and management of access controls is a complex and dynamic problem that
applies business, organizational, and legal constraints to a technical implementation. Access
control design decisions have to be made by humans, not technology, and the potential for errors
is high.
Vertical access controls
Vertical access controls are mechanisms that restrict access to sensitive functionality that
is not available to other types of users.
With vertical access controls, different types of users have access to different application
functions. For example, an administrator might be able to modify or delete any user's account,
while an ordinary user has no access to these actions. Vertical access controls can be more fine-
grained implementations of security models designed to enforce business policies such as
separation of duties and least privilege.
Horizontal access controls are mechanisms that restrict access to resources to the users
who are specifically allowed to access those resources.
With horizontal access controls, different users have access to a subset of resources of the
same type. For example, a banking application will allow a user to view transactions and make
payments from their own accounts, but not the accounts of any other user.
XML EXTERNAL ENTITY (XXE) INJECTION
In this section, we'll explain what XML external entity injection is, describe some
common examples, explain how to find and exploit various kinds of XXE injection, and
summarize how to prevent XXE injection attacks.
XML external entity injection (also known as XXE) is a web security vulnerability that
allows an attacker to interfere with an application's processing of XML data. It often allows an
attacker to view files on the application server filesystem, and to interact with any back-end or
external systems that the application itself can access.
In some situations, an attacker can escalate an XXE attack to compromise the underlying
server or other back-end infrastructure, by leveraging the XXE vulnerability to perform server-
side request forgery (SSRF) attacks.
How do XXE vulnerabilities arise?
Some applications use the XML format to transmit data between the browser and the
server. Applications that do this virtually always use a standard library or platform API to
process the XML data on the server. XXE vulnerabilities arise because the XML specification
contains various potentially dangerous features, and standard parsers support these features even
if they are not normally used by the application.
XML external entities are a type of custom XML entity whose defined values are loaded
from outside of the DTD in which they are declared. External entities are particularly interesting
from a security perspective because they allow an entity to be defined based on the contents of a
file path or URL.
To perform an XXE injection attack that retrieves an arbitrary file from the server's
filesystem, you need to modify the submitted XML in two ways:
Introduce (or edit) a DOCTYPE element that defines an external entity containing the
path to the file.
Edit a data value in the XML that is returned in the application's response, to make use
of the defined external entity.
For example, suppose a shopping application checks for the stock level of a product by
submitting the following XML to the server:
The application performs no particular defenses against XXE attacks, so you can exploit
the XXE vulnerability to retrieve the /etc/passwd file by submitting the following XXE
payload:
In this section, we'll explain the basics of information disclosure vulnerabilities and
describe how you can find and exploit them. We'll also offer some guidance on how you can
prevent information disclosure vulnerabilities in your own websites.
Learning to find and exploit information disclosure is a vital skill for any tester. You are likely to
encounter it on a regular basis and, once you know how to exploit it effectively, it can help you
to improve your testing efficiency and enable you to find additional, high-severity bugs.
What is information disclosure?
The dangers of leaking sensitive user or business data are fairly obvious, but disclosing technical
information can sometimes be just as serious. Although some of this information will be of
limited use, it can potentially be a starting point for exposing an additional attack surface, which
may contain other interesting vulnerabilities. The knowledge that you are able to gather could
even provide the missing piece of the puzzle when trying to construct complex, high-severity
attacks.
Occasionally, sensitive information might be carelessly leaked to users who are simply browsing
the website in a normal fashion. More commonly, however, an attacker needs to elicit the
information disclosure by interacting with the website in unexpected or malicious ways. They
will then carefully study the website's responses to try and identify interesting behavior.
Revealing the names of hidden directories, their structure, and their contents via a
robots.txt file or directory listing
Information disclosure vulnerabilities can arise in countless different ways, but these can broadly
be categorized as follows:
Failure to remove internal content from public content. For example, developer
comments in markup are sometimes visible to users in the production environment.
Insecure configuration of the website and related technologies. For example, failing to
disable debugging and diagnostic features can sometimes provide attackers with useful
tools to help them obtain sensitive information. Default configurations can also leave
websites vulnerable, for example, by displaying overly verbose error messages.
Flawed design and behavior of the application. For example, if a website returns
distinct responses when different error states occur, this can also allow attackers to
enumerate sensitive data, such as valid user credentials.
Information disclosure vulnerabilities can have both a direct and indirect impact
depending on the purpose of the website and, therefore, what information an attacker is able to
obtain. In some cases, the act of disclosing sensitive information alone can have a high impact on
the affected parties. For example, an online shop leaking its customers' credit card details is
likely to have severe consequences.
On the other hand, leaking technical information, such as the directory structure or which
third-party frameworks are being used, may have little to no direct impact. However, in the
wrong hands, this could be the key information required to construct any number of other
exploits. The severity in this case depends on what the attacker is able to do with this
information.
Cross-site scripting works by manipulating a vulnerable web site so that it returns malicious
JavaScript to users. When the malicious code executes inside a victim's browser, the attacker can
fully compromise their interaction with the application.
Reflected XSS, where the malicious script comes from the current HTTP request.
Stored XSS, where the malicious script comes from the website's database.
DOM-based XSS, where the vulnerability exists in client-side code rather than server-
side code.
Reflected cross-site scripting
Reflected XSS is the simplest variety of cross-site scripting. It arises when an application
receives data in an HTTP request and includes that data within the immediate response in an
unsafe way.
https://insecure-website.com/status?message=All+is+well.
The application doesn't perform any other processing of the data, so an attacker can easily
construct an attack like this:
https://insecure-website.com/status?message=<script>/
*+Bad+stuff+here...+*/</script>
If the user visits the URL constructed by the attacker, then the attacker's script executes in the
user's browser, in the context of that user's session with the application. At that point, the script
can carry out any action, and retrieve any data, to which the user has access.
Stored XSS (also known as persistent or second-order XSS) arises when an application receives
data from an untrusted source and includes that data within its later HTTP responses in an unsafe
way.
The data in question might be submitted to the application via HTTP requests; for example,
comments on a blog post, user nicknames in a chat room, or contact details on a customer order.
In other cases, the data might arrive from other untrusted sources; for example, a webmail
application displaying messages received over SMTP, a marketing application displaying social
media posts, or a network monitoring application displaying packet data from network traffic.
Here is a simple example of a stored XSS vulnerability. A message board application lets users
submit messages, which are displayed to other users:
<p>Hello, this is my message!</p>
The application doesn't perform any other processing of the data, so an attacker can easily send a
message that attacks other users:
DOM-based XSS (also known as DOM XSS) arises when an application contains some client-
side JavaScript that processes data from an untrusted source in an unsafe way, usually by writing
the data back to the DOM.
In the following example, an application uses some JavaScript to read the value from an input
field and write that value to an element within the HTML:
If the attacker can control the value of the input field, they can easily construct a malicious value
that causes their own script to execute:
You searched for: <img src=1 onerror='/* Bad stuff here... */'>
In a typical case, the input field would be populated from part of the HTTP request, such as a
URL query string parameter, allowing the attacker to deliver an attack using a malicious URL, in
the same manner as reflected XSS.
The actual impact of an XSS attack generally depends on the nature of the application, its
functionality and data, and the status of the compromised user. For example:
In a brochureware application, where all users are anonymous and all information is
public, the impact will often be minimal.
In an application holding sensitive data, such as banking transactions, emails, or
healthcare records, the impact will usually be serious.
If the compromised user has elevated privileges within the application, then the impact
will generally be critical, allowing the attacker to take full control of the vulnerable
application and compromise all users and their data.
Preventing cross-site scripting is trivial in some cases but can be much harder depending on the
complexity of the application and the ways it handles user-controllable data.
Filter input on arrival. At the point where user input is received, filter as strictly as
possible based on what is expected or valid input.
Encode data on output. At the point where user-controllable data is output in HTTP
responses, encode the output to prevent it from being interpreted as active content.
Depending on the output context, this might require applying combinations of HTML,
URL, JavaScript, and CSS encoding.
Use appropriate response headers. To prevent XSS in HTTP responses that aren't
intended to contain any HTML or JavaScript, you can use the Content-Type and X-
Content-Type-Options headers to ensure that browsers interpret the responses in
the way you intend.
Content Security Policy. As a last line of defense, you can use Content Security Policy
(CSP) to reduce the severity of any XSS vulnerabilities that still occur.
How common are XSS vulnerabilities? XSS vulnerabilities are very common, and XSS is
probably the most frequently occurring web security vulnerability.
How common are XSS attacks? It is difficult to get reliable data about real-world XSS attacks,
but it is probably less frequently exploited than other vulnerabilities.
What is the difference between XSS and CSRF? XSS involves causing a web site to return
malicious JavaScript, while CSRF involves inducing a victim user to perform actions they do not
intend to do.
What is the difference between XSS and SQL injection? XSS is a client-side vulnerability that
targets other application users, while SQL injection is a server-side vulnerability that targets the
application's database.
How do I prevent XSS in PHP? Filter your inputs with a whitelist of allowed characters and use
type hints or type casting. Escape your outputs with htmlentities and ENT_QUOTES for
HTML contexts, or JavaScript Unicode escapes for JavaScript contexts.
How do I prevent XSS in Java? Filter your inputs with a whitelist of allowed characters and use a
library such as Google Guava to HTML-encode your output for HTML contexts, or use
JavaScript Unicode escapes for JavaScript contexts.
INSECURE DESERAILIZATION
In this section, we'll cover what insecure deserialization is and describe how it can potentially
expose websites to high-severity attacks. We'll highlight typical scenarios and demonstrate some
widely applicable techniques using concrete examples of PHP, Ruby, and Java deserialization.
We'll also look at some ways that you can avoid insecure deserialization vulnerabilities in your
own websites.
Exploiting insecure deserialization has a reputation for being difficult. However, it can
sometimes be much simpler than you might think. If you're new to the topic of deserialization,
this section contains key background information that you should familiarize yourself with first.
If you already know the the basics of deserialization, you can skip straight to learning about how
to exploit it.
What is serialization?
Serialization is the process of converting complex data structures, such as objects and their
fields, into a "flatter" format that can be sent and received as a sequential stream of bytes.
Serializing data makes it much simpler to:
Crucially, when serializing an object, its state is also persisted. In other words, the object's
attributes are preserved, along with their assigned values.
Serialization vs deserialization
Deserialization is the process of restoring this byte stream to a fully functional replica of the
original object, in the exact state as when it was serialized. The website's logic can then interact
with this deserialized object, just like it would with any other object.
Many programming languages offer native support for serialization. Exactly how objects are
serialized depends on the language. Some languages serialize objects into binary formats,
whereas others use different string formats, with varying degrees of human readability. Note that
all of the original object's attributes are stored in the serialized data stream, including any private
fields. To prevent a field from being serialized, it must be explicitly marked as "transient" in the
class declaration.
Be aware that when working with different programming languages, serialization may be
referred to as marshalling (Ruby) or pickling (Python). These terms are synonymous with
"serialization" in this context.
It is even possible to replace a serialized object with an object of an entirely different class.
Alarmingly, objects of any class that is available to the website will be deserialized and
instantiated, regardless of which class was expected. For this reason, insecure deserialization is
sometimes known as an "object injection" vulnerability.
An object of an unexpected class might cause an exception. By this time, however, the damage
may already be done. Many deserialization-based attacks are completed before deserialization is
finished. This means that the deserialization process itself can initiate an attack, even if the
website's own functionality does not directly interact with the malicious object. For this reason,
websites whose logic is based on strongly typed languages can also be vulnerable to these
techniques.
However, sometimes website owners think they are safe because they implement some form of
additional check on the deserialized data. This approach is often ineffective because it is virtually
impossible to implement validation or sanitization to account for every eventuality. These checks
are also fundamentally flawed as they rely on checking the data after it has been deserialized,
which in many cases will be too late to prevent the attack.
Vulnerabilities may also arise because deserialized objects are often assumed to be trustworthy.
Especially when using languages with a binary serialization format, developers might think that
users cannot read or manipulate the data effectively. However, while it may require more effort,
it is just as possible for an attacker to exploit binary serialized objects as it is to exploit string-
based formats.
Deserialization-based attacks are also made possible due to the number of dependencies that
exist in modern websites. A typical site might implement many different libraries, which each
have their own dependencies as well. This creates a massive pool of classes and methods that is
difficult to manage securely. As an attacker can create instances of any of these classes, it is hard
to predict which methods can be invoked on the malicious data. This is especially true if an
attacker is able to chain together a long series of unexpected method invocations, passing data
into a sink that is completely unrelated to the initial source. It is, therefore, almost impossible to
anticipate the flow of malicious data and plug every potential hole.
In short, it can be argued that it is not possible to securely deserialize untrusted input.
What is the impact of insecure deserialization?
The impact of insecure deserialization can be very severe because it provides an entry
point to a massively increased attack surface. It allows an attacker to reuse existing application
code in harmful ways, resulting in numerous other vulnerabilities, often remote code execution.
Even in cases where remote code execution is not possible, insecure deserialization can lead to
privilege escalation, arbitrary file access, and denial-of-service attacks
Generally speaking, deserialization of user input should be avoided unless absolutely necessary.
The high severity of exploits that it potentially enables, and the difficulty in protecting against
them, outweigh the benefits in many cases.
If you do need to deserialize data from untrusted sources, incorporate robust measures to make
sure that the data has not been tampered with. For example, you could implement a digital
signature to check the integrity of the data. However, remember that any checks must take place
before beginning the deserialization process. Otherwise, they are of little use.
If possible, you should avoid using generic deserialization features altogether. Serialized data
from these methods contains all attributes of the original object, including private fields that
potentially contain sensitive information. Instead, you could create your own class-specific
serialization methods so that you can at least control which fields are exposed.
Finally, remember that the vulnerability is the deserialization of user input, not the presence of
gadget chains that subsequently handle the data. Don't rely on trying to eliminate gadget chains
that you identify during testing. It is impractical to try and plug them all due to the web of cross-
library dependencies that almost certainly exist on your website. At any given time, publicly
documented memory corruption exploits are also a factor, meaning that your application may be
vulnerable regardless.
CONCLUSION
Cybersecurity is important because it protects all categories of data from theft and
damage. This includes sensitive data, personally identifiable information (PII), protected health
information (PHI), personal information, intellectual property, data, and governmental and
industry information systems. The future of cybersecurity will in one sense be like the present:
hard to define and potentially unbounded as digital technologies interact with human beings
across virtually all aspects of politics, society, the economy, and beyond.
REFERENCES
1. https://www.bugbountyhunter.com/
2. https://owasp.org/www-project-top-ten/
3. https://portswigger.net/