
Web applications are vulnerable to attacks from the moment they go online.


Web attacks exploit vulnerabilities in web servers and programming flaws in web applications.

End users and the organisations that provide web services need to protect their systems from being compromised.
Let's look at the general trends of attacks and their potential impacts.
Victims of web attacks are often tricked into accessing a malicious website.
Organisations that do not safeguard their systems against these attacks run the risk of considerable financial loss or damage to their reputation.
The Italian Job web attack:
Visitors of compromised sites were redirected to another website, where malicious JavaScript installed a key logger and a Trojan downloader on their PCs to test whether they could be compromised further.
The MySpace phish / drive-by attack:
Several hundred MySpace profiles were discovered injected with links to phishing sites.
Cross Site Scripting Attack (XSS)
SQL Injection (SQLI)
Cross Site Request Forgery (CSRF)
Web Parameter Tampering
Cookie Poisoning

Cross Site Scripting Attack (XSS)
A type of injection in which malicious scripts are injected into otherwise trusted web sites.
XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
The end user's browser has no way to know that the script should not be trusted, and executes it with the privileges of the site that served it.
The malicious script can then access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.
Countermeasures for XSS
1. Filtering for XSS
Passing all external data through a filter which removes dangerous keywords such as the infamous <SCRIPT> tag, JavaScript event handlers, etc.
Depending on the backend technology used by the server, various libraries can be used for filtering, such as xssprotect or the Jersey XSS filter.
Caveat: a keyword blacklist is only a first line of defence. Attackers bypass it with nested tags, alternate encodings and event-handler attributes that contain no <script> tag at all, so filtering must be combined with escaping of all output.
Countermeasures for XSS
2. Escaping for XSS
Escaping converts characters that have meaning in HTML (<, >, &, quotes) into their entity equivalents, so the browser renders untrusted data as text instead of parsing it as markup.
If an attacker manages to put a script on your page, the victim will not be affected because the browser will not execute the script if it is properly escaped.
Escaping plain HTML is easy, but data placed inside attributes, JavaScript, CSS or URLs needs context-specific escaping, so to ensure optimum security against XSS an escaping library should be used.
Escaping Libraries
ESAPI by OWASP: Java, .NET, PHP, ColdFusion, Python
AntiXSS: best suited for Microsoft-based technologies
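The two countermeasures side by side, as an added example that is not part of the slides: a single-pass blacklist filter of the kind described under "Filtering", and entity escaping of the kind the listed libraries perform. The payloads are constructed for this example; the filter and the markup check are deliberately simple illustrations, not any library's code.

```python
import html
import re

# Constructed attacker payloads for this example (not taken from the slides).
PAYLOADS = [
    '<script>alert(document.cookie)</script>',
    '<scr<script>ipt>alert(1)</script>',     # nested tag: one strip pass re-forms <script>
    '<img src=x onerror="alert(1)">',        # no <script> tag at all
    '<a href="javascript:alert(1)">click</a>',
]

# Anything that still looks like a tag start is what a browser would parse as markup.
TAG_START = re.compile(r'<\s*/?\s*[a-zA-Z]')


def naive_filter(value: str) -> str:
    """Blacklist filter of the kind the slides describe: strips <script> tags,
    case-insensitively, in a single pass. Deliberately weak, to show the bypasses."""
    return re.sub(r'</?script[^>]*>', '', value, flags=re.IGNORECASE)


def escape_for_html(value: str) -> str:
    """Output escaping: <, >, &, ' and " become entities, so whatever the input
    contains is rendered as text rather than parsed as markup."""
    return html.escape(value, quote=True)


def contains_markup(rendered: str) -> bool:
    """True if the output still holds something a browser would treat as a tag."""
    return TAG_START.search(rendered) is not None


def bypasses(defence) -> list:
    """Payloads that still carry live markup after `defence` is applied to them."""
    return [p for p in PAYLOADS if contains_markup(defence(p))]


def render_comment(user_input: str) -> str:
    """What a server should emit when placing untrusted text in HTML element content."""
    return '<div class="comment">' + escape_for_html(user_input) + '</div>'
```

Running `bypasses(naive_filter)` returns the last three payloads: the nested tag re-forms `<script>` after one strip, and the `onerror` and `javascript:` payloads never contained the blacklisted keyword. `bypasses(escape_for_html)` is empty, because no `<` survives escaping and so no tag can form.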
SQL Injection (SQLI)
One of the most common application-layer attack techniques used today.
Attackers take advantage of improper coding of web applications: user input is concatenated directly into SQL statements.
SQL commands are injected through input fields such as a login form to read, modify or delete the data stored in the database.
Three main forms of SQL injection:
Redirection and reshaping of a query
Error-message based
Blind injection
Blind injection, where the application returns no error text or data and the attacker infers results from differences in page behaviour or response time, is one of the most important forms of SQLI.
Example:
A login form concatenates the supplied name into its query. Entering ' OR '1'='1 as the name produces:
SELECT * FROM users WHERE name = '' OR '1'='1';
The above SQL query will cause the selection of all user information stored in the users table, because '1'='1' is true for every row.
Countermeasures for SQL Injection (SQLI)
Analysing the present state of security by performing a thorough audit of the website
Using best coding practices for web applications: parameterised queries (prepared statements) so that user input is passed as data and never as part of the SQL text
Regularly performing a web security audit after each change and addition to web components
Limiting the permissions of the database login used by the web application, so that an injected query cannot read or alter more than the application itself needs
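The login example above and the parameterised-query countermeasure together, as an added example that is not part of the slides. It uses an in-memory SQLite database with constructed rows; the function names and the sample users are assumptions for this illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Builds the statement by string concatenation: the user-supplied values
    become part of the SQL text, which is exactly the defect the slides describe."""
    sql = ("SELECT name, role FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Parameterised query: the driver passes the values separately from the SQL
    text, so a quote in the input is data, not syntax."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


# Injection inputs, as on the slide. The first reshapes the WHERE clause so it is
# true for every row; the second comments out the password check entirely.
ALWAYS_TRUE = "' OR '1'='1"
COMMENT_OUT = "alice'--"
```

With `ALWAYS_TRUE` supplied as both name and password, `login_vulnerable` returns every row (the clause becomes `name = '' OR '1'='1' AND password = '' OR '1'='1'`), and `COMMENT_OUT` logs in as alice with any password. `login_safe` returns nothing for both, because it looks for a user whose name literally is `' OR '1'='1`.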


Cross Site Request Forgery (CSRF)
Malicious exploitation of a website in which the victim's browser is made to transmit requests that the target website trusts because they come from an authenticated user.
The attacker tricks the victim into visiting a website or clicking a URL link that contains malicious or unauthorized requests to the target site.
A CSRF attack uses the identity and privileges of the victim to impersonate them and perform any action the attacker desires.
Cross Site Request Forgery (CSRF)
The browser automatically attaches the user's session cookie and basic authentication credentials to the forged request, and the request originates from the user's own IP address. If the user's authentication session is still valid, an attacker can use CSRF to launch any desired request against the website.
Countermeasures for CSRF
Use of a secret token: a value the server generates per session and embeds in its own forms; the server only accepts a state-changing request if the token in the form matches the one it issued for that session. A secret stored only in a cookie does not help, because the browser attaches cookies to forged requests as well.
Accepting POST requests only for state-changing actions; this raises the bar (no image tag or plain link can trigger them) but does not stop an auto-submitting form, so it is no substitute for the token.
URL rewriting
Users must log out from web applications when finished, so that no valid session remains to be abused.
Using the browser safely, i.e. not saving login credentials in the web browser.
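The secret-token countermeasure as an added example that is not part of the slides. It simulates one state-changing endpoint; the session table, the request dictionaries and the per-deployment secret are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumptions for this example: a per-deployment secret kept only on the server,
# and a constructed session table mapping session cookies to logged-in users.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"sess-42": "alice"}


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session, which the server embeds in its own forms as a
    hidden field. A page on another origin cannot read it (same-origin policy),
    so it cannot be copied into a forged request."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def make_request(method: str, session_id: str, form: dict) -> dict:
    """Builds a request as the browser would: the session cookie is attached
    automatically, whichever site produced the form."""
    return {"method": method, "cookies": {"session": session_id}, "form": dict(form)}


def handle_transfer(request: dict) -> str:
    """Simulated state-changing endpoint. The cookie proves only who the victim
    is, since it arrives on a forged cross-site request too; the token is what
    proves the form came from this site."""
    if request["method"] != "POST":
        return "405 method not allowed"
    session_id = request["cookies"].get("session")
    if session_id not in SESSIONS:
        return "401 not logged in"
    supplied = request["form"].get("csrf_token", "")
    # Constant-time comparison, so the check leaks nothing about the expected token.
    if not hmac.compare_digest(supplied, issue_csrf_token(session_id)):
        return "403 csrf check failed"
    return (f"200 {SESSIONS[session_id]} transferred "
            f"{request['form']['amount']} to {request['form']['to']}")
```

A form rendered by the site itself carries `issue_csrf_token("sess-42")` and is accepted; an attacker's auto-submitting form arrives with the same session cookie but without the token (or with a token minted for some other session) and is refused with 403.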
Web Parameter Tampering
Parameters in the URL, in hidden form fields, or in form data entered by a user are changed on the client side before the request is sent, without the application's authorization.
Typical targets are prices, quantities, user or record identifiers, and redirect targets: changing them makes the server charge a lower price, return another user's data, or point the browser to a page or site other than the one the user intended to visit.
Countermeasures for Web Parameter Tampering
Server-side validation of every parameter in terms of:
1. Minimum and maximum allowable length
2. Allowable numeric range
3. Allowable character sequences and patterns
Values that the client should never decide, such as prices, must be looked up on the server rather than read from the request.
A web application firewall can provide some protection against parameter tampering, provided it is configured for the site in use.
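The three validation checks applied to an order form, as an added example that is not part of the slides. The parameter names, rules and the server-side catalogue are assumptions constructed for the illustration; the price is looked up on the server, so a tampered price field is simply an unexpected parameter.

```python
import re

# Constructed server-side catalogue for this example; prices (in cents) are looked
# up here and never taken from the request.
CATALOGUE = {"SKU-1001": 4999, "SKU-2002": 1250}

# Per-parameter rules: (min length, max length, allowed pattern, numeric range or None)
RULES = {
    "sku":    (8, 8,  re.compile(r"SKU-\d{4}"), None),
    "qty":    (1, 3,  re.compile(r"\d+"),       (1, 100)),
    "coupon": (0, 12, re.compile(r"[A-Z0-9]*"), None),
}


def validate_params(params: dict) -> tuple:
    """Apply the three checks from the slide to every expected parameter and
    reject any parameter the page does not expect. Returns (clean, errors)."""
    clean, errors = {}, []
    for name, (lo, hi, pattern, num_range) in RULES.items():
        value = params.get(name, "")
        if not lo <= len(value) <= hi:                       # 1. length
            errors.append(f"{name}: length {len(value)} outside {lo}..{hi}")
            continue
        if not pattern.fullmatch(value):                     # 3. character pattern
            errors.append(f"{name}: does not match allowed pattern")
            continue
        if num_range is not None:                            # 2. numeric range
            number = int(value)
            if not num_range[0] <= number <= num_range[1]:
                errors.append(f"{name}: {number} outside {num_range[0]}..{num_range[1]}")
                continue
            value = number
        clean[name] = value
    unexpected = sorted(set(params) - set(RULES))
    if unexpected:
        errors.append(f"unexpected parameters: {unexpected}")
    return clean, errors


def price_order(params: dict) -> tuple:
    """Compute an order total from validated input only. Returns (total, errors),
    with total None whenever any check fails."""
    clean, errors = validate_params(params)
    if errors:
        return None, errors
    if clean["sku"] not in CATALOGUE:
        return None, ["sku: unknown item"]
    return CATALOGUE[clean["sku"]] * clean["qty"], []
```

A negative quantity fails the pattern check, a quantity of 999 fails the range check, a path-like SKU fails the length check, and an added `price` field is reported as unexpected rather than silently honoured.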
Cookie Poisoning
Modification of a cookie by an attacker to gain unauthorized access to information about the user, or to impersonate the user (identity theft).
Using this information, the attacker can open new accounts in the victim's name and gain access to their existing accounts.

Cookie Poisoning
Cookies hold bits of information that allow the web sites you visit to authenticate your identity, speed up your transactions, monitor your behaviour, and personalise their presentation for you.
The attacker examines a cookie to determine its purpose and edits it (for example a user ID or role field) so that the web site that sent the cookie hands over another user's information or privileges.
Countermeasures for Cookie Poisoning
Encrypting sensitive information in the cookies, so the attacker cannot read or meaningfully edit it. Note that encryption alone hides the content but does not detect modification; an integrity check is still needed.
A digital signature or keyed hash (MAC) over the cookie content is created by the server and sent along with the cookie; it is used to validate the content in all future communications between the client and the server.
If the content is tampered with, the signature no longer matches the content and the server refuses the request.
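The integrity check described above, as an added example that is not part of the slides. It uses HMAC-SHA256, a keyed hash, in place of the slide's "digital signature", since the server is the only party that needs to verify its own cookies; the key, the payload fields and the function names are assumptions for this illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: the signing key lives only on the server; here it is generated at start-up.
COOKIE_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload: dict) -> str:
    """Serialise the payload and append an HMAC-SHA256 tag over the encoded body.
    The body stays readable, which is why the tag, not secrecy, is doing the work."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(COOKIE_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(tag)


def verify_cookie(cookie: str):
    """Return the payload if the tag matches the body, else None (request refused)."""
    try:
        body, tag = cookie.split(".", 1)
        expected = hmac.new(COOKIE_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag), expected):
            return None
        return json.loads(_unb64(body))
    except ValueError:   # malformed base64 or JSON (binascii.Error is a ValueError)
        return None


def poison(cookie: str, changes: dict) -> str:
    """What the attacker on the slide does: decode the readable body, edit it and
    send it back with the original tag still attached."""
    body, tag = cookie.split(".", 1)
    data = json.loads(_unb64(body))
    data.update(changes)
    return _b64(json.dumps(data, sort_keys=True).encode()) + "." + tag
```

An attacker can still read the body (it is only base64), so anything secret inside it needs encryption as well; but changing `role` from `user` to `admin` without the key makes `verify_cookie` return None, and the server treats the request as unauthenticated.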
