
Information Security (CE5006)

Unit-6
Web Application
Security
Prof. Dipak Dabhi

dipak.dabhi@utu.ac.in

Unit-6 Weightage : 10% (6 Marks)


Outline
1. Web application security - Common issues in web apps
2. Basic web security model
3. Password vulnerabilities
4. Local and remote file inclusion
5. HTTPS
6. CAPTCHA
7. User authentication and session management for web apps

Unit-5 Network Security CGPIT 2


Common issues in web apps
Web Application Security and its importance.
• Web application security is the process of protecting websites and online services against different security
threats that exploit vulnerabilities in an application's code.

• It is a branch of cyber security that deals with the protection of websites, web based applications and online
services against a number of malicious threats that can disrupt the functionality of a website or a web-based
application.

• Importance

The 3 reasons why web application security is so important include:

1) preventing the loss of sensitive data,

2) understanding that security is about more than just testing,

3) security is required to maintain business reputation and minimize losses (the cost of a hacked business can
be more than just financial).
Working of web application security
Types of web application attacks:
1. SQL Injection:

• This kind of attack is made by using a malicious SQL code that allows an attacker to retrieve
information by manipulating the backend database.

• It further allows the attacker to have a direct look at lists, table deletion or alteration and have
unauthorized administrative access.

• These attacks occur predominantly due to unsanitized data used by the application in its queries.
Types of web application attacks:
2. Cross-site Scripting (XSS):

• Another injection attack that is common, with moderate technical impact, XSS is used to access
accounts, modify or deface sites or certain content as per the attacker’s intent, execute scripts to
hijack user sessions, or redirect users to unauthorized or malicious sites that can cause further
damage.

• XSS is typically injected in two ways – stored XSS and reflected XSS.

• When malicious code is directly injected into an application, the method is termed as stored XSS.
Reflected XSS takes place when an attacker intentionally makes a malicious code bounce off an
application to enter a user’s browser.

• These attacks are usually injected through comments and forms or other data input sources.
Types of web application attacks:
3. Cross-site Request Forgery (CSRF):

• Unwanted transfer of funds, request to change password or data theft all fall into this bucket.

• This kind of attack is caused by a malicious web page that forces the victim's browser to perform an
unmonitored or restricted action on a site that the user is logged into at that moment.
Most Common Website Security Vulnerabilities
1. SQL INJECTIONS

• SQL injection is a type of web application security vulnerability in which an attacker attempts to use application code to
access or corrupt database content.

• If successful, this allows the attacker to create, read, update, alter, or delete data stored in the back-end database.

• SQL injection is one of the most prevalent types of web application security vulnerabilities.
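The two SQL injection slides above describe the attack but not the code pattern that causes it. The following Python example is added here and is not from the original slides: it seeds an in-memory SQLite table with constructed accounts and runs the same login query twice, once built by string concatenation (the vulnerable pattern) and once with bound parameters (the fix). The account names and passwords are constructed sample data.

```python
import sqlite3

# Constructed sample accounts for the demonstration (not from the slides).
# Passwords are stored in clear text here only to keep the query shape visible;
# real systems store password hashes.
SAMPLE_USERS = [("alice", "s3cret-alice"), ("bob", "s3cret-bob")]


def make_db():
    """Create an in-memory SQLite database seeded with the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Deliberately vulnerable: user input is pasted into the SQL text, so the
    input can change the *structure* of the query, not just its values."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Hardened: placeholders keep the SQL text fixed; the driver sends the
    values separately, so they are never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run both variants against the textbook tautology input and a normal login."""
    conn = make_db()
    tautology = "' OR '1'='1"  # the classic input that rewrites the WHERE clause
    return {
        "vulnerable": login_vulnerable(conn, "alice", tautology),  # every row matches
        "safe": login_safe(conn, "alice", tautology),              # no row matches
        "legit": login_safe(conn, "alice", "s3cret-alice"),        # normal login works
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable query ends up as `... AND password = '' OR '1'='1'`, which is true for every row, so the function "authenticates" all users at once; the parameterized version compares the literal string and matches nothing. The same `?` placeholder rule applies to every statement that takes user input, not only logins.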

2. CROSS SITE SCRIPTING (XSS)

• Cross-site scripting (XSS) targets an application's users by injecting code, usually a client-side script such as JavaScript,
into a web application's output.

• The concept of XSS is to manipulate client-side scripts of a web application to execute in the manner desired by the
attacker.

• XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface websites or redirect
the user to malicious sites.
3. BROKEN AUTHENTICATION & SESSION MANAGEMENT

• Broken authentication and session management encompass several security issues, all of them
having to do with maintaining the identity of a user.

• If authentication credentials and session identifiers are not protected at all times, an attacker
can hijack an active session and assume the identity of a user.

4. INSECURE DIRECT OBJECT REFERENCES

• Insecure direct object reference is when a web application exposes a reference to an internal
implementation object.

• Internal implementation objects include files, database records, directories and database
keys.

• When an application exposes a reference to one of these objects in a URL, hackers can
manipulate it to gain access to a user's personal data.
5. SECURITY MISCONFIGURATION

• Security misconfiguration encompasses several types of vulnerabilities all centered on a lack
of maintenance or a lack of attention to the web application configuration.

• A secure configuration must be defined and deployed for the application, frameworks, application
server, web server, database server and platform.

• Security misconfiguration gives hackers access to private data or features and can result in a complete
system compromise.

6. CROSS-SITE REQUEST FORGERY (CSRF)

• Cross-Site Request Forgery (CSRF) is a malicious attack where a user is tricked into performing an action
he or she didn't intend to do.

• A third-party website will send a request to a web application that a user is already authenticated against
(e.g. their bank).

• The attacker can then access functionality via the victim's already authenticated browser.
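The CSRF slides explain that a third-party site can make the victim's browser send an authenticated request; the standard defence is a per-session token that the third-party site cannot read. The Python example below is added for this unit and is not from the original slides. It issues an HMAC-bound synchronizer token, checks it on a state-changing handler, and shows a forged request and a token from another session being refused. The request dictionaries, session IDs and the `SECRET_KEY` are constructed stand-ins for a real framework's objects.

```python
import hashlib
import hmac
import secrets

# Assumed per-application key generated at start-up (constructed for the demo).
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Bind the token to the session, so a token captured from one session
    cannot be replayed in another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):   # missing or malformed token
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(request, session_id):
    """State-changing handler (e.g. a funds transfer). `request` is a constructed
    dict with 'method' and 'form' keys standing in for a framework request."""
    if request.get("method") != "POST":
        return 405                      # state changes never ride on GET
    form = request.get("form", {})
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403                      # forged cross-site form: no valid token
    return 200


def demo():
    """Legitimate form, a forged cross-site form, and a token replayed in another session."""
    sid = "session-of-victim"
    token = issue_csrf_token(sid)
    legit = {"method": "POST", "form": {"csrf_token": token, "amount": "100"}}
    forged = {"method": "POST", "form": {"amount": "100"}}      # attacker site can't read the token
    replayed = {"method": "POST", "form": {"csrf_token": token, "amount": "100"}}
    return {
        "legit": handle_transfer(legit, sid),
        "forged": handle_transfer(forged, sid),
        "other_session": handle_transfer(replayed, "another-session"),
        "get_request": handle_transfer({"method": "GET"}, sid),
    }


if __name__ == "__main__":
    print(demo())
```

The token works because the same-origin policy stops the third-party page from reading it out of the victim's page, while the browser still attaches the session cookie automatically. Marking the session cookie `SameSite=Lax` or `Strict` is a complementary browser-side control, not a replacement for the token.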
user authentication and session management
User authentication

• User authentication is a method that keeps unauthorized users from accessing sensitive information.

• For example, User A only has access to relevant information and cannot see the sensitive information of
User B.

• Cybercriminals can gain access to a system and steal information when user authentication is not secure.
The data breaches companies like Adobe, Equifax, and Yahoo faced are examples of what happens when
organizations fail to secure their user authentication.

• Hackers gained access to Yahoo user accounts to steal contacts, calendars and private emails between
2012 and 2016.
• Figure: authentication and session management process.
user authentication and session management
Session Management

• Session management refers to the process of securely handling multiple requests to a web-based application or
service from a single user or entity.

• Websites and browsers use HTTP to communicate, and a session is a series of HTTP requests and transactions
initiated by the same user.

• Typically, a session is started when a user authenticates their identity using a password or another authentication
protocol.

• Session management involves the sharing of secrets with authenticated users, and as such, secure
cryptographic network communications are essential to maintaining session management security.
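The session management slide says the server shares a secret with the authenticated user; in practice that secret is an opaque session ID, and its security depends on how it is generated, stored, expired and transported. The Python example below is added for this unit and is not from the original slides. It implements a minimal server-side session store with a CSPRNG-generated ID, an idle timeout, ID rotation after login (against session fixation) and the cookie attributes that keep the ID off clear-text HTTP. The timeout value and the injectable clock are assumptions made for the demo.

```python
import secrets
import time

SESSION_TTL = 15 * 60   # idle timeout in seconds (assumed policy value)


class SessionStore:
    """Server-side session store: the browser only ever holds an opaque random ID."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock             # injectable for testing

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
        self._sessions[sid] = {"user": user_id, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Return the user for a live session, or None if unknown or idle too long."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s["last_seen"] > SESSION_TTL:
            del self._sessions[sid]     # expired: treat as logged out
            return None
        s["last_seen"] = self._clock()
        return s["user"]

    def rotate(self, old_sid):
        """Issue a fresh ID after login or privilege change, so an ID planted in
        the browser before login (session fixation) cannot be reused."""
        user = self.lookup(old_sid)
        if user is None:
            return None
        del self._sessions[old_sid]
        return self.create(user)

    def destroy(self, sid):
        """Logout: invalidate server-side, not just by clearing the cookie."""
        self._sessions.pop(sid, None)


def cookie_header(sid):
    """Cookie attributes: no script access, HTTPS only, not sent cross-site."""
    return f"Set-Cookie: sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def demo():
    """Walk a session through login, rotation and idle expiry with a fake clock."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    sid = store.create("alice")
    first = store.lookup(sid)
    new_sid = store.rotate(sid)
    old_after_rotate = store.lookup(sid)
    now[0] += SESSION_TTL + 1
    expired = store.lookup(new_sid)
    return {"first": first, "rotated": new_sid != sid, "old_after_rotate": old_after_rotate,
            "expired": expired, "id_len": len(sid)}


if __name__ == "__main__":
    print(demo())
    print(cookie_header("<id>"))
```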
Password vulnerabilities
• Weak passwords and password reuse are still some of the most serious concerns for security.

• There are several ways to increase password security but they are often not adopted by users and
administrators.

• Here’s how you can make sure that sensitive data in your web application is not compromised due
to insecure user passwords.

Password Rule of Thumb

• Remember these three tips next time you are prompted to change your password:

• The best way to keep data safe and secure is changing your password every six months to one year.

• When creating a new password, never slack! Create a strong, unique password for every login or device
you own.

• Include a combination of letters, numbers, and symbols when creating your password.
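The password slides address users; on the application side the matching controls are to store passwords only as salted, slow hashes and to enforce the composition rule the last bullet gives. The Python example below is added for this unit and is not from the original slides. It hashes with PBKDF2-HMAC-SHA256 from the standard library, verifies in constant time, and reports which of the slide's rules a candidate password fails. The iteration count and the 12-character minimum are assumptions; the slides give no length.

```python
import hashlib
import hmac
import os
import string

ITERATIONS = 600_000    # PBKDF2 work factor (assumed; raise it as hardware gets faster)


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt or os.urandom(16)          # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def check_password_rules(password, min_len=12):
    """Return the rules a password fails (empty list = passes): a minimum length
    (assumed) plus the slide's letters, numbers and symbols rule."""
    failures = []
    if len(password) < min_len:
        failures.append("length")
    if not any(c.isalpha() for c in password):
        failures.append("letters")
    if not any(c.isdigit() for c in password):
        failures.append("numbers")
    if not any(c in string.punctuation for c in password):
        failures.append("symbols")
    return failures


if __name__ == "__main__":
    record = hash_password("Tr0ub4dor&3xample!")     # constructed sample password
    print(record)
    print(verify_password(record, "Tr0ub4dor&3xample!"), verify_password(record, "wrong"))
    print(check_password_rules("password"))
```

Because the salt is random, hashing the same password twice yields two different records, which is what defeats precomputed (rainbow) tables; the slow KDF is what limits offline guessing after a database leak. Composition rules help, but checking new passwords against known-breached lists does more against the reuse problem the first bullet names.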
local and remote file inclusion
Local file Inclusion

• An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on
the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site
Scripting (XSS). Typically, LFI occurs when an application uses the path to a file as input. If the application
treats this input as trusted, a local file may be used in the include statement.
local and remote file inclusion
Remote File inclusion
• Remote File Inclusion is another variant of the File Inclusion vulnerability, which arises when the file's URI
is located on a different server and is passed as a parameter to one of the PHP “include”, “include_once”,
“require”, or “require_once” functions.

• Remote File Inclusion vulnerabilities are easier to exploit but are less common, say in 1 of 10 web
applications. Here, instead of accessing a file on the local server, the attacker could simply inject his/her
PHP scripts hosted on his/her remote web application into the unsanitized web application's URL, which thus
might lead to disastrous results such as:

• Allowing the attacker to execute remote commands on the web server (remote code execution, RCE).

• Providing complete access to the server.

• Defacing parts of the website, or even stealing confidential information.

• Client-side attacks such as Cross-Site Scripting (XSS).


Why Remote File Inclusion Occurs
• As with Local File Inclusion, this remote file inclusion vulnerability occurs due to poorly written PHP
server-side code where the input parameters are not properly sanitized or validated.
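The LFI and RFI slides both trace the problem to an include statement whose file name comes straight from a request parameter (the PHP `include($_GET['page'])` pattern). The Python example below is added for this unit and is not from the original slides; it shows the validation a resolver should do before a user-supplied page name is turned into a file path: reject anything with a URL scheme (the RFI case), reject path components (the LFI case), accept only an allowlisted name, and confirm the resolved path still lies under the template directory. The template directory and the page allowlist are assumptions made for the demo.

```python
import os
from urllib.parse import urlsplit

TEMPLATE_DIR = "/var/www/app/templates"           # assumed base directory
ALLOWED_PAGES = {"home", "about", "contact"}      # assumed allowlist of includable pages


class IncludeError(ValueError):
    """Raised for any page parameter that must not reach an include statement."""


def resolve_include(page_param):
    """Map a user-supplied 'page' parameter to a file inside TEMPLATE_DIR, or raise."""
    if not isinstance(page_param, str) or not page_param:
        raise IncludeError("missing page")
    # Remote File Inclusion: anything with a scheme (http://, ftp://, php://, data:)
    # is a remote or wrapper resource, never a template name.
    if urlsplit(page_param).scheme:
        raise IncludeError("remote includes are not allowed")
    # Local File Inclusion: the parameter must be a bare name, not a path; the
    # basename check catches separators, '.' and '..' are handled explicitly.
    if page_param != os.path.basename(page_param) or page_param in (".", ".."):
        raise IncludeError("path components are not allowed")
    # Allowlist: the application knows which pages exist; unknown names are refused.
    if page_param not in ALLOWED_PAGES:
        raise IncludeError("unknown page")
    base = os.path.realpath(TEMPLATE_DIR)
    path = os.path.realpath(os.path.join(base, page_param + ".php"))
    # Belt and braces: even after the checks above, the resolved path must stay
    # under the template directory (guards against a symlink or a future bug).
    if os.path.commonpath([path, base]) != base:
        raise IncludeError("escaped template directory")
    return path


def include_outcome(page_param):
    """Helper that reports ('ok', path) or ('rejected', reason) for a parameter."""
    try:
        return ("ok", resolve_include(page_param))
    except IncludeError as e:
        return ("rejected", str(e))


if __name__ == "__main__":
    # Constructed sample parameters: one valid, the rest of the shapes the checks exist for.
    for p in ["about", "../../etc/passwd", "http://evil.example/shell.txt", "..", "admin"]:
        print(p, "->", include_outcome(p))
```

The allowlist is the control that actually closes the vulnerability; the scheme and path checks mostly exist to produce a clear rejection reason (and a useful log line) for the request patterns the slides describe. On the PHP side, the equivalent platform control is `allow_url_include=Off`, which blocks remote includes server-wide.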
CAPTCHA
• CAPTCHA stands for the Completely Automated Public Turing test to tell Computers and Humans
Apart.

• CAPTCHAs are tools you can use to differentiate between real users and automated users, such
as bots.

• CAPTCHAs provide challenges that are difficult for computers to perform but relatively easy
for humans.

• For example, identifying stretched letters or numbers, or clicking in a specific area.


Creating a CAPTCHA
• The first step to creating a CAPTCHA is to look at the different ways humans and machines process
information.

• Machines follow sets of instructions. If something falls outside the realm of those
instructions, the machine isn't able to compensate.

• A CAPTCHA designer has to take this into account when creating a test.

• For example, it's easy to build a program that looks at metadata -- the information
on the Web that's invisible to humans but machines can read.

• If you create a visual CAPTCHA and the image's metadata includes the solution, your CAPTCHA will
be broken in no time.
Working of CAPTCHA
• CAPTCHAs work by providing information to a user for interpretation. Traditional CAPTCHAs provided distorted or overlapping
letters and numbers that a user then has to submit via a form field.

• The distortion of the letters made it difficult for bots to interpret the text and prevented access until the characters were
verified.

• This CAPTCHA type relies on a human’s ability to generalize and recognize novel patterns based on variable past experience.

• In contrast, bots can often only follow set patterns or input randomized characters.

• This limitation makes it unlikely that bots will correctly guess the right combination.

• Since CAPTCHA was introduced, bots that use machine learning have been developed.

• These bots are better able to identify traditional CAPTCHAs with algorithms trained in pattern recognition.

• Due to this development, newer CAPTCHA methods are based on more complex tests. For example, reCAPTCHA
requires clicking in a specific area and waiting until a timer runs out.
Types of CAPTCHA
1) Text-based CAPTCHAs

• Text-based CAPTCHAs are the original way in which humans were verified.
• These CAPTCHAs can use known words or phrases, or random combinations of digits and letters.
• Some text-based CAPTCHAs also include variations in capitalization.
• The CAPTCHA presents these characters in a way that is alienated and requires interpretation.
• Alienation can involve scaling, rotating, or distorting characters.
• It can also involve overlapping characters with graphic elements such as color, background noise, lines, arcs, or dots.
Types of CAPTCHA
2) Image-based CAPTCHAs

• Image-based CAPTCHAs were developed to replace text-based ones.

• These CAPTCHAs use recognizable graphical elements, such as photos of animals, shapes, or scenes.

• Typically, image-based CAPTCHAs require users to select images matching a theme or to identify images
that don’t fit.
Types of CAPTCHA
3) Audio CAPTCHA

• Audio CAPTCHAs were developed as an alternative that grants accessibility to visually impaired users.

• These CAPTCHAs are often used in combination with text or image-based CAPTCHAs. Audio CAPTCHAs
present an audio recording of a series of letters or numbers which a user then enters.
Types of CAPTCHA
4) Math or Word Problems
• Some CAPTCHA mechanisms ask users to solve a simple mathematical problem such as “3+4” or
“18-3”.

• The assumption is that a bot will find it difficult to identify the question and devise a response.

• Another variant is a word problem, asking the user to type the missing word in a sentence,
or complete a sequence of several related terms.

• These types of problems are accessible to visually impaired users, but at the same time they may
be easier for bad bots to solve.
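The "Creating a CAPTCHA" slide warns that a CAPTCHA whose solution is shipped to the client (for instance in image metadata) is broken immediately, and the math-problem slide describes the simplest challenge type. The Python example below is added for this unit and is not from the original slides. It issues a "3 + 4 = ?" style challenge where the client receives only the question and an opaque HMAC token, so the answer never leaves the server, and verifies submissions with an expiry and one-time use. The server key, the time-to-live and the `seed`/`now` parameters (there to make the demo reproducible) are assumptions.

```python
import hashlib
import hmac
import random
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumed per-server secret, generated at start-up
CHALLENGE_TTL = 120                   # seconds a challenge stays valid (assumed policy)
_used_nonces = set()                  # one-time use: a solved token cannot be replayed


def _mac(nonce, issued, answer):
    """MAC over (nonce, issue time, answer): lets the server check an answer
    without storing or transmitting it."""
    msg = f"{nonce}|{issued}|{answer}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_challenge(seed=None, now=None):
    """Build a math challenge. Only the question text and an opaque token go to
    the client; contrast this with a solution left in image metadata."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    a, b = rng.randint(1, 20), rng.randint(1, 20)
    op = rng.choice("+-")
    answer = a + b if op == "+" else a - b
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    return {"question": f"{a} {op} {b} = ?",
            "token": f"{nonce}|{issued}|{_mac(nonce, issued, answer)}"}


def verify_answer(token, user_answer, now=None):
    """Accept a submission only if it is correct, unexpired and not reused."""
    try:
        nonce, issued, mac = token.split("|")
        issued = int(issued)
        answer = int(str(user_answer).strip())
    except (AttributeError, ValueError):      # malformed token or non-numeric answer
        return False
    current = now if now is not None else time.time()
    if current - issued > CHALLENGE_TTL or nonce in _used_nonces:
        return False
    if not hmac.compare_digest(mac, _mac(nonce, issued, answer)):
        return False
    _used_nonces.add(nonce)                   # burn the token on first success
    return True


if __name__ == "__main__":
    c = make_challenge()
    print(c["question"], "token:", c["token"])
```

The MAC design keeps the server stateless apart from the used-nonce set (in production that set lives in a shared cache with the same TTL). It does not change the weakness the slide names: a math question has a small answer space, so the verifier must also rate-limit attempts per token and per client, otherwise a bot simply tries every plausible value.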
HTTPS
• HTTPS (Hypertext Transfer Protocol Secure) is a secure version of the HTTP protocol that uses
the SSL/TLS protocol for encryption and authentication.

• HTTPS encrypts nearly all information sent between a client and a web service.

• The HTTPS protocol makes it possible for website users to transmit sensitive data such as credit
card numbers, banking information, and login credentials securely over the internet.

• For this reason, HTTPS is especially important for securing online activities such as shopping,
banking, and remote work. However, HTTPS is quickly becoming the standard protocol for all
websites, whether or not they exchange sensitive data with users.

How is HTTPS different from HTTP?

• HTTPS adds encryption, authentication, and integrity to the HTTP protocol


• The figure illustrates the difference between communication over http and
https:
HTTPS
• As you can see in the above figure, http transfers data between the browser and the web server in
the hypertext format, whereas https transfers data in the encrypted format.

• Thus, https prevents hackers from reading and modifying the data during the transfer between
the browser and the web server.

• Even if hackers manage to intercept the communication, they will not be able to use it
because the message is encrypted.

• HTTPS establishes an encrypted link between the browser and the web server using the Secure
Socket Layer (SSL) or Transport Layer Security (TLS) protocols. TLS is the newer version of SSL.
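The HTTPS slides list encryption, authentication and integrity as what TLS adds to HTTP; on the client side those properties only hold if the TLS library is told to verify the server certificate and hostname and to refuse obsolete protocol versions. The Python example below is added for this unit and is not from the original slides. It builds a client `ssl` context with those settings, classifies URLs by scheme and default port as in the http-vs-https table, rewrites an http URL to https, and includes a network probe (not exercised offline) that reports the negotiated TLS version. Hostnames used in the demo are placeholders.

```python
import socket
import ssl
from urllib.parse import urlsplit, urlunsplit


def build_client_context():
    """Client context that actually delivers HTTPS's authentication property:
    certificate verification plus hostname check, and no SSL 2/3 or TLS 1.0/1.1."""
    ctx = ssl.create_default_context()            # loads the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # obsolete versions refused
    ctx.check_hostname = True                     # certificate must name the host we dial
    ctx.verify_mode = ssl.CERT_REQUIRED           # unverifiable certificate = no connection
    return ctx


def describe_context(ctx):
    """Plain-value summary of the settings a reviewer would check."""
    return {"check_hostname": ctx.check_hostname,
            "verify_mode": ctx.verify_mode.name,
            "minimum_version": ctx.minimum_version.name}


def classify_url(url):
    """Scheme, effective port and whether the transport is encrypted (the table's rows)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return {"scheme": scheme, "port": port, "encrypted": scheme == "https"}


def upgrade_to_https(url):
    """Rewrite an http:// URL to https://, keeping any explicit non-default port."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    host = parts.hostname or ""
    netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def probe_tls(host, port=443, timeout=5.0):
    """Connect over TLS and report the negotiated version and the certificate
    subject. Needs network access, so it is not part of the offline checks."""
    ctx = build_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"version": tls.version(),
                    "subject": dict(x[0] for x in cert.get("subject", ()))}


if __name__ == "__main__":
    print(describe_context(build_client_context()))
    print(classify_url("http://example.com/login"), classify_url("https://example.com/login"))
    print(upgrade_to_https("http://example.com/login?x=1"))
```

Turning `check_hostname` off or setting `verify_mode = CERT_NONE` keeps the encryption but discards the authentication: the client would then happily complete a handshake with whoever intercepts the connection, which is exactly the situation the slide says HTTPS prevents.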
http vs https

  http                                              https
  ------------------------------------------------  ------------------------------------------------
  Transfers data in hypertext (structured text)     Transfers data in encrypted format
  format
  Uses port 80 by default                           Uses port 443 by default
  Not secure                                        Secured using SSL technology
  Starts with http://                               Starts with https://


Advantage of https
• Secure Communication: https makes a secure connection by establishing an encrypted link between the
browser and the server or any two systems.

• Data Integrity: https provides data integrity by encrypting the data and so, even if hackers manage to
trap the data, they cannot read or modify it.

• Privacy and Security: https protects the privacy and security of website users by preventing hackers from
passively listening to communication between the browser and the server.

• Faster Performance: https increases the speed of data transfer compared to http by encrypting and
reducing the size of the data.

• SEO: Use of https increases SEO ranking. In Google Chrome, Google shows the Not Secure label in the
browser if users' data is collected over http.

• Future: https represents the future of the web by making internet safe for users and website owners.
Reference Questions !!
1. Draw and explain CIA triad.
2. Define Authentication, Integrity and Availability.
3. Explain any two characteristics of Information Security.
4. Explain accuracy as characteristics of Information Security.
5. Enlist phases of security development life cycle of a reference model in information assurance &
security.
6. Explain security countermeasures to be taken by an organization as per the reference model of
information assurance & security.
7. Explain top-down approach to implement security in an organization.
8. Explain bottom-up approach to implement security in an organization.
9. Explain information security as business need to an organization.
10. Explain Security Threats.
11. Explain malicious codes.
12. Explain following attacks: 1. Spoofing 2. Spamming
13. Explain following attacks: 1. Buffer overflow 2. Timing Attack.
14. Discuss flooding based DDOS attack.
Thank You

End of Unit-6
