What is a web application?
1) a web application is a software application that is
> hosted on a web server
> accessed using a web browser or HTTP/HTTPS user agent
2) developed in different ways, and with different programming languages (ASP.NET, PHP, JAVA)
3) multi-tiered application
- 3 or more tiers, each with different functions
> presentation (user interface)
> business logic (processing)
> database (database access)
4) uses HTTP protocols
- inclusive of HTTPS (http with encryption)
Web application attacks
- web applications are an essential element of organizations today
- the web browser makes a request using HTTP to a web server, which may be connected to an application server
What is HTTP?
Hypertext transfer protocol (HTTP)
- set of rules governing the communication process between web client and web server
- browser sends HTTP request to web server
eg : request to view webpage, download images etc - web server returns HTTP response to browser
eg : HTML page, images etc - stateless protocol
> request-response oriented protocol
> client and server does not remember state of each other
GET method (HTTP request)
- data sent using name/value pair appended to URL
- query length is limited
- data CAN BE SEEN in address bar (at the end)
POST method (HTTP request)
- data sent as part of the HTTP request entity body
- can be used to send large amount of data because data sent as input stream
- data HIDDEN from users
What are cookies?
- websites use cookies to store user-specific information on user’s computer
eg : travel itinerary (travel websites), “remember me” login, shopping cart
- typically used to identify repeat visitors
- only the website that created a cookie can read it
- attackers can steal cookies (cookie-jacking/session-hacking) to track user online activities/impersonate logins
how do they steal the cookies?
> MITM attacks during transmission
> cross site scripting (XSS) to steal cookie from client
> spyware can read plaintext cookie on device
Types of cookies
1) first-party cookie
- created by the website that the user is currently visiting
2) third-party cookie
- created by a website that the user is not currently visiting
- created by script from other websites embedded in the page by the owner of the current website
- track user preferences, from for eg social media likes
3) session cookie
- used to identify unique visitors and logged-in users
- stored in RAM and deleted when browser is closed
4) persistent cookie
- recorded on computer’s hard drive
- not deleted when browser closes
- may have expiry date
5) secure cookie
- encrypted; used ONLY when browser visits over secure connection
Risk of cookies
1) pose security and privacy risks
- may be stolen and used to impersonate users
- used to tailor advertising (privacy risk)
- can be exploited by attackers
2) to remove cookie risks, disable cookies and delete ALL existing cookies on a client (web browser)
3) if cookies are disabled, some websites may not function properly or will have less features
- “remember me” won’t work
- certain preferences or settings may not be remembered
- unable to maintain login
Session management
- HTTP is stateless
- most web applications use client-side identification (session ID) and server side storage to maintain state
session ID :
> piece of data is used in network communications (often over HTTP) to identify a session
> sent back and forth between web server and client
where can the session ID be stored in?
- embedded in the URL (GET)
- stored within the fields of a form and submitted to the application (typically hidden, and submitted with HTTP form POST method)
- in a cookie
Session ID in URL
- can be used even if client web browser has high security settings and disabled use of cookies
disadvantages :
- any person using same computer can retrieve URL through browser history
- URL information logged by intermediary systems (other computers in the Internet)
- attack just by modifying URL and session ID
- if client surf new site, URL containing session ID can be sent to new site via HTTP REFERER field
HTTP REFERER : an optional HTTP header field that identifies the address of the web page (i.e., the URI or IRI), from which the resource has been requested
Session ID in hidden post fields
- not as obvious as URL based information, need additional tool to manipulate the values
- attacks can be carried out using commonly available tools
- can also be used even if client web browser has high security settings, and disabled use of cookies
Session ID in cookies
- session IDs can be stored in a cookie and sent back and forth between server and client
- session ID cookies can be stolen
Secure session management (security measures)
1) session ID
- should be random and unpredictable
- long enough so that brute force guessing is not feasible
2) secure transmission
- use encryption (HTTPS) when sending session information
3) length of session validity
- client cancellation
- session time-out
-service-side revocation
4) session verification
- ensure correct session ID length, no unexpected information
5) re-authenticate all significant system actions and re-issue new tokens
