Proceedings of the International Conference on Inventive Research in Computing Applications (ICIRCA 2018)

IEEE Xplore Compliant Part Number:CFP18N67-ART; ISBN:978-1-5386-2456-2

Web Application Vulnerabilities – The Hacker's Treasure

Nirmal K, NIT Trichy, India, 405913007@nitt.edu
B. Janet, Assistant Professor, NIT Trichy, India, janet@nitt.edu
R. Kumar, Sr. Consultant, Wipro Technologies, India, rajagopal.kumar4@gmail.com

Abstract – In today's online era, a web application is an integral part of every business. A web application may be a single-page HTML website or a large web portal that offers various services through a web browser. Many tools and methodologies are relied upon to develop web applications; development methodologies incorporate specialized frameworks and libraries so that the application is more standardized and can be developed rapidly to meet market demands. Web applications (web apps) are hardened to mitigate security issues, commonly referred to as web application vulnerabilities. A web app security vulnerability is any kind of loophole that allows an attacker to break into the web application and perform undesired actions on the target website. These range from cross-site scripting (XSS) to vulnerabilities such as Server-Side Request Forgery (SSRF) and related issues such as XML External Entity (XXE) injection. Though web applications are hardened to mitigate vulnerabilities, large-scale web applications are in most cases still vulnerable after release. As part of this security research, critical vulnerabilities in large-scale web applications were identified and reported to the concerned security response teams. The reports were acknowledged and the issues mitigated through appropriate channels. Common Vulnerabilities and Exposures (CVE) entries were filed for Microsoft and Cisco products and logged in the National Vulnerability Database (NVD). Insights and tenets regarding web applications and their vulnerabilities are highlighted in this manuscript.

Index Terms – Online Security, Web application vulnerability, Phishing, Pharming

I. INTRODUCTION

Web applications are the gateways for most business in today's cyber era. They are developed using various technologies and programming languages. State-of-the-art software technologies incorporate a security framework within the software development framework, enabling developers to build security aspects into the web application. Considering the vast area of online security, it is practically impossible for an out-of-the-box software development framework to address the entire security needs of the web application being developed. A web application vulnerability may also be a flaw in the implementation of business logic, which secure frameworks often do not address. An important phase of the software development life cycle addresses a major part of the security aspect of a web application: the web application vulnerability assessment / penetration testing phase. Two major methods are used in this phase: manual web application vulnerability assessment and automated vulnerability assessment. Tools aid this phase in identifying common vulnerabilities that have sailed through development. In spite of secure web application development frameworks and vulnerability assessment phases for identifying web vulnerabilities, open security research and responsible disclosure programs have shown that web applications are susceptible to vulnerabilities that cannot be fully vetted merely by using secure frameworks. Once a web application is on the internet, it attracts the interest of cyber security researchers who constantly analyze it with a security eye. Their keen interest in secure web applications results in the identification of security vulnerabilities in production environments, which are then reported through appropriate channels for mitigation.

That is the positive side. On the negative side, there are hackers who constantly crave web application vulnerabilities to exploit and attack the target web application for personal, financial and political gain. Once a hacker identifies a loophole in a target web application, he tends to exploit it in a way that avoids attribution, leaving no traces in server logs.

Hackers constantly hunt for web app vulnerabilities, and on discovering one they do not report it as required. Most large-scale web application companies and businesses lay down clear rules and policies on how a vulnerability found in their web portal should be handled and reported. Failing to adhere to responsible vulnerability disclosure policies often violates the Terms and Conditions governing the usage of the web application portal.

978-1-5386-2456-2/18/$31.00 ©2018 IEEE 58



Triggering automated security vulnerability scans with tools against a live portal violates the vulnerability hunting policy of the majority of web applications. Web app administrators and owners should take extreme precautions before opening up their portal for public vulnerability hunting or bug bounty programs; hackers tend to take advantage of such programs to evade the criminal consequences of their illegal actions on web portals. Web applications are written in both weakly typed and strongly typed languages [2].

II. VULNERABILITY ASSESSMENT VS EXPLOITATION

For security research on a web application, researchers are encouraged to conduct web application vulnerability assessment within the frame of the security vulnerability disclosure guidelines laid out. Exploitation of a loophole as part of security research is often illegal and may result in negative consequences. Vulnerability assessment refers to the procedure followed to identify a security weakness on a target web portal. Exploitation is leveraging the security weakness to accomplish actions that are not permitted by the web application usage policy.

A. Example – SQL Injection in terms of assessment vs exploitation:

Vulnerability assessment of a parameter "name" might include the following probes:

    &name = X
    &name = X' AND 1=1--
    &name = X' AND 0=1--
    &name = <blank>

The above Boolean-type blind SQL injection statements assist in identifying SQL injection: if the responses to the "1=1" and "0=1" probes differ, the parameter reaches the query unescaped. Submitting them and comparing the responses can be termed vulnerability assessment of the name parameter on the target portal. Vulnerability exploitation of the same parameter might include the following. In this case there is a clear indication of an attempt to steal information from the database by exploiting SQL injection (the payload first closes the quoted string, then appends a UNION that reads the schema metadata):

    &name = Daniel' union all SELECT NULL,NULL,COLUMN_NAME,NULL,NULL FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'staff_password'--

III. WEB VULNERABILITY EXPLOITATION – THE HACKER'S TARGET

Hackers assess a target portal for web vulnerabilities under the banner of vulnerability assessment, or through anonymous methods where their identity is hidden or kept clean. Once a vulnerability is identified, they often aim for an untraceable way of exploiting it. Leveraging the security loophole, they exploit the weakness of the web application, in most scenarios for financial gain. Common web application vulnerabilities and their exploitation aspects are discussed below. Session sniffing, session prediction, session fixation, HTTP response splitting, etc. are some of the prominent session-based vulnerabilities [6]. Leaky or guessable session identifiers have been a major factor in session-related web vulnerabilities [8].

Vulnerability exploitation may result in undesired consequences for the web portal's users. Hackers use the exploited vulnerability in various ways, including direct and indirect exploitation. Examples of common web application vulnerabilities include SQL injection, XSS and CSRF.

A. Cross Site Scripting (XSS):

An XSS vulnerability may be exploited directly or indirectly. By exploiting XSS, hackers steal sensitive information, not limited to cookie data. In general, there are three kinds of XSS:

i. Reflected Cross Site Scripting
ii. Stored / Persistent Cross Site Scripting
iii. DOM Based Cross Site Scripting

A fourth, less common category is Universal XSS (UXSS), where the client browser or a browser extension is itself vulnerable to script injection.

Statistics and security research show that XSS is still very prevalent in today's web applications, though they are hardened to mitigate the vulnerability. An instance of XSS was reported on Cisco ACNS [1]. Hackers target web applications that are vulnerable to XSS and inject scripts into the vulnerable web application. When a victim lands on the web page, the injected script executes in the victim's context. As a result of the attack, the victim can be exposed to session cookie theft, key logging, etc.

B. Cross Site Request Forgery (CSRF):

The Cross Site Request Forgery (CSRF) vulnerability is exploited by hackers to perform undesired actions within a user's authenticated session. A CSRF attack can be carried out once a user is authenticated to a legitimate target web portal. In today's online era, most websites and web portals use authentication mechanisms to protect users' data. Exploiting CSRF, an attacker is able to craft and trigger an HTTP request on behalf of the victim.
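The request described in the paragraph above can be modelled in a few lines. The following Python is an added example written for this page (it is not the paper's code and does not describe any product the paper names). The endpoint (change_email), the cookie name "sid", the session id "s1", the user "alice" and both origins are hypothetical. The victim's browser attaches the target site's session cookie to whatever the attacker's page submits, so a handler that authorizes on the cookie alone accepts the forged request; the hardened handler also demands a per-session synchronizer token the attacker cannot read, and refuses cross-origin POSTs when the browser sends an Origin header.

```python
"""Added example: CSRF against a cookie-only handler vs. a token-checked handler.
All names (change_email, cookie "sid", session "s1", the origins) are hypothetical."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed server-side state: one logged-in user with session id "s1".
SESSIONS: Dict[str, str] = {"s1": "alice"}          # session id -> user
EMAILS: Dict[str, str] = {"alice": "alice@example.com"}
CSRF_TOKENS: Dict[str, str] = {}                     # session id -> token


@dataclass
class Request:
    """Minimal model of an HTTP POST as the server sees it."""
    cookies: Dict[str, str]
    form: Dict[str, str]
    origin: Optional[str] = None  # Origin header; None if the client omits it


def issue_csrf_token(sid: str) -> str:
    """Called when the legitimate page is rendered: bind a random token to the session."""
    token = secrets.token_urlsafe(32)
    CSRF_TOKENS[sid] = token
    return token


def change_email_vulnerable(req: Request) -> int:
    """Vulnerable handler: authorizes purely on the session cookie. Returns a status code."""
    user = SESSIONS.get(req.cookies.get("sid", ""))
    if user is None:
        return 401
    EMAILS[user] = req.form["email"]
    return 200


def change_email_hardened(req: Request, site_origin: str = "https://target.example") -> int:
    """Hardened handler: same cookie check, plus an Origin check and a synchronizer token."""
    sid = req.cookies.get("sid", "")
    user = SESSIONS.get(sid)
    if user is None:
        return 401
    # Reject cross-origin POSTs outright when the browser sends Origin.
    if req.origin is not None and req.origin != site_origin:
        return 403
    # The token lives in the page, not the cookie, so a cross-site form cannot supply it.
    expected = CSRF_TOKENS.get(sid)
    supplied = req.form.get("csrf_token", "")
    if expected is None or not secrets.compare_digest(expected, supplied):
        return 403
    EMAILS[user] = req.form["email"]
    return 200


def forged_request() -> Request:
    """What the victim's browser sends when the attacker's page auto-submits a form:
    the browser attaches the target site's cookie, the attacker controls the body."""
    return Request(
        cookies={"sid": "s1"},                        # attached automatically by the browser
        form={"email": "attacker@evil.example"},      # attacker-chosen body, no token
        origin="https://evil.example",
    )


def run_scenario() -> dict:
    """Replay the forgery against both handlers, then a legitimate tokenized request."""
    results = {}

    EMAILS["alice"] = "alice@example.com"
    results["vulnerable_status"] = change_email_vulnerable(forged_request())
    results["vulnerable_email"] = EMAILS["alice"]

    EMAILS["alice"] = "alice@example.com"
    token = issue_csrf_token("s1")                    # rendered into the legitimate form
    results["hardened_forged_status"] = change_email_hardened(forged_request())
    # Same forgery from a client that omits Origin: still no token, still refused.
    no_origin = Request(cookies={"sid": "s1"},
                        form={"email": "attacker@evil.example"}, origin=None)
    results["hardened_no_origin_status"] = change_email_hardened(no_origin)
    results["hardened_email_after_forgery"] = EMAILS["alice"]

    legit = Request(cookies={"sid": "s1"},
                    form={"email": "alice@new.example", "csrf_token": token},
                    origin="https://target.example")
    results["hardened_legit_status"] = change_email_hardened(legit)
    results["hardened_email_after_legit"] = EMAILS["alice"]
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The Origin check alone is not relied upon, because some clients omit the header; the token comparison therefore runs on every request and uses a constant-time compare so the token cannot be guessed byte by byte.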




Hackers target web applications that are vulnerable to CSRF for various operations, including complete account compromise.

Fig 1. Working of a CSRF attack

To carry out a CSRF attack, an attacker tricks the victim into visiting a malicious web application or website hosted by the attacker. When the victim visits the malicious page, the attacker triggers an HTTP request from the victim's browser to the vulnerable web application; the browser attaches the victim's authenticated session cookies for the legitimate target site, so the request is made on the victim's behalf. The vulnerable web application responds to the request normally, not knowing that it was triggered by the attacker on behalf of the victim.

IV. BUILDING A SECURE WEB APPLICATION

Security research in the area of web application vulnerabilities has paved the way for several state-of-the-art software development frameworks that incorporate security as part of the framework. One such framework is the Spring Security framework, which is powerful and customizable. Research and practical analysis of web application vulnerabilities show that, even though a product is developed using a secure framework, it can still be vulnerable to a wide range of web app vulnerabilities. One reason is that secure frameworks are not always foolproof and their effectiveness depends on the way they are customized and used. Security education and awareness models are booming in today's software industry, where web application developers are trained on security aspects; hands-on lab exercises are used for computer security education [7].

Apart from secure frameworks, training and other methods, it is evident that security is everybody's responsibility during the development process. During the software development life cycle, from design to delivery, every aspect is to be viewed from a security perspective so that the end product is hardened to the maximum level.

V. SECURE CODE REVIEW AND PENETRATION TESTING

Secure code review and penetration testing of web applications are two important security phases in the software development life cycle that help identify and mitigate major web application vulnerabilities. Secure code review is the process of reviewing the raw source code for potential software vulnerabilities. Hybrid program analysis and machine learning techniques are also used to predict web application vulnerabilities [5].

Example of a secure code review instance:

During a secure code review, it is possible to identify vulnerabilities, including instances of potential SQL injection, by evaluating the raw source code. The following server-side pseudocode for a login box is potentially vulnerable to SQL injection:

    userName = getRequestString("UserName");
    userPwd = getRequestString("UserPass");
    sql = "SELECT * FROM Users WHERE username ='" + userName + "' AND Password ='" + userPwd + "'";

On reviewing the snippet, a security code reviewer can infer that the code is vulnerable to SQL injection, because the request parameters are concatenated directly into the query string. An attacker can enter the following malicious string (using the same quote character as the query) into both the username and the password box in order to log in without valid credentials and access the Users table:

    Malicious string: ' or ''='

The resulting SQL query will be:

    SELECT * FROM Users WHERE username ='' or ''='' AND Password ='' or ''=''

Since ''='' is always true, the WHERE clause matches every row. The use of parameterized queries is a proven method to mitigate SQL injection attacks on web applications [9].

Penetration testing, also known as security assessment, is a key phase of the SDLC. During web application penetration testing, the web application is subjected to fuzzing and scanning, where various combinations of malicious payloads are injected into the HTTP request stream and the corresponding responses are analyzed. Vulnerabilities that have escaped the development process can be identified in this phase. Further, organizations such as Microsoft, Google and Facebook have their production environments open for security researchers to conduct security testing within their policy to identify vulnerabilities. Injection of realistic attacks into production web applications has proved to be a successful methodology for hardening the application [3]. Black-box penetration testing is also used to detect vulnerabilities in web services [4] alongside web applications.
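The Boolean probes of Section II and the login bypass from the code review above can be reproduced offline against SQLite. The following Python is an added example written for this page (not the paper's code): the Users and staff_password tables, their rows and the "name" lookup are constructed for the demonstration, and because SQLite has no INFORMATION_SCHEMA the paper's UNION payload is adapted to read a table directly. The concatenating and parameterized variants are run side by side so the difference is visible.

```python
"""Added example: Boolean-blind probing, UNION exploitation and login bypass
against a concatenated SQLite query, and the same inputs against a
parameterized query. Tables, rows and the lookup are constructed for the demo."""
import sqlite3
from typing import Callable, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not real): the Users table behind the login box
    and a staff_password table the attacker wants to read."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Users(username TEXT, Password TEXT);
        INSERT INTO Users VALUES ('Daniel', 's3cret'), ('alice', 'hunter2');
        CREATE TABLE staff_password(staff TEXT, hash TEXT);
        INSERT INTO staff_password VALUES ('bob', 'deadbeef');
    """)
    return con


# --- the pattern flagged in the code review: input concatenated into SQL ---
def lookup_vulnerable(con: sqlite3.Connection, name: str) -> List[Tuple]:
    """Hypothetical '?name=' lookup built by string concatenation."""
    sql = "SELECT username FROM Users WHERE username ='" + name + "'"
    return con.execute(sql).fetchall()


def login_vulnerable(con: sqlite3.Connection, user: str, pwd: str) -> bool:
    """The paper's login query, concatenated exactly as in the review example."""
    sql = ("SELECT * FROM Users WHERE username ='" + user +
           "' AND Password ='" + pwd + "'")
    return con.execute(sql).fetchone() is not None


# --- the mitigation the paper names [9]: parameterized queries --------------
def lookup_safe(con: sqlite3.Connection, name: str) -> List[Tuple]:
    return con.execute(
        "SELECT username FROM Users WHERE username = ?", (name,)).fetchall()


def login_safe(con: sqlite3.Connection, user: str, pwd: str) -> bool:
    return con.execute(
        "SELECT * FROM Users WHERE username = ? AND Password = ?",
        (user, pwd)).fetchone() is not None


def boolean_probe(lookup: Callable, con: sqlite3.Connection, base: str = "Daniel") -> bool:
    """Section II assessment: send the TRUE and FALSE probes and compare the
    responses. Differing results for 'AND 1=1' and 'AND 0=1' (or a raw database
    error on the injected quote) mean the input reaches the query unescaped."""
    try:
        r_true = lookup(con, base + "' AND 1=1--")
        r_false = lookup(con, base + "' AND 0=1--")
    except sqlite3.Error:
        return True
    return r_true != r_false


def exploit_union(con: sqlite3.Connection) -> List[Tuple]:
    """Section II exploitation: a UNION through the same parameter pulls rows
    from another table. The column count must match the original SELECT."""
    payload = "Daniel' UNION ALL SELECT hash FROM staff_password--"
    return lookup_vulnerable(con, payload)


def run_demo() -> dict:
    """Exercise both variants with the same attacker inputs."""
    con = make_db()
    bypass = "' or ''='"   # the code-review payload, in the query's quote character
    return {
        "probe_flags_vulnerable": boolean_probe(lookup_vulnerable, con),
        "probe_flags_safe": boolean_probe(lookup_safe, con),
        "bypass_vulnerable": login_vulnerable(con, bypass, bypass),
        "bypass_safe": login_safe(con, bypass, bypass),
        "union_dump": exploit_union(con),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With the parameterized variants the probe strings are searched for literally as usernames, so both probes return the same empty result and the bypass string matches no row; the differential that the assessment step depends on disappears.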




VI. TENETS OF WEB APP SECURITY

i) Software developed using a secure framework might not be 100% secure. Careful evaluation of the security specifications along the SDLC (software development life cycle) process is required.
ii) The general specification of an SDLC involves phases from requirement gathering to product release. Security should be embedded in each phase of web application development.
iii) Web application developers should be aware of vulnerabilities and their consequences prior to software development.
iv) Web application security should not be viewed as the job of InfoSec professionals alone. Every software developer should be involved.
v) Post release, the application should be iteratively evaluated for vulnerabilities through various channels, including responsible disclosure. Web app vulnerability assessment should not be 'point in time' based.

Figure 2. Security during SDLC of web application

VII. WEB APPLICATION SECURITY ACROSS DOMAINS

Web application vulnerabilities are not restricted or specific to a particular domain or industry; the threat spans every industry. It is a common misconception that web vulnerabilities are a threat only to banking and other financial domains. Web vulnerabilities can be disastrous for all domains, from banking and social media to the smallest domain one can imagine. Likewise, there is no specific category of vulnerability that can be associated with a particular domain. Vulnerabilities span all domains, and statistics on the common vulnerabilities across major domains were released by WhiteHat Security [11].

Figure 3. Likelihood across major industries with regard to common vulnerabilities [11]

Statistics also show that the primary driver for resolving vulnerabilities was to avoid the risk that may arise from exploitation of the vulnerability.

Figure 4. Driver for resolving web vulnerabilities [11]




VIII. CONCLUSION

With the rising need for web applications in every business in today's cyber era, hardening web applications in terms of security is very critical. A vulnerable web application affects not only the business but also the end users, whose information is put at risk. Hackers are always on the lookout for software vulnerabilities in web applications that can be leveraged for personal, financial or political gain. It is the responsibility of every software professional to have an in-depth understanding of web application vulnerabilities and their practical implications. At an organizational level, securing products against attackers who are constantly on the lookout for web application vulnerabilities is a key task. Programs including responsible disclosure and security research initiatives have proved to be a successful strategy for securing a product after release. CVE-2015-0774 and CVE-2016-0031 were filed against Cisco and Microsoft products as part of responsible disclosure. The report behind CVE-2016-0031 was placed in Microsoft's honor roll considering its criticality and end-user impact.
IX. REFERENCES

[1] "Cisco ACNS Cross Site Scripting Vulnerability", CVE-2015-0774, https://nvd.nist.gov/vuln/detail/CVE-2015-0774
[2] J. Fonseca, N. Seixas, M. Vieira and H. Madeira, "Analysis of Field Data on Web Security Vulnerabilities", IEEE Transactions on Dependable and Secure Computing, vol. 11, no. 2, March/April 2014.
[3] J. Fonseca, M. Vieira and H. Madeira, "Evaluation of Web Security Mechanisms Using Vulnerability & Attack Injection", IEEE Transactions on Dependable and Secure Computing, vol. 11, no. 5.
[4] M. I. Palma Salas and E. Martins, "A Black-Box Approach to Detect Vulnerabilities in Web Services Using Penetration Testing", IEEE Latin America Transactions (Revista IEEE America Latina), vol. 13, no. 3, pp. 707–712, 2015.
[5] L. K. Shar, L. C. Briand and H. B. K. Tan, "Web Application Vulnerability Prediction Using Hybrid Program Analysis and Machine Learning", IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 6, pp. 688–707, 2015.
[6] C. A. Visaggio and L. C. Blasio, "Session Management Vulnerabilities in Today's Web", IEEE Security & Privacy, vol. 8, no. 5, pp. 48–56, 2010.
[7] W. Du, "SEED: Hands-On Lab Exercises for Computer Security Education", IEEE Security & Privacy, vol. 9, no. 5, pp. 70–73, 2011.
[8] S. Farrell, "Leaky or Guessable Session Identifiers", IEEE Internet Computing, vol. 15, no. 1, pp. 88–91, 2011.
[9] L. K. Shar and H. B. K. Tan, "Defeating SQL Injection", Computer (IEEE Computer Society), vol. 46, no. 3, pp. 69–77, 2013.
[10] B. Grobauer, T. Walloschek and E. Stocker, "Understanding Cloud Computing Vulnerabilities", IEEE Security & Privacy, vol. 9, no. 2, pp. 50–57, 2011.
[11] "Web Security Statistics Report 2015", WhiteHat Security, https://info.whitehatsec.com/rs/whitehatsecurity/images/2015-Stats-Report.pdf

