Module in ITWS Week 2

The document provides an overview of web application vulnerabilities and attacks. It defines threats, vulnerabilities, and attacks, with vulnerabilities being weaknesses that can be exploited by attacks. It discusses how web application vulnerabilities can arise from issues like lack of input validation. Common types of attacks on web applications are discussed, including when users provide information, human attacks like abuse of storage or sock puppets, and automated attacks like worms and viruses. The anatomy of an attack is also summarized, outlining the stages of survey and assess, exploit and penetrate, escalate privileges, maintain access, and deny service.

Module in ITWS-04 (Web Systems Vulnerabilities)

UNIT I. INTRODUCTION TO WEB VULNERABILITIES

Learning Objectives
At the end of the unit, the student will be able to:
1. Define and have an understanding of the terms threat, vulnerability, attack and web application
vulnerability.
2. Identify the different kinds of attacks on web applications.
3. Define the good habits of a security-conscious developer.

THREATS, VULNERABILITIES AND ATTACKS

A threat is any potential event that could harm an asset, malicious or otherwise. In other words, any bad
thing that can happen to your assets is a threat.

A vulnerability is a weakness that allows an attack. It may result from poor design, configuration
errors, or improper and insecure coding techniques. Weak input validation is an example of a weakness in the
application layer that can lead to input attacks.

An attack is an action that exploits a vulnerability or carries out a threat. Examples of attacks include sending
malicious input to an application, or flooding a network in an attempt to deny service.

To sum up, a threat is a possible future occurrence that can adversely affect an asset, while a vulnerability in your
system is the weakness that a successful attack exploits.

WHAT IS A WEB APPLICATION VULNERABILITY?

A web application vulnerability is a weakness or misconfiguration in a website or web application code
that enables an attacker to gain some level of control of the site, and possibly the hosting server. Most
vulnerabilities are exploited through automated means, such as vulnerability scanners and botnets.

Web application vulnerabilities involve a system flaw or weakness in a web-based application. They have
been around for years, largely due to form inputs not being validated or sanitized, misconfigured web servers, and
application design flaws, and they can be exploited to compromise the application’s security. These vulnerabilities
are not the same as other common types of vulnerabilities, such as network or asset vulnerabilities. They arise because web
applications need to interact with multiple users across multiple networks, and that level of accessibility is easily
taken advantage of by hackers.

ANATOMY OF AN ATTACK

• Survey and Assess
• Exploit and Penetrate
• Escalate Privileges
• Maintain Access
• Deny Service

Survey and Assess

Surveying and assessing the future target are performed in parallel. The first step normally taken by an
intruder is to survey the possible target in order to identify and assess its characteristics.
These characteristics can include its supported services and protocols, possible vulnerabilities, and
entry points. The attacker uses the information gathered in the survey and assess phase to plan an initial attack.

Exploit and Penetrate

Having assessed the potential target, the next move is to exploit and penetrate. If the network and host are
completely protected, then the next platform for attack will be your application.
The easiest way for an attacker to get into an application is through the same entrance that legitimate users use, for
example, through the logon page of the application or a page that does not require authentication.

Escalate Privileges

After attackers have managed to enter an application or network, whether by injecting code into the application or by
creating an authenticated session with the operating system, they will immediately try to escalate privileges. In
particular, they are looking for the administrative rights offered by accounts that are members of the
Administrators group. They are also searching for the high degree of rights that the local network account provides.

A primary protection against privilege escalation attacks is the use of least privileged service accounts in
the application.

Maintain Access

When an intruder has obtained access to a network, he or she takes steps to make future access easier and to cover his
or her tracks.
Popular approaches to securing future access include planting backdoor programs or using an existing account that
lacks strong security. Covering tracks usually includes clearing logs and hiding tools.

Log files should be secured and periodically examined. Analysis of the log file will also show the early
signs of an attempted break-in before the harm is done.

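The log analysis recommended above, as an added example that is not part of the original module: a small checker run over a constructed access log in the common "combined" format. It flags a client that guesses many non-existent paths (the survey and assess phase) or repeatedly fails at the logon page (the exploit and penetrate phase). The IP addresses, paths, thresholds and the `/login` path are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Constructed sample access log in the common "combined" format (not from the module).
# 198.51.100.23 guesses several paths (survey/assess) and then hammers the logon page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:09:00:02 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "probe/1.0"
198.51.100.23 - - [10/Mar/2024:09:00:02 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "probe/1.0"
198.51.100.23 - - [10/Mar/2024:09:00:03 +0000] "GET /old/ HTTP/1.1" 404 210 "-" "probe/1.0"
198.51.100.23 - - [10/Mar/2024:09:00:03 +0000] "GET /test/ HTTP/1.1" 404 210 "-" "probe/1.0"
198.51.100.23 - - [10/Mar/2024:09:00:04 +0000] "GET /config/ HTTP/1.1" 404 210 "-" "probe/1.0"
198.51.100.23 - - [10/Mar/2024:09:00:05 +0000] "POST /login HTTP/1.1" 401 95 "-" "probe/1.0"
198.51.100.23 - - [10/Mar/2024:09:00:05 +0000] "POST /login HTTP/1.1" 401 95 "-" "probe/1.0"
198.51.100.23 - - [10/Mar/2024:09:00:06 +0000] "POST /login HTTP/1.1" 401 95 "-" "probe/1.0"
198.51.100.23 - - [10/Mar/2024:09:00:06 +0000] "POST /login HTTP/1.1" 401 95 "-" "probe/1.0"
203.0.113.7 - - [10/Mar/2024:09:00:08 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_break_in_signs(log_text, probe_threshold=4, login_fail_threshold=3):
    """Flag clients whose traffic matches the survey/assess and exploit phases.

    probe_threshold:      distinct paths that returned 404 to one client (path guessing)
    login_fail_threshold: failed (401) POSTs to the logon page from one client
    Returns {ip: {"probing": n_distinct_404_paths, "login_failures": n}} for flagged clients.
    """
    not_found = defaultdict(set)
    login_failures = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skipped here, but a real tool should count these too
        if rec["status"] == "404":
            not_found[rec["ip"]].add(rec["path"])
        if rec["method"] == "POST" and rec["path"] == "/login" and rec["status"] == "401":
            login_failures[rec["ip"]] += 1
    findings = {}
    for ip in set(not_found) | set(login_failures):
        probing, fails = len(not_found[ip]), login_failures[ip]
        if probing >= probe_threshold or fails >= login_fail_threshold:
            findings[ip] = {"probing": probing, "login_failures": fails}
    return findings

if __name__ == "__main__":
    for ip, signs in find_break_in_signs(SAMPLE_LOG).items():
        print(ip, signs)  # prints the probing client and its counts
```

The thresholds are deliberately low for the sample; on a real site they should be tuned against normal traffic so that a single mistyped URL or forgotten password is not flagged.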
Deny Service

Attackers who are unable to gain access may instead launch a denial-of-service attack to discourage anyone else from
using the system. For other attackers, denial of service to the application is the goal from the beginning.

WHAT KINDS OF ATTACKS ARE WEB APPLICATIONS VULNERABLE TO?

There are three possible scenarios where web applications are vulnerable to attacks: (a) when users
provide information, (b) when information is provided to users and (c) in other cases.

When Users Provide Information

One of the most common types of web applications allows users to enter information. Later, this
information may be stored and retrieved. Right now, however, we are concerned simply with the data, imagined
to be harmless, that people type in.

Human Attacks

Humans are capable of using any technology either in a helpful or harmful way. While you are generally not
legally responsible for the actions of people who use your online applications, being a good netizen requires you to
take some level of responsibility for them. Moreover, in practical terms, dealing with malicious users can consume
a significant amount of resources, and their actions can do real damage to the reputation of the site that you have
worked so hard to create.

Most of the following behaviors could be considered annoyances rather than attacks, because they do
not involve an actual breach of the security of the application. However, these disruptions are still violations of
site policy and the social contract, and to the extent that the programmer can discourage them, the programmer
should.

• Abuse of Storage: With the popularity of weblogging and message board systems, a lot of sites allow
their users to keep a journal or post photos. Sites like these may attract abusers who want to store not
journal entries or photos but rather illegal or inflammatory content, without fear that it can be traced back
to their own servers. Or abusers may simply want free storage space for large quantities of
data that they would otherwise have to pay for.

• Sock Puppets: Any site that solicits user opinions or feedback is vulnerable to the excellently named
Sock Puppet Attack, where one physical user registers under either a misleading alias or even a number
of different aliases in order to sway opinion or stuff a ballot. Posters of fake reviews on Amazon.com
are engaging in sock puppetry; so are quarrelsome participants on message boards who create multiple
accounts and use them to create the illusion of wide-ranging support for a particular opinion. A single
puppeteer can orchestrate multiple conversations via different accounts. While this sort of attack is
more effective when automated, even a single puppeteer can degrade the signal-to-noise ratio on an
otherwise interesting comment thread.

• Defamation: Related to sock puppetry is the attacker’s use of your application to post damaging things
about other people and organizations. Posting by an anonymous user is usually no problem; the
poster’s anonymity degrades the probability of its being believed, and anyway it can be removed upon
discovery. But an actionable posting under your own name, even if it is removed as soon as it is noticed,
may mean that you will have to prove in court that you were not the author of the message. This
situation has progressed far enough so that many lists are now posting legal disclaimers and warnings
for potential abusers right up front on their lists.

• Griefers, trolls and pranksters: While possibly not quite as serious as the malicious liars described
previously, the class of users commonly known as griefers, trolls or pranksters is more annoying by
a factor of 10, and can quickly take the fun out of participating in a virtual community. Griefers are
users who enjoy attacking others. The bullies you find as a new user in any online role-playing game
are griefers, who, hiding behind the anonymity of a screen name, can be savagely malicious. Trolls, on
the other hand, enjoy being attacked as much as attacking. They make outrageous assertions and post
wild ideas just to get your attention, even if it’s negative. Pranksters might insert HTML or JavaScript
instructions into what should have been plaintext, in order to distort page appearance; or they might
pretend to be someone else; or they might figure out some other way to distract from what had been
intended to be serious business. These users destroy a community by forcing attention away from ideas
and onto the personalities of the posters.
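Two of the unit's points meet in one place: weak input validation as an application-layer weakness (Threats, Vulnerabilities and Attacks), and pranksters inserting HTML or JavaScript into what should have been plain text (above). The following added example, not code from the module, shows a hypothetical comment handler for a discussion board that validates the shape of what users type on the way in and HTML-escapes it on the way out, so pasted markup is displayed as text rather than interpreted by the browser. The field names, limits and the allow-list pattern are assumptions.

```python
import html
import re

# Hypothetical comment handling for a discussion board (added example, not the module's code).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")  # allow-list: letters, digits, underscore only
MAX_BODY_LEN = 2000

class InvalidInput(ValueError):
    """Raised when user-supplied data does not have the shape the application expects."""

def validate_comment(username, body):
    """Input validation: accept only what the application is designed to handle."""
    if not USERNAME_RE.fullmatch(username):
        raise InvalidInput("username must be 3-20 letters, digits or underscores")
    if not body.strip() or len(body) > MAX_BODY_LEN:
        raise InvalidInput("body must be 1-%d characters" % MAX_BODY_LEN)
    if any(ord(c) < 32 and c not in "\n\t" for c in body):
        raise InvalidInput("control characters are not allowed")
    return username, body.strip()

def is_acceptable(username, body):
    """Yes/no form of validate_comment."""
    try:
        validate_comment(username, body)
        return True
    except InvalidInput:
        return False

def render_comment(username, body):
    """Output encoding: what the user typed is displayed as text, never as markup or script."""
    safe_user = html.escape(username, quote=True)
    safe_body = html.escape(body, quote=True).replace("\n", "<br>")
    return '<div class="comment"><b>%s</b>: %s</div>' % (safe_user, safe_body)

def handle_post(username, body):
    """Validate on the way in, escape on the way out; returns the HTML fragment to embed."""
    user, text = validate_comment(username, body)
    return render_comment(user, text)

if __name__ == "__main__":
    # Constructed prankster input: markup and script typed into a plain-text field.
    print(handle_post("troll_42", "hello <b>LOOK AT ME</b><script>alert(1)</script>"))
    print(is_acceptable("<b>admin</b>", "hello"))  # False: the username fails the allow-list
```

Validation rejects what the application never meant to accept; escaping protects the page even when a value slips through, so the two are used together rather than as alternatives.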

Automated Attacks

Attacks in this class exploit the power of computers to amplify human effort. These scripted attacks, or
robots, slow down services, fill up error logs, saturate bandwidth, and attract other malicious users by advertising
that the site has been compromised. They are particularly dangerous because of their efficiency.

• Worms and viruses: Probably the most prominent form of automated attack, and certainly the most
notorious, is the worm, or virus, a small program that installs itself onto your computer without your
knowledge, possibly by attachment to an email message, or by inclusion into a downloaded application.
There is a small technical difference between the two; a worm is capable of existing by itself, whereas a
virus must piggyback onto an executable or document file. The primary purpose of a worm or a virus is
to duplicate itself by spreading to other machines. A secondary purpose is to wreak havoc on its host
machine, deleting or modifying files, opening up backdoors (which outsiders might use to, for example,
forward spam via your machine), or popping up messages of various sorts. A worm or virus can spread
itself throughout the Internet within minutes if it uses a widespread vulnerability.

• Spam: Spam is the sending of unsolicited (and often unwelcome) messages in huge quantities. It is an
automated attack of a different sort, because it gives the appearance of being normal, albeit excessive,
usage. It doesn’t take long for users to be trained to recognize spam (or at least most spam); it takes
servers (which carry out the hard work of transfer) quite a bit longer. But spam causes both to suffer
from an unwelcome burden of service.

• Automated user input: Other kinds of attacks automate the provision of input (supposedly from users)
in various settings.

  o An organization running Internet portal services might decide to attract users by
  offering free services like email accounts or offsite storage. Such services are extremely attractive both
  to legitimate users and to abusers, who could, for example, use free email accounts to generate spam.

  o Political or public interest organizations might create a web application where users are
  allowed to express their preferences for candidates and issues for an upcoming election.
  The organization intends to let users’ expressed preferences guide public opinion about
  which candidates are doing better than others, and which issues are of more interest to the
  public. Such online polls are a natural target for a malicious organization or individual, who
  might create an automated attack to cast tens or hundreds of thousands of votes for or
  against a particular candidate or issue. Such ballot stuffing would create an inaccurate
  picture of the public’s true opinions.

  o An organization might create a website to promote interest in a new and expensive product,
  an automobile, a piece of electronic equipment, or almost anything. It might decide to create
  interest in the new product by setting up a sweepstakes, where one of the new products will
  be given away to a person chosen at random from among all those who register. Someone
  might create a robotic or automated attack that could register 10,000 times, thus increasing
  the chances of winning from, say, one in 100,000 (0.001%) to 10,000 in 110,000 (9.99%).

  o It is not at all unusual for certain kinds of web applications to provide the capability for
  users to leave comments or messages on a discussion board or in a guestbook. Stuffing
  content in these kinds of situations might seem innocuous, since that input seems not to be
  tied to actual or potential value. But in fact, messages containing little or nothing besides
  links to a website have become a serious problem recently, for they can hugely inflate that
  website’s search engine rankings, which have all-too-obvious value. Even without this
  financial angle, automated bulk responses are an abuse of a system that exists otherwise for
  the common good.

  o A similar potential vulnerability exists on any website where registration is required, even
  when no free services are offered. It may seem that there is little point in an attack that
  registers 10,000 fictitious names for membership in an organization, but one can’t
  generalize that such abuse is harmless. It might, for example, prevent others from legitimate
  registration, or it might inflate the perceived power of the organization by misrepresenting
  its number of members. A competitor could attempt to influence an organization by
  providing bogus demographic data on a large scale, or by flooding the sales team with bogus
  requests for contact.

When Information is Provided to Users

It might seem that the creators of any web application whose business is to provide information to users
would be happy when such information is actually provided. But given the uses to which such information can
sometimes be put, giving out information is not always a pleasure, especially when it winds up being given to
automated processes.

• Harvesting email addresses: It’s commonplace for websites to include an email address. Businesses may
choose to offer users the possibility of contact by email rather than a form, thinking (probably correctly)
that email is more flexible than a form. Individuals and organizations of various kinds will provide email
addresses precisely because they want users to be able to communicate directly with key personnel. Such
websites are open targets for automated harvesting of email addresses. Compiled lists of such addresses
are marketed to spammers and other bulk emailers, and email messages generated from such stolen lists
constitute a significant portion of Internet traffic.

• Flooding an email address: Often a website displays only a specially crafted email address designed for
nothing but receiving user emails, typically something like info@mycompany.com or
contact@something.org. In this case, harvesting is less likely than simple flooding of a single email address.
A quick examination of server email logs shows just how high a percentage of email messages to such
addresses consists of spammers’ offers of cheap mortgages, sexual paraphernalia, Nigerian bank accounts,
and so forth.

• Screen scraping: Enterprise websites are often used to make proprietary or special information available
to all employees of the enterprise, who may be widely scattered geographically or otherwise unable to
receive the information individually. Automated attacks might engage in what is known as screen scraping,
simply pulling all information off the screen and then analyzing what has been captured for items of
interest to the attacker: business plans and product information, for instance. Alternatively, attackers might
be interested in using screen scraping not so much for the obvious content of a website page as for the
information obliquely contained in URIs and filenames. Such information can be analyzed for insight into
the structure and organization of an enterprise’s web applications, preparatory to launching a more
intensive attack in the future.

• Improper archiving: Search robots are not often thought of as automated abusers, but when enterprise
websites contain time-limited information, pricing, special offers, or subscription content, their archiving of
that content can’t be considered proper. They could be making outdated information available as if it were
current, or presenting special prices to a wider audience than was intended, or providing information free
that others have had to pay for.

In Other Cases

Malicious attacks on web applications sometimes aren’t even interested in receiving or sending data.
Rather, they may attempt to disrupt the normal operation of a site at the network level.

• Denial of Service: Even a simple request to display an image in a browser could, if it were repeated enough
times in succession, create so much traffic on a website that legitimate activity would be slowed to a crawl.
Repeated, parallel requests for a large image could cause your server to exceed its transfer budget. In an
extreme case, where such requests hog CPU cycles and bandwidth completely, legitimate activity could
even be halted completely, a condition known as Denial of Service (DoS).

• DNS attacks: The Domain Name System (DNS), which resolves domain names into the numerical IP
addresses used in TCP/IP networking, can sometimes be spoofed into providing erroneous information. If
an attacker is able to exploit a vulnerability in the DNS servers for your domain, she may be able to
substitute for your IP address her own, thus routing any requests for your application to her server.

Activity 1

Instructions: In a document file (can be MS Word, PDF, or Notepad TXT file) answer the question below:

1. Are you familiar with any cyber-attack in history that has shocked the entire cyberworld? Kindly pick
one and write an article about it. In that article, explain what vulnerabilities the hacker exploited for
the attack to succeed.

If you don’t know how to write an article, here’s a link you can read:
https://www.indeed.com/career-advice/career-development/how-to-write-articles
