A Multidimensional View of Critical Web Application Security Risks: A Novel Attacker-Defender PoV
EXECUTIVE SUMMARY
Web applications have evolved to meet a wide range of business requirements. The increasing complexity of these applications significantly enlarges the attack surface of the infrastructure and thus leaves an organization open to potential security threats. User-interactive functionalities such as login, registration and payment, which sit on top of underlying components such as databases and lightweight directory access protocol (LDAP) repositories, greatly increase the attack surface and become prime areas of focus for attackers. These functionalities act as entry and exit points to the application and the underlying infrastructure.

Successful penetration through the application layer leads to attacks that may cause remote code execution with web server privileges, unauthorized access to information stored on the web server, website content defacement, deletion of files on the web server and denial of service. Any of these outcomes can damage the organization's reputation. The fundamental security problem with web applications is that users can submit arbitrary input, so every item of user input must be treated as untrusted; this requires the implementation of a number of security mechanisms to enable applications to defend themselves against attack. Figure 1 (below) depicts the vulnerability distribution for 2016 across different verticals.
Cognizant 20-20 Insights
Figure 1: Vulnerability distribution for 2016 across industry verticals (bar chart, y-axis 0 to 50%). Bar values shown: 40%, 23%, 11%, 11%, 8%, 4% and 3%. Verticals labelled on the x-axis include BFS (banking and financial services), Insurance, Healthcare, Retail, Hospitality and Travel, Logistics, Manufacturing, Life Sciences and Others. Source: Cognizant (based on 2016 engagement experiences).
This white paper illuminates various defense mechanisms that can be applied to key functionalities of a web application to secure them from attack. Based on our project engagements in the year 2016, the vulnerability distribution across the different functionalities is highlighted in Figure 2 (below).

Figure 2: Number of vulnerabilities found per functionality and year, 2012 to 2016 (bar chart, y-axis 0 to 2,000). Series: Login / Logout, Payment, Search, Registration, File Upload / Download, Privileged User Functionality. Bar values shown range from 22 to 1,740, the two largest being 1,740 and 1,673. Source: Cognizant (based on 2016 engagement experiences).

Our attacker-defender approach considers common functionalities in any web application from an attacker's perspective and then presents the defense techniques to be employed in order to secure the application. The following sections elucidate the attacker and defender approach for different functionalities commonly found in a web application.

LOGIN/LOGOUT

User authentication has become a necessity in almost every web application and is typically managed through the login and logout functionalities. These functionalities are the front line of defense for an application and are seen in every small to complex web application owned by different industry sectors such as banking, healthcare and retail. Authentication services keep unauthorized users away from the other protected features of the application. Authentication functionalities such as login and logout, in our view, are more often subject to design weaknesses than any other security mechanism employed in web applications. Authentication technologies vary from HTML form-based authentication, multifactor mechanisms such as combining passwords and physical tokens, client secure socket layer (SSL) certificates and smartcards, and HTTP basic and digest authentication, to Windows integrated authentication using the NTLM or Kerberos protocols.

Attacker-Defender Approach

To gain a cohesive understanding of application security issues, a slightly modified attack tree can be deployed. The tree represents several possible attacks that are targeted at a specific functionality, along with the corresponding
mitigation techniques to hamper the attack. Figure 3 (below) depicts such an attack tree for login/logout functionality, which includes attack methods and attacks that aim to gain user credentials. The tree also lists the remediation methods that defend against the attacks.

Injection

Attacker: Injection flaws such as SQL injection (including blind SQL injection), NoSQL injection, HQL injection and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker usually sends simple text-based payloads that exploit the syntax of the targeted interpreter. Almost any source of data can be an injection vector, including internal sources.

Defender: The most effective way to prevent injection attacks is to use parameterized queries (prepared statements) for all database access. This two-step method incorporates potentially tainted data into all types of SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application supplies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. Note that placeholders protect only data values: table and column names or an ORDER BY direction cannot be parameterized and must be chosen from a fixed, server-side whitelist. One of the most powerful controls, if done well, is validation of the input that an application receives. It can be as simple as strictly typing a parameter and as complex as using regular expressions or business logic to validate input.

There are two different types of input validation approach: whitelist validation (inclusion or positive validation), which accepts only known-good input and is the preferred approach, and blacklist validation (exclusion or negative validation), which rejects known-bad patterns and is easily bypassed by encodings and variants the list did not anticipate.

Phishing Through Frames

Attacker: Phishing is a scenario that involves an e-mail message asking users to update their personal information via a link to a spoofed website. Frames are a popular method of hiding attack content because of their uniform browser support and easy coding style. The page linked to within the hidden frame can be used to deliver additional content, retrieve confidential information such as session IDs, or do something more elaborate such as executing screen-grabbing and key-logging while the user is exchanging
Figure 3: Attack tree for login/logout functionality (attack methods, attacks, mitigation).
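The following is an added example for the Injection section above; it is not code from the white paper. It places the string-concatenated query an attacker exploits beside the parameterized form the Defender text prescribes, and adds whitelist validation for the one thing placeholders cannot protect, an identifier such as the ORDER BY column. The in-memory SQLite table, its two rows and the column names are constructed for illustration.

```python
"""Parameterized queries beside the string-concatenated query they replace,
plus whitelist validation of the values that cannot be parameterized.

Added example, not code from the white paper. The in-memory SQLite table,
its two rows and the column names are constructed for illustration.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample store: two accounts in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    # VULNERABLE: the input is spliced into the SQL text, so a quote in the
    # input changes the structure of the query the interpreter sees.
    sql = (
        f"SELECT id, username FROM users WHERE username = '{username}' "
        f"AND password_hash = '{password_hash}'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    # SAFE: step one fixes the structure with placeholders; step two binds the
    # values, which the driver only ever treats as data.
    sql = "SELECT id, username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


# Whitelist (positive) validation: the only characters a username may contain.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def validate_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


# Identifiers cannot be bound as parameters, so the sort column comes from a
# fixed set and everything else is refused before any SQL is built.
ALLOWED_SORT_COLUMNS = {"id", "username"}


def list_users_sorted(conn: sqlite3.Connection, sort_column: str) -> list:
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column {sort_column!r} not allowed")
    rows = conn.execute(f"SELECT username FROM users ORDER BY {sort_column}")
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("concatenated :", login_vulnerable(db, payload, payload))    # both accounts leak
    print("parameterized:", login_parameterized(db, payload, payload))  # []
    print("valid name   :", validate_username("alice"), validate_username(payload))
    print("sorted       :", list_users_sorted(db, "username"))
```

With the classic payload in both fields, the concatenated query's WHERE clause becomes always true and returns every account, while the parameterized query looks for a user literally named `' OR '1'='1` and returns nothing. The whitelist regex rejects the payload before it reaches the database at all, which is the layered approach the text recommends.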
Figure 4: Attack tree for payment functionality (attack methods, attacks, mitigation). Mitigations listed in the tree:
- Whitelist validation should apply to all user-controlled data; output encoding should apply to the server response; escape malicious characters.
- Pass parameterized data to the application; the application should not display detailed error messages.
- Pass a unique token value with each request, and use a unique token value in each session.
- Enable the no-cache/no-store flag.
- Standard cryptographic algorithms (NIST/local policy) should be used to encrypt sensitive data.
- Session values must be properly invalidated at the server side; implement secure session management: use strong session IDs, protect them in transit and regenerate session identifiers at frequent intervals.
- Proper SSL certification should be enabled with standard cryptographic algorithms.
Retrieving Sensitive Data from a Temp File

Attacker: It is possible for an attacker to gather sensitive information about the payment application, such as usernames, passwords, credit card data, account numbers, machine names and/or sensitive file locations, from copies of HTTPS pages that the browser or an intermediate proxy has cached on disk because the application allowed them to be stored.

Defender: Clear all parameters, sensitive information and input values when the page is loaded or reloaded, and send Cache-Control: no-store (together with no-cache and Pragma: no-cache for older clients) on every response that carries sensitive data so that it is never written to a browser or proxy cache.

Figure 4 (above) depicts an attack tree for payment functionality, comprising attack methods, types of attacks that aim to gain sensitive user payment information and various mitigation techniques.

Figure 5: Attack tree for search functionality (attack methods, attacks, mitigation). Mitigations listed in the tree:
- Whitelist validation should apply to all user-controlled data; output encoding should apply to the server response; escape malicious characters.
- Whitelist validation should apply to all user-controlled data; pass parameterized data to the application; the application should not display detailed error messages.
- Sanitize the response header when user input is reflected in the response header.

SEARCH

Search functionality is commonly used in most applications to enable users to discover content
contained in a data repository. Search pages are usually constructed with a single form field and a submit button. A search query displays both the matched results and the searched-for text. Attackers often attempt to exploit search functionality behaviors to execute unintended queries or malicious scripts.

Attacker-Defender Approach

HTTP Response Splitting

Attacker: A response splitting attack becomes possible when user input is copied into an HTTP response header (for example, a redirect Location header built from the search term) without the carriage return and line feed characters being removed. By supplying a value containing %0d%0a (CRLF), the attacker terminates the genuine headers and appends a second, attacker-controlled response. The attack is most damaging when a proxy or cache shared by multiple users sits in front of the site: immediately after sending the first request, the attacker sends a second request for a valid, publicly accessible page on the site, and the cache pairs that page with the injected response, so every subsequent user of the proxy receives the attacker's content.

Defender: Use server-side validation and disallow CR and LF characters in all request values that are reflected in a response header; where possible, set headers through an API that rejects those characters rather than concatenating strings into raw header lines.

Figure 5 (above) depicts an attack tree for search functionality attacks that aim to execute unintended payloads, plus defensive remediation techniques.

REGISTRATION

Registration is a basic and essential function. Self-service registration functionality allows new users to register or enroll in the application by providing personal details such as username, date of birth, e-mail address, security questions, etc. The new user is registered if all provided details fit the application's requirements, thus allowing the user to log in thereafter. Since not everyone who tries to register or log into the application is a legitimate user, the application should validate all inputs before they are processed.

Attacker-Defender Approach

Enumerating User Information

Attacker: Enumeration is the first stage of the attack; it is the process used to gather information about a target application by actively connecting to it and identifying user, system and admin accounts. It is also an activity in which an attacker tries to retrieve valid usernames from a web application. If the system is vulnerable to this attack, the attacker may be able to obtain a list of existing usernames by submitting input (valid and invalid usernames) and analyzing the server response (error messages, status codes or response timing). The scope of this test is to verify whether it is possible to collect a set of valid usernames by interacting with the application's authentication and registration mechanisms. The attacker can then run a dictionary attack against the usernames obtained.

Defender: Return the same generic message, status code and, as far as possible, response time whether or not the submitted username exists, on the registration, login and password-reset pages alike; a CAPTCHA on the registration page and rate limiting slow down automated enumeration but do not remove the information leak on their own. Display only customized error messages in the user interface, and remove unnecessary comments from the source code so that the attacker cannot gather information from error messages or page source.

Automated Multiple Registration

Attacker: The attacker tries to increase the size of the request by appending an enormous amount of data that is sent to the server. This could result in a delayed response or the server hanging. The attacker can also send n requests to the server to register multiple times, causing a denial of service.

Defender: The most effective way to prevent automated multiple registration is to validate the content length and check the size of any file passed in the request. If the content size exceeds the specified limit, drop that particular request. If there are too many requests in the queue, the next request should be dropped automatically without being served. Approaches such as a one-time password, generating a QR code and using CAPTCHA challenges should be implemented to reduce the impact of this attack.

Sniffing the Unencrypted Data Channel

Attacker: This is a type of cyberattack (a man-in-the-middle attack) in which a malicious user inserts him- or herself into a conversation between two parties, impersonates both parties and gains access to the information that the two parties were trying to send to each other. This attack allows the malicious user to intercept, send and receive data meant for someone else and gain access to unauthorized resources.

Defender: Use strong encryption standards (TLS 1.2 or later) between the client and the server; the server should present a digital certificate so that the client can authenticate it before the connection is established, and where the client itself must be authenticated, client certificates can be required in addition.

Decrypting SSL Traffic if a Weak Cipher Is Enabled in the Application

Attacker: All systems and applications that use SSL/TLS with weak cipher suites, including the cipher-block chaining mode ciphers on SSL 3.0 and TLS 1.0 exploited by the BEAST and POODLE attacks, may be vulnerable. By breaking the weak cipher, an attacker can recover sensitive data passed within the encrypted web session, such as passwords, cookies and other authentication tokens. These can then be used to gain more complete access to a website (impersonating that user, accessing database content, etc.).

Defender: It is important to check the SSL/TLS configuration being used to avoid putting in place cryptographic support that could be easily defeated. Accordingly, an SSL-based service should not offer the possibility of negotiating a weak cipher suite, and it should not offer SSL 2.0, SSL 3.0 or TLS 1.0 at all. A cipher suite is specified by a key exchange and authentication method, a bulk encryption algorithm and key length (e.g., AES with 256-bit keys; DES and RC4 are examples that must no longer be offered) and a hash algorithm (e.g., SHA-256; MD5 must no longer be offered) used for integrity checking.

Forge the Self-Signed Certificate

Attacker: Attackers commonly use stolen certificates, which browsers accept as valid, or self-signed digital certificates. The browser displays a warning message when it encounters errors during SSL certificate validation, but users can proceed anyway. This is the typical scenario for fake SSL connections: genuine certificate warnings are caused primarily by server misconfigurations, so users have learned to ignore such alerts and thereby end up trusting forged SSL certificates.

Defender: Site operators and browser vendors can mitigate this threat by adopting HTTP Strict Transport Security (which turns certificate warnings into hard failures for sites that have opted in), public key pinning and TLS origin-bound certificates, and by validating certificates with notaries. Browser support for HTTP Public Key Pinning has since been withdrawn in favour of Certificate Transparency, so HSTS plus a CA-issued certificate is the practical baseline for a public site. A self-signed certificate pinned into a client the organization controls (such as a mobile app) can be more secure than relying on the public CA ecosystem alone; a self-signed certificate on a public website, by contrast, only trains users to click through warnings.

Figure 6 (below) depicts an attack tree for registration functionality, illustrating attack methods and types of attacks that attempt to gain sensitive information from the user. The tree also elaborates several countermeasures.

Figure 6: Attack tree for registration functionality. Attack methods and attacks: enumerating user information; retrieving sensitive data from a temp file (HTTPS page with cache/store enabled); enabling the browser configuration to obtain sensitive user data (autocomplete set to ON); cross-site scripting; SQL injection; automated multiple registration; sniffing the unencrypted data channel; decrypting SSL traffic if a weak cipher is enabled in the application; forgery of a self-signed certificate. Mitigations: customized error messages should be shown to the user; unnecessary source code comments should be removed; enable the no-cache/no-store flag; proper SSL certification should be enabled with standard cryptographic algorithms.

FILE UPLOAD/DOWNLOAD

Uploaded files represent a significant risk to applications. The consequences of unrestricted file upload vary, and include complete system takeover, an overloaded file system or database, forwarding of attacks to back-end systems and simple defacement. The outcome depends on what the application does with the uploaded file and especially where it is stored.

Attacker-Defender Approach

Remote File Inclusion (RFI)/Local File Inclusion (LFI)

Attacker: Remote file inclusion (RFI) is a type of vulnerability most often found on websites whose server-side code includes a file named by a request parameter. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs because user-supplied input is used without proper validation. An attacker may use stream wrappers (for example PHP's http:// or data: wrappers) to exploit RFI-vulnerable parameters. RFI attacks are highly automated, judging by traffic shape (e.g., consistency and rate) and characteristics (e.g., distinctive HTTP headers), making them very suitable for mitigation via reputation-based blacklists. By exploiting an RFI vulnerability, an attacker can load a c99 web shell onto the web server. Scripts can also be injected through RFI in order to deface websites.

In local file inclusion (LFI), which is similar to remote file inclusion, only local files (i.e., files on the current server) are included. The vulnerability is likewise due to the use of user-supplied input without proper validation. LFI enables an attacker to include code that is already hosted on the same web server as the application, so exploitation requires that the malicious code first be placed on the vulnerable server. A common route is log poisoning: the attacker writes script code into an Apache log (for example, by sending it in the User-Agent header) and then includes the log file through the LFI, so the code executes. Code can also be executed by uploading files that contain script content and then including them.

Defender: If the uploaded file needs to be stored on disk, use a server-generated filename. Inspect the content of uploaded files, and enforce a whitelist of accepted, non-executable content types. Enforce a whitelist of accepted, non-executable file extensions, and also ensure that the file extension matches the actual type of the file content. Use a predefined switch/case statement (a fixed mapping from a short key to a file) to determine which file to include rather than using a URL or form parameter to generate the path dynamically. If uploaded files are downloaded by users, provide an accurate, non-generic Content-Type header.
Figure 7: Attack tree for file upload functionality. Attack methods: remote file inclusion; local file inclusion; malicious content upload (shell/batch). Mitigations: use a server-generated filename if storing uploaded files on disk; inspect the content of uploaded files and enforce a whitelist of accepted, non-executable content types; enforce a whitelist of accepted, non-executable file extensions; if uploaded files are downloaded by users, supply an accurate, non-generic Content-Type header; enforce a size limit on uploaded files; reject attempts to upload archive formats such as ZIP/WAR/JAR.
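The following is an added example for the FILE UPLOAD/DOWNLOAD Defender text and Figure 7; it is not code from the white paper. It applies every control listed there to one upload: the size limit, the extension whitelist, a magic-byte check that the content matches the claimed type, rejection of ZIP-based archives, a server-generated filename, and accurate headers when the file is served back. The allowed types, the 2 MiB limit and the sample files are constructed for illustration.

```python
"""Validating an uploaded file the way the file upload section prescribes:
size limit, extension whitelist, content that matches the extension, no
archives, a server-generated name and an accurate Content-Type on download.

Added example, not code from the white paper. The allowed types, the
2 MiB limit and the sample files are constructed for illustration.
"""
import os
import secrets

MAX_UPLOAD_BYTES = 2 * 1024 * 1024

# extension -> (Content-Type served on download, magic-byte prefixes that prove the type)
ALLOWED = {
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "pdf": ("application/pdf", (b"%PDF-",)),
}
ARCHIVE_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")   # ZIP, and JAR/WAR built on ZIP


class UploadRejected(ValueError):
    pass


def validate_upload(client_filename: str, content: bytes) -> tuple:
    """Return (server_filename, content_type) for an acceptable upload, else raise."""
    if len(content) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file exceeds the size limit")
    # Only the final extension counts, lower-cased: "shell.php.png" is "png",
    # which is exactly why the content check below is not optional.
    ext = os.path.basename(client_filename).rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    if content.startswith(ARCHIVE_MAGIC):
        raise UploadRejected("archive formats are not accepted")
    content_type, magics = ALLOWED[ext]
    if not content.startswith(magics):
        raise UploadRejected("content does not match the extension")
    # The client's name never reaches the file system; the stored name is ours.
    return f"{secrets.token_hex(16)}.{ext}", content_type


def download_headers(server_filename: str, content_type: str) -> list:
    """Accurate, non-generic type; no sniffing; offered as a download, not rendered inline."""
    return [
        ("Content-Type", content_type),
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Disposition", f'attachment; filename="{server_filename}"'),
    ]


if __name__ == "__main__":
    # Constructed samples: a genuine PNG header and a PHP shell renamed to .png.
    print(validate_upload("photo.PNG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    for name, data in [("shell.php", b"<?php"), ("shell.php.png", b"<?php system($_GET['c']);"),
                       ("app.war", b"PK\x03\x04"), ("notes.pdf", b"PK\x03\x04")]:
        try:
            validate_upload(name, data)
        except UploadRejected as exc:
            print(name, "->", exc)
```

A magic-byte check does not catch a polyglot (a valid PNG header followed by script), which is why the server-generated name and storing the file outside any directory the web server will execute remain necessary even when every check here passes.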
by the server, it is possible to tamper with these values.

The attacker force-browses into a particular restricted functionality by tampering with HTTP query parameters. For example, if a user is authorized only to view the list of users via www.app.com/users.aspx?fn=view, he may edit or delete users by force-browsing to www.app.com/users.aspx?fn=edit. The attacker retrieves the data of another user by modifying exposed system object references (an insecure direct object reference): he attempts to obtain other users' details by modifying a primary key value, such as a database table row or record identifier, that the application exposes in the request.

Defender: Do not rely on client-supplied values of user level or role ID to determine the access level for a user. Implement proper access control at the server side for all users. Enforce appropriate authorization on all critical functionalities. Perform authorization checks at the server side to ensure the user is authorized for the requested resource or function. Do not expose references to system objects or primary keys. Each use of an object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object. Use per-user or session-specific indirect object references: for example, instead of using the resource's database key, the application should hand the client an indirect reference and map it back to the actual database key on the server.

Path Traversal

Attacker: The attacker aims to access files and directories that are stored outside the web root folder. This attack is executed by injecting directory traversal sequences (../ and their URL-encoded variants) into path parameters. For example, an attacker can exploit a file download functionality to download sensitive configuration files, such as Web.config, and gain vital information about the application such as database credentials, admin credentials, etc.

Defender: Perform proper input validation on all user-supplied parameters and URI requests. Restrict the user-defined path to a whitelist of allowed paths. The directory/filename should be decoded, expanded to its absolute canonical path and checked to lie within the allowed directory. Enforce directory-level access control.

Forced Browsing

Attacker: The attacker attempts to access the pages of admin/privileged users. He or she initiates a direct request attack, trying to access sensitive resources by browsing directly to the URL. For example, an attacker may be able to access administrative pages on www.vulnerableapp.com by browsing to www.vulnerableapp.com/admin.aspx.

Defender: Do not assume that resources can be reached only through the user interface or via the menu items displayed to the user. Enforce authorization at the server side to ensure the user has the required privilege to access the page. Do not rely on client-side validation. Perform a server-side access control check for all pages and functionalities.

Session Hijacking

Attacker: The attacker gains access to the active session of an authenticated user and, using that session, gets full access to all functionalities with the privileges of the victimized user. If the victim account has elevated privileges, the attacker can even revoke the admin privileges from the victim account and grant them to him- or herself.

Defender: Properly invalidate the session at the server side once the user has logged out. Maintain a standard session timeout, say 20 minutes of inactivity. Do not use static session identifiers to identify a legitimate user. Do not accept client-supplied session tokens, to prevent session fixation. Regenerate session IDs after every successful login and at frequent intervals. Use unique, sufficiently long, random session identifiers to reduce the risk of brute-force attack. Set the HttpOnly and Secure flags on session cookies to avoid session cookie theft.

Figure 8 (below) depicts an attack tree for user privilege management, showcasing attacks that exploit vulnerabilities in the application to gain greater privilege access. Possible remediation methods for preventing privilege escalation and maintaining access control are also presented.

Figure 8: Attack tree for privileged user functionality (attack methods, attacks, mitigation). Mitigations listed in the tree: view state should be used (with MAC validation enabled) to avoid tampering; function-level access control should be enabled; whitelist validation should apply to all user-controlled data and malicious characters in user input should be escaped; perform server-side authorization checks and do not rely on client-side validation; use a server-generated filename if storing uploaded files on disk; inspect the content of uploaded files and enforce a whitelist of accepted, non-executable content types; enforce a whitelist of accepted, non-executable file extensions; if uploaded files are downloaded by users, supply an accurate, non-generic Content-Type header.
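For the parameter-tampering, direct-object-reference and Forced Browsing items above, the following is an added example, not code from the white paper. It shows the two server-side checks the Defender text calls for: a function-level check that decides what the `fn` parameter may do from the role held in the server-side session, and an object-level check that resolves a per-session indirect reference back to the real key and confirms ownership. The roles, the `fn` values (after the users.aspx?fn=view example), the record store and the `Session` class are constructed for illustration.

```python
"""Server-side function-level and object-level authorization with per-session
indirect object references, for the force-browsing and direct-object-reference
attacks described above.

Added example, not code from the white paper. The roles, the `fn` values
(after the users.aspx?fn=view example), the record store and the
`Session` class are constructed for illustration.
"""
import secrets

# Constructed policy and data: which role may call which `fn`, and who owns what.
PERMISSIONS = {"viewer": {"view"}, "admin": {"view", "edit", "delete"}}
RECORDS = {
    101: {"owner": "alice", "ssn": "***-**-1234"},
    102: {"owner": "bob", "ssn": "***-**-5678"},
}


class Forbidden(Exception):
    pass


class Session:
    """Server-side session state. The role lives here, never in the request."""

    def __init__(self, user: str, role: str):
        self.user = user
        self.role = role
        self._refs: dict = {}      # opaque token -> real database key

    def reference_for(self, key: int) -> str:
        """Opaque, per-session token to put in the page instead of the primary key."""
        for token, k in self._refs.items():
            if k == key:
                return token
        token = secrets.token_urlsafe(12)
        self._refs[token] = key
        return token

    def resolve(self, token: str) -> int:
        """Map a token back to the key; tokens from other sessions are unknown here."""
        key = self._refs.get(token)
        if key is None:
            raise Forbidden("unknown object reference")
        return key


def handle_users_page(session: Session, fn: str) -> str:
    # Function-level check: `fn` comes from the query string and is untrusted;
    # the permitted set comes from the session's role on the server.
    if fn not in PERMISSIONS.get(session.role, set()):
        raise Forbidden(f"role {session.role!r} may not {fn!r}")
    return f"{fn} users"


def my_records(session: Session) -> dict:
    """What the UI renders for this user: tokens, not database keys."""
    return {session.reference_for(k): r["ssn"]
            for k, r in RECORDS.items() if r["owner"] == session.user}


def get_record(session: Session, token: str) -> dict:
    # Object-level check: resolve the indirect reference, then confirm the
    # caller is the owner (or an admin) before returning anything.
    record = RECORDS[session.resolve(token)]
    if record["owner"] != session.user and session.role != "admin":
        raise Forbidden("not the owner of this record")
    return record
```

Because a token is minted inside one session and means nothing in any other, an attacker who copies a token out of a victim's page cannot replay it from his own session, and guessing `101` or `102` fails before the ownership test is even reached. The ownership test is still kept, since indirect references hide keys but are not themselves an authorization decision.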
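This added example serves two passages: the "predefined switch/case statement" advice in the FILE UPLOAD/DOWNLOAD Defender text and the canonical-path check in the Path Traversal Defender text above. It is not code from the white paper. `include_path()` maps a short key to a file so that no path ever comes from the request, and `safe_download_path()` decodes a user-supplied name, expands it to its absolute canonical path and refuses anything that resolves outside the download directory. The include map and the directory layout (a downloads directory beside a secret directory holding a Web.config) are constructed in a temporary directory for illustration.

```python
"""Safe file resolution for the two cases above: a fixed include map for
"which file to include", and canonical-path containment for a user-supplied
download name.

Added example, not code from the white paper. The include map and the
directory layout (a downloads directory beside a secret directory holding
Web.config) are constructed in a temporary directory for illustration.
"""
import os
import tempfile
from urllib.parse import unquote

# The "predefined switch/case": requests carry a short key, never a path.
INCLUDE_MAP = {"home": "pages/home.html", "help": "pages/help.html"}


class PathRejected(ValueError):
    pass


def include_path(base_dir: str, key: str) -> str:
    """Anything not in the map is refused; the key never touches the path."""
    try:
        return os.path.join(base_dir, INCLUDE_MAP[key])
    except KeyError:
        raise PathRejected(f"unknown page {key!r}") from None


def safe_download_path(download_dir: str, user_path: str) -> str:
    """Decode, expand to the absolute canonical path, and require it to stay
    inside download_dir. Rejects ../ sequences, their URL-encoded and
    double-encoded forms, NUL bytes, absolute paths and symlinks that escape."""
    root = os.path.realpath(download_dir)
    decoded = unquote(unquote(user_path))          # second pass catches %252e%252e%252f
    if "\x00" in decoded or os.path.isabs(decoded) or decoded.startswith(("/", "\\")):
        raise PathRejected(f"{user_path!r} is not a relative file name")
    candidate = os.path.realpath(os.path.join(root, decoded))   # resolves .. and symlinks
    if os.path.commonpath([root, candidate]) != root:
        raise PathRejected(f"{user_path!r} escapes the download directory")
    return candidate


def make_demo_tree() -> str:
    """Constructed layout; returns the downloads directory:
    <tmp>/downloads/report.pdf, <tmp>/downloads/link -> ../secret/Web.config,
    <tmp>/secret/Web.config."""
    tmp = tempfile.mkdtemp()
    downloads = os.path.join(tmp, "downloads")
    os.makedirs(downloads)
    os.makedirs(os.path.join(tmp, "secret"))
    with open(os.path.join(downloads, "report.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n")
    with open(os.path.join(tmp, "secret", "Web.config"), "w") as f:
        f.write("<connectionStrings>constructed</connectionStrings>")
    try:
        os.symlink(os.path.join(tmp, "secret", "Web.config"), os.path.join(downloads, "link"))
    except OSError:
        pass                                       # symlinks unavailable: skip that case
    return downloads


if __name__ == "__main__":
    dl = make_demo_tree()
    print(safe_download_path(dl, "report.pdf"))
    for bad in ["../secret/Web.config", "%2e%2e/secret/Web.config",
                "%252e%252e%252fsecret%252fWeb.config", "/etc/passwd", "link"]:
        try:
            print(safe_download_path(dl, bad))
        except PathRejected as exc:
            print("rejected:", exc)
```

The containment test is done on the canonical path rather than on the input string, so it does not matter how the traversal was spelled: `..`, `%2e%2e`, a double-encoded form or a symlink inside the directory all resolve to the same real location and are judged on where they land. Decoding twice is a deliberate choice for an example that must catch double encoding; in a real application decode exactly as many times as the framework in front of you does not.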
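For the Session Hijacking Defender text above, here is an added example, not code from the white paper. It implements each of the listed controls in one small server-side store: random, server-generated identifiers; refusal of any identifier the server did not issue (which is what defeats session fixation); regeneration on login; an idle timeout; true server-side invalidation on logout; and the cookie attributes. The in-memory store and the clock injection are constructed for illustration, and the timeout follows the text's suggestion of 20 minutes.

```python
"""Server-side session management per the session hijacking defender text:
random IDs, no client-chosen IDs, regeneration on login, idle timeout,
server-side invalidation on logout and cookie flags.

Added example, not code from the white paper. The store is an in-memory dict
and the timeout value follows the text's suggestion of 20 minutes.
"""
import secrets
import time

IDLE_TIMEOUT = 20 * 60   # seconds of inactivity after which a session is dead


class SessionStore:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions: dict = {}   # session id -> {"user": ..., "last_seen": ...}

    def _new_id(self) -> str:
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG

    def start(self) -> str:
        # An anonymous pre-login session. The ID is always server-generated;
        # an ID presented by a client that is not in the store is simply
        # unknown (see lookup), so a fixated ID never becomes a live session.
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def lookup(self, sid: str):
        """Return the session record, or None for unknown or idle-expired IDs."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        now = self._clock()
        if now - record["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]    # expired: from now on it is an unknown ID
            return None
        record["last_seen"] = now
        return record

    def login(self, presented_sid: str, user: str) -> str:
        # Regenerate on privilege change: whatever ID the client had before
        # login (possibly fixated or observed) stops working, and a fresh one
        # carries the authenticated user.
        self._sessions.pop(presented_sid, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def logout(self, sid: str) -> None:
        # Server-side invalidation; deleting the cookie alone would leave the
        # session usable by anyone who captured the ID.
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value: Secure keeps it off plaintext HTTP, HttpOnly keeps it
    away from script, SameSite limits cross-site sending."""
    return f"SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

The text also asks for regeneration "at frequent intervals"; with this store that is a call to `login()` with the current ID and user at whatever interval policy dictates, since it already implements invalidate-old-then-issue-new. Rotating on every request is not recommended, because a slow or retried request would then log the legitimate user out.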
Dr. Sivakumar Kathiresan
Principal Architect, Technology
Sivakumar.Kathiresan@cognizant.com

Dr. Sivakumar Kathiresan, B.E., M.E., Ph.D., is a Principal Architect, Technology, within Cognizant's Enterprise Risk and Security Solutions business unit. In this role, he leads the North American competency, solutions and pre-sales effort in the organization's integrated vulnerability management services team. He has managed 150-plus security assessment projects across various industry sectors over the last six years. Sivakumar has 22 years of experience, including industry, research and academia, and has delivered more than 125 knowledge-sharing and solution architect sessions on various fields of enterprise security at different forums. His current areas of interest are web security, secure SDLC, advanced log analysis, application vulnerability correlation, integrated vulnerability management, advanced persistent threats and management, and security analytics. Sivakumar received his Ph.D. from the Indian Institute of Technology, Roorkee; he continues to research the area of digital security. His certificates include CEH, CISM, Sourcefire, Qualysguard, Envision, LanDesk and BigData Associate.
ACKNOWLEDGMENTS

The author recognizes the value added by the following Cognizant associates:
- Sivakumar Subramaniam, Head, ITM and IVM.
- Sivarama Subramanian Kailasam and the entire IVM delivery team.

He also acknowledges the contributions to this white paper of the following Cognizant cybersecurity experts:
- 1,600-plus security consultants specializing in IAM, GRC, data security and application security assessment.
- A proven track record and experience in 500-plus client engagements for security services.
- Partnerships with leading vendors such as IBM, CA, Oracle, SailPoint, Novell, Dell, RSA, HP, Symantec, etc.
ABOUT COGNIZANT

Cognizant (NASDAQ-100: CTSH) is one of the world's leading professional services companies, transforming clients' business, operating and technology models for the digital era. Our unique industry-based, consultative approach helps clients envision, build and run more innovative and efficient businesses. Headquartered in the U.S., Cognizant is ranked 230 on the Fortune 500 and is consistently listed among the most admired companies in the world. Learn how Cognizant helps clients lead with digital at www.cognizant.com or follow us @Cognizant.

Copyright 2017, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.

TL Codex 2531