MODULE 25

Web Application Threats


Now that we’ve addressed some specific threats that apply to hosts, let’s look at specific threats from web applications. Note that these are still threats that apply to hosts; they can affect the security of the host as well as the security of the data that web applications access. However, we’ve categorized these a bit differently here, because web application threats can target very specific things on a host and cause some very particular issues. Most web application threats may seem to affect only the browser or any applications that are accessing web-based resources, but this isn’t always the case. In this module, we’ll look at some of these web application threats and how they affect the hosts, as well as how they can be handled securely.

Threats from Web Applications

Threats from web applications come in a few forms, and we’ll discuss the particulars in the next few sections. Unlike our previous discussions on application attacks, which focused on attacks directed against web applications and which may affect the underlying systems and data, this module centers on web application attacks that can affect hosts, often carried out through vulnerable web applications. These hosts are usually ordinary user machines using client browsers to access web applications. These types of attacks aren’t too terribly hard to understand or even carry out, but they are very serious and account for the majority of the web-based attacks that hosts are often subjected to.

Web Application Attacks

Some specific web-based application attacks pose direct threats to individual hosts. Most of these types of attacks involve some type of data manipulation, such as header manipulation, or some type of scripting attack. Some of these are very similar to attacks we described earlier, particularly cross-site request forgery (CSRF) attacks. We’ll take a look at cross-site scripting attacks, header manipulation, cookie attacks, session hijacking, and HTML attachments, as well as how they may affect a host.

Cross-Site Scripting

Cross-site scripting (XSS) is a very common attack that can affect both hosts and web applications. It comes in the form of malicious script content that is injected into a vulnerable web site, usually one that the client browser trusts. Because content from a trusted site often has elevated access to a browser or its components, the malicious content could be sent to a client and have these elevated privileges as well. From there, it can access sensitive information on the client, including content and session cookie information. This information could contain user credentials as well as financial information (in the form of credit card or bank account numbers), for example.

XSS attacks are very common; in fact, these types of attacks are estimated to make up a large majority of web-based attacks today, surpassing even buffer overflows in frequency. Many web sites are vulnerable to XSS attacks, usually through malformed HTML requests or via active content and scripting languages such as Java, JavaScript, ActiveX, Visual Basic Script (VBScript), Flash, and others. Although there are many variations of XSS attacks, Figure 25-1 illustrates one way that a simple XSS attack could work.
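The following is an added example, not code from the module: it renders an untrusted comment into an HTML fragment first without and then with output encoding, the standard mitigation that keeps injected script content from reaching the browser as executable markup. The function names, the sample comment text, and the simple active-content check are all assumptions made for the illustration.

```javascript
// Added example (not from the module): rendering untrusted comment text
// with and without HTML output encoding, the mitigation that stops injected
// script content from being parsed as an element by the browser.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a value for the HTML text/attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: untrusted input is interpolated straight into markup,
// so a comment containing a <script> element becomes part of the page.
function renderCommentUnsafe(author, text) {
  return `<div class="comment"><b>${author}</b>: ${text}</div>`;
}

// Hardened rendering: every untrusted value is encoded, so the same input is
// displayed as literal text and never parsed as an element or a handler.
function renderCommentSafe(author, text) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</div>`;
}

// Review check (hypothetical helper): does the rendered fragment contain a
// script element or an inline event handler that the template never emits?
function containsActiveContent(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample input: the canonical harmless XSS probe string.
const SAMPLE_AUTHOR = 'guest';
const SAMPLE_TEXT = 'nice post <script>alert("xss")</script>';

console.log('unsafe:', renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_TEXT));
console.log('safe:  ', renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_TEXT));
```

Encoding must match the context the value lands in; this helper covers HTML text and quoted attribute values, while a value placed inside a `<script>` block or a URL needs a different encoder.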

Figure 25-1 A simple XSS attack

Cookies

Cookies are small text files stored on a browser that contain information about the web sites you visit. In some cases, cookies are used to retain user preferences for the site, but cookies can contain sensitive information, such as user credentials or financial data (credit card information, for example) as well. These last types of cookies are session cookies, since they are (supposedly) not persistent and expire for each session and must be renewed for subsequent sessions. Cookies are stored as text files, and although they are not easily human readable, they are not encrypted. Local shared objects (LSOs, also known as flash cookies) are particular to web sites that use the Adobe Flash player for certain content. Flash cookies are used for storing user information and can be a security concern due to privacy issues.

Attacks that take advantage of cookies usually come in the form of stealing session cookies from a user’s web browser and using the session information contained therein to authenticate as the user. Cookies can be collected via a web-based script or intercepted during a traffic capture using a sniffer. Protecting against cookie-based attacks involves using techniques such as enforcing new session authentication periodically from a web site, cookie expiration, and control of cookie use through the browser security settings. Figure 25-2 shows an example of a basic cookie text file.
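As an added example (not from the module), the block below issues a session cookie with the attributes that limit theft and replay, and audits a Set-Cookie header of the kind seen in a proxy log for missing protections. The function names, the one-day lifetime policy, and the sample header strings are assumptions made for the illustration; the cookie attributes themselves are the standard ones defined for HTTP cookies.

```javascript
// Added example (not from the module): issuing a session cookie with the
// attributes that limit theft and replay, plus a small audit of a Set-Cookie
// header such as one captured from a proxy log.

// Build a Set-Cookie header for a session identifier.
//  - Max-Age bounds the lifetime, enforcing the expiration the text recommends
//  - Secure keeps the cookie off plaintext HTTP, where a sniffer could capture it
//  - HttpOnly hides the cookie from document.cookie, so injected script cannot read it
//  - SameSite=Strict stops the browser from attaching it to cross-site requests
function buildSessionCookie(name, value, { maxAgeSeconds }) {
  if (!/^[\w-]+$/.test(name)) throw new Error('invalid cookie name');
  // RFC 6265 cookie-octet only: no whitespace, quotes, commas, semicolons or CR/LF
  if (!/^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/.test(value)) {
    throw new Error('invalid cookie value');
  }
  if (!Number.isInteger(maxAgeSeconds) || maxAgeSeconds <= 0) throw new Error('invalid Max-Age');
  return `${name}=${value}; Max-Age=${maxAgeSeconds}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// Parse a Set-Cookie header into its name/value pair and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Assumed policy for this example: a session cookie lives at most one day.
const MAX_SESSION_SECONDS = 24 * 60 * 60;

// Report the protections a session cookie should carry but does not.
// Returns an empty list for a well-formed session cookie.
function auditSetCookie(header) {
  const { attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.secure) findings.push('missing Secure');
  if (!attributes.httponly) findings.push('missing HttpOnly');
  if (!attributes.samesite) findings.push('missing SameSite');
  if (attributes['max-age'] !== undefined && Number(attributes['max-age']) > MAX_SESSION_SECONDS) {
    findings.push(`Max-Age ${attributes['max-age']} exceeds session policy`);
  }
  return findings;
}

// Constructed sample headers: one issued by buildSessionCookie, one bare.
console.log(auditSetCookie(buildSessionCookie('sid', 'abc123', { maxAgeSeconds: 1800 })));
console.log(auditSetCookie('sid=abc123; Path=/'));
```

A cookie with no Max-Age or Expires is a browser-session cookie, which is the intended shape for a session identifier, so the audit flags only lifetimes that exceed the policy rather than the absence of an expiry.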

Figure 25-2 Example of a cookie file

HTML Attachments

An HTML attachment is basically an HTML file that comes attached to an e-mail. When a user clicks this attachment, it automatically spawns a browser session and could connect to a malicious web site. Once the user is connected to the site, malicious code can be downloaded onto the user’s browser. A common mitigation for this is to strip e-mail attachments that contain HTML files, usually by the mail server or other security software. You could also make use of proxy servers that prevent connections from HTML attachments. Perhaps most importantly, you can educate users on the dangers of clicking unknown attachments or e-mails from unknown persons to mitigate this threat.

Header Manipulation

As part of normal communications with web applications, request and response messages are sent back and forth between the web application and the browser in order for the client to access content in the web application. These HTTP requests and responses have headers that contain information such as commands, directives, and so on. One common attack is to manipulate these headers so they contain malicious information, such as harmful commands and scripts. When the client receives these manipulated headers, it often executes these commands, resulting in malicious actions occurring on the client. Beyond executing simple commands, manipulating HTTP headers can allow an attacker to carry out other attacks, such as cross-site scripting, session hijacking, cookie stealing, and injection attacks. A mitigation for this type of attack is to configure web application servers to ignore client-side headers, since they are usually the source of header manipulation.
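The block below is an added example, not code from the module, showing two server-side checks that follow from this discussion: refusing header names and values that could smuggle an extra line into an HTTP message, and discarding client-supplied headers that only the server's own reverse proxy should be allowed to set. The function names, the list of proxy-only headers, and the sample request are assumptions made for the illustration; the name and value character rules follow the HTTP message syntax specification (RFC 7230).

```javascript
// Added example (not from the module): server-side validation of HTTP header
// names and values, and dropping of client-supplied headers that should only
// originate from a trusted reverse proxy.

// RFC 7230 token characters, the only ones permitted in a header name.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Visible ASCII, space and tab only: CR, LF and NUL are rejected because they
// could terminate the header and begin a new one (header injection).
const FIELD_VALUE_RE = /^[\t\x20-\x7E]*$/;

function isValidHeaderName(name) {
  return TOKEN_RE.test(name);
}

function isValidHeaderValue(value) {
  return FIELD_VALUE_RE.test(value);
}

// Set a response header only after validating both halves; failing loudly is
// preferable to emitting a malformed response.
function setHeaderStrict(headers, name, value) {
  if (!isValidHeaderName(name)) throw new Error(`invalid header name: ${JSON.stringify(name)}`);
  if (!isValidHeaderValue(value)) throw new Error(`invalid header value for ${name}`);
  headers[name.toLowerCase()] = value;
  return headers;
}

// Headers that only a trusted reverse proxy should set. Assumed list for the
// example; a real deployment tailors it to its own proxy configuration.
const PROXY_ONLY_HEADERS = ['x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-real-ip'];

// Drop proxy-only headers from a request that did not arrive via a trusted
// proxy, and drop any header with an invalid name or value regardless of origin.
function sanitizeRequestHeaders(headers, remoteAddr, trustedProxies) {
  const fromProxy = trustedProxies.includes(remoteAddr);
  const clean = {};
  for (const [rawName, value] of Object.entries(headers)) {
    const name = rawName.toLowerCase();
    if (!isValidHeaderName(name) || !isValidHeaderValue(String(value))) continue;
    if (!fromProxy && PROXY_ONLY_HEADERS.includes(name)) continue;
    clean[name] = String(value);
  }
  return clean;
}

// Constructed sample request: a direct client (not the proxy) supplying a
// forwarding header and a header whose name contains CR/LF.
const SAMPLE_HEADERS = {
  'Host': 'app.example.invalid',
  'X-Forwarded-For': '198.51.100.7',
  'Bad\r\nName': 'x',
};
console.log(sanitizeRequestHeaders(SAMPLE_HEADERS, '203.0.113.5', ['10.0.0.1']));
```

Validating on the way in and on the way out are complementary: the request-side filter keeps forged forwarding headers from influencing access decisions, and the response-side check keeps a value derived from user input from splitting the response.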

Module 25 Questions and Answers

Questions

1. Which of the following web application attacks are caused by compromising a vulnerable web site and uploading malicious code or using malicious links to get a user’s sensitive information?

A. CSRF attack

B. XSS attack

C. Injection attack

D. Defacing attack

2. Which of the following could make a web application vulnerable to an XSS attack? (Choose two.)

A. Weak encryption algorithm

B. Use of Flash, VBScript, or JavaScript

C. Malformed HTML requests

D. Malformed TCP segments

3. Which of the following are small files located on a host that contain session information about visited web sites?

A. Cookies

B. .html files

C. Session keys

D. Applets

4. What types of applications do local shared objects support?

A. Java applets

B. Operating system executable files

C. Microsoft Office content

D. Adobe Flash content

5. All of the following are mitigations against HTML attachment attacks, except:

A. Stripping e-mail attachments containing HTML files

B. Encrypting HTML attachments during transmission

C. Preventing Internet connections from HTML attachments

D. Cautioning users not to click HTML attachments

6. Manipulating __________ is one way to embed malicious commands and directives into HTTP traffic sent back and forth between a client and web server.

A. request packets

B. response segments

C. HTTP headers

D. flash cookies

Answers

1. B. An XSS attack is caused by compromising a vulnerable web site and uploading malicious code or using malicious links to get a user’s sensitive information.

2. B, C. The use of Flash, VBScript, or JavaScript, as well as malformed HTML requests, can be used to create and execute XSS attacks.

3. A. Cookies are small files located on a host that contain session information about visited web sites.

4. D. Local shared objects support Adobe Flash content.

5. B. Encrypting HTML attachments during transmission does not prevent HTML attachment attacks.

6. C. Manipulating HTTP headers is one way to embed malicious commands and directives into HTTP traffic sent back and forth between a client and web server.
