Web Application Security

OWASP Top 10

The Open Web Application Security Project (OWASP) is a non-profit organization that provides unbiased and practical information about application security. The OWASP Top 10 is a list of the ten most critical security risks to web applications. The list is updated every three years by a team of security experts from around the world.

  1. Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's malicious data can trick the interpreter into executing unintended commands or accessing unauthorized data.
  2. Broken Authentication: Broken authentication occurs when an attacker can compromise passwords, keys, or session tokens to assume the identity of another user. This can lead to unauthorized access to sensitive data or functionality.
  3. Sensitive Data Exposure: Sensitive data exposure occurs when an application fails to adequately protect sensitive data, such as financial information, health records, or personal information. Attackers can exploit this vulnerability to steal or manipulate sensitive data.
  4. XML External Entities (XXE): XXE vulnerabilities occur when an application processes XML input from untrusted sources without disabling external entities. Attackers can exploit this vulnerability to read files, scan internal systems, and perform denial-of-service attacks.
  5. Broken Access Control: Broken access control occurs when an application fails to restrict users from accessing unauthorized functionality or data. Attackers can exploit this vulnerability to view sensitive files, modify other users' data, or change access rights.
  6. Security Misconfiguration: Security misconfiguration occurs when an application is not securely configured, such as default accounts, unnecessary services, or missing security headers. Attackers can exploit this vulnerability to gain unauthorized access, escalate privileges, or execute arbitrary code.
  7. Cross-Site Scripting (XSS): XSS vulnerabilities occur when an application includes untrusted data in a web page without proper validation or escaping. Attackers can exploit this vulnerability to execute malicious scripts in the context of a victim's browser, leading to session hijacking, defacement, or data theft.
  8. Insecure Deserialization: Insecure deserialization occurs when an application deserializes untrusted data without proper validation or integrity checks. Attackers can exploit this vulnerability to execute arbitrary code, escalate privileges, or perform denial-of-service attacks.
  9. Using Components with Known Vulnerabilities: Using components with known vulnerabilities occurs when an application includes outdated or insecure libraries, frameworks, or software components. Attackers can exploit these vulnerabilities to compromise the application, steal sensitive data, or gain unauthorized access.
  10. Insufficient Logging and Monitoring: Insufficient logging and monitoring occur when an application fails to generate, store, or analyze sufficient logs to detect and respond to security incidents. Attackers can exploit this vulnerability to maintain persistence, evade detection, or escalate privileges.

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is a security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. XSS attacks can be used to steal sensitive information, hijack user sessions, deface websites, or distribute malware. There are three main types of XSS attacks:

  1. Stored XSS: Stored XSS occurs when an attacker injects a malicious script into a web application, and the script is stored on the server and executed whenever a user accesses the affected page. This type of XSS attack is persistent and can affect multiple users.
  2. Reflected XSS: Reflected XSS occurs when an attacker injects a malicious script into a URL or form input, and the script is reflected back to the user in the server's response. This type of XSS attack is non-persistent and requires the victim to click on a specially crafted link.
  3. DOM-based XSS: DOM-based XSS occurs when an attacker injects a malicious script into the Document Object Model (DOM) of a web page, and the script is executed by the victim's browser. This type of XSS attack is client-side and does not involve server-side processing.

Prevention

To prevent XSS attacks, web developers should follow best practices such as:

  • Input Validation: Validate and sanitize all user input to prevent malicious scripts from being executed.
  • Output Encoding: Encode user input before displaying it in web pages to prevent script injection.
  • Content Security Policy (CSP): Implement a Content Security Policy to restrict the sources of content that can be loaded on a web page.
  • HTTPOnly and Secure Cookies: Use HTTPOnly and Secure flags on cookies to prevent XSS attacks from stealing session tokens.
  • X-XSS-Protection Header: Enable the X-XSS-Protection header to enable the browser's built-in XSS filter.
  • Use Libraries and Frameworks: Use secure libraries and frameworks that provide built-in protection against XSS attacks.
  • Security Headers: Implement security headers such as X-Content-Type-Options, X-Frame-Options, and Referrer-Policy to enhance web application security.
  • Regular Security Audits: Conduct regular security audits and penetration testing to identify and remediate XSS vulnerabilities.
  • Security Awareness Training: Educate developers, testers, and users about the risks of XSS attacks and how to prevent them.
  • Bug Bounty Programs: Implement bug bounty programs to incentivize security researchers to report XSS vulnerabilities responsibly.
  • Incident Response Plan: Develop an incident response plan to respond to XSS attacks and other security incidents effectively.

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is a security vulnerability that allows attackers to trick users into executing unintended actions on a web application in which they are authenticated. CSRF attacks can be used to perform actions such as changing account settings, transferring funds, or deleting data without the user's consent. There are two main types of CSRF attacks:

  1. Synchronizer Token Pattern: The Synchronizer Token Pattern involves generating a unique token for each user session and including it in forms or URLs. When the user submits a form or clicks on a link, the server validates the token to ensure that the request is legitimate.
  2. Double Submit Cookie Pattern: The Double Submit Cookie Pattern involves setting a cookie with a random value and including the same value in a hidden form field. When the user submits the form, the server compares the cookie value with the form field value to prevent CSRF attacks.

Prevention

To prevent CSRF attacks, web developers should follow best practices such as:

  • Use Anti-CSRF Tokens: Implement anti-CSRF tokens using the Synchronizer Token Pattern or Double Submit Cookie Pattern to protect against CSRF attacks.
  • SameSite Cookies: Set the SameSite attribute on cookies to restrict cross-origin requests and prevent CSRF attacks.
  • HTTP Referer Header: Validate the HTTP Referer header to ensure that requests originate from the same domain and prevent CSRF attacks.
  • CSRF Protection Libraries: Use CSRF protection libraries and frameworks that provide built-in protection against CSRF attacks.
  • Security Headers: Implement security headers such as X-Content-Type-Options, X-Frame-Options, and Referrer-Policy to enhance web application security.
  • Regular Security Audits: Conduct regular security audits and penetration testing to identify and remediate CSRF vulnerabilities.

SQL Injection

SQL Injection is a security vulnerability that allows attackers to execute malicious SQL queries against a web application's database. SQL Injection attacks can be used to bypass authentication, retrieve sensitive information, modify data, or escalate privileges. There are three main types of SQL Injection attacks:

  1. In-band SQL Injection: In-band SQL Injection occurs when an attacker uses the same communication channel to launch the attack and retrieve the results. This type of SQL Injection is the most common and can be further divided into Error-based SQL Injection and Union-based SQL Injection.
  2. Inferential SQL Injection: Inferential SQL Injection occurs when an attacker is unable to see the results of an attack directly but can infer the results based on the application's behavior. This type of SQL Injection is also known as Blind SQL Injection and can be further divided into Boolean-based SQL Injection and Time-based SQL Injection.
  3. Out-of-band SQL Injection: Out-of-band SQL Injection occurs when an attacker uses a different communication channel to launch the attack and retrieve the results. This type of SQL Injection is less common but can be more effective in certain scenarios.

Prevention

To prevent SQL Injection attacks, web developers should follow best practices such as:

  • Parameterized Queries: Use parameterized queries with prepared statements to separate SQL code from user input and prevent SQL Injection attacks.
  • Input Validation: Validate and sanitize all user input to prevent malicious SQL queries from being executed.
  • Least Privilege Principle: Use the least privilege principle to restrict database users' permissions and prevent unauthorized access.
  • ORMs and Libraries: Use Object-Relational Mapping (ORM) frameworks and secure libraries that provide built-in protection against SQL Injection attacks.
  • Security Headers: Implement security headers such as X-Content-Type-Options, X-Frame-Options, and Referrer-Policy to enhance web application security.

Insecure Deserialization

Insecure Deserialization is a security vulnerability that allows attackers to manipulate serialized objects to execute arbitrary code, escalate privileges, or perform denial-of-service attacks. Insecure Deserialization attacks can be used to bypass authentication, execute remote code, or tamper with data. There are two main types of Insecure Deserialization attacks:

  1. Object Instantiation: Object Instantiation occurs when an attacker manipulates serialized objects to create instances of unauthorized classes or execute arbitrary code.
  2. Data Tampering: Data Tampering occurs when an attacker manipulates serialized objects to modify data, escalate privileges, or perform other malicious actions.

PHP Example

class Example {
    public $data;
    public function __wakeup()
    {
        eval($this->data);
    }
}

$serialized = 'O:7:"Example":1:{s:4:"data";s:10:"phpinfo();";}';
$object = unserialize($serialized);

NATIONAL VULNERABILITY DATABASE

The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.

CVE-2024-2961

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

iconv -l | grep -E 'CN-?EXT'

Solution

Comment out the CN-EXT line in the /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf file and sudo iconvconfig to regenerate the cache.