Web Application Security consists of several security controls that ensure that a web application:
- Functions as expected.
- Cannot be exploited to operate outside its intended boundaries.
- Cannot initiate operations that should not be performed.
Web applications have become ubiquitous since the expansion of Web 2.0, with social media platforms, e-commerce websites, and email clients filling the internet in recent years.
As applications use and store even more sensitive and comprehensive data, they become more attractive targets for attackers.
Common Methods of Attack
The three most common vulnerabilities in this space are Injections (SQL, Remote Code), Cryptographic Failures (previously sensitive data exposure), and Broken Access Control (BAC). Today, we will focus on Injections and Broken Access Control.
SQL databases are the most common database software in use, and they host large amounts of payment data, PII, and internal business records.
SQL Injection is an attack that uses malicious SQL code for backend database manipulation to access information that is not intended to be displayed.
The starting point for this, is a command like the one below:
This will return ALL rows from the “Users” table, because OR 1=1 is always TRUE. By extension, the same method will also return any passwords stored in that table.
Imagine an attack like this carried out against a large social media company, or a large e-commerce business, and one can begin to see how much sensitive data can be obtained with just one command.
Broken Access Control
Broken Access Control (BAC) has moved up the OWASP Top Ten from fifth place to the most common web application security risk. The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category in the data OWASP collected for its most recent Top Ten.
The most common types of BAC are vertical and horizontal privilege escalation. Vertical privilege escalation occurs when a user can elevate their privileges and perform actions they should not be permitted to perform.
An example is CVE-2019-0211, an Apache local privilege escalation. This critical vulnerability, disclosed in 2019, affects Apache HTTP Server running on Unix systems, especially those using the prefork, worker, and event multi-processing modules (MPMs).
It allows an attacker who can already run code in an unprivileged worker process (for example, a script on a shared host) to gain root access and compromise shared hosting services. Exploiting the flaw requires manipulating shared-memory regions used by Apache worker processes, which must be done before an Apache graceful restart.
Below is a screenshot of the POC code. As one can see, a level of technical ability is required in this area; however, vertical privilege escalation can occur far more easily when a user’s permissions are over-authorized, or are not revoked when they leave a business.
This brings us back to the principle of least privilege, a ubiquitous term found throughout the IT world, which is now becoming more common as we realize how important web applications have become.
Horizontal Privilege Escalation is when a user gains access to data they shouldn’t otherwise have access to, but that data is held at the same level as their own permissions. This can be seen by a standard user accessing the data of another standard user. Although it is not allowed, the privileges do not rise vertically, but spread horizontally. This is sometimes seen as more dangerous, because it happens without raising any alert in the security systems.
As BAC has declined over the past two years, it is important to note:
- Relying only on obfuscation is not an adequate access control method.
- If a resource is not intended to be publicly accessible, it should be inaccessible by default.
- Developers should clearly specify allowed access for each resource at the code level, with deny access as the default setting.
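The three points above, deny by default, explicit allowed access per resource, and no reliance on hidden identifiers, can be written down directly as an authorization check. The Python below is an added example, not code from the original article or from SecurityHQ; the User class, the RECORDS table, the ALLOWED_ROLES allow-list and the record identifiers are all constructed for illustration. It covers both escalation types described earlier: the role check blocks vertical escalation (a standard user trying an admin-only action) and the ownership check blocks horizontal escalation (a standard user reading another standard user's record by supplying its id).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin" (constructed roles for this example)


# Constructed sample data, not from the article: each record belongs to one owner.
# The record id is the kind of value that typically arrives in a URL and is therefore
# attacker-controlled; hiding it is obfuscation, not access control.
RECORDS = {
    1: {"owner_id": 100, "body": "order history for user 100"},
    2: {"owner_id": 200, "body": "order history for user 200"},
}

# Explicit allow-list per (resource, action). Anything absent from this table is denied,
# so a new endpoint that forgets to register itself is closed rather than open.
ALLOWED_ROLES = {
    ("record", "read"): {"user", "admin"},
    ("record", "delete"): {"admin"},
}


class AccessDenied(Exception):
    pass


def is_allowed(user: User, resource: str, action: str, record_id: int) -> bool:
    """Deny-by-default authorization: a role check and an object-ownership check."""
    record = RECORDS.get(record_id)
    if record is None:
        return False  # unknown object: deny, and do not reveal whether it exists
    if user.role not in ALLOWED_ROLES.get((resource, action), set()):
        return False  # vertical: this role may not perform the action at all
    if user.role != "admin" and record["owner_id"] != user.user_id:
        return False  # horizontal: same privilege level, but not the owner
    return True


def read_record(user: User, record_id: int) -> str:
    """Handler-style wrapper: the check happens before any data is touched."""
    if not is_allowed(user, "record", "read", record_id):
        raise AccessDenied(f"user {user.user_id} may not read record {record_id}")
    return RECORDS[record_id]["body"]


if __name__ == "__main__":
    alice = User(user_id=100, role="user")
    print(read_record(alice, 1))            # owner reading their own record
    try:
        read_record(alice, 2)               # horizontal escalation attempt
    except AccessDenied as exc:
        print("denied:", exc)
```

Note that the check returns the same result for a record that does not exist and for a record the caller may not see; a handler built on it can answer both cases identically, so callers cannot probe which identifiers are valid.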
Best Practices – Read between the Lines (of the code!)
To maintain security, developers must validate incoming data, use parameterized queries when interacting with databases, and apply effective session management techniques to protect sensitive data. Most of these rely not only on the security of web browsers but also on the back-end security of the web servers that deliver web content, which leads to a division of web security duties.
The biggest problem that arises here is that, while Web Application Firewalls (WAFs) can reduce these risks, most of the responsibility for the safe implementation of the web site lies at the feet of the developers who put it together. Cybersecurity can often be an afterthought when functionality is prioritized.
Practical Example – Input Validation
Input Validation is the simplest and most effective way to implement secure coding, in this example to prevent SQL injection.
- User Input: The user provides input, for example:
- Sanitization: User input is not inserted directly into the SQL query. It is sanitized and treated as data, not as SQL code.
- Query Execution: SQL query is executed with user input as parameter:
- As such, the query enters the backend as below:
In this code, (user_input,) is a tuple containing the user’s input. The database driver takes care of escaping and properly handling this input. This ensures that the input is treated as a data value, not executable SQL code.
If the user input contains malicious code, such as “105 or 1=1,” it is not executed as SQL. Instead, it is treated as a value that is compared to the UserId in the database.
The database driver automatically handles escaping input, preventing it from affecting the structure of the SQL query or introducing security vulnerabilities.
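The two behaviours described on this page, the concatenated query that returns every row once OR 1=1 is appended, and the parameterized query that compares the same text against UserId as a plain value, can be run side by side. The Python below is an added example, not code from the original article or from SecurityHQ; it uses the standard-library sqlite3 driver with an in-memory Users table whose rows are constructed for illustration. The DB-API placeholder syntax is driver-specific (sqlite3 uses ?, other drivers use %s), but the (user_input,) tuple form matches the one the article describes. A third function puts input validation in front of the parameterized query, so that anything that is not a positive integer id is rejected before it reaches the database at all.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory Users table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Name TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [(105, "alice", "hash-1"), (106, "bob", "hash-2"), (107, "carol", "hash-3")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    """The anti-pattern: the input becomes part of the SQL text itself."""
    query = "SELECT UserId, Name FROM Users WHERE UserId = " + user_input
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_input) -> list:
    """The fix: a placeholder in the query, the value passed separately as a tuple.

    The driver binds user_input as a value; it can never change the query structure.
    """
    query = "SELECT UserId, Name FROM Users WHERE UserId = ?"
    return conn.execute(query, (user_input,)).fetchall()


def lookup_validated(conn: sqlite3.Connection, user_input: str) -> list:
    """Input validation in front of the parameterized query: only integer ids get through."""
    if not user_input.isdigit():
        raise ValueError("UserId must be a positive integer")
    return lookup_parameterized(conn, int(user_input))


if __name__ == "__main__":
    conn = make_db()
    injected = "105 OR 1=1"
    print("concatenated:  ", lookup_vulnerable(conn, injected))      # every row comes back
    print("parameterized: ", lookup_parameterized(conn, injected))   # compared as a value: no match
    print("validated:     ", lookup_validated(conn, "105"))          # [(105, 'alice')]
```

Only the first function lets the input alter the WHERE clause. In the parameterized form the whole string “105 OR 1=1” is compared against the integer column and matches nothing, and the validated form refuses it before a query is ever issued, which is also the form that produces a clean, loggable rejection for detection purposes.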
Web Application Firewalls (WAFs)
A WAF operates at layer 7 of the OSI model and acts as a reverse proxy, ensuring that client traffic passes through the WAF before reaching the backend server. WAF rules or policies protect against documented vulnerabilities in these backend servers and filter malicious traffic.
There is a plethora of WAFs on the market, and all of them can provide a strong defense against newer attacks and contribute well to a defense-in-depth approach; however, it is the practice of secure coding that ensures the foundations of the web application are safe and will not fall victim to more complex or new attacks in the future.
WAFs are currently moving towards a hybrid security model that uses behavioral analysis technologies to detect malicious threats, and to further mitigate the threat of more advanced ‘bots’, which are used for low-effort attacks on websites.
The main disadvantage of using a WAF, besides the increased latency and HTTP overhead, is that a WAF can be bypassed by using a 0-day exploit against a web application. Safe coding and proper sanitization reduce this risk more effectively than offloading all web application security onto the WAF. It is important to remember that a WAF is only one layer of security, and not the entire solution.
Incident Response and Remediation
SecurityHQ’s suggestions to reduce attacks:
- Using a WAF as a first line of defense is essential to ensure the business can defend against multiple attacks.
- Make sure that the most recent and stable standard algorithms and protocols are used; this should be paired with proper key management.
- Encrypt data in transit using secure protocols such as TLS with forward secrecy (FS) ciphers, server cipher prioritization. Enforce encryption using directives such as HTTP Strict Transport Security (HSTS).
- Enable bot management strategies on websites and have a documented incident response plan.
- Ensure secure development practices are in place, with a documented process for testing new features of web applications and ensuring input validation is deployed.
- This should be accompanied by enforcing the principle of least privilege.
Note: This article was expertly written by Tim Chambers, Senior Cyber Security Manager at SecurityHQ