Internet Web Application Architecture
Web application security is an integral part in the successful deployment of a web-based environment. Operating in user-space, web applications are not adequately protected by traditional security appliances such as firewalls and intrusion detection or protection systems which work at the network layer. A successful web application attack can bypass the security protection offered by these appliances.
The trend towards increasing interaction between the application and the end-user continues with the advent of Web Services and SOAP or XML based applications which use a range of technologies that are highly interactive and aim to enhance the user experience.
Many web applications are built on frameworks such as J2EE and ASP.NET. These are the most frequently seen, but many other frameworks are in use, and the tools and techniques of a security assessment are largely generic and apply across these various development, hosting and operating environments.
Whenever a user interacts with an application there is an opportunity for the application and its information to be compromised. Often a web application is the only thing standing between an attacker and sensitive business information; web applications currently account for 60-70% of attacks.
Depending on the functionality offered by a web application an attacker may be able to:
- View or manipulate sensitive information.
- Obtain unauthorised access to an application.
- Be able to take control of the application environment.
Common web application Software Development Life Cycle (SDLC) security issues
- Poor security and compliance requirements definition.
- Inadequate IT Security involvement during definition, design, testing and review.
- Inadequate development team knowledge of application security threats and secure development principles.
- Inadequate security controls throughout the SDLC e.g. threat assessments, change management, testing.
- Inadequate security testing during development.
- Bespoke and rapid development of web applications.
- Inadequate independent and qualified security assessments.
Internet Web Application Security Testing Frameworks
The Open Web Application Security Project (OWASP) aims to become the industry standard for effective web application security. It is an open source initiative maintained and developed by information security professionals; it promotes research into new web-based vulnerabilities and provides a repository of tools and methodologies for conducting web application security assessments.
The OWASP list sets a minimum security baseline for web applications and names the web-based vulnerabilities that attackers actively seek and exploit. According to OWASP, the ten most commonly seen web application security vulnerabilities can be summarised as follows:
1 – Cross Site Scripting (XSS): XSS flaws occur when an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.
2 – Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker’s hostile data tricks the interpreter into executing unintended commands or changing data.
3 – Malicious File Execution: Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts file names or files from users.
4 – Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to get access to other objects without authorization.
5 – Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim’s browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim’s browser to do a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.
6 – Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks.
7 – Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users’ identities.
8 – Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
9 – Insecure Communications: Applications often fail to encrypt network traffic when it is necessary to protect sensitive communications.
10 – Failure to Restrict URL Access: Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to do unauthorized operations by accessing those URLs directly.
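The first two items in the list (XSS and injection flaws) share one root cause: user-supplied data reaches an interpreter, whether a browser or a database, without being separated from the command it sits in. The example below is added here to show that point in working code and is not part of the original page or of any OWASP material; it uses Python's standard library only, with a constructed in-memory SQLite table standing in for an application's user store. The vulnerable and hardened forms of each function sit side by side so the difference is visible.

```python
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a small user table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    conn.commit()
    return conn


def find_secrets_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Injection flaw: the input is concatenated into the query text, so the
    database cannot tell where the data ends and the command begins."""
    sql = f"SELECT secret FROM users WHERE name = '{name}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_secrets_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the query text is fixed and the value travels as a bound
    parameter, so it can only ever be compared as data."""
    sql = "SELECT secret FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_greeting_vulnerable(name: str) -> str:
    """XSS flaw: user-supplied text is written into HTML without encoding, so
    any markup or script it contains is interpreted by the browser."""
    return f"<p>Hello, {name}</p>"


def render_greeting_hardened(name: str) -> str:
    """Hardened form: html.escape converts <, >, &, \" and ' into entities, so
    the browser renders the input as text rather than as markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    conn = build_db()
    probe = "' OR '1'='1"  # constructed input that alters the query in the vulnerable form
    print("vulnerable:", find_secrets_vulnerable(conn, probe))
    print("hardened:  ", find_secrets_hardened(conn, probe))
    print(render_greeting_hardened("<script>alert(1)</script>"))
```

The same pattern applies to every interpreter an application talks to: keep the command fixed, pass the data through the interpreter's own parameter or encoding mechanism, and never rebuild the command by string concatenation.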
Internet Web Application Security Testing
Web application security assessments are a ‘point in time’ exercise; they should be regular and form part of an ongoing assurance process. Assessments should complement other activities such as vulnerability and patch management, and any security review needs to be put in the context of business value and risk.
A web application vulnerability assessment report based on the output of automated tools often does not supply enough context to give a clear indication of risk. Web application security reviews should be undertaken by experienced web application testers as the technology and attack vectors evolve rapidly.
Application Mapping: By configuring a browser to use a web proxy tool the web application can be traversed to enumerate the functionality offered by the application. The proxy can then take over the role of spidering the content of the application to give a map of the application and find the content and paths within the site.
Server Mapping: Web and application servers often have default directories, sample applications, administrative areas and other potentially vulnerable content which attempts can be made to find. The web application server may have administrative areas which relate to the content serving and hosting functionality and not application specific administrative access.
It is possible that identified administrative functionality may be accessible through default credentials. There may also be default content installed on the server that is not a part of the application and may be susceptible to vulnerabilities that could be leveraged against the application.
Application Analysis: The entry points within the application where user supplied content is accepted and processed are the key elements for assessment of the input validation applied to this content.
Application Technology: The architecture of web applications often uses a mix of technologies on both the client and server sides. These technologies have their own attack vectors and methods for identifying them; they form components of the overall architecture and cover areas including scripting, application platforms and database interaction.
Client Side Validation: Any input parameters sent to the application from the client side are subject to change by the tester. These parameters could include cookies, function parameters or hidden form fields; they can be identified by monitoring the proxy and manipulated client-side. The effects of such changes can help the tester determine which vectors may be susceptible and result in improper handling by the application logic.
User Authentication: There will often be an authentication role in a web application which needs users to give valid credentials to use application functionality. This process is a key area for investigation to find if the tester can bypass authentication or assume the identity of another user of the system.
This ability to assume the role of another user can be seen as a form of horizontal escalation, in that the tester's actions are attributed to the identity being abused. Another form of authentication manipulation is vertical privilege escalation, where the tester uses a set of user-level credentials to assume the identity of a higher-level user such as an application administrator.
The ability to re-use a session token without having to re-authenticate to the system may offer avenues for investigation relating to cookie capture and session re-use. There are other vectors including session fixation whereby a tester could start a session and pass that to a valid user and gain access assuming the identity of that user.
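The session fixation vector described above, and the CSRF item (#5) in the OWASP list earlier, are both mitigated by how the application manages its session state. The example below is added here to show the two controls together and is not part of the original page: it is a constructed in-memory session store that rotates the session token on login (so a token known before authentication is worthless afterwards) and binds a synchronizer token to the authenticated session for CSRF checks. The class and method names are assumptions made for this example.

```python
import hmac
import secrets


class SessionStore:
    """Constructed in-memory session store: token -> {"user", "csrf"}."""

    def __init__(self) -> None:
        self._sessions = {}

    def start_anonymous(self) -> str:
        """A pre-authentication session, created when a visitor first arrives."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": None, "csrf": secrets.token_urlsafe(32)}
        return token

    def login_vulnerable(self, token: str, user: str) -> str:
        """Keeps the pre-authentication token after login. If that token was
        planted in the victim's browser (session fixation), whoever planted it
        now holds an authenticated session."""
        self._sessions[token]["user"] = user
        return token

    def login_hardened(self, token: str, user: str) -> str:
        """Discards the old token and issues a fresh one bound to the user, so
        any token known before login no longer identifies anyone."""
        self._sessions.pop(token, None)
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return new_token

    def user_for(self, token: str):
        """The user the token identifies, or None if it is unknown or anonymous."""
        entry = self._sessions.get(token)
        return entry["user"] if entry else None

    def csrf_token(self, token: str) -> str:
        """The synchronizer token the application embeds in its own forms."""
        return self._sessions[token]["csrf"]

    def verify_csrf(self, token: str, submitted: str) -> bool:
        """Synchronizer-token check for a state-changing request: the posted
        value must match the one bound to the session. A forged cross-site
        request cannot read the victim's page, so it cannot supply it."""
        entry = self._sessions.get(token)
        if entry is None or entry["user"] is None:
            return False
        return hmac.compare_digest(entry["csrf"], submitted)


def fixation_survives_login(hardened: bool) -> bool:
    """True if a token known before login still identifies the user after it."""
    store = SessionStore()
    planted = store.start_anonymous()  # token an attacker could have planted pre-login
    if hardened:
        store.login_hardened(planted, "alice")
    else:
        store.login_vulnerable(planted, "alice")
    return store.user_for(planted) == "alice"


if __name__ == "__main__":
    print("vulnerable login, planted token still valid:", fixation_survives_login(False))
    print("hardened login, planted token still valid:  ", fixation_survives_login(True))
```

During an assessment the observable signal is simple: capture the session cookie before and after a successful login, and if the value is unchanged the application is a candidate for fixation. Likewise, a state-changing request that succeeds when replayed without the form's token indicates the CSRF check is absent.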
Application Logic: The function flow and application logic of a web application can be investigated to see if it is possible to subvert the expected path through the application by performing functions out of order and seeing if the application enforces a logical path to make sure that a series of actions are carried out in a particular order as defined by the business logic.
Input Validation: All user input should be subject to validation at the application level. The effectiveness of that validation can be tested by substituting expected input with unexpected characters. A possible aim would be to supply queries to be executed by a backend database server (SQL injection) or script to be executed in the context of a browser (persistent or non-persistent Cross Site Scripting, XSS). Other avenues may include operating system command injection, web server directory traversal and local or remote file inclusion.
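The remaining input validation avenues named above, operating system command injection and directory traversal (the local file inclusion case), are handled by the added example below, which is not part of the original page. It uses only the Python standard library; the directory name, the username policy and the host-name pattern are assumptions made for this example, and no command is actually executed, the hardened function only builds the argument list that would be handed to subprocess.run without a shell.

```python
import os
import re

# Allow-list for a username field (constructed policy: 3-32 word characters).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")

# Allow-list for a host name parameter (constructed: DNS-style characters only).
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def validate_username(value: str) -> bool:
    """Allow-list validation: accept only what a username may contain, rather
    than trying to block every character that could be harmful."""
    return USERNAME_RE.fullmatch(value) is not None


def safe_join(base_dir: str, user_path: str):
    """Resolve a user-supplied file name under base_dir.

    Returns the resolved path, or None if normalisation (.., symlinks, an
    absolute path) would place it outside base_dir, which is the
    directory traversal / local file inclusion case."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def ping_command_vulnerable(host: str) -> str:
    """Command injection flaw: a single string destined for a shell, so any
    shell metacharacter in host becomes part of the command line."""
    return f"ping -c 1 {host}"


def ping_command_hardened(host: str) -> list:
    """Hardened form: validate against an allow-list, then build an argument
    list for subprocess.run(args) with the default shell=False, so host is
    always passed as one argument and never parsed by a shell."""
    if HOST_RE.fullmatch(host) is None:
        raise ValueError("invalid host name")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    print(validate_username("alice_01"), validate_username("alice; drop"))
    print(safe_join("/tmp/app-uploads", "report.txt"))
    print(safe_join("/tmp/app-uploads", "../../etc/passwd"))
    print(ping_command_hardened("example.com"))
```

Two details matter in `safe_join`: both paths go through `realpath` so symbolic links are resolved before the comparison, and `commonpath` rather than a string prefix test is used, so a sibling directory whose name merely starts with the base name is still rejected.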
3rd Party Applications: These may take the form of an add-in to the application to offer more functionality or may be in the shape of other applications residing on the same platform that are unrelated but share common technologies. These can be investigated to see if they have an impact on the primary application or could be used as a method for gaining access due to any vulnerabilities in their configuration which may offer a jump point into the application being tested.
Indimon Internet Services
Indimon Internet Services has the necessary experience and knowledge to do complex, in-depth internet web application security tests. These tests give clients an accurate view of known weaknesses and identified vulnerabilities in their internet web applications. This process assists the client by providing the information they need to decide which steps can be taken to improve or enhance the security stance of their internet web applications.