
Web Security: Different Web Application Attacks Client Side Attack

Web applications are susceptible to various attacks targeting the web server, database server, and web browser. Client-side attacks include content spoofing where malicious hackers create fake websites to steal user information, and cross-site scripting where malicious code is executed in the user's browser. Content spoofing is a threat because it is difficult to track attackers and victims can lose confidential information. Countermeasures include educating users and using antivirus software.

Web Security

Lecture 
Different Web Application Attacks
Client side attack
Web application architecture

A web system consists of:

- A web browser at the user end.
- The user is connected to the web application through the internet.
- The web server receives requests from the browser, processes them and passes the dynamic part to the application server.
- All requests for database access are passed to the database server.
- The results are shipped back to the web browser.
Different attacks

Web applications are subjected to various attacks, targeting:

- the web server
- the database server
- the web browser.

- Web browsers are targeted by hackers through content spoofing, cross site scripting and session fixation attacks.
- Server side systems, consisting of the web server and the database server, are subjected to different kinds of attack, for instance path traversal, denial of service attacks, SQL injection and XPath injection.
Different attacks
Client side attack

Content Spoofing:
- Malicious hackers create a fake website that looks similar to the original one, to make the user believe that the site is legitimate.
- The attacker then sends specially crafted links through email to the user.
- These links make the user believe that the content is coming from a trusted website, but in fact it comes from an external source. This is sometimes also called phishing.
Example
- Content spoofing can be done if a web page is dynamically generated using frames.
- The location of the frame can be specified by a URL parameter value.
- The attacker can change this value to take the user to a different web page.
- If the original URL is:
  http://abc.example/page?frame_src=http://abc.example/file.html
- the attacker would replace the frame_src parameter to take the user to a different link:
  http://abc.example/page?frame_src=http://attacker.example/foreign.html
- The user would believe that the content is coming from the original domain, but in fact he is directed to the attacker's system.
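The defence on the server side is to never place the frame_src value in the page as received. The following is an added example, not code from the lecture: it parses the page URL, reads frame_src and only keeps it when it is a site-relative path or an absolute http(s) URL whose hostname is on an allow-list; anything else falls back to a default page. The allow-list ALLOWED_FRAME_HOSTS, the DEFAULT_FRAME_SRC fallback and both function names are assumptions made for the example. It also goes slightly beyond the lecture's two URLs by rejecting scheme-relative URLs, backslashes and userinfo tricks, which a plain substring check would miss.

```python
from urllib.parse import parse_qs, urlparse

# Hypothetical allow-list of hosts that the page is permitted to frame.
# Only the site's own host is listed, matching the lecture's abc.example.
ALLOWED_FRAME_HOSTS = {"abc.example"}

# Hypothetical fallback shown when the supplied frame_src is rejected.
DEFAULT_FRAME_SRC = "http://abc.example/file.html"


def is_allowed_frame_src(frame_src: str) -> bool:
    """Return True only if frame_src points at an allowed location.

    Accepts a site-relative path (/file.html) or an absolute http(s) URL whose
    hostname is on the allow-list. Everything else is rejected, including
    scheme-relative URLs (//attacker.example/x), non-http schemes and URLs
    that put a trusted name in the userinfo part
    (http://abc.example@attacker.example/).
    """
    if "\\" in frame_src:
        # Some browsers treat a backslash like a slash, so "/\attacker.example"
        # could be read as scheme-relative; refuse it outright.
        return False
    parsed = urlparse(frame_src)
    if parsed.scheme == "" and parsed.netloc == "":
        # Site-relative path: stays on the original origin.
        return frame_src.startswith("/") and not frame_src.startswith("//")
    if parsed.scheme not in ("http", "https"):
        return False
    host = parsed.hostname  # hostname, not netloc, so userinfo and port are ignored
    return host is not None and host.lower() in ALLOWED_FRAME_HOSTS


def resolve_frame_src(page_url: str) -> str:
    """Read the frame_src query parameter from the full page URL and return the
    URL that should actually be placed in the frame. A missing, repeated or
    disallowed value yields DEFAULT_FRAME_SRC instead of whatever was supplied."""
    values = parse_qs(urlparse(page_url).query).get("frame_src", [])
    if len(values) != 1:
        return DEFAULT_FRAME_SRC
    candidate = values[0]
    return candidate if is_allowed_frame_src(candidate) else DEFAULT_FRAME_SRC


if __name__ == "__main__":
    # The two URLs from the lecture: the legitimate one passes, the spoofed one
    # is replaced by the default.
    for url in (
        "http://abc.example/page?frame_src=http://abc.example/file.html",
        "http://abc.example/page?frame_src=http://attacker.example/foreign.html",
    ):
        print(url, "->", resolve_frame_src(url))
```

The check is on the parsed hostname rather than on the raw string, so a value that merely contains the trusted name somewhere (as a prefix, in the userinfo part or in a subdomain of the attacker's host) is still rejected.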
Example
Content Spoofing:

Threats
- Victims can lose confidential information to the attacker, like bank account numbers, credit card numbers etc.
- It is difficult to track the attacker: they collect information for 2-3 days and then close the site, making them hard to trace.
- Sometimes they are present in third countries, so it is difficult to arrest them.
Countermeasures:
- Educating users to directly type the URL of the bank rather than clicking on links in email, and not to respond to email with HTML embedded forms.
- Making them aware of HTTPS in the address bar, the SSL padlock icon and the SSL certificate, which are used for authenticity.
- Using antivirus software to filter spam.
- Disabling HTML functionality of email.
Client side attack

Cross site scripting (XSS):
- Malicious code is executed in the user's browser; it is usually written in VBScript, ActiveX, Java etc.
- The code is echoed by the web site to the user's browser; it is placed in the web site by the attacker using message boards, bulletins etc.
- When these pages are viewed by a user, the script present in the messages is executed at the user's end.
- These scripts may read, modify or transmit data accessible by the client's browser.
