Unit 7

Web Application and Data Base Security

Web Application Security
• Web application security is the practice of protecting
websites, applications, and APIs from attacks. It is a
broad discipline, but its ultimate aims are keeping web
applications functioning smoothly
and protecting business from cyber vandalism, data
theft, unethical competition, and other negative
consequences.
• The global nature of the Internet exposes web
applications and APIs to attacks from many locations
and various levels of scale and complexity. As such, web
application security encompasses a variety of strategies
and covers many parts of the software supply chain.
What are common web application security risks?

• Zero-day vulnerabilities: These are vulnerabilities unknown to an

application’s makers, and which thus do not have a fix available. We now
see more than 20,000 zero-day vulnerabilities every year. Attacks look to
exploit these vulnerabilities quickly, and often follow up by seeking to
evade protections put in place by security vendors.
• Cross site scripting (XSS): XSS is a vulnerability that allows an attacker
to inject client-side scripts into a webpage in order to access important
information directly, impersonate the user, or trick the user into revealing
important information. Learn more about how to prevent XSS attacks.
• SQL injection (SQLi):SQLi is a method by which an attacker exploits
vulnerabilities in the way a database executes search queries. Attackers
use SQi to gain access to unauthorized information, modify or create new
user permissions, or otherwise manipulate or destroy sensitive data. Learn
more about how to prevent SQL injections.
• Denial-of-service (DoS) and distributed denial-of-service (DDoS)
attacks: Through a variety of vectors, attackers are able to overload a
targeted server or its surrounding infrastructure with different types of
attack traffic. When a server is no longer able to effectively process
incoming requests, it begins to behave sluggishly and eventually deny
service to incoming requests from legitimate users.
• Memory corruption: Memory corruption occurs when a location in
memory is unintentionally modified, resulting in the potential for
unexpected behavior in the software. Bad actors will attempt to sniff out
and exploit memory corruption through exploits such as code injections or
buffer overflow attacks.
• Buffer overflow: Buffer overflow is an anomaly that occurs when software
writing data to a defined space in memory known as a buffer. Overflowing
the buffer’s capacity results in adjacent memory locations being
overwritten with data. This behavior can be exploited to inject malicious
code into memory, potentially creating a vulnerability in the targeted
machine.
• Cross-site request forgery (CSRF): Cross site request
forgery involves tricking a victim into making a request that
utilizes their authentication or authorization. By leveraging
the account privileges of a user, an attacker is able to send a
request masquerading as the user. Once a user’s account has
been compromised, the attacker can exfiltrate, destroy or
modify important information. Highly privileged accounts such
as administrators or executives are commonly targeted.
• Credential stuffing: Attackers may use bots to quickly input
large numbers of stolen username and password
combinations into a web application’s login portal.
If credential stuffing gives the attacker access to a real user’s
account, they may steal the user’s data or make fraudulent
purchases in the user’s name.
• age scraping: Attackers may also use bots to steal content from
webpages on a large scale. They may use this content to gain a
pricing advantage over a competitor, imitate the page owner for
malicious purposes, or other reasons.
• API abuse: APIs, or Application Programming Interfaces, are
software that allow two applications to communicate with each
other. Like any type of software, they may have vulnerabilities that
allow attackers to send malicious code into one of the applications
or intercept sensitive data as it moves from one application to
another. This is an increasingly common attack type as API use
increases. The OWASP API Top ten list succinctly summarized key
API security risks organizations face today.
• Shadow APIs: Development teams work quickly to meet business
objectives, frequently building and publishing APIs without
informing security teams. These unknown APIs may expose
sensitive company data, operating in the “shadows” as security
teams tasked with protecting APIs are unaware of their existence.
• Third-party code abuse: Many modern web applications use
a variety of third-party tools — for example, an ecommerce
site using a third-party payment processing tool. If attackers
find a vulnerability in one of these tools, they may be able to
compromise the tool, and steal the data it processes, prevent it
from functioning, or use it to inject malicious code elsewhere in
the application. Magecart attacks, which skim credit card data
from payment processors, are an example of this attack type.
These attacks are also considered to be browser supply chain
attacks.
• Attack surface misconfigurations: An organization’s attack
surface is its entire IT footprint that could be susceptible to
cyberattacks: servers, devices, SaaS, and cloud assets that are
accessible from the Internet. This attack surface can remain
vulnerable to attack due to certain elements being overlooked
or misconfigured.
 What are important web application security
strategies?
• DDoS mitigation: DDoS mitigation services sit between a server and the
public Internet, using specialized filtration and extremely high bandwidth
capacity to prevent surges of malicious traffic from overwhelming the server.
These services are important because many modern DDoS attacks deliver
enough malicious traffic to overwhelm even the most resilient servers.

• Web Application Firewall (WAF): Which filter out traffic known or

suspected to be taking advantage of web application vulnerabilities. WAFs
are important because new vulnerabilities emerge too quickly and quietly for
nearly all organizations to catch on their own.

• API gateways: Which help identify overlooked ‘shadow APIs,’ and block
traffic known or suspected to target API vulnerabilities. They also help
manage and monitor API traffic.
• DNSSEC: A protocol which guarantees a web
application’s DNS traffic is safely routed to the correct
servers, so users are are not intercepted by an on-path
attacker.
• Encryption certificate management: In which a third
party manages key elements of the SSL/TLS encryption
process, such as generating private keys, renewing
certificates, and revoking certificates due to
vulnerabilities. This removes the risk of those elements
going overlooked and exposing private traffic.
• Bot management: Which uses machine learning and
other specialized detection methods to distinguish
automated traffic from human users, and prevent the
former from accessing a web application.
• Client-side security: Which checks for new third-party
JavaScript dependencies and third-party code changes,
helping organizations catch malicious activity sooner.
• Attack surface management: actionable attack
surface management tools should provide a single place
to map your attack surface, identify potential security
risks, and mitigate risks with a few clicks.
What application security best practices should
organizations expect from their vendors?

• Requiring input validation: Blocking improperly formatted data

from passing through the application’s workflows helps prevent
malicious code from entering the application via an injection
attack.
• Using up-to-date encryption: Storing user data in an encrypted
fashion, along with using HTTPS to encrypt transmission of inbound
and outbound traffic, helps prevent attackers from stealing data.
• Offering strong authentication and authorization: Building in and
enforcing controls for strong passwords, offering multi-factor
authentication options including hard keys, offering access control
options, and other practices make it harder for attackers to
fraudulently access user accounts and move laterally within your
application.
What application security best practices should
organizations expect from their vendors?

• Keeping track of APIs: Tools exist to identify

overlooked ‘shadow APIs’ that could constitute an
attack surface, but API security becomes easier when
APIs never get overlooked in the first place.
• Documenting code changes: Which helps security
and developer teams fix newly introduced
vulnerabilities sooner.
Ethical Considerations and Legal
Implications:
• Seeking out web vulnerabilities should only be done ethically and
legally. Unauthorized testing of websites or web applications, even
with good intentions (like discovering a flaw), is illegal and can lead
to serious consequences, such as criminal charges or lawsuits.
• Responsible and Legal Approaches:
• Penetration Testing: This is typically done with explicit permission
from the website or organization to test for vulnerabilities.
• Bug Bounty Programs: Many companies run legal programs
where security researchers can search for vulnerabilities in
exchange for rewards.
• Security Audits: Conducting security assessments on behalf of
clients or as part of a compliance process.
Tools for Seeking Web
Vulnerabilities:
• Burp Suite: A powerful tool for inspecting, modifying, and
scanning web traffic to identify vulnerabilities.
• OWASP ZAP: An open-source web application security scanner
for identifying common web vulnerabilities.
• Nikto: A web server scanner that checks for various
vulnerabilities like outdated software and insecure configurations.
• SQLmap: An automatic tool for detecting and exploiting SQL
injection vulnerabilities.
• Acunetix: A commercial web application security scanner.
• Wapiti: A web vulnerability scanner that detects various types of
vulnerabilities like XSS, SQLi, and more.
What is Directory Traversal?

• Directory traversal, also known as path traversal or

directory climbing, is a vulnerability in a web application
server caused by a HTTP exploit.
• The exploit allows an attacker to access restricted
directories, execute commands, and view data outside
of the web root folder where application content is
stored.
• By manipulating input parameters or file paths, an
attacker can navigate through the file system and gain
unauthorized access to sensitive files or directories.
 How Does Directory Traversal Work?
• Directory traversal attacks manipulate variables that
reference file paths within web applications. The
attacker modifies the path variables to move upwards in
the directory structure or to traverse to different
directories. This is typically done using specific
sequences like `../` or `..\` in Unix and Windows
systems, respectively.
• An attacker might use the sequences in a URL or input
field in an attempt to trick the server into returning a
file from outside of the document’s root directory.
• Requesting a URL like the example above attempts to
have the server return a sensitive system file.
• Attacks stemming from directory traversal can be
damaging if they’re used to display system files or
download sensitive information. It can allow an attacker
to view, edit, or execute arbitrary files on the server’s
file system, leading to a potential compromise of the
server.
What’s the Difference Between Local File Inclusion
and Directory Traversal?

• Local File Inclusion (LFI) allows an attacker to include a file,

usually exploiting a script on the server, and execute it from a
local directory within the server. This vulnerability occurs when a
web application uses unsanitized user input to construct a file
path for execution. LFI allows the execution of scripts, which
could potentially lead to a full system compromise.
• Directory Traversal attacks, or path traversal, aim to access
files in a directory that the attacker should not have access to by
manipulating variables that reference file paths. The attacker
doesn’t necessarily need to execute a file, as the main goal is to
read sensitive files to gather data. This type of attack is often
used to gather information to inform future attacks.
Example of a Directory Traversal
Attack
• In this example, imagine a simple web application that
allows users to view an image file. The application
might use a query parameter to determine which file to
display.
• For example, a URL might look like
`http://website.com/view?file=logo.png`.

• The server-side code handling this might look

something like this in PHP:
• Under normal circumstances, this would work fine. The
`file` parameter defines which file to display to the
user, so `file=logo.png` would show the logo image.
• However, an attacker could manipulate the `file`
parameter to move up directory levels and access
restricted files. By using the directory traversal
sequence `../`, they can move up one directory.
• If the attacker requests the following URL, they could
view the contents of a sensitive system file containing
user account information.
• The manipulated server-side code would look like this:
• This results in the server navigating to:

After resolving the relative directory `../`, it

points to
• This effectively allows the attacker to view this system
file.
• To prevent such an attack, developers must sanitize all
user inputs and restrict the type of input that can be
processed. By ensuring that all inputs follow a certain
format — such as checking that the input is a valid
filename and does not contain directory traversal
sequences — these vulnerabilities can be effectively
neutralized.
What are the Risks of Directory
Traversal?
• Directory traversal can lead to unauthorized access of sensitive information
stored in files outside of the web root directory. This could include: system
files, configuration files, or even user data. The unauthorized access of
confidential data is a direct breach of privacy and can lead to information theft.
• Attackers can read and also modify or delete critical files, causing serious
system malfunctions or service disruptions. This can lead to significant
downtime, loss of productivity, and even financial loss.
• Successful directory traversal attacks can provide attackers with the ability to
carry out damaging attacks. For instance, gaining access to certain system
files can provide valuable information about the server’s structure,
configuration, and the security measures that are in place. Taken together, this
is information that can be used to construct more sophisticated attacks in the
future.
• Directory traversal is a serious security risk that can lead to the compromise of
privacy, integrity, and availability of web servers and applications.
Tools Used by Attackers to Locate Directory Traversal
Vulnerabilities

1.Burp Suite: This is a comprehensive web application security testing

platform. It includes a variety of tools, including a scanner that can
automatically detect directory traversal and other common vulnerabilities. Its
Intruder tool can also be used to test for traversal vulnerabilities manually.
2.OWASP ZAP (Zed Attack Proxy): This is a free, open-source web
application security scanner developed by the Open Web Application Security
Project (OWASP). It can identify a wide range of vulnerabilities, including
directory traversal.
3.Nikto: A server scanner that checks servers for dangerous files, outdated
server software, and other problems. It can also detect directory traversal
vulnerabilities.
4.DotDotPwn: This tool, as its name suggests, is specifically designed to test
for directory traversal vulnerabilities. It operates by sending specially crafted
requests to the server and analyzing the responses.
5. Metasploit: This is a penetration testing framework
that contains modules for testing a wide range of
vulnerabilities, including directory traversal.
6. DirBuster: A tool from OWASP that aims to find
hidden directories and files from servers. It can also help
in finding directory traversal endpoints.
Preventing Directory Traversal
Attacks
1.Input validation: This is the first line of defense against directory
traversal attacks. Ensure all user inputs are validated and sanitized
before they are processed. Reject any suspicious input containing
special characters like `../` or `..\` used in directory traversal.
2.Use of allow lists: Instead of blocking known bad inputs (a
blocklist), it’s more effective allow known, good inputs (an allow
list). For instance, if your application needs to access specific files,
list those files and only allow access to them.
3.Avoid using user input for file operations: If possible, avoid
using user input to access files. If you must, ensure the input is
strongly validated and does not contain directory traversal
sequences.
4. Use of built-in functions to normalize paths: Many
programming languages offer functions that can normalize paths
and remove any directory traversal sequences. For instance, in PHP,
you can use the `realpath()` function, and with JavaScript, the
`getCanonicalPath()` method can be used.
5. Least privilege principle: Ensure applications run with the
least privileges necessary. This can limit a potential directory
traversal attack as the attacker can only gain access to limited
resources.
5. Regular security testing: Test applications regularly for
security vulnerabilities. Tools like Burp Suite, OWASP ZAP, Nikto,
DotDotPwn, Metasploit, and DirBuster can help identify potential
directory traversal vulnerabilities.
6. Incident response: As soon as a breach is detected,
follow an established incident response (IR) plan. This
usually includes isolating the affected system to prevent
further compromise, conducting a thorough investigation
to understand the extent of the breach, and notifying
affected parties and regulatory bodies if necessary.
7. Patch and update systems: Ensure that systems
and applications are using the latest, patched versions.
Developers and vendors often release updates that fix
security vulnerabilities, including directory traversal.
Regular patching can help mitigate the damage from
known vulnerabilities.