Most common Web vulnerabilities
In this article, Divy is going to give a high-level overview of what these kinds of attacks are, how you can find them, and how you can mitigate them.
SQL Injection
SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
In other words, you took user input without checking it, and as a result that input performs malicious activity in your database.
The impact of SQL injection is severe. OWASP guidelines classify it as a P1 vulnerability. It can lead to anything from reading your entire database to destroying it, and even to obtaining an OS shell. In effect, the attacker gains your own rights over your database.
How can we reproduce:
- First, crawl the whole website and find a '?id=x' parameter (where x is an integer).
- Say x=2. Append a single quote (?id=2') and, if the content of that web page changes, then you may have SQL injection.
- Then open your terminal and run: sqlmap --url http://target.com --dbs
Here you are running the program sqlmap, pointing it at a target and asking it to list the databases the website has. If you get the list of databases, then you have just hacked the website.
If you check money before taking it from someone, then why not check user input? That little input can actually destroy your vast database.
So, try to take the value from the server rather than from the user. If taking input from the user is necessary, then sanitize each and every input.
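The same '?id=x' lookup written both ways, as an added example (not from the original article): the vulnerable string-built query that the single-quote probe detects, beside a parameterized and type-checked version. The in-memory table and its rows are constructed for the demo.

```python
import sqlite3


def build_db():
    # Constructed in-memory table standing in for the site's real product database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, internal_note TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "mug", "cost 2.10"), (2, "pen", "cost 0.40")])
    return conn


def lookup_vulnerable(conn, raw_id):
    # The '?id=x' value is spliced straight into the SQL text, so it is parsed as
    # SQL syntax: this is the bug the article's single-quote probe detects.
    return conn.execute(f"SELECT name FROM products WHERE id = {raw_id}").fetchall()


def quote_probe_changes_response(conn, raw_id):
    # Defender's view of the probe: an appended quote turns into a SQL error
    # (a changed response), which is also the signal to look for in error logs.
    try:
        lookup_vulnerable(conn, raw_id)
        return False
    except sqlite3.OperationalError:
        return True


def lookup_parameterized(conn, raw_id):
    # Parameter binding: the driver sends the value separately from the query
    # text, so it can never be interpreted as SQL.
    return conn.execute("SELECT name FROM products WHERE id = ?", (raw_id,)).fetchall()


def lookup_validated(conn, raw_id):
    # Also enforce the expected type; the article's id is an integer.
    try:
        num = int(raw_id)
    except (TypeError, ValueError):
        return []
    return lookup_parameterized(conn, num)
```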
Cross Site Scripting (XSS)
Don't worry, a real-life example is coming right up.
Let's say you are a shopkeeper who accepts money even though it may carry COVID-19, and then hands that money on to your legitimate customers.
How can we reproduce:
- First, crawl the entire website and find any parameter whose value is reflected in the page.
- Say search=xss. Try search=/<> and, if your input is reflected in the web page unchanged, then you may have XSS.
- Then put a payload in the parameter and open the malicious URL; if you get a pop-up, then you definitely have XSS.
The impact of XSS is vast. What I mean is that there is no limit to XSS: on one hand, an attacker can steal your precious cookies, and on the other, if the XSS falls into the hands of a brilliant black-hat hacker, the entire web page may suffer a DoS due to stored XSS.
Sanitize each and every user input, and in the case of a search parameter eliminate all special characters if possible.
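How the reflected 'search' parameter behaves with and without output encoding, plus the strict allowlist the article suggests for a search box. This is an added example, not code from the original article; the allowlist pattern is an assumption.

```python
import html
import re

# Assumed allowlist for a search box, per the article's advice to drop special characters.
SEARCH_OK = re.compile(r"^[A-Za-z0-9 _-]{1,64}$")


def render_vulnerable(search):
    # Reflects the 'search' parameter straight into the page: the article's '/<>' probe
    # comes back unchanged, and a script payload would run in the victim's browser.
    return f"<p>Results for: {search}</p>"


def render_escaped(search):
    # Output encoding for the HTML body context: <, >, &, and quotes become entities,
    # so the browser renders the value as text and never as markup.
    return f"<p>Results for: {html.escape(search, quote=True)}</p>"


def accept_search(search):
    # Stricter option: refuse anything but plain words before it reaches the page.
    return bool(SEARCH_OK.match(search))


def reflects_unencoded(page_html, probe):
    # Check for a test suite: does the probe string survive into the page verbatim?
    return probe in page_html
```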
Command Injection
Command injection is a cyber-attack that involves executing arbitrary commands on a host operating system (OS).
I guess I don’t have to give an example for that.
How can you find command execution?
- Mostly you have to hunt input fields for this vulnerability.
- Let's say you have an occupation field, 'occup=hr'. Fill in this field and intercept the request with Burp.
- Change it to 'occup=hr || ping 127.0.0.1' and forward it.
- If the response takes some time and then comes back, then it is a command injection, but it isn't a security vulnerability yet because it is only pinging its own localhost.
- At this stage you have confirmed that you have a command injection in your hands, so send 'occup=hr || ls && cat /etc/passwd', and if it returns the output, then it is a critical security vulnerability.
So, let's talk about the impact of command injection. If an attacker finds a command injection, there are two situations:
- He lacks the skill to escalate his privileges; then he can still read as many files as he has access to.
- Suppose he has the skill and escalates his privileges; then he can even delete your whole website from the web server.
Never ever let your server run commands built from client-side input.
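An added example (not from the original article) of the 'occup' field handled two ways: through a shell, where '||' and '&&' split the string into extra commands, and as a single argv element after an allowlist check. 'echo' stands in for whatever the real application does with the value, and the allowlist pattern is an assumption.

```python
import re
import subprocess

# Assumed allowlist for what an occupation value may look like.
OCCUPATION_OK = re.compile(r"^[A-Za-z][A-Za-z ]{0,39}$")
# Characters that let a value break out into a second command under /bin/sh.
SHELL_META = re.compile(r"[|&;`$<>()\n]")


def run_vulnerable(occup):
    # shell=True hands the whole string to /bin/sh, so 'hr || ping 127.0.0.1' becomes
    # two commands. 'echo' stands in for whatever the real application runs.
    out = subprocess.run(f"echo {occup}", shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def run_hardened(occup):
    # 1) validate the field against the allowlist; 2) pass argv as a list with no
    # shell, so the value reaches the program as exactly one argument.
    if not OCCUPATION_OK.match(occup):
        raise ValueError("occupation rejected")
    out = subprocess.run(["echo", occup], capture_output=True, text=True)
    return out.stdout.strip()


def looks_like_injection(value):
    # Detection helper for request logs: a field that should be a plain word but
    # carries shell metacharacters, as in 'occup=hr || ls && cat /etc/passwd'.
    return bool(SHELL_META.search(value))
```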
Clickjacking
Clickjacking is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages. This vulnerability arises when an attacker's website can embed a legitimate website.
Didn't understand? Why am I here?
Okay, suppose you went to an ATM and realized that there was a fake keypad placed over the real one, and that keypad was installed to capture your CVV!
Same is clickjacking.
How can you carry out click jacking?
- Copy the following into a file, putting the target's URL in the iframe's src attribute.
<p>Website is vulnerable to clickjacking!</p>
<iframe src="https://TARGET-URL-GOES-HERE" width="800" height="600"></iframe>
- Then save it as an .html file and open it in your browser. If the website loads inside the frame, then it is vulnerable to clickjacking.
So, you have already guessed the impact of this attack. Say I sent you a link, 'faceb00k.com'; you opened it and saw the Facebook login page, and it really was Facebook. You entered your credentials and started browsing, but those credentials were actually passed through my website on their way to the real Facebook. Sounds like fun, doesn't it? Now imagine it implemented on a bank website. Horrible!!!
Prevent other websites from embedding your website.
Cross Site Request Forgery (CSRF)
Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts.
Oof, I hate vulnerability definition, don’t you?
Let's say that in your house your mother has cookies, and your brother has access to them but you don't. So you trick your brother and get those cookies. That's CSRF.
How you can produce CSRF?:
- Make sure the victim user is logged in during this time.
- Log in with the attacker's account.
- Change the password or any other field, but don't let the request go through.
- Intercept that request, modify it and generate a CSRF PoC from it.
- Now, send that HTML page to the user.
- When the user opens the link while he is still authenticated, the CSRF attack is successful.
So, what will be the impact of CSRF? I mean, it is only a user making a request on behalf of an attacker. But suppose it is a bank website, and the user has just requested to change his password to what the attacker wanted, and to disable his 2FA too!!!
How nasty would that be :-O
Implement a CSRF token and make the server verify that token.
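The token mitigation worked through for the password-change request the article uses, as an added example (not the article's own code): the token is generated per session, embedded in the form, and verified in constant time before any state changes. The session and form dicts stand in for a real framework's objects.

```python
import hmac
import secrets


def issue_csrf_token(session):
    # Generate once per session and keep it server-side; the page embeds it in a
    # hidden form field. A cross-site page cannot read it, it can only send cookies.
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token


def verify_csrf(session, submitted):
    # Constant-time comparison so a forged request learns nothing from timing.
    expected = session.get("csrf_token")
    if expected is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_change_password(session, form):
    # State-changing handler guarded by the token, as the article's mitigation requires.
    if not verify_csrf(session, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    session["password"] = form["new_password"]
    return 200, "password changed"
```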
File Upload Vulnerability
A local file upload vulnerability is a vulnerability where an application allows a user to upload a malicious file directly, which is then executed.
It’s pretty straightforward.
How to execute this attack:
- Find any web page which allows you to upload files.
- First, try the career pages of those companies that recently rejected you. Put every virus you have into their resume upload functionality. Kidding 😂.
"NEVER EVER DO THAT, WE ARE NOT RESPONSIBLE FOR ANYTHING".
- When you have found one, just copy the PHP code and rename it as file.php.pdf.
- If it uploads, keep your listener port open and wait for the server to execute it.
- If you got a reverse shell, then man, you have hacked that website.
Impact of file upload functionality:
Think of it as controlling their servers, not just a simple website, though of course you have to escalate your privileges for that.
It is as dangerous as command injection.
- Never let users upload PHP files or any other extension that can carry malicious code.
- Discard the uploaded file's name and assign a name of your own before processing it.
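Both mitigations in one upload check, as an added example (not the article's code): the file type is decided by an extension allowlist and the file's leading bytes, and the client's name, double extensions such as file.php.pdf included, is thrown away in favour of a random server-chosen name. The allowed types are an assumption.

```python
import secrets

# Assumed allowlist: extension -> bytes a genuine file of that type starts with.
MAGIC = {"pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff"}


def store_name_for(original_name, content):
    """Return the name to store an upload under, or raise ValueError to reject it."""
    ext = original_name.rsplit(".", 1)[-1].lower() if "." in original_name else ""
    if ext not in MAGIC:
        # 'shell.php' or a name with no extension never gets this far.
        raise ValueError(f"extension not allowed: {ext!r}")
    if not content.startswith(MAGIC[ext]):
        # 'file.php.pdf' containing PHP source claims to be a PDF but is not one.
        raise ValueError("content does not match the claimed type")
    # The client's name is discarded entirely, so no 'php' can survive into the
    # stored name and the server only ever sees one extension that it chose.
    return f"{secrets.token_hex(16)}.{ext}"
```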
Open Redirect
An open redirection vulnerability is when attackers can control where a victim is redirected when using a web application, thus allowing them to redirect the victim to malicious websites controlled by the attackers.
Oh God, another technical definition.
Let's say you went to a 5-star hotel and ordered world-class food, but your order is coming from a roadside food vendor. I would punch the manager in that case.
Same is open redirect vulnerability.
How you can find open redirect:
- Go to Uncle Google and type: 'site:target.com inurl:redirect,url,uri,dest'
- Say you found a URL 'target.com/any.php?redirect=http://target….'
- Remove everything after 'redirect=' and try your payload there.
- If your target redirects according to your payload, then you have found your vulnerability.
So, a website is just redirecting to another website; what's the harm in that?
Then suppose you have just confirmed your cart and, during payment, you were redirected to another website and paid an attacker.
Never take user input through the URL; if a user is trying to give his input through the URL, either he is nuts or he is trying to kick yours.
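If a redirect parameter has to exist, the check below keeps it on your own origin. This is an added example, not the article's code; SITE is an assumed origin, and the function goes beyond the plain 'http://evil' case to the protocol-relative, backslash and userinfo variants that naive checks miss.

```python
from urllib.parse import urljoin, urlparse

SITE = "https://target.com"  # assumed: the application's own origin


def safe_redirect_target(redirect_param, default="/"):
    """Return an absolute URL that is guaranteed to stay on SITE.

    Anything off-origin, or not using SITE's scheme, falls back to `default`,
    so the ?redirect= value can never send the user to an attacker's site."""
    if not redirect_param:
        return urljoin(SITE, default)
    # Browsers treat '\' like '/', so '/\evil.com' would act as '//evil.com'; normalise first.
    value = redirect_param.strip().replace("\\", "/")
    # Resolve against our origin: '/account' -> https://target.com/account, while the
    # protocol-relative '//evil.com' resolves to https://evil.com and is caught below.
    candidate = urljoin(SITE, value)
    parsed, ours = urlparse(candidate), urlparse(SITE)
    if parsed.scheme != ours.scheme or parsed.netloc.lower() != ours.netloc.lower():
        return urljoin(SITE, default)
    return candidate
```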
Insecure Communications
Insecure communications are when a client and server communicate over a non-secure (unencrypted) channel. Without encrypting the channel, the developer can't guarantee the integrity of the data. Remember, insecure communication is different from insecure storage.
Failing to securely communicate server-to-server and server-to-client means an attacker can intercept sensitive transactions. This is typically done through man-in-the-middle attacks. Not communicating securely breaks down confidentiality and integrity.
Another technical definition….
Okay, you got me. So, suppose you and your best friend are talking about your nasty behaviour, but your mom is listening. How life-threatening could that be?
So how can you achieve this:
- First you have to make yourself a man in the middle.
- How to become a MITM is not covered in this article.
- Then, as the man in the middle, an attacker can listen to each and every request.
What could be the security impact of insecure communications?
Suppose you are transferring money from your bank account, and I am in the middle of it, and I captured your precious card details. I know you'll kill me, so there is your impact.
Make sure your website is using at least TLS 3.0 and has HSTS enabled.
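A small response-header audit covering two of the mitigations above, added here and not part of the original article: the clickjacking section's "prevent other websites from embedding your website" (X-Frame-Options or CSP frame-ancestors) and this section's HSTS. The two header sets are constructed to show a weak and a corrected configuration.

```python
# Constructed response headers for the weak and the corrected configuration.
WEAK_HEADERS = {"Content-Type": "text/html"}
FIXED_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
}


def _lower(headers):
    # Header names are case-insensitive.
    return {k.lower(): v for k, v in headers.items()}


def framing_protection(headers):
    # Returns 'csp' or 'xfo' for the control that stops other sites embedding the page, else None.
    h = _lower(headers)
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors" and "*" not in parts[1:]:
            return "csp"  # 'none', 'self' or an explicit allowlist of origins
    if h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return None


def hsts_ok(headers, min_age=31536000):
    # Strict-Transport-Security with a max-age of at least a year keeps browsers on TLS.
    for token in _lower(headers).get("strict-transport-security", "").split(";"):
        name, _, value = token.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit() and int(value) >= min_age:
            return True
    return False


def audit(headers):
    return {"clickjacking_protected": framing_protection(headers) is not None,
            "hsts": hsts_ok(headers)}
```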
Password Management
Insecure password management means storing passwords insecurely.
Let's take an example: if Facebook did not store your passwords securely, anyone could log in to your account before you. Facebook's 553 million user account details have been leaked on the dark web. But Facebook had a strong hashing algorithm and salting policy.
Original Password: Password@123
Salted Password: Password@1231234
Hashed Password: ad82621524e7924cedf2ffddaf70a258ac9da9020be5dcee501b2003fd23f783
There is no way to brute-force or guess this password, and this is an example of strong password management.
If your user accounts get hacked easily, you quickly won’t have any users.
Ensuring strong authentication is a mix of pushing your users into good habits and following them yourself. Attackers are constantly trying to find ways to bypass authentication, so you need to make sure you do not permit any vulnerabilities.
Email Spoofing
Email spoofing is the creation of email messages with a forged sender address. The core email protocols do not have any mechanism for authentication, making it common for spam and phishing emails to use such spoofing to mislead or even prank the recipient about the origin of the message.
Don’t worry, I am still here.
Suppose you received an email from your mother, and it was actually from your friend.
How to send fake emails?
- Go to emkei.
- And send to anyone, as many emails as you like.
If the spoofing impersonates a legitimate business, then it will lead to a critical loss of reputation.
If you have your own business or a website, set up SPF records for your domain.
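What an SPF record does for the receiving side, as an added example (not the article's code): the record is published as a DNS TXT record, and the receiver checks the connecting IP against it. The records here are constructed in place of a DNS lookup, and only the ip4/ip6/all mechanisms are evaluated.

```python
import ipaddress

# Constructed DNS TXT answers; a real receiver would query DNS for the sender's domain.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:203.0.113.5 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_verdict(sender_domain, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of the domain's SPF record for a connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record). The include,
    a and mx mechanisms need further DNS lookups and are not handled here."""
    record = SPF_RECORDS.get(sender_domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms without an explicit qualifier mean 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]  # 'all' matches anything not matched before it
        mechanism, _, argument = term.partition(":")
        if mechanism.lower() in ("ip4", "ip6") and argument:
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term
```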
Buffer Overflow
A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.
In programming terms, a buffer overflow means overflowing a buffer in an application so far that your input reaches the function's return address; if you overflow the buffer and place the address of a reverse shell in that return slot, the application will jump to it and you will have arbitrary code execution.
It is in the OWASP Top 10 vulnerabilities and is classified as P1, i.e., a critical vulnerability.
You can actually deface the whole application, right up to the server level.
Limit user input, in particular its length.
Thank you for your time (Divy Tej).