Although web applications are exposed to numerous vulnerabilities, information security costs are frequently left out of the budget, or not considered at all, during project development.
There is an interesting article on the subject in BYTE magazine by Aleksey Lukatsky, business development manager at Cisco Systems:
«The author reviewed a number of web sites of design studios, including famous ones, that offered web design services (rather expensive, I should say). It was surprising that none of them mentioned such a concept as “a secure site” in their portfolio.
Moreover, the model contracts contained nothing concerning security…
Is this incompetence, or a deliberate reluctance to get involved in an obscure IT field, one full of surprises? Unfortunately, we must admit the former to be the right answer. I’ll try to illustrate this thesis, relying on my experience of participating in numerous web projects...»
The complete article can be found in the Secure site section.
Here are some of the most likely issues:
• Cross Site Scripting
• SQL injection
• PHP injection
• HTTP Response Splitting
• HTML code injection
• File Inclusion
• Directory traversal, etc.
The above types of vulnerabilities can appear in any web application, whether it was developed by an independent specialist or by a well-known company. Therefore, sound system engineering, thorough testing of the finished application and careful attention to security issues at every stage of development are the factors that make it possible to eliminate them.
Cross Site Scripting (XSS)
Cross Site Scripting, or XSS, is the possibility of injecting arbitrary HTML code into a vulnerable page. The injection can be carried out through any available channel of user input. Any web application that displays information received from a user is vulnerable to this class of attack. Such attacks become possible when the values of variables received from a user are not filtered and may therefore contain scripts (JavaScript, VBScript) or unsafe HTML tags. A malicious person can use this type of attack to hijack the cookies and sessions of other users (including administrators). In some cases it allows the authentication mechanism to be bypassed, and if SSI (Server Side Includes) are supported, an arbitrary command can be executed on the server.
Additional information:
http://www.cgisecurity.com/articles/xss-faq.shtml
http://www.cert.org/advisories/CA-2000-02.html
HTTP Response Splitting
HTTP Response Splitting errors are found in many web applications and occur when user input is not processed correctly. A remote attacker can send a specially crafted HTTP request that causes the web server to produce a response stream containing two HTTP responses instead of a single correct one. In this case, only the first (false) HTTP response will be processed by the client. HTTP Response Splitting makes it possible to carry out a number of attacks such as web cache poisoning, defacement, "cross-user defacement", hijacking of users’ pages and cross site scripting.
Additional information:
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
SQL injection
SQL injection is a method of attacking a database by bypassing firewalls. In this method, the parameters passed to the database via a web application are manipulated so that the executed SQL query is modified. For example, by adding certain symbols to a parameter, an additional query can be executed along with the intended one.
The attack aims at the following:
1. Gaining access to data to which access is denied, or to system configuration data that can be used for further attacks. For example, a modified request can return cached user passwords, which can later be decrypted (brute forced).
2. Gaining access to enterprise workstations via the database server. This can be achieved by means of database procedures and 3GL extensions that allow various applications to be run.
Additional information:
http://www.securityfocus.com/infocus/1768
http://shiflett.org/php-security.pdf
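As an added illustration (not code from the original page), here is the query-building pattern that lets a parameter modify the SQL statement, beside its hardened form that binds the value as a parameter. It is written in Python with the standard sqlite3 module rather than PHP; the users table and its rows are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory database standing in for the application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "hash-of-admin-pw", "admin"),
         ("alice", "hash-of-alice-pw", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The 'before' case: the request parameter is pasted straight into the
    # SQL text, so a quote character in the input changes the query structure.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened form: the statement text is fixed and the value is bound as a
    # parameter, so whatever the input contains, it is only ever compared as data.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def queries_agree(conn: sqlite3.Connection, name: str) -> bool:
    # Regression check: both lookups must return the same rows for every input.
    # A divergence (or a syntax error from the concatenated query) means the
    # input was able to alter the statement instead of being treated as a value.
    try:
        return find_user_vulnerable(conn, name) == find_user_safe(conn, name)
    except sqlite3.Error:
        return False
```

A name containing an apostrophe, such as O'Brien, already makes the concatenated query fail with a syntax error, which is the same defect an attacker relies on.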
Code injection
If a web application handles dynamically included files or file paths incorrectly, it becomes possible to execute arbitrary code (PHP, ASP, etc.) on the server or to retrieve file contents. A successful attack allows a malicious person to bypass authentication, execute commands on the server, view files, write arbitrary data into a file, etc.
Additional information:
http://zend.com/zend/art/art-oertli.php
http://shiflett.org/php-security.pdf