8.Locks HexConnections CodeGlobe

The popularity of web applications is constantly growing as businesses and corporations host several services through them. However, companies and businesses that do have web applications still face the threat of vulnerabilities. A vulnerability is a flaw in your system that hackers may exploit to obtain unauthorized access, run malicious code, install malware, and perhaps steal sensitive information. Remediating these attacks could be near impossible, especially since most small businesses, corporations, and even daily users lack the resources to fix several vulnerabilities at a time. 

As cyber-attacks become a critical risk for every company, the lack of security knowledge and carelessness at the application layer are the root cause of the different types of vulnerabilities that pollute many web applications today. In general, a vulnerability scanner will scan your environment and compare it to a vulnerability database, or a list of known flaws. However, in order to grasp what vulnerabilities you may be facing, it is best to start with the basics. Throughout this article, we will go through web application vulnerability fundamentals and how they may or may not be affecting your system.

Vulnerability Basics

Buffer Overflow

Buffer Overflow Basics

To correctly manage buffer overflow vulnerabilities, you should first understand what they are, the threats they pose to your applications, and the tactics attackers utilize to successfully exploit these flaws. A buffer overflow occurs when a program attempts to put more data in a buffer than it can store, or when a program attempts to place data in a memory region past the end of a buffer. This can corrupt data, crash the application, and possibly even trigger the execution of malicious code, allowing cybercriminals to gain unauthorized access to systems and networks. Although buffer overflows are among the most well-known forms of software vulnerabilities, they continue to pose a risk to both large companies and small organizations.

Buffer Overflow Exploit

Attackers use a buffer overflow to corrupt a web application’s execution stack, execute arbitrary code, and take over a machine. Buffer overflow flaws can exist in both application servers and web servers, especially in web applications that use native libraries such as graphics libraries. Buffer overflows can also exist in custom web application code.

Types of Buffer Overflow Vulnerabilities

According to OWASP, there are two types of Buffer Overflow Attacks:

  • Stack-based buffer overflows: A stack-based buffer overflow attack occurs when an attacker sends data containing malicious code to an application, which stores the data in a stack buffer. This overwrites the data on the stack, including the return pointer, which hands control of the program to the attacker.
  • Heap-based buffer overflows: A heap overflow attack is a type of buffer overflow attack that specifically targets the heap. The attacker floods a program’s memory space beyond the memory it uses, and the data in the heap is overwritten to exploit some aspect of the program. An attacker can grant themselves access by overwriting data, or can overwrite a pointer to point to a piece of code that does worse than merely gaining access.

Heap-based buffer overflow example:

[Image: code listing of a heap-allocated buffer being filled with an unbounded string]

The buffer is allocated heap memory with a fixed size, but there is no guarantee that the string will not exceed that size, hence causing an overflow.

Stack-based buffer overflow example:

[Image: code listing of a 64-byte stack buffer receiving a resolved hostname]

This piece of code allocates a buffer of 64 bytes to store the hostname; however, there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address that resolves to a very large hostname, then the function may overwrite sensitive data or even relinquish control flow to the attacker.

DoS

DoS Basics

A DoS attack, or Denial of Service attack, is an attack meant to shut down a machine or network, making it and its services inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic or sending it information that triggers a crash. In both instances, the DoS attack deprives legitimate users, such as employees or account holders, of the service. Thankfully, when it comes to DoS attacks, the remediation process is quicker since they are easier to block and are easier to trace since only a single device is in play.

Types of DoS Attacks

  • Buffer Overflow: Buffer overflow attacks, as described above, are a common type of DoS attack. They rely on sending an amount of traffic to a network resource that exceeds the default processing capacity of the system.
  • Ping of Death: Attackers send spoofed, oversized, or malicious packets that ping every computer on the targeted network. The target responds and becomes flooded with responses to the malicious packet. It is also known as an ICMP Flood and Smurf Attack. Essentially, an IPv4 packet has a maximum size of 65,535 bytes. When an attacker sends a packet larger than that size, the target system will break it down into smaller packets, allow the packets through, and when it gets pieced back together, it causes a buffer overflow which can cause the machine to freeze or crash.
  • SYN Flood: A SYN Flood attack exploits the TCP handshake. In this attack, the attacker sends a SYN message. The handshake is then left incomplete, either because the server does not acknowledge the SYN message or because it sent back a SYN/ACK message and the attacker never sent back an ACK message. Doing this leaves the connected host in an occupied status and unavailable to take further requests. Attackers will increase the number of requests, populating all open ports and preventing anyone from connecting to the network.
  • Teardrop: In a teardrop attack, IP data packet fragments are sent to the target network. The network then reassembles the fragments into the original packet. The process of reassembling these fragments exhausts the system and it ends up crashing. In some cases, the attacker might even try to find a TCP/IP vulnerability and proceed to do the same thing. Ultimately, the server is unable to reassemble these packets, causing an overload.
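The SYN flood entry above describes half-open connections piling up on the server. The following added example, which is not code from the original article, shows the defender's view of that symptom: it parses a constructed connection table modelled on `ss -tan` output (the sample lines, the documentation IP ranges 203.0.113.0/24 and 198.51.100.0/24, and the thresholds are all assumptions) and flags peers with an unusual number of connections stuck in SYN-RECV.

```python
from collections import Counter

# Constructed sample modelled on `ss -tan` output; not captured from a real host.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      10.0.0.5:443        198.51.100.20:51234
SYN-RECV  0      0      10.0.0.5:443        203.0.113.7:40001
SYN-RECV  0      0      10.0.0.5:443        203.0.113.7:40002
SYN-RECV  0      0      10.0.0.5:443        203.0.113.7:40003
SYN-RECV  0      0      10.0.0.5:443        203.0.113.7:40004
SYN-RECV  0      0      10.0.0.5:443        198.51.100.20:51240
LISTEN    0      128    0.0.0.0:443         0.0.0.0:*
"""


def half_open_connections(ss_text):
    """Return (total SYN-RECV count, Counter of SYN-RECV entries per peer IP)."""
    per_peer = Counter()
    total = 0
    for line in ss_text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] != "SYN-RECV":
            continue                               # only half-open sockets matter here
        peer_ip = parts[4].rsplit(":", 1)[0]       # drop the port from "ip:port"
        per_peer[peer_ip] += 1
        total += 1
    return total, per_peer


def suspected_syn_flood(ss_text, per_source_threshold=3, total_threshold=100):
    """Heuristic: alert on any single source with many half-open sockets, or on
    a large total. Floods usually spoof source addresses, so the per-source
    view alone is not enough; the total count catches the spoofed case."""
    total, per_peer = half_open_connections(ss_text)
    sources = sorted(ip for ip, n in per_peer.items() if n >= per_source_threshold)
    return {
        "total_half_open": total,
        "noisy_sources": sources,
        "alert": total >= total_threshold or bool(sources),
    }


if __name__ == "__main__":
    print(suspected_syn_flood(SAMPLE_SS))
```

On a real Linux host the same check would run over live `ss -tan` output, and the standard kernel-side mitigation for the condition it detects is SYN cookies (`net.ipv4.tcp_syncookies`), which let the server answer SYNs without reserving state for each half-open connection.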

SQLi

SQLi Basics

SQL Injection is a type of injection attack that makes it possible to execute malicious SQL statements that can control the database server behind a web application. Attackers can use SQL Injection vulnerabilities to bypass application security measures. Attackers can interfere with the queries that get sent to the database, modifying or deleting data, and can moreover cause persistent changes to an application's behavior. Scanning for SQLi vulnerabilities is a must, both to make sure that important information is not accessed and to be able to reinforce your server against SQL injection attacks. There are many different situational SQLi attacks and different things attackers can do, such as the examples listed below:

  • Attackers can retrieve hidden data by modifying an SQL query so that it returns additional results and data that would not normally be available
  • Attackers can change an application's logic by changing a query so that it interferes with the app's logic
  • Attackers can perform a UNION attack, where it is possible to retrieve data from different database tables using the UNION SQL operator
  • Attackers can perform a Blind SQL injection, one of the most well-known attacks, where the results of the query they control are not returned in the response

Cross-Site Scripting (XSS)

XSS Basics

Cross-site scripting targets application users by inserting code, typically a client-side script such as JavaScript, into the output of an online application. The principle of XSS is to change client-side scripts of a web application such that they run in the way that the attacker wishes. XSS enables attackers to run scripts in the victim's browser, allowing them to hijack user sessions or possibly even cause redirects, sending users to malicious sites. And since XSS allows unauthenticated users to execute code in trusted users' browsers and access certain types of data, an XSS vulnerability also allows attackers to intercept and control data from users. This can lead to an attacker taking control of a site or an application if an administrative or elevated user is targeted. Ultimately, when it comes to XSS, there are two things to remember:

  • The web application is not the target but rather the user and
  • Attackers plan to manipulate these users by injecting malicious code
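Because the user's browser is the target, the fix lives where the application writes untrusted text into its own output. The following added example, not code from the original article, renders a constructed comment and a constructed link title two ways: pasted in raw, and passed through context-appropriate HTML encoding. The page templates, sample inputs, and the `has_live_script` review check are all assumptions made for the demonstration.

```python
import html
import re

# Constructed page fragments; the {body} and {title} slots receive user input.
COMMENT_PAGE = '<html><body><p class="comment">{body}</p></body></html>'
LINK_PAGE = '<html><body><a href="/profile" title="{title}">profile</a></body></html>'

# Constructed sample inputs: one for the HTML body context, one that tries to
# break out of an attribute value.
SAMPLE_COMMENT = "<script>alert(document.cookie)</script>"
SAMPLE_TITLE = '" onmouseover="alert(1)'


def render_comment_unsafe(comment):
    # Untrusted text is placed directly into the body: the browser parses it as
    # markup, so a <script> element in the comment runs in the victim's browser.
    return COMMENT_PAGE.format(body=comment)


def render_comment_safe(comment):
    # Output encoding for the body context: <, >, & and quotes become entities,
    # so the browser displays the text instead of executing it.
    return COMMENT_PAGE.format(body=html.escape(comment, quote=True))


def render_title_unsafe(title):
    return LINK_PAGE.format(title=title)


def render_title_safe(title):
    # Attribute context: quote=True is what stops a " from closing the attribute
    # and letting the input add its own event-handler attribute.
    return LINK_PAGE.format(title=html.escape(title, quote=True))


def has_live_script(rendered):
    # Review check on the rendered output: an unescaped <script> tag or an
    # injected on*="..." handler means the encoding step was skipped.
    return bool(re.search(r'<script\b|\son\w+="', rendered, re.IGNORECASE))


if __name__ == "__main__":
    print(render_comment_unsafe(SAMPLE_COMMENT))
    print(render_comment_safe(SAMPLE_COMMENT))
    print(render_title_unsafe(SAMPLE_TITLE))
    print(render_title_safe(SAMPLE_TITLE))
```

Encoding must match the context the data lands in: the body and attribute cases above are covered by `html.escape`, while text written into a JavaScript block or a URL needs the encoding for that context instead, and a template engine that auto-escapes by default removes the chance of forgetting the call.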

Cross-Site Request Forgery (CSRF)

CSRF Basics

Cross-Site Request Forgery is a well-known vulnerability, appearing in the OWASP Top 10 web application security risks. CSRF is a malicious attack that tricks a user into executing an action they did not plan to take. The attacker can then gain access through the victim's already established browser session. Web applications such as email clients, Facebook or Instagram, and online banking applications such as Chase are all targets.

I know you might be asking how an attacker could possibly get you to do something unintentionally?! Well, there are a few prerequisites for that. Firstly, they will somehow have to get you to perform an action, preferably a login or an email change. For this example, I will be using a login. The reason is that they need an active, logged-in session to meet certain requirements. They need the session cookie, no extra, special parameters, and they must have the user logged in. Let’s say a user is logged into his bank account at www.citybank.com. After doing some banking, he does not log out. He has auto-saved his username and password so he does not have to type them in all the time. After that, let's say he visits a site called www.fooddelights4you.com. This site may potentially be set up for CSRF. There could be a line of code somewhere embedded in the site that targets people who bank at www.citybank.com. This line of code can then redirect the user's browser, log in to www.citybank.com, and possibly send money to the attacker's specified account. When you get into the nitty gritty of it, it is pretty crazy to think that it can be that simple, but with attackers out there whose sole purpose is money, nothing is out of the question.
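The scenario above works because the browser attaches the www.citybank.com session cookie to any request bound for that site, whichever page triggered it. The following added example, not code from the original article, models the bank's transfer endpoint twice: once checking only the cookie, and once also requiring the request's Origin to be the bank's own and a per-session anti-CSRF token that only the bank's own page can include. The in-memory session store, request dictionaries, and the two sample requests are assumptions constructed for the demonstration.

```python
import hmac
import secrets

TRUSTED_ORIGIN = "https://www.citybank.com"   # the bank from the scenario above
SESSIONS = {}   # constructed in-memory session store: session id -> {"user", "csrf"}


def new_session(user):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    # The bank embeds this token in its own transfer form as a hidden field. A
    # page on another origin cannot read it, so it cannot forge a complete request.
    return SESSIONS[sid]["csrf"]


def _session(request):
    return SESSIONS.get(request.get("cookies", {}).get("session"))


def transfer_vulnerable(request):
    # Only the session cookie is checked. The browser sends that cookie with any
    # request to the bank, including one that a third-party page triggered.
    sess = _session(request)
    if sess is None:
        return (401, "not logged in")
    form = request["form"]
    return (200, f"{sess['user']} sent {form['amount']} to {form['to']}")


def transfer_safe(request):
    sess = _session(request)
    if sess is None:
        return (401, "not logged in")
    # Check 1: the browser-supplied Origin header must be the bank's own origin.
    if request.get("headers", {}).get("Origin") != TRUSTED_ORIGIN:
        return (403, "cross-origin request rejected")
    # Check 2: the form must carry the per-session token (constant-time compare).
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return (403, "missing or invalid CSRF token")
    form = request["form"]
    return (200, f"{sess['user']} sent {form['amount']} to {form['to']}")


def legitimate_request(sid):
    # What the bank's own transfer form produces in the victim's browser.
    return {"cookies": {"session": sid},
            "headers": {"Origin": TRUSTED_ORIGIN},
            "form": {"to": "savings", "amount": "50", "csrf_token": csrf_token_for(sid)}}


def forged_request(sid):
    # What a hidden form on www.fooddelights4you.com makes the same browser send:
    # the cookie rides along automatically, but the token and the Origin do not.
    return {"cookies": {"session": sid},
            "headers": {"Origin": "https://www.fooddelights4you.com"},
            "form": {"to": "attacker-account", "amount": "5000"}}


if __name__ == "__main__":
    sid = new_session("victim")
    print(transfer_vulnerable(forged_request(sid)))   # (200, ...) the flaw
    print(transfer_safe(forged_request(sid)))         # (403, 'cross-origin request rejected')
    print(transfer_safe(legitimate_request(sid)))     # (200, ...)
```

Either check alone blocks the forged request; using both covers clients that omit the Origin header. Marking the session cookie `SameSite=Lax` or `SameSite=Strict` adds a browser-side layer, since the browser then withholds the cookie from cross-site form posts in the first place.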

Remote Code Execution

Remote code execution (RCE) vulnerabilities allow an attacker to execute arbitrary code from a remote device onto a computer. RCE vulnerabilities can lead to attacks that range from malware execution to an attacker gaining full control over a compromised machine. A Remote Code Execution Attack can lead to a full-scale attack that would compromise an entire web application and the webserver. RCE could also lead to privilege escalation, network pivoting, and establishing persistence.

Why are the basics important?

The basics are important because they are the backbone of well-known attacks and even of unknown attacks that may not have happened yet. Moreover, they give you a better understanding of the threat at hand. There is a saying, “It is important to know the enemy,” and that is exactly what we are doing. You want to be educated on what these vulnerabilities are, how they can be used in attacks, and the different scenarios in which an attacker might want to exploit them, so that you are fully able to fight them and better prepared for them.

Our Thoughts

Educating yourself or your team on the basics of common, and uncommon, vulnerabilities is essential to being able to mitigate the attacks that exploit them. To better understand your risks, it might be helpful to implement daily vulnerability scanning to minimize the number of security flaws your applications might have. Make sure to read our Complete Guide to Using Wapiti Web Vulnerability Scanner to further get an idea of how a vulnerability scanner can assist you with your security.