Notes

Sec20 - Web Application Vulnerabilities

3 min read

Race Conditions

  • Definition: When the outcome depends on the timing/sequence of concurrent processes.
    • Dereferencing: Code attempts to remove a pointer pointing to a memory location.
  • Exploits:
    • Dirty COW: Linux copy-on-write flaw to write to read-only mappings.
    • TOCTOU: Time-of-Check to Time-of-Use inconsistencies.
  • Mitigations:
    • Locks & Mutexes: Enforce exclusive access to shared resources.
    • Deadlock Prevention: Design/test locks to avoid hanging states.

Buffer Overflows

  • Definition: Writing beyond an allocated memory buffer.
  • Mechanism:
    • Stack Smashing: Overfill stack, NOP slide, overwrite return address to jump to attacker code.
    • Integer Overflow: Arithmetic exceeds variable bounds, causing adjacent memory corruption.
  • Mitigations:
    • Patch Management: Keep software up to date.
    • Secure Coding: Input validation & boundary checks.
    • ASLR: Randomize memory addresses.
    • DEP: Mark data regions non-executable.

Authentication Flaws & Insecure References

  • Broken Authentication:
    • Causes: Weak/guessable passwords, plaintext creds, no lockout/captcha, predictable session tokens.
      • Example: https://url.com/id=1234
    • Protections: MFA, strong-password policy, rate-limiting, HTTPS + Secure/HttpOnly cookies.
  • Insecure Direct Object References (IDOR):
    • Risk: Changing object IDs (e.g. ?id=123) to access unauthorized data.
    • Protections: Enforce authorization checks, use indirect references/tokens, audit access controls.

Improper Error Handling

  • Definition: Revealing sensitive info or crashing due to unhandled exceptions.
  • Consequences: Exposed stack traces, DB dumps, system crashes, injection vectors via error messages.
  • Best Practices:
    • Custom, generic user-facing errors; log details internally.
    • Include error logic in security reviews & pen tests.
    • Test with Burp Suite/OWASP ZAP for edge-case errors.

Improper Headers

  • Definition: Missing or misconfigured HTTP response headers.
  • Key Headers & Benefits:
    • HSTS: Enforce HTTPS.
    • HPKP: Resist impersonation with fraud certs.
    • X-Frame-Options: Prevent clickjacking.
    • X-XSS-Protection: Enable browser XSS filter.
    • X-Content-Type-Options: Disable MIME sniffing / dictate content type
    • CSP: Restrict loaded resources.
    • X-Permitted-Cross-Domain-Policies: browser permission to handle data across multiple domains. Loaded as XML cross-domain policy file
    • Referrer-Policy: governs which referrer info should be included
    • Expect-CT: Certificates compliances
    • Feature-Policy: enable/disable of various browser features & APIs
  • Best Practices:
    • Review/update headers regularly.
    • Test with SecurityHeaders.io, OWASP ZAP, Burp Suite.
  • Common Attacks:
    • CSRF, XSS, Downgrade Attack, Cookie hijacking, User impersonation, clickjacking

Code Signing

  • Definition: Digitally signing executables/scripts to verify author & integrity.
  • Process: Hash code → encrypt with private key → attach signature.
  • Limitations: Doesn’t guarantee code safety; vulnerable if signing environment is compromised.

Vulnerable Components

  • Client vs. Server Processing: Client-side code (e.g., JS) more exposed to manipulation.
  • APIs & Formats:
    • REST/JSON: Prone to injection if inputs unsanitized.
    • SOAP: Verbose, unencrypted headers—requires strict input/output sanitization.
      • SOAP doesn’t have secure encrypted header while REST does
  • Browser Extensions & HTML5: Risky if untrusted; watch cross-domain messaging, geolocation.
    • tab nabbing, websockets, cross origin resource sharing, server sent events, sandbox frames
  • AJAX: (Async web applications) Same-origin policy applies; keep session state secure.
  • Machine Code & Bytecode: specific to processor; x86, arm
    • Bytecode aka intermediate code by Java VMs then translate into machine code

Software Composition

  • SCA (Software Composition Analysis): Identify vulnerabilities in open-source libs/deps.
  • Risks: Outdated 3rd-party code → XSS, SQLi, CSRF, clickjacking.
    • Example: Equifax breach via unpatched Apache Struts (CVE-2017-5638).
  • Tools: OWASP Dependency-Check, Dependency-Track.
  • Mitigations: Monitor CVEs, apply timely patches, avoid unsafe functions (strcpy, gets), enforce regression testing.
  • Common: poor exception handling, security misconfigs, weak crypto (RC4, DES), information disclosures, end of support or end of life, code injections, regression issues

Graph View