About Web Application Security - OWASP
Security is a very important topic that has gained a lot of prominence in recent years. Developing a secure Web application is a difficult task nowadays: several technologies are involved, and consequently there are several types of attacks that can be carried out against Web applications, with new vulnerabilities and attacks appearing over time.
In companies it is common to find infrastructure environments running outdated software: the operating system, the DBMS, application servers and libraries in general. But a large part of the attacks succeed because of vulnerabilities in the application itself. The software developer has a very important role in writing sound code and in knowing the many technologies and standards of Web development, and the system administrator in designing and maintaining a good infrastructure environment. This is where the security professional comes in, performing analysis and security testing together with the development and administration teams. It is therefore very important that companies invest enough in information security, so as not to lose the confidence of their clients and to avoid possible damage.
Let's talk about some vulnerabilities that are commonly found in Web applications.
- SQL Injection
Sample I: imagine that this is a form field:
[ '; delete from usuarios; ]
Notice that the command is simple, but this attack can cause catastrophic damage to a company. In this illustrative example we are trying to inject an SQL statement that deletes all records from the application's users table. Of course, this assumes that the table storing the application's users is named users (usuarios in the sample input).
In addition to injecting SQL commands that erase application information, an attacker can also inject commands that obtain sensitive user information, as happened to large companies such as Yahoo and eBay in the past.
Sample II: imagine that this is a login form:
Username: [ 'or 1 or 'a'= 'a ]
Password: [ * * * * * * * * * ]
In this second example we are exploiting the possibility that the login and password parameters are concatenated directly into the string that assembles the SQL command. This is exactly what creates the vulnerability, because it would then be possible to generate the following SQL statement:
select * from users where login = '' or 1 or 'a' = 'a' and password = '12345678'
Final result (AND binds tighter than OR): FALSE OR TRUE OR (TRUE AND FALSE)
This logical expression evaluates to TRUE, as if the query had returned a valid user record from the database, so the application logs the attacker in normally.
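The login bypass described above, carried through in working code as an added example (not code from the article): the vulnerable function concatenates the username and password into the SQL string exactly as the text describes, while the hardened function binds them as parameters. The users table, its single account and the use of Python's sqlite3 module are assumptions made for this demonstration.

```python
import sqlite3

# Constructed sample data (not from the article): one account in an in-memory users table.
# The password is stored in clear text only to keep the demonstration short;
# a real application stores a password hash.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (login text, password text)")
    conn.execute("insert into users values ('alice', 'secret-1')")
    conn.commit()
    return conn

def build_vulnerable_sql(login, password):
    # The pattern the article describes: untrusted parameters concatenated
    # straight into the SQL string, so quotes in the input become SQL syntax.
    return ("select * from users where login = '" + login
            + "' and password = '" + password + "'")

def vulnerable_login(conn, login, password):
    # Returns True when the query finds at least one row, i.e. the user "logs in".
    row = conn.execute(build_vulnerable_sql(login, password)).fetchone()
    return row is not None

def safe_login(conn, login, password):
    # Parameterized query: the driver binds the values separately, so a quote
    # in the input is just a character inside the value, never SQL syntax.
    row = conn.execute(
        "select * from users where login = ? and password = ?",
        (login, password),
    ).fetchone()
    return row is not None

def demo():
    conn = make_db()
    payload = "'or 1 or 'a'= 'a"  # the article's sample username
    return {
        # the statement the application actually sends to the database
        "vulnerable_sql": build_vulnerable_sql(payload, "12345678"),
        # True: the OR 1 makes the WHERE clause match every row
        "vulnerable_bypass": vulnerable_login(conn, payload, "12345678"),
        # False: the same payload is compared literally against the login column
        "safe_bypass": safe_login(conn, payload, "12345678"),
        # True: the parameterized query still works for a genuine user
        "safe_real_user": safe_login(conn, "alice", "secret-1"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Running the script shows the assembled statement and the three outcomes side by side; the only change between the two login functions is where the input ends up, inside the SQL text or in a bound parameter.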
- Cross-site Scripting
In 2005, Samy Kamkar developed a script, stored in his MySpace profile, that made every user who visited his profile automatically add him as a friend, and also added to the victim's page a "My Heroes" section with the text "but most of all, Samy is my hero". The script copied itself into each victim's profile as well, so their visitors were infected in turn. By the way, Samy had few friends beforehand =) and in less than 24 hours he was the most popular user on MySpace, passing the mark of 1 million friends.
To check more details of this beautiful story, visit https://samy.pl/popular/
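The worm worked because profile text was written back into other users' pages as live HTML. As an added example (not code from the article or from Samy's worm), here is that vulnerable rendering pattern beside the hardened one, which applies HTML output encoding with Python's html.escape; the profile data is constructed for the demonstration.

```python
import html
import re

# Constructed sample profile (not from the article): the bio carries a script tag.
DISPLAY_NAME = "Samy"
PROFILE_BIO = 'Hi! <script>alert("xss")</script> but most of all, Samy is my hero'

def render_unescaped(display_name, bio):
    # The vulnerable pattern: user-supplied text pasted into the page as HTML,
    # so any tag in the bio is parsed and executed by every visitor's browser.
    return f"<h1>{display_name}</h1><p>{bio}</p>"

def render_escaped(display_name, bio):
    # Output encoding for the HTML text context: < > & " ' become entities, so the
    # browser displays the text literally and never sees a <script> element.
    return f"<h1>{html.escape(display_name)}</h1><p>{html.escape(bio)}</p>"

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)

def contains_script_tag(rendered_html):
    # Demo check: did a real script tag survive into the rendered page?
    return SCRIPT_TAG.search(rendered_html) is not None

def displayed_text(escaped_fragment):
    # What the visitor reads once the browser decodes the entities:
    # the original text, unchanged, but as text rather than markup.
    return html.unescape(escaped_fragment)

if __name__ == "__main__":
    print(render_unescaped(DISPLAY_NAME, PROFILE_BIO))
    print(render_escaped(DISPLAY_NAME, PROFILE_BIO))
```

Escaping preserves what the user wrote (the decoded text is identical) while removing its power to act as markup; the same idea applies to other contexts (attributes, JavaScript, URLs), each of which needs its own encoder.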
- Cross-Site Request Forgery
To learn more about these attacks and many others as well as how to prevent them in Web applications, I recommend that you follow the work of OWASP (https://owasp.org), a leading open community focused on application security.
The Open Web Application Security Project is an open community, started in 2001, to enable organizations to keep their applications reliable, with a focus on security. The project offers free documents, tools, forums and security studies.
One of the most popular documents among information security professionals is the OWASP Top 10, a study-based list of the ten most critical risks in applications. The document describes each risk in detail, shows examples of how it works, and also teaches you how to prevent it.
For those who work in or are learning about this field of information security, I strongly recommend analyzing and testing the OWASP Juice Shop Project application.
The OWASP Juice Shop Project focuses on the practice of CTFs. CTF stands for Capture the Flag: competitions that exercise the diverse skills of professionals in this field.
I want to contribute more in my free time. I hope you find something here that brings value to you. If you are new to the area, tell me your difficulties; if you already work in it, we will share knowledge and techniques.
Do not hesitate to contact me!
Do you like to write about your infosec knowledge, skills, opinions, or exploits?
Publish your original research, tutorials, articles, or other written content on Cybrary's blog to be seen by thousands of infosec readers daily!