Bobcares

Security Testing of Web Applications (III/III)

by | Aug 17, 2010

Last week I spoke about SQL injection attacks used to try and gain access to the Administrative Interface on an application sever. This week I will be talking about three other methods used to try and do the same.

Parameter Tampering:

Parameter tampering is a form of hacking that creates a change in the url associated with a web page. The web parameter tampering attack is based on the manipulation of parameters exchanged between client and server. This parameter tampering is used to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or url query strings.

One of the most common tools used to minimize the potential of parameter tampering is firewall. As part of the operation of a firewall, each parameter or identifying data that defines a web page must be verified in order to allow full access to the page. If any single parameter does not meet with the standards established during the implementation of the firewall, access is blocked and cannot be secured by a hacker.

Various other settings can be put in place to limit the ability of a hacker to make use of parameter tampering. Like a firewall, these settings verify the status of all parameters and make sure nothing is wrong. This verification process will look at the numeric range that was set for the web page as well as the minimum and maximum lengths of the entered strings that are applied to the page. If any parameter does not match the original configuration, then access is denied.

Both whitelisting and blacklisting are employed as tools to limit parameter tampering. Whitelisting essentially works to accept only input that is allowable by the current security settings. Blacklisting focuses more on refusing to allow access, using any input that is not specifically included in the security protocols. Depending on the degree and type of security protection desired, one or both of these tools may be employed simultaneously.

 

Cross-Site Scripting:

Cross-site scripting attacks occur when the attacker takes advantage of a web application and creates a request with malicious data (such as a script) that is later presented to the user requesting it. The malicious content is usually embedded into a hyperlink. If the user then follows the link, the malicious data is sent to the web application, which in turn creates an output page for the user. The user, however, is normally unaware of the attack, and assumes the data originates from the web server itself, leading the user to believe this is valid content from the Web site. Many popular guestbook and forum programs allow users to submit posts with html and javascript embedded in them.

For example, an attacker might place a hyperlink with an embedded malicious script into an online discussion forum. The purpose of the malicious script is to attack other forum users who happen to select the hyperlink. It could copy user cookies and then send those cookies to the attacker.

The following are the general approaches to prevent cross-site scripting attacks:

  • Encode output based on input parameters.
  • Filter input parameters for special characters.
  • Filter output based on input parameters for special characters.

 

Buffer Overflow:

A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers. This may corrupt or overwrite the valid data held in them. Although it may occur accidentally through programming error. Buffer overflow is an increasingly common type of security attack on data integrity. This may damage the user’s files, change data, or disclose confidential information. Code security is the best possible solution to avoid buffer overflow. Avoid standard unsafe functions in coding to prevent buffer overflow.

 

Incomplete development processes leave the web application at risk. Well, to achieve greater level of application security, mature development practices that will not leave any loop holes to attackers need to be implemented. I hope these posts will help you on your way there.

 


About the Author :

Dhanya P.B. joined Bobcares in October 2006. Initially working in the Technical Support department, she later moved to our Software Development department where her talents truly shined. She has been working as a dedicated software tester for the past two and a half years and is passionate about learning the rhythms of various Software Testing Techniques. In her free time she listens to soft music and enjoys cooking.


0 Comments

Never again lose customers to poor
server speed! Let us help you.