Common techniques for attacking Web Applications

Source: Internet
Author: User

Target:

Servers and clients that use HTTP protocol, and Web applications that run on servers.

Attack basics:

HTTP itself is nothing more than a transport mechanism. In a Web application, all of the content of the HTTP request received from the browser can be freely changed or tampered with on the client side, so the Web application may receive content completely different from what it expects.

Attack entry points:

Query fields in the URL, form fields, HTTP headers, Cookies, and so on.

Attack code is carried in the HTTP request to initiate an attack on the Web application. The attack code is passed in through URL query fields, forms, HTTP headers, Cookies, and other channels; if the code that handles them has a security vulnerability, attackers can obtain administrative permissions, or steal or alter the requested content.

Attack method:

Active and passive attacks

Active attacks: attacks aimed directly at the server

An active attack is an attack mode in which the attacker passes in attack code by directly accessing the Web application. Because this mode directly attacks resources on the server, the attacker needs to be able to reach those resources.

Representative active attacks are SQL injection attacks and OS command injection attacks.

SQL injection attacks

This attack is targeted at the database used by a Web application and is carried out by running illegal SQL statements.

Attack Mode: When a Web application searches, adds, or deletes data in a database table, it connects to the database and issues SQL statements for the corresponding operation. If the code that assembles the SQL statement has a vulnerability, an illegal SQL statement can be injected, and the attack can be carried out straight from the browser's address bar. For example, -- is added to a URL parameter; because -- begins a comment in an SQL statement, the rest of the statement (such as a password check) is commented out and ignored.

Attack impact: illegal viewing or tampering with data in the database, bypassing of authentication, execution of programs through the database server's functions.
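The following is an added example, not code from the original article: a login check written twice against a constructed in-memory SQLite table (the user name, password and table layout are sample values). The first version pastes user input into the SQL text, so the -- comment described above removes the password check; the second binds the input as parameters, so the same input stays data.

```python
import sqlite3

# Constructed sample data for this example: one user with a known password.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
conn.commit()


def login_vulnerable(name, password):
    """String concatenation: the input becomes part of the SQL statement."""
    sql = (f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(name, password):
    """Parameterized query: the driver binds the values, so a quote or -- in
    the input can never change the structure of the statement."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


# Constructed input: closes the quoted name, then -- comments out the rest
# of the WHERE clause, including the password comparison.
PAYLOAD = "alice' --"

if __name__ == "__main__":
    print("vulnerable:", login_vulnerable(PAYLOAD, "anything"))  # True
    print("safe:      ", login_safe(PAYLOAD, "anything"))        # False
```

With the vulnerable version the statement sent to the database is SELECT COUNT(*) FROM users WHERE name = 'alice' -- ..., and everything after -- is ignored; the parameterized version looks for a user literally named "alice' --" and finds none.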

OS command injection attacks

This attack uses the Web application to execute illegal operating system commands. Wherever a Shell can be invoked, there is a risk of being attacked.

Attack Mode: A Web application uses the Shell to call operating system commands. If there is a vulnerability in how the Shell is called, attackers can execute illegal OS commands; that is, any program installed on the OS can be executed through an OS command injection attack. For example, a form that sends an inquiry email by invoking the system mail command is a typical injection point.
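An added example (not from the original article) of the two ways a Web application can hand a user-supplied host name to a command. The command, the host-name allowlist and the inputs are assumptions made for the example. The vulnerable version builds a single string for the Shell, where ; and | are command separators; the safe version validates the input and passes it as one argv element with no Shell involved.

```python
import re
import subprocess

# Assumed allowlist for this example: letters, digits, dots and hyphens only,
# and the first character may not be '-' so the value cannot become an option.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def ping_cmdline_vulnerable(host):
    """Builds a Shell command line from the input. Passed to the Shell,
    'example.com; echo injected' runs a second command."""
    return f"ping -c 1 {host}"


def ping_argv_safe(host):
    """Rejects anything outside the allowlist and returns an argv list.
    Each list element reaches the program as one literal argument."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


def run_safe(host):
    """shell=False (the default): argv goes straight to the program,
    never through /bin/sh, so metacharacters are never interpreted."""
    return subprocess.run(ping_argv_safe(host), capture_output=True, text=True)


if __name__ == "__main__":
    print(ping_cmdline_vulnerable("example.com; echo injected"))
    try:
        ping_argv_safe("example.com; echo injected")
    except ValueError as err:
        print("rejected:", err)
```

Two points the allowlist covers that a plain "strip semicolons" filter does not: the first character may not be a hyphen, so the value cannot be turned into an extra option (argument injection), and the argv form means even a value containing a space or quote would be passed as one argument.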

Passive attacks: attacks that reach the server by way of the user

A passive attack is an attack mode that uses a trap to get the attack code executed. In a passive attack, the attacker does not directly attack the target Web application; the usual approach is to set a trap for the user to trigger. Once the trap is triggered, the user's browser sends an HTTP request containing the attack code to the target Web application, and the attack code is run. Through the attack code, attackers can steal the user's personal information and tamper with or abuse it. This attack mode can also be used to attack an enterprise intranet that the attacker cannot reach directly.

Typical attacks include cross-site scripting attacks, cross-site request forgery, and HTTP header injection attacks.

Cross-Site Scripting

Cross-Site Scripting (XSS) is an attack that runs illegal HTML tags or JavaScript code in the browser of a user visiting a website that has a security vulnerability.

Attack Mode: the attacker writes a script and sets a trap with it. When the user's browser runs the script, the user is attacked without noticing.

Attack impact: the attacker uses a fake input form to defraud the user of personal information, uses a script to steal the user's Cookie values, sends malicious requests on the user's behalf without the user's knowledge, and displays forged articles or images.

XSS is a passive attack triggered by a trap prepared in advance by the attacker. For example, specific script code is added to a URL so that the victim's personal login information can be obtained and the user's Cookie stolen (read through JavaScript).
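An added example, not part of the original article, showing the two defences that match the impact described above: output encoding, which turns a submitted script tag into harmless text, and the HttpOnly Cookie attribute, which keeps document.cookie from reading the session Cookie even if a script does run. The comment text, the cookie name and the header format are constructed for the example.

```python
import html


def render_comment_vulnerable(comment):
    """User-supplied text inserted into the page as-is: a <script> tag
    in the comment is executed by every visitor's browser."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment):
    """HTML-encodes &, <, >, " and ' so the text is displayed, not parsed.
    html.escape() is the standard-library encoder for element content
    and double-quoted attribute values."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


def session_cookie_header(session_id):
    """Set-Cookie with HttpOnly: JavaScript cannot read the value, so a
    script that does get injected cannot exfiltrate it via document.cookie.
    Secure restricts it to HTTPS and SameSite=Lax limits cross-site sending."""
    return (f"Set-Cookie: SESSIONID={session_id}; "
            "HttpOnly; Secure; SameSite=Lax; Path=/")


# Constructed sample input: a comment that carries a script tag.
PAYLOAD = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    print(render_comment_vulnerable(PAYLOAD))
    print(render_comment_safe(PAYLOAD))
    print(session_cookie_header("example-session-id"))
```

Encoding has to match the output context: html.escape() is right for element text and quoted attributes, but a value written into a JavaScript block, a URL or a CSS property needs that context's own encoding.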

Cross-Site Request Forgery

CSRF is a passive attack in which an attacker uses a prepared trap to force an authenticated user to update personal information or account settings unintentionally. Impact: using the authenticated user's permissions to update settings, to buy products, to post comments on a message board, and so on.
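An added example (not from the original article) of the standard countermeasure: a random anti-CSRF token stored in the server-side session and echoed back in each state-changing form. The browser attaches Cookies automatically to a request the trap page triggers, but the trap page cannot read the token, so a request without the right token is refused. The session dictionary, the form field names and the handler are assumptions made for the example.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Mint a per-session random token, keep it server-side and return it
    so the page can embed it in a hidden form field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf(session, submitted):
    """Constant-time comparison of the submitted token with the stored one."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_change_email(session, form):
    """A state-changing request: refuse it unless the CSRF token matches.
    Returns an (HTTP status, message) pair for this example."""
    if not verify_csrf(session, form.get("csrf_token")):
        return 403, "CSRF check failed"
    session["email"] = form["email"]
    return 200, "email updated"


if __name__ == "__main__":
    # Constructed walkthrough: a logged-in user's session and two requests.
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    print(handle_change_email(session, {"email": "alice@example.com",
                                        "csrf_token": token}))
    # A request built by a trap page: it has the Cookie but not the token.
    print(handle_change_email(session, {"email": "attacker@example.com"}))
```

The SameSite Cookie attribute reduces the exposure further, but the token remains the check that ties a form submission to the page the server actually served.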

HTTP header Injection Attack

This attack mode refers to an attack in which the attacker inserts a line break into a response header field and thereby adds arbitrary response headers or an arbitrary body. It belongs to the passive attack mode. The variant that adds content to the body is called the HTTP response truncation (splitting) attack.

Attack Mode: a Web application sometimes assigns values received from the outside to response header fields such as Location and Set-Cookie. HTTP header injection exploits the point at which such externally supplied values are written into the response headers by inserting a line break into the value.

Attack impact: set arbitrary Cookie information, redirect to an arbitrary URL, and display an arbitrary body (HTTP response truncation attack).

Attack case:

1. %0D%0A (a line break in the HTTP message) is added after the URL, followed by a header field composed by the attacker; for example, a Set-Cookie field so that the user's browser stores a Cookie value chosen by the attacker.

2. HTTP response truncation attack: two %0D%0A sequences are inserted side by side and sent. Two consecutive line breaks separate the HTTP headers from the body, so a spoofed body can be displayed for attack purposes. With this method, the user who has triggered the trap sees the forged Web page and is then asked to enter personal information, achieving the same effect as a cross-site scripting attack.

3. Cache pollution: abusing HTTP/1.1's ability to return multiple responses causes the cache server to cache arbitrary content. Users of that cache server will keep seeing the replaced Web page whenever they browse the attacked website.

Other attack methods:

Mail header injection attacks

This attack mode targets the mail-sending function of a Web application. The attacker initiates the attack by adding illegal content to the mail header or subject. A website with this security vulnerability can be made to send advertising or virus emails to any email address.

Attack case: the attacker enters an email address followed by %0D%0A, which indicates a line break in the mail message, and submits the request. Using this, the attacker can append further recipient addresses, and two consecutive line feeds allow the attacker to tamper with the text of the email before it is sent. In the same way, any mail header such as To or Subject can be rewritten, and attachments can be added to the text.
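HTTP header injection and mail header injection above are the same defect in two protocols: both HTTP and mail headers are delimited by CR LF, so a value that contains a line break starts a new header, and two line breaks start the body. The following added example (not from the original article) shows a Location header built from a raw URL parameter, where the decoded %0D%0A becomes a new Set-Cookie line, next to the check that refuses CR and LF in any header value, reused for the To and Subject mail headers. The parameter, the Cookie name and the addresses are constructed for the example.

```python
from urllib.parse import unquote


def has_crlf(value):
    """True if the value contains a carriage return or line feed."""
    return "\r" in value or "\n" in value


def location_header_vulnerable(url_param):
    """Raw concatenation: once %0D%0A is decoded, the text after it is
    emitted as a separate header line of the attacker's choosing."""
    return "Location: " + unquote(url_param)


def location_header_safe(url_param):
    """Reject any CR/LF after decoding, before the value reaches the header."""
    value = unquote(url_param)
    if has_crlf(value):
        raise ValueError("CR/LF not allowed in header value")
    return "Location: " + value


def mail_headers_safe(to_addr, subject):
    """Same rule for mail: a line break in To or Subject would add headers
    (for example extra recipients) or, doubled, replace the message body."""
    for name, value in (("To", to_addr), ("Subject", subject)):
        if has_crlf(value):
            raise ValueError(f"CR/LF not allowed in {name}")
    return f"To: {to_addr}\r\nSubject: {subject}\r\n"


# Constructed input: a redirect target followed by an injected header line.
INJECTED = "/home%0D%0ASet-Cookie:%20SESSIONID=attacker-chosen"

if __name__ == "__main__":
    print(repr(location_header_vulnerable(INJECTED)))
    try:
        location_header_safe(INJECTED)
    except ValueError as err:
        print("rejected:", err)
```

Two caveats a practitioner should keep in mind: the check must run on the decoded value (percent-decoding may happen in the framework before the application sees the parameter, or not), and a doubled %0D%0A%0D%0A is what turns header injection into response truncation, so the same check covers both cases. Python's own http.client raises ValueError for a header value containing CR or LF; a raw socket write or a hand-built response string does not.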


Directory traversal attacks

A directory traversal attack is an attack that gives access to file directories that were never intended to be disclosed.

Attack Mode: When a Web application processes files, the externally specified file name may contain a vulnerability: relative paths such as ../../etc/passwd are resolved against the absolute path, so any file or directory on the server may be reached. Attackers can browse, tamper with, or delete files on the Web server.
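An added example (not from the original article) of path handling for a file download feature. The document root is a constructed path for this example. The vulnerable version joins the user-supplied name onto the root, so ../ segments walk out of it; the safe version canonicalizes the result and checks that it still lies inside the root.

```python
import os

# Constructed document root for this example (it need not exist on disk).
BASE_DIR = os.path.realpath("/var/www/files")


def resolve_user_path_vulnerable(name):
    """Joins the name straight onto the root: '../' climbs out of it, and
    an absolute name replaces the root entirely."""
    return os.path.join(BASE_DIR, name)


def resolve_user_path_safe(name, base_dir=BASE_DIR):
    """Canonicalize (collapse '..' and resolve symlinks) and then require the
    result to be inside base_dir. commonpath() is used instead of a string
    prefix test so that '/var/www/files2' is not mistaken for the root."""
    candidate = os.path.realpath(os.path.join(base_dir, name))
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        raise ValueError("path escapes document root")
    return candidate


if __name__ == "__main__":
    for name in ("report.txt", "../../../etc/passwd", "/etc/passwd"):
        try:
            print(name, "->", resolve_user_path_safe(name))
        except ValueError as err:
            print(name, "->", err)
```

Resolving symbolic links before the check matters: a link inside the root that points outside it would otherwise pass a check done on the unresolved path.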

Remote File Inclusion Vulnerability

This attack mode means that when a script needs to read content from other files, the attacker can specify the URL of an external server as the dependent file that the script reads, allowing any script to be run. This is a major security vulnerability in PHP: PHP's include and require can be given the URL of an external server as the file name. Because this is so dangerous, the feature is disabled by default from PHP 5.2.0 onward.

Security vulnerabilities caused by configuration or design defects

These are security vulnerabilities caused by incorrect Web server settings or by design problems in the application.

1. Forced browsing

Forced browsing is browsing files that sit in the Web server's public directory but were never meant to be published. This vulnerability may expose customers' personal information, information that should be accessible only to users with the appropriate permissions, and files that are not linked from anywhere. Merely hiding the URL is not a sufficient safeguard, because when a file name or directory index is directly displayed, the URL can be leaked by several means.

2. Incorrect error message processing

The Web application error information contains information useful to attackers, including the error information thrown by the Web application and the error information thrown by the database and other systems.

Error messages thrown by a Web application: this section uses the error messages of an authentication function as an example of incorrect error message handling. When a logon fails, a specific reminder such as "this user is not registered" lets the attacker determine whether the user is registered. We recommend keeping the reminder message at the level of a plain "authentication error".

Database and other system error messages: when unexpected input causes a database error, the error is shown to the user. Attackers can read database information, such as the fact that the database is MySQL, from the message, which may invite SQL injection attacks.

3. Open redirection

A specified URL is redirected to a malicious Web site, so that the user is directed to that site. For example, http://example/?redirect=***: the attacker sets the redirect parameter to the URL of a site under their control. It may be used as a stepping stone for phishing attacks.
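An added example (not from the original article) of validating the redirect parameter before using it. The allowed host list is an assumption for the example. Beyond the plain http://other-site case in the text, it also rejects scheme-relative (//host), javascript: and backslash forms, which browsers treat as leaving the site even though they do not look like full URLs.

```python
from urllib.parse import urlparse

# Assumption for this example: the hosts the application itself is served on.
ALLOWED_HOSTS = {"example.com"}


def redirect_target_vulnerable(param):
    """Uses whatever the ?redirect= parameter says."""
    return param


def redirect_target_safe(param, default="/"):
    """Allow only same-site absolute URLs or plain site-relative paths;
    anything else falls back to the default landing page."""
    parsed = urlparse(param)
    if parsed.scheme or parsed.netloc:
        # Absolute or scheme-relative: scheme and host must both be ours.
        if parsed.scheme not in ("http", "https"):
            return default
        if parsed.hostname not in ALLOWED_HOSTS:
            return default
        return param
    # Relative: exactly one leading slash, and no backslash that a browser
    # would normalize into '//host'.
    if not param.startswith("/") or param.startswith("//") or param.startswith("/\\"):
        return default
    return param


if __name__ == "__main__":
    for p in ("/account", "https://example.com/account",
              "http://attacker.example/", "//attacker.example/",
              "javascript:alert(1)", "https://example.com@attacker.example/"):
        print(p, "->", redirect_target_safe(p))
```

The "@" case is the one most often missed by hand-written prefix checks: urlparse() reports the part after "@" as the host, which is also how a browser reads it.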

Security vulnerabilities caused by session management negligence

If session management is neglected, the user's authentication status may be stolen. For example, session hijacking (obtaining the user's session ID by some means and impersonating the user) and session fixation attacks (forcing the user to use a session ID chosen by the attacker; this is a passive attack).
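An added example (not from the original article) of the countermeasure to session fixation: issuing a fresh session ID at the moment of authentication. The in-memory store and its API are assumptions for the example. In the vulnerable login, a session ID the user arrived with (possibly one the attacker handed to them) is accepted and simply marked as authenticated; in the safe login, the old ID is discarded and a new random one is issued, so an ID known to the attacker never becomes an authenticated one.

```python
import secrets


class SessionStore:
    """Minimal server-side session store for this example."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login_vulnerable(self, sid, user):
        """Accepts any presented ID, even one never issued by the server,
        and keeps it across authentication: a fixated ID becomes a
        logged-in session the attacker already knows."""
        sess = self._sessions.setdefault(sid, {"user": None})
        sess["user"] = user
        return sid

    def login_safe(self, sid, user):
        """Drops the pre-authentication ID and issues a new random one.
        Any state worth keeping is copied over; the old ID stops working."""
        old = self._sessions.pop(sid, {})
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {**old, "user": user}
        return new_sid


if __name__ == "__main__":
    store = SessionStore()
    fixed = "id-chosen-by-attacker"      # constructed: arrived via a trap link
    print("vulnerable keeps:", store.login_vulnerable(fixed, "alice") == fixed)
    new_id = store.login_safe(fixed, "alice")
    print("safe rotates:", new_id != fixed, "old id valid:", store.get(fixed) is not None)
```

Regenerating the ID on login addresses fixation; the same HttpOnly and Secure Cookie attributes shown for XSS limit the hijacking case, where the attacker tries to read an existing ID rather than plant one.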
