Web application threats pdf
Logs are parsed manually or automatically. If attackers exploit vulnerabilities in an enterprise web app, a company may face large financial and reputational losses. A good trend is that companies now take web app security seriously, even when their apps are for internal use only. It is not so easy to achieve and then maintain a high web app security level. While pursuing this objective, it is important to adhere to two important rules as follows:

The Lvivity team has a pool of experience in developing web apps. We pay considerable attention to the security of the products we are working on. If you are looking for a reliable technology partner to assist you with such a project, please contact us to find out more.

Broken Authentication: Many apps require user identification to start working. How to prevent broken authentication vulnerabilities: most attacks of this kind occur due to the use of a password-only authentication method. Switch to multi-factor authentication. Authentication failures have to be logged and, if they recur, a warning has to be sent to administrators.

Login and Password Theft: Users often take this issue lightly and create far too simple passwords that are the same for different websites. How to prevent login and password theft: prevent visitors from using simple passwords.
Injection vulnerability is when an application sends untrusted data to an interpreter and the received data is interpreted as commands instead of data. This vulnerability where a malicious man-in-the-middle attacker.

Example: Assume that the application has two roles, Admin and User. The data referencing a logged-in user is stored in the query string parameter of the URL.

B. There are three known types of XSS: Stored or Persistent, Reflected or Non-Persistent, and DOM Based. We will discuss these with examples. The attacker crafts and stores a malicious script on www. Application www. When the victim accesses www. A more advanced version of the attack sends the session cookie to the www. This is also called a One-time Attack. In this web threat, the page content does not change, but the client-side script present.

D. This can be considered an attack which eventually executes the attack on the server. The attacker crafts a link and sends an HTTP request to www. The server considers this a legitimate request and processes the transaction. The user is redirected to the home page as the session contains a valid session ID; making it possible to use an existing session ID leads to a Session Fixation attack.

Introduction
Web applications have long been victims of attacks. These have taken down websites and brought them to their knees, and have run havoc on millions of unpatched machines of not just end consumers but corporates as well. Living in an era where most of our work gets done digitally, in some way or other, it is almost a scary thought to have application software that is not strong enough to face any reasonable security threat from external entities. It becomes very important for us to identify all the vulnerabilities of the system and come up with an action plan for how to address them. Detection of vulnerabilities should happen before the code base is pushed to production servers. In this section, we discuss how security and penetration testing can help in getting an unbiased external perspective on the exposed vulnerabilities of the product. Penetration tools and practices are discussed next. We then introduce the Burp Suite tool, which is one of the popular tools for web security assessment.

Web Security and Penetration Testing
A well-planned security testing is important before releasing the product to the production environment. Security testing is apart from the regular functional testing which is conducted for verifying and validating the product functionality. Quality metrics that the applications tested for security. In many organizations, a web security team is created who work full time on product security, and they are complemented by security leads in individual teams who analyse the product security right from the inception of a project till it is deployed to production servers. Security leads of the team need to analyse which methodologies need to be used for testing the software security of the product. In cases where minor updates are being pushed live, security testing is concentrated on the delta changes done as part of that release. A good security test plan covers fault injection, vulnerability scanning, byte code analysis and penetration testing.

Developers, testers, designers or architects are close to the product. This may result in false presumptions of product security. It is often seen that, when an issue gets reported from the field, it is because of overlooking certain parts of the product which are assumed to be vulnerability free. External testers should have very little or no knowledge about the product and what it does. There exist groups of certified security professionals who are equipped with knowledge and tools to assess the security strength and overall vulnerabilities of the system. Occasionally, a responsible organization should employ external groups to scan their website and provide a security report on overall product security. This process of security testing, where the tester is given an opportunity to find the strength of product security and enlist all its vulnerabilities using tools and techniques, is called penetration testing. Those designated for conducting the penetration tests are required to exhibit ethical behaviour and not disclose or misuse any information found during penetration testing. Once the report is provided, the organization needs to work on it. A fresh run of penetration testing may be required once the organization completes the security patching of the product. Per the authors, a penetration test should aim to determine the feasibility of a security attack from an external entity or to check if anyone has already been successful in attacking the system. Components of such a security audit include: Level 1 — High level assessment: review of data policies, procedures, guidelines and standards. Level 2 — Network evaluation: information procurement including preliminary scanning of folder structure, open ports etc. Level 3 — Penetration test: systematically attacking the application from the view of an attacker to find weak spots to compromise the system.

Penetration tools and practices
Some of the practices for systematically exploiting the system and finding the weak links as part of penetration testing are discussed here. Penetration testing is carried out in 3 phases [7]: Preparation (contract signing etc.), Execution (execution of penetration testing using tools) and Delivery (security report evaluation). Caution is needed before choosing a tool, as the tool itself might be compromised. Hence, using software from known and reputed sources is recommended.

International Journal of Scientific Research in Science and Technology www.

Before performing actual penetration testing, a military-based approach of finding maximum information about the attack surface is carried out. This is referred to as the reconnaissance process. It involves gathering information about the attack surface, determining the network range and the active machines in the network along with their open ports which can be exploited as access points, network mapping, and knowing more about the operating system which is running on the systems and the services which are running on them. The pre-tests which are carried out to achieve the above objectives are: Foot printing — accessing the security profile of an organization, information on operating system etc.; and mapping the network to give a bigger picture of the attack surface for a systematic attack. There are certain specialized tools available for penetration testing which have been discussed by Varun M Deshpande et al. Some of them are listed here: one traces the path taken by an IP packet from source to sink, which helps in debugging issues with bottlenecks and network congestion. There are several other notable penetration testing tools. However, the tester needs some amount of training to use them.

Detection of Web Threats using Burp Suite
Burp Suite from Portswigger [13] is a web security assessment tool. It is used to automatically crawl and scan websites for known vulnerabilities, which include the OWASP Top Ten web security risks. Using Burp Suite, one can scan for vulnerabilities, intercept browser traffic and automate custom security attacks. It supports several attack insertion points inside HTTP headers, parameter names, cookies, URL path etc. Burp Suite is an ideal tool for web security penetration testers. It has capabilities to perform static code analysis as well. Along with all these capabilities, it provides a best-in-class automated security test report. We will share details on how to analyse the Burp Suite report later in the paper. The Burp Suite Free edition has limited capabilities. We will show some of the configuration and capabilities with the following steps.

Step 1: After creating a custom project, we need to add a target scope listing all the web domains that we wish to scan. When the target scope is defined, it does not automatically cover sub domains. Hence, it is important to list all required sub domains in the app. A security tester can choose, as per application requirements, various attack insertion points.

Step 5: Usually, Burp Suite is not run on production servers. Instead, it is run specifically on selected production replica or QA servers. We need to ensure that all the scoped domains mentioned in Step 1 are covered under the host name resolution of the current step. The security tester tries to access all the functionalities provided by the web application, end-to-end. He also tries to scan for any accessible web services which can be exploited. This is configurable. Burp Suite takes care of forwarding the IP packets and returning the response back to the client. As mentioned in Step 2, intercept can be turned on or off based on project requirements. The proxy setting can be performed easily using Internet Explorer. In case it is configured on the same machine, the home IP address can be mentioned.

Step 7: Once the security testing starts, HTTP requests and responses start getting logged in Burp Suite.

Step 8: Once security testing is complete, the vulnerabilities which are detected in the web application are reported. These are briefly explained here.

In this section, we discuss some of the recommendations from the security community to ensure web security vulnerabilities are mitigated or avoided. Security has traditionally received less attention compared to the functional requirements and performance. Lately, this trend is changing and organizations have started to adopt security best practices into their development life cycle. One such practice is an automated development life cycle framework for software delivery. It has evolved over time and it has helped Microsoft achieve great results in the process.

The above code uses JavaScript. It adds a hyperlink with an onclick event. Note: the value you get may be different from the one in this webpage hacking tutorial, but the concept is the same.
What are Web Threats?

SQL Injection — the goal of this threat could be to bypass login algorithms, sabotage the data, etc.
Denial of Service Attacks — the goal of this threat could be to deny legitimate users access to the resource.
Cross Site Scripting (XSS) — the goal of this threat could be to inject code that can be executed on the client-side browser.
Form Tampering — the goal of this threat is to modify form data, such as prices in e-commerce applications, so that the attacker can get items at reduced prices.
Code Injection — the code can install backdoors, reveal sensitive information, etc.

How to protect your Website against hacks?

An organization can adopt the following policy to protect itself against web server attacks.

SQL Injection — sanitizing and validating user parameters before submitting them to the database for processing can help reduce the chances of being attacked via SQL Injection.
Denial of Service Attacks — proper configuration of networks and an Intrusion Detection System can also help reduce the chances of a DoS attack being successful.
Cross Site Scripting — validating and sanitizing headers, parameters passed via the URL, form parameters and hidden values can help reduce XSS attacks.
Form Tampering — this can be prevented by validating and verifying the user input before processing it.
Code Injection — this can be prevented by treating all parameters as data rather than executable code.
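As an added example (not code from the page or from any of the sources it quotes), the login check behind the "bypass login algorithms" and "treat all parameters as data" points above: the same lookup built by pasting user input into the SQL text, and then with the values passed separately as parameters, plus an allowlist check run before the query. The users table, the account and the inputs are constructed here for the demonstration.

```python
import re
import sqlite3

# Constructed sample data: one account in an in-memory database.
# A real application would store a password hash, not the password itself.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn

# Allowlist validation applied before anything reaches the database.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")

def validate_username(username):
    return USERNAME_RE.fullmatch(username) is not None

def login_vulnerable(conn, username, password):
    # User input becomes part of the SQL statement, so the interpreter
    # reads quotes and keywords inside it as commands, not as data.
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(conn, username, password):
    # Placeholders send the values out of band; whatever they contain is
    # compared as a literal string and can never change the query's logic.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

# Constructed input that turns the vulnerable WHERE clause into
# (username = 'alice' AND password = '') OR '1'='1', which matches every row.
INJECTED = "' OR '1'='1"

def demo():
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, "alice", INJECTED),
        "safe_rejects_injection": login_safe(conn, "alice", INJECTED),
        "safe_accepts_real": login_safe(conn, "alice", "correct horse"),
        "injection_fails_allowlist": not validate_username(INJECTED),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```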