Web Application Threats - 1
Most security breaches occur in web applications rather than in web servers, because web applications may contain bugs introduced by coding issues in the development phase. Consequently, web applications are prone to various types of threats, some of which are outlined below:
▪ Injection Flaws
Injection flaws are the most common application vulnerabilities; they allow untrusted user-supplied data to be interpreted and executed as a command or query. The attackers inject malicious code, commands, or scripts into the input fields of flawed web applications in such a manner that the application interprets and runs the newly supplied malicious input, which in turn allows the attackers to extract sensitive information. Such injection flaws are commonly found in SQL, NoSQL, and LDAP queries as well as OS commands. Injection flaws were regarded as the topmost security vulnerability in web applications in 2017 by the Open Web Application Security Project (OWASP).
▪ SQL Injection
In this type of attack, the attacker injects malicious SQL commands or queries as input data. This helps them bypass the security measures of the web application and retrieve sensitive content from the database server.
▪ Cross Site Scripting
In this type of attack, the attackers bypass the client's ID security mechanisms and gain access privileges. Subsequently, they inject malicious scripts into specific fields in the web pages. These malicious XSS scripts can rewrite the HTML content of a website, hijack user sessions, redirect users to malicious websites, and deface websites. XSS is one of OWASP's top 10 web application security vulnerabilities for 2017.
▪ Cross Site Request Forgery
In this attack method, an authenticated user is made to perform certain tasks on the web application that are chosen by an attacker. For example, an attacker can make a user click on a particular link sent via email or chat.
▪ Broken Access Control
This is a method in which an attacker identifies a flaw in access-control policies and exploits it to bypass the authentication mechanism. This enables the attacker to gain access to sensitive data, modify access rights, or operate the accounts of other users. This is part of the 2017 OWASP top 10 security vulnerabilities.
▪ Broken Authentication
Attackers exploit implementation flaws in the authentication and session management functions of a web application to obtain administrative privileges or impersonate other users. Common vulnerable areas include timeouts, secret questions, and password management. Broken authentication is one of OWASP's top 10 web application security vulnerabilities for 2017.
▪ Buffer Overflow
A buffer overflow in a web application occurs when the application fails to guard its buffer properly and allows writing beyond the buffer's maximum size, thus overwriting adjacent memory locations. There are multiple forms of buffer overflow, including heap buffer overflows and format string attacks. The purpose of these attacks is to corrupt the execution stack of the web application.
▪ Cookie Poisoning
Cookie poisoning refers to the modification of a cookie for bypassing security measures or gaining unauthorized access to information. In this type of attack, the attackers bypass the authentication process by altering the information present inside a cookie. Once the attackers gain control over a network, they can modify its content, use the system for a malicious attack, or steal information from the users' systems.
▪ Sensitive Data Exposure
Sensitive information, such as account records, credit-card numbers, passwords, or other authentication information, is generally stored by web applications either in a database or on a file system.
If the developers make mistakes while enforcing encryption techniques in a web application or ignore the security aspects of some parts of the application, attackers can easily exploit those flaws to gain unauthorized access to sensitive information. Sensitive data can be exploited and misused by both insiders and outsiders to perform identity theft, credit-card fraud, and other cybercrimes. This threat is included in the OWASP top 10 security vulnerabilities for 2017.
▪ Information Leakage
refers to a drawback in a web application where the application unintentionally reveals sensitive information to an unauthorized user. Such information leakage can cause great losses to a company.
Hence, the company needs to employ proper content filtering mechanisms to protect all its information or data sources, such as systems or other network resources, from information leakage.
▪ Improper Error Handling
This threat arises when a web application is unable to handle internal errors properly. In such cases, the website returns information, such as database dumps, stack traces, and error codes, in the form of errors.
▪ Insufficient Logging & Monitoring
Log files keep records of the actions and events that occur while an application/service is running. This vulnerability occurs when the logs do not record security-critical events or provide unclear warnings or error messages. The lack of log monitoring or the maintenance of logs at insecure locations greatly increases the chance of a major security incident. Moreover, insufficient logging and monitoring practices leave no audit trail for forensic analysis, making the detection of any malicious behavior exceedingly difficult for forensic investigators. It is one of OWASP's top 10 web application security vulnerabilities for 2017.
▪ Path/Directory Traversal
When attackers exploit HTTP by using directory traversal, they gain unauthorized access to directories, following which they may execute commands outside the web server's root directory.
▪ Parameter/Form Tampering
This type of tampering attack aims at manipulating the communication parameters exchanged between a client and server to make changes in application data, such as user IDs and passwords, event logs, or the cost and quantity of products.
In order to improve the functionality and control of the application, the system collects such information and stores it in hidden form fields, cookies, or URL query strings.
Hackers use tools such as WebScarab and Paros proxy to launch this type of attack. Successful exploitation might lead to other attacks such as file inclusion and XSS.
▪ Denial-of-Service (DoS)
A denial-of-service (DoS) attack aims at terminating the operations of a website or server by making its resources unavailable to clients. For example, a DoS attack may shut down the functioning of a banking website or an email service for a few hours or even days, resulting in the loss of both time and money.
▪ Unvalidated Input
In this type of attack, attackers tamper with the URL, HTTP requests, headers, hidden fields, form fields, query strings, etc. to bypass the security measures of a system. User login IDs and other related data are stored in cookies, which become a source of attacks. Examples of attacks enabled by unvalidated input include SQL injection, cross-site scripting (XSS), and buffer overflows.
▪ Security Misconfiguration
The lack of a repeatable security-hardening process at any layer of the application stack, which includes web servers, databases, frameworks, host OSes, application servers, and storage devices, can lead to a security misconfiguration vulnerability.
The use of default configurations, default passwords, or out-of-date software can increase the risk of an attack. This is included in the OWASP 2017 top 10 security vulnerabilities.
▪ Log Tampering
Web applications maintain logs to track usage patterns, such as admin login credentials and user login credentials. Attackers usually inject, delete, or tamper with the web application logs to engage in malicious activities or hide their identities.
Computer forensics
refers to a set of methodological procedures and techniques to identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment in a form that is acceptable in a court of law
Cybercrime is defined
as any illegal act involving a computing device, network, its systems, or its applications. It is categorized into two types based on the line of attack: internal attacks and external attacks
Computer crimes
pose new challenges for investigators due to their speed, anonymity, volatile nature of evidence, global origin of the crimes and difference in laws, and limited legal understanding
Approaches to manage cybercrime investigations include
civil, criminal, and administrative approaches
Digital evidence is
"any information of probative value that is either stored or transmitted in a digital form". It is of two types: volatile (lost when power is off) and non-volatile (unaffected when power is off)
Forensic readiness refers to
an organization's ability to optimally use digital evidence in a limited period of time and with minimal investigation costs. It helps maintain business continuity. Practice drills.
Plan:
1. Identify potential evidence required.
2. Determine source.
3. Define policy.
4. Establish policy.
5. Identify if a full/formal investigation is required.
6. Create a process for documenting the procedure.
7. Legal advisory board.
8. Keep the incident response team ready.
includes technical and non-technical actions that maximize an organization’s competence to use digital evidence.
Organizations often include computer forensics as part of their
incident response plan to track and prosecute the perpetrators of an incident
Which of the following is true regarding computer forensics?
Computer forensics deals with the process of finding evidence related to a digital crime to find the culprits and initiate legal action against them.
Which of the following is not an objective of computer forensics?
Document vulnerabilities allowing further loss of intellectual property, finances, and reputation during an attack.
What is not an impact of cybercrime?
Huge financial gain
Which of the following is true of cybercrimes?
Investigators, with a warrant, have the authority to forcibly seize the computing devices.
Which of the following is true of civil crimes?
The initial reporting of the evidence is generally informal.
Which of the following is a user-created source of potential evidence?
Address book
Which of the following is a computer-created source of potential evidence?
Steganography
Under which of the following conditions will duplicate evidence not suffice?
When original evidence is in possession of the originator
Rules
Rule 101: Scope (in US)
Rule 102: Purpose (truth & Just)
Rule 103: Rulings on Evidence
Rule 104: Preliminary Questions
Rule 105: Limited Admissibility (proper scope)
Rule 502: Attorney-Client Privilege and Work Product; Limitations on Waiver
Rule 608: A Witness’s Character for Truthfulness or Untruthfulness
Rule 609: Impeachment by Evidence of a Criminal Conviction
Rule 614: Court’s Calling or Examining a Witness
Rule 701: Opinion Testimony by Lay Witnesses
Rule 705: Disclosing the Facts or Data Underlying an Expert’s Opinion
Rule 801: Definitions That Apply to This Article; Exclusions from Hearsay
Rule 803: Exceptions to the Rule Against Hearsay–Regardless of Whether the Declarant is Available as a Witness
Rule 804: Exceptions to the Rule Against Hearsay–When the Declarant is Unavailable as a Witness
Rule 901: Authenticating or Identifying Evidence
Rule 1001: Definitions that apply to this article
Rule 1002: Requirement of the Original
Rule 1003: Admissibility of Duplicates
Rule 1004: Admissibility of Other Evidence of Content
Minimizing the tangible and intangible losses to the organization or an individual is considered an essential computer forensics use.
True
Cybercrimes can be classified into the following two types of attacks, based on the line of attack.
Internal and external
Espionage, theft of intellectual property, manipulation of records, and Trojan horse attacks are examples of what?
Insider attacks or primary threats
External attacks originate from outside of an organization or can be remote in nature. Such attacks occur when
there are inadequate information-security policies and procedures.