Web Application Vulnerabilities

I'm working with Web Application Firewalls (WAF) lately where I have to interact closely with developer teams to know how applications work to apply security policies for protection of the layer 7 against XSS attacks, SQL injection attacks or CSRF attacks. Actually, it's important to know how web application work to allow the maximum length of the URI, the amount of bytes sent for each request/response, the kind of encoding, the parameters' value, etc.

Web Application Firewalls are appliances, physical or virtual, which should be full proxies to analyse traffic in both direction (requests and responses) for blocking malicious patterns. In fact, this is a Benefit of Layer 7 Load Balancing, that along with attack signatures, they are able to block the most Top 10 Critical Web Application Security Risks of OWASP. Thanks to the Hack-it-yourself auction website of F5 Networks and my last Ethical Hacking course, I'm going to show you some Web Application Vulnerabilities.

Parameter Tampering

This is an Insecure Direct Object Reference Attack where the attacker can access to internal objects like URLs, parameters, files, directories, hidden fields, and database keys without authorization. For instance, the attacker can change the account number of the next URL and he can access to another account without authorization:


Hidden Field Manipulation

This is another Insecure Direct Object Reference Attack where the attacker can get and modify hidden fields from the HTML for skipping steps in application wizards, modifying dynamic parameters, changing the access controls profile in a web application, etc. For instance, the attacker can change the price of a product in the client-side with a Web Proxy to buy cheaper in e-commerce applications.

Forceful Browsing

This is a Missing Function Level Access Control where there are security misconfigurations which can be used for sensitive data exposure by attackers. For example, the attacker can jump from www.website.com/ to the unauthorized resource www.website.com/include for reading old or backup files in a website compromising passwords.

Cross Site Scripting (XSS)

This is a common attack that runs the hacker's JavaScript in the client-side. For example, the attacker can use this kind of attack for redirecting the browser to a malicious website, stealing cookies and passwords, or even scanning the internal network. The JavaScript can be uploaded to our website inside forms or other text inputs and when clients visit our website, or click the resource, they will run the malicious script.

Injection attacks

This is another common attack where the attacker injects sentences against an interpreter like SQL, OS or LDAP. The most common attack is SQL injection (SQLi) where the attacker queries directly to the database engine for stealing/reading the whole database, tables and even write or delete data. It can be also used for bypassing the authentication process in the login form, for instance, with the next sentence:

SELECT * FROM users WHERE username = `admin` OR 1=1 `

These are some Web Application Attacks which are easy to block with a WAF but very difficult with an IPS or a layer 4 firewall.

Regards my friends, I'm wondering, should we learn about OWASP at University?