Ways to Attack Your Web Application
There are a lot of security issues web developers have to keep in mind during constructing a web application. If your application works with personal data, banks or cryptocurrencies – this information is a good starting point. Every vulnerability in your application can cost a lot in the future so do not be afraid to spend some time examining common security patterns.
Denial of Service
Denial of Service attack used to slow or block access to a web server. The main concept of a web server is to handle a request and send a response. Every server has limited resources to work with. When the amount or quality of requests becomes too large it can freeze or crush a server. There are a few common ways to realize this scenario:
Buffer overflow(buffer overrun) – very popular exploit at the 1990’s – early 2000s and can be actual now. Buffer is the location in RAM that holding temporary data during processing before storing to HDD (SSD). It can contain any processing data: strings, arrays, etc. An attacker finds ways to send more data than the buffer can contain. In the result, we usually have the data corruption, system crash, and server restart. If the vulnerability is not fixed the hacker can hold server in the infinite restart. Can be fixed by validation.
SYN flood (SYN attack) – attack based on a three-way handshake in TCP. It can slow down or lock server connections by sending a huge amount of SYN (synchronize) messages. Can be fixed by filtering, SYN cache or SYN cookies, or by using firewalls and proxies.
Teardrop – this attack involves transferring fragmented overlapping packets to the server. At older versions of operating systems cannot reassemble them and crush. Can be fixed by system upgrade.
Smurf – involves large numbers of ICMP (Internet Control Message Protocol) packets sent to the server. The default behavior of most devices is replied to the client. This cause traffic flood and unavailability of the server. Can be fixed by router configuration.
Distributed Denial of Service (DDoS)
DDoS it’s DoS attack from big amount of distributed machines. For most DDoS attacks nowadays hackers use botnets – a network of devices with connection to the internet with malware coordinating its work. Your tea or coffee maker, robotic vacuum cleaner or smartphone can be used to attack remote resources without your knowledge thanks to malicious code from the web. The defense can vary from different angles of attack type (see above) but most common practice is to use DDoS protection from your providers or special hardware/software.
This kind of attack based on injection into the communication between two or more parties. The most popular type of attack calls active eavesdropping in which victims can not realize that attacker have access to their communication channel. Since most of the attacks can be rarely prevented by developers most common case is to minimize the effects of hijacking. Here 3 basic techniques:
Using MITM criminal can steal session token or another type of identifier to gain access to the resource.
This type relies on traffic analysis. Listening to network traffic and capturing network packets to restore sensitive information.
An attacker intercepts redirection from HTTP to HTTPS for a user and becomes a bridge between server and user.
Main steps to prevent or reduce damage from Man-in-the-Middle attack are using HTTPS only (force HTTPS is now common practice in modern web) and using public key based authentication.
- SSL Stripping (HTTP-downgrading attacks)
SQL Injection is one of the most common techniques to manipulate data. Using correct request with arbitrary SQL code in it. A hacker can achieve different goals: get personal data, add some data without any verification or just drop your entire database. Can be fixed by validating request data and using escaping for special characters.
XSS allows an attacker to compromise any user operations with a web application. There are main categories of this type of attack: reflected, stored and DOM-based. Reflected is the simplest but most popular one uses HTTP request parameters or HTML form. The main approach is to create a URL to a trusted resource but with malicious code inside it. Stored XSS much more tricky, it can help gain access to the server. The most frequent angle of attack is user files or text that can be stored at a server without proper validation. The third one, DOM-based can modify the content and structure of documents from DOM (Document Object Model). All these attacks can be prevented by proper validation.
CSRF is a very dangerous attack focused on users. An attacker uses the mechanism of cookie authentication to get authorized at web app. This exploit can be used because of some types of authentication send automatically cookies to every request to a website. Can be fixed with using header token-based authentication (but it less secure at other aspects) or CSRF-token (partially).
As we can see, the most common and effective attacks using three different ways: service freeze by request flood of remote machines, spy on a user using a connection or protocol vulnerability and inject malicious code into an application using interface or substituting requests to a server. First two angles of attack rarely handling by a developer (there are security specialists from providers or DevOps who manage production deploy). But injection type of attack always relies on web apps code to execute. As you can see, most of the attacks can be prevented by data validation and sticking best practices in authorization mechanism. Keeping the code clean and clear, using stable new versions of libraries and frameworks, using automated testing also helps to deliver a bug-free secure application.
Please, rate my article. I did my best!
Stay tuned. Monthly digest of the best stories.