SOC - Web Vulnerabilities (Lesson)

Web Vulnerabilities

Introduction

In this lesson, you will learn why websites are so vulnerable. Why is it so hard to write secure web code? One reason may be that web programming education usually does not include security concepts. However, even programmers who are aware of security risks find it difficult to create truly secure websites because websites must be available to anyone and most websites allow user interaction.

It would be much easier to have a static page, open only to authenticated users who can’t have any interaction with the page. But that would take us back to the 1990s, so not really a solution… Instead, cybersecurity professionals wage an ongoing battle against various vulnerabilities.

The Open Web Application Security Project (OWASP) is a non-profit organization that gathers and shares data about the most commonly exploited web application vulnerabilities. The goal of OWASP is to help web developers improve the security of their code by publishing a list of common vulnerabilities every 2-3 years.

2021 OWASP Top Ten Web Application Security Risks

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-Side Request Forgery

The OWASP risks are ranked based on the severity of the vulnerabilities, how often the security issues are seen, and the degree of their possible impacts. The detailed information available on the OWASP site includes guidance on writing code to avoid or fix these vulnerabilities. You will have an opportunity to learn more about solutions later in this lesson.

Stateless vs Stateful Protocols

However, let’s get back to our discussion of why websites are so vulnerable. As mentioned already, in the old days, like the 1990s, users could access a website multiple times, but each access would be a new event to the web server because it used the HTTP protocol, which is stateless. This means that the web server will not automatically retain any information about previous activity from a web client.

However, websites want to give users content that is interactive, like keeping track of user preferences, shopping carts, etc. To keep track of the user’s visit (aka session), the web server needs to use technology besides HTTP to save details, such as preferences and activities. This makes the browsing session stateful and, thus, interactive. A stateful protocol maintains session information across multiple requests. This means the server keeps track of the state of communication with each client, allowing for a continuous conversation or transaction over several requests. Transmission Control Protocol (TCP) is a stateful protocol, maintaining a connection and state information about the session during the communication process.

HTTP vs HTTPS

Do you remember the difference between HTTP and HTTPS from a previous lesson? HTTP (Hypertext Transfer Protocol) and HTTPS (Hypertext Transfer Protocol Secure) are protocols used for transmitting data over the Internet, primarily to load webpages through a web browser. While HTTP is the foundation of data communication on the Internet, HTTPS provides a secure version of HTTP by encrypting the data in transit. This makes HTTPS essential for maintaining privacy and security online, especially for transactions and sensitive information. The widespread adoption of HTTPS in recent years reflects its importance in ensuring a safer Internet environment.

Session Management

A key ingredient of interactive browsing is that the website remembers you while you move from page to page. A session is defined as a user’s visit to a website during a specific time frame. To give continuity during that visit, the website must recognize THIS browser on THIS IP address plus THIS username if logged in.

Websites use Session IDs, which are unique codes assigned to the user’s connection for a period of time to keep track of the website state and associate that state with a user. The ID can be carried in a cookie, in the URL, or in a form field (as in login forms). Session IDs are used to identify the user throughout their stay on a website.

Session Hijacking

If a malicious actor gets hold of your active session ID, they may be able to authenticate and interact with the website as if they are you, by impersonating you -- not good! This is called session hijacking.

Session hijacking is a common part of web attacks. Note that this will often be just one piece of the attack. For example, when an attacker targets a network, they will want to have administrative rights to make changes or execute scripts. By hijacking a session, they will be able to access that account without cracking or stealing the password. While the Session ID is still unexpired, the malicious actor can create new administrative accounts or execute the malware, yikes!

Session hijacking methods include:

  • Predicting the Session ID based on the information about what ID format is used on that website.
  • Forcing the Session ID using a phishing attack or exploit.
  • Capturing the Session ID through sniffing or AiTM attacks. Adversary in the Middle, remember?
  • Manipulating Session IDs contained in the URL.

Fortunately, most websites do have an expiration time on the session ID to limit how long it can be used. This helps to mitigate the risk of session hijacking.
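The server-side half of these mitigations, as an added example that is not part of the lesson: a small in-memory session store (the class and function names are invented for illustration) that issues session IDs from the operating system's secure random generator so they cannot be predicted from the ID format, enforces both an absolute lifetime and an idle timeout so a captured ID stops working, and issues a fresh ID after login so an ID forced onto the browser beforehand does not carry over.

```python
"""Minimal server-side session store with unpredictable IDs and expiry.

Added example, not code from the lesson. SessionStore and its method
names are made up for illustration; the clock is injectable so expiry
can be exercised without waiting.
"""
import secrets
import time


class SessionStore:
    """Issues unpredictable session IDs and enforces their expiration."""

    def __init__(self, lifetime_s=1800, idle_s=600, now=time.time):
        self.lifetime_s = lifetime_s   # absolute lifetime of a session
        self.idle_s = idle_s           # drop sessions unused for this long
        self._now = now                # clock function (injectable for tests)
        self._sessions = {}            # sid -> {"user", "created", "last_seen"}

    def create(self, user):
        # 32 bytes (256 bits) from the OS CSPRNG, URL-safe base64 encoded:
        # cannot be predicted from earlier IDs or from the ID format.
        sid = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[sid] = {"user": user, "created": t, "last_seen": t}
        return sid

    def lookup(self, sid):
        """Return the user bound to a live session, or None if unknown/expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s["created"] > self.lifetime_s or t - s["last_seen"] > self.idle_s:
            self._sessions.pop(sid, None)   # expired: a captured ID is now useless
            return None
        s["last_seen"] = t
        return s["user"]

    def rotate(self, sid):
        """Replace the ID (e.g. right after login) so a pre-set ID does not survive."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid

    def destroy(self, sid):
        """Server-side logout: the old ID is rejected from now on."""
        self._sessions.pop(sid, None)
```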

Cookies

You are probably thinking – “Freshly baked cookies with a glass of cold milk, yum!” Not those cookies, sorry!

Small packets of data created by the web server, known as cookies, are stored on the user’s computer with information like user preferences, reference data, or a session ID.

There are two types of cookies used to track session data:

  • Persistent – meaning websites set an expiration date on the cookie. Average cookie life is 30 days. However, for users with profile information for that website, the expiration date will be much longer.
  • Non-Persistent – meaning websites do not set an expiration date, so the cookie lasts until the browser is closed. An example of a non-persistent cookie could be an e-commerce site where the user puts items in a cart without logging in. The items will stay in that cart for a period of time or until the browser is closed because that non-persistent cookie is meant to be useful for only a short period of time.

Those non-stop cookie pop-ups are due to the GDPR rule that requires websites to inform you about tracking and get consent to install cookies. The General Data Protection Regulation (GDPR) is a regulation on data protection and privacy. This law was passed by the European Union in 2018. While its technical jurisdiction is only EU countries, because the Internet is global, almost all websites comply with GDPR regulations to avoid any issues or accidentally incurring fines.

Cookie Theft

Many web servers use cookies as their method of authenticating users to the website. The user authenticates, is given a cookie, and the browser presents that cookie as a token so the website can track activity across its pages.

Here are some of the problems:

  • The original authentication transaction is encrypted but the exchange of the cookie is typically not encrypted.
  • The cookie can be easily intercepted and stolen – yikes!
  • A stolen authentication cookie can be used to access the user’s personal pages on websites they have visited, like social media sites or even a banking website.


Websites have become extremely invested in using cookies as they not only provide a method for session IDs but also help keep track of preferences, track browsing activities for help in targeting ads, and in some cases even hold credit card or password information. Thus, websites are not moving away from cookies despite their use by hackers as an attack vector. Websites keep trying to make cookies more secure and hackers keep coming up with ways to bypass these measures because cookies are just such a great target.
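What "making cookies more secure" looks like on the wire, as an added example that is not part of the lesson: the attributes a server can set on its Set-Cookie header. Secure keeps the cookie exchange on HTTPS (addressing the unencrypted exchange above), HttpOnly keeps page scripts from reading it, SameSite keeps it off cross-site requests, and Max-Age is what separates a persistent cookie from a non-persistent one. The function names are invented; parsing uses Python's standard http.cookies module.

```python
"""Audit a Set-Cookie header and build a hardened one.

Added example, not from the lesson. audit_set_cookie and
session_cookie_header are made-up names for illustration.
"""
from http.cookies import SimpleCookie


def audit_set_cookie(header_value):
    """Classify one Set-Cookie value: is it persistent, and which protections are missing?"""
    jar = SimpleCookie()
    jar.load(header_value)
    if len(jar) != 1:
        raise ValueError("expected exactly one cookie in the header")
    name, m = next(iter(jar.items()))
    weaknesses = []
    if not m["secure"]:
        weaknesses.append("no Secure flag: also sent over plain HTTP, where it can be sniffed")
    if not m["httponly"]:
        weaknesses.append("no HttpOnly flag: readable by scripts running on the page")
    if not m["samesite"]:
        weaknesses.append("no SameSite attribute: attached to cross-site requests")
    return {
        "name": name,
        # A persistent cookie carries Expires or Max-Age; without either it
        # lasts only until the browser is closed (non-persistent).
        "persistent": bool(m["max-age"] or m["expires"]),
        "weaknesses": weaknesses,
    }


def session_cookie_header(name, value, max_age=None):
    """Build a hardened Set-Cookie value; max_age=None gives a non-persistent cookie."""
    jar = SimpleCookie()
    jar[name] = value
    m = jar[name]
    m["secure"] = True      # only sent over HTTPS, so the exchange is encrypted
    m["httponly"] = True    # not exposed to JavaScript on the page
    m["samesite"] = "Lax"   # not sent on cross-site requests
    m["path"] = "/"
    if max_age is not None:
        m["max-age"] = max_age   # persistent: survives closing the browser
    return m.OutputString()
```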

Attacking Session IDs

A proxy is a common method of attacking session management like cookies. The proxy application is set up so that it intercepts all browser activity before it is encapsulated and sent out on the Internet. By intercepting cookies or passwords, the hacker can either learn information or even change the data.

An intercepting proxy is an application that is configured to sit between the client browser and a web server. It is used as an adversary-in-the-middle (AiTM) to allow interception and modification of all traffic between the two systems. One example of such a tool is Burp Suite.


Intercepting proxy tools are used for good (web developers and testers) or bad (cyber criminals) purposes:

  • To capture cookies or session IDs to reuse later.
  • To investigate how a web server formats its cookies so you can forge one.
  • To intercept a cookie to change a parameter like password or user privileges.

Securing the Browser

As you have learned in this lesson, websites are very vulnerable. What can we do to avoid or at least minimize browser-related threats? The two most important rules are:

  1. Make sure you are using an updated version of the browser! That applies to all devices – laptops, phones, etc.
  2. Do not click on questionable ads or clickbait stories or go to questionable websites!

Other rules include:

  • Not using the browser while logged in locally with an admin-level account.
  • Turning on the pop-up blocker.
  • Reducing the number of extensions. While some extensions provide valuable features, third-party add-ons can impact security.
  • Setting browser settings to restrict or limit scripts and cookies.
  • Clearing browser cache and cookies regularly!

Browser Cache

The browser cache is a temporary storage area on your computer or mobile device where web browsers keep copies of recently accessed web pages, images, and other content. This caching mechanism speeds up website loading times on subsequent visits because the browser can retrieve data from the cache instead of downloading it again from the internet. While caching improves efficiency and user experience, it also introduces several security and privacy issues:

  • Privacy Leaks: Cached data can reveal a user's browsing history to anyone with access to their device. If shared or accessed without proper security measures, sensitive information, such as personal details, financial data, and browsing habits, can be exposed.
  • Cache Poisoning: This is a more sophisticated attack where an attacker manipulates the cached content of a website on a user's computer. By injecting malicious content into the cache, attackers can redirect users to phishing websites or expose them to malicious code, even if the original website is secure.
  • Cross-site Scripting (XSS) Attacks: If a browser cache does not adequately separate data cached for different websites, there could be potential for cross-site scripting attacks. In such cases, malicious scripts cached from one website might be executed in the context of another, compromising security and privacy.
  • Data Integrity Issues: Cached data may become outdated or corrupted, leading to the display of incorrect information or the malfunctioning of web applications. This can pose a security risk if critical updates or security patches are not reflected promptly to the user.

How to Clear Cookies in Google Chrome Video

Creative Commons License - Video Source


Reflection and Wrap-up

In this lesson, we have learned about the inherent vulnerabilities of websites and the complexities involved in writing secure web code. A significant challenge in web security is the balance between user interactivity and accessibility, which often opens avenues for various vulnerabilities. We explored the reasons behind these vulnerabilities, including the educational gap in web programming regarding security, the necessity for websites to be open for user interaction, and the shift from stateless to stateful protocols to enhance user experience. This shift has introduced complexities in session management, leading to vulnerabilities like session hijacking and cookie theft.

The lesson highlighted the 2021 OWASP Top Ten Web Application Security Risks, providing a roadmap for developers to mitigate common vulnerabilities. We also discussed the evolution from HTTP to HTTPS for secure data transmission, the importance of managing session IDs and cookies securely, and strategies to secure the browser and browsing experience. The lesson emphasized the ongoing battle between cybersecurity professionals and attackers, highlighting the critical role of updated knowledge and practices in safeguarding web applications.

[CC BY-NC-SA 4.0] UNLESS OTHERWISE NOTED | IMAGES: LICENSED AND USED ACCORDING TO TERMS OF SUBSCRIPTION - INTENDED ONLY FOR USE WITHIN LESSON. Video courtesy of oncampusthl, CC-BY