Thursday, 8 October 2015

Cross Site Scripting - XSS

Posted By Vivek M

Cross Site Scripting (CSS or XSS), a term first introduced by Microsoft in 2000, is a vulnerability that mainly affects web applications and allows an attacker to inject client-side code into web pages viewed by other users. It is a general technique and one of the most common hacking methods used by attackers, based on the principle that scripts can be hidden behind URLs and web pages.

XSS is mainly classified into three types.


DOM Based (AKA Type 0)
    This type of XSS vulnerability exists in the client-side script which resides in the code for a particular website. DOM Based XSS is a form of XSS where the source of the data is in the DOM, the sink is also in the DOM, and the data flow never leaves the browser. JavaScript code sometimes uses objects which are provided by the browser as part of the Document Object Model (DOM), like "document.URL" and "document.location". If such a script uses these document objects to write HTML code to the page without properly encoding the HTML entities, a vulnerability may be present.

Attack scenario:
  1. Trudy, an attacker, sends Alice a link which contains a malicious script.
  2. Alice clicks on the link.
  3. The malicious script executes in the local zone of Alice's computer.
  4. This allows Trudy to run commands with the privileges that Alice holds on her own computer.

Non-Persistent (AKA Reflected or Type I)
    This type of XSS vulnerability occurs when the user provides data on the web client and this data is used by the scripts on the web server to generate results which are displayed to the user. These are commonly seen in search engines and in form submissions. If the user-provided data is not validated or the script is not sanitized, the results may include client-side scripts that are executed in the browser. A reflected attack is typically delivered via email or a neutral web site. The link looks like a normal trusted link, but clicking the link can cause the victim's browser to execute the injected script.

Attack scenario:
  1. Alice visits a particular website, which is hosted by Bob. Alice needs a username/password pair to log in to the site. The site stores some credit card information of Alice.
  2. Trudy observes that Bob's website contains a reflected XSS vulnerability.
  3. Trudy creates a URL to exploit the vulnerability, and sends it to Alice in an e-mail which looks like it was sent by Bob's server.
  4. Alice visits the URL provided by Trudy while logged into Bob's website.
  5. The malicious script embedded in the URL executes in Alice's browser. The script steals sensitive information (authentication credentials, billing info, etc.) and sends this to Trudy's web server without Alice's knowledge.

Persistent or Stored
    This type of XSS vulnerability arises when the data provided by a user is saved on the web server and later shown to other users in regular browsing without being encoded using HTML entities. Examples of this type are online message boards and social networking sites which allow users to post HTML-formatted messages for other users to see.

Attack scenario:
  1. Suppose Bob hosts a website which allows users to post data which can be seen by other users.
  2. Trudy, an attacker, understands that the site is vulnerable to Persistent XSS and joins the site as a new user.
  3. Trudy then posts some messages which contain a malicious script. The post may be controversial in nature in order to increase its views.
  4. When other users view this post, the script included in the post will send the session cookies and other sensitive information to Trudy's web server without the user's knowledge.
  5. Trudy can later use the session id and other information to log in as other users and post messages on their behalf.


Mitigation
  1. Search input should be sanitized and validated, and proper encoding should be applied.
  2. Avoid operations like redirection, document overwriting, etc. using client-side data.
  3. Use safe JavaScript APIs.
  4. Simultaneous login from two different IP addresses should be blocked using some security questions.
  5. The website could only display the last few digits of a previously used credit card.
  6. Content Security Policy should be followed.
  7. Proper awareness could be given to the users about the actual links and emails.
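
Mitigations 1 and 6 applied to the reflected search scenario, as an added example that is not part of the original post: the same search page rendered without and with output encoding, plus a Content-Security-Policy header. The function names, page template, policy value and sample query are constructed for illustration.

```python
import html
from urllib.parse import quote

# Constructed sample input: a search term carrying markup instead of plain text.
SAMPLE_QUERY = '"><script>alert(1)</script>'

# Assumed policy for this example: same-origin scripts only, no inline script.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")


def render_unsafe(query):
    """Vulnerable: user data is concatenated into the HTML without encoding."""
    return ('<form><input name="q" value="' + query + '"></form>'
            '<p>Results for ' + query + '</p>')


def render_safe(query):
    """Encode the value for each output context it lands in."""
    as_html = html.escape(query, quote=True)  # HTML body and quoted attribute
    as_url = quote(query, safe="")            # URL query component
    return ('<form><input name="q" value="' + as_html + '"></form>'
            '<p>Results for ' + as_html + '</p>'
            '<a href="/search?q=' + as_url + '">permalink</a>')


def build_response(query):
    """Return (headers, body) for the search page with encoding and CSP applied."""
    headers = [("Content-Type", "text/html; charset=utf-8"), CSP_HEADER]
    return headers, render_safe(query)


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_QUERY))   # markup survives and would be parsed
    headers, body = build_response(SAMPLE_QUERY)
    print(headers)
    print(body)                          # markup is shown as inert text
```

Encoding stops the injected markup from being parsed; the policy header is a second layer that tells the browser to refuse inline script if an encoding step is ever missed.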

Recent News 


  1. Popcorn Time, the BitTorrent-based software that allows users to stream and watch movies, is vulnerable to XSS, local file reading, and remote code execution attacks. [1]
  2. Salesforce patches dangerous XSS flaw. [1] [2]
  3. New WordPress XSS Vulnerability Crosses the Privilege Line. [1]

Wednesday, 7 October 2015

Brute Force Attack

Posted By Vivek M

A brute force attack, which is similar to a dictionary attack [1], is a trial-and-error method for finding or guessing encrypted data such as passwords, in which every combination of characters is checked until the password is found.
E.g.: ‘aaa’, ‘aab’, ‘aac’, ...


These character combinations are checked in order to find a successful login. Since all possible combinations are checked, the process may take a long time, maybe days or months. So automated software is used for this purpose, and a typical attacker tries to log in thousands of times a minute.

A brute force attack depends on the complexity of the password. If the password contains uppercase letters, special characters like @, #, $, numbers, etc., it will be much harder to find using a brute force attack. The length of the password is also important.

Prevention Methods 

  1. Many systems restrict users from entering the wrong username or password after 3 or 4 attempts. The system will either lock the user out or impose a time delay before a new password can be attempted.
  2. Requiring users to have more complex passwords containing at least one symbol, one number and one uppercase letter.
  3. Usage of CAPTCHA is another good way of prevention. The attacker with the automated system now needs more time, because it is harder to solve a CAPTCHA than to guess the username and password.
  4. Requiring users to have a minimum password length of 8 or more.
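
Prevention method 1 as code, an added example that is not part of the original post: a per-account throttle that locks after three failures and doubles the delay on each further failure. The class name, the 30-second base delay and the sample guesses are assumptions made for this example.

```python
import hmac
import time

MAX_FAILURES = 3        # failures allowed before a lock (the post says 3 or 4)
BASE_LOCK_SECONDS = 30  # assumed starting delay; doubles with each further failure


class LoginThrottle:
    """Tracks failed logins per account and enforces a growing time delay."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = {}  # username -> (failure_count, locked_until)

    def seconds_locked(self, username):
        _, until = self._state.get(username, (0, 0.0))
        return max(0.0, until - self._clock())

    def attempt(self, username, password, expected):
        """Return 'ok', 'denied' or 'locked' for one login attempt.

        `expected` is a plaintext stand-in; a real system verifies a salted hash.
        """
        if self.seconds_locked(username) > 0:
            return "locked"  # rejected before the password is even checked
        if hmac.compare_digest(password.encode(), expected.encode()):
            self._state.pop(username, None)  # success resets the counter
            return "ok"
        failures = self._state.get(username, (0, 0.0))[0] + 1
        until = 0.0
        if failures >= MAX_FAILURES:
            delay = BASE_LOCK_SECONDS * 2 ** (failures - MAX_FAILURES)
            until = self._clock() + delay
        self._state[username] = (failures, until)
        return "denied"


def simulate(guesses, expected="S3cure!pw"):
    """Replay constructed guesses against account 'alice' with a frozen clock."""
    throttle = LoginThrottle(clock=lambda: 0.0)
    results = [throttle.attempt("alice", g, expected) for g in guesses]
    return results, throttle.seconds_locked("alice")


if __name__ == "__main__":
    # The fourth guess is the correct password, but the account is already locked.
    print(simulate(["aaa", "aab", "aac", "S3cure!pw"]))
```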

Most recent famous Brute Force attacks were:

  1. An iCloud hacking tool was posted online which allows attackers to log into any iCloud account, resulting in the leakage of private files of many Hollywood celebrities. [1] [2]
  2. XMLRPC in WordPress was attacked using a brute force attack. [1]
  3. A United States utility control system was hacked using a brute force attack. [1] [2]



Monday, 7 September 2015

SQL Injection Attack


Posted By Vivek M

SQL injection, which is considered one of the 15 worst data security breaches of the 21st century, consists of the insertion of a malicious SQL query via the input data from the client to the application. In other words, malicious SQL statements are inserted into an entry field for execution. Web applications that do not properly validate or clean user input before passing it to the database are vulnerable to SQL injection. Through this attack the application's predefined SQL queries are altered and give an undesired result.


E.g.: SELECT id FROM users WHERE username = 'christi' and password = '******';


This query is open to SQL injection when it is built from user input, since the input can rewrite it as

SELECT id FROM users WHERE username = 'test123' or '1'='1'-- and password = 'asdfgh'

which results in a successful authentication as the first user from the top of the list.


Cause of SQL Injection Vulnerability

SQL injection vulnerability is caused by software applications that accept data from an untrusted source, fail to properly validate and sanitize the data, and subsequently use that data to dynamically construct an SQL query to the database backing that application.


Consequences of SQL Injection Attack

The main consequences of SQL injection attacks are loss of confidentiality, enablement of false authentication, granting of illegitimate authorization and loss of integrity. A SQL injection attack allows an attacker to spoof identity, insert/delete/modify the existing data, cause the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, copy data, and become administrator of the database server.

Mitigation

Parameterized Statements :

To defend against SQL injection attacks, user input must not be passed directly into SQL queries. Parameterized queries force developers to define all the SQL code, then pass in each parameter to the query, which allows the database to distinguish between code and data, regardless of what input is supplied.
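
The login query from the example above, built by string concatenation and then as a parameterized statement, as an added example that is not part of the original post. It uses Python's sqlite3 module; the table contents and function names are constructed, and the input is the one shown earlier in this post.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample users.

    Plaintext passwords mirror the post's query; real systems store salted hashes.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "adm1n-pw"), ("christi", "chr1sti-pw")])
    return db


def login_vulnerable(db, username, password):
    """Vulnerable: input is pasted into the SQL text, so it can change the query."""
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' and password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    """Hardened: the SQL text is fixed and the values are bound as data."""
    row = db.execute("SELECT id FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    injected = "test123' or '1'='1'--"   # the username input from the post
    print(login_vulnerable(db, injected, "asdfgh"))       # first user in the table
    print(login_parameterized(db, injected, "asdfgh"))    # no match
    print(login_parameterized(db, "christi", "chr1sti-pw"))
```

With the placeholder form, the quote characters in the input are compared as part of the username string and never reach the SQL parser.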

Enforcement at the coding level:

Hand-written SQL code can be avoided by using ORM libraries. Predefined choices can be offered for user input, which can be implemented by making simple changes in the server-side code.

Escaping:

Every database uses an escaping scheme. Rewriting the SQL queries that handle user input with these escaping schemes avoids any possible SQL injection vulnerabilities. In most databases the single quote character and other special characters are a big issue; the simplest method to avoid them is to escape all single quotes.


Database Permissions:

Database permissions should be used to avoid SQL injection vulnerability by limiting the permissions of different users.

Most recent famous SQL injection attacks were:
  1. The Drupal 7 core is vulnerable to a "Highly Critical" SQL injection bug that could allow an attacker to compromise the site. Citations [1], [2].
  2. The recent incident of the US Navy SQLi database breach exposes the true damage such attacks can yield. Prior to being shut down, the attack cost more than 220,000 naval service members their personal information and cost the Navy more than £300,000 (US$ 500,000) in recovery. Citations [1], [2]
  3. Hackers stole user email addresses and passwords from UbuntuForums.org, which runs on vBulletin. Citations [1], [2]
  4. Russian hackers hacked 1.2 billion internet credentials and 500 million usernames and passwords. [1], [2]
  5. A Johns Hopkins University biomedical server was hacked and the details were published on the internet. [1], [2]