Attack definitions and application security terms
Just in case you are new to the web application security space, we’ve included a few glossary terms to give you a baseline understanding of the technology.
Application Exceptions are vulnerabilities where unexpected inputs can trigger inappropriate exceptions, or error responses disclosing implementation information, such as a stack trace.
Application Path Disclosure
It is common for attackers to manipulate application input parameters in order to elicit application exceptions. Often, application exceptions give out information about paths of application components. Such exceptions may also reveal paths to important resource files and directories where sensitive information may be stored. The attackers can then make use of this path information to make more focused attacks on such resources and components.
The Authentication Bypass technique is used by an attacker to gain access to a victim's private pages without supplying a username and password. The attacker injects a specially crafted SQL query as the username or password. If the injected input is not filtered by the application and is actually processed as part of an SQL query, such an injection is likely to log the attacker in as a valid user of the application.
Blind SQL Injection
Blind SQL Injection is a vulnerability caused by a web application sending user input into a SQL query without validation. It is a type of SQL Injection vulnerability, where an attacker infers information from differences in responses observed for different injections.
Browse HTTP from HTTPS List
Browse HTTP from HTTPS List is a vulnerability allowing HTTPS pages to be accessed via HTTP, thus disclosing potentially sensitive information. Also, the availability of particular pages outside of a secured context can cause legitimate users to believe that the session is secure, and therefore submit private information in clear text.
Brute Force Login
A Brute-Force Login attack is where an attacker attempts to discover user names and passwords by systematically trying large numbers of modified dictionary words. Depending on the password's length and complexity, there can be a practically unlimited number of possible combinations. To speed things up, brute-force attacks start with dictionary words or slightly modified dictionary words, because most people use those rather than a completely random password. These attacks are called dictionary attacks or hybrid brute-force attacks.
Buffer overflow vulnerabilities affect web applications that accept user input. The application stores the input in a buffer of a fixed size, as defined by the programmer. When the input sent to the application is larger than the buffer's capacity and the bounds are left unchecked, a buffer overflow occurs. The severity depends on the user input: if malicious code executes as a result of the overflow, it can compromise the whole system.
Business Logic Attacks
A Business Logic Attack is an attack which targets the logic of a business application. The business application may be an online clothing shop, an online ticketing service for a theater, or even an Internet poll. As opposed to “traditional” technical application attacks, for example XSS or SQL Injection, business logic attacks do not contain malformed requests and use legitimate input values, making this sort of attack difficult to detect. Furthermore, BLAs abuse the functionality of the application, attacking the business directly. A BLA is further enhanced when combined with automation, where botnets are used to challenge the business application. These automated attackers are called Business Logic Bots (BLBs).
Check Basic Auth over HTTP
Check Basic Auth over HTTP is a vulnerability caused by the disclosure of credentials that occurs whenever “Basic Auth” is used by an application which has any non-SSL pages.
Check HTTP Methods
Check HTTP Methods is a vulnerability where HTTP methods such as TRACE, and others, are not disabled by the web server, and could be abused.
Clickjacking involves an attacker embedding a page from a vulnerable web application, as a hidden or transparent iframe, inside a page from the attacker that is designed to mislead a victim. The attacker's page is designed to motivate the user to click on a particular location. The transparent iframe (from the vulnerable application) is overlaid on top of the attacker’s page such that this click is, unbeknownst to the user, a click on an element of the transparent iframe. Because the click is actually on an element of the transparent iframe (sourced from the vulnerable application), if the user already has an active authenticated session with the vulnerable application, the click can initiate an unintended transaction with the vulnerable application, such as transferring funds to the attacker.
Credit card Disclosure
Valid credit card numbers may be used by attackers for acquiring personal information, identity theft or sometimes to authorize transactions over the telephone, i.e., credit card fraud. Hence, disclosure of valid credit card numbers by a Web application is a vulnerability called Credit Card Disclosure.
Cross-Frame Scripting is a vulnerability that enables an attacker to launch a Phishing attack against unknowing users of the vulnerable web application. The attacker simply embeds a page from the target application inside an HTML frame on his own page, with matching content provided on his page. An unsuspecting user may visit this page by mistake, and a script on the attacker’s page may get access to content and user input from the inner page. It can also very easily send this information to the attacker’s server.
Cross-Site Request Forgery
Cross-site Request Forgery vulnerabilities allow unauthorized requests from a victim’s machine to improperly initiate transactions using an existing authenticated session.
A data breach is the unintentional release of secure information to an untrusted environment. Other terms for this phenomenon include unintentional information disclosure, data leak and also data spill. Incidents range from concerted attack by black hats with the backing of organized crime or national governments to careless disposal of used computer equipment or data storage media.
Denial of Service Attacks
Denial of Service (DoS) attacks are commonly used to disturb the normal operation of applications. DoS attacks take advantage of a weakness in the system or application and cause it to crash or stop responding. Although this attack does not provide the attacker with any escalated system access, it disturbs the operation of the site.
Directory Browsing is a vulnerability caused by unintentionally disclosing directory listings to users.
File and Directory Discovery
File and Directory Discovery is a collection of vulnerabilities all related to being able to access resources that should not be accessible.
Using forceful browsing, attackers may gain access to restricted parts of the Web server directory. This kind of attack occurs when the attacker "forces" a URL by accessing it directly instead of following links.
Form Caching is a vulnerability caused by allowing browser caching of sensitive form field values which could later be displayed to a different user on the same client.
Form Submitted Without Using POST
Form Submitted Without Using POST is a vulnerability where a form with sensitive information is submitted via a GET request. This type of submission can result in disclosure of the submitted values.
Frame Injection occurs if a URL specified in a parameter is used as the source of a frame or iframe on a particular page. If the application does not properly validate this parameter, the attacker can inject a URL of his own choice and the application will blindly load the page from the attacker’s site in a frame.
HTTP Response Splitting
HTTP Response Splitting is a vulnerability allowing an attacker to structure a request that results in two responses, the second of which is totally under the control of the attacker.
Ineffective Session Termination
The Ineffective Session Termination vulnerability exists if the application does not invalidate the session id(s) after a log-out request. Since the terminated session remains valid after logout, an attacker can access the victim's session using previous session data. This can lead to identity theft of the victim who owns the session.
Web application input and command checks
SmartAttacks in this package test how your site handles application exceptions, scripts, buffer overflow, and certain legal characters, as well as UNIX or Windows command vulnerabilities.
Integer overflows occur in a program when integer values are not checked against their limits before performing assignments or calculations. When an integer variable is assigned a value beyond the allowed range, an overflow occurs and the variable ends up holding an incorrect value. Integer overflows cannot be detected after they have occurred, since the program has no way to check the correctness of the calculation. Although integer overflows can introduce unexpected code execution paths, they are not easy to exploit. However, integer overflows can cause buffer overflow checks to return incorrect results and thus increase the chances of buffer overflow attacks despite precautionary measures in the code.
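As an added illustration (not code from the original page), the following C snippet shows the failure mode described above: a bounds check written as `offset + len > size` wraps in 32-bit unsigned arithmetic and lets an oversized length pass, while the rewritten check compares against the remaining space and never overflows. The function names and `BUF_SIZE` are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 64u   /* fixed-size buffer, chosen for this example */

/* Weak bounds check: offset + len is evaluated in 32-bit unsigned
 * arithmetic and silently wraps, so a huge len can pass the test. */
bool fits_weak(uint32_t offset, uint32_t len) {
    return offset + len <= BUF_SIZE;
}

/* Corrected check: compare against the remaining space instead of
 * adding, so no intermediate value can leave the type's range. */
bool fits_strong(uint32_t offset, uint32_t len) {
    if (offset > BUF_SIZE) {
        return false;
    }
    return len <= BUF_SIZE - offset;
}

/* Copies len bytes of src into an internal buffer at offset, guarded by
 * the corrected check. Returns the number of bytes copied (0 if rejected). */
uint32_t bounded_copy(uint32_t offset, uint32_t len, const uint8_t *src) {
    uint8_t buf[BUF_SIZE];
    if (!fits_strong(offset, len)) {
        return 0;
    }
    memcpy(buf + offset, src, len);
    return len;
}

/* Stand-alone demonstration with a constructed oversized length. */
int main(void) {
    uint8_t payload[8] = {1, 2, 3, 4, 5, 6, 7, 8};  /* constructed input */
    uint32_t huge = UINT32_MAX - 15;                /* 16 + huge wraps to 0 */
    bool weak = fits_weak(16, huge);                /* true: wrap hides the problem */
    bool strong = fits_strong(16, huge);            /* false: correctly rejected */
    uint32_t n = bounded_copy(60, 8, payload);      /* 0: 60 + 8 exceeds 64 */
    return (weak && !strong && n == 0) ? 0 : 1;
}
```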
Malware, short for malicious software, is software designed to infiltrate a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.
Non-Masked Password is a vulnerability typically caused by a failure to use the HTML password input field type which masks passwords from being displayed.
Non-SSL Form is a vulnerability caused by allowing submission of sensitive form data without using SSL encryption.
Non-SSL Password is a vulnerability caused by a failure to submit passwords via SSL.
The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. Its mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP, and all materials are available under a free and open software license.
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard defined by the Payment Card Industry Security Standards Council. The standard was created to help payment card industry organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations that hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands.
Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organization is handling, but regardless of the size of the organization, compliance must be assessed annually. Organizations handling large volumes of transactions must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of self-certification via a Self-Assessment Questionnaire (SAQ). In some regions these SAQs still require signoff by a QSA for submission.
PCI compliance 6.6
PCI requirement 6.6 stipulates that web-facing applications must be protected against known attacks by applying one of the following methods: a web application firewall, source code scanning, black box testing, manual penetration testing, or manual code review.
Password Autocomplete
Password Autocomplete is a vulnerability caused by allowing caching of passwords by browsers.
Phishing is one of the most common techniques employed in identity theft, currently the fastest growing crime. In phishing attacks, an attacker creates a fake web site that resembles a legitimate institution’s web application, often reusing content from the legitimate server. The fake web site captures personal information entered in forms by users. When unsuspecting users submit their login names and passwords to the fake site, the security of both the web application and the user’s personal information is compromised.
Remote File Inclusion
Remote File Inclusion is a vulnerability where a submitted value is used directly, without sanitization, to reference any specified URL.
The SANS Institute, founded in 1989, provides computer security training, professional certification through GIAC (Global Information Assurance Certification), and a research archive - the SANS Reading Room. It also operates the Internet Storm Center, an Internet monitoring system staffed by a global community of security practitioners.
SQL Disclosure is a special kind of SQL Injection vulnerability. SQL Injection is a type of attack that allows a remote user to pass SQL commands and strings to a back-end database. By exploiting SQL injection vulnerabilities, an attacker can gain access to sensitive information and potentially gain full control over the system on which the database is installed. An attacker may make use of a SQL Disclosure vulnerability to obtain sensitive information without having the required privileges or to locate generic SQL Injection vulnerabilities. The attacker starts by trying to cause an error in the processing of a SQL query, thereby generating a SQL exception. If such exceptions are suppressed by the application, the attacker may use the Blind SQL Injection technique to locate a SQL Injection vulnerability.
SQL Error Message
SQL Error Message is a vulnerability that helps an attacker formulate more accurate SQL Injection strings. It may also be used as a 'locator' attack that precedes a real SQL Injection attack. When looking for a SQL Injection vulnerability, an attacker will first inject some SQL characters such as ', --, or # so as to try to generate an error in the application. If the error gets displayed in the resulting page, the attacker gains valuable information about the Web application.
SQL Error Message, or SQL Exception, is a vulnerability caused by a Web application using user input in a SQL query without validation. If such input causes errors in the execution of the query, and if these errors are shown to the user, then this is a SQL Error Message vulnerability.
SQL Injection is a technique by which attackers can execute SQL statements of their choice on the backend database by manipulating the input to the application.
Secure Sockets Layer (SSL) gives assurance of two things. Firstly, when a client connects to a web server, the client can be sure that it is talking to the right server by checking the certificate the server sends it. Secondly, SSL assures the confidentiality of the data, as the client and the server exchange encrypted messages that cannot be understood by anybody else.
HTTPS web servers supporting weak ciphers are vulnerable to a breach of secure communication. Such servers, if they are using expired certificates, expose users of applications hosted on them to Phishing attacks.
Session Hijacking vulnerabilities allow users to submit session ID information from previous sessions to retrieve information for which they are not authorized.
Session ID Length
Session ID Length is a vulnerability where session ids are considered too guessable. Session ids with fewer than 128 bits are not recommended.
At the core of any web-based application is the way in which it maintains state and thereby controls user interaction with the site. Session Management broadly covers all controls on a user from authentication to leaving the application. HTTP is a stateless protocol, meaning that web servers respond to client requests without linking them to each other. Even simple application logic requires a user's multiple requests to be associated with each other across a "session".
Source Code Disclosure
Source code disclosure attacks allow a malicious user to obtain the source code of a server-side application. This vulnerability grants the attacker deeper knowledge of the Web application logic.
URL in Query
URL in Query is a vulnerability where URLs are directly used in query string parameters or cookies. Such usage is commonly something that can be tampered with, and is a disclosure of how such resources are referenced (aka Direct Object Reference). The SmartAttack examines all such requests and matches content that appears to be in the style of an absolute or relative URL.
Username or Password in the HTTP Request
Username or Password in HTTP Request is a vulnerability reporting inappropriate disclosure of these credentials.
A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application. Stakeholders include the application owner, application users, and other entities that rely on the application.
Web Application Firewalls (WAFs)
A Web Application Firewall analyzes requests at the application level. WAFs are used in front of specific applications such as a web server or a database server. WAFs protect the web server from HTTP-based attacks and monitor requests for attacks that involve SQL Injection, XSS, URL encoding, etc. However, WAFs can’t protect against attacks that require an understanding of the business context; this includes most attacks that rely on variable manipulation. Some WAF vendors include Imperva, Citrix, Barracuda, and Breach (acquired by Trustwave).
Web Application Security
Web application security is a branch of Information Security that deals specifically with security of websites and web applications. At a high level, web application security draws on the principles of application security but applies them specifically to Internet and web systems. Typically web applications are developed using programming languages such as PHP, Java EE, Java, ASP.NET, C#, VB.NET or Classic ASP.
Web Application Security Vulnerability Scanner
A web application security vulnerability scanner is a program that communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses. Such scanners perform a black-box test. Unlike source code scanners, web application scanners don't have access to the source code and therefore detect vulnerabilities by actually performing attacks.
Web Server Vulnerabilities
Web Server Vulnerabilities are a variety of CVE style vulnerabilities regarding known security flaws in known versions of various software infrastructures, such as Apache, PHP, Oracle, etc.
A website defacement is an attack on a website that changes the visual appearance of the site. These are typically the work of system crackers, who break into a web server and replace the hosted website with one of their own. A message is often left on the webpage stating the defacer's pseudonym and the output from "uname -a" and the "id" command, along with "shout outs" to his or her friends. Sometimes the defacer makes fun of the system administrator for failing to maintain server security. Most times the defacement is harmless; however, it can sometimes be used as a distraction to cover up more sinister actions such as uploading malware.