12.2 - Web Applications

 12.2 - Web applications 

 

Key Terms: 

  • Web application – Software that has been installed on top of a web server. 

 

Web Application Types 

    • Browser-based – These web applications can run on the browser and have access to data provided by the web server. 
    • Mobile-based – The most common type of web application, they are designed to run on mobile devices. 
    • Client-based – These run on applications that are required to be installed before running. 

 

Web Application Benefits 

Web applications aren’t run locally so the client’s processor isn’t used. Installation administration is easier as there are fewer installations that need to take place. Web applications are also universal and don’t need to be developed for certain operating systems. 

 

Vulnerabilities 

    • Cookies – Due to HTTP not being able to store session information, cookies were introduced to store user preferences and web activities. Cookies contain several parameters including name, value, expiration date, URL and domain. An attacker can steal cookies or craft malicious cookies to cause malicious intent. 
    • Script errors – These vulnerabilities are when web applications aren't programmed correctly. This can be something like an input validation error where user inputs aren't validated correctly. Script errors can share sensitive information, are open to upload bombing and poison null byte attacks. 
    • Session Management – When a client connects to a web application, a session is created. These sessions are uniquely identified with a session ID and store current session information. Once the client disconnects, the session should be correctly removed to ensure the security of the session. If this fails to occur, the session is at risk of being hijacked. Also, weak session IDs can be brute forced by a hacker to steal sensitive information. 

 

Web Application Hacking Methodology 

    1. Footprint web infrastructure. 
    2. Attack web servers. 
    3. Analyse web applications. 
    4. Attack authentication mechanisms. 
    5. Attack authorisation schemes. 
    6. Attack session management mechanisms. 
    7. Perform injection attacks. 
    8. Attack application logic flaws. 
    9. Attack database connectivity. 
    10. Attack web app client. 

 

Countermeasures 

Web applications should use input validation to verify legitimate inputs, filter packets and deny ICMP access, turn off unused ports and services, keep patches up to date, filter user inputs and access databases with non-privileged accounts. 

Comments

Post a Comment

Popular posts from this blog

OSA Assignment 1 - Task 3 GUIDE

Image
  OSA Assignment 1 – Task 3 Guide     Exam parameters   Time length – 5 hours (2x 2 ½ sessions)   Marks available – 28     Task 3: Design – Communication Equipment   In this task you are required to submit :   A technical proposal covering the switches, wireless infrastructure and specifications   Justification of planned network architecture and considerations for security, resilience, performance and redundancy   Evidence print screens   Annotated floor plan/network diagram     Technical Proposal   The technical proposal in task 3 follows a similar format as task 2. It's another large document detailing the requirements and recommendations for the company. In task 3, however , it should discuss communication and other digital equipment such as switches, CCTV and APs.   You should recommend multiple hardware solutions and justify between them.   Here are some examples of tables and information ...
Read more

OSA Assignment 1 - Task 1 GUIDE

  OSA Assignment 1 – Task 1 Guide     Exam parameters   Time length – 3 hours   Marks available – 20     Task 1: Planning   In this task you are required to submit :   A project plan   Gantt chart showing th e critical path   Explanation of legal requirements   Physical and digital threat countermeasures   Annotated floor plan     Gantt Chart   The Gantt Chart is the first document you should create. This details each phase of the project alongside the timescale to complete it.   Ensure you make a note of the deadline for the project along with any pre-requisites such as cabling. This should all be implemented into your Gantt Chart.   You can follow a layout like this:   Project:   Pre considerations (Gathering project timescale, risk assessments, ...)   Planning (Devising project plan, identifying budget, ...)   Design (Research hardware, identify topology, ...)   Pre ...
Read more

OSA Summer 2023 Mock - Task 1, Assignment 1

Image
  OSA Summer 2023 Mock – Task 1           Legal requirements   The company must ensure they are compliant with the correct legislation whilst the project is undertaken.   If any person is working at height, the correct safety measures to prevent injury or death must be imposed under The Work at Height Regulations 2005. They must have an appropriate safety harness on and hazardous areas at height should be i dentified in the risk assessment.   By storing data internally on a local file server, the business is responsible for maintaining the confidentiality, availability and integrity of that data. They must comply with The Data Protection Act 2018 and General Data Protection Regulations.   Display screen equipment regulations (DSE) should be considered when installing workstations. Ergonomic and posture-friendly chairs should be installed and employees given appropriate breaks from working around screens.     Data p...
Read more