Attacks on web applications give intruders wide opportunities: theft of critical or sensitive information, abuse of business logic for financial gain, and, not least, a successful attack on a web application can be the first step toward compromising the company's corporate network. In this article I will talk about the evolution of attacks on web applications.
OWASP TOP 10
Classic vulnerabilities are currently represented by the OWASP Top 10 list (the 2013 edition):
- A1 Injection
- A2 Broken Authentication and Session Management
- A3 Cross-Site Scripting (XSS)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration
- A6 Sensitive Data Exposure
- A7 Missing Function Level Access Control
- A8 Cross-Site Request Forgery (CSRF)
- A9 Using Components with Known Vulnerabilities
- A10 Unvalidated Redirects and Forwards
Real-world attacks on web applications map onto this list, but not every category is common everywhere or seen every day.
A good indicator of which vulnerabilities are actually being found in practice is the unofficial HackerOne disclosure timeline: http://h1.nobbd.de/index.php . There, SQL injections prevail, followed by client-side attacks and others.
Types of Attacks
There are two kinds of attacks: non-targeted and targeted. Non-targeted attacks are indiscriminate ("carpet bombing"): they try one or two attack vectors and do not always achieve the attacker's goal. As a rule they are primitive. We see such attacks every day, in the form of attempts to exploit a particular vulnerability, to reach critical files, and so on.
Targeted attacks are distinguished by many vectors, a high level of attacker skill, and effectiveness. They make up about 5% of the total number of attacks, but they are far more effective than non-targeted ones.
Non-targeted attacks are usually automated and carried out with a variety of tools, from vulnerability scanners to scripts and utilities. As a rule they can be recognized by several signs (User-Agent, the attack vector, the IP range). An example is an attempt to detect /uploadify/uploadify.php, a known vulnerability in a MODX module.
Statistics of non-targeted attacks are as follows (the most popular attack types):
- Attempts to detect SQL injection: 85%
- Attempts to access critical folders and files: 7%
- Attempts to use known (widely publicized) exploits: 5%
- Attempts to detect cross-site scripting: 3%
This applies to automated systems. If the site is attacked by someone who knows the web application and its vulnerable components, the attack becomes targeted and far more effective.
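As an added example (not code from the original article, nor from the pentestit.ru service), here is a small Python classifier that sorts access-log requests into the article's four categories of non-targeted probes and groups them by the "signs" mentioned above (source IP and User-Agent). The log lines are constructed; the probe paths, the scanner User-Agent strings and the regular expressions are illustrative assumptions, except /uploadify/uploadify.php, which the article itself names.

```python
"""Categorize non-targeted (automated) probes in web server access logs.

Added example: this is not code from the original article. The log lines
are constructed. The probe paths, scanner User-Agent strings and regular
expressions are illustrative assumptions, except /uploadify/uploadify.php,
which the article itself names as a probe for a vulnerable MODX module.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Combined log format (Apache/nginx default), assumed for the sample below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# One pattern per category from the article's breakdown; first match wins,
# so the order is a policy choice. These are narrow scanner-probe signatures,
# not a complete WAF rule set.
CATEGORIES = [
    ("known_exploit", re.compile(r"/uploadify/uploadify\.php|/xmlrpc\.php|/cgi-bin/", re.I)),
    ("sensitive_file", re.compile(r"\.\./|/etc/passwd|/\.git/|/\.env\b|wp-config\.php|/phpmyadmin/", re.I)),
    ("sqli", re.compile(r"\bunion\b.*\bselect\b|\b(?:and|or)\b\s+\d+\s*=\s*\d+|\bsleep\s*\(|'|--|/\*", re.I)),
    ("xss", re.compile(r"<script|onerror\s*=|onload\s*=|javascript:|alert\s*\(", re.I)),
]

# Tools that announce themselves in the User-Agent (assumed list). No match
# proves nothing: plenty of scanners send a browser-like UA.
SCANNER_UA = re.compile(r"sqlmap|nikto|acunetix|nessus|masscan|zgrab|python-requests|curl/", re.I)


def classify(line):
    """Return a dict describing the probe, or None for unparsable or benign lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Scanners URL-encode their payloads, so match on the decoded request target.
    target = unquote_plus(m.group("target"))
    for name, pattern in CATEGORIES:
        if pattern.search(target):
            return {
                "ip": m.group("ip"),
                "category": name,
                "target": target,
                "ua": m.group("ua"),
                "scanner_ua": SCANNER_UA.search(m.group("ua")) is not None,
            }
    return None


def summarize(lines):
    """Count probes per category and per (ip, User-Agent) source."""
    by_category = Counter()
    by_source = defaultdict(Counter)
    for line in lines:
        hit = classify(line)
        if hit:
            by_category[hit["category"]] += 1
            by_source[(hit["ip"], hit["ua"])][hit["category"]] += 1
    return by_category, dict(by_source)


# Constructed sample log (documentation IP ranges, fictitious timestamps).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2017:13:55:36 +0000] "GET /index.php?id=1%27 HTTP/1.1" 500 512 "-" "sqlmap/1.1.10#stable (http://sqlmap.org)"
203.0.113.5 - - [10/Oct/2017:13:55:37 +0000] "GET /index.php?id=1%20AND%201=1 HTTP/1.1" 200 4096 "-" "sqlmap/1.1.10#stable (http://sqlmap.org)"
198.51.100.7 - - [10/Oct/2017:13:56:01 +0000] "GET /uploadify/uploadify.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2017:13:56:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2017:13:57:10 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Nikto/2.1.6)"
192.0.2.9 - - [10/Oct/2017:13:57:11 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0 (Nikto/2.1.6)"
203.0.113.77 - - [10/Oct/2017:13:58:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
""".splitlines()


if __name__ == "__main__":
    categories, sources = summarize(SAMPLE_LOG)
    print("by category:", dict(categories))
    for (ip, ua), counts in sources.items():
        print(f"{ip:15} {ua[:40]:40} {dict(counts)}")
```

Note that the second source in the sample sends a plain browser User-Agent while probing two exploit paths in quick succession: the UA alone is a weak sign, and the combination of source, path and timing is what distinguishes a scanner from noise.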
Evolution of attacks
The evolution of attacks on web applications can be viewed from several angles:
- Web applications are getting more complex; as a consequence, there is more room for error;
- Architectures are getting more complex; as a consequence, more room for error;
- The popularization of the "cool hacker" (script kiddie) image; as a consequence, more material is freely available and there are more attacks;
- Apparent impunity.
I will leave the ethical side outside this article and talk about the technical one.
New vectors appear either because new technologies are adopted or because vulnerabilities are found in old ones. Some vulnerability classes can also be left "overboard" and go unused for many years. XML External Entities (XXE) is an example: the first mentions date back to 2002, a concrete attack vector appeared in 2009, and mass exploitation began around 2011-2012 almost everywhere, for example in phpMyAdmin. XXE vulnerabilities were found (within bug bounty programs) on the resources of Yandex, Vkontakte, Uber and many others.
Another important factor in the development of attack vectors is the protective measures that get deployed. We set up a deliberately vulnerable web application, chose the type of vulnerability, and put the application behind a protection service: http://vulns.pentestit.ru .
The vulnerable parameter is kc_ad. Attackers first try to confirm the presence of an injection with a single quote character, the classic of the genre:
The vulnerability is present on the site, but it cannot be exploited straight away, so attackers turn to tampering techniques in an attempt to bypass the protection:
These bypass methods still do not allow the vulnerability to be exploited, so attackers move on to more sophisticated evasion techniques (which I described in a separate article on methods of bypassing web application protection during SQL injection).
This turns into queries like the following, sent to http://vulns.pentestit.ru/wp-content/plugins/kittycatfish-2.2/kittycatfish.js.php with the parameters:
kc_ad=%27%2F%2A%2A%2FanD%2F%2A%2A%2F3083%2F%2A%2A%2FbEtWEEN%2F%2A%2A%2F3083%2F%2A%2A%2FanD%2F%2A%2A%2F3083--%2F%2A%2A%2FiGqe&ver=2.0
URL-decoded, the kc_ad value reads '/**/anD/**/3083/**/bEtWEEN/**/3083/**/anD/**/3083--/**/iGqe: every space of the boolean-based blind probe has been replaced with an empty inline comment and the case of the keywords has been randomized, so a filter that looks for whitespace-separated keywords sees nothing.
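Added example, not code from the original article: the two transformations that produce the shape of the kc_ad value above, replacing spaces with empty inline comments and randomizing keyword case (this is how sqlmap's space2comment and randomcase tamper scripts behave; that the observed payload came from them is my reading of it, not something the article states), next to the normalization a defensive filter needs to perform before matching signatures. PLAIN is the URL-decoded kc_ad value with comments turned back into spaces, OBSERVED is the encoded value exactly as shown above; the naive signature and the normalizer are illustrative assumptions.

```python
"""WAF-evasion tampering of a SQL injection payload, and the normalization
a defender needs to undo it before matching signatures.

Added example: not code from the original article. PLAIN is the kc_ad value
after URL-decoding, with inline comments turned back into spaces; OBSERVED is
the encoded value exactly as the article shows it. The transforms reproduce
its shape (empty inline comments for whitespace, randomized keyword case),
which is how sqlmap's space2comment and randomcase tamper scripts behave;
the naive signature and the normalizer are illustrative assumptions.
"""
import random
import re
from urllib.parse import quote, unquote_plus

PLAIN = "' AND 3083 BETWEEN 3083 AND 3083-- iGqe"
OBSERVED = ("%27%2F%2A%2A%2FanD%2F%2A%2A%2F3083%2F%2A%2A%2FbEtWEEN%2F%2A%2A%2F3083"
            "%2F%2A%2A%2FanD%2F%2A%2A%2F3083--%2F%2A%2A%2FiGqe")

WORD = re.compile(r"[A-Za-z]+")
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# A naive signature that expects real whitespace between tokens (assumed).
NAIVE_SIGNATURE = re.compile(r"\b(?:and|or)\b\s+\d+\s+between\s+\d+", re.I)


def space2comment(payload):
    """Replace each space with an empty inline comment; MySQL still sees a token separator."""
    return payload.replace(" ", "/**/")


def randomcase(payload, rng):
    """Randomize the case of every alphabetic token; SQL keywords are case-insensitive."""
    return WORD.sub(lambda m: "".join(rng.choice((c.lower(), c.upper())) for c in m.group()), payload)


def tamper(payload, seed=0):
    """Apply both transforms and URL-encode the result as it would appear in the query string."""
    rng = random.Random(seed)
    return quote(randomcase(space2comment(payload), rng), safe="")


def normalize(encoded):
    """Undo the evasion layers: decode until stable, drop inline comments, fold whitespace and case."""
    text = unquote_plus(encoded)
    while True:                       # also handles double-encoding such as %2527
        again = unquote_plus(text)
        if again == text:
            break
        text = again
    text = INLINE_COMMENT.sub(" ", text)   # /**/ is whitespace to the SQL parser
    text = re.sub(r"\s+", " ", text)
    return text.strip().lower()


def signature_matches(encoded, normalized=True):
    """True if the naive signature fires on the normalized (or merely decoded) payload."""
    text = normalize(encoded) if normalized else unquote_plus(encoded)
    return NAIVE_SIGNATURE.search(text) is not None


if __name__ == "__main__":
    print("observed (decoded):", unquote_plus(OBSERVED))
    print("normalized:        ", normalize(OBSERVED))
    print("naive signature, decoded only:", signature_matches(OBSERVED, normalized=False))
    print("naive signature, normalized:  ", signature_matches(OBSERVED))
    print("re-tampered with another seed:", tamper(PLAIN, seed=42))
```

The point of the normalizer is that every evasion layer the attacker adds (encoding, comments, case) is reversible by the defender precisely because the database must reverse it too; a filter that matches on the raw request string is matching a representation the SQL parser never sees.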
Thus, at the moment almost all known vulnerabilities are being exploited, adjusted for the protection mechanisms built into applications during development and for the protective measures deployed around them. This is also helped by the large number of tools available for attacking web applications.