Thursday, June 11, 2009

Web application security flaws exposed

Today I participated in the "Hacking 101" event hosted by IBM in Miami. It was a half day seminar, hands-on lab. Very interesting and useful I must admit. They talked about what are the top security issues of web applications today based on the OWASP Top 10 document. The interesting part is that they actually demonstrated some of the security issues discussed. In order to showcase everything, they have a test (fictive) web site set up, namely (you can access it from your own station at will). Let me go through some vulnerabilities covered during the session.

Cross-Site Scripting (XSS) - Number 1 in the Top 10 list.

XSS is basically script embedded into HTML returned from a trusted site. One of the implications is that session tokens can be stolen. Let's see how:

First I search for the string 'Mihai', which will change the browser URL to, printing the result like shown below:

Next step is to change the query string to<script>alert(document.cookie)</script>, resulting in information related to your session being made available:

So the cookie is available to JavaScript. How do we exploit this? First, you need the Tamper Data Mozilla add-on. Once you have it installed, open in by choosing Tools -> Tamper Data. Going back to Firefox, in the search text box enter %3Cscript%3Edocument.write('. Looking into the Tamper Data UI, you can locate the request just made to evilsite, and see that your cookie has been sent to it.

To exploit this vulnerability, one can send an email to the user with a link that has the above script embedded in it. Once the user clicks on it, the request will be sent to, with the script as input for the search text box. When the script is echoed back to the application, it will be executed by the browser and the user cookies will be sent to evilsite.

SQL Injection - Number 2 in Top 10 list.

With SQL Injection, the user input is directly embedded into a SQL statement. One of the implications is that we can access data in a database. Let's say we wanted to log in as administrators into our dummy web site. First step is to get a sense of how the SQL statement is formed. For that, we enter a ' as the user name, followed by anything as password:

The result of trying to log in will be an error page that will display information related to how the SQL statement involving the user name and password is constructed:

Once we know how the query looks like, we can write in the user name field the text ' or 1=1--:

with the results of being signed in as admin:

Of course, IBM has a tool called AppScan that can help in detect all the vulnerabilities I mentioned in this blog. How it works, in a nutshell, is by scaning your web application (i.e. website), identifying the security issues based on some test policies, pointing out the problems , logging the issues, and recommending fixes. Below is a screenshot of AppScan in action (taken from the pdf presentation slides):

If you want to find out more about the event, get the slides, try everything out, go to

All in all, a very informative session!

No comments: