Example:
- A form is displayed on a web application that contains some text fields
- These text fields data are not validated on the client/server side so it lets any data in
- The data entered is directly used in building an SQL query
- A malicious user enters some bad data in the text field which contains an executable SQL statement to corrupt the database or display unintended results
- So, instead of executing "SELECT * FROM products WHERE id_product=$id_product", the application executes "SELECT * FROM products WHERE id_product=$id_product UNION Select * from USERS"
Example:
- A real website displays a form containing name etc.
- Since there is a bug in the server side code, it lets any text to be entered in the text field
- A malicious user enters a text which contains some javascript embedded in script tags
- The server side application persists this data into database
- The application has a web page that displays a list of all names
- When a real user retrieves this webpage, it displays the names but also executes javascript
- When the user submits or performs some action on this webpage, it sends cookies etc to a malicious website.
CORS - Cross Origin Resource Sharing
CSRF - Cross Site Request Forgery
This attack happens if a user does not logout from a good website. Say for example, a good website transfers money using this URL: amount=100.00&routingNumber=1234&account=9876
A evil website may have HTML code with hidden input fields for amount, routing number and account. It may have an image that says "Win MoneY" which when clicked will submit the hidden form fields to the URL for the good website. Since the user is already authenticated and forgot to logoff, the transaction will be executed without the user knowing about it.
One solution is to use the Synchronizer Token Pattern. This solution is to ensure that each request requires, in addition to our session cookie, a randomly generated token as an HTTP parameter. When a request is submitted, the server must look up the expected value for the parameter and compare it against the actual value in the request. If the values do not match, the request should fail.
We can relax the expectations to only require the token for each HTTP request that updates state. This can be safely done since the same origin policy ensures the evil site cannot read the response. Additionally, we do not want to include the random token in HTTP GET as this can cause the tokens to be leaked. So, the new URL looks like this:
amount=100.00&routingNumber=1234&account=9876&_csrf=
You will notice that we added the _csrf parameter with a random value. Now the evil website will not be able to guess the correct value for the _csrf parameter (which must be explicitly provided on the evil website) and the transfer will fail when the server compares the actual token to the expected token.
https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html
If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.
Improper identity and access management
CSRF - Cross Site Request Forgery
This attack happens if a user does not logout from a good website. Say for example, a good website transfers money using this URL: amount=100.00&routingNumber=1234&account=9876
A evil website may have HTML code with hidden input fields for amount, routing number and account. It may have an image that says "Win MoneY" which when clicked will submit the hidden form fields to the URL for the good website. Since the user is already authenticated and forgot to logoff, the transaction will be executed without the user knowing about it.
One solution is to use the Synchronizer Token Pattern. This solution is to ensure that each request requires, in addition to our session cookie, a randomly generated token as an HTTP parameter. When a request is submitted, the server must look up the expected value for the parameter and compare it against the actual value in the request. If the values do not match, the request should fail.
We can relax the expectations to only require the token for each HTTP request that updates state. This can be safely done since the same origin policy ensures the evil site cannot read the response. Additionally, we do not want to include the random token in HTTP GET as this can cause the tokens to be leaked. So, the new URL looks like this:
amount=100.00&routingNumber=1234&account=9876&_csrf=
You will notice that we added the _csrf parameter with a random value. Now the evil website will not be able to guess the correct value for the _csrf parameter (which must be explicitly provided on the evil website) and the transfer will fail when the server compares the actual token to the expected token.
https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html
If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.
Improper identity and access management
- forget password mgmt features
Not implementing API keys for clients
Denial of service
- flooding a website/webservice with requests so that legitimate users can't use it
No comments:
Post a Comment