Nowadays it is the era of online shopping, banking and so on. In fact, almost everything that people once had to go out and get is now available online. People get their stuff delivered to their doorstep just by visiting a website, one that may have been developed by people they know nothing about.
Now the question that arises is: when you enjoy the luxury of buying things without stepping out of your house, do you think the transaction you made is actually safe?
Well, as the saying goes, every coin has two sides: every application built for a good purpose will also be used in a bad way, and that bad use is called a threat to the application.
Web applications can be built using many languages and frameworks, such as ASP.NET, Java, ASP and PHP. According to the WhiteHat Security report for 2014, ASP.NET, at 28.1%, is the most widely used framework for developing web applications, followed by Java at 24.9%.
So, with ASP.NET being such a popular framework for building web applications, there are also several threats that applications built on it face.
Web developers should hence safeguard the web applications or websites from the following five threats:
1. Cross-site scripting
2. Information leakage
3. Content spoofing
4. SQL Injection
5. Insufficient transport layer protection
1. Cross Site Scripting (XSS):
Suppose you have a form with an input field that asks for a name. It works fine as long as the person filling it in does not enter any script.
Suppose that instead of a name, the person enters an HTML script tag. The attacker can then misuse the information written in the second text box, that is, the password.
This is how XSS can happen through text boxes. To prevent it, .NET includes the ValidateRequest property of the Page directive. We should set ValidateRequest="true" so that the request is rejected before the injected script reaches the page.
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="WebForm1.aspx.cs" Inherits="cross_scripting.WebForm1" ValidateRequest="true" %>
When we set this and run the above web form with a script injected in the text box, ASP.NET rejects the request and we get the following output:
But this is not the only way to make sure it does not happen: we can also HTML-encode all user input before it is rendered, and validate it according to its expected type, length and so on.
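As an added example (not code from the original post), the following helper combines both measures for the name field above: it validates the value by type and length, then HTML-encodes it at the point where it is written back into the page. The class name and the `txtName`/`lblGreeting` controls mentioned in the comment are assumptions.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical helper for the "name" text box. Call it from the code-behind as
//     lblGreeting.Text = NameInput.GreetingHtml(txtName.Text);
public static class NameInput
{
    // Type/length rule: 1 to 50 characters drawn from letters, space, dot,
    // apostrophe and hyphen. Angle brackets, ampersands and quotes never pass.
    private static readonly Regex Allowed =
        new Regex(@"^[\p{L} .'-]{1,50}$", RegexOptions.Compiled);

    public static bool IsValidName(string raw)
    {
        if (raw == null) return false;
        return Allowed.IsMatch(raw.Trim());
    }

    // Builds the markup echoed back to the user. Even though the validator
    // already rejects '<' and '>', the value is still encoded here so that an
    // apostrophe in "O'Brien" becomes &#39; and the output is never treated as
    // markup, whatever the validator allows in the future.
    public static string GreetingHtml(string raw)
    {
        if (!IsValidName(raw))
            return "Please enter a name of 1 to 50 letters.";

        return "Hello, " + HttpUtility.HtmlEncode(raw.Trim()) + "!";
    }
}
```

Request validation (ValidateRequest) only blocks input that looks like markup on the way in; encoding on the way out is what keeps the rendered page safe for the values that do get stored.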
2. Information Leakage
This type of attack happens when the attacker gets to know sensitive information such as system data or the error messages that occur. Knowing this helps the attacker plan an attack, because it gives clues on how to break into the system.
So what kinds of information can the attacker gather? The version of the software used, error messages, debugging information, login IDs and the system type.
Example: consider the error message we got when we tried to insert a script into a text box.
From this we get to know the whole stack trace of the error and also the version information. With the version information, the attacker learns the type of framework used to build the application and can look up its known vulnerabilities, which can lead to an attack.
So, how does ASP.NET solve this problem?
One way the developer can protect the application is by redirecting to an error page that does not show the full details of the error. For example, on a login page, if the password entered is wrong, the error should read "incorrect user name or password" rather than "incorrect password"; that way the attacker does not learn which of the two values was correct. Another way is to test how your code reports errors and to audit the code.
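As an added example (not code from the original post), this Global.asax.cs handler keeps the stack trace and version details on the server and sends the browser to a page that shows neither. It assumes a hypothetical ~/Error.aspx page exists in the project.

```csharp
using System;
using System.Diagnostics;
using System.Web;

namespace cross_scripting
{
    public class Global : HttpApplication
    {
        // Runs for every unhandled exception in the application.
        protected void Application_Error(object sender, EventArgs e)
        {
            Exception ex = Server.GetLastError();
            if (ex == null) return;

            // Keep the full detail (stack trace, inner exceptions) where only
            // operators can read it: the configured trace listeners.
            Trace.TraceError("Unhandled exception on {0}: {1}",
                             Request.RawUrl, ex.GetBaseException());

            // Discard the default error page, which would print the stack
            // trace and the framework version to the client...
            Server.ClearError();

            // ...and show a generic page instead. The second argument keeps
            // the redirect from throwing ThreadAbortException; CompleteRequest
            // then ends the pipeline cleanly.
            Response.Redirect("~/Error.aspx", false);
            Context.ApplicationInstance.CompleteRequest();
        }
    }
}
```

For unhandled errors the same result can be configured without code through the customErrors element in web.config (mode="RemoteOnly" with a defaultRedirect), which still shows full details to a browser on the server itself; the handler above is useful when you also want the exception logged.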
3. Content Spoofing
This is a type of attack in which the attacker presents a fake or modified website to the user as if it were legitimate. It is similar to XSS in that content is injected wherever the attacker finds a vulnerability.
For example, text-based injection:
This injection is carried out in the same way as HTML injection. The only difference is that instead of HTML tags, the crafted URL is created by adding to or replacing the actual data with false data. Once the URL is changed, the valid web page renders the injected textual content and displays false information to the user.
4. SQL Injection
This is an attack that "inserts" or "injects" an SQL query via the input data sent from the client to the application. If the SQL injection is successful, the attacker can read and modify data and execute administrative operations on the database.
This kind of attack normally happens on pages such as login pages, search pages and feedback forms, where an SQL query is written to contact the database directly.
Suppose we have a login page with user name and password fields, and the authentication query for the login page is built like this:
string query = "SELECT uid FROM tbl_login WHERE username='" + uname + "' AND password='" + pwd + "'";
If the value of the user name and password comes directly from the user input, this can make the application vulnerable to SQL injection.
Suppose that instead of a real password the attacker enters abc' OR '1'='1 in the password field. The concatenated query then becomes:
SELECT uid FROM tbl_login WHERE username='uname' AND password='abc' OR '1'='1'
Now the '1'='1' part is always true, and because AND binds more tightly than OR, the whole WHERE clause is true for every row no matter what the first part contains. Thus it allows a user to bypass the login without actually knowing the correct combination of user name and password.
One way ASP.NET helps against SQL injection is LINQ to SQL: the values become SQL parameters rather than part of the query text. For example, the query against tbl_login above can be written as:
var query = from test in db.tbl_login where test.username == uname && test.password == pwd select test.uid; // db is the LINQ to SQL DataContext
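The same lookup with a parameterized SqlCommand, as an added example that is not code from the original post. It uses the page's tbl_login schema as given (including its plain-text password column, which a real application would replace with a hash); the connection string name "LoginDb" is a placeholder.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class LoginRepository
{
    // Returns the uid of the matching row, or null when no row matches.
    public static int? FindUid(string uname, string pwd)
    {
        string cs = ConfigurationManager
            .ConnectionStrings["LoginDb"].ConnectionString;

        // The SQL text is a constant: user input never becomes part of it.
        const string sql =
            "SELECT uid FROM tbl_login " +
            "WHERE username = @username AND password = @password";

        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed parameters are sent separately from the statement, so an
            // input of  abc' OR '1'='1  is compared literally against the
            // password column and simply matches nothing.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = uname;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = pwd;

            conn.Open();
            object result = cmd.ExecuteScalar();
            if (result == null || result == DBNull.Value)
                return null;
            return (int)result;
        }
    }
}
```

A null return should be reported to the user with the same generic "incorrect user name or password" message regardless of which field was wrong.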
5. Insufficient Transport Layer Protection
This kind of attack is caused by applications that do not take measures to protect their network traffic. Normally a website uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to secure the transport layer, but if the website is not configured properly to use it, it will be susceptible to threats.
An example of such a threat is an application that uses SSL/TLS during authentication but fails to use it elsewhere in the application, or one that uses expired certificates.
The benefits of transport layer security are:
1. Protection of web application data in transit between client and server.
2. The server validation component of TLS, which authenticates the server to the client.
3. Integrity and replay prevention for TLS data, through the protocol's built-in controls.
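As an added example (not code from the original post), these Global.asax.cs hooks address the "TLS on the login page only" problem by moving every request onto HTTPS and keeping cookies off plain HTTP. It assumes a valid certificate is already bound to the site's HTTPS endpoint in IIS.

```csharp
using System;
using System.Web;

namespace cross_scripting
{
    public class Global : HttpApplication
    {
        protected void Application_BeginRequest(object sender, EventArgs e)
        {
            // Force every request, not only authentication, onto HTTPS.
            if (!Request.IsSecureConnection)
            {
                var https = new UriBuilder(Request.Url)
                {
                    Scheme = Uri.UriSchemeHttps,
                    Port = 443
                };
                Response.RedirectPermanent(https.Uri.AbsoluteUri, false);
                Context.ApplicationInstance.CompleteRequest();
                return;
            }

            // HSTS: tell browsers to refuse plain HTTP for this host for a
            // year, so a downgraded link or bookmark is upgraded client-side.
            Response.AppendHeader("Strict-Transport-Security",
                                  "max-age=31536000; includeSubDomains");
        }

        protected void Application_EndRequest(object sender, EventArgs e)
        {
            // Mark every outgoing cookie Secure (never sent over HTTP) and
            // HttpOnly (not readable by injected script). The web.config
            // element <httpCookies requireSSL="true" httpOnlyCookies="true" />
            // achieves the same for cookies the framework itself issues.
            foreach (string name in Response.Cookies.AllKeys)
            {
                Response.Cookies[name].Secure = true;
                Response.Cookies[name].HttpOnly = true;
            }
        }
    }
}
```

Certificate expiry is not something code can fix: put the certificate's expiry date under monitoring so it is renewed before browsers start warning users.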
Now that you know the kinds of threats that can affect a web application, you must look out for them and take care of them during the design and development phases.
Got a question for us? Mention them in the comments section and we will get back to you.