Published on Feb 02,2015
629 Views
Email Post

Nowadays, it’s the era of online shopping , banking etc. In fact every single thing that once people had to go outside and get is now available online. People get their stuffs at their doorsteps just by accessing a website that has been developed by just some random guys.

Now the question that arises is, when you get all the luxury of buying things even without stepping out of your house, do you think the transaction you made is actually safe?

Well, as the saying goes, every coin has two sides, every application built for a good purpose will also be utilized in a bad way. And the bad way is also called as a threat to the application.

Web applications can be built using many languages like ASP.NET, Java, ASP, PHP etc. According to the white hat security report for 2014, ASP.NET with 28.1% is the most preferred framework for developing web applications followed by Java with 24.9%.
So, ASP.NET being a popular framework for building web applications, there will be several threats that is faced by the applications as well.

Web developers should hence safeguard the web applications or websites from the following five threats:

1. Cross-site scripting
2. Information leakage
3. Content spoofing
4. SQL Injection
5. Insufficient transport layer protection

1. Cross Site Scripting (XSS):

This is a kind of attack in which the client side scripts can be injected into a web page that is viewed by a different user. The client side scripts is either HTML or JavaScript. There are different ways by which an attacker can inject scripts into the website. It can be through a textbox, query string, retrieved data from an external source, session variables and application variables. Now let us see how cross-site scripting works.

Suppose you have a form that has an input field that asks for name, it works fine now as the person did not add any script.

Capture1

Suppose instead of the name, the person adds an HTML script, then the attacker can misuse the information written in the second text box that is the password.

Capture2

This is how XSS, can happen using text boxes. To prevent this .NET has included the validate request property of the page directive. We should set ValidateRequest=”true” so as to catch the attack.

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="WebForm1.aspx.cs" Inherits="cross_scripting.WebForm1" ValidateRequest="true" %>

When we set this and run the above web form with script injected in the text box, we get the following output:

smallfinal (3)

But this is not the only way we can ensure it does not happen, we can also encode all the user inputs and also validate them depending on the type, length etc.

2. Information Leakage

This is a type of attack that happens when the attacker gets to know sensitive information like system data or error messages that occurs. By knowing the same, it helps the attacker to plan an attack as he gets clues on how to break into the system.

So what are the types of information that the attacker can gather? Version of the software used, errors, debugging information, login Id and System type.

Example: Consider the error message that we got when we tried to insert script into a text box.

stacktrace

version

From this we get to know the whole stack trace of the error and also the version information. By getting the version information, the attacker can get information on the type of framework used to build the application and also the vulnerabilities of the same, which can lead to an attack.

So, how does ASP.NET solve this problem?

One way in which the developer can save the application is by redirecting the page to an error page, that does not show the entire details of the error, for example, in a login page if the password entered is wrong, then the error should be displayed as “incorrect user name or password”, instead of “incorrect password”. By doing so, the attacker does not have an idea about which data is correct. Another way is to test your code on how it gives the error and also audit the code.

3. Content Spoofing

It is a type of attack in which the attacker presents a fake or modified website to the user as if it were legitimate. This is similar to XSS where in a code can be injected in a place the attacker finds vulnerability.

For Example, text based injection:
This injection is carried out in the same way as HTML injection. The only difference is, instead of HTML tags, the crafted URL is created by adding or changing the actual data with a false one. Once the URL is changed, the valid web page renders the injected textual content and displays false information to the user.

4. SQL Injection

This is an attack that “inserts” or “injects” an SQL query via the input data from the client to the application. If the SQL injection is successful then the attacker can read, modify and execute administration operations on the database.
This kind of attack normally happens in web pages like login page, search pages, feedback forms, where there will be an SQL query written to contact the data base directly.

Suppose we have a login page, with user name and password fields, then the query for the authentication for the login page is:

String query= SELECT uid FROM tbl_login WHERE username= ‘uname’ AND password= ‘pwd’

If the value of the user name and password comes directly from the user input, this can make the application vulnerable to SQL injection.
Suppose instead of the value “pwd”, the attacker enters something like this:

String query= SELECT uid FROM tbl_login WHERE username= ‘uname’ AND password= ‘abc’ OR ’1’=’1’

Now here the ‘1’=’1’ part will return true, no matter what the first part contains. Thus, it allows a user to bypass the login without actually knowing the correct combination of the user name and password.

One way in which ASP.NET provides a solution to SQL Injection is by using LINQ to SQL queries. For example, the above query to the tbl_login can be written as:

Var query = from test in tbl_login where text.uname == username and test.pwd==password select test;

5. Insufficient Transport Layer Protection

This kind of attack is caused by application that does not take measures for protecting the network traffic. Normally, website uses Secure Socket Later (SSL) or Transport Layer Security (TLS) to provide security to the transport layer, but if the web site is not configured properly to use this, then it will be susceptible to threats.

Example of a threat is, when an application uses SSL/TSL during authentication and fails to use it elsewhere in the application or when they use expired certificates.

The benefits of transport layer security is:

1. The protection of web application data from client to server.
2. The server validation component of TLS that provides authentication of the server to the client.
3. It also guarantees integrity and replay prevention from TLS data through the built-in controls.

Now that you know the kind of threats that can affect a web application, you must look out for it and take care of these during the design and development phase.

Got a question for us? Mention them in the comments section and we will get back to you. 

Related Posts:

Get Started with Microsoft.NET

Unleash the Power of LinQ, the .NET Way

About Author
Divyamol
Published on Feb 02,2015
Divyamol is passionate about learning new technologies and exploring things around her. She is currently working in Edureka as a Quality Analyst.

Share on

Browse Categories

Comments
0 Comments