ITS 4050 - Internet and Web Security


Chapter 6, Introducing the Web Application Security Consortium

This lesson presents some material from chapter 6. Objectives important to this lesson:

  1. Threats to web applications
  2. Common attacks
  3. Common weaknesses
  4. Mitigating attacks
  5. Mitigating weaknesses
Concepts:
Chapter 6

Page 149 presents a short discussion about the level of commerce on the Internet creating a need for more and more security, particularly in the area of applications that support sales, banking, and personal data storage. It also introduces us to the Web Application Security Consortium (WASC), whose home page can be found with the link in this sentence. Navigation of their site is a bit challenging, so I recommend running a web search for them, which will produce links to various parts of their site, including projects, threat classifications, and an incident database. Okay, I just documented those three for you. There are more sections on their site.

Page 150 begins a discussion of the 34 attack classes listed by the WASC. Eight of the ten threats listed by the OWASP in the previous chapter are part of the 34 here, and so are other topics we have covered. Let's look at a sample of the information we have not discussed.

  1. Authentication Account Lockout Policy - This is the Active Directory policy that locks an account after a number of consecutive failed attempts to log in. Most users run into it, often due to having Caps Lock turned on. The text points out that the lockout policy makes a brute force authentication attack take longer, if it is turned on. The text tells us that the lockout duration period is set to 30 minutes by default, but only if the account lockout threshold (the number of consecutive failures) is set to something other than 0. What the text does not mention is that the default value of 0 for the lockout threshold actually means there is no threshold, so the account never locks. This is fine for a home system that will never hold secure data (yeah...right...) but not for anything else.
  2. Credential/Session Prediction - If your system assigns session IDs by a predictable algorithm, such as the use of the current date and part of the user ID mentioned in the text, then it becomes possible to predict the ID a user must have and to take over a current session that user has open. This eliminates the need to harvest the session ID from traffic to and from the user. Obviously, session IDs should be more complex and less predictable.
  3. XML Attacks - The text presents several attacks based on XML, notably on pages 164, 166, and 167. XML is used for database documentation, and for control of data on web systems. Note, for example, the External Entity attack that interfaces with an XML parser to retrieve a password file from a web server.

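To make the session-prediction point in item 2 concrete, here is an added Python example (mine, not from the text or the WASC) that puts the textbook's date-plus-user-ID scheme beside a random-token scheme. The session store and the shape check on incoming IDs are my own assumptions for illustration.

```python
import secrets
from datetime import date

# Textbook-style predictable scheme (constructed for illustration): the current
# date plus part of the user ID. Anyone who knows the user name and the day can
# reproduce the ID without ever seeing the user's traffic.
def predictable_session_id(user_id: str, when: date) -> str:
    return f"{when:%Y%m%d}-{user_id[:4].lower()}"

# Hardened scheme: 32 bytes (256 bits) from the OS CSPRNG, URL-safe encoded.
# The ID carries no user or time information, so there is nothing to predict.
def secure_session_id() -> str:
    return secrets.token_urlsafe(32)   # always 43 URL-safe characters

def id_has_expected_shape(presented: str) -> bool:
    """Cheap sanity check before touching the session table (assumed policy)."""
    if len(presented) != 43:
        return False
    return presented.replace("-", "").replace("_", "").isalnum()

class SessionStore:
    """Minimal server-side session table keyed by the random session ID."""
    def __init__(self):
        self._sessions = {}

    def create(self, user_id: str) -> str:
        sid = secure_session_id()
        self._sessions[sid] = user_id
        return sid

    def lookup(self, presented: str):
        # Malformed IDs are rejected outright; unknown IDs map to no user.
        if not id_has_expected_shape(presented):
            return None
        return self._sessions.get(presented)

if __name__ == "__main__":
    # Two logins by the same user on the same day get the same predictable ID,
    # while the random scheme gives unrelated IDs every time.
    day = date(2024, 1, 15)
    print(predictable_session_id("alice", day), predictable_session_id("alice", day))
    store = SessionStore()
    sid = store.create("alice")
    print(sid, store.lookup(sid), store.lookup("20240115-alic"))
```
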
The remainder of the chapter (ten more pages) discusses common web site weaknesses, as noted by the WASC. We have discussed several before. Some may have been common in the past, but should be less so now, such as directory indexing. (I would expect a 404 error instead.) Several focus on careful processing of user input, and more careful processing of information given to the user about the components and functions of the web site. Information passing in either direction should be validated before it is sent to the next stage of processing or display.

Assignments

  1. Continue the reading assignments for the course.
  2. Download the new lab handouts as they become available, and submit your work on them.