Thilan Dissanayaka Web App Hacking Apr 26

Common Web Application Attacks

SQL Injection (SQLi)

What it is: SQL Injection happens when an attacker manipulates a web application's SQL queries by injecting malicious SQL code. If user inputs are not properly sanitized, attackers can gain unauthorized access to databases, extract data, or even modify or delete records.

Example:

SELECT * FROM users WHERE username = '$username' AND password = '$password';

If an attacker inputs admin' --, it can comment out the rest of the SQL query and log in without a password.

Prevention:

Use prepared statements (parameterized queries).

Use ORM (Object-Relational Mapping) libraries carefully.

Validate and sanitize user inputs.

Limit database permissions (least privilege).

Cross-Site Scripting (XSS)

What it is: XSS attacks occur when an attacker injects malicious scripts into web pages that are then served to other users. The script can steal cookies, session tokens, or perform actions on behalf of the user.

Types of XSS:

Stored XSS (malicious input is permanently stored, e.g., in a database).

Reflected XSS (malicious input is reflected immediately off the server).

DOM-based XSS (client-side JavaScript improperly handling user input).

Example:

<script>alert('Hacked!');</script>

Prevention:

Escape all user input before rendering it to the page.

Use frameworks that automatically handle escaping (e.g., React).

Implement Content Security Policy (CSP).

Validate and sanitize inputs.

Cross-Site Request Forgery (CSRF)

What it is: CSRF tricks a victim into submitting a malicious request unknowingly. If the user is authenticated, the application processes the request with the user's privileges.

Example: A malicious email link that causes a user to unknowingly transfer money.

Prevention:

Use anti-CSRF tokens.

Implement SameSite cookie attributes.

Require re-authentication for critical actions.

Remote Code Execution (RCE)

What it is: RCE allows attackers to run arbitrary code on a server or application, leading to complete system compromise.

Example: If a web app allows users to upload files without proper validation, an attacker might upload a malicious script and execute it on the server.

Prevention:

Never directly execute user input.

Validate and sanitize file uploads.

Keep software and libraries updated.

Use safe APIs for executing system commands.

Command Injection

What it is: Similar to RCE, but more specific: command injection involves injecting system-level commands through a vulnerable application.

Example:

<?php system("ping " . $_GET['ip']); ?>

If not sanitized, an attacker could execute:

http://example.com/ping.php?ip=127.0.0.1; cat /etc/passwd

Prevention:

Never concatenate user input with shell commands.

Use APIs that separate code from data (e.g., execFile instead of exec).

Validate and sanitize inputs.

File Inclusion Vulnerabilities (LFI/RFI)

What it is:

Local File Inclusion (LFI): An attacker includes local files on the server.

Remote File Inclusion (RFI): An attacker includes remote files, possibly from their own server.

Example:

<?php include($_GET['page']); ?>

Prevention:

Validate and sanitize filenames and paths.

Maintain a whitelist of allowed files.

Disable remote file inclusion (allow_url_include in PHP).

Broken Authentication

What it is: When authentication mechanisms are improperly implemented, attackers can compromise passwords, keys, or session tokens.

Example:

Predictable login URLs

Weak password reset mechanisms

Prevention:

Implement strong password policies.

Use multi-factor authentication (MFA).

Secure session management.

Avoid exposing sensitive information.

Security Misconfiguration

What it is: Default settings, unnecessary services, or incomplete setups can expose applications to attacks.

Example:

Directory listings enabled

Default admin accounts still active

Error messages revealing stack traces

Prevention:

Regularly review and harden server configurations.

Disable unused features.

Conduct security audits.

Insecure Deserialization

What it is: When untrusted data is used to abuse the logic of an application during the deserialization process, leading to RCE, privilege escalation, or replay attacks.

Prevention:

Never accept serialized objects from untrusted sources.

Implement integrity checks (e.g., signatures).

Prefer simple data formats like JSON over complex objects.

Business Logic Vulnerabilities

What it is: Attackers exploit flaws in the logic or workflow of an application (e.g., bypassing payment after purchasing items).

Prevention:

Conduct thorough security testing.

Understand and protect critical workflows.

Implement strict server-side validation.

  1. Open Redirection What it is: Open Redirection occurs when a web application redirects users to a different domain without properly validating the redirect URL. Attackers can use this to trick users into visiting malicious sites.

Example:

https://example.com/login?redirect=https://evil.com

User thinks they're clicking a safe link but gets redirected to a phishing page.

Prevention:

Validate redirect URLs against an allowlist.

Never accept full URLs from user input; only use relative paths.

Warn users before redirecting to external domains.

  1. Insecure Direct Object Reference (IDOR) What it is: IDOR happens when applications expose internal implementation objects (like database IDs) without proper access control, allowing attackers to access unauthorized data.

Example:

https://example.com/user/12345/profile

Changing 12345 to another user's ID can expose private information.

Prevention:

Implement proper authorization checks for every object.

Avoid exposing predictable identifiers (use UUIDs).

Never trust user-supplied input for authorization.

  1. Server-Side Request Forgery (SSRF) What it is: In SSRF, attackers trick the server into making HTTP requests to internal services that are not meant to be accessible externally (like metadata services).

Example: Accessing AWS metadata server:

http://169.254.169.254/latest/meta-data/

Prevention:

Validate and sanitize all user-supplied URLs.

Implement network layer filtering.

Block requests to internal IP ranges.

  1. Sensitive Data Exposure What it is: Applications sometimes expose sensitive data like passwords, credit cards, or personal info due to inadequate protection (e.g., no encryption).

Prevention:

Use strong encryption for sensitive data (AES-256, HTTPS/TLS).

Never store passwords in plain text (use salted hashes).

Apply strict access control on sensitive endpoints.

  1. Clickjacking What it is: Clickjacking tricks a user into clicking on something different than they intended by overlaying transparent frames or buttons.

Example: An invisible "Like" button over a video player.

Prevention:

Use the X-Frame-Options: DENY or SAMEORIGIN header.

Implement frame-busting JavaScript.

  1. Cross-Origin Resource Sharing (CORS) Misconfigurations What it is: Incorrect CORS settings can allow unauthorized websites to interact with your APIs and steal data or perform actions on behalf of the user.

Prevention:

Always restrict allowed origins (Access-Control-Allow-Origin) to trusted domains.

Avoid using wildcard * unless absolutely necessary (and only for public APIs).

  1. XML External Entity (XXE) Attacks What it is: When an XML parser improperly processes external entities, attackers can read local files, perform SSRF, or execute other malicious actions.

Example:

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

Prevention:

Disable external entity processing in XML parsers.

Prefer safer data formats like JSON.

  1. Broken Access Control What it is: Access control issues happen when restrictions on what authenticated users are allowed to do are not properly enforced.

Example: Normal users can access admin endpoints simply by changing the URL.

Prevention:

Enforce server-side access control checks.

Deny by default, allow by explicit permission.

  1. Prototype Pollution (mostly in JavaScript applications) What it is: Prototype pollution allows attackers to manipulate object prototypes, affecting the behavior of the whole application.

Example: Sending { "proto": { "isAdmin": true } } in a request.

Prevention:

Use libraries that protect against prototype pollution.

Deeply clone user-supplied objects carefully.

ALSO READ
SQL injection login bypass
Apr 26 Web App Hacking

SQL Injection (SQLi) is one of the oldest and most fundamental web application vulnerabilities. While it’s becoming rarer in modern web apps due to better coding practices and frameworks,....

GDB reverse engineering tutorial
Mar 23 Web App Hacking

hiii, I selected an interesting topic to discuss. Here, we are going to disassemble a binary file and take a look at what it does. This process is called reverse engineering. Let's run the program....

Building a Web3 CLI Tool for the Ballerina Language: From Idea to Reality
Apr 26 Ballerina

πŸš€ Excited to finally share my journey of building a web3 CLI tool for Ballerina! This tool bridges the gap between Ethereum smart contracts and the Ballerina programming language by automatically....

Factory Pattern explained simply
Apr 26 Design Patterns

# Factory Pattern Imagine you want to create objects β€” but you don't want to expose the creation logic to the client and instead ask a factory class to **create objects for you**. That's....

Build A Simple Web shell
Mar 23 Web App Hacking

A web shell is a type of code that hackers use to gain control over a web server. It is particularly useful for post-exploitation attacks, and there are various types of web shells available. Some of....

ACID Properties in Databases: The Key to Reliable Transactions
Apr 25 Database Systems

When working with databases, one thing is absolutely critical: keeping your data safe, consistent, and reliable. That's where ACID properties come in β€” a set of principles that ensure every....