SANS Top-20 Internet Security Attack Targets: Web Applications Attacks (1/2)  
Author: Max | 2006/11/21
Web Applications Attacks 
C1.1 Description

Applications such as Content Management Systems (CMS), Wikis, Portals, Bulletin Boards, and discussion forums are being used by small and large organizations. Every week hundreds of vulnerabilities are reported in these web applications, and they are actively exploited. The number of attempted attacks every day against some of the large web hosting farms ranges from hundreds of thousands to millions.

All web frameworks (PHP, .NET, J2EE, Ruby on Rails, ColdFusion, Perl, etc.) and all types of web applications are at risk from web application security defects, ranging from insufficient input validation through to application logic errors.

The most exploited vulnerabilities are:

  • PHP Remote File Include: PHP is the most common web application language and framework in use today. By default, PHP allows file functions to access resources on the Internet using a feature called "allow_url_fopen". When PHP scripts allow user input to influence file names, remote file inclusion can be the result. This attack allows (but is not limited to):

    • Remote code execution

    • Remote root kit installation

    • On Windows, internal system compromise may be possible through the use of PHP’s SMB file wrappers

  • SQL Injection: Injections, particularly SQL injections, are common in web applications. Injections are possible due to intermingling of user supplied data within dynamic queries or within poorly constructed stored procedures. SQL injections allow attackers:

    • To create, read, update, or delete any arbitrary data available to the application

    • In the worst case scenario, to completely compromise the database system and systems around it

  • Cross-Site Scripting (XSS): Cross site scripting, better known as XSS, is the most pernicious and easily found web application security issue. XSS allows attackers to deface web sites, insert hostile content, conduct phishing attacks, take over the user’s browser using JavaScript malware, and force users to conduct commands not of their own choosing – an attack known as cross-site request forgeries, better known as CSRF.

  • Cross-site request forgeries (CSRF): CSRF forces legitimate users to execute commands without their consent. This type of attack is extremely hard to prevent unless the application is free of cross-site scripting vectors, including DOM injections. With the rise of Ajax techniques, and better knowledge of how to properly exploit XSS attacks, CSRF attacks are becoming extremely sophisticated, both as an active individual attack and as automated worms, such as the Samy MySpace Worm.

  • Directory Traversal: Directory traversal (file access via ".." or many encoded variants) allows attackers access to controlled resources, such as password files, configuration files, database credentials or other files of the attacker’s choosing.
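
The directory traversal item above says the attack works through ".." and its many encoded variants, so a string filter on ".." is not enough. The following added example (not from the SANS document or this site) shows the defensive check a file-serving handler should make instead: decode the request path repeatedly, then resolve it on disk and confirm the result is still inside the allowed base directory. BASE_DIR, resolve_under_base and the sample inputs are assumptions constructed for this illustration.

```python
import os
import urllib.parse

# Constructed example: the only directory a hypothetical download handler
# is allowed to serve files from. realpath() gives the canonical form so it
# can be compared against resolved request paths below.
BASE_DIR = os.path.realpath("/srv/app/public")


def canonical_request_path(user_path: str) -> str:
    """Percent-decode until stable (defeats double encoding) and unify separators."""
    decoded = user_path
    for _ in range(3):  # a bounded loop so a pathological input cannot spin forever
        nxt = urllib.parse.unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def resolve_under_base(user_path: str, base_dir: str = BASE_DIR):
    """Return the absolute on-disk path if it stays inside base_dir, else None.

    The check is done on the *resolved* path (after "..", "." and symlinks are
    collapsed), not on the raw string, so every encoding of ".." is handled
    by the same comparison.
    """
    decoded = canonical_request_path(user_path)
    # NUL bytes truncate paths in C-based runtimes; absolute paths bypass join().
    if "\x00" in decoded or os.path.isabs(decoded):
        return None
    candidate = os.path.realpath(os.path.join(base_dir, decoded))
    # commonpath() == base_dir means candidate is base_dir itself or beneath it.
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("docs/readme.txt", "../../etc/passwd",
                "%252e%252e%252fetc%252fpasswd", "/etc/passwd"):
        print(repr(req), "->", resolve_under_base(req))
```

Because the decision is made on the resolved path rather than on the presence of a particular substring, new encoding tricks that still decode to ".." are rejected by the same comparison.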
