Web Application Exploits


Web Evolution

  1. Static content: the server serves web pages written by people.

  2. Dynamic content via server-side code: the server generates web pages from user input and a database, using code executed on the server.
    E.g. CGI scripts (Perl, Python, PHP, Ruby, Java, ASP, etc.)

  3. Dynamic content via client-side code: code embedded in the web page is executed in the browser and can manipulate the web page as a data structure (the Document Object Model, DOM).
    E.g. JavaScript, VBScript, ActiveX controls, Java applets

  4. AJAX (Asynchronous JavaScript and XML): a framework for updating a page by communicating between the browser and remote servers without reloading the whole page.


Attack Surface

Web applications have a large attack surface, i.e. many places that might contain vulnerabilities that can be exploited. A vault with a single guarded door is easier to secure than a building with many doors and windows.


These vulnerabilities were divided into six categories:

  1. Broken Authentication (62%) - This vulnerability relates to the application's login mechanism, which may enable an attacker to guess usernames and passwords and thus launch a brute-force attack.

  2. Broken Access Controls (71%) - The application fails to properly protect access to sensitive information. An attacker may be able to view other users' personal information.

  3. SQL Injection (32%) - This allows an attacker to submit arbitrary input to the application and interfere with the application's back-end database. The attacker may be able to modify or retrieve data from the application or execute commands on the database.

  4. Cross-site Scripting (94%) - This vulnerability enables an attacker to inject malicious JavaScript into the application, potentially gaining access to other users' data or carrying out other attacks against them.

  5. Information Leakage (78%) - In this case the application exposes sensitive data or information that might be useful to an attacker when targeting the application.

  6. Cross-site Request Forgery (92%) - This allows an attacker to cause malicious and unintended actions in the application on other users' behalf.
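The following Python is an added example, not part of these notes, showing the vulnerable and hardened forms of three of the categories above (SQL injection, cross-site scripting and cross-site request forgery). It assumes a constructed in-memory SQLite table standing in for the application's back-end database; the function names and sample inputs are all made up for illustration.

```python
import html
import hmac
import secrets
import sqlite3


def make_db():
    # Constructed stand-in for the application's back-end database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


# --- SQL injection ---------------------------------------------------------
def find_user_unsafe(conn, name):
    # Vulnerable: user input is spliced into the SQL text, so a quote character
    # in the input changes the structure of the query instead of its data.
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Hardened: a parameterized query sends the value separately from the SQL
    # text, so the input is only ever compared as a literal string.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- Cross-site scripting --------------------------------------------------
def render_greeting_unsafe(display_name):
    # Vulnerable: untrusted text is placed into the HTML response verbatim.
    return "<p>Hello, " + display_name + "</p>"


def render_greeting_safe(display_name):
    # Hardened: HTML-encode untrusted text so the browser renders it as text,
    # never as markup or script.
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"


# --- Cross-site request forgery -------------------------------------------
def issue_csrf_token():
    # A per-session random secret that the legitimate page echoes back in a
    # hidden form field; a cross-site page cannot read it, so it cannot forge
    # a request that passes the check below.
    return secrets.token_urlsafe(32)


def csrf_check(session_token, submitted_token):
    # Reject a missing token, and compare in constant time to avoid timing leaks.
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def demo():
    conn = make_db()
    probe = "' OR '1'='1"  # constructed input containing a quote character
    script = "<script>alert(1)</script>"  # constructed input containing markup
    tok = issue_csrf_token()
    return {
        "unsafe_rows": len(find_user_unsafe(conn, probe)),  # 2: WHERE became always-true
        "safe_rows": len(find_user_safe(conn, probe)),      # 0: no user has that literal name
        "unescaped": render_greeting_unsafe(script),        # markup reaches the browser
        "escaped": render_greeting_safe(script),            # markup is rendered as text
        "csrf_ok": csrf_check(tok, tok),                    # True: token echoed correctly
        "csrf_forged": csrf_check(tok, issue_csrf_token()), # False: wrong token
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The same probe input is passed to both query functions: against the string-concatenated query it turns the WHERE clause into a tautology and returns every row, while the parameterized query simply finds no user with that name. The output-encoding and token-check functions illustrate the corresponding fixes for the XSS and CSRF categories.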


The OWASP Top 10 - 2013 Release Candidate includes the following changes as compared to the 2010 edition: