AoC 2022 Day 14: Securing Web Applications

Web Application

A software program that we access through a web browser is known as a web application. Unlike desktop programs and smartphone apps, the user does not need to install anything on their machine: a modern web browser such as Firefox, Microsoft Edge, Google Chrome, or Safari is all that is required.

The user enjoys a number of benefits. Because a web application only requires a web browser, a user can access it from a Microsoft Windows system, a Mac, or a Linux system; anyone who can run a modern browser can use it. Even across different platforms, they see the same interface and have a very comparable experience. They can even use the browser on their phone to reach the same application, with only the screen size and the content it can display affecting the experience.

There are also advantages for the software developer. Instead of developing one application for macOS, another for Microsoft Windows, and a third for ChromeOS, they only need to build one web application and ensure that it works in the major modern browsers.

The following are some examples of popular web applications:

  • Webmail: Examples include Tutanota, ProtonMail, StartMail, and Gmail.
  • Online Shopping: Some examples are Etsy, Amazon, eBay, and AliExpress.
  • Online Banking: Modern banks increasingly allow clients to carry out their banking operations from a web browser.
  • Online Office Suite: Consider, for instance, Microsoft Office 365, Zoho Office, and Google Drive.

As web technologies advance, the number and types of web applications keep increasing.

Database

Whenever web applications are discussed, database systems must be brought up. Many web applications need access to enormous amounts of data: even the simplest online shop has to store data about the available products, the customers, and the purchases. We need a way to hold that information and to read from and write to it efficiently. The solution is a database management system.

There are two popular database models:

  • Relational Database: Stores the data in tables, and tables can reference one another. Consider a basic example with three tables: products, customer_details, and purchases. The purchases table would reference information held in the products table.
  • Non-Relational Database: Any database that does not use tables. It might store the data as documents or as graph nodes, among other structures.

In general, a web application queries the database frequently to perform tasks such as searching for information, adding records, and updating records.

Access Control

Consider the case where you are using an online shop as a customer. After logging in successfully, you should be able to browse the available products and check their details and prices, among other things. Depending on the shop, you might also be able to post a question or a review about a product; as a customer, however, you should not be able to change the price or the product details. That is access control at work.

Access control is the security function that determines who has access to which data and resources. It sets the appropriate level of access after authentication has established who the user is. In the online shopping example, a vendor should be able to alter the prices or descriptions of their own products, but not the data belonging to other vendors. A customer, on the other hand, should be able to read the product data but not change it.

However, due to programming or design mistakes, access control is sometimes not properly enforced.

Web Application Vulnerabilities

OWASP (the Open Web Application Security Project) was established to improve software security. The OWASP Top 10 list aims to raise awareness of the most common security issues that plague web applications. It helps software developers avoid common mistakes and build more secure products, and penetration testers and bug bounty hunters use it to guide their testing.

When a user can modify their input to bypass authorisation because of lax access control, the condition is referred to as IDOR (Insecure Direct Object Reference). IDOR was ranked number four on the OWASP Top 10 in 2013 before being merged into Broken Access Control in 2017. The following examples show what IDOR looks like in practice.

Suppose a user with ID 132 is directed to the following URL after logging in to the system: http://santagift.shop/account/user_id=132. They soon discover that they can browse other users’ profiles by changing the user_id value from 132 to other values that are likely to match existing user IDs. The system should deny access to the new URL because the user is not authorised to view it, but an IDOR vulnerability lets the user display such unauthorised pages. In the figure below, the user managed to access the account page of the user with ID 101.

Figure showing IDOR vulnerability by changing the user ID in the URL

Consider the example where requesting an invoice generates a link similar to http://santagift.shop/invoices?download=115. To test for the vulnerability, one would replace 115 with another number, as shown in the image below. The system is vulnerable if it serves other users’ invoices.

Figure showing IDOR vulnerability by changing the download file ID in the URL

An IDOR vulnerability might even let an attacker reset another user’s password. For instance, after logging in, a malicious user could start from the URL used to change their own password and replace their username with that of another user. In the figure below, the attacker replaces their username yeti in the URL http://santagift.shop/account/changepassword=yeti with another valid username and attempts to change that user’s password. The impact of an IDOR vulnerability can therefore be high.
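The three URLs above (the account page, the invoice download, and the password change) all share one root cause: the server selects the object by the id the client sent and never asks whether the logged-in user owns it. The example below is added here to show that root cause and its fix side by side; it is not code from TryHackMe or from the santagift.shop application, and the users (santa, id 101; yeti, id 132), invoices 115 and 116, the in-memory SQLite schema, and the function names are all constructed for illustration. It also ties back to the Database and Access Control sections: the ownership check is part of the SQL query, and the principal comes from the authenticated session, never from the request.

```python
import hashlib
import hmac
import os
import sqlite3
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the authenticated user may not touch the requested object."""


@dataclass
class Session:
    """What the server knows about the caller after authentication (e.g. from a session cookie)."""
    user_id: int
    username: str


def hash_password(password: str, salt: bytes = b"") -> str:
    # PBKDF2-HMAC-SHA256 with a random per-user salt, stored as "salthex$hashhex".
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt_hex, _ = row[0].split("$")
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), row[0])


def build_db() -> sqlite3.Connection:
    """Constructed sample data (not from the page): two users, one invoice each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
                            password_hash TEXT NOT NULL);
        CREATE TABLE invoices (id INTEGER PRIMARY KEY,
                               owner_id INTEGER NOT NULL REFERENCES users(id),
                               amount_cents INTEGER NOT NULL);
    """)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(101, "santa", hash_password("north-pole")),
                      (132, "yeti", hash_password("snowball"))])
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(115, 132, 4999), (116, 101, 12000)])  # 115 is yeti's, 116 is santa's
    return conn


# --- Vulnerable handlers: the object is chosen by the client-controlled id alone ---

def get_account_vulnerable(conn, session: Session, user_id: int):
    # /account/user_id=132 -> change 132 to 101 and read santa's page.
    row = conn.execute("SELECT id, username FROM users WHERE id = ?", (user_id,)).fetchone()
    return None if row is None else {"id": row[0], "username": row[1]}


def get_invoice_vulnerable(conn, session: Session, invoice_id: int):
    # /invoices?download=115 -> any logged-in user can download invoice 116.
    row = conn.execute("SELECT id, owner_id, amount_cents FROM invoices WHERE id = ?",
                       (invoice_id,)).fetchone()
    return None if row is None else {"id": row[0], "owner_id": row[1], "amount_cents": row[2]}


def change_password_vulnerable(conn, session: Session, username: str, new_password: str) -> None:
    # /account/changepassword=yeti -> the target comes from the URL, so yeti can reset santa.
    conn.execute("UPDATE users SET password_hash = ? WHERE username = ?",
                 (hash_password(new_password), username))
    conn.commit()


# --- Hardened handlers: every lookup is scoped to the authenticated principal ---

def get_account_secure(conn, session: Session):
    # No id parameter at all: the account shown is always the session's own.
    row = conn.execute("SELECT id, username FROM users WHERE id = ?", (session.user_id,)).fetchone()
    return {"id": row[0], "username": row[1]}


def get_invoice_secure(conn, session: Session, invoice_id: int):
    # Ownership is part of the WHERE clause, so a foreign id and a nonexistent id
    # look identical to the caller (no oracle for which invoice numbers exist).
    row = conn.execute(
        "SELECT id, owner_id, amount_cents FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, session.user_id)).fetchone()
    if row is None:
        raise Forbidden(f"user {session.user_id} may not read invoice {invoice_id}")
    return {"id": row[0], "owner_id": row[1], "amount_cents": row[2]}


def change_password_secure(conn, session: Session, new_password: str) -> None:
    # The target row is derived from the session, never from the request.
    conn.execute("UPDATE users SET password_hash = ? WHERE id = ?",
                 (hash_password(new_password), session.user_id))
    conn.commit()


def is_denied(fn, *args) -> bool:
    """True if calling fn(*args) raises Forbidden; used to exercise the hardened handlers."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    db, yeti = build_db(), Session(132, "yeti")
    print("vulnerable:", get_invoice_vulnerable(db, yeti, 116))   # santa's invoice leaks
    print("hardened denies 116:", is_denied(get_invoice_secure, db, yeti, 116))
```

The fix is not "validate the number better": any id the client can type is attacker-controlled, so the authorisation decision has to be anchored to the session identity. Putting `owner_id = ?` into the query keeps the check and the data access in one place and cannot be forgotten on a later code path; whether the hardened handler answers a denied request with 403 or (as many applications prefer) a plain 404 is a separate choice about how much to reveal.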

~ Source: Tryhackme.

Challenge Solution
