cognizance of this issue and have perpetrated several attacks that have rendered applications open to these unwanted elements and have also resulted in the compromise of other users' accounts in the application. Some of the attacks against the access control systems of Web applications are as follows:
Cross-site request forgery
Session hijacking
Man-in-the-middle
Session fixation
Forceful browsing
7.2.1.1 Session Hijacking
Sessions are an integral aspect of a Web application. Sessions ensure that the stateless HTTP protocol is able to track state between multiple connections from the same user. Sessions are identified using session IDs, which the server uses to keep track of the communication between the server and the user of the Web application. A session is provided to the user when he/she logs into the system and is destroyed when the user logs out of the system.
Session hijacking is the technique used to capture a legitimate user's session ID while the session is still in progress. Sessions can be hijacked by an attacker brute-forcing session IDs until he/she reaches a legitimate session of a user. Several Web applications do not generate strong random session IDs, and as a result their session IDs are easily guessable. For instance, some Web applications generate session IDs like 0001 and 0002, which are numbers or characters in a series, and this provides an attacker with easy access to another user's session, as the attacker can simply increment the digits to reach the sessions of other users in the system. Session hijacking can also be performed with other attacks like phishing and cross-site scripting.
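The following is an added example, not code from the book, that contrasts the serial session-ID scheme described above with one drawn from a cryptographically secure random source, and includes the kind of audit check a reviewer would run over a sample of issued IDs. The class names, the audit functions and the alphabet heuristic in id_space_bits are assumptions made for this illustration.

```python
import math
import secrets
import string
from typing import Iterable, List


class SequentialSessionIds:
    """Constructed model of the weak scheme in the text: a counter padded to
    four digits ("0001", "0002", ...). Anyone holding one ID can reach its
    neighbours by incrementing."""

    def __init__(self) -> None:
        self._counter = 0

    def issue(self) -> str:
        self._counter += 1
        return f"{self._counter:04d}"


class RandomSessionIds:
    """Hardened scheme: each ID is 32 bytes (256 bits) from the OS CSPRNG,
    encoded as a 43-character URL-safe string. Guessing or enumerating a
    live session is infeasible."""

    def issue(self) -> str:
        return secrets.token_urlsafe(32)


def is_sequential(ids: Iterable[str]) -> bool:
    """Audit check: do consecutively issued IDs form a constant-step series?
    True means an ID leaks the IDs issued before and after it."""
    try:
        values = [int(i) for i in ids]
    except ValueError:
        return False  # not purely numeric, so not a plain counter
    if len(values) < 2:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and steps.pop() != 0


def id_space_bits(sample_id: str) -> float:
    """Upper bound on the randomness an ID of this shape could carry:
    length * log2(alphabet size). The alphabet is inferred from the
    character classes present (a heuristic assumed for this example);
    a low bound rules a scheme out, a high one does not by itself prove
    the generator is unpredictable."""
    chars = set(sample_id)
    if chars <= set(string.digits):
        alphabet = 10
    elif chars <= set(string.ascii_letters + string.digits):
        alphabet = 62
    else:
        alphabet = 64  # base64url: letters, digits, '-' and '_'
    return len(sample_id) * math.log2(alphabet)


def audit(ids: List[str]) -> dict:
    """Summarise a sample of issued IDs for a security review."""
    return {
        "sequential": is_sequential(ids),
        "all_unique": len(set(ids)) == len(ids),
        "space_bits": round(id_space_bits(ids[0]), 1),
    }


if __name__ == "__main__":
    weak = SequentialSessionIds()
    strong = RandomSessionIds()
    print("weak  :", audit([weak.issue() for _ in range(5)]))
    print("strong:", audit([strong.issue() for _ in range(5)]))
```

The space_bits figure makes the gap concrete: a four-digit counter can never offer more than about 13 bits, and in practice offers none because the order is known, whereas the random scheme carries 256 bits of genuine randomness behind roughly 258 bits of encoding space.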
7.2.1.2 Cross-Site Request Forgery
Cross-site request forgery is also known as CSRF or XSRF. Cross-site request forgery is a deadly attack against a Web application. A CSRF attack occurs when an attacker is successfully able to pass a phantom request to the Web application on behalf of the user without the user's knowledge. For instance, a user is logged in to his banking Web application and simultaneously logged into his email application. The user receives an email instructing him/her to visit a particular link. The link in reality is a hidden request to the banking application that transfers $1000 from the user's account to the attacker's account. If the banking application is vulnerable to CSRF, this request would be processed and the banking application would transfer the said amount to the attacker's account. This is successful because the legitimate user is logged into the banking application with a properly issued session ID, and the user would be completely unaware of the request made by the attacker to the banking application. While CSRF is technically not considered an attack on the access control system, the attack succeeds because unauthenticated requests to a vulnerable Web application result in a change of state and possible exposure of sensitive information.
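As an added example (not the book's code), the bank transfer scenario above is modelled below with a synchronizer token defence: the server stores a random CSRF token in the session, embeds it in its own forms, and rejects any state-changing request that does not carry it. The Bank, Session and Request classes, the cookie and form field names, and the account balances are constructed for this illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Session:
    session_id: str
    user: str
    # Per-session anti-CSRF token; the application embeds it in its own
    # forms, and only pages served from the bank's origin can read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """Minimal model of an HTTP request as the server sees it (constructed).
    The browser attaches the session cookie to every request to the bank's
    domain, including requests a third-party page causes it to make."""
    method: str
    cookies: Dict[str, str]
    form: Dict[str, str]


class Bank:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.balances: Dict[str, int] = {"alice": 5000, "mallory": 0}

    def login(self, user: str) -> Session:
        sess = Session(secrets.token_urlsafe(32), user)
        self.sessions[sess.session_id] = sess
        return sess

    def transfer(self, req: Request) -> str:
        """POST /transfer with form fields to, amount, csrf_token."""
        sess = self.sessions.get(req.cookies.get("SESSIONID", ""))
        if sess is None:
            return "401 not logged in"
        if req.method != "POST":
            return "405 state change requires POST"
        presented = req.form.get("csrf_token", "")
        # Constant-time comparison so the check cannot be timed.
        if not hmac.compare_digest(presented, sess.csrf_token):
            return "403 CSRF token mismatch"
        amount = int(req.form["amount"])
        if self.balances[sess.user] < amount:
            return "400 insufficient funds"
        self.balances[sess.user] -= amount
        self.balances[req.form["to"]] = self.balances.get(req.form["to"], 0) + amount
        return "200 transferred"


def scenario() -> Dict[str, object]:
    """Replay the scenario from the text: the forged request the email link
    triggers carries the victim's cookie but not the token; the legitimate
    request from the bank's own form carries both."""
    bank = Bank()
    sess = bank.login("alice")
    forged = Request(
        method="POST",
        cookies={"SESSIONID": sess.session_id},
        form={"to": "mallory", "amount": "1000"},
    )
    legit = Request(
        method="POST",
        cookies={"SESSIONID": sess.session_id},
        form={"to": "bob", "amount": "1000", "csrf_token": sess.csrf_token},
    )
    return {
        "forged": bank.transfer(forged),
        "legit": bank.transfer(legit),
        "balances": dict(bank.balances),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Without the token check, transfer() would accept the forged request on the strength of the cookie alone, which is exactly the "properly issued session ID" the text identifies as the reason CSRF works. The defence holds because the same-origin policy prevents the attacker's page from reading the token out of the bank's session or pages.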
7.2.1.3 Session Fixation
Session fixation is also a popular attack against Web application access control. The attack is carried out when a vulnerable application does not invalidate existing session credentials when the