user logs in to the Web application. For instance, Bob is an attacker who wants to steal Scott's session and gain access to his email account. Bob accesses his email, for which the email application issues him a session ID. Bob then resets the browser to the login page. Scott notices the open browser window with the email site open and logs into the Web application. The vulnerable email site logs in Scott with Bob's previously existing session (which is still valid), and using that session ID, Bob maliciously gains access to Scott's email account.
A variety of social engineering options are at the attacker's disposal to carry out a session fixation attack. Phishing attacks are also used to deliver session fixation attacks to the victim.
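The Bob/Scott scenario above comes down to one server-side decision: whether the session identifier that existed before authentication is kept or replaced at login. The following Python simulation is an added example, not code from the book; it models a session store (a stand-in for a servlet container's HttpSession, with a constructed user table and a SHA-256 digest standing in for a proper password hash) and replays the scenario once with the identifier kept and once with it rotated.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed user table for the example: username -> SHA-256 of the password.
# (Stand-in for a real credential store using bcrypt/PBKDF2; not part of the book.)
SCOTT_PASSWORD = "correct horse battery staple"
USERS = {"scott": hashlib.sha256(SCOTT_PASSWORD.encode()).hexdigest()}


def check_credentials(username: str, password: str) -> bool:
    """Constant-time comparison of the candidate digest against the stored one."""
    stored = USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)


class SessionStore:
    """Minimal in-memory session store (hypothetical; models the container's session table)."""

    def __init__(self) -> None:
        # session id -> authenticated username (None while the session is anonymous)
        self._sessions: Dict[str, Optional[str]] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness: unguessable, but still fixable
        self._sessions[sid] = None
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid)

    def login(self, sid: str, username: str, password: str, rotate_id: bool = True) -> str:
        """Authenticate inside session `sid`; returns the id the client must use afterwards."""
        if not check_credentials(username, password):
            raise PermissionError("bad credentials")
        if rotate_id:
            # Hardened behaviour: drop the pre-authentication id (whoever placed it in the
            # browser may know it) and bind the authenticated user to a fresh one.
            self._sessions.pop(sid, None)
            sid = self.new_session()
        elif sid not in self._sessions:
            sid = self.new_session()
        self._sessions[sid] = username
        return sid


def attacker_can_hijack(rotate_id: bool) -> bool:
    """Replays the scenario from the text: Bob's pre-login session is left in the browser,
    Scott logs in from it. True means Bob's old id now resolves to Scott's account."""
    store = SessionStore()
    bob_sid = store.new_session()  # Bob obtains a session id, then resets to the login page
    store.login(bob_sid, "scott", SCOTT_PASSWORD, rotate_id=rotate_id)  # Scott logs in
    return store.whoami(bob_sid) == "scott"


if __name__ == "__main__":
    print("vulnerable (id kept across login):", attacker_can_hijack(rotate_id=False))
    print("hardened   (id rotated on login): ", attacker_can_hijack(rotate_id=True))
```

With `rotate_id=False` the store reproduces the vulnerable email site: Bob's identifier is now Scott's authenticated session. With `rotate_id=True` the old identifier no longer exists and only the freshly issued one (which the browser, not Bob, received) is bound to Scott. In a Java servlet the equivalent is invalidating the session and obtaining a new one at the moment of successful authentication.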
7.2.1.4 Man-in-the-Middle
The man-in-the-middle attack, or MITM, is used extensively to steal user credentials from operating systems, network devices, and Web applications alike. The man-in-the-middle attack is carried out when the attacker intercepts communication flowing between the server and client, or between two systems communicating with each other. Web applications are also subject to the MITM attack because username and password credentials are passed over the network using the HTTP protocol. Encrypting traffic between server and client is one of the popular ways of ensuring that an attacker who intercepts network traffic cannot view user credentials in cleartext while they are transmitted over the network.
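Encrypting the channel only helps if the application never lets credentials or session identifiers travel over plaintext HTTP in the first place. The following Python functions are an added example (not the book's code) of the server-side policy that enforces this: plaintext GETs are redirected to HTTPS, plaintext POSTs are refused rather than redirected, HTTPS responses carry an HSTS header, and the session cookie is marked `Secure`. The host names and the `JSESSIONID` cookie name are assumptions for illustration.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit, urlunsplit

# Instructs browsers to use HTTPS for this host for one year (constructed value).
HSTS = "max-age=31536000; includeSubDomains"


def handle_request(method: str, url: str) -> Tuple[int, Dict[str, str]]:
    """Decide, before any application logic runs, how to treat a request.

    - HTTPS: let it through and pin HTTPS with Strict-Transport-Security.
    - plaintext GET: redirect to the same URL over HTTPS.
    - plaintext POST/PUT/...: refuse. Whatever was in the body (a login form, say) has
      already crossed the network in cleartext; a redirect would only make the browser
      resend it, and would hide the fact that the form was served insecurely.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return 200, {"Strict-Transport-Security": HSTS}
    if method.upper() == "GET":
        # Assumption: the HTTPS listener is on the default port, so any explicit
        # plaintext port is dropped from the redirect target.
        host = parts.hostname or parts.netloc
        secure_url = urlunsplit(("https", host, parts.path, parts.query, parts.fragment))
        return 301, {"Location": secure_url}
    return 403, {"Content-Type": "text/plain"}


def session_cookie(session_id: str) -> str:
    """Set-Cookie value for the session id. 'Secure' stops the browser from ever sending
    it over plaintext HTTP, which is exactly where an interceptor could read it;
    'HttpOnly' keeps it away from script."""
    return f"JSESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    print(handle_request("GET", "http://www.vuln-app.com/login"))
    print(handle_request("POST", "http://www.vuln-app.com/login"))
    print(handle_request("POST", "https://www.vuln-app.com/login"))
    print(session_cookie("example-session-id"))
```

The asymmetry between GET and POST is the point practitioners most often miss: a redirect is fine for a bookmark typed without the scheme, but a login form that reaches the server over HTTP has already lost, and the correct response is to refuse and fix the page that served the form.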
7.2.1.5 Forceful Browsing
Forceful browsing is also a common attack against a vulnerable Web application. Web applications have several links and pages that are not visible to the user, or not accessible by the user, because they aren't referenced by the Web application. Attackers may be able to manually crawl the Web application for unprotected links and gain access to information through pages that are not referenced by the application. For instance, the Web application has an admin page at https://www.vuln-app.com/site/admin/admin.jsp. This page is the admin dashboard, which is not referenced anywhere in the Web application. An attacker can crawl all the directories and files of the Web application and come across this unprotected page, which contains sensitive information, thereby leading to a security breach. Forceful browsing is made possible by leaving links and pages unprotected, that is, not secured by access control or not covered by strong authorization rules.
Another example of forced browsing* is when the authorization for certain pages and links is enforced through client-side mechanisms like JavaScript. The user can disable JavaScript or use a Web application proxy to easily access restricted links and perform unauthorized actions on the Web application.
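Both forms of forceful browsing described above have the same fix: authorization is decided on the server for every request, from a policy that denies anything it does not explicitly allow, regardless of whether the page is linked from the UI or hidden by script. The following Python filter is an added example, not the book's code; the policy table, role names and URLs (including the `/site/admin/admin.jsp` path from the text) are constructed for illustration. It also normalizes the path first, so that percent-encoding or `..` segments cannot sidestep a prefix rule.

```python
import posixpath
from typing import FrozenSet, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed policy table: URL prefix -> roles permitted; None means anonymous access.
# First match wins. Anything not listed is denied, so a page the UI never links to
# (the admin dashboard in the text) is protected whether or not a crawler finds it.
Roles = Optional[FrozenSet[str]]
POLICY: List[Tuple[str, Roles]] = [
    ("/site/admin/", frozenset({"admin"})),
    ("/site/account/", frozenset({"user", "admin"})),
    ("/site/public/", None),
    ("/login", None),
]
ANONYMOUS: FrozenSet[str] = frozenset()


def normalize_path(url: str) -> str:
    """Canonical request path: decoded once and with '.'/'..' segments resolved."""
    path = unquote(urlsplit(url).path)
    path = posixpath.normpath(path)  # collapses '//' and resolves '..' against earlier segments
    if not path.startswith("/"):
        path = "/" + path
    return path


def is_authorized(url: str, roles: FrozenSet[str]) -> bool:
    """Server-side check to run on every request, before the page is served."""
    path = normalize_path(url)
    for prefix, allowed in POLICY:
        base = prefix.rstrip("/")
        if path == base or path.startswith(base + "/"):
            return allowed is None or bool(roles & allowed)
    return False  # default deny: unlisted pages are never reachable by forceful browsing


if __name__ == "__main__":
    admin_page = "https://www.vuln-app.com/site/admin/admin.jsp"
    print("anonymous ->", is_authorized(admin_page, ANONYMOUS))
    print("user      ->", is_authorized(admin_page, frozenset({"user"})))
    print("admin     ->", is_authorized(admin_page, frozenset({"admin"})))
    dotted = "https://www.vuln-app.com/site/public/%2e%2e/admin/admin.jsp"
    print("traversal ->", normalize_path(dotted), is_authorized(dotted, ANONYMOUS))
```

Note that the policy is keyed on canonical paths and roles, never on whether a link was rendered, so disabling JavaScript or replaying the request through a proxy changes nothing. The decode-then-normalize order matters: checking the raw string `/site/public/%2e%2e/admin/admin.jsp` against the prefixes would have matched the public rule.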
7.2.2 User Credentials—Usernames and Passwords
The use of usernames and passwords for authentication is ubiquitous in any application. Most applications, ranging from desktop applications, network management applications, and operating systems to Web applications, have relied extensively on usernames/user IDs and passwords for
* An example of the attack can be found at Abhay Bhargav's blog: http://citadelnotes.blogspot.com/2009/05/overreliance-on-javascript-pen-testers.html.