This article looks at five common Web application attacks, primarily for PHP applications, and then presents a case study of a vulnerable Website that was found through Google and easily exploited. Each of the attacks we'll cover is part of a wide field of study, and readers are advised to follow the references listed in each section for further reading. It is important for Web developers and administrators to have a thorough knowledge of these attacks. It should also be noted that Web applications can be subjected to many more attacks than just those listed here....
You may know ASP.NET, but if you don't understand how to secure your applications, you need this book. This vital guide explores the often-overlooked topic of teaching programmers how to design ASP.NET Web applications so as to prevent online thefts and security breaches.
You'll start with a thorough look at ASP.NET 3.5 basics and see what happens when you don't implement security, including some amazing examples. The book then delves into the development of a Web application, walking you through the vulnerable points at every phase.
Syngress would like to acknowledge the following people for their kindness and support in making this book possible.
Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc.
1. Vulnerability Description
Flickr is almost certainly the best online photo management and sharing application in the world. As of June 2009, it claims to host more than 3.6 billion images. In order to allow independent programmers to expand its services, Flickr offers a fairly comprehensive web-service API that allows programmers to create applications that can perform almost any function a user on the Flickr site can do. The Flickr API consists of a set of callable methods and some API endpoints.
Web now widely used by business, government, individuals
but Internet & Web are vulnerable
have a variety of threats
denial of service
need added security mechanisms
Most Web application vulnerabilities rely on a hacker’s ability to input invalid data or malicious code into the application using techniques such as the ones described. For developers with time-to-market deadlines, it is virtually impossible to comb through code and test every possible permutation of a malicious technique a hacker may attempt.
As more users are connected to the Internet and conduct their daily activities electronically, computer users have become the target of an underground economy that infects hosts with malware or adware for financial gain. Unfortunately, even a single visit to an infected web site enables the attacker to detect vulnerabilities in the user’s applications and force the download of a multitude of malware binaries.
Session handling, credit card transactions, and password recovery are just a few examples of
Web-enabled business logic processes that malicious hackers have abused to compromise major
websites. There are many forms of business logic vulnerabilities commonly exploited by attackers.
These vulnerabilities are routinely overlooked during QA because the process is intended to test
what a piece of code is supposed to do and not what it can be made to do.
Of the current attacks on Web applications, those based on script injection are by far the most prominent. For example, script injection is used in cross-site scripting and Web application worms [2, 24].
A script injection vulnerability may be present whenever a Web application includes data of uncertain origin in its Web pages; a third-party comment on a blog page is an example of such untrusted data.
Web applications provide end users with client access to server functionality through a set of Web pages. These pages often contain script code to be executed dynamically within the client Web browser.
Most Web applications aim to enforce simple, intuitive security policies, such as, for Web-based email, disallowing any scripts in untrusted email messages.
In this thought-provoking anthology, today's security experts describe bold and extraordinary methods used to secure computer systems in the face of ever-increasing threats. Beautiful Security features a collection of essays and insightful analyses by leaders such as Ben Edelman, Grant Geyer, John McManus, and a dozen others who have found unusual solutions for writing secure code, designing secure applications, addressing modern challenges such as wireless security and Internet vulnerabilities, and much more.
SQL injection vulnerabilities have been described as one of the most serious threats for Web applications [3, 11]. Web applications that are vulnerable to SQL injection may allow an attacker to gain complete access to their underlying databases. Because these databases often contain sensitive consumer or user information, the resulting security violations can include identity theft, loss of confidential information, and fraud. In some cases, attackers can even use an SQL injection vulnerability to take control of and corrupt the system that hosts the Web application.
The first important question is “What is a Web application?” Although most people have an intuitive notion of what comprises a Web-enabled application, rarely do we think about its scope and complexity. Web applications are typically multi-layered entities that include code and data residing in many places within the enterprise (see Figure 1) that can be accessed directly or indirectly from the Internet. Some parts of the application are typically developed in house and are unique to the enterprise, while others are purchased from an external vendor (e.g.
SQL injection attacks pose a serious security threat to Web applications: they allow attackers to obtain unrestricted access to the databases underlying the applications and to the potentially sensitive information these databases contain. Although researchers and practitioners have proposed various methods to address the SQL injection problem, current approaches either fail to address the full scope of the problem or have limitations that prevent their use and
If a company’s Web site is used to collect, compile, or process customer data, that company has an added point of vulnerability. The increased vulnerability in this situation arises from the potential of a hacker breaking into the Web site and stealing data such as names, addresses, account information, or credit card numbers. In addition, if the Web site is integrated with back-end applications or connected to other systems in the enterprise, there is a greater possibility that hackers and information thieves can access more sensitive information that otherwise may be kept private.
Taking the network scenario of Figure 1, there will be web interfaces (routers and servers), BACnet/IP controllers (connected to interesting devices that are network accessible), and operator workstations that may have a vulnerable OS as well as configuration files and other interesting data and resources.
The following table is adapted from a Drexel report on network security [Eisenstein et al., 2003a] and lists known IT threats to a BACnet network connected to the public Internet.