Security Testing


Wednesday, September 19, 2018

Overly permissive CORS

The Origin header is sent by the browser with a CORS request and indicates the origin the request comes from. It can be spoofed by any client outside the browser, so the application-level protection of sensitive data must not rely on it alone.
Access-Control-Allow-Origin is a response header used by the server to indicate which origins are allowed to read the response.
An insecure configuration is, for example, using the '*' wildcard as the value of the Access-Control-Allow-Origin header, which means every origin is allowed. Another insecure example is a server that reflects the request's Origin header back without any additional checks, which can let another site read sensitive data. This configuration is very insecure and is not acceptable, except for a public API that is intended to be accessible by everyone.

add_header Access-Control-Allow-Origin $cors_header;
add_header Access-Control-Allow-Credentials true;
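The following is an added example, not code from the original post: an exact-match allow-list for Access-Control-Allow-Origin, plus a classifier that flags the two insecure configurations described above (wildcard with credentials, and a server that reflects whatever Origin it receives). The allow-list values and the probe origin are assumptions for the example.

```python
# Assumed allow-list for the example; in practice this comes from configuration.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_response_headers(origin, allowed=ALLOWED_ORIGINS):
    """Return the CORS headers to send for a request carrying `origin`.

    Only an exact allow-list match is reflected. Any other value, a missing
    header, or a look-alike such as app.example.com.attacker.test gets no
    CORS headers, so the browser refuses to expose the response to that page.
    """
    if origin in allowed:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # caches must not serve one origin's answer to another
        }
    return {}


def classify_cors(probe_origin, response_headers):
    """Classify a response obtained by sending an untrusted `probe_origin`.

    Returns 'none' (no CORS headers), 'public' (wildcard without credentials,
    acceptable only for a public API), 'restricted' (a fixed allowed origin)
    or 'insecure' (wildcard with credentials, or the probe origin reflected).
    """
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return "none"
    if acao == "*":
        return "insecure" if creds else "public"
    if acao == probe_origin:
        return "insecure"  # the server echoed an arbitrary Origin without checks
    return "restricted"
```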

Wednesday, September 12, 2018

Web Application Source Code Disclosure Pattern Found

It is possible to retrieve the source code of a server-side script, which may expose the business logic or sensitive information such as usernames and passwords.


Possible Causes
· Patches for third-party products were not installed
· Temporary files were left in the production environment
· Debugging information was left by the programmer in web pages
Application source code should not be accessible to web users, as it may contain sensitive application information and back-end logic.
It can give an attacker useful guidance for further exploitation. Leakage of sensitive information may carry various levels of risk and should be limited whenever possible.
Recommendation
There are many ways application source code can be revealed. To ensure that your application does not give web users access to source code: [1] Check that all system patches related to source code disclosure are installed. [2] Check that no application source code is left in HTML comments. [3] Check that all source code files are removed from the production environment.
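As an added example (not from the original post), a check for recommendation [2] above: scan a page's HTML comments for fragments that look like server-side source code or credentials. The patterns and the sample page are constructed for the example.

```python
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)

# Constructed patterns: server-side script markers, SQL, credential-like
# assignments and developer notes that should never reach production HTML.
SUSPICIOUS = [
    re.compile(r"<\?php|<%|@\{|\bSELECT\b.+\bFROM\b|\bINSERT\b.+\bINTO\b", re.I),
    re.compile(r"\b(password|passwd|pwd|secret|api[_-]?key|connectionstring)\b\s*[:=]", re.I),
    re.compile(r"\bTODO\b|\bFIXME\b|\bdebug\b", re.I),
]


def find_leaky_comments(html):
    """Return the bodies of HTML comments that match any suspicious pattern."""
    findings = []
    for match in COMMENT_RE.finditer(html):
        body = match.group(1).strip()
        if any(p.search(body) for p in SUSPICIOUS):
            findings.append(body)
    return findings


# Constructed sample page with one harmless and two leaky comments.
SAMPLE_PAGE = """<html><body>
<!-- main navigation -->
<!-- TODO remove before release: db password=Winter2018! -->
<div>Welcome</div>
<!-- old query: SELECT * FROM users WHERE id = $id -->
</body></html>"""
```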


Thursday, July 5, 2018

Validation Rule

You can add input validation to Web Forms pages by using validation controls.
To make sure that all the required parameters exist in a request, use the "RequiredFieldValidator" validation control. This control ensures that the user does not skip an entry in the web form.
To make sure user input contains only valid values, you can use one of the following validation controls:
[1] "RangeValidator": checks that a value lies between specified lower and upper boundaries. You can check ranges within pairs of numbers, alphabetic characters, and dates.

[2] "RegularExpressionValidator": checks that the entry matches a pattern defined by a regular expression. This allows checking for predictable sequences of characters, such as those in social security numbers, e-mail addresses, telephone numbers, postal codes, and so on.



Anti-Forgery Token Prevention

Anti-Forgery Token
To help prevent CSRF attacks, ASP.NET MVC uses an anti-forgery token.
1. The client requests an HTML page containing a FORM.
2. The server includes two tokens in the response. One token is sent as a cookie; the second token is placed in a hidden form field. The tokens are randomly generated and not guessable.
3. When the client submits the form, it must send both tokens back to the server.
4. If the request does not include both tokens, the server disallows the request.
<form action="path" method="post">
<input name="_requestverificationtoken" type="hidden"
       value="fhsdvjknsdfk634754795jnskdji8yh"/>
<input type="submit" value="submit"/>
</form>
Because of the same-origin policy a malicious page cannot read the token; this is why the anti-forgery token works.
In MVC
To add the anti-forgery token to a Razor page, use the HtmlHelper.AntiForgeryToken helper method:
@using (Html.BeginForm("Manage", "Account")) {
    @Html.AntiForgeryToken()
}

CSRF (Cross-Site Request Forgery)

Defending against CSRF (Cross-Site Request Forgery)
1. Check the standard headers to verify that the request comes from the same origin:

   a. The origin the request is coming from (source origin)
   b. The origin the request is going to (target origin)

2. Check the CSRF token:
   Validate the cookie token and the form token.

Configure WebSEAL to validate the Referer header of incoming HTTP requests.
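Added example (not the post's code and not ASP.NET's implementation): the two CSRF defences listed above, the source-origin header check and the cookie/form token pair from the anti-forgery token post, as plain Python functions over a request's headers, cookies and form fields. The server secret, target origin and token names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_SECRET = b"example-only-secret-rotate-in-real-deployments"  # assumed
TARGET_ORIGIN = "https://shop.example.com"                         # assumed
COOKIE_NAME = "__RequestVerificationToken"                         # assumed name
FIELD_NAME = "__RequestVerificationToken"                          # assumed name


def issue_tokens():
    """Step 2 of the post: return (cookie_token, form_token).

    The cookie holds a random value; the hidden field holds an HMAC of it, so
    a matching pair cannot be produced without the server secret."""
    cookie_token = secrets.token_urlsafe(32)
    form_token = hmac.new(SERVER_SECRET, cookie_token.encode(), hashlib.sha256).hexdigest()
    return cookie_token, form_token


def source_origin(headers):
    """Defence 1a: derive the source origin from Origin, falling back to Referer."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else None


def validate_request(headers, cookies, form):
    """Return 'ok' or the reason the request must be disallowed."""
    if source_origin(headers) != TARGET_ORIGIN:      # defence 1: source vs target origin
        return "origin mismatch"
    cookie_token = cookies.get(COOKIE_NAME)
    form_token = form.get(FIELD_NAME)
    if not cookie_token or not form_token:           # step 4: both tokens are required
        return "missing token"
    expected = hmac.new(SERVER_SECRET, cookie_token.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, form_token):  # defence 2: the pair must match
        return "token mismatch"
    return "ok"
```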

Difference between multiple security terms

                 Encoding                                   Encryption                            Hashing
Purpose          Maintaining data usability                 Maintaining data confidentiality      Validating the integrity of content
Reversal         Reversed by applying the same algorithm    Reversed with the secret key          Validated through the signature
Key              No secret key                              Uses a key                            Signature by a sender

SQL Injection                                Blind SQL Injection
Displays an error message                    Does not show an error message
It does not ask any question                 It asks true/false questions of the database
The attacker sees the result                 The attacker does not see the result

SQL Injection                                                    Cross-Site Scripting
Inserting query syntax                                           Embedding script tags in a URL
The attacker sends simple text-based syntax                      The attacker sends a simple text-based script
Injecting SQL field values in the form of a regular expression   Simple HTML tags in the form of a regular expression
It can be easily effected                                        It can be effected with an average vulnerability

Cross-Site Scripting                         Cross-Site Request Forgery
Does not need authentication                 Needs an authenticated session
Escapes the basic validation                 The server trusts the user
Needs JavaScript                             Does not need JavaScript
A site that is vulnerable to XSS attacks is also vulnerable to CSRF attacks.
A site that is completely protected from XSS attacks is still most likely vulnerable to CSRF attacks.

Denial of Service (DoS)

Denial of service attacks are the most common way to take websites and servers down. They are easy to launch and hard to protect against. The way to mitigate an attack is to block responses to the attackers, catching the attacker as early as possible after the request has been received by the web server.

There are two challenges to blocking the attacks:
   Identify the attackers
   Block the response only to the attackers
To catch the request as early as possible, an HttpModule is the right place: it is executed before any page or any other handler, so the impact on the server is minimized. This HttpModule monitors all requests and blocks requests coming from IP addresses that make many requests in a short period of time. After a while the attacking IP address is released from blocking.
Implementation
Download the DosAttackModule.cs file below and put it into the App_Code folder of your website. Then add the following lines to the web.config's <system.web> section:
<httpModules>
  <add type="DosAttackModule" name="DosAttackModule" />
</httpModules>
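Added example, not the DosAttackModule.cs from the post: the same blocking policy (count requests per IP in a short window, block an IP that exceeds the limit, release it after a while) written as a plain Python class with an injected clock so the policy can be tested deterministically. The thresholds are assumptions.

```python
from collections import defaultdict, deque


class RequestThrottle:
    """Block an IP that sends more than `max_requests` within `window`
    seconds, and release it again after `block_for` seconds."""

    def __init__(self, max_requests=20, window=10.0, block_for=60.0):
        self.max_requests = max_requests
        self.window = window
        self.block_for = block_for
        self._hits = defaultdict(deque)  # ip -> timestamps of recent requests
        self._blocked_until = {}         # ip -> time at which the block expires

    def allow(self, ip, now):
        """Return True if the request should be served, False to drop it.

        `now` is the request time in seconds; in a real module it would be
        the current clock. Call this as early in the pipeline as possible,
        as the post advises for the HttpModule."""
        expires = self._blocked_until.get(ip)
        if expires is not None:
            if now < expires:
                return False
            del self._blocked_until[ip]  # block period over: release the IP
            self._hits[ip].clear()
        hits = self._hits[ip]
        hits.append(now)
        # Drop timestamps that have fallen out of the sliding window.
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) > self.max_requests:
            self._blocked_until[ip] = now + self.block_for
            return False
        return True
```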

SQL Injection

Nowadays SQL injection is a common attack that uses malicious SQL code to manipulate the database and access information.
                                                                                OR
When exploiting SQL injection, the web application displays an error message from the database, complaining that the query syntax is incorrect.
                                                                                OR
Gain unauthorized access to the website through SQL injection and take the information.


How to exploit:-
EX
Take a simple username (admin) and a password we choose:
' OR 'a'='a
FROM users WHERE user='admin' AND password='' OR 'a'='a'
'a'='a' is a true value.
Let's analyze:
Username='admin' AND Password='' OR 'a'='a'
means the username/password condition evaluates to true.
Use the Burp Suite tool and inject the customized attack through Intruder.
Here we introduce some SQL attack strings:
 or 1=1
or 1=1--
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'# ………….etc

How to Fix:-

1. Use stored procedures
2. Use parameterized queries
3. Limit database permissions and privileges
4. Avoid displaying database errors directly to the user

5. Use regular expressions to identify text blocks and SQL statements
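The following is an added example (not from the post) showing fix 2 above: the post's login query built once by string concatenation and once as a parameterized query, run against an in-memory SQLite table so the difference is observable with the post's own ' OR 'a'='a input. The table contents are constructed for the example.

```python
import sqlite3

ATTACK_PASSWORD = "' OR 'a'='a"  # the input analysed in the post


def make_db():
    """Constructed sample table with two accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "correct-horse"), ("alice", "battery-staple")])
    return con


def login_vulnerable(con, user, password):
    """Concatenates user input into the SQL text. The quote in the input
    closes the password string and the trailing OR 'a'='a' makes the WHERE
    clause true for every row, so every user is returned."""
    sql = (f"SELECT user FROM users WHERE user='{user}' "
           f"AND password='{password}'")
    return [row[0] for row in con.execute(sql)]


def login_parameterised(con, user, password):
    """Fix 2 from the post: bind the values through placeholders, so the
    input is compared as a literal password string and never parsed as SQL."""
    sql = "SELECT user FROM users WHERE user=? AND password=?"
    return [row[0] for row in con.execute(sql, (user, password))]
```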

Thursday, May 17, 2018

Security Testing Procedure and Approaches

Security Testing
It is a type of software testing that checks whether the application or product is secure or not.
                                                Or
Security testing is performed to check whether there is any information leakage.
                                                Or
The goal of security testing is to identify the threats in the system and measure the security risk.
                                                Or
Check the loopholes, weaknesses, and vulnerabilities of the web application.
                                                Or

Ensure that the application is free from any loopholes or weaknesses.
Types of Security Testing
Vulnerability scanning: - This is done by automated software that scans a system.
Security scanning: - Identifies network and system weaknesses and also provides solutions for reducing the risk.
Penetration Testing: - Also known as a pen test. A hacker attacks the loopholes or weaknesses of the system the way a malicious attacker would.
Risk Assessment: - Checks whether the potential risk is high or low. Analyzes and evaluates the risk associated with particular threats.
Security Auditing: - An inspection of the code line by line. It is a manual, measurable technique for a system or application.
Ethical hacking: - Systematic attempts to penetrate a computer system or network with malicious scripts, on behalf of the owner, to find exploitable weaknesses.
Procedure of web application security testing:-
1. Scope of the application
2. Check static and dynamic pages
3. Identify all the login roles of the application
4. Gather information about the application
5. Profile the threats or security-related test data
6. Select security-related tools
7. Test according to the threat profiling
8. Scan the application according to the threat profiling
9. Report creation
10. Report submission

Approaches of web application security testing
·         Passive Approach - actions taken to monitor the security
          ·         Understand the logic of the application
          ·         Information gathering
          ·         Understand all the login roles of the application
·         Active Approach - covers all actions designed to prevent a breach
          ·         Configuration management testing
          ·         Testing for file extensions that are needed or not needed
          ·         Test file names without script tags
          ·         Test that old, backup and temporary files are not left behind
          ·         Testing for HTTP methods
          ·         Testing for the business logic of the application
          ·         Testing for XSS (cross-site scripting)
          ·         Testing for SQL injection
          ·         Authentication testing
          ·         Credentials transported over an encrypted channel
          ·         Testing false login credentials to trigger account lockout
          ·         Brute-force testing
          ·         Testing for bypassing the authorization schema
          ·         Session management testing
          ·         Test all headers for mitigating XSS and CSRF
          ·         Testing for cookie attributes: HttpOnly, Secure and time validity
          ·         Testing for CSRF (cross-site request forgery)