SLAC Computer Security


Web Development Tips and Best Practices

Primer on Web Application Security

Attacks on vulnerabilities in web applications began appearing almost from the beginning of the World Wide Web, in the mid-1990s. Attacks are usually based on fault injection, which exploits vulnerabilities in a web application's syntax and semantics. Using a standard browser and basic knowledge of HTTP and HTML, an attacker attempts a particular exploit by automatically varying a Uniform Resource Identifier (URI), which in turn could trigger an exploit such as SQL injection or cross-site scripting.
    http://example/foo.cgi?a=1'            <-- SQL Injection
    http://example/foo.cgi?a=<script> ...  <-- Cross-site Scripting (XSS)

Some attacks attempt to alter logical workflow. Attackers also execute these by automatically varying a URI.
    http://example/foo.cgi?admin=true      <-- Increase privileges
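The three URI probes above, as an added example in Python (not SLAC's own code): each vulnerable handler sits beside the form that closes the hole. The in-memory user table, the URLs and the user ids are constructed for the example.

```python
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db():
    # Constructed in-memory table standing in for the application's users.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "user"), (2, "bob", "admin")])
    return db


def query_params(url):
    # First value of each query-string parameter, e.g. {"a": "1'"}.
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def lookup_vulnerable(db, a):
    # String concatenation: the parameter becomes part of the SQL syntax,
    # so the a=1' probe produces a database error instead of a result.
    return db.execute("SELECT name FROM users WHERE id = " + a).fetchall()


def lookup_safe(db, a):
    # Bound parameter: the value is treated as data; a=1' simply matches nothing.
    return db.execute("SELECT name FROM users WHERE id = ?", (a,)).fetchall()


def probe_errors(db, a):
    # True when the vulnerable lookup fails on this input: the tell-tale that
    # user input is being parsed as SQL, and what a scanner or log review looks for.
    try:
        lookup_vulnerable(db, a)
        return False
    except sqlite3.OperationalError:
        return True


def render_vulnerable(a):
    # Echoes the parameter into HTML unescaped: reflected XSS.
    return "<p>Result for " + a + "</p>"


def render_safe(a):
    # Encode for the HTML context before echoing user-supplied text.
    return "<p>Result for " + html.escape(a) + "</p>"


def is_admin_vulnerable(params):
    # Trusts a client-controlled flag, so admin=true in the URI raises privileges.
    return params.get("admin") == "true"


def is_admin_safe(db, session_user_id):
    # Authorization comes from server-side state tied to the session, not the URI.
    row = db.execute("SELECT role FROM users WHERE id = ?",
                     (session_user_id,)).fetchone()
    return row is not None and row[0] == "admin"
```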

A significant number of attacks exploit vulnerabilities in syntax and semantics, and many of these can be discovered with an automated scanning tool. Logical vulnerabilities are very difficult to test with a scanning tool; they require manual inspection and analysis of the web application's source code as well as security testing. Web application security vulnerabilities usually stem from programming errors in a web application programming language (e.g., Java, .NET, PHP, Python, Perl, or Ruby), a code library, a design pattern, or an architecture. These vulnerabilities can be complex and may occur under many circumstances. A web application firewall might limit the effects of some exploits but will not fix the underlying vulnerabilities.

Types of Web Application Vulnerabilities

Web applications may have any of two dozen types of vulnerabilities. Security consultants who do penetration testing may focus on finding top vulnerabilities, such as those in the list published by the Open Web Application Security Project (OWASP). Other efforts to systematically organize web application vulnerabilities include the six categories published by the Web Application Security Consortium (WASC). The following descriptions of web vulnerabilities are modeled on the WASC schema.

Authentication – stealing user account identities
    Brute Force attack automates a process of trial and error to guess a person’s username, password, credit-card number or cryptographic key.
    Insufficient Authentication permits an attacker to access sensitive content or functionality without proper authentication.
    Weak Password Recovery Validation permits an attacker to illegally obtain, change or recover another user’s password.

Authorization – illegal access to applications
    Credential / Session Prediction is a method of hijacking or impersonating a user.
    Insufficient Authorization permits access to sensitive content or functionality that should require more access control restrictions.
    Insufficient Session Expiration permits an attacker to reuse old session credentials or session IDs for authorization.
    Session Fixation attacks force a user’s session ID to an explicit value.

Client-side Attacks – illegal execution of foreign code
    Content Spoofing tricks a user into believing that certain content appearing on a web site is legitimate and not from an external source.
    Cross-site Scripting (XSS) forces a web site to echo attacker-supplied executable code, which loads into a user’s browser.

Command Execution – hijacks control of web application
    Buffer Overflow attacks alter the flow of an application by overwriting parts of memory.
    Format String Attack alters the flow of an application by using string formatting library features to access other memory space.
    LDAP Injection attacks exploit web sites by constructing LDAP statements from user-supplied input.
    OS Commanding executes operating system commands on a web site by manipulating application input.
    SQL Injection constructs illegal SQL statements on a web site application from user-supplied input.
    SSI Injection (also called Server-side Include) sends code into a web application, which is later executed locally by the web server.
    XPath Injection constructs XPath queries from user-supplied input.

Information Disclosure – shows sensitive data to attackers
    Directory Indexing is an automatic directory listing / indexing web server function that shows all files in a requested directory if the normal base file is not present.
    Information Leakage occurs when a web site reveals sensitive data such as developer comments or error messages, which may aid an attacker in exploiting the system.
    Path Traversal forces access to files, directories and commands that potentially reside outside the web document root directory.
    Predictable Resource Location uncovers hidden web site content and functionality.

Logical Attacks – interfere with application usage
    Abuse of Functionality uses a web site’s own features and functionality to consume, defraud or circumvent access control mechanisms.
    Denial of Service (DoS) attacks prevent a web site from serving normal user activity.
    Insufficient Anti-automation is when a web site permits an attacker to automate a process that should only be performed manually.
    Insufficient Process Validation permits an attacker to bypass or circumvent the intended flow of an application.

How They Hack Your Website: Overview of Common Techniques

Great examples of SQL Injection, Cross Site Scripting (XSS), Authorization Bypass, Google Hacking, Password Cracking and a few defensive measures

Site Hijacking

"Misrepresenting a Web site by stealing and manipulating its content"

Best Practices for Secure Web Development

Owner: SLAC Computer Security
Page Created: 2/2/2010
Last Updated: 07/22/2010
Feedback: Please send to Computer Security Feedback