Monday, June 17, 2013

Security Basics

Going to make a few posts on web security since it has been on my mind.

General web security holes fall into three main categories:
  1. Vulnerabilities to direct attack
  2. Session hijacking vulnerabilities
  3. User supplied content based attacks

Vulnerable to Direct Attack
When I mention vulnerabilities to direct attack I envision a person sitting and launching requests against your web server who is able to damage data or access secrets. This is the kind of thing we mainly think about, but it is increasingly rare. The infamous SQL injection attacks are examples of this form of attack. Another example is having requests that do not check authentication, perhaps on the assumption that invalid users would not normally be given the option to make those requests. For example, my old company exposes all the comments just by manipulating the comment id passed in a query. It may be possible for any user to erase every comment in the system.
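To make the two direct-attack failures concrete (SQL built from the raw request value, and a delete that never checks who owns the comment), here is an added example that is not from the original post or the company it describes. It uses an in-memory SQLite table with constructed rows; the function names, the `author` column and the sample comment ids are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory comment table with two authors."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO comments (id, author, body) VALUES (?, ?, ?)",
        [(1, "alice", "first"), (2, "bob", "second"), (3, "alice", "third")],
    )
    conn.commit()
    return conn


def delete_comment_vulnerable(conn, comment_id):
    """The 'before' handler: concatenates the request value straight into SQL
    and never asks who is doing the deleting. A value such as '2 OR 1=1'
    turns the WHERE clause into one that matches every row."""
    conn.execute("DELETE FROM comments WHERE id = " + str(comment_id))
    conn.commit()


def delete_comment_hardened(conn, comment_id, current_user):
    """Hardened handler: the id is coerced to an integer, the query is
    parameterised, and the WHERE clause also requires that the caller owns
    the comment. Returns True only when exactly one owned row was removed."""
    try:
        cid = int(comment_id)
    except (TypeError, ValueError):
        return False  # not a comment id at all; refuse without touching the DB
    cur = conn.execute(
        "DELETE FROM comments WHERE id = ? AND author = ?", (cid, current_user)
    )
    conn.commit()
    return cur.rowcount == 1


def count_comments(conn):
    return conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    delete_comment_vulnerable(db, "2 OR 1=1")
    print("rows left after vulnerable delete:", count_comments(db))  # 0

    db = make_db()
    print("bob deletes alice's comment:", delete_comment_hardened(db, "1", "bob"))
    print("bob deletes his own comment:", delete_comment_hardened(db, "2", "bob"))
    print("rows left after hardened deletes:", count_comments(db))  # 2
```

The ownership condition lives inside the same statement as the delete, so there is no window between "check" and "act", and the `rowcount` result tells the handler whether to return success or a not-found/forbidden response.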

Session Hijacking
This involves somehow being able to use another person's authentication in order to act with enhanced privileges. This could mean stealing a session id or sneaking in code that will run in the user's browser. One example of the first type of attack is being able to sniff someone's requests: if the session id is in the URL, their session can be hijacked. Again, my old company has this vulnerability. The other type of attack is a little more subtle. If you can trick an authenticated user into running your code, perhaps by luring them to a site you control while they are authenticated, you can act with their level of privilege.
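Both session-hijacking variants above come down to where the session id travels and whether a state-changing request proves it was made by the user's own page. The following is an added example, not code from the original post: a request checker that refuses session ids carried in the query string, issues the session cookie with attributes that keep it off the wire in the clear and out of reach of scripts, and requires a session-bound token on POST-style requests so that a request triggered from a third-party site is rejected. The request dict shape, the cookie name `sid` and the secret are constructed for the illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "sid"  # assumed cookie name
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def session_cookie_header(session_id):
    """Set-Cookie value for the session id: HttpOnly keeps it away from
    document.cookie, Secure keeps it off plain HTTP, SameSite=Lax stops the
    browser attaching it to cross-site POSTs. The id never appears in a URL."""
    return f"{SESSION_COOKIE}={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def csrf_token(session_id, secret):
    """Token derived from the session id with a server-side secret. A page the
    server rendered for this user can embed it; another site cannot read it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def authorize_request(request, secret):
    """Return (ok, reason) for a constructed request dict with keys
    'method', 'url', 'cookies' and optionally 'form'."""
    query = parse_qs(urlsplit(request["url"]).query)
    if SESSION_COOKIE in query:
        # An id in the URL ends up in logs, referrers and sniffed traffic.
        return False, "session id in URL"
    sid = request.get("cookies", {}).get(SESSION_COOKIE)
    if not sid:
        return False, "no session"
    if request["method"].upper() in STATE_CHANGING:
        supplied = request.get("form", {}).get("csrf_token", "")
        expected = csrf_token(sid, secret)
        if not hmac.compare_digest(supplied.encode(), expected.encode()):
            return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-server-secret"
    sid = "s3ss10n"
    print(session_cookie_header(sid))
    print(authorize_request({"method": "GET", "url": "/home?sid=" + sid,
                             "cookies": {}}, secret))
    print(authorize_request({"method": "POST", "url": "/comments/delete",
                             "cookies": {"sid": sid}, "form": {"id": "2"}}, secret))
```

The token check uses a constant-time comparison so that timing does not leak how many leading characters matched; the cookie attributes are the modern defaults and are the cheapest fix for the URL-borne session id the post describes.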

User supplied content
This is perhaps the most insidious form of attack. It involves uploading data that is stored on the web server and then distributed to other users. Imagine you were able to craft a Facebook post that ran a piece of JavaScript. Every person in your friends list would then view this post and would be running that JavaScript. If the JavaScript were designed to make a new post that replicated itself, you would quickly have millions of people downloading and running it. This form of attack is probably the hardest to defend against and has enormous potential for replication, since your web servers themselves are replicating the issue.
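The defence that stops a stored post from running as code is to treat everything users submit as text at the moment it is rendered, and to let only known-safe URL schemes become clickable links. Here is an added example of that render-time encoding, not code from the original post or from any site it mentions; the in-memory post list, the `render_post` markup and the sample posts are constructed for the illustration.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

posts = []  # constructed store: raw text is kept as submitted, encoding happens on output


def store_post(author, body, link=None):
    """Persist the post unchanged; escaping on the way in would corrupt legitimate
    text (e.g. a post quoting HTML) and is easy to bypass with a second input path."""
    posts.append({"author": author, "body": body, "link": link})


def safe_href(url):
    """Return an escaped href for http(s) URLs only; anything else (javascript:,
    data:, vbscript:, scheme-less tricks) is not turned into a link at all."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    return html.escape(url.strip(), quote=True)


def render_post(post):
    """HTML-encode every user-controlled value in the element-content and
    attribute contexts where it is placed, so '<script>' reaches the browser as
    the six characters &lt;script&gt; rather than as a tag."""
    author = html.escape(post["author"], quote=True)
    body = html.escape(post["body"], quote=True)
    out = f'<div class="post"><b>{author}</b>: {body}'
    if post["link"]:
        href = safe_href(post["link"])
        if href:
            out += f' <a href="{href}" rel="noopener">{href}</a>'
        else:
            out += " " + html.escape(post["link"], quote=True)  # shown as plain text
    return out + "</div>"


def render_feed():
    return "\n".join(render_post(p) for p in posts)


if __name__ == "__main__":
    store_post("mallory", "<script>alert(1)</script>")
    store_post("mallory", "click me", link="javascript:alert(1)")
    store_post("alice", 'say "hi" & bye', link="https://example.com/?a=1&b=2")
    print(render_feed())
```

Encoding at output time is what breaks the replication loop in the post: a self-posting script that is stored verbatim still only ever reaches other users' browsers as inert text. The same rule has to be applied per context (HTML body, attribute, URL, JavaScript string), which is why `safe_href` exists separately from the body escaping.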
