Insecure Cryptographic Storage

● Description

Insecure Cryptographic storage is a common vulnerability which exists when the sensitive data is not stored securely.

The user credentials, profile information, health details, credit card information, etc. come under sensitive data information on a website.

This data will be stored on the application database. When this data are stored improperly by not using encryption or hashing*, it will be vulnerable to the attackers.

(*Hashing is transformation of the string characters into shorter strings of fixed length or a key. To decrypt the string, the algorithm used to form the key should be available)

Implication

·        By using this vulnerability, an attacker can steal, modify such weakly protected data to conduct identity theft, credit card fraud or other crimes.

Vulnerable objects

·        Application database.

Examples

In one of the banking application, password database uses unsalted hashes * to store everyone's passwords. An SQL injection flaw allows the attacker to retrieve the password file. All the unsalted hashes can be brute forced in no time whereas, the salted passwords would take thousands of years.

(*Unsalted Hashes – Salt is a random data appended to the original data. Salt is appended to the password before hashing)

Recommendations

1.     Ensure appropriate strong standard algorithms. Do not create own cryptographic algorithms. Use only approved public algorithms such as AES, RSA public key cryptography, and SHA-256, etc.

2.     Ensure offsite backups are encrypted, but the keys are managed and backed up separately.

Failure to restrict URL Access

Description

Web applications check URL access rights before rendering protected links and buttons. Applications need to perform similar access control checks each time these pages are accessed.

In most of the applications, the privileged pages, locations and resources are not presented to the privileged users.

By an intelligent guess, an attacker can access privilege pages. An attacker can access sensitive pages, invoke functions and view confidential information.

Implication

·        Making use of this vulnerability attacker can gain access to the unauthorized URLs, without logging into the application and exploit the vulnerability. An attacker can access sensitive pages, invoke functions and view confidential information.

Vulnerable objects:

·        URLs

Examples

1.     Attacker notices the URL indicates the role as "/user/getaccounts." He modifies as "/admin/getaccounts".

2.     An attacker can append role to the URL.

Recommendations

1.     Implement strong access control checks.

2.     Authentication and authorization policies should be role-based.

3.     Restrict access to unwanted URLs.

Insufficient Transport Layer Protection

Description

Deals with information exchange between the user (client) and the server (application). Applications frequently transmit sensitive information like authentication details, credit card information, and session tokens over a network.

By using weak algorithms or using expired or invalid certificates or not using SSL can allow the communication to be exposed to untrusted users, which may compromise a web application and or steal sensitive information.

Implication

·        Making use of this web security vulnerability, an attacker can sniff legitimate user's credentials and gaining access to the application.

·        Can steal credit card information.

Vulnerable objects

·        Data sent over the network.

Recommendations

  1. Enable secure HTTP and enforce credential transfer over HTTPS only.
  2. Ensure your certificate is valid and not expired.

Examples:

1. An application not using SSL, an attacker will simply monitor network traffic and observes an authenticated victim session cookie. An attacker can steal that cookie and perform Man-in-the-Middle attack.

Comments

Post a Comment

Hello,

Thank you for reading blogs and your lovely comment. We hope you like this blogs.

Have a nice day!

Again Thanks,
Rk Thakur

Popular posts from this blog

Hacker

•  A hacker may refer to any of the following: Computer hacker1. A hacker is a term that first started being used in the 1960s and described a programmer or someone who hacked computer code. Later the term evolved into an individual who had an advanced understanding of computers, networking, programming, or hardware, but did not have any malicious intents. In 1981, Ian Murphy, also known as "Captain Zap", became the first hacker to be convicted of hacking. He hacked into the AT&T computer network and modified the billing rates system, changing the internal clocks so that cheaper late-night rates were billed to customers during mid-day hours. Today, a malicious hacker is usually referred to as a malicious user, black hat, or criminal hacker, which describes any individual who illegally breaks into computer systems to damage or steal information. Some people who consider themselves leet may refer to themselves as a leet haxors, h4x0rs, or HaXXorZ. However, often these users
Read more

How to Hack a Website: Online Example

•  More people have access to the internet than ever before. This has prompted many organizations to develop web-based applications that users can use online to interact with the organization. Poorly written code for web applications can be exploited to gain unauthorized access to sensitive data and web servers. In this article, we will introduce you to  web applications hacking techniques and the counter measures you can put in place to protect against such attacks . What is a web application? What are Web Threats? A web application (aka website) is an application based on the client-server model. The server provides the database access and the business logic. It is hosted on a web server. The client application runs on the client web browser. Web applications are usually written in languages such as Java, C#, and VB.Net, PHP, ColdFusion Markup Language, etc. the database engines used in web applications include MySQL, MS   Server, PostgreSQL, SQLite, etc. Most web applications are ho
Read more