Chapter 4: WEB SECURITY

Web application attacks exploit weaknesses in websites to compromise data, sessions, or availability.
Understanding common attack types helps organizations protect users, systems, and services.

Website Defacement

• Definition: An attack where an intruder gains unauthorized access to a website and alters its content.
  --
• Common Forms:
  • Posting messages like “This site was hacked by…”
  • Replacing or modifying original page content in a derogatory way
    --
• Motivations:
  • Earlier: Done for curiosity, challenge, or fun
  • Today: Often driven by ideology or protest
• Modern Context: Frequently linked to hacktivism — malicious internet activism targeting organizations with opposing viewpoints

DoS / DDoS Attack

• Definition: An attack aimed at making a website unavailable rather than stealing data.
• How It Works:
  • Flooding a server with excessive or malformed requests
  • Overwhelms server resources so it cannot respond to legitimate users
    --
• Types:
  • DoS (Denial of Service): Attack from a single source
  • DDoS (Distributed Denial of Service): Attack from multiple sources, making it harder to stop
    --
• Motivations: Often linked to hacktivism, but can also be financially or politically motivated
• Mitigation:
  • ISPs and firewall rules can reduce basic DoS attacks
  • Advanced attacks exploit application or platform vulnerabilities
    --
• Example: Abusing a search function using wildcards (*) or code injection to exhaust server resources

HTTP Response-Splitting Attack — Summary

• Definition: A protocol manipulation attack where HTTP responses between client and server are altered.
• Target: Web applications that use HTTP for data exchange.
  --
• How It Works:
  • Attacker injects malicious input into HTTP headers
  • Causes the server to send split or manipulated responses
    --
• Why It’s Possible:
  • HTTP communication is clear text
  • Weak or missing input validation in the web application
    --
• Impact:
  • Can lead to content injection, cache poisoning, or session hijacking
• Root Cause: Poor handling and validation of user-supplied input

Cross-Site Request Forgery (CSRF) — Summary

• Definition: An attack that exploits an already authenticated user session to perform unauthorized actions.
• Root Cause: Web applications that use persistent authentication (users stay logged in).
  --
• How It Works:
  • Attacker tricks a logged-in user’s browser into sending a request
  • The request is processed as if it came from a legitimate user
    --
• Attack Method:
  • Malicious links or embedded content (e.g., images, scripts)
  • Browser automatically follows the link and submits the request
    --
• User Awareness: The attack happens without the user knowing
• Example Impact: Password changes, fund transfers, or account modifications
• Key Issue: Lack of proper CSRF protection and request validation

Deep Linking Vulnerability — Summary

• Category: Security misconfiguration
• Definition: Occurs when security controls are not enforced across all pages of a website.
  --
• How It Happens:
  • Authentication or integrity checks exist only on entry-level pages
  • Deeper pages lack the same security validation
    --
• Common Scenario:
  • User logs in and navigates deep into the site
  • User bookmarks a protected page URL
    --
• Security Risk:
  • The bookmarked or known URL can be accessed without authentication
  • Attackers can bypass security controls by directly accessing deep links
    --
• Why It’s Hard to Detect: Vulnerability exists within internal site paths, not the homepage
• Key Issue: Inconsistent application of security checks across the website

Man-in-the-Middle (MitM) / Sniffing Attack — Summary

• Definition: An attack where an intruder intercepts and possibly alters communication between two parties without their knowledge.
• Goal: Steal or manipulate sensitive information.
  --
• How It Works:
  • Attacker secretly places themselves between the user and the server
  • Eavesdrops on data being transmitted (sniffing)
    --
• Data at Risk:
  • Login credentials
  • Banking and financial information
  • Personal or private messages
    --
• Attack Types:
  • Network-based: Compromising network communication channels
  • Application-layer: Manipulating or altering data at the application level
• Key Risk: Lack of secure, encrypted communication

Cookie Tampering — Summary

• Definition: An attack where an intruder modifies website cookies to gain unauthorized access or privileges.
• What Are Cookies: Small data files stored on the client side and sent with each request.
  --
• How the Attack Works:
  • Attacker edits cookie values using browser developer tools or injected JavaScript
  • Modified cookies are sent back to the server
    --
• Common Targets in Cookies:
  • Session IDs
  • User roles or privilege levels
  • Credentials or trust-based data
    --
• Example:
  • Changing role=user to role=admin
  • Gaining admin access if the server does not validate the cookie
    --
• Key Risk: Storing sensitive data in cookies without validation or protection
• Important Note: Base64 encoding is not encryption and does not protect sensitive data

Cookie-Based Session Attacks — Summary

• Why Cookies Matter: HTTP is stateless, so cookies store session information such as session IDs.
• Risk: If session cookies are compromised, attackers can take over user sessions.
  --
• Common Cookie-Based Session Attacks:
  • Session Hijacking: Attacker steals a valid session cookie and takes over an active user session.
  • Session Spoofing: Attacker forges or reuses session identifiers to impersonate a user.
  • Session Fixation: Attacker forces or tricks a user into logging in with a known session ID, then hijacks it.
    --
• Impact:
  • Unauthorized access
  • Identity impersonation
  • Data manipulation or theft
• Root Issue: Insecure handling and protection of session cookies

Cross-Site Scripting (XSS) — Summary

• Definition: A critical vulnerability where attackers inject malicious scripts into web pages viewed by other users.
• Injection:
  • Malicious code (usually JavaScript) is inserted into user inputs
  • Common sources: comments, forums, forms, input fields
    --
• Victim Interaction:
  • When a user visits the affected page, the browser executes the injected script
  • Browser treats it as trusted site content
    --
• Exploitation:
  • Steals cookies and session data
  • Impersonates users
  • Performs unauthorized actions
  • Redirects victims to malicious or phishing sites
    --
• Impact: Account compromise, data theft, malware delivery
• Root Cause: Improper input validation and output encoding