1. Web App Exploitation
Web pages, just like the one you are reading now, are generally made of three components: HTML, CSS, and JavaScript. Each of these components has a different role in providing the formatting and functions of a webpage. The structure of a webpage can be compared to a human body: HTML is the bone structure, CSS is the appearance, and JavaScript is the muscles.
1.1 HTML
HTML is the backbone of a webpage; it gives the page its general structure. HTML stands for Hyper-Text Markup Language. HTML is used to determine how the webpage will be displayed. HTML “tags” are used to mark how the page should be structured. For example, this paragraph is marked with “p” tags, which tells the browser to show this text as a paragraph. HTML tags are enclosed in angle brackets (< >). Here is a sample of how a simple HTML page is structured:
<!DOCTYPE html>
<html>
<body>
<h1>Example Heading</h1>
<p>Example paragraph.</p>
</body>
</html>
You can view the HTML source of a webpage in most internet browsers. For Google Chrome, you can right-click the page and select “View Page Source” or use “Ctrl+U.” This will bring up the page's HTML source code. Try right-clicking on this page to test this out.
1.2 CSS
CSS determines the appearance of the webpage, much like a person's hair or clothes can change their appearance. CSS stands for Cascading Style Sheets and is a style language used to change and customize the look of HTML pages. CSS can either be embedded in an HTML file using a special tag or, more commonly, kept in a separate file. If the CSS is kept in a separate file, that file is linked from the page's HTML source with a tag like this: <link href="../style.css" rel="stylesheet" />. See if you can view the CSS of this page.
1.3 JavaScript
JavaScript provides a webpage with much of its functionality, similar to how a person's muscles allow them to move and function. JavaScript is a programming language used throughout the web to do just about anything from login functions to interactive games. Like CSS, JavaScript can be either included as a separate file or in the HTML file itself by using a special “<script>” tag.
Here is an example of a simple JavaScript login form:
1.4 Databases
In addition to these three main components of a webpage, databases can be used to provide additional functionality and information storage. To continue the analogy of a webpage being like a person, a database is akin to the human mind in that both store information for later access. Databases are usually separate from the webpage itself, but the two interact to store and retrieve data. The general structure of a database consists of “Columns,” “Rows,” and “Tables.” A row consists of one or more columns. Rows are entries of data in the database, and a collection of rows and columns is contained in a table.
There are many different types of databases; the type we will be focusing on is called SQL (pronounced “sequel”). SQL stands for Structured Query Language and is the most popular database language. SQL databases, much like other computer applications, use a programming language to receive commands. The main syntax statements to understand for this lesson are the “SELECT,” “FROM,” and “WHERE” statements. As their names suggest, the “SELECT” command tells the database to select or retrieve something from a table. The “FROM” statement tells the database which table to select from. Finally, the “WHERE” statement tells the database the condition under which to retrieve the specified information: if the “WHERE” condition is true, the database retrieves the requested information; if not, the database retrieves nothing. These three statements can form a command such as “SELECT row FROM table WHERE column value = 'example value'”.
The following is an example command to access data from a database that contains a “userTable” table, a “userEmails” row, and a “username” column: “SELECT userEmails FROM userTable WHERE username = 'jane'”
This statement commands the database to retrieve the emails from the “userTable” for the username “jane.”
2. Security Vulnerabilities
Now that we are familiar with the four main components of a web application, HTML, CSS, JavaScript, and Databases, we can begin to learn about the security concerns associated with each component. The first thing a security assessor should do when evaluating the security of a web application is to become familiar with the application and view the source code for the HTML, CSS, and JavaScript. Additionally, it is important to evaluate any interactions involving a database.
2.1 HTML Vulnerabilities
There are a few things to consider when assessing the security of HTML. The number one thing to look for is code comments left by the page developer. Sometimes web programmers will write notes to themselves as comments in the web page's code. These comments can provide a great deal of information about the webpage, such as incomplete parts of a page that may be vulnerable or usernames and passwords of the developer.
2.2 CSS Vulnerabilities
CSS poses very few security concerns because it merely adds style to a webpage. On occasions CSS files may disclose information about the developer, such as an email address; however, most information that would be contained in a CSS file comment is likely accessible elsewhere.
2.3 JavaScript Vulnerabilities
Of the three main elements of a webpage, JavaScript poses the most significant security risk. Because JavaScript is used to give a webpage function, it can sometimes be misused or altered by a malicious user to perform an unauthorized action. Additionally, JavaScript functions are used for form validation, meaning that a JavaScript function is used to process a login or limit input into a form. Therefore, a security specialist should check for insecure JavaScript functions when assessing a webpage or application. Sometimes, in simple JavaScript login forms, the username and password are written in plaintext in the function; be sure to check any login forms for such client-side processing.
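As an added example, not from the lesson itself: the following Python script performs the client-side review described in sections 2.1 and 2.3, reading a page's source for developer comments and for inline JavaScript that compares user input against credentials written in plaintext. The page source, the keyword list and the scan_page function are all constructed for this illustration and do not describe any real site.

```python
import re
from html.parser import HTMLParser

# Constructed sample page source (not a real site). It contains the two
# client-side findings the lesson tells an assessor to look for: a developer
# comment and a JavaScript login check with the credentials in plaintext.
SAMPLE_PAGE = """<!DOCTYPE html>
<html>
<body>
<!-- TODO: remove before launch. admin login is admin / Summer2020! -->
<h1>Staff Login</h1>
<form id="login" onsubmit="return checkLogin()">
  <input id="user" type="text">
  <input id="pass" type="password">
</form>
<script>
function checkLogin() {
  var username = "jane";
  var password = "hunter2";
  if (document.getElementById("user").value == username &&
      document.getElementById("pass").value == password) {
    window.location = "/admin.html";
    return false;
  }
  alert("Login failed");
  return false;
}
</script>
</body>
</html>
"""

# Hypothetical keyword list for credential-looking identifiers; tune it for the
# application under review.
CREDENTIAL_WORDS = re.compile(
    r"\b(user(name)?|pass(word|wd)?|pwd|secret|token|api[_-]?key|login)\b",
    re.IGNORECASE)
# Matches name = "literal" or name: "literal" inside inline script text.
ASSIGNMENT = re.compile(
    r"""\b([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*(["'])((?:(?!\2).)+)\2""")


class SourceCollector(HTMLParser):
    """Collects HTML comments and the bodies of inline <script> elements."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.scripts = []
        self._in_script = False

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        # Only inline scripts carry code in this file; external ones would be
        # fetched and reviewed separately.
        if tag == "script" and not any(name == "src" for name, _ in attrs):
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def scan_page(source):
    """Return a list of (category, detail) findings for a page's source text."""
    collector = SourceCollector()
    collector.feed(source)
    collector.close()
    findings = []
    for comment in collector.comments:
        # Every developer comment is worth reading; ones that mention
        # credentials get their own category.
        category = "comment-credential" if CREDENTIAL_WORDS.search(comment) else "comment"
        findings.append((category, comment))
    for script in collector.scripts:
        for name, _quote, literal in ASSIGNMENT.findall(script):
            if CREDENTIAL_WORDS.search(name):
                findings.append(("hardcoded-credential", f"{name} = {literal!r}"))
    return findings


if __name__ == "__main__":
    for category, detail in scan_page(SAMPLE_PAGE):
        print(f"{category}: {detail}")
```

On the constructed page this reports the developer comment as a credential-bearing comment and flags the two string literals assigned to username and password inside checkLogin. Any hit in the second category means the login decision is made entirely in the browser, which is the client-side processing the lesson says to look for; the fix is to move the check to the server, where the page's visitor cannot read or alter it.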
2.4 Database Vulnerabilities
Databases on their own do not pose much of a security risk; it is when databases are connected to and used with webpages and web applications that security risks arise. In the above section we looked at a simple SQL statement to retrieve emails from a database: “SELECT userEmails FROM userTable WHERE username = 'jane'”. This statement would work fine for retrieving emails from a database; however, if a user were able to fully control the input to the username field, then a malicious user could retrieve every user's emails. This type of attack is called SQL Injection. For example, if a webpage has a form asking the user to enter his or her name to retrieve his or her emails and does not sanitize the input, then a malicious user could send a malicious command to the database. The malicious user could enter the statement “jane' OR '1'='1” in the username field and retrieve every user's emails. The resulting command would look like this: “SELECT userEmails FROM userTable WHERE username = 'jane' OR '1'='1'”
Because “'1'='1'” is always true, the “WHERE” statement would always be true, and the database would retrieve every row in the user table.
Also, SQL Injection can be used to bypass login authentication. For example, if a login page uses a database to store user passwords, a SQL command such as “SELECT user FROM userPasswords WHERE password = 'userInput'” could be used to retrieve a user's password if it is in the database. However, much like the example above, a malicious user could enter a password like “x' OR '1'='1”. Doing so would result in a command like “SELECT password FROM userPasswords WHERE password = 'x' OR '1'='1'”, where again “'1'='1'” is always true and would allow the user to log in even though he or she does not know the password.
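The following Python example, added here and not part of the lesson, runs the lesson's two queries against a constructed in-memory SQLite database: the “userEmails” lookup from section 1.4 and the password check just described. Each query is written twice, once by pasting the input into the SQL text (the vulnerable form the lesson describes) and once with a bound parameter, so the effect of the same input on both can be compared. The table contents, function names and sample passwords are invented for the illustration.

```python
import sqlite3

# Constructed sample data (not from any real system), laid out as the lesson's
# "userTable" with "username" and "userEmails" columns and a "userPasswords"
# table with "user" and "password" columns.
SAMPLE_USERS = [
    ("jane", "jane@example.com"),
    ("bob", "bob@example.com"),
    ("alice", "alice@example.com"),
]
SAMPLE_PASSWORDS = [
    ("jane", "hunter2"),
    ("bob", "correct horse"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userTable (username TEXT, userEmails TEXT)")
    conn.executemany("INSERT INTO userTable VALUES (?, ?)", SAMPLE_USERS)
    # Plaintext passwords are kept only to mirror the lesson's query; a real
    # application would store password hashes instead.
    conn.execute("CREATE TABLE userPasswords (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO userPasswords VALUES (?, ?)", SAMPLE_PASSWORDS)
    conn.commit()
    return conn


def emails_vulnerable(conn, username):
    """The lesson's query built by pasting the input into the SQL text."""
    query = f"SELECT userEmails FROM userTable WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def emails_safe(conn, username):
    """Same query with a bound parameter: the input is data, never SQL."""
    query = "SELECT userEmails FROM userTable WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def login_vulnerable(conn, password):
    """The lesson's password check, again built by string pasting."""
    query = f"SELECT user FROM userPasswords WHERE password = '{password}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, password):
    """Password check with a bound parameter."""
    query = "SELECT user FROM userPasswords WHERE password = ?"
    row = conn.execute(query, (password,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    injected_name = "jane' OR '1'='1"
    injected_password = "x' OR '1'='1"
    print("vulnerable lookup:", emails_vulnerable(db, injected_name))
    print("parameterised lookup:", emails_safe(db, injected_name))
    print("vulnerable login:", login_vulnerable(db, injected_password))
    print("parameterised login:", login_safe(db, injected_password))
```

With the constructed rows, the pasted-string lookup returns all three addresses for the injected name and the pasted-string login returns the first user even though no password was known, while the parameterised versions return an empty list and None respectively. The parameter binding is the fix the lesson's “sanitize the input” advice points at: the database receives the quote characters as part of a value and never interprets them as SQL.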
3. Summary
Since these four elements work together to form a webpage, they must be assessed together, as well as individually. Many webpages have HTML text boxes which allow users to enter text that is then processed by JavaScript and printed back into the HTML or stored in a database. If the user input is not handled properly, a malicious user could enter a carefully crafted input and compromise the security of the web application. A webpage may have an HTML form for user login where the username and password are sent to a database for processing. If the input is not sanitized properly, a malicious user could gain unauthorized access to the application. A cybersecurity analyst should always check input boxes for such vulnerabilities.