3. Broken Authentication and Session Management
Authentication and session management includes all parts of handling user authentication and managing active sessions. Authentication is a critical aspect of this process, but even solid authentication mechanisms can be destabilized by flawed credential management functions, including password change, forgot my password, remember my password, account update, and other related functions. Because “walk by” attacks are likely for many web applications, all account management functions should require re-authentication even if the user has a valid session id.
Web applications must establish sessions to keep track of the stream of requests from each user. HTTP does not provide this capability, so web applications must create it themselves. Frequently, the web application environment provides a session capability, but many developers prefer to create their own session tokens. In either case, if the session tokens are not properly protected, an attacker can hijack an active session and assume the identity of a user. Creating a scheme to create strong session tokens and protect them throughout their lifecycle has proven elusive for many developers. Unless all authentication credentials and session identifiers are protected with SSL at all times and protected against disclosure from other flaws, such as cross site scripting, an attacker can hijack a user’s session and assume their identity.
2. Cross Site Scripting (XSS)
Cross-site scripting holes are web application security weaknesses that allow attackers to avoid client-side security patterns. By finding ways of injecting malicious code into web pages, an attacker can gain important access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user.
XSS vulnerabilities have been reported and exploited since the 1990s. Some prominent sites that have been affected in the past are the social networking sites Twitter, Facebook, MySpace, and Orkut. In recent years, cross-site scripting flaws surpassed buffer overflows to become the most common publicly-reported security vulnerability, with some researchers claiming that as many as 68% of websites are likely open to XSS attacks.
1. SQL Injection
SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.
The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.
The injection process works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the malefactor terminates the injected string with a comment mark “–“. Subsequent text is ignored at execution time.