
[Part 2] Web Application Security Testing: Top 10 Risks & Solutions


In the previous article, we discussed the risks and web application security testing measures for 5 types of attacks:

  1. Injection
  2. Broken authentication and session management
  3. Cross-site scripting
  4. Indirect object security reference
  5. Security misconfiguration

Link – Part 1

Now let’s continue with the remaining 5 web application security threats.

6. Sensitive data exposure

Broken authentication and inefficient session management lead to sensitive data exposure. Examples of applications vulnerable to sensitive data exposure:

  • Data stored in plain text, such as passwords or credit card data 
  • Lack of HTTPS on authenticated pages
  • Hashed passwords with lack of salt, making the password easily cracked
  • Tokens disclosed in public source code
  • Browser header caching sensitive data

I would suggest going through the part 1 of this series for in-depth knowledge about this vulnerability.

7. Cross-site request forgery

In a Cross-Site Request Forgery (CSRF) attack, also called session riding, an attacker forces a victim to make an unintended web request such as a fraudulent bank transaction. For example, the attacker tricks the victim client into calling a banking function on a vulnerable page that transfers money from the victim's account to the attacker's. The victim triggers the attack by following the attacker's link or visiting the attacker's page. The vulnerable server page does not recheck that the request genuinely came from the victim and lets the transfer proceed.

The following steps detail the anatomy of a CSRF attack:

  1. The attacker finds a function in a web application that is vulnerable to CSRF.
  2. The attacker builds a link that invokes the vulnerable function, passing the required parameters to execute the attack.
  3. The attacker then waits until the victim client authenticates with the vulnerable web application.
  4. The attacker tricks the victim client into following the malicious link.
  5. The victim client sends a forged request to the vulnerable server.
  6. The vulnerable server accepts and executes the forged request.

For example, the link might look like this when the payload is to transfer money from the victim’s to the attacker’s account:

/makeTransfer?amount=1000&dest=attacker@attackersite.com

The following link sends an email titled ‘Hello’ to johny@example.com – 

/sendMail?to=johny@example.com&title=Hello&body=I+did+not+send+this

Basic test for cross-site request forgery

You can follow these test steps to test for CSRF bugs:

  1. Find a web application page that triggers/performs an action upon user request.
  2. Construct a page containing a link or redirect that sends a forged request to the application server. This link usually contains a tag such as an img or iframe with the source address pointing to the request.

    <a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>

    <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">

  3. Note that the links above generate a GET request. To test for POST requests, create a page containing a form with the URL parameters passed as hidden inputs, and add a script that submits the form automatically:

    <form action="http://bank.com/transfer.do" method="post">
        <input type="hidden" name="acct" value="MARIA">
        <input type="hidden" name="amount" value="100000">
    </form>
    <script>
        document.forms[0].submit();
    </script>

  4. Open an Internet browser and log in to the web application as a legitimate user.
  5. Open the page built in step 2 (follow the link if necessary).
  6. Confirm whether the request was successful.
  7. Repeat the test case for every application create/update/delete/mail action.

Expected result: the test fails if the application trusts and processes the forged request.

Also, attackers can manipulate cookies.

Another example: suppose we allow users to post images on our forum. What if one of our users posts this image?

    <img src="http://foo.com/logout">

This is not really an image, but it forces the target URL to be fetched by any user who happens to browse that page, using their browser credentials. From the web server's perspective, there is no difference whatsoever between a real user-initiated browser request and the above image URL retrieval.

If our logout page was a simple HTTP GET that requires no confirmation, every user who visits that page would be immediately logged out.
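The GET <img> and the auto-submitted POST form from the test steps above, replayed against a handler that trusts the session cookie alone and against one using the synchronizer-token pattern. This is an added example, not code from the article; the Session and Request classes are constructed stand-ins for a web framework.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Constructed stand-in for the server-side session behind the cookie."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Constructed stand-in for a framework request. The session is attached
    to forged requests too: the browser sends the cookie on every request."""
    method: str
    params: dict
    session: Session


def _do_transfer(req: Request) -> dict:
    return {"status": 200, "from": req.session.user,
            "to": req.params["acct"], "amount": int(req.params["amount"])}


def transfer_vulnerable(req: Request) -> dict:
    """The pattern the article describes: a valid session cookie is the only
    check, so transfer.do?acct=MARIA&amount=100000 loaded through an <img>
    tag or an auto-submitted form on the attacker's page is honoured."""
    return _do_transfer(req)


def transfer_hardened(req: Request) -> dict:
    """Synchronizer token pattern: a state change must be a POST carrying the
    per-session secret the server rendered into its own form. A cross-site
    <img>, link or form cannot read that secret, so it is missing or wrong."""
    if req.method != "POST":
        return {"status": 405}  # a GET must never change state
    sent = req.params.get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), req.session.csrf_token.encode()):
        return {"status": 403}
    return _do_transfer(req)


def forged_get(victim: Session) -> Request:
    """What <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000">
    produces when the logged-in victim's browser renders the attacker's page."""
    return Request("GET", {"acct": "MARIA", "amount": "100000"}, victim)


def forged_post(victim: Session) -> Request:
    """What the auto-submitted hidden form from the test steps produces."""
    return Request("POST", {"acct": "MARIA", "amount": "100000"}, victim)


def legitimate_post(user: Session, acct: str, amount: str) -> Request:
    """The bank's own form, which includes the session's token as a hidden field."""
    return Request("POST", {"acct": acct, "amount": amount,
                            "csrf_token": user.csrf_token}, user)
```

The expected result line above maps directly onto the two handlers: the vulnerable one fails the test for both forged requests, the hardened one rejects them and still serves the bank's own form.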

Consider these examples of cross-site request forgery: CSRF token leakage through Google Analytics, deleting account and erasing imported contacts, change any user ZONE, Add optional two factor mobile number

8. Missing function level access control

If the authentication check in sensitive request handlers is insufficient or non-existent, the vulnerability is Missing Function Level Access Control.

How to test for missing function level access control?

The best way to find out whether an application fails to properly restrict function level access is to verify every application function:

  1. Does the UI show navigation to unauthorized functions?
  2. Are server side authentication or authorization checks missing?
  3. Do server side checks rely solely on information provided by the attacker?

Using a proxy, browse the application with a privileged role. Then revisit restricted pages using a less privileged role. If the server responses are alike, the application is probably vulnerable.

In one potential scenario an attacker simply forces the browser to target URLs. Consider the following URLs, which should both require authentication. One also requires admin rights to access the "admin_getappInfo" page.

http://example.com/app/getappInfo

http://example.com/app/admin_getappInfo

If an unauthenticated user (attacker) can access either page, unauthorized access was allowed. This flaw may lead the attacker to further unprotected admin pages.

Example of a missing function level access control attack: Delete Credit Cards from any Twitter Account.
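An added example (not the article's code) of enforcing function level access in the request dispatcher, using the two URLs above, with the privileged-versus-lesser-role comparison test automated. The role levels, route table and session dicts are constructed for the example.

```python
from typing import Callable, Dict, List, Tuple

# Constructed role model for this example: a higher number means more privilege.
ROLE_LEVEL = {"anonymous": 0, "user": 1, "admin": 2}

# Each handler is registered with the minimum role it needs. The check lives in
# the dispatcher, so hiding a menu entry in the UI is never the only gate.
ROUTES: Dict[str, Tuple[str, Callable[[dict], dict]]] = {}


def route(path: str, min_role: str):
    def register(handler: Callable[[dict], dict]):
        ROUTES[path] = (min_role, handler)
        return handler
    return register


@route("/app/getappInfo", min_role="user")
def get_app_info(session: dict) -> dict:
    return {"status": 200, "body": f"app info for {session['user']}"}


@route("/app/admin_getappInfo", min_role="admin")
def admin_get_app_info(session: dict) -> dict:
    return {"status": 200, "body": "app info for every user"}


def dispatch(path: str, session: dict) -> dict:
    """Server-side check. The role is read from the server's own session
    record, never from a parameter the client supplies (checklist item 3)."""
    if path not in ROUTES:
        return {"status": 404}
    min_role, handler = ROUTES[path]
    if ROLE_LEVEL.get(session.get("role", "anonymous"), 0) < ROLE_LEVEL[min_role]:
        return {"status": 403}
    return handler(session)


def dispatch_vulnerable(path: str, session: dict) -> dict:
    """The same routes with the check missing: forcing the URL is enough."""
    if path not in ROUTES:
        return {"status": 404}
    return ROUTES[path][1](session)


def find_alike_responses(dispatcher, privileged: dict, lesser: dict) -> List[str]:
    """The article's proxy test, automated: request every path as the
    privileged role and again as the lesser role, and report the paths whose
    responses are alike, the signal that the function is not restricted."""
    return [path for path in ROUTES
            if dispatcher(path, privileged) == dispatcher(path, lesser)]
```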

9. Shellshock and Heartbleed attacks

Shellshock

It is a remote command execution vulnerability in Bash. The character sequence () { :; }; is the syntax Bash uses for a function definition stored in an environment variable; vulnerable versions parse that definition and then keep going, so by default they execute whatever commands follow it.

More on — manually exploiting shellshock vulnerability

Tools for checking Shellshock

Through the command line:

To determine if your Linux or Unix system is vulnerable, type the following at the command line:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

    vulnerable
    this is a test

An unaffected (or patched) system will output:

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

Online tools – 

  1. Penetration testing tools
  2. Shellshock bash vulnerability test tool

Heartbleed

It is a critical bug in OpenSSL's implementation of the TLS/DTLS heartbeat extension. It allows attackers to read portions of the affected server's memory, potentially revealing users' data that the server never intended to reveal.

An attacker can trick OpenSSL into allocating a 64KB buffer, copying more bytes into it than the request actually supplied, and sending that buffer back, thus leaking the contents of the server's memory 64KB at a time.

Web application security testing tools for heartbleed attack

  1. defribulator v1.16: command: python ssltest.py example.com (the ssltest.py file is available with me)
  2. Online tool: Filippo
  3. For android, you can download Bluebox open SSL scanner

Also read – Heartbleed bug FAQs, Bugs and solutions

How to prevent heartbleed attack?

  • Upgrade the OpenSSL version to 1.0.1g
  • Request revocation of the current SSL certificate
  • Regenerate your private key
  • Request and replace the SSL certificate

Examples of Heartbleed security attacks: information disclosure on Concrete5, port 1433, server returning more data

10. Unvalidated redirects and forwards

Unvalidated redirect vulnerabilities occur when an attacker is able to redirect a user to an untrusted site when the user visits a link located on a trusted website. This vulnerability is also often called Open Redirect.

It is possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

How to test unvalidated redirects and forwards?

Spider the site to see if it generates any redirects (HTTP response codes 300-307, typically 302). Look at the parameters supplied prior to the redirect to see if they appear to be a target URL or a piece of such a URL. If so, change the URL target and observe whether the site redirects to the new target.

Web application security testing: preventing unvalidated redirects

  1. Simply avoid using redirects and forwards.
  2. If you do use redirects/forwards, do not accept the destination URL as user input. Instead, have a method that validates the URL.
  3. If you cannot avoid user input, ensure that the supplied value is valid, appropriate for the application, and authorized for the user.
  4. Map any such destination input to a value, rather than the actual URL or a portion of it, and ensure that server side code translates this value to the target URL.
  5. Sanitize input by checking it against a list of trusted URLs (a list of hosts or a regex).
  6. Force all redirects to first go through a page notifying users that they are leaving your site, and have them click a link to confirm.
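Items 4 and 5 above, as an added example that is not the article's code: a key-to-URL map, and an allowlist validator that resolves the input against the site's own origin before checking it and redirects to the resolved form rather than the raw input. SITE_ORIGIN, TRUSTED_HOSTS and DESTINATIONS are constructed values.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Constructed for this example: the site's own origin and the hosts it may send users to.
SITE_ORIGIN = "https://example.com"
TRUSTED_HOSTS = {"example.com", "help.example.com"}

# Item 4 above: the client sends a short key; the server owns the real URL.
DESTINATIONS = {"home": "/", "help": "https://help.example.com/", "account": "/account"}


def redirect_by_key(key: str) -> Optional[str]:
    """Unknown keys get no redirect at all; user input never reaches the Location header."""
    return DESTINATIONS.get(key)


def safe_redirect_target(target: str) -> Optional[str]:
    """Item 5 above: accept a path on this site or an https URL to a trusted
    host, and return the normalised absolute URL to redirect to (or None).
    Resolving against SITE_ORIGIN before checking, and redirecting to the
    resolved form instead of the raw input, closes the usual open-redirect
    bypasses: '//evil.com', 'https:evil.com', '/\\evil.com',
    'https://example.com@evil.com', 'https://example.com.evil.com', 'javascript:'."""
    if not target or any(c in target for c in "\r\n\\"):
        return None  # CRLF would split the response header; backslashes confuse browsers
    try:
        resolved = urljoin(SITE_ORIGIN, target)
        parts = urlsplit(resolved)
    except ValueError:
        return None
    if parts.scheme != "https":
        return None  # rejects javascript:, data:, and plain http
    # Compare the whole netloc, not just the hostname: userinfo ('@') and ports
    # are then rejected, and exact membership beats suffix matching.
    if parts.netloc.lower() not in TRUSTED_HOSTS:
        return None
    return resolved
```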

Consider these examples: open redirect, open redirect in bulk edit

So, this was all about the prevailing risks and the web application security testing measures that protect your website from attackers. For further queries and doubts, feel free to write to hello@mantralabsglobal.com

About the author: Rijin Raj is a Senior Software Engineer-QA at Mantra Labs, Bangalore. He is a seasoned tester and a backbone of the organization, with uncompromising attention to detail.
