[Part 2] Web Application Security Testing: Top 10 Risks & Solutions


In the previous article, we discussed the risks and web application security testing measures for five types of attacks:

  1. Injection
  2. Broken authentication and session management
  3. Cross-site scripting
  4. Insecure direct object reference
  5. Security misconfiguration

Link – Part 1

Now let’s continue with the remaining 5 web application security threats.

6. Sensitive data exposure

Broken authentication and inefficient session management lead to sensitive data exposure. Examples of applications vulnerable to sensitive data exposure:

  • Data stored in plain text, such as passwords or credit card data
  • Lack of HTTPS on authenticated pages
  • Passwords hashed without a salt, which makes them easy to crack
  • Tokens disclosed in public source code
  • Browser caching of pages that contain sensitive data

I would suggest going through part 1 of this series for in-depth knowledge about this vulnerability.

7. Cross-site request forgery

In a Cross-Site Request Forgery (CSRF) attack, also called session riding, an attacker forces a victim to make an inappropriate web request such as a fraudulent bank transaction. For example, the attacker tricks the victim's browser into calling a banking function on a vulnerable page that transfers money from the victim's account to the attacker's. The victim triggers the attack by following the attacker's link or visiting the attacker's page. The vulnerable server page does not recheck the authenticity of the victim's request and allows the transfer to proceed.

The following steps detail the anatomy of a CSRF attack:

  1. The attacker finds a function in a web application that is vulnerable to CSRF.
  2. The attacker builds a link that invokes the vulnerable function, passing the required parameters needed to execute the attack.
  3. The attacker then waits until the victim client authenticates with the vulnerable web application.
  4. The attacker tricks the victim client into following the malicious link.
  5. The victim client sends a forged request to the vulnerable server.
  6. The vulnerable server accepts and executes the forged request.

For example, the link might look like this when the payload is to transfer money from the victim’s to the attacker’s account:

/makeTransfer?amount=1000&dest=attacker@attackersite.com

The following link sends an email titled 'Hello' to johny@example.com:

/sendMail?to=johny@example.com&title=Hello&body=I+did+not+send+this

Basic test for cross-site request forgery

You can follow these steps to test for CSRF bugs:

  1. Find a web application page that triggers/performs an action upon user request.
  2. Construct a page containing a link or redirect that sends a forged request to the application server. This link usually contains a tag such as an img or iframe with the source address pointing to the request.

<a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>

<img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">

  3. Note that the links above generate a GET request. To test for POST requests you must create a page containing a form with the URL parameters passed as hidden inputs, and add a script that submits the form automatically:

<form action="http://bank.com/transfer.do" method="post">
     <input type="hidden" name="acct" value="MARIA">
     <input type="hidden" name="amount" value="100000">
</form>
<script>
     document.forms[0].submit();
</script>

  4. Open an Internet browser and log in to the web application as a legitimate user.
  5. Open the page built in step 2 (follow the link if necessary).
  6. Confirm whether the request was successful.
  7. Repeat the test case for every application create/update/delete/mail action.

Expected result: the test fails if the application trusts and processes the forged request.

Attackers can also manipulate cookies.

Another example:

Suppose we allow users to post images on our forum. What if one of our users posts this image?

<img src="http://foo.com/logout">

This is not really an image, but it forces the target URL to be retrieved by any user who happens to browse that page, using their own browser credentials. From the web server's perspective, there is no difference whatsoever between a genuine user-initiated browser request and the above image URL retrieval.

If our logout page were a simple HTTP GET that requires no confirmation, every user who visits that page would be immediately logged out.

Consider these examples of cross-site forgery: CSRF token leakage through Google Analytics, deleting account and erasing imported contacts, change any user ZONE, Add optional two factor mobile number
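The server-side counterpart of the test above, as an added example that is not part of the original article: a synchronizer-token check for the bank's transfer.do and the forum's logout endpoint, written so that both the GET-based img/a trick and the auto-submitted POST form are rejected. The Session and Request classes, the X-CSRF-Token header name and the handler return values are assumptions for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Session:
    """Server-side session. The token is minted once per login, not per request."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    form: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)
    # Resolved by the framework from the session cookie. The victim's browser
    # attaches that cookie to a forged request too, so a present session says
    # nothing about who composed the request; only the token does.
    session: Optional[Session] = None


def render_transfer_form(session: Session) -> str:
    """The legitimate page embeds the token; an attacker's page cannot read it."""
    return (
        '<form action="/transfer.do" method="post">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="acct"><input name="amount"><input type="submit"></form>'
    )


def csrf_check(req: Request) -> bool:
    """Synchronizer token pattern: a state-changing request must present the
    session's token (form field or header), compared in constant time."""
    if req.method not in STATE_CHANGING:
        return True
    if req.session is None:
        return False
    submitted = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token", "")
    return hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode())


def transfer_handler(req: Request) -> Tuple[int, str]:
    """transfer.do written so both forged requests shown on the page fail."""
    if req.method != "POST":
        # The <a>/<img> trick only produces GETs: state never changes on a GET.
        return 405, "transfers must use POST"
    if not csrf_check(req):
        return 403, "missing or invalid CSRF token"
    acct, amount = req.form.get("acct"), req.form.get("amount", "")
    if not acct or not amount.isdigit():
        return 400, "bad parameters"
    return 200, f"{req.session.user} transferred {amount} to {acct}"


def logout_handler(req: Request) -> Tuple[int, str]:
    """The forum example: a GET /logout loaded through an <img> must do nothing."""
    if req.method != "POST":
        return 405, "logout requires POST"
    if not csrf_check(req):
        return 403, "missing or invalid CSRF token"
    req.session = None
    return 200, "logged out"
```

Setting the session cookie with the SameSite attribute adds a second, browser-enforced layer, but the token check is what makes the test in step 6 fail regardless of browser.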

8. Missing function level access control

If the authentication check in sensitive request handlers is insufficient or non-existent, the vulnerability is Missing Function Level Access Control.

How to test for missing function level access control?

The best way to find out whether an application fails to properly restrict function level access is to verify every application function:

  1. Does the UI show navigation to unauthorized functions?
  2. Are server-side authentication or authorization checks missing?
  3. Do server-side checks rely solely on information provided by the attacker?

Using a proxy, browse the application with a privileged role. Then revisit restricted pages using a less privileged role. If the server responses are alike, the application is probably vulnerable.

In one potential scenario an attacker simply forces the browser to target URLs. Consider the following URLs, both of which should require authentication. One also requires admin rights to access the "admin_getappInfo" page.

http://example.com/app/getappInfo

http://example.com/app/admin_getappInfo

If an unauthenticated user (attacker) can reach either page, unauthorized access was allowed. This flaw may lead the attacker to further unprotected admin pages.

Example of a missing function level access control attack: Delete Credit Cards from any Twitter Account.
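An added example, not code from the original article, of how the two URLs above should be protected on the server, together with the proxy test from the text automated as a function. The User class, the route table and the handler return values are assumptions for this example; the decision is made only from the server-side session user, never from request parameters (checklist item 3).

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]  # assigned server-side at login, never taken from the request


def get_app_info(user: User) -> Dict[str, Any]:
    return {"app": "demo", "version": "1.0"}


def admin_get_app_info(user: User) -> Dict[str, Any]:
    return {"app": "demo", "version": "1.0", "db_host": "internal-db"}


# Constructed route table for the page's two URLs. Every route declares the
# roles it needs; a path absent from the table is not reachable at all.
ROUTES: Dict[str, Tuple[Set[str], Callable[[User], Dict[str, Any]]]] = {
    "/app/getappInfo": ({"user", "admin"}, get_app_info),
    "/app/admin_getappInfo": ({"admin"}, admin_get_app_info),
}


def dispatch(path: str, user: Optional[User], params: Dict[str, str]) -> Tuple[int, Optional[dict]]:
    """Authorization is decided only from the server-side session user.
    `params` is client-controlled (e.g. ?role=admin) and is deliberately unused."""
    if path not in ROUTES:
        return 404, None
    if user is None:
        return 401, None  # forced browsing without a session
    needed, handler = ROUTES[path]
    if not (user.roles & needed):
        return 403, None  # authenticated, but not for this function
    return 200, handler(user)


def looks_vulnerable(path: str, privileged: User, less_privileged: User) -> bool:
    """The proxy test from the text: fetch as a privileged role, then as a less
    privileged one. Alike responses flag a function worth a closer look."""
    return dispatch(path, privileged, {}) == dispatch(path, less_privileged, {})
```

For a function that is legitimately open to both roles, such as getappInfo here, the comparison is also "alike", so the check produces candidates to review rather than confirmed bugs.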

9. Shellshock and Heartbleed attacks

Shellshock

Shellshock is a remote command execution vulnerability in Bash. The character sequence () { :; }; looks like an exported function definition; when a vulnerable version of Bash imports such a definition from an environment variable, it keeps parsing past the closing brace and executes whatever code follows it.

More on — manually exploiting shellshock vulnerability

Tools for checking Shellshock

Through the command line:

To determine whether your Linux or Unix system is vulnerable, type the following at the command line:

 env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

 vulnerable
 this is a test

An unaffected (or patched) system will output:

 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test

Online tools – 

  1. Penetration testing tools
  2. Shellshock bash vulnerability test tool

Heartbleed

Heartbleed is a critical bug in OpenSSL's implementation of the TLS/DTLS heartbeat extension. It allows attackers to read portions of the affected server's memory, potentially revealing user data that the server never intended to disclose.

An attacker sends a heartbeat request whose declared payload length (up to 64KB) is far larger than the payload actually sent. OpenSSL trusts the declared length, copies that many bytes from memory into the response buffer and sends it back, leaking the contents of the victim's memory 64KB at a time.
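The mechanism above, as an added example that is not part of the original article: a pure-Python simulation of the heartbeat handler over a constructed in-memory buffer, showing why the length check missing from the vulnerable code matters. The message layout follows RFC 6520 (type, 16-bit payload length, payload, 16 bytes of padding); the `memory` buffer, the `patched` switch and the helper names are assumptions for this example, not OpenSSL's code.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Constructed heartbeat request. claimed_len lets a test declare a payload
    length that is larger than the payload actually sent."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING_LEN


def handle_heartbeat(memory: bytes, record_len: int, patched: bool = True) -> Optional[bytes]:
    """Simulated heartbeat processing. `memory` stands in for process memory:
    the received record sits at offset 0 and whatever else happened to be on the
    heap follows it. record_len is how many bytes were really received."""
    if record_len < 3:
        return None
    msg_type, claimed = struct.unpack("!BH", memory[:3])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if patched:
        # The bounds checks added by the fix: the record must be large enough
        # for the header plus padding, and for the payload length it claims.
        if 1 + 2 + PADDING_LEN > record_len:
            return None
        if 1 + 2 + claimed + PADDING_LEN > record_len:
            return None
    # The echo copies `claimed` bytes starting at the payload. Without the
    # checks above the copy runs past the record into adjacent memory.
    echoed = memory[3:3 + claimed]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + echoed + b"\x00" * PADDING_LEN
```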

Web application security testing tools for heartbleed attack

  1. defribulator v1.16: command: python ssltest.py example.com (ssltest.py file is available with me)
  2. Online tool: Filippo
  3. For android, you can download Bluebox open SSL scanner

Also read – Heartbleed bug FAQs, Bugs and solutions

How to prevent heartbleed attack?

  • Upgrade the OpenSSL version to 1.0.1g
  • Request revocation of the current SSL certificate
  • Regenerate your private key
  • Request and replace the SSL certificate

Examples of Heartbleed security attacks: information disclosure on Concrete5, port 1433, server returning more data

10. Unvalidated redirects and forwards

Unvalidated redirect vulnerabilities occur when an attacker is able to redirect a user to an untrusted site when the user visits a link located on a trusted website. This vulnerability is also often called Open Redirect.

This is possible when a web application accepts untrusted input that causes it to redirect the request to a URL contained within that input. By modifying the URL input to point at a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

How to test unvalidated redirects and forwards?

Spider the site to see if it generates any redirects (HTTP response codes 300-307, typically 302). Look at the parameters supplied prior to the redirect to see if they appear to be a target URL or a piece of such a URL. If so, change the URL target and observe whether the site redirects to the new target.

Web application security testing: preventing unvalidated redirects

  1. Simply avoid using redirects and forwards.
  2. If you do use redirects/forwards, do not take the destination URL from user input. If you must, have a method that validates the URL.
  3. If you cannot avoid user input, ensure that the supplied value is valid, appropriate for the application, and authorized for the user.
  4. Map any such destination input to a value, rather than the actual URL or a portion of the URL, and ensure that server-side code translates this value to the target URL.
  5. Sanitize input by creating a list of trusted URLs (a list of hosts or a regex).
  6. Force all redirects to first go through a page notifying users that they are leaving your site, and have them click a link to confirm.

Consider these examples: open redirect, open redirect in bulk edit
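Prevention steps 3, 4 and 5 above, as an added example that is not part of the original article: a destination validator that resolves the supplied value against the site's own origin and only accepts allowlisted hosts, beside the mapping approach where the client sends an opaque key. The allowlist, origin, default target and key table are constructed for this example; the normalisation steps cover scheme-relative, backslash and userinfo tricks that a plain substring check misses.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed allowlist for this example: the hosts a redirect may land on.
ALLOWED_HOSTS = {"bank.com", "www.bank.com"}
OWN_ORIGIN = "https://bank.com/"
DEFAULT_TARGET = "/home"

# Prevention step 4: the client sends an opaque key, the server owns the URL.
NAMED_TARGETS = {
    "dashboard": "/account/dashboard",
    "help": "https://www.bank.com/help",
}


def resolve_named_target(key: str) -> str:
    """Translate a client-supplied key into a server-controlled destination."""
    return NAMED_TARGETS.get(key, DEFAULT_TARGET)


def safe_redirect_target(user_value: str) -> str:
    """Prevention steps 3 and 5: accept a raw URL only if it resolves to an
    allowed host; anything else falls back to DEFAULT_TARGET."""
    if not user_value:
        return DEFAULT_TARGET
    # Browsers drop tabs/newlines and treat "\" like "/" when parsing URLs,
    # so normalise the same way before deciding anything.
    candidate = re.sub(r"[\t\r\n]", "", user_value).strip().replace("\\", "/")
    # "///evil.com" is scheme-relative in browsers; collapse it to "//evil.com"
    # so urljoin() resolves it the way the browser will.
    if candidate.startswith("//"):
        candidate = "//" + candidate.lstrip("/")
    scheme = urlsplit(candidate).scheme
    if scheme and scheme not in ("http", "https"):
        return DEFAULT_TARGET  # javascript:, data:, vbscript: ...
    absolute = urlsplit(urljoin(OWN_ORIGIN, candidate))
    if absolute.scheme not in ("http", "https"):
        return DEFAULT_TARGET
    if absolute.username is not None or absolute.password is not None:
        return DEFAULT_TARGET  # "https://bank.com@evil.com/" style authority
    if absolute.hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return absolute.geturl()
```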

So, this was all about the prevailing risks and the web application security testing measures that protect your website from attackers. For further queries and doubts, feel free to write to hello@mantralabsglobal.com

About the author: Rijin Raj is a Senior Software Engineer-QA at Mantra Labs, Bangalore. He is a seasoned tester and a backbone of the organization, with uncompromising attention to detail.

Related:

Virtual health: Delivering care through technology

Virtual Care, Telehealth, Telemedicine, etc. are terms that are often used interchangeably. They are indeed interrelated; however, Virtual Care is a broader term in which healthcare providers use digital tools to communicate with and deliver care to their patients. Telehealth and Telemedicine are parts of Virtual Care where doctors deliver care to their patients remotely via phone, video, or instant messaging. Virtual health includes care delivery beyond video consultation, where hospitals provide services using technology such as wearables for remote monitoring, instruments for post-op care and second opinions, e-pharma services, medical information, etc.

The outbreak of the COVID-19 pandemic gave an impetus to Virtual Care, but even in pre-COVID times the healthcare sector was slowly gearing up for this next wave in care delivery. What COVID-19 did was help patients get acclimatized to digital health tools and services.

What does Virtual Health help with?

The pandemic has brought the burning issues of the healthcare sector to center stage. Patient experience and access to healthcare services are key differentiators for people when choosing a healthcare provider. Let's take a look at some of these issues addressed by technology in the healthcare sector:

The increasing number of patients

Apart from the pandemic, there’s already been a rise in the number of patients due to drastic changes in lifestyle and food habits, an increase in pollution levels, increase in new types of viruses, etc. This has caused undue stress on healthcare institutions and workers and has led to the deterioration of the quality of patient care. Virtual Health technology such as mHealth apps, EHR (Electronic Health Record), video conferencing, etc. has helped reduce the pressure on hospitals.

Difficulty in traveling for old patients

The pace of life is increasing at a rapid rate. It is getting extremely difficult for the elderly population to navigate the traffic and commute long distances for a check-up. Many times, they have to depend on their family members to take them to hospitals. Moreover, they are at risk of exposure to viruses in hospitals and clinics. Now that they have had the experience of virtual consultations, they prefer care delivery at home rather than going to hospitals.

Chronic Diseases treatment

A growing number of people above the age of 45 face health issues, and some patients suffer from chronic diseases regardless of age. Regular monitoring of their vitals is very important. Moreover, people now prefer virtual healthcare services, which are easily accessible and save a lot of time, effort, and money. Now that people have found these services effective, they will opt for online consults rather than frequent in-person visits.

Post-op Care

The duration of post-operative care is quite long and tedious. If given a choice, people will lean towards wearables which will help keep doctors posted on the status of the treatment. Many times, the cost of post-op care is more than the actual treatment and sometimes is not covered under insurance. Virtual care-delivery services will help reduce the financial burden of people going through these treatments.

Follow-ups/Second opinion  

Some health conditions need multiple follow-ups and second opinions to figure out the right approach to treat the issue. It is much easier for patients to do follow-up consults virtually rather than going through the tedious process of appointment booking, commuting, and waiting for their turn. It helps reduce the queue outside the doctor’s office as well. Some health issues need a second opinion, sometimes both by patients and doctors. Virtual Healthcare technologies make it possible for them to take second opinions from doctors all over the world. With electronic records and image sharing, doctors can diagnose the problem better.

What does Virtual Health include?

Virtual Health can be broadly divided into the following applications:

mHealth Applications

mHealth applications have widespread use. From symptom checkers to appointment booking, from fitness trackers to uploading medical records, from video conferencing features to chatbot integrations, mHealth apps are on the rise mainly because of their easy accessibility for tech-savvy customers. According to a study by NCBI, among the 22 selected mHealth apps operating in India, Practo, mfine, DocsApp, 1mg, Netmeds, Lybrate, MediBuddy, and Medlife were found to be the eight most popular ones, with over a million downloads each and an average user rating above four out of five. All the above apps are mainly used for online consults. This goes to show that people prefer having homecare services instead of stepping out.

E-Triage Tools

The rising number of patients with different stages of COVID symptoms was a challenge to deal with. E-triage software enables hospitals to sort patients into different sections when there is an overload of patients at a particular time. In the case of home care, e-triage tools help patients assess the severity of their health condition and notify the healthcare provider accordingly. Such tools help reduce A&E waiting time and improve NHS performance. Many companies are building healthcare software that integrates the E-triage module with EHR, telemedicine, clinical decision making, billing, etc. In India, Persistent Systems' cutting-edge platform has a Nurse Triage system that enables nurses to see the queue of patients and triage via phone calls. Once the calls are done, a triage report is generated and sent to care providers. Many leading doctors feel that AI in image triage will see a boost in the near future.

Remote Patient Monitoring 

There are multiple benefits such as reduced post-op expenditure, time wastage, less exposure to other diseases, etc. The global remote patient monitoring devices market is expected to expand at a CAGR of 7.1% during the forecast period (2019–2027) according to Coherent Market Insights. Some of the top players in this space are Biotronik, Boston Scientific Corporation, CAS Medical Systems, CONTEC MEDICAL, Dragerwerk, GE Healthcare, Guangdong Biolight Meditech, Medtronic, Mindray Medical, Nihon Kohden, Philips Healthcare, Spacelabs Healthcare, Abbott. Companies such as GE Healthcare and Philips Healthcare have done a great job with building remote patient monitoring systems within the hospital premises as well as homecare for COVID patients. The main goal was to reduce the exposure of healthcare workers to at-risk patients. 

Synchronous and Asynchronous Telehealth

Synchronous telehealth, in other words Telemedicine, is where there is a live conversation between the patient and the doctor. Asynchronous telehealth involves the exchange of recorded data, e.g. images, video, medical reports, and pathology reports, between patients and doctors, and at times between doctors as well. Similar to the mHealth space, companies like Practo, 1mg, Lybrate, Medlife, and Portea Medical in India are some of the top players in telehealth and telemedicine. Lybrate's USP lies in its CMS (Clinical Management System), which helps doctors with the tedious tasks of managing patients and providing better care. Meanwhile, Portea Medical's home consults and pharma delivery have more relevance with the audience as they combine technology with a touch of personalization.

Digital Therapeutics

Digital Therapeutics delivers evidence-based therapies with the help of software, which can be used both as a preventive measure and as a treatment application. The effectiveness of medication and lifestyle changes on patients is monitored by leveraging technology. In India, the major non-communicable diseases that account for 62% of the total mortality rate are CVD, diabetes, respiratory conditions, and cancer. Prominent global players in this space include Noom (US), Livongo Health (US), Omada Health (US), WellDoc (US), Pear Therapeutics (US), Proteus Digital Health (US), Propeller Health (US), Akili Interactive Labs (US), Better Therapeutics (US), etc. Omada Health is the pioneer in DTx (Digital Therapeutics); it focused primarily on diabetes and pre-diabetes but is now branching out into the mental health space as well. In India, Altran (a part of Capgemini) builds personalized DTx applications for clients, while a start-up called Wellthy Therapeutics has ready solutions catering to multiple diseases.

Future of Virtual Health

Undoubtedly, there has been a massive increase in the adoption of Virtual Health technologies as people have gotten accustomed to the ease of receiving certain services at home. In the coming years, mHealth apps, remote patient monitoring, and Digital Therapeutics will see a surge in demand from customers. According to a study by Markets and Markets, "The global digital therapeutics market is projected to reach USD 6.9 billion by 2025 from USD 2.1 billion in 2020, at a CAGR of 26.7% during the forecast period (2020–2025)." A study by Fortune Business Insights states, "The global mHealth market size is projected to reach USD 293.29 billion by 2026, exhibiting a CAGR of 29.1% during the forecast period." A Research and Markets report says, "The remote patient monitoring market is expected to reach US$31.326 billion by the end of 2023." Apart from the above, developments in digital infrastructure such as virtual health stations where doctors can provide consultations globally, mobile ICUs, MRIs, X-rays, ultrasound equipment, and the establishment of rural virtual care units reaching the remote areas of the country are some of the trends that will gain momentum. The focus will always lie on the personalization of the virtual care experience for patients, driven by data exchange and interoperability.

Indeed, there are certain challenges to the implementation of these technologies, such as a lack of infrastructure and of digital literacy amongst elders and the lower strata of society. Many healthcare institutions still have inhibitions about investing in digital technologies, fearing rejection from their customers. It will be crucial for care providers to choose the right partner for implementing these technologies and to create awareness amongst people to adopt them.

In a Nutshell

The success of virtual care relies on how well the digital experience is designed for the patient. “By 2025, as many as 95 percent of all customer interactions will be through channels supported by artificial intelligence (AI) technology” – Microsoft. The use of algorithms and AI for personalizing these experiences will be the key. 

Find out more about uncharted territories in the 'Blue Ocean' of Digital Health. Join our webinar hosted by Parag Sharma (CEO, Mantra Labs) as he shares his insights on untapped opportunities using digital self-care tools within behavioral healthcare and emotional wellness.

Save your spot! 

Further Readings:

  1. Reimagining Medical Diagnosis with Chatbots
  2. HealthTech 101: How are Healthcare Technologies Reinventing Patient Care
  3. What will be the state of the healthcare industry post pandemic?
  4. Healthcare Chatbots: Innovative, Efficient, and Low-cost Care