Web security attacks and their prevention

Sep 29, 2019 - Category: Backend

Session Hijacking

In session hijacking, the attacker steals a user's active session. The session data is stored on the server side, and a cookie named PHPSESSID carrying the session id is created in the client browser. Unless that cookie is protected, any JavaScript running in the page can read it with `document.cookie` in the console or show it in an alert message.

There are a couple of ways to prevent it.

1. Pass the cookie flags when starting the session:

   session_start([
       'cookie_httponly' => true, // cookie is not readable from JavaScript (document.cookie)
       'cookie_secure'   => true  // cookie is only sent over HTTPS
   ]);

2. Set the session INI options before the session is started:

   ini_set('session.use_only_cookies', '1');   // never accept a session id from the URL
   ini_set('session.use_trans_sid', '0');      // do not append the session id to links
   ini_set('session.cookie_lifetime', '1200'); // cookie expires after 20 minutes
   session_start();

XSS Attack

In this attack, code is injected into a page through a web form or a query string. The injected code may be JavaScript, CSS, Flash, HTML, etc. To prevent it, the steps below need to be taken.

X-XSS-Protection

X-XSS-Protection is a response header used to prevent XSS attacks. To enable it, either make the change below in the httpd.conf file of the Apache web server, or set X-XSS-Protection to 1 in the response header from the web application's init function.

In Apache

Header set X-XSS-Protection "1; mode=block"

Restart Apache and verify that the header is present in the response.

In PHP Script

header("X-XSS-Protection: 1");

In the first screenshot below, XSS protection is disabled by setting the value to 0; the second screenshot shows how the injected JS code then runs in the page and displays an alert.

Cross-Site Request Forgery (CSRF)

In this attack, the end user is tricked into executing an unwanted action. A CSRF attack only stages state-changing requests; it does not steal data.

Preventions:

  • Use a secret token that is sent with each form post and matched against the token generated on the server side.
  • Use only POST requests for state-changing actions.

As shown in the image below, a hidden field named _csrf contains an encrypted token. To prevent a CSRF attack, this token must match the token generated on the server side.

$tokenLength = 32;
$_SESSION['csrfToken'] = substr(base_convert(sha1(uniqid(mt_rand())), 16, 36), 0, $tokenLength);

Sample Code block to prevent CSRF Attack

<?php
session_start();
$tokenLength = 32;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $storedToken = $_SESSION['token'] ?? '';
    $postedToken = $_POST['token'] ?? '';
    // hash_equals() compares in constant time and avoids loose == matching
    if ($storedToken === '' || !hash_equals($storedToken, $postedToken)) {
        // Token missing or wrong: redirect to a 404 page or show some exception
    } elseif (time() >= $_SESSION['token-expire-time']) {
        // Token expired: reject the request as well
    } else {
        // Request will be processed as usual.
    }
}

// Issue a token for the next form only when none exists or the current one has expired;
// generating one on every request would overwrite the token the form carried and the check above would always fail.
if (empty($_SESSION['token']) || time() >= $_SESSION['token-expire-time']) {
    // random_bytes() is cryptographically secure; $tokenLength/2 bytes gives $tokenLength hex characters
    $_SESSION['token'] = bin2hex(random_bytes($tokenLength / 2));
    $_SESSION['token-expire-time'] = time() + 600; // 10 minutes
}
?>

Session Prediction

As the name indicates, the attacker predicts a session id and bypasses the application's authentication. In this attack, the attacker analyzes how session ids are generated; based on that analysis, the attacker predicts a valid session id and uses it to gain access to the application.

The session ID is a string of fixed width; in the screenshot attached above it is 32 characters long. To avoid prediction, random generation is very important. In the example in the attached figure, the session ID variable is PHPSESSID and its value is "user01"; an attacker could simply try "user02" and gain access to the application without prior authentication.


Password attack

The password is a very important part of a personal user account; it is used to authenticate a user to an application. Some techniques used in this attack are:

  • Brute force: tries generated passwords one after another until one works
  • Dictionary attack: tries a list of the most commonly used passwords

To prevent this attack we need to define a password policy, i.e. a combination of upper- and lower-case letters, numbers and symbols, a minimum of 10 characters, and the password must not be one of the last 4 passwords used in the past.
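The policy above as working PHP, added here as an example (it is not code from the original post). It assumes the user's previous passwords are stored as password_hash() hashes, newest first, and the sample passwords are constructed for the run.

```php
<?php
// Added example: enforce the password policy described above (upper + lower case,
// a number, a symbol, at least 10 characters, not one of the last 4 passwords).
// Assumption: the history holds password_hash() hashes, never plaintext passwords.
const PASSWORD_MIN_LENGTH = 10;
const PASSWORD_HISTORY_SIZE = 4;

/** Return the list of policy violations; an empty array means the password is acceptable. */
function checkPasswordPolicy(string $password, array $previousHashes): array
{
    $errors = [];
    if (strlen($password) < PASSWORD_MIN_LENGTH) {
        $errors[] = 'must be at least ' . PASSWORD_MIN_LENGTH . ' characters';
    }
    if (!preg_match('/[A-Z]/', $password)) { $errors[] = 'needs an upper-case letter'; }
    if (!preg_match('/[a-z]/', $password)) { $errors[] = 'needs a lower-case letter'; }
    if (!preg_match('/[0-9]/', $password)) { $errors[] = 'needs a number'; }
    if (!preg_match('/[^A-Za-z0-9]/', $password)) { $errors[] = 'needs a symbol'; }
    // Compare against the hashes only; the old passwords themselves are never stored.
    foreach (array_slice($previousHashes, 0, PASSWORD_HISTORY_SIZE) as $hash) {
        if (password_verify($password, $hash)) {
            $errors[] = 'must not match one of the last ' . PASSWORD_HISTORY_SIZE . ' passwords';
            break;
        }
    }
    return $errors;
}

/** Prepend the new password's hash and keep only the last PASSWORD_HISTORY_SIZE entries. */
function recordPassword(string $password, array $previousHashes): array
{
    array_unshift($previousHashes, password_hash($password, PASSWORD_DEFAULT));
    return array_slice($previousHashes, 0, PASSWORD_HISTORY_SIZE);
}

// Constructed sample run: two earlier passwords, then three checks
// (a weak password, a reused password and an acceptable one).
$history = [];
foreach (['Old-Pass-001!', 'Old-Pass-002!'] as $old) {
    $history = recordPassword($old, $history);
}
var_dump(checkPasswordPolicy('short', $history));
var_dump(checkPasswordPolicy('Old-Pass-002!', $history));
var_dump(checkPasswordPolicy('Fresh-Pass-003!', $history));
```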
