17 Most Common Web Security Vulnerabilities

A vulnerability is a weakness or gap in a system or application that can be exploited by an attacker to gain unauthorized access or perform malicious actions. Vulnerabilities can exist in a variety of systems and applications, including software, hardware, networks, and operating systems.

There are many different types of web vulnerabilities that can affect web servers, web applications, and web browsers.

Some common types of web vulnerabilities include:

  1. CSRF – Cross Site Request Forgery
  2. XSS – Cross Site Scripting
  3. CRLF – Carriage Return Line Feed
  4. LFI – Local File Inclusion
  5. RFI – Remote File Inclusion
  6. XXE – XML External Entity
  7. XSPA – Cross Site Port Attack
  8. SQLi – SQL Injection
  9. IDOR – Insecure Direct Object References
  10. RCE – Remote Code Execution
  11. SSRF – Server Side Request Forgery
  12. SSI – Server Side Injection
  13. XSSI – Cross Site Script Inclusion
  14. XSLT-SSI – Extensible Stylesheet Language Transformations Server Side Injection
  15. SSTI – Server Side Template Injection
  16. CSWSH – Cross Site WebSocket Hijacking
  17. CSTI – Client Side Template Injection

Let’s explain in detail:

1. CSRF – Cross Site Request Forgery

When a web server is designed to receive a request from a client without any mechanism for verifying whether it was intentionally sent by the authenticated user or not, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authenticated request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.

Prevention Tips:-

  • Always use POST method to implement sensitive functionalities.
  • The preferred option is to include the unique token in a hidden field. This causes the value to be sent in the body of the HTTP request, avoiding its inclusion in the URL, which is more prone to exposure.
  • OWASP’s CSRF Guard can automatically include such tokens in Java EE, .NET, or PHP apps.
  • Requiring the user to re authenticate, or prove they are a user (e.g., via a CAPTCHA) can also protect against CSRF.

2. XSS – Cross Site Scripting

Cross Site Scripting (XSS) vulnerabilities give attackers the capability to inject client-side scripts into the application, for example, to redirect users to malicious websites, steal session cookies etc.

Cross site scripting can be used to hijack user accounts, spread worms and trojans, access browser history and clipboard contents, control the browser remotely, and scan and exploit online appliances and applications.

There are 3 types of XSS attacks:-

  • Stored XSS (Persistent)
  • Reflected XSS (Non-Persistent)
  • DOM XSS

3. CRLF – Carriage Return Line Feed

CRLF used to refer to Carriage Return (\r) Line Feed (\n). As one might notice from the symbols in the brackets, “Carriage Return” refers to the end of a line, and “Line Feed” refers to the new line. Hence, both CR and LF are used to denote the ending point of a line.

When a user requests content on a website, the server returns the website content along with the HTTP headers. The headers and the contents are separated by a defined combination of CR and LF. It is because of CRLF that a server knows where a new header begins or ends.

A CRLF Injection vulnerability is a type of Server Side Injection which occurs when an attacker inserts the CRLF characters in an input field to deceive the server by making it think that an object has terminated and a new one has begun. This happens when the web application doesn’t sanitize user input for CRLF characters.

CRLF Injection attack has two most important use cases:

  • Log Splitting
  • HTTP Response Splitting

4. LFI – Local File Inclusion

A LFI is, as the title says, a method for servers/scripts to include local files on run-time, in order to make complex systems of procedure calls. Local File Inclusion (LFI) allows an attacker to include files on a server through the web browser. This vulnerability exists when a web application includes a file without correctly sanitizing the input, allowing and attacker to manipulate the input and inject path traversal characters and include other files from the web server.

Example: /news.php?page=../../../../../../../../etc/passwd

You may also wish to peruse around in other directories, such as:

  • /etc/shadow
  • /etc/group
  • /etc/security/group
  • /etc/security/passwd
  • /etc/security/user
  • /etc/security/environ
  • /etc/security/limits
  • /usr/lib/security/mkuser.default

PHP has a number of wrappers that can often be abused to bypass various input filters. One example on how to find these particular sites would be to look either for an exploit on exploit-db.com, or do a Google search for dorks:

  • inurl:home.php?pg=
  • inurl:index.php?pg=
  • gallery/displayCategory.php?basepath=
  • jaf/index.php?show=
  • /index.php?action=

5. RFI – Remote File Inclusion

RFI stands for Remote File Inclusion. The main idea behind it is that the given code inserts any given address, albeit local or public, into the supplied include command. The way it works is that when a website is written in PHP, there is sometimes a bit of inclusion text that directs the given page to another page, file or what you have.

This vulnerability can be exploited using a Web Browser and thus can be very easy to exploit. The vulnerability occurs when a user supplied data without sanitizing is provided to an inclusion type (like, include (), require () etc.)

RFI primarily affects web applications written in the PHP programming language. PHP is a general-purpose server-side scripting language originally designed for Web development to produce dynamic Web pages. It is among one of the first developed server-side scripting languages to be embedded into an HTML source document, rather than calling an external file to process data. Ultimately, the code is interpreted by a Web server with a PHP processor module which generates the resulting Web page.

Let’s suppose the programmer modifies the basic example mentioned above, in order to load the variable values from dynamic source that is controlled by the application user through the “file” HTTP parameter. test.php

<?php
echo “A $color $fruit”;
include $_REQUEST[‘file’];
echo “A $color $fruit”;
?>

6. XXE – XML External Entity

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.

This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Accessing a local resource that may not return

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo
[ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]>
<foo>&xxe;</foo>

Remote Code Execution

If fortune is on our side, and the PHP “expect” module is loaded, we can get RCE. Let’s modify the payload

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo
[<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<creds>
<user>`&xxe;`</user>
<pass>`mypass`</pass>
</creds>

7. XSPA – Cross Site Port Attack

Cross Site Port Attack is an abbreviation of XSPA. In this attack an application processes user supplied URLs and does not verify or sanitize the back end response received from remote servers before sending it back to the client.

An attacker can send crafted queries to a vulnerable web application to proxy attacks to external Internet facing servers, intranet devices and the web server itself. The responses, in certain cases, can be studied to identify service availability like open ports , banner versions etc. and even fetch data from remote services in an unconventional ways.

8. SQLi – SQL Injection

SQL Injection is an attack technique used to exploit applications that construct SQL statements from user-supplied input. When successful, the attacker can change the logic of SQL statements executed against the database.

This is a critical vulnerability to have on a web application and should be addressed immediately. All user-controllable data should be validated before any queries are performed on the database and use Prepared Statements (Parameterized Queries).

You may also read:

9. IDOR – Insecure Direct Object References

Insecure Direct Object References (IDOR) occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.

Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more.

This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.

Example: http://example . com/page?id=123

10. RCE – Remote Code Execution

Remote code execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining full control over a compromised machine.

RCE vulnerabilities are some of the most dangerous and high-impact vulnerabilities in existence. Many major cyberattacks have been enabled by RCE vulnerabilities, including: Log4j, Eternalblue etc.

11. SSRF – Server Side Request Forgery

A Server-Side Request Forgery (SSRF) attack involves an attacker abusing server functionality to access or modify resources. The attacker targets an application that supports data imports from URLs or allows them to read data from URLs.

One of the most prevalent examples of an SSRF attack is gaining access to Amazon EC2 instance credentials. The level of damage that can be caused by the attacker depends on the level of access given to the IAM role. The higher the privileges of the role, the bigger the breach.

12. SSI – Server Side Inclusion

Server-side includes (SSI) are a mechanism for employing the web server to perform tasks like displaying files as part of other files or displaying information like the URL of web pages or dates and times dynamically.

Any files that contain SSI directives will need to carry the extension .shtml. Shtml files are normal html documents. The web server only parses files with the extension .shtml for SSI directives. This means that if files ending in .html or .htm contain SSI directives, these directives will not be displayed.

13. XSSI – Cross Site Script Inclusion

XSSI designates a kind of vulnerability which exploits the fact that, when a resource is included using the script tag, the SOP doesn’t apply, because scripts have to be able to be included cross-domain.

An attacker can thus read everything that was included using the script tag.

Cross Site Script Inclusion (XSSI) vulnerability allows sensitive data leakage across-origin or cross-domain boundaries. Sensitive data could include authentication-related data (login states, cookies, auth tokens, session IDs, etc.) or user’s personal or sensitive personal data (email addresses, phone numbers, credit card details, social security numbers, etc.).

XSSI is a client-side attack similar to Cross Site Request Forgery (CSRF) but has a different purpose. Where CSRF uses the authenticated user context to execute certain state-changing actions inside a victim’s page (e.g. transfer money to the attacker’s account, modify privileges, reset password, etc.), XSSI instead uses JavaScript on the client side to leak sensitive data from authenticated sessions.

14. XSLT-SSI – Extensible Stylesheet Language Transformations Server Side Injection

XSLT-SSI, or Extensible Stylesheet Language Transformations Server Side Injection, is a technique used to inject malicious code into web pages using server-side XSLT (Extensible Stylesheet Language Transformations). XSLT is a programming language used to transform XML documents into other formats, such as HTML or XML.

XSLT-SSI attacks involve injecting malicious code into web pages by modifying the XSLT stylesheets that are used to transform the pages. This can allow attackers to gain access to sensitive information, such as login credentials or financial data, or to take control of the affected web server.

To protect against XSLT-SSI attacks, it is important to secure web servers and to use proper input validation and sanitization when processing user-submitted data. It is also important to keep web server software and XSLT libraries up to date with the latest security patches.

15. SSTI – Server Side Template Injection

Server Side Template Injection (SSTI) is a type of web vulnerability that occurs when user-supplied input is not properly sanitized before being passed to a web application’s template engine. Template engines are used to generate dynamic web pages by combining templates with data from a server.

SSTI attacks allow attackers to inject malicious code into web pages by manipulating the data that is passed to the template engine. This can allow attackers to gain access to sensitive information, such as login credentials or financial data, or to take control of the affected web server.

16. CSWSH – Cross Site WebSocket Hijacking

Cross Site WebSocket Hijacking (CSWSH) is a type of web vulnerability that occurs when an attacker is able to gain access to a victim’s WebSocket connection. WebSocket is a protocol that allows for real-time communication between a web browser and a server.

CSWSH attacks involve manipulating the WebSocket connection between a client and a server in order to gain unauthorized access to sensitive information or to take control of the server. These attacks can be carried out by manipulating the WebSocket handshake process, or by injecting malicious data into the WebSocket connection.

17. CSTI – Client Side Template Injection

Client Side Template Injection (CSTI) is a type of web vulnerability that occurs when user-supplied input is not properly sanitized before being passed to a client-side template engine. Client-side template engines are used to generate dynamic web pages by combining templates with data from a client, such as a web browser.

CSTI attacks allow attackers to inject malicious code into web pages by manipulating the data that is passed to the template engine. This can allow attackers to gain access to sensitive information, such as login credentials or financial data, or to take control of the affected client.

Leave a Reply