Wednesday, August 19, 2009

Lab 18th August 2009 (continued)

Lab 5 was continued after Mr. Zaki finished Lab 4. In Lab 5, Mr. Zaki briefly explained web application security. What is a web application? In software engineering, a web application (or webapp) is an application that is accessed via a web browser over a network such as the Internet or an intranet. Web applications are popular because of the ubiquity of web browsers and the convenience of using a web browser as a client. The ability to update and maintain web applications without distributing and installing software on potentially thousands of client computers is a key reason for their popularity. As the use of web applications increases, so does the number of security incidents involving them. The Open Web Application Security Project (OWASP) is an open community that focuses on improving the security of application software.

The OWASP Top 10 for 2007 lists the ten most critical web application vulnerabilities: cross site scripting, injection flaws, malicious file execution, insecure direct object reference, cross site request forgery, information leakage and improper error handling, broken authentication and session management, insecure cryptographic storage, insecure communications, and failure to restrict URL access. In Lab 5, however, we only studied 3 of these vulnerabilities. We performed real attacks against web applications using WebGoat and WebScarab in this lab exercise.

Web application security is difficult to learn and practice. Not many people have full-blown web applications like online bookstores or online banks that can be used to scan for vulnerabilities. WebGoat, therefore, is a deliberately insecure J2EE web application maintained by OWASP and designed to teach web application security lessons. The other tool required for the exploitation exercises is WebScarab, a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab can intercept both HTTP and HTTPS communication, and the operator can also review the conversations (requests and responses) that have passed through it.
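To make the intercepting-proxy idea concrete, here is an added example (my own code, not part of the lab and not WebScarab itself) that models what the proxy sees and can edit on the way to the server, and the server-side check that makes such an edit harmless. The checkout endpoint, form field names and catalogue price are all constructed for the illustration; the lesson is that anything the browser sends, including a price a page put into a form field, can be changed in transit, so the server must recompute it from its own data.

```python
# Added example, not part of the lab or of WebScarab itself: a minimal model of
# what an intercepting proxy sees and can change on the way to the server, and
# the server-side check that keeps such a change harmless. The endpoint, field
# names and catalogue price are constructed for this illustration.
from urllib.parse import parse_qsl, urlencode


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, version, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def serialize_request(req: dict) -> bytes:
    """Rebuild the raw request, recomputing Content-Length for the (possibly edited) body."""
    headers = dict(req["headers"])
    if req["body"] or "content-length" in headers:
        headers["content-length"] = str(len(req["body"]))
    head = f'{req["method"]} {req["path"]} {req["version"]}\r\n'
    head += "".join(f"{name}: {value}\r\n" for name, value in headers.items())
    return head.encode("iso-8859-1") + b"\r\n" + req["body"]


def set_form_field(body: bytes, name: str, value: str) -> bytes:
    """Replace one field of an application/x-www-form-urlencoded body (the edit a proxy operator makes)."""
    fields = dict(parse_qsl(body.decode("iso-8859-1")))
    fields[name] = value
    return urlencode(fields).encode("iso-8859-1")


# Server side. The catalogue is the only trustworthy source of prices.
CATALOG = {"book-101": 45.00}  # constructed


def insecure_checkout(body: bytes) -> float:
    """Trusts the price field the browser sent, so an edited request changes the total."""
    fields = dict(parse_qsl(body.decode("iso-8859-1")))
    return float(fields["price"]) * int(fields["qty"])


def secure_checkout(body: bytes) -> float:
    """Ignores any client-supplied price and recomputes the total from the catalogue."""
    fields = dict(parse_qsl(body.decode("iso-8859-1")))
    return CATALOG[fields["item"]] * int(fields["qty"])


# Constructed request, as the browser would have sent it.
ORIGINAL = (b"POST /checkout HTTP/1.1\r\n"
            b"Host: shop.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 31\r\n"
            b"\r\n"
            b"item=book-101&price=45.00&qty=2")


def tamper_and_compare() -> dict:
    """Edit the request the way a proxy operator could, then run both checkout handlers on it."""
    req = parse_request(ORIGINAL)
    req["body"] = set_form_field(req["body"], "price", "1.00")
    edited = parse_request(serialize_request(req))  # what the server actually receives
    return {"insecure_total": insecure_checkout(edited["body"]),
            "secure_total": secure_checkout(edited["body"]),
            "content_length": int(edited["headers"]["content-length"])}


if __name__ == "__main__":
    print(tamper_and_compare())
```

Running the block shows the insecure handler charging the edited price while the hardened handler, which only reads the item id and quantity from the request, still produces the catalogue total. The same reasoning applies to hidden fields, cookies and JavaScript-side validation: none of them survive an intercepting proxy, so the server has to validate on its own.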

At the end of Lab 5, I had learned how to exploit web application vulnerabilities. Besides that, I can also list the prevention methods that can be taken to overcome them.
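As an added example for two of the OWASP Top 10 2007 classes listed above (injection flaws and cross site scripting) and for the prevention methods mentioned here, the following is my own code, not from the lab or from WebGoat: each vulnerable function sits next to its hardened form, using a parameterised query for the injection case and output encoding for the scripting case. The in-memory users table and the sample inputs are constructed for the illustration.

```python
# Added example, not from the lab or from WebGoat: two OWASP Top 10 2007
# classes (injection flaws and cross site scripting) shown as a vulnerable
# function next to its hardened form. The users table and the sample inputs
# are constructed for this illustration.
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Injection flaw: the name is spliced into the SQL text, so quotes inside it change the query."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Prevention: a parameterised query keeps the value out of the SQL grammar entirely."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def render_comment_vulnerable(comment: str) -> str:
    """Cross site scripting: untrusted text is placed into HTML unchanged."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_hardened(comment: str) -> str:
    """Prevention: output encoding turns <, >, & and quotes into entities so text cannot become markup."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def demo() -> dict:
    """Run both pairs on a normal input and on inputs containing SQL and HTML metacharacters."""
    conn = make_db()
    odd_name = "' OR '1'='1"            # constructed: breaks out of the quoted literal
    odd_comment = '<b>hi</b> & "bye"'   # constructed: contains HTML metacharacters
    return {
        "vuln_rows": len(find_user_vulnerable(conn, odd_name)),  # returns the whole table
        "safe_rows": len(find_user_hardened(conn, odd_name)),    # no user has that name
        "alice": find_user_hardened(conn, "alice"),
        "vuln_html": render_comment_vulnerable(odd_comment),
        "safe_html": render_comment_hardened(odd_comment),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The two hardened functions share one principle: keep data and code apart. The parameterised query hands the value to the database driver separately from the statement, and the escaped output hands the browser text that can only ever be displayed, which is the prevention method behind both of these OWASP categories.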
