Please use this identifier to cite or link to this item:
https://hdl.handle.net/10356/59986
Title: | Web vulnerabilities and countermeasures |
Authors: | Chen, Tiffany Yuhui |
Keywords: | DRNTU::Engineering::Computer science and engineering |
Issue Date: | 2014 |
Abstract: | This study investigates the top three OWASP web application security flaws and explores the cyber-attacks that result from them. Cyber-attacks such as session sniffing, session hijacking, SQL injection and cross-site scripting are studied and demonstrated on a vulnerable site created by the author. The top three security flaws are SQL injection, broken authentication and session management, and cross-site scripting. Methods of prevention and detection of these flaws will also be discussed. These flaws will be present in the vulnerable site to demonstrate the aforementioned cyber-attacks. The author will assume two roles in this experiment, an attacker role and a victim role. The author will follow the appropriate steps that an attacker would undertake to explore and exploit web application vulnerabilities. This is done by first testing to see if the web application has the vulnerabilities present, before attacking the web application. The attacks will take place on the vulnerable site. The attacker will use a Mozilla Firefox browser hosted on a virtual machine, Oracle VirtualBox. The attacker site, which belongs to the attacker, will also be used to keep a log of the sensitive data the attacker has acquired. Recommendations on how the implementation of the vulnerable site could be improved are also discussed. As there is always a trade-off between performance and security in web applications, it is always best to study and understand the basic requirements of the web application before developing it. |
URI: | http://hdl.handle.net/10356/59986 |
Schools: | School of Computer Engineering |
Research Centres: | Forensics and Security Lab |
Rights: | Nanyang Technological University |
Fulltext Permission: | restricted |
Fulltext Availability: | With Fulltext |
Appears in Collections: | SCSE Student Reports (FYP/IA/PA/PI) |
Files in This Item:
File | Description | Size | Format | |
---|---|---|---|---|
FYP Report.pdf Restricted Access | Web Vulnerabilities and Countermeasures | 1.17 MB | Adobe PDF | View/Open |
Items in DR-NTU are protected by copyright, with all rights reserved, unless otherwise indicated.