Web Application Security Testing - Part 4
Article Posted On Date : Friday, February 05, 2010

This article is the fourth in our series on web application security testing. The first three articles built the foundation: the differences between a web application and a client-server application, why gathering data about the application matters, and the popular attacks SQL injection, cross-site scripting and directory traversal.

In this part we will explore how a server can be attacked by exploiting the known limitations of the language in which it is implemented. Broadly, we will cover buffer overflows, canonicalization and NULL-string related attacks.

Buffer Overflow

Buffer overflow is probably one of the oldest and most notorious attacks; the vulnerability has been around for more than three decades. In the simplest terms, a buffer overflow is the result of stuffing more data into a buffer than it can hold. It typically appears where the program processing the input fails to check the size of the data it is handling.

How can this affect the security of the system? When the input is larger than the space allocated for it, it overflows into neighbouring memory locations on the execution stack and overwrites the data stored there. In most cases the application then crashes, because it cannot continue with a corrupted execution stack.

The vulnerability becomes truly dangerous when the overflowing input reaches memory that is used to choose which instruction executes next. With carefully crafted data, the input itself becomes instructions to the computer: it changes the execution sequence of the machine and allows an attacker to run arbitrary code on the web server. Worms such as CodeRed, Nimda and Slammer exploited this most notoriously. If you want to dig deeper into the topic, you will find the paper Smashing the Stack for Fun and Profit very interesting.

Testing for this attack is straightforward: supply input much larger than your program is designed to handle. Do not rely on client-side validation alone; submit the large input while bypassing the client-side checks and confirm that the server-side code handles it as well. If your web application or its environment is not secured against this attack, the test can crash your web server or even the operating system. A tool such as SPIKE Proxy can automate buffer overflow testing of a web application. When using any tool for this testing, be aware of false positives: because this vulnerability, if present, has very dire consequences, it is important to filter out every false positive the tool reports.

Protecting your application against this attack is also straightforward. Either determine the size of the incoming data and allocate memory accordingly, or terminate the input at a sensible size and ignore everything beyond it.
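The two remedies just described, written out as an added example in C (this is not code from the article): an unchecked copy for contrast, a bounded copy that truncates at a fixed size and reports that it did so, and a copy that measures the data first and allocates to fit under a limit. The buffer size, limit and the oversized parameter are constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

#define NAME_MAX 16   /* constructed size of the server-side buffer for a request parameter */

/* "Before": the pattern the article warns about. Nothing checks that src fits in dst,
 * so a parameter longer than dst overruns it into neighbouring stack memory (corrupting
 * saved data and, in the worst case, the address of the next instruction). Kept here
 * only for contrast; it is never called below. */
void unchecked_copy(char *dst, const char *src) {
    strcpy(dst, src);   /* writes strlen(src) + 1 bytes regardless of dst's size */
}

/* "After", the article's second remedy: terminate the input at a sensible size and
 * ignore the rest. Always NUL-terminates; reports whether data was discarded so the
 * caller can log the oversized request or reject it outright. */
bool bounded_copy(char *dst, size_t dstsize, const char *src) {
    size_t n = strlen(src);
    bool truncated = n >= dstsize;
    if (truncated) n = dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* "After", the article's first remedy: measure the data first and allocate exactly
 * what it needs, still under an upper limit so a huge request cannot exhaust memory.
 * Returns a heap copy the caller frees, or NULL when the limit is exceeded. */
char *sized_copy(const char *src, size_t limit) {
    size_t n = strlen(src);
    if (n > limit) return NULL;
    char *buf = malloc(n + 1);
    if (buf) memcpy(buf, src, n + 1);
    return buf;
}

int main(void) {
    /* constructed oversized parameter, the kind submitted directly to the server past client-side checks */
    const char *big = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 bytes, twice NAME_MAX */
    char name[NAME_MAX];
    if (bounded_copy(name, sizeof name, big))
        printf("truncated to %zu bytes: \"%s\"\n", strlen(name), name);
    char *exact = sized_copy(big, 64);
    if (exact) { printf("sized copy holds %zu bytes\n", strlen(exact)); free(exact); }
    if (sized_copy(big, NAME_MAX) == NULL) puts("rejected: over the limit");
    return 0;
}
```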

Canonicalization

Before looking at how canonicalization (also known as C14N) can compromise the security of your web application, it is important to understand what the term means. Canonicalization is ensuring that all data is represented in one standard, common form. Without canonicalization, validation can miss important attacks. C14N is needed because certain characters must be encoded when they carry an extended meaning in some context. For example, a white-space character sent by the browser is converted to '+', because white space would otherwise break the sequence of CGI parameters.

Many character sets are in use, such as ASCII, Unicode and UTF-8, and there is a security risk whenever the browser works with one character representation and the server with another. For example, the standard character / is represented as / in HTTP, but it can also be represented as %5c or %c0%af. This vulnerability was exposed in the IIS 4 and 5 web servers, where such encodings could potentially give access to a command prompt and allow any command to be executed on the server. Double encoding, where the characters used in an encoding are themselves encoded again, adds another level of complexity.
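The defensive side of the previous two paragraphs, as an added example in C (not code from the article): decode the request path exactly once into a canonical form, refuse the alternate spellings the article names (%5c, the overlong %c0%af, and double encoding such as %25), and only then validate for ".." segments. The status names and the sample paths are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* Outcome of canonicalizing one request path (names constructed for this example). */
enum c14n_status { C14N_OK, C14N_BAD_ESCAPE, C14N_TOO_LONG, C14N_DOUBLE_ENCODED,
                   C14N_OVERLONG_UTF8, C14N_NUL, C14N_TRAVERSAL };
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Percent-decode src exactly once into dst, reject the alternate spellings of "/" named
 * in the article (%5c backslash, %c0%af overlong UTF-8) and double encoding, and only
 * then look for ".." segments. Checking the raw string for "../" would miss "%2e%2e%5c". */
enum c14n_status canonicalize_path(const char *src, char *dst, size_t dstsize) {
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        unsigned char ch = (unsigned char)src[i];
        if (ch == '%') {
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[i + 2]);
            if (lo < 0) return C14N_BAD_ESCAPE;            /* "%zz" or a truncated escape */
            ch = (unsigned char)(hi * 16 + lo);
            i += 2;
            if (ch == '%') return C14N_DOUBLE_ENCODED;     /* "%252e": a second decode would change meaning */
            if (ch == 0xC0 || ch == 0xC1) return C14N_OVERLONG_UTF8; /* never valid UTF-8 lead bytes */
            if (ch == '\0') return C14N_NUL;               /* "%00" would truncate C strings downstream */
        }
        if (ch == '\\') ch = '/';                          /* backslash is a separator on some servers */
        if (o + 1 >= dstsize) return C14N_TOO_LONG;        /* bounded write: dst can never overflow */
        dst[o++] = (char)ch;
    }
    dst[o] = '\0';
    for (const char *p = dst;;) {                          /* reject any ".." path segment */
        const char *q = strchr(p, '/');
        size_t len = q ? (size_t)(q - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') return C14N_TRAVERSAL;
        if (!q) return C14N_OK;
        p = q + 1;
    }
}
int main(void) {   /* constructed request paths using the encodings the article lists */
    const char *paths[] = { "/docs/a%20b.txt", "/docs/..%5c..%5csecret.txt", "/%c0%af..", "/docs/%252e%252e/x" };
    char out[64];
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-28s -> %s\n", paths[i], canonicalize_path(paths[i], out, sizeof out) == C14N_OK ? out : "rejected");
    return 0;
}
```

The '+' for white space that the article mentions applies to query-string parameters, not to the path, so this routine leaves '+' untouched.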

Along with canonicalization, vulnerabilities related to NULL strings can also leave major security loopholes in your web application if they go undetected. A NULL string can also be represented by
Copyright © 2001-2009 VYOMS.com. All Rights Reserved.