Client and Server Applications
Security Overview
Mohamed Sayed Mahmoud
Mobility team leader and info. security specialist
Eng.mohamed8860@gmail.com
Contents
1 Introduction .... 3
1.1 Purpose of this document .... 3
2 Application Architecture .... 4
3 Types of attacks .... 5
3.1 Traffic interception .... 5
3.2 Authentication attack .... 5
3.2.1 Authentication bypass .... 5
3.2.2 Brute force attack .... 6
3.2.3 Insecure credentials .... 6
3.3 Authorization attack .... 7
3.3.1 Authorization bypass .... 7
3.3.2 Attack on confidentiality .... 7
3.3.3 Attack on Integrity .... 7
3.4 Session Management Attacks .... 7
3.4.1 Session hijacking .... 7
3.4.2 Session fixation .... 7
3.4.3 CSRF .... 7
Client and Server Applications Security Overview
By : Mohamed Sayed Mahmoud
Page 2 of 9
3.5 Reverse Engineering .... 7
4 Conclusion .... 8
5 References .... 9
Client and Server Applications Security Overview
By : Mohamed Sayed Mahmoud
Page 3 of 9
1 Introduction
1.1 Purpose of this document
This document has the limited objective of helping to build secure mobile and cloud-based web applications by describing the main types of attacks on them.
Nowadays web applications are being adapted for mobile screens, either through web browsers or through front-end mobile applications on different platforms and operating systems such as Android, BlackBerry, iOS and Windows Phone.
Attackers may use these interfaces to gain unauthorized access to the application's logic and business data.
This paper focuses on some common attacks on mobile and web applications that application developers should know about in order to defend their applications throughout the SDLC.
2 Application Architecture
This document uses the most common scenario for a mobile/web application architecture: a mobile application communicating with a remote web service over the Internet.
Figure 1: Application architecture (mobile application, Internet connection, remote web service)
3 Types of attacks
3.1 Traffic interception
An attacker monitors data streams to or from a target in order to understand how the application works, gather sensitive information, or find entry points for further attacks. This usually involves sniffing network traffic, but may include observing other types of data streams. Sniffing, or eavesdropping, is the act of monitoring traffic on the network for data such as plaintext passwords or configuration information. With a simple packet sniffer, an attacker can read all plaintext traffic.
To do this, the attacker places an intercepting HTTP proxy such as Burp Suite or OWASP ZAP between the front-end application and the back end and routes the traffic through it.
Figure 2: Using a proxy to intercept requests between mobile application and server (mobile application, Internet connection, proxy, server)
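The defensive counterpart to the interception scenario above, added here as an example that is not part of the original paper: a Python client that, on top of normal certificate chain and hostname validation, only accepts the back-end certificates it was shipped with (certificate pinning). An intercepting proxy that terminates TLS and re-signs the connection with its own CA presents a different leaf certificate, so the pin check fails and no request is sent. The pin values, the `PINNED_CERT_SHA256` set and the `connect_pinned` helper are assumptions for illustration, not an API from any library the paper names.

```python
import hashlib
import socket
import ssl

# Constructed placeholder pins: SHA-256 fingerprints (lower-case hex) of the
# DER-encoded server certificates the client trusts. A real client ships the
# current and the next certificate's fingerprint so rotation does not lock
# users out.
PINNED_CERT_SHA256 = {
    "<fingerprint-of-current-backend-cert>",
    "<fingerprint-of-next-backend-cert>",
}


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()


def cert_matches_pin(der_cert: bytes, pins: set) -> bool:
    """True only if the presented leaf certificate is one of the pinned ones.
    A proxy that terminates TLS and re-signs with its own CA presents a
    different leaf, so its fingerprint is not in the set."""
    return cert_fingerprint(der_cert) in pins


def build_client_context() -> ssl.SSLContext:
    """TLS context that refuses unverified chains, wrong hostnames and
    protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Sanity check before use: hostname check on and certificate required.
    Guards against a later 'debugging' change that disables verification."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def connect_pinned(host: str, port: int, pins: set, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and enforce the pin on top of chain validation.

    Raises ssl.SSLError when chain or hostname validation fails, and
    ValueError when the leaf certificate is not pinned, which is the signal
    that something other than the real back end terminated the connection.
    """
    ctx = build_client_context()
    if not context_is_strict(ctx):
        raise RuntimeError("TLS context lost its verification settings")
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if not cert_matches_pin(der, pins):
        tls.close()
        raise ValueError("server certificate does not match any pin; refusing to send data")
    return tls
```

Pinning the whole certificate, as here, is the simplest form and forces a client update when the certificate is renewed; pinning the public key instead survives renewals that keep the key, but needs an ASN.1 parser, which is why this example sticks to the certificate fingerprint.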
3.2 Authentication attack
Authentication plays a critical role in the security of any application. When a user provides a user name and password to prove their identity, the application grants that user specific privileges in the system based on the identity established by the supplied credentials.
An attacker will try to find a vulnerability or weakness in the authentication mechanism; below are some ways of breaking it.
3.2.1 Authentication bypass
An attacker may be able to bypass authentication if the authentication mechanism relies on a flag in the front-end application that indicates whether the client is logged in.
The attacker can then intercept the login request and change the authentication flag parameter to bypass authentication.
3.2.2 Brute force attack
An attacker may observe the responses from the remote back end to tell valid user names from invalid ones and then guess the password for a valid user name, or vice versa.
Brute force attacks work by generating every possible combination that could make up a password and testing each one to see if it is correct. As the password's length increases, the average time needed to find the correct password grows exponentially. This means short passwords can usually be discovered quickly, whereas longer passwords may take decades.
3.2.3 Insecure credentials
An attacker may discover insecurely stored credentials, such as a plaintext user name and password in configuration files or hardcoded in the application source code, in many ways, for example by reverse engineering the application or by exploiting a SQL injection vulnerability in the remote server's database.
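The back-end side of sections 3.2.2 and 3.2.3 together, as an added example that is not code from the paper: credentials are stored only as a random salt plus a PBKDF2 hash (so a leaked configuration file or database dump does not yield passwords), the login response is the same text for an unknown user, a wrong password and a locked account (so the response cannot be used to confirm user names), the comparison is constant-time, and an account is locked temporarily after repeated failures. The in-memory `USERS` store, the parameter values and the `now` argument (there so the lockout can be exercised deterministically) are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# PBKDF2_ITERATIONS is deliberately high so that each guess against a
# stolen hash costs real CPU time; tune it to the server's budget.
PBKDF2_ITERATIONS = 600_000
MAX_FAILURES = 5              # failed attempts before a temporary lock
LOCKOUT_SECONDS = 300
GENERIC_ERROR = "invalid username or password"

# Constructed in-memory user store standing in for the back-end database.
# Only a random salt and a PBKDF2 hash are kept, never the password itself.
USERS = {}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {
        "salt": salt,
        "hash": hash_password(password, salt),
        "failures": 0,
        "locked_until": 0.0,
    }


def authenticate(username: str, password: str, now=None):
    """Return (success, message). The message is identical for an unknown
    user, a wrong password and a locked account, so the response does not
    tell a guesser which user names exist."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        # Spend the same work as a real check so timing does not leak
        # whether the user name exists.
        hash_password(password, b"\x00" * 16)
        return False, GENERIC_ERROR
    if now < user["locked_until"]:
        return False, GENERIC_ERROR
    candidate = hash_password(password, user["salt"])
    if hmac.compare_digest(candidate, user["hash"]):
        user["failures"] = 0
        return True, "ok"
    user["failures"] += 1
    if user["failures"] >= MAX_FAILURES:
        # Temporary lock: bounds the number of guesses per unit of time.
        user["locked_until"] = now + LOCKOUT_SECONDS
        user["failures"] = 0
    return False, GENERIC_ERROR


def is_locked(username: str, now=None) -> bool:
    now = time.time() if now is None else now
    user = USERS.get(username)
    return user is not None and now < user["locked_until"]
```

The lockout counter is per account; a real service also throttles per source address and logs the lock events, since a burst of locked accounts is the detection signal for a password-guessing campaign.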
3.3 Authorization attack
3.3.1 Authorization bypass
An attacker may check whether the client sends a flag identifying its privilege level, such as admin or super user. If it does, the attacker can change that flag and obtain higher privileges than intended.
3.3.2 Attack on confidentiality
Confidentiality of information means protecting the information from disclosure to unauthorized parties. An attacker may intercept a request initiated by the front-end application and change some of its parameters to gain access to an asset or resource they are not authorized to see.
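Sections 3.2.1, 3.3.1 and 3.3.2 all come down to the same mistake: the back end lets client-supplied parameters decide who the caller is, what role they have, or which records they may read. The following added example (not code from the paper) shows a request handler that trusts those flags beside one that derives identity and role from a server-side session and checks resource ownership on the server. The request model, the `SESSIONS`, `ROLES` and `ACCOUNTS` dictionaries and the handler names are assumptions for illustration.

```python
import secrets

# Constructed server-side state; a real back end keeps sessions in a session
# store and accounts in a database. Nothing here is taken from the client.
SESSIONS = {}   # session id -> {"user": ..., "role": ...}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}
ACCOUNTS = {
    "acc-1001": {"owner": "alice", "balance": 250},
    "acc-2002": {"owner": "bob", "balance": 900},
}


def login(username: str) -> str:
    """Issue a server-side session once credentials have been verified
    (the credential check itself is outside this example)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "role": ROLES[username]}
    return sid


# A request is modelled as a dict with the parameters the client sent and
# the cookies the browser or app attached.
def get_account_vulnerable(request: dict):
    """Trusts client-supplied flags: 'logged_in' decides authentication and
    'role'/'user' decide authorization. Anyone who can edit the request
    (for example through an intercepting proxy) can set all three."""
    p = request["params"]
    if p.get("logged_in") != "true":
        return 401, "login required"
    account = ACCOUNTS.get(p.get("account"))
    if account is None:
        return 404, "not found"
    if p.get("role") == "admin" or p.get("user") == account["owner"]:
        return 200, account
    return 403, "forbidden"


def get_account_hardened(request: dict):
    """Derives identity and role from the server-side session only, and
    checks ownership of the requested resource on the server."""
    session = SESSIONS.get(request.get("cookies", {}).get("sid"))
    if session is None:
        return 401, "login required"            # no client flag is consulted
    account = ACCOUNTS.get(request["params"].get("account"))
    if account is None:
        return 404, "not found"
    if session["role"] != "admin" and account["owner"] != session["user"]:
        return 403, "forbidden"                 # ownership check defeats parameter tampering
    return 200, account
```

Note that the hardened handler ignores `role`, `user` and `logged_in` entirely if a client still sends them; the only client input it acts on is the account identifier, and that is checked against server-side ownership before anything is returned.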
3.3.3 Attack on Integrity
Integrity of information refers to protecting information from being modified by unauthorized parties. Information only has value if it is correct; information that has been tampered with can prove costly.
3.4 Session Management Attacks
3.4.1 Session hijacking
The attacker reuses the active session of a victim and spoofs the victim's identity, obtaining the session ID by sniffing traffic, by predicting it, by injecting an XSS script that reads the session cookies, or by stealing cookies from the browser cache.
3.4.2 Session fixation
An attacker may obtain an inactive session ID and deceive the victim into activating it.
3.4.3 CSRF
A cross-site request forgery attack forces a logged-on victim's browser to send HTTP requests that include the victim's session cookies.
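The three session attacks in section 3.4 are addressed by the same small set of server-side habits, shown in the following added example (not code from the paper): session IDs come from the OS random generator so they cannot be predicted, the ID is rotated at login so an ID planted before authentication (fixation) never becomes an authenticated session, idle sessions expire and logout destroys the session on the server, the cookie carries HttpOnly/Secure/SameSite so scripts and plaintext links cannot leak it, and each state-changing request must carry an anti-CSRF token that is an HMAC of the session ID under a server secret. The `SessionStore` class, `CSRF_KEY` and the timeout value are assumptions for illustration; the `now` argument exists so the timeout can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
import time

SESSION_IDLE_SECONDS = 15 * 60
# Constructed server-side key for binding CSRF tokens to sessions; a real
# service loads it from a secret store and rotates it.
CSRF_KEY = secrets.token_bytes(32)


class SessionStore:
    """In-memory session store standing in for the back end's session table."""

    def __init__(self):
        self._sessions = {}

    def create(self, user=None, now=None):
        """Fresh id from the OS CSPRNG: 256 random bits cannot be predicted
        or enumerated, which is the defence against session prediction."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def login(self, presented_sid, user, now=None):
        """Rotate the id at authentication. Whatever id the client presented
        before login (possibly planted by an attacker, i.e. session fixation)
        is destroyed and never becomes an authenticated session."""
        self._sessions.pop(presented_sid, None)
        return self.create(user, now)

    def lookup(self, sid, now=None):
        """Return the session, or None if it is unknown or idle too long."""
        now = time.time() if now is None else now
        session = self._sessions.get(sid)
        if session is None:
            return None
        if now - session["last_seen"] > SESSION_IDLE_SECONDS:
            self._sessions.pop(sid, None)       # idle timeout: stolen ids age out
            return None
        session["last_seen"] = now
        return session

    def logout(self, sid):
        """Invalidate on the server; clearing the cookie alone is not enough."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Cookie attributes that limit how a session id can be stolen: HttpOnly
    hides it from script (XSS), Secure keeps it off plaintext connections
    (sniffing), SameSite stops most cross-site request forgery."""
    return f"sid={sid}; HttpOnly; Secure; SameSite=Strict; Path=/"


def csrf_token(sid):
    """Anti-CSRF token bound to the session: HMAC(key, session id). A page
    on another site can make the victim's browser send the cookie, but can
    read neither the cookie nor the key, so it cannot produce this value."""
    return hmac.new(CSRF_KEY, sid.encode("utf-8"), hashlib.sha256).hexdigest()


def csrf_valid(sid, token):
    """Constant-time check of the token a request carries against its session."""
    return hmac.compare_digest(csrf_token(sid), token or "")
```

The token is delivered to the legitimate front end in the page body or an API response and sent back in the request body or a header; because it is derived from the session ID rather than stored, the server does not need a second table to validate it.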
3.5 Reverse Engineering
Reverse engineering lets the attacker learn how the application logic works and helps them disclose sensitive information such as encryption keys or hardcoded credentials, if present.
4 Conclusion
Several measures can counter the attacks discussed in this paper:
 Back-end web services should treat clients' requests as untrusted, since traffic is not always sent by the trusted front-end application.
 The back end should apply an AAA mechanism (Authentication, Authorization and Accountability) to each request.
 A trusted, secure connection should be established between the front end and the web application.
 During development, application developers should assume that any logic can be compromised by an attacker, to avoid logic attacks.
 Session IDs should be unpredictable, and traffic carrying a session ID should be encrypted.
 Session IDs should be invalidated on logout, and sessions should time out.
 Each HTTP request should carry an unpredictable token, in the body or URL, linked to the session ID.
 Developers should obfuscate their source code to make reverse engineering harder.
 Developers should handle errors and exceptions so that error output does not reveal application logic.
 Developers should validate the data in each request to prevent SQL injection, directory traversal, XSS and similar attacks.
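The last recommendation, validating request data against SQL injection and directory traversal, is easiest to see as code. The following added example (not code from the paper) puts a query built by string concatenation beside its parameterized form, run against a constructed in-memory SQLite table, and shows a path check that canonicalizes a requested file name before confirming it stays under the download directory. The table contents, the `/srv/app/files` base directory and the function names are assumptions for illustration.

```python
import os
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the back-end store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn


def find_user_vulnerable(conn, name):
    """String concatenation lets the input become part of the SQL grammar:
    a value such as  x' OR '1'='1  turns the filter into a tautology and
    returns every row."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def find_user_safe(conn, name):
    """Parameter binding keeps the input as data; the same value matches
    nothing because no user is literally called  x' OR '1'='1 ."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,)).fetchall()]


def resolve_download_path(base_dir, requested):
    """Return the absolute path of a requested file if it stays under
    base_dir, otherwise None. realpath collapses '..' segments and symlinks
    before the check, so 'reports/../../etc/passwd' cannot escape, and an
    absolute 'requested' value is rejected because join() discards base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None
    return target
```

The two defences are of the same kind: decide on the server what the input is allowed to mean (a literal value, a file inside one directory) and enforce that after canonicalization, instead of trying to blacklist the characters an attacker might send.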
5 References
1-LinkedIn profile: https://eg.linkedin.com/in/mohamedsayed1
2-OWASP Top 10 Mobile Controls: https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Controls
3-Burp Suite: https://portswigger.net/burp/download.html
4-OWASP ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
5-XSS: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
6-Directory traversal: https://www.owasp.org/index.php/Path_Traversal
7-OWASP Secure Coding: https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
