
COGNIZANT 20-20 INSIGHTS

A Multidimensional View of Critical Web Application Security Risks: A Novel Attacker-Defender PoV

By assessing specific functional attributes across the application and IT architecture, security and remediation teams can more effectively anticipate and plug vulnerabilities exploited by hackers and other cybercriminals.

Cognizant 20-20 Insights | March 2017



EXECUTIVE SUMMARY

Web applications have evolved to meet a wide range of business requirements. The increasing complexity of these applications significantly enlarges the attack surface of the infrastructure and thus leaves an organization open to potential security threats. User-interactive functionalities such as login, registration and payment, which deal with underlying components such as databases and lightweight directory access protocol (LDAP) repositories, greatly increase the attack surface area and become prime areas of focus for hackers. These functionalities act as entry and exit points to the application and the underlying infrastructure.

Successful penetration through the application layer leads to attacks that may cause remote code execution with web server privileges, unauthorized access to information stored on a web server, website content defacement, deletion of files on the web server and denial of service. Any of these outcomes can damage the organization's reputation. The fundamental security problem with web applications is that all user input must be treated as untrusted; this requires the implementation of a number of security mechanisms to enable applications to defend themselves against attack. Figure 1 (below) depicts the vulnerability distribution for 2016 across different verticals.

Figure 1: Vulnerability Distribution 2016 Across Key Verticals (bar chart of the share of vulnerabilities per industry vertical, y-axis 0% to 50%). Source: Cognizant (based on 2016 engagement experiences)

This white paper illuminates various defense mechanisms that can be applied to key functionalities of a web application to secure them from being attacked. Based on our project engagements in the year 2016, the vulnerability distribution across the different functionalities is highlighted in Figure 2 (below).

Figure 2: Vulnerability Distribution in Functionalities (bar chart of vulnerability counts, y-axis 0 to 2,000, per year from 2012 to 2016 for Login / Logout, Payment, Search, Registration, File Upload / Download and Privileged User Functionality). Source: Cognizant (based on 2016 engagement experiences)

Our attacker-defender approach considers common functionalities in any web application from an attacker's perspective and then presents the defense techniques to be employed in order to secure the application. The following sections elucidate the attacker and defender approach for different functionalities commonly found in a web application.

LOGIN/LOGOUT

User authenticity has become a necessity in almost every web application and is typically managed through the login and logout functionalities. These functionalities are the front line of defense for an application and are seen in every small to complex web application owned by different industry sectors such as banking, healthcare and retail. Authentication services limit unauthorized users in conjunction with certain other protected features of the application. Authentication functionalities such as login and logout, in our view, are more often subject to design weaknesses than any other security mechanisms employed in web applications. Authentication technologies vary from HTML form-based authentication, multifactor mechanisms such as combining passwords and physical tokens, client secure socket layer (SSL) certificates and smartcards, HTTP basic and digest authentication, and Windows integrated authentication using the NTLM or Kerberos protocols.

Attacker-Defender Approach

To gain a cohesive understanding of application security issues, a slightly modified attack tree can be deployed. The tree represents several possible attacks that are targeted at a specific functionality, along with the corresponding mitigation techniques to hamper the attack. Figure 3 (below) depicts such an attack tree for login/logout functionality, which includes attack methods and attacks that aim to gain user credentials. The tree also lists the remediation methods to defend against the attacks.

Injection

Attacker: Injection flaws such as SQL injection (SQLi), blind SQL injection (bSQLi), NoSQL injection (NoSQLi), HQL injection and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker usually sends simple text-based messages that exploit the syntax of the targeted interpreter. Almost any source of data can be an injection vector, including internal sources.

Defender: The most effective way to prevent injection attacks is to use parameterized queries (prepared statements) for all database access. This two-step method incorporates potentially tainted data into all types of SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. One of the most powerful controls, if done well, is validation of the input that an application receives. It can be as simple as strictly typing a parameter and as complex as using regular expressions or business logic to validate input.

There are two different types of input validation approaches: whitelist validation (inclusion or positive validation) and blacklist validation (exclusion or negative validation).

Phishing Through Frames

Attacker: Phishing is a scenario which involves an e-mail message that asks users to update their personal information with a link to a spoofed website. Frames are a popular method of hiding attack content due to their uniform browser support and easy coding style. The page linked to within the hidden frame can be used to deliver additional content, retrieve confidential information such as session IDs, or do something more elaborate such as executing screen-grabbing and key-logging while the user is exchanging

Attack Tree with Mitigations for Login/Logout Functionality Vulnerabilities

FUNCTIONALITY
Login/Logout Functionality
Gaining User Credentials Information

ATTACK METHODS
Attacks Related to User Interface; Attacks Related to N/W Channel

ATTACKS
Related to the user interface:
- Password replay
- Browser refresh attack
- Click-jacking
- SQL injection
- Getting the username/password value from history (GET method enabled)
- Enabling the browser configuration to get sensitive user data (Autocomplete set=ON)
- Retrieving sensitive data from temp file (HTTPS page enabled the cache/store)
Related to the network channel:
- Sniffing the unencrypted data channel
- Weak SSL ciphers would permit decrypting and intercepting a particular SSL session
- Forgery of the self-signed certificate

MITIGATION
For user-interface attacks:
- Application should redirect to a generic error page.
- Hash the password before the data is sent to the server.
- Embed click-jacking-defensive code in the UI window.
- Whitelist validation should apply to all the user-controlled data.
- Parameterized data is passed to the application.
- Application should not display the detailed error message.
- Username/password should be passed in the POST request.
- Enable the no-cache/no-store flag.
For network-channel attacks:
- Proper SSL certification should be enabled with standard cryptographic algorithms.
- Standard cryptographic algorithms (NIST/local policy) should be used to encrypt the sensitive data.

Figure 3
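The Injection defense above (a parameterized query plus whitelist validation, answering every failure with one generic message as Figure 3 recommends), as an added Python example that is not code from the paper. The in-memory sqlite3 table, the sample account and the hostile input are constructed for the demonstration; unsafe_lookup is kept only to show how concatenated input changes the query structure.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Whitelist (positive) validation: the only characters and length a username may have.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")

# One generic message for every failure, so the response reveals neither whether
# the username exists nor which check failed (Figure 3: no detailed error message).
GENERIC_ERROR = "Invalid username or password."


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the server stores only the salt and this hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_db():
    """Constructed in-memory user table holding a single sample account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", salt, hash_password("correct horse", salt)))
    db.commit()
    return db


def unsafe_lookup(db, username):
    """The vulnerable pattern: query text is assembled from the input, so the
    input can alter the query's structure. Shown only for contrast; do not use."""
    query = "SELECT name FROM users WHERE name = '%s'" % username
    return [row[0] for row in db.execute(query)]


def safe_lookup(db, username):
    """Step one fixes the query structure with a placeholder; step two supplies
    the value, which the driver binds as data rather than as SQL text."""
    rows = db.execute("SELECT name FROM users WHERE name = ?", (username,))
    return [row[0] for row in rows]


def login(db, username, password):
    """Whitelist-validate, look the user up with a parameterized query, then
    compare password hashes in constant time. Returns (authenticated, message)."""
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        return False, GENERIC_ERROR          # fails positive validation
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (username,)).fetchone()
    if row is None:
        return False, GENERIC_ERROR          # unknown user: same message
    salt, stored = row
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return False, GENERIC_ERROR          # wrong password: same message
    return True, "ok"
```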

confidential information over the Internet. Through this attack, an adversary can trick the user into entering the login credentials into a spoofed website and capture the content in a hidden frame.

Defender: There are two defense mechanisms for this attack:

Browser perspective: Browser pop-ups are a common attack technique used by attackers to make it appear that the requests are coming from a victim domain. Disabling pop-ups will make it much more difficult for attackers to take over the user's session without being detected.

Application coding perspective: As attackers use frames to host malicious content, they can discover confidential information in the application. The best practice here is to use a Target directive to create a new window, which will usually break out of an iframe and other JavaScript jails.

PAYMENT

The number of attacks targeting payment card processing systems is on the rise. Storing payment card numbers, card expiration dates, CVV numbers, data from magnetic stripes and other personal data in nonsecure environments puts cardholders at risk. Millions of records with sensitive information have been breached over the years. Storing sensitive data without the proper safeguards exposes businesses to hacking and fraud, and increases the risk of being required to pay thousands of dollars in damages per cardholder in addition to the reputational loss.

Attacker-Defender Approach

The two major attack methods for stealing payment information are UI-related and network-related attacks. Attacks that are executed through the user interface include injection, accessing clipboard data, cross-site scripting, cross-site request forgery (CSRF), etc. Network-related attacks, however, are accomplished over the network channel, e.g., sniffing, decrypting weak ciphers and self-signed SSL certificate forgery.

Cross-Site Scripting

Attacker: Cross-site scripting (XSS) is a type of injection problem in which malicious scripts are injected into a trusted website. XSS flaws occur whenever an application sends untrusted data without validation or encoding to a web browser or stores it on the target servers.

Defender: XSS can be prevented by performing proper input validation and output encoding on both the client and server sides such that the scripts are not executable. Filter out the hazardous characters from the user input into the web application.

CSRF

Attacker: The attacker can force the user to send unintended requests to the application server and perform malicious actions on behalf of the web application user who has already logged into the application.

Defender: Insert custom random tokens into every form and URL that will not be automatically submitted by the browser. Every request should contain a unique identifier,

Attack Tree with Mitigations for Payment-Related Functionality Vulnerabilities

FUNCTIONALITY
Payment Functionality
Gaining Sensitive User Payment Information

ATTACK METHODS
Attacks Related to User Interface; Attacks Related to N/W Channel

ATTACKS
Related to the user interface:
- Cross-site scripting
- SQL injection
- Session-based attacks (session hijacking/session fixation)
- CSRF
- Bypass the nonstandard cryptographic algorithm using known plain text, cipher text attack
- Retrieving sensitive data from temp file (HTTPS page enabled the cache/store)
Related to the network channel:
- Sniffing the unencrypted data channel
- Decrypt the SSL certificate if weak cipher enabled in the application
- Forgery of the self-signed certificate

MITIGATION
For user-interface attacks:
- Whitelist validation should apply to all the user-controlled data.
- Output encoding should apply to the server response.
- Escape the malicious characters.
- Parameterized data passed to the application.
- Application should not display the detailed error message.
- Implement secure session management. Use strong session IDs, protect them in transit and regenerate session identifiers at frequent intervals.
- Session value is properly invalidated at server side.
- Unique token value should be used in each session.
- Pass the unique token value to each request.
- Enable the no-cache/no-store flag.
For network-channel attacks:
- Proper SSL certification should be enabled with standard cryptographic algorithms.
- Standard cryptographic algorithms (NIST/local policy) should be used to encrypt the sensitive data.

Figure 4
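The CSRF token, output encoding and no-cache/no-store mitigations from the Payment section, as an added Python example that is not the paper's code. The session is a plain dictionary standing in for a server-side session store, and the handler, form and field names are this example's assumptions.

```python
import html
import hmac
import secrets

# Headers from the "temp file" defense in this section: the payment page must
# not be cached or stored by the browser or an intermediary.
NO_STORE_HEADERS = {
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}


def issue_csrf_token(session):
    """Mint an unguessable token for one form and record it in the server-side
    session (synchronizer token pattern: one token per rendered request)."""
    token = secrets.token_urlsafe(32)
    session.setdefault("csrf_tokens", set()).add(token)
    return token


def consume_csrf_token(session, submitted):
    """Accept a recorded token once, then discard it; compare in constant time."""
    if not isinstance(submitted, str) or not submitted:
        return False
    for token in list(session.get("csrf_tokens", ())):
        if hmac.compare_digest(token.encode("utf-8"), submitted.encode("utf-8")):
            session["csrf_tokens"].discard(token)
            return True
    return False


def render_payment_form(session):
    """The token rides in a hidden field, which a cross-site request cannot
    supply because the browser never adds it automatically."""
    token = issue_csrf_token(session)
    return ('<form method="POST" action="/pay">'
            f'<input type="hidden" name="csrf_token" value="{html.escape(token)}">'
            '<input name="cardholder"><button>Pay</button></form>')


def render_receipt(cardholder):
    """Output encoding: HTML-escape user data before reflecting it, so '<', '>',
    '&' and quotes are rendered as text instead of becoming markup or script."""
    safe_name = html.escape(cardholder, quote=True)
    return f"<p>Thank you, {safe_name}. Your payment is being processed.</p>"


def handle_payment(session, method, form):
    """Returns (status, headers, body). Sensitive data is accepted only over
    POST, every POST must carry a valid single-use token, and the response body
    is encoded on output."""
    if method != "POST":
        return 405, dict(NO_STORE_HEADERS, Allow="POST"), "Method Not Allowed"
    if not consume_csrf_token(session, form.get("csrf_token")):
        return 403, dict(NO_STORE_HEADERS), "Request rejected: missing or invalid CSRF token."
    return 200, dict(NO_STORE_HEADERS), render_receipt(form.get("cardholder", ""))
```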

which is a parameter that an attacker cannot guess. Do not use GET requests (URLs); instead, use POST when processing sensitive data requests.

Retrieving Sensitive Data from a Temp File

Attacker: It is possible for an attacker to gather sensitive information about the payment application such as usernames, passwords, credit card data, account numbers, machine names and/or sensitive file locations.

Defender: Clear all parameters, sensitive information and input values when the page is being loaded/reloaded, and send the following response headers so that the page is neither cached nor stored:

    Cache-Control: no-cache, no-store, must-revalidate
    Pragma: no-cache
    Expires: 0

Figure 4 (above) depicts an attack tree for payment functionality, comprising attack methods, types of attacks that aim to gain sensitive user payment information and various mitigation techniques.

SEARCH

Search functionality is commonly used in most applications to enable users to discover content

Attack Tree with Mitigations for Search-Functionality-Related Vulnerabilities

FUNCTIONALITY
Search Functionality
Execution of Unintended Payloads

ATTACK METHODS
Attacks Related to User Interface

ATTACKS AND MITIGATION
- XSS: Whitelist validation should apply to all the user-controlled data. Output encoding should apply to the server response. Escape the malicious characters.
- SQL Injection: Whitelist validation should apply to all the user-controlled data. Parameterized data passed to the application. Application should not display the detailed error message.
- HTTP Response Splitting: Sanitize the response header when user input is reflected in the response header.

Figure 5
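Figure 5's mitigation for HTTP response splitting, sanitizing a response header that reflects user input, as an added Python example that is not the paper's code. It assumes a search page that redirects to a results URL carrying the user's term in the Location header; the hostile input values in the checks are constructed.

```python
import re
from urllib.parse import quote, unquote

# Any control character other than TAB is illegal in a header value. CR (0x0d)
# and LF (0x0a) are the dangerous ones: they end the header line or the header
# block, which is what lets reflected input append headers or a second response.
BAD_HEADER_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


class HeaderInjection(ValueError):
    """Raised instead of emitting a header that would split the response."""


def sanitize_header_value(value):
    """Validate user input destined for a response header. The value is
    URL-decoded first, because %0d%0a arrives percent-encoded and many
    frameworks decode parameters before the application sees them."""
    decoded = unquote(value)
    match = BAD_HEADER_CHARS.search(decoded)
    if match:
        raise HeaderInjection(f"control character {match.group()!r} in header value")
    return decoded


def location_for_search(term):
    """Location header for a search redirect: the reflected term is rejected if
    it carries CR/LF, then percent-encoded so that what remains is query-string
    data and not header syntax. The /results path is this example's assumption."""
    clean = sanitize_header_value(term)
    return "/results?q=" + quote(clean, safe="")


def serialize_response(status, headers, body):
    """Last line of defense before the bytes leave: every header name and value
    is re-checked, so exactly one header block can precede the body."""
    lines = [f"HTTP/1.1 {status}"]
    for name, value in headers.items():
        if BAD_HEADER_CHARS.search(name) or ":" in name or BAD_HEADER_CHARS.search(str(value)):
            raise HeaderInjection(f"refusing to emit header {name!r}")
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode("utf-8")


def header_is_safe(value):
    """Convenience predicate: True when sanitize_header_value accepts value."""
    try:
        sanitize_header_value(value)
        return True
    except HeaderInjection:
        return False
```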

contained in a data repository. Search pages are usually constructed with a single form field and a submit button. A search query would display both the matched results and the searched-for text. Attackers often attempt to exploit search functionality behaviors to execute unintended queries or malicious scripts.

Attacker-Defender Approach

HTTP Response Splitting

Attacker: A response splitting attack is possible only if there is a proxy server used by multiple users to connect to various websites. The attacker will be able to modify the request header with a value that splits the response into two responses, separated by %0d%0a (CRLF) code. Immediately after sending the first request, the attacker sends a second request for a valid publicly accessible page on the site/server.

Defender: Use server-side validation and disallow CRLF characters in all requests where user input is reflected in the response header.

Figure 5 (above) depicts an attack tree for search functionality attacks that aim to execute unintended payloads, plus defensive remediation techniques.

REGISTRATION

Registration is a basic and essential function. Self-service registration functionality allows new users to register or enroll in the application by providing personal details such as username, date of birth, e-mail address, security questions, etc. The new user is registered if all provided details fit the application's requirements, thus allowing users to log in thereafter. Since not all users who try to log into the application are legitimate users, the application should validate unauthorized inputs before they are processed.

Attacker-Defender Approach

Enumerating User Information

Attacker: Enumeration is the first stage of the attack; it is the process used to gather information about a target application by actively connecting to it and identifying the user account, system account and admin account. It is also an activity in which an attacker tries to retrieve valid usernames from a web application. If the system is vulnerable to this attack, the attacker may be able to obtain a list of existing usernames in the system by submitting input (valid and invalid usernames) and analyzing the server response (error messages). The scope of this test is to verify whether it is possible to collect a set of valid usernames by interacting with the application's authentication mechanism. The attacker can then run a dictionary attack to further exploit the obtained information.

Defender: The effective way to prevent enumeration attacks is to add a CAPTCHA to the registration page. Also, display only customized error messages in the user interface, and remove unnecessary comments from the source code to prevent the attacker from gathering information from the error messages.

Automated Multiple Registration

Attacker: The attacker tries to increase the size of the request by appending an enormous amount of data that is sent to the server. This could result in a delayed response or server hanging. The attacker can also send

n number of requests to the server for registering multiple times to cause denial of service attacks.

Defender: The most effective way to prevent automated multiple registration is to validate the content length and check the size of the payload being passed in the request. If the content size is more than the specified limit, drop that particular request. If there are too many requests in the queue, then the upcoming request should be automatically dropped without serving. Approaches such as a one-time password, generating a QR code and using CAPTCHA riddles should be implemented to reduce the impact of this attack.

Sniffing the Unencrypted Data Channel

Attacker: This is a type of cyberattack where a malicious user inserts him/herself into a conversation between two parties, impersonates both parties and gains access to information that the two parties were trying to send to each other. This attack allows a malicious user to intercept, send and receive data meant for someone else and gain access to unauthorized resources.

Defender: Use strong encryption standards between the client and the server; also, the server should authenticate the client's request by presenting a digital certificate, and only then allow the connection to be established.

Decrypt the SSL Certificate if a Weak Cipher Is Enabled in the Application

Attacker: All systems and applications using SSL with cipher-block chaining (CBC) mode ciphers may be vulnerable. By decrypting this SSL certificate, an attacker can gain access to sensitive data passed within the encrypted web session, such as passwords, cookies and other authentication tokens. These can then be used to gain more complete access to a website (impersonating that user, accessing database content, etc.).

Defender: It is important to check the SSL configuration being used to avoid putting in place cryptographic support that could be easily defeated. Accordingly, an SSL-based service should not offer the possibility to choose a weak cipher suite. A cipher suite is specified by an encryption algorithm (e.g., DES, RC4, AES), the encryption key length (e.g., 256 bits) and a hash algorithm (e.g., SHA, MD5) used for integrity checking.

Forge the Self-Signed Certificate

Attacker: Attackers usually use self-signed digital certificates or stolen certificates that are accepted as valid by most browsers. The browsers display a warning message when encountering errors during SSL certificate validation, but users can proceed anyway. This is the typical scenario for fake SSL connections, which triggers

Attack Tree with Mitigations for Registration-Functionality-Related Vulnerabilities

FUNCTIONALITY
Registration Functionality
Gaining Sensitive Information

ATTACK METHODS
Attacks Related to User Interface; Attacks Related to N/W Channel

ATTACKS
Related to the user interface:
- Enumerating user information
- Enabling the browser configuration to get sensitive user data (Autocomplete set=ON)
- Cross-site scripting
- SQL injection
- Retrieving sensitive data from temp file (HTTPS page enabled the cache/store)
- Automated multiple registration
Related to the network channel:
- Sniffing the unencrypted data channel
- Decrypt the SSL certificate if weak cipher is enabled in the application
- Forgery of the self-signed certificate

MITIGATION
For user-interface attacks:
- Customized error message should be revealed to the user.
- Unnecessary source code comments should be disabled.
- Autocomplete set=OFF for sensitive fields.
- Whitelist validation should apply to all the user-controlled data.
- Parameterized data passed to the application.
- Application should not display the detailed error message.
- Output encoding should apply to the server response.
- Escape the malicious characters.
- Enable the no-cache/no-store flag.
For network-channel attacks:
- Proper SSL certification should be enabled with standard cryptographic algorithms.

Figure 6
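TLS configuration addressing the three network-channel attacks of the Registration section (sniffing, weak cipher suites, forged self-signed certificates) and the pinning its Defender paragraph mentions, as an added Python example built on the standard ssl module; it is not code from the paper, and the cipher string, the whole-certificate pin format and the certificate bytes in the self-test are this example's choices.

```python
import hashlib
import ssl

# Cipher-suite policy: ECDHE key exchange with AEAD ciphers only. Everything the
# section names as weak (DES, 3DES, RC4, MD5) and the anonymous/null suites are
# excluded explicitly so a client can never negotiate them.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES"
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")


def server_context(certfile=None, keyfile=None):
    """TLS server context that cannot negotiate a weak suite or an old protocol.
    certfile/keyfile are the server's own certificate and key (paths supplied
    by the caller; nothing is loaded when they are omitted, as in the test)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION      # TLS compression leaks plaintext
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def client_context():
    """Client side: the server must present a certificate that chains to a
    trusted root AND matches the requested hostname; a forged self-signed
    certificate fails here instead of prompting the user to click through."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_suites_offered(ctx):
    """Names of negotiable suites containing a weak marker (should be empty)."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_MARKERS)]


def certificate_pin(cert_der):
    """SHA-256 fingerprint of the DER certificate, the value a pinning client
    compares against its stored pin set (a whole-certificate pin; SPKI pinning
    hashes only the public key and survives re-issuance of the certificate)."""
    return hashlib.sha256(cert_der).hexdigest()


def pin_matches(cert_der, expected_pins):
    """True only when the presented certificate is one the client pinned."""
    return certificate_pin(cert_der) in set(expected_pins)
```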

a certificate warning, caused primarily by server misconfigurations. However, these alerts are often ignored by users who trust forged SSL certificates.

Defender: Browser vendors could mitigate this cyber threat by adopting HTTP Strict Transport Security, Public Key Pinning and TLS Origin Bound Certificates, and by validating certificates with notaries. In general, self-signed certificates with pinning are more secure than CA-signed certificates.

Figure 6 (above) depicts an attack tree for registration functionality, illustrating attack methods and types of attacks that attempt to gain sensitive information from the user. The tree also elaborates several countermeasures.

FILE UPLOAD/DOWNLOAD

Uploaded files represent a significant risk to applications. The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems and simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.

Attacker-Defender Approach

Remote File Inclusion (RFI)/Local File Inclusion (LFI)

Attacker: Remote file inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. An attacker may use streams to exploit RFI-vulnerable parameters. RFI attacks are highly automated, judging by traffic shape (e.g., consistency and rate) and characteristics (e.g., distinctive HTTP headers), making them very suitable for mitigation via reputation-based blacklists. By exploiting an RFI vulnerability, an attacker can inject a c99 shell to attack a web server. Scripts can also be injected through RFI in order to deface websites.

In local file inclusion (LFI), which is similar to the remote file inclusion vulnerability, only local files (i.e., files on the current server) are included. The vulnerability is also due to the use of user-supplied input without proper validation. LFI enables an attacker to include code that is already hosted on the same web server as the application. LFI exploitation requires that the malicious code be hosted on the vulnerable server. Using an LFI, an attacker can execute remote code via an Apache server log. Code can also be executed via uploaded files by including script files among the uploaded files.

Defender: If the uploaded file needs to be stored on disk, use a server-generated filename. Inspect the content of uploaded files, and enforce a whitelist of accepted, non-executable content types. Enforce a whitelist of accepted, non-executable file extensions, and also ensure that the file extension matches the actual type of the file content. Use a predefined switch/case statement to determine which file to include rather than using a URL or form parameter to dynamically generate the path. If uploaded files are downloaded by users, provide an accurate non-generic content-type header.

Enforce a size limit on uploaded files to avoid DoS attacks. Reject attempts to upload archive formats such as ZIP/war/jar.

Attack Tree with Mitigations for File-Upload-Related Functionality Vulnerabilities

FUNCTIONALITY
File Upload
Execution of Unintended File/Shell/Payloads

ATTACK METHODS
Remote File Inclusion; Local File Inclusion; Malicious Content Upload (Shell/Batch)

MITIGATION
- Use a server-generated filename if storing uploaded files on disk.
- Inspect the content of uploaded files, and enforce a whitelist of accepted, non-executable content types.
- Enforce a whitelist of accepted, non-executable file extensions.
- If uploaded files are downloaded by users, supply an accurate non-generic content-type header.
- Enforce a size limit on uploaded files. Reject attempts to upload archive formats such as ZIP/war/jar.

Figure 7

Figure 7 (above) depicts an attack tree showing attacks that can cause unintended execution of files/shells/payloads by exploiting the file upload functionality. The graphic also summarizes best practices to prevent the execution of such attacks.

PRIVILEGED USER FUNCTIONALITIES

Privilege escalation attacks aim to obtain additional privileges for web application users to access critical system resources, functions, pages or accounts. They can be either vertical or horizontal privilege escalation attacks.

Parameter Tampering

Attacker: The attacker attempts to change the role of his/her user ID to a higher-privileged one. First, the attacker identifies the parameter representing the user role that is sent in HTTP requests to the application. The attacker then modifies the parameter to a higher-privileged one and gains additional privileges. The attack is possible when the application relies on user role/level parameters in HTTP requests to determine the user's access level. These parameters could initially be set by the application upon authentication, in the HTTP response as cookies or in hidden fields. Based on the parameter, the application could return a list of application functionalities/menu items applicable to the user. Since a client-supplied role parameter of the application is accepted

by the server, it is possible to tamper with these values.

The attacker force-browses into a particular restricted functionality by tampering with HTTP query parameters. For example: if a user is authorized only to view the list of users using www.app.com/users.aspx?fn=view, he may edit or delete users by force-browsing to www.app.com/users.aspx?fn=edit. The attacker retrieves the data of another user by modifying exposed system object references. Then the attacker attempts to obtain other users' details by modifying a primary key value, such as a database table or record identifier, exposed by the application.

Defender: Do not rely on client-supplied values of user level or role ID to determine the access level for a user. Implement proper access control at the server side for all users. Enforce appropriate authorization on all critical functionalities. Perform authorization checks at the server side to ensure the user is authorized for the requested resource/function. Do not expose references to system objects or primary keys. Each use of an object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object. Use per-user or session-specific indirect object references. For example, instead of using the resource's database key, the application should map the user's indirect reference back to the actual database key on the server.

Path Traversal

Attacker: The attacker aims to access files and directories that are stored outside the web root folder. This attack can be executed with external malicious code injected into the path parameters. For example: an attacker can exploit file download functionality to download sensitive configuration files, such as Web.config, and gain vital information about the application such as database credentials, admin credentials, etc.

Defender: Perform proper input validation on all user-supplied parameters and URI requests. Restrict the user-defined path within a whitelist of allowed paths. The directory/filename should be expanded to its absolute canonical path. Enforce directory-level access control.

Forced Browsing

Attacker: The attacker attempts to access the pages of admin/privileged users. He or she initiates a direct request attack wherein he or she tries to access sensitive resources by directly browsing to the URL. For example: an attacker may be able to access administrative pages in www.vulnerableapp.com by browsing to www.vulnerableapp.com/admin.aspx.

Defender: Do not make the assumption that resources can be reached only through the user interface or by the menu items displayed to the user. Enforce authorization at the server side to ensure the user has the required privilege to access the page. Do not rely on client-side validation. Perform a server-side access control check for all pages/functionalities.

Session Hijacking

Attacker: The attacker gains access to the active session of an authenticated user and, using the session, gets full access to all functionalities within the privileges of the

Attack Tree with Mitigations for Privilege Escalation Functionality-Related Vulnerabilities

FUNCTIONALITY
User Privilege Management Functionality
Gaining Higher Privilege Access

ATTACK METHODS
Attacks Related to User Interface

ATTACKS
- Parameter Tampering
- Path Traversal
- Forced Browsing
- Local File Inclusion
- Bypassing Client Side Validation
- Session Hijacking

MITIGATION
- View state should be used to avoid tampering.
- Function level access control should be enabled.
- Whitelist validation should apply to all the user-controlled data. Escape malicious characters in user input.
- Perform server side authorization checks. Avoid client side validation.
- Implement secure session management. Use strong session IDs, protect them in transit and regenerate session identifiers at frequent intervals.
- Use a server-generated filename if storing uploaded files on disk.
- Inspect the content of uploaded files, and enforce a whitelist of accepted, non-executable content types.
- Enforce a whitelist of accepted, non-executable file extensions.
- If uploaded files are downloaded by users, supply an accurate non-generic content-type header.

Figure 8


victimized user. If the victim account has elevated privileges, the attacker can even revoke the admin privileges from the victim account and grant them to him- or herself.

Defender: Properly invalidate the session once the user has successfully logged out. Maintain a standard session timeout, say, 20 minutes. Do not use static values of session identifiers for the identification of a legitimate user. To prevent session fixation, do not accept client-supplied session tokens. Regenerate session IDs after every successful login and at frequent intervals. Use unique, sufficiently long, random session identifiers to reduce the risk of brute force attack. Set the HttpOnly and Secure flags on cookies in order to avoid session cookie theft.

Figure 8 (see previous page) depicts an attack tree for user privilege management, showcasing attacks that exploit vulnerabilities in the application to gain greater privilege access. Possible remediation methods for preventing privilege escalation and maintaining access control are also presented.
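The Defender controls above (server side invalidation on logout, an idle timeout, rejection of client-supplied tokens, rotation of the ID on login, random IDs, HttpOnly and Secure cookie flags) as an added example; it is written for this discussion and is not the paper's code. The SessionStore class, the 20-minute constant and the injectable clock are constructed for illustration.

```python
import secrets
import time
from typing import Optional

IDLE_TIMEOUT = 20 * 60  # 20-minute idle timeout, the value the text suggests

class SessionStore:
    """In-memory session store (constructed for this example, not a library)."""

    def __init__(self, clock=time.time):
        self._sessions: dict = {}  # sid -> {"user": ..., "last_seen": ...}
        self._clock = clock  # injectable so expiry can be exercised deterministically

    def _issue(self, user: Optional[str]) -> str:
        # 32 bytes from the OS CSPRNG: unique, long and random, so guessing is infeasible
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def start(self) -> str:
        """Fresh anonymous session; IDs are never static or derived from user data."""
        return self._issue(None)

    def resolve(self, client_sid: Optional[str]) -> Optional[dict]:
        """Return the session record only if the server issued the ID and it has not idled out."""
        sess = self._sessions.get(client_sid or "")
        if sess is None:
            return None  # unknown token, e.g. an attacker-chosen fixation value, is rejected
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[client_sid]  # expired: remove it server side
            return None
        sess["last_seen"] = now
        return sess

    def login(self, client_sid: Optional[str], user: str) -> str:
        """After successful authentication always issue a new ID and drop the pre-login one."""
        if self.resolve(client_sid) is not None:
            del self._sessions[client_sid]
        return self._issue(user)

    def logout(self, client_sid: Optional[str]) -> None:
        """Invalidate server side; clearing the browser cookie alone is not enough."""
        self._sessions.pop(client_sid, None)


def set_cookie_header(sid: str) -> str:
    """Cookie attributes that keep the ID away from script and off plaintext HTTP."""
    return f"session={sid}; HttpOnly; Secure; SameSite=Strict; Path=/"
```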


ABOUT THE AUTHOR

Dr. Sivakumar Kathiresan
Principal Architect, Technology
Sivakumar.Kathiresan@cognizant.com

Dr. Sivakumar Kathiresan, B.E., M.E., Ph.D., is a Principal Architect, Technology, within Cognizant's Enterprise Risk and Security Solutions business unit. In this role, he leads the North American competency, solutions and pre-sales effort in the organization's integrated vulnerability management services team. He has managed 150-plus security assessment projects across various industry sectors over the last six years. Sivakumar has 22 years of experience, including industry, research and academia, and has delivered more than 125 knowledge-sharing and solution architect sessions on various fields of enterprise security at different forums. His current areas of interest are web security, secure SDLC, advanced log analysis, application vulnerability correlation, integrated vulnerability management, advanced persistent threats and management, and security analytics. Sivakumar received his Ph.D. from the Indian Institute of Technology, Roorkee; he continues to research the area of digital security. His certificates include CEH, CISM, Sourcefire, Qualysguard, Envision, LanDesk and BigData Associate.

ACKNOWLEDGMENTS
The author recognizes the value added by the following Cognizant
associates:
Sivakumar Subramaniam, Head, ITM and IVM.
Sivarama Subramanian Kailasam and the entire IVM delivery
team.
He also acknowledges the contributions to this white paper of the
following Cognizant cybersecurity experts:

Balachanthar Palanivelu
Rakesh Balasunder
Subadeepam Rajappan
Nisha Selvaraj
NagaPranavi K
Padma Prasoona K
Parkavi Neelakandan
Jemmi Angelin Manoharan
Jayasree Otukuru
Abhijeet Ananda Patil
Siddesh N
Rekha Tharmaraj
Pavithra Kamaleswar
Pradeep Varadarajan
Vimalaasree Anandhan
Saravanakumar G
Ranjith Kumar Ramu
Dinesh Jain
Nagamarimuthu Karuppiah
GraceCatherine Jothiprakash
Sivapradha Sivaraman
KK Ashwin
Eby Mohan
Chendhil Thirumalai Kandasamy
Prasath J
Madhan Mohan
Subhashini Sundaramurthy
Rajesh Chilukuri Thirupathaiah



ABOUT COGNIZANT ENTERPRISE RISK AND SECURITY SOLUTIONS
The Cognizant Enterprise Risk and Security Solutions (ERSS) business unit specializes in providing end-to-end information security solutions for
various industry sectors, including retail, banking and financial services, logistics, telecom, healthcare, manufacturing, and travel and
hospitality, and has served 450-plus customers across various geographies. The team has expertise in providing information security
solutions and services based on best-of-breed products in each category of enterprise security. Our services include:

1600-plus security consultants specializing in IAM, GRC, data security and application security assessment.

350-plus CISA, CISM, CISSP, CEH and vendor certified associates.

350-plus Infrastructure Security trained associates.

Over 11000 person years of information security experience.

A proven track record and experience in 500-plus client engagements for security services.

Partnership with leading vendors such as IBM, CA, Oracle, Sail Point, Novell, Dell, RSA, HP, Symantec, etc.

ABOUT COGNIZANT
Cognizant (NASDAQ-100: CTSH) is one of the world's leading professional services companies, transforming clients' business, operating and
technology models for the digital era. Our unique industry-based, consultative approach helps clients envision, build and run more innovative
and efficient businesses. Headquartered in the U.S., Cognizant is ranked 230 on the Fortune 500 and is consistently listed among the most
admired companies in the world. Learn how Cognizant helps clients lead with digital at www.cognizant.com or follow us @Cognizant.

World Headquarters
500 Frank W. Burr Blvd.
Teaneck, NJ 07666 USA
Phone: +1 201 801 0233
Fax: +1 201 801 0243
Toll Free: +1 888 937 3277

European Headquarters
1 Kingdom Street
Paddington Central
London W2 6BD England
Phone: +44 (0) 20 7297 7600
Fax: +44 (0) 20 7121 0102

India Operations Headquarters
#5/535 Old Mahabalipuram Road
Okkiyam Pettai, Thoraipakkam
Chennai, 600 096 India
Phone: +91 (0) 44 4209 6000
Fax: +91 (0) 44 4209 6060

Copyright 2017, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical,
photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks
mentioned herein are the property of their respective owners.

TL Codex 2531