Web Security: Beyond Common Attacks

TL;DR

SQL injection and Cross-Site Scripting (XSS) are well-known web security threats, but modern attacks go further. This guide covers techniques like CSRF, session fixation, insecure direct object references, and more, with practical steps to protect your applications.

1. Understanding the Threat Landscape

While SQL injection and XSS remain prevalent, attackers are increasingly using sophisticated methods. Here’s a breakdown of common attacks beyond those basics:

• Cross-Site Request Forgery (CSRF): Tricking a logged-in user into performing unwanted actions on a web application they’re authenticated with.
• Session Fixation: Forcing a user to use a known session ID, allowing an attacker to hijack their session.
• Insecure Direct Object References (IDOR): Allowing users to access resources directly by manipulating object IDs without proper authorization checks.
• Server-Side Request Forgery (SSRF): Exploiting server-side vulnerabilities to make requests on behalf of the server, potentially accessing internal resources.
• Authentication and Authorization Flaws: Weak passwords, missing multi-factor authentication, or inadequate access controls.
• Injection Attacks (beyond SQL): Command injection, LDAP injection, XML External Entity (XXE) attacks.

2. Protecting Against CSRF

1. Use Anti-CSRF Tokens: Generate a unique, unpredictable token for each user session and include it in forms. Verify the token on server-side submission.

# Example (Python/Flask)

from flask import Flask, render_template, request, session
import secrets

app = Flask(__name__)
app.secret_key = secrets.token_hex(16)

@app.route('/form')
def form():
    session['csrf_token'] = secrets.token_hex(16)
    return render_template('form.html', csrf_token=session['csrf_token'])

@app.route('/submit', methods=['POST'])
def submit():
    if request.form['csrf_token'] != session['csrf_token']:
        return 'CSRF token invalid!'
    # Process form data...
    return 'Form submitted successfully!'

2. SameSite Cookies: Set the SameSite attribute on cookies to Strict or Lax to prevent cross-site requests.

Set-Cookie: sessionid=value; SameSite=Strict

3. Preventing Session Fixation

1. Regenerate Session IDs on Login: After successful authentication, create a new session ID and invalidate the old one.

# Example (PHP)

session_start();
if (isset($_POST['login'])) {
    // Authentication logic...
    session_regenerate_id(true);
}

2. Use Secure Session Cookies: Ensure session cookies are marked as Secure and HttpOnly.

4. Mitigating IDOR Vulnerabilities

1. Implement Proper Authorization Checks: Always verify that the user has permission to access the requested resource before granting access. Never trust client-side data for authorization decisions.
2. Use Indirect Object References: Instead of using direct object IDs, use opaque identifiers or mapping tables.

5. Addressing SSRF Risks

1. Input Validation and Sanitization: Thoroughly validate and sanitize any user-supplied input used in server-side requests.
2. Whitelist Allowed Domains/IPs: Restrict the domains or IP addresses that the server is allowed to connect to.
3. Disable Unnecessary Network Access: Limit the server’s ability to make external network connections if it’s not required for its functionality.

6. Strengthening Authentication and Authorization

• Enforce Strong Password Policies: Require complex passwords, regular password changes, and consider using a password manager.
• Implement Multi-Factor Authentication (MFA): Add an extra layer of security by requiring users to provide multiple forms of identification.
• Least Privilege Principle: Grant users only the minimum necessary permissions required for their tasks.

7. Injection Attack Prevention

• Parameterized Queries/Prepared Statements: Use parameterized queries or prepared statements to prevent SQL injection.
• Input Validation and Output Encoding: Validate all user input and encode output appropriately for the context (e.g., HTML encoding, URL encoding).