Web Security Checklist
General
- All inputs which the user can modify are potentially vulnerable. This includes HTTP requests, file uploads, form fields and cookie values.
- Vulnerabilities are especially critical when communication crosses trust boundaries (e.g. web application -> backend database).
Approach for testing
- Identify modifiable input which is processed by an XML, SQL or LDAP engine etc. This can be the case for form fields, cookies and the HTTP payload as well as header information.
- Test sending critical characters to trigger error messages or other unintended behavior.
- Try exploiting unintended behavior to inject your own statements/commands.
Mitigate risks
- Identify all inputs which the user can manipulate and check the correct handling in the source code.
- Validate all possible user input including input that can be modified by the user by manipulating requests.
- Use an allow-list (e.g. a regex) that accepts only permitted characters in user input; avoid block-lists of critical characters if possible.
- Escape critical characters if they have to be allowed.
- Implement output validation to avoid leaking information about vulnerabilities through error messages.
- Define minimal privileges for the entity processing the input
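The allow-list step above, as an added example (not code from the original checklist): a regex that accepts only the characters a username may contain, with the assumed policy "ASCII letters, digits, `.`, `_`, `-`, 3 to 32 characters". It also shows a common pitfall in Python: `re.match()` with a `$` anchor still accepts a value that ends in a newline, while `re.fullmatch()` does not.

```python
import re

# Allow-list policy assumed for this example: letters, digits, '.', '_', '-',
# between 3 and 32 characters. Adapt the character class to the real field.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{3,32}")


def is_valid_username(value: str) -> bool:
    """Accept a value only if the whole string matches the allow-list.

    re.fullmatch() is used on purpose: every character must be covered by
    the pattern, so a trailing newline or any character outside the class
    causes rejection.
    """
    return USERNAME_RE.fullmatch(value) is not None


def naive_is_valid_username(value: str) -> bool:
    """The common mistake: '^...$' with re.match().

    In Python, '$' also matches just before a trailing newline, so the
    string "alice\n" is accepted even though '\n' is not in the class.
    """
    return re.match(r"^[A-Za-z0-9._-]{3,32}$", value) is not None


if __name__ == "__main__":
    # Constructed inputs: two benign, two that an allow-list must reject.
    for candidate in ["alice", "bob_01", "alice\n", "bob';--"]:
        print(repr(candidate), "fullmatch:", is_valid_username(candidate),
              "naive:", naive_is_valid_username(candidate))
```

Prefer the allow-list over stripping or escaping individual characters: a value that fails the allow-list is rejected before it reaches any interpreter, and the check does not need to know every metacharacter of every downstream engine.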
Specific injection attacks
SQL injection
Characteristics:
- Critical chars: `'` and `"`
- Sometimes the RDBMS can be used to attack the underlying system.
Mitigate:
- Use “Prepared Statements” for interacting with database.
XXE injection (XML External Entities)
Characteristics:
- Validation specs like DTDs (`<!DOCTYPE>`) can be used to manipulate the parsed XML document.
- Declaring `SYSTEM` entities can allow file inclusion, DoS and port scanning.
Mitigate:
- Declaring new entities in validation definitions should be disabled!
- External entities should be disabled in the XML parser's configuration. (This feature is rarely used anyway!)
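Both XXE mitigations above, as an added example using Python's standard `xml.sax` parser (not code from the original checklist): a pre-check that rejects any document carrying a `<!DOCTYPE>` at all, and a parser configured with the `feature_external_ges` / `feature_external_pes` flags switched off so that a declared external entity expands to nothing. The two documents are constructed for this example; the external entity points at a path that does not exist.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed document declaring an external SYSTEM entity. A parser that
# honours it would try to read the referenced path and place its contents
# inside <note>. The path is deliberately nonexistent here.
XXE_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE note [<!ENTITY ext SYSTEM "file:///nonexistent/constructed-secret.txt">]>'
    '<note>&ext;</note>'
)
PLAIN_DOC = '<?xml version="1.0"?><note>hello</note>'


def declares_dtd(xml_text: str) -> bool:
    """First line of defence: refuse any document that carries a DOCTYPE.

    Entity declarations can only appear inside a DTD, so rejecting the
    DOCTYPE up front removes the whole attack surface for applications
    that never need one (the common case).
    """
    return re.search(r"<!DOCTYPE", xml_text) is not None


class _TextCollector(ContentHandler):
    """Minimal SAX handler that gathers character data."""

    def __init__(self) -> None:
        super().__init__()
        self.parts = []

    def characters(self, content: str) -> None:
        self.parts.append(content)


def parse_text_hardened(xml_text: str) -> str:
    """Parse with external entity resolution disabled; return text content.

    With feature_external_ges off, xml.sax's expat reader does not fetch
    the SYSTEM entity, so a reference to it contributes no characters.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return "".join(handler.parts)


def load_note(xml_text: str) -> str:
    """Apply both mitigations: reject DTDs, then parse without external entities."""
    if declares_dtd(xml_text):
        raise ValueError("DTD/DOCTYPE declarations are not accepted")
    return parse_text_hardened(xml_text)


if __name__ == "__main__":
    print("plain document:", repr(load_note(PLAIN_DOC)))
    print("hardened parse of XXE document:", repr(parse_text_hardened(XXE_DOC)))
    try:
        load_note(XXE_DOC)
    except ValueError as exc:
        print("rejected:", exc)
```

The DOCTYPE rejection is the stronger of the two controls because it also stops entity-expansion DoS (nested internal entities), which disabling external entities alone does not address. Keep both: the parser flag protects code paths that forget the pre-check.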
LDAP injection (Lightweight Directory Access Protocol)
Characteristics:
- Critical chars: `( ) * & | ! ' " = < ~`
- Sometimes hidden `<input>` fields contain LDAP parameters (like `dc=` or `ou=`) that can be manipulated.
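The checklist gives no mitigation for LDAP injection; the general rule "escape critical characters if they have to be allowed" applies. As an added example (not code from the original checklist), here is the standard escaping for the two places user input ends up in LDAP: search-filter values (RFC 4515, hex escapes for `* ( ) \` and NUL) and distinguished-name values such as the `ou=` / `dc=` parameters from hidden fields (RFC 4514, backslash escapes). The filter shape and base DN are assumptions for the illustration.

```python
# RFC 4515: characters with special meaning inside a search-filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    A single pass over the characters is important: escaping '\\' first and
    then '*' in separate passes would double-escape the backslashes.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514).

    Backslash-escapes ',', '+', '"', '\\', '<', '>', ';', a leading '#',
    and leading/trailing spaces; NUL becomes the hex escape \\00.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append(r"\#")
        elif ch == " " and (i == 0 or i == last):
            out.append(r"\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_login_filter(username: str) -> str:
    """Assumed filter shape for a login lookup; attribute names may differ."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(username)


def build_base_dn(ou: str) -> str:
    """Assumed base DN built from a hidden-field 'ou=' parameter."""
    return "ou=%s,dc=example,dc=com" % escape_dn_value(ou)


if __name__ == "__main__":
    # Constructed inputs: the second of each pair would close the filter
    # or add an RDN if it were not escaped.
    for name in ["alice", "*)(uid=*"]:
        print(build_login_filter(name))
    for ou in ["people", "x,dc=other"]:
        print(build_base_dn(ou))
```

Escaping is the second line of defence; where the value has a known shape (a username, an OU name), an allow-list check before escaping is simpler to reason about. Also treat hidden `ou=` / `dc=` fields as untrusted: the client controls them just like any other request parameter.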
XPath injection
Characteristics:
- Basically enables extracting information from the database (rarely manipulating it).
- Critical chars: `@ ( ) = ' " [ ] : , * /`
- Newer versions of XPath (v2 or v3) are more prone to attacks.
Mitigate:
- Use pre-compiled XPath queries.
OS command injection
Characteristics:
- Very powerful attack, if successful!
- Critical chars: `;`, `&`, `&&` or `||`
Mitigate:
- Passing any user input to an OS command should be avoided; with a correct application architecture it is not necessary!
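Where a child process cannot be avoided, the safe pattern is to pass user input as its own argv element and never through a shell. As an added example (not code from the original checklist), the block below uses Python's `subprocess` with a constructed child program (a second Python interpreter that prints back its first argument) to show that `;`, `&&` and `||` arrive as literal characters instead of starting new commands. `shlex.quote` is shown as the fallback for the rare case where a shell string really is required.

```python
import shlex
import subprocess
import sys

# Constructed stand-in for any tool the application would invoke: prints
# its first argument back unchanged.
CHILD = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def run_with_argv(user_input: str) -> str:
    """Run the child with user input as a separate argument and no shell.

    The pattern to avoid is building one command string and handing it to a
    shell, e.g. os.system("tool " + user_input) or
    subprocess.run("tool " + user_input, shell=True): there ';', '&&', '||'
    and '|' inside user_input start new commands. With an argument list and
    shell=False (the default) the string reaches the program as a single
    literal argument and no shell interprets it.
    """
    result = subprocess.run(
        CHILD + [user_input], capture_output=True, text=True, check=True
    )
    return result.stdout.rstrip("\n")


def quote_for_shell(user_input: str) -> str:
    """Fallback only: single-quote a value so a POSIX shell treats it as data.

    Use this when a shell string is unavoidable (e.g. a legacy wrapper
    script). It is weaker than argv passing because every caller has to
    remember to apply it, and it only covers POSIX shells.
    """
    return shlex.quote(user_input)


if __name__ == "__main__":
    # Constructed inputs containing the critical characters from the checklist.
    for probe in ["example.com", "a; echo injected", "x && y || z"]:
        print(repr(probe), "->", repr(run_with_argv(probe)), "|", quote_for_shell(probe))
```

The argv list also makes the program name fixed: the user never controls which executable runs, only one argument to it. Combine this with an allow-list on the argument's expected shape (e.g. a hostname) so that option-like values such as `--output` cannot change the tool's behaviour either.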