CMU Jin Cyber Workshop 2024: Web Exploitation and Web Attacks

Jul 13, 2024

Introduction

  • Workshop Focus: Understanding web exploitation, its methods, prevention, and the importance of web security.
  • Goals: Recognize vulnerabilities, understand attack patterns, and learn prevention techniques.

What is Web Exploitation?

  • Definition: Exploiting vulnerabilities within a website to achieve malicious outcomes.
  • Outcomes:
    • Taking control of the application.
    • Stealing information (e.g., login info).
    • Using the application to attack other systems.

Background Information

  • Websites: Interactive sets of pages, built using coding languages like HTML, JavaScript, and CSS.
    • Beyond basic pages, modern websites take on more features and complexity, and that added complexity introduces potential vulnerabilities.
    • Examples of complex functionalities: Uploading and playing videos (e.g., YouTube), maintaining databases (user info, payment details), integrating third-party services.

Importance of Understanding Web Exploitation

  • Prevalence: 26% of data breaches come from web application-based services.
  • Frequency: Websites face an average of 94 attacks per day.
  • Malware: 12.8 million websites are infected with malware; 88% aren’t blacklisted by search engines.

CIA Triad

  • Confidentiality: Protect information from unauthorized access.
  • Integrity: Ensure data and functions remain accurate and unaltered.
  • Availability: Ensure services are accessible when needed.
  • Web Exploits Impact: They can compromise all three elements of the CIA Triad.

Types of Web Exploits

Insecure Direct Object Reference (IDOR)

  • Description: Accessing unauthorized pages or information by modifying URLs or parameters.
  • Example: Changing a user ID in a URL to access another user's homepage.
  • Prevention: Implementing and validating access control measures.

Injection Attacks

  • Concept: Injecting untrusted or malicious input into a website.
  • Mechanism: Taking advantage of coding languages (interpreters) or network protocols that process input without validation.
  • Examples:
    • SQL Injection: Injecting malicious input into a database query (e.g., login forms) to extract sensitive data.
    • Cross-Site Scripting (XSS): Injecting malicious scripts into websites to trap and exploit other users.
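The SQL injection case above, as an added example (not part of the workshop notes): a login check that pastes user input into the query text beside the parameterized form that binds input as data. The in-memory SQLite table, the user record, and the plaintext password column are constructed for the demo only.

```python
import sqlite3

# Constructed in-memory database standing in for a site's user table (assumption).
# Plaintext passwords are used only to keep the demo short; real systems store hashes.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
conn.commit()


def login_vulnerable(username: str, password: str) -> bool:
    # Untrusted input is concatenated into the SQL text, so the input can
    # change the query's structure rather than just its values.
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_safe(username: str, password: str) -> bool:
    # Parameterized query: the driver binds the values as data, never as SQL,
    # so the query structure is fixed regardless of what the user typed.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    good = ("alice", "correct-horse")
    bad = ("alice", "wrong")
    # A stray quote closes the string literal and a comment marker discards the
    # password clause; the vulnerable check then tests only the username.
    injected = ("alice' --", "anything")
    return {
        "vuln_good": login_vulnerable(*good),
        "vuln_bad": login_vulnerable(*bad),
        "vuln_injected": login_vulnerable(*injected),
        "safe_good": login_safe(*good),
        "safe_bad": login_safe(*bad),
        "safe_injected": login_safe(*injected),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The only difference between the two functions is how input reaches the database; the parameterized version needs no input filtering to stay correct.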

Browser Extensions

  • Risk: Many extensions may be high-risk or malicious, compromising user data.
  • Example: Out of 300,000 Chrome extensions, 51% were found to be high-risk.
  • Self-Check: Assess the trustworthiness of extensions before using them.

Denial of Service (DoS) and Distributed Denial of Service (DDoS)

  • Description: Overwhelming a website with traffic to prevent it from functioning correctly.
  • Mechanism: Flooding the site with excess traffic to deny service to legitimate users.

Resources and Further Learning

  • Websites: OWASP, Burp Suite.
  • Future Topics: Recognizing and preventing web exploits.

Conclusion

  • Emphasis on the importance of understanding web exploitation.
  • Encourage further learning and vigilance in web security.