Introduction to HTTP and HTML vulnerabilities
Web applications are commonly targeted by cybercriminals. The combination of public exposure and potential access to sensitive data makes them easily accessible and provides a reasonable expectation of payoff for a successful attack. As a result, ensuring that they do not contain common vulnerabilities such as cross-site scripting (XSS) and SQL injection is a must.
However, the vulnerabilities that appear on the OWASP Top Ten list are not the only potential threats to web application security. Improper use of HTTP and HTML can also make a website vulnerable to exploitation.
Common abuses of HTTP and HTML
The HTTP and HTML standards grant developers a lot of flexibility and useful tools for developing their web applications. However, these tools can also be used in clever ways that jeopardize the security of the application and its users. Some examples of common misuses of HTTP and HTML features include hidden form fields, magic URLs and predictable cookies.
Hidden form fields
The HTML standard gives developers the ability to label certain fields or objects on a web page as hidden. When opening the page in the web browser, anything marked as hidden will not be visible to the user. As a result, it can be tempting to use hidden fields to carry important data, making it unnecessary to store this state information on the server.
The code sample above uses this technique for a simple web order form. Instead of managing the pricing information on the server side, it is stored in a hidden field. This makes it simpler to handle pricing information that may vary from user to user.
The problem with this approach is that hidden fields within a webpage are still visible in the page’s source code, which is available to and editable by the user. By saving a local copy of the webpage or using a web proxy, a user could change this price value to whatever they wanted before sending the final order to the web server for processing.
Another tactic for avoiding the need to track state on a webserver is the use of magic URLs. The HTTP standard allows a developer to provide additional information within a URL in the form of “verbs” or key-value pairs. A “magic URL” uses these values to carry important or sensitive state information between the client and the server.
The URL shown above is an example of a magic URL. The verb in this URL resolves to “Password” after performing Base64 decoding.
Like the previous approach, this is also an insecure way to manage state information. A malicious user could encode their own state in the URL or someone eavesdropping on the network traffic could reach sensitive user data from the URL.
Cookies become a problem if they are predictable as demonstrated in the code sample above. In this code sample, the cookie value is incremented by one for each user session.
This makes it trivially easy for an attacker to predict a user’s cookie value for a webpage. This can be used to access the user’s account without knowledge of the user’s login credentials since cookies store authentication data.
Using HTTP and HTML correctly
Most of the HTTP and HTML abuses that jeopardize web application security are performed in an attempt to make a web application easier to develop. While the examples described above are insecure, they can be corrected through simple modifications:
- Data encryption: The hidden form field and magic URL examples included data that could be easily read or modified by a user or eavesdropper. Encrypting this data — using a key stored only on the web server — makes these techniques usable in a way that doesn’t impact data confidentiality and in which attempted modifications are easily detectable
- Randomized cookies: Cookies are a common way to store authentication information. However, cookie values should be randomized and it is a good idea to encrypt the data that they contain to protect against abuse
- Encrypted communications: The use of TLS and HTTPS is growing more common, but not all web traffic uses it yet. In addition to protecting confidentiality, TLS provides server authentication. This helps users to verify that they are on the correct site
Taking these steps does not guarantee that a website will be immune to exploitation or free of data leaks. However, they dramatically decrease the probability that a simple error will leave a web application and its users vulnerable to attack.
- Using Burp to Bypass Hidden Form Fields, PortSwigger
- Michael Howard, David LeBlanc, John Viega, “24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them,” McGraw-Hill Professional, 2009
- Session Prediction, OWASP