In this article we will discuss some emerging attack vectors and their potentially high impact on the security of web applications. We will cover an introduction to attack vectors, Insecure Direct Object Reference, Relative Path Overwrite, and Directory Brute Forcing. Let's discuss them one by one.
Attack Vectors :
- An attack vector is the method a hacker or security analyst uses to penetrate a target application, either for malicious purposes or to check the application's security controls.
- Every ethical hacker has their own preferred attack vectors for checking the security of a target. The target may be a web application or an Android application, but in this article we focus on web applications.
- In this article you will learn some emerging attack vectors and their impact. Use an attack vector against an application only if you have legal permission to test its security. Penetrating an application without the permission of its owner is illegal.
Insecure Direct Object Reference :
- Insecure Direct Object Reference, commonly known as IDOR, is an authorization (access control) vulnerability that allows an attacker to access or modify resources belonging to other users of the application.
- The fundamental concept behind IDOR is that an endpoint takes a reference to an object straight from the request (an id, a filename, a user number) and uses it to read or modify user data without checking that the requester is allowed to touch that particular object. The data may be images, addresses, files, and in some cases the account details of other users, including usernames and passwords.
- IDOR is a common and still emerging attack vector for web applications because it is an access permission problem, and permission problems cannot be fixed automatically or by default: what a user is allowed to see varies from application to application and from user to user, so the authorization check has to be written into each endpoint, and an automated scanner cannot tell a legitimate lookup from an unauthorized one without knowing the intended rules.
- For example, in a typical application a normal user and a premium user have different access permissions, and a normal user and an admin have different permissions to modify data.
- This class of vulnerability is everywhere; in fact it is so common that a large proportion of tested web applications are affected by it.
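The following is an added example (not code from the original article) showing the IDOR pattern described above next to its fix. It assumes a hypothetical invoice endpoint backed by an in-memory SQLite table with constructed sample rows; the function names, table layout and ids are all assumptions. The vulnerable handler selects the object by the client-supplied id alone, the fixed handler makes the session user's ownership part of the query, and the enumeration helper shows what an attacker walking sequential ids gets from each.

```python
import sqlite3
from typing import Callable, Iterable, List, Optional, Tuple

Invoice = Tuple[int, int, int, str]  # (id, owner_id, amount, pdf_path)


class NotFound(Exception):
    """Raised for objects the caller must not learn about, missing or foreign alike."""


def build_db() -> sqlite3.Connection:
    """Constructed sample data (assumption): three invoices owned by two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        " id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL,"
        " amount INTEGER NOT NULL, pdf_path TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?, ?)",
        [
            (1001, 1, 4200, "/files/inv-1001.pdf"),
            (1002, 2, 9900, "/files/inv-1002.pdf"),
            (1003, 2, 150, "/files/inv-1003.pdf"),
        ],
    )
    return conn


def get_invoice_vulnerable(conn: sqlite3.Connection, session_user_id: int,
                           invoice_id: int) -> Optional[Invoice]:
    """IDOR: the row is selected purely by the id taken from the request.

    session_user_id is available but never consulted, so any logged-in user
    who guesses 1002 receives user 2's invoice.
    """
    return conn.execute(
        "SELECT id, owner_id, amount, pdf_path FROM invoices WHERE id = ?",
        (invoice_id,),
    ).fetchone()


def get_invoice_fixed(conn: sqlite3.Connection, session_user_id: int,
                      invoice_id: int) -> Invoice:
    """Hardened version: ownership is part of the lookup itself.

    The owner comes from the server-side session, never from the request, and
    "does not exist" and "belongs to someone else" raise the same NotFound, so
    the response cannot be used to enumerate which ids are valid.
    """
    row = conn.execute(
        "SELECT id, owner_id, amount, pdf_path FROM invoices"
        " WHERE id = ? AND owner_id = ?",
        (invoice_id, session_user_id),
    ).fetchone()
    if row is None:
        raise NotFound(f"invoice {invoice_id}")
    return row


def enumerate_invoices(handler: Callable[..., Optional[Invoice]],
                       conn: sqlite3.Connection, attacker_user_id: int,
                       id_range: Iterable[int]) -> List[int]:
    """What an attacker does against the endpoint: walk sequential ids and
    keep whatever comes back. Returns ids of disclosed invoices that do NOT
    belong to the attacker."""
    leaked = []
    for invoice_id in id_range:
        try:
            row = handler(conn, attacker_user_id, invoice_id)
        except NotFound:
            continue
        if row is not None and row[1] != attacker_user_id:
            leaked.append(row[0])
    return leaked


if __name__ == "__main__":
    db = build_db()
    print("vulnerable leaks:", enumerate_invoices(get_invoice_vulnerable, db, 1, range(1000, 1010)))
    print("fixed leaks:     ", enumerate_invoices(get_invoice_fixed, db, 1, range(1000, 1010)))
```

Putting the owner into the WHERE clause (rather than fetching first and checking afterwards) leaves no code path in which the object is loaded but the check is forgotten, which is how most IDORs are introduced in practice.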
Relative Path Overwrite :
- Security researcher Gareth Heyes discovered a new attack vector named Relative Path Overwrite (RPO). RPO exploits the way browsers interpret relative paths when importing CSS files into the DOM (Document Object Model), so the attack is also known as Path-Relative Style Sheet Import (PRSSI).
Relative path - <link href="database/xyz.css" rel="stylesheet" type="text/css"/>
Absolute path - <link href="https://example.com/database/xyz.css" rel="stylesheet" type="text/css"/>
- Example:
For example, if the document was loaded at https://example.com/database then, with the relative path, the CSS is loaded from https://example.com/database/xyz.css, because the browser resolves a relative href against the directory of the URL the document was loaded from. Now suppose the website has the URL https://example.com/index.html and the HTML file links its stylesheet as <link href="resource/rpo.css" rel="stylesheet" type="text/css"/>.
If we visit https://example.com/index.html, the browser imports the CSS from https://example.com/resource/rpo.css as intended. But if an attacker changes the URL to https://example.com/index.html/random/payload, the server still returns the same page, because many server-side languages and web frameworks tolerate extra path information after the script name. The browser, however, now resolves the relative href against the new URL and requests https://example.com/index.html/random/resource/rpo.css, so the CSS is no longer loaded from the path given in the HTML file: the server answers that request with the HTML page itself. If the page reflects part of the URL (such as the attacker's payload segment), the browser parses the reflected text as a style sheet, and by adding payloads at the vulnerable endpoint the attacker can control the CSS of the web application. A practical caveat: in standards mode browsers refuse to apply a style sheet served with a non-CSS content type, so the attack relies on the page being rendered in quirks mode (typically a missing or broken doctype); a proper doctype, the X-Content-Type-Options: nosniff header, and absolute stylesheet paths (or a <base href>) all close the hole.
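The following is an added example (not code from the original article or from Gareth Heyes' research) that reproduces the resolution behaviour just described. It resolves the relative href with the same rules a browser applies, runs the resulting request against a constructed toy server that tolerates extra path information (an assumption standing in for a real framework), and includes a small check that flags a page whose stylesheet location changes when path information is appended. The site, page contents and function names are all assumptions.

```python
from typing import Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed toy site (assumption): /index.html links its stylesheet with the
# relative href from the example above.
STYLESHEET_HREF = "resource/rpo.css"
INDEX_HTML = ('<link href="resource/rpo.css" rel="stylesheet" type="text/css"/>\n'
              '<h1>Welcome</h1>')
REAL_CSS = "h1 { color: blue; }"


def tolerant_server(path: str) -> Tuple[int, str, str]:
    """Models a path-info-tolerant framework: /index.html/anything still serves
    index.html. Returns (status, content_type, body)."""
    if path == "/index.html" or path.startswith("/index.html/"):
        return 200, "text/html", INDEX_HTML
    if path == "/resource/rpo.css":
        return 200, "text/css", REAL_CSS
    return 404, "text/plain", "not found"


def resolve_stylesheet(document_url: str, href: str,
                       base_href: Optional[str] = None) -> str:
    """Resolve a <link href> the way a browser does: against <base href> when
    the page declares one, otherwise against the URL the document was loaded from."""
    return urljoin(base_href or document_url, href)


def fetch_stylesheet(document_url: str, href: str,
                     base_href: Optional[str] = None) -> Tuple[str, str]:
    """Simulate the browser's stylesheet request against the toy server.
    Returns (resolved_url, content_type_the_browser_received)."""
    url = resolve_stylesheet(document_url, href, base_href)
    _status, ctype, _body = tolerant_server(urlsplit(url).path)
    return url, ctype


def rpo_exposed(document_url: str, href: str, base_href: Optional[str] = None,
                suffix: str = "/random/payload") -> bool:
    """Heuristic: does appending path info to the document URL move the
    stylesheet request? True means the href is path-relative and the page is
    open to RPO on any server that tolerates the extra path."""
    normal = resolve_stylesheet(document_url, href, base_href)
    extended = resolve_stylesheet(document_url + suffix, href, base_href)
    return normal != extended


if __name__ == "__main__":
    for doc in ("https://example.com/index.html",
                "https://example.com/index.html/random/payload"):
        print(doc, "->", fetch_stylesheet(doc, STYLESHEET_HREF))
    print("relative href exposed:", rpo_exposed("https://example.com/index.html", STYLESHEET_HREF))
    print("absolute href exposed:", rpo_exposed("https://example.com/index.html", "/resource/rpo.css"))
    print("with <base href>:     ", rpo_exposed("https://example.com/index.html", STYLESHEET_HREF,
                                                 base_href="https://example.com/"))
```

Against a live target the same check would fetch the extended document URL and confirm that the server returns the page rather than a 404, and then fetch the shifted stylesheet URL and confirm it also returns HTML; whether the browser applies that HTML as CSS still depends on the quirks-mode and content-type conditions noted above.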
Directory Brute Forcing :
- This is a very popular and simple attack vector; most ethical hackers use it to find hidden and sensitive directories on a web application. Various automated tools are available for testing it: they take a wordlist of common directory and file names, request each one, and report the paths that do not come back as "not found".
- Many times developers forget to remove sensitive files and directories from the web root, such as files containing database usernames and passwords, backups of the website's source code, and so on. Because of this, information can leak at a particular endpoint, and by brute forcing directory and file names an attacker can find the hidden data and sensitive information of the web application. Note that a 401 or 403 response still confirms that the path exists, and that sites which answer every unknown path with a 200 "catch-all" page produce false positives unless the scanner compares each response against a known-missing path.
- As a developer, do not rely on a directory being hidden: a path that is linked from nowhere is still reachable by anyone who guesses its name. Keep sensitive files outside the document root or explicitly deny access to them in the web server configuration, and return the same response for denied and non-existent paths so that a scan reveals nothing.
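The following is an added example (not code from the original article or from any of the tools it alludes to) of the core loop such a directory brute forcing tool runs. It uses a constructed wordlist, a constructed responder standing in for a target with a few leftover files and a catch-all 200 page (both assumptions), and a baseline request to an impossible path so that the catch-all page is not reported as a hit. A standard-library HTTP probe is included for live use against systems you are authorised to test; only the constructed responder is exercised here.

```python
import random
import string
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urljoin, urlsplit

# A probe takes a URL and returns (status_code, body_length).
Probe = Callable[[str], Tuple[int, int]]

# 401/403 still confirm that the path exists; redirects usually do too.
INTERESTING = {200, 204, 301, 302, 307, 401, 403}


def random_path(n: int = 16) -> str:
    return "".join(random.choices(string.ascii_lowercase, k=n))


def soft404_baseline(base_url: str, probe: Probe) -> Tuple[int, int]:
    """Ask for a path that cannot exist to learn how the server answers unknown
    paths. Catch-all sites answer 200 for everything; this lets us ignore them."""
    return probe(urljoin(base_url, random_path()))


def scan(base_url: str, words: Iterable[str], probe: Probe,
         extensions: Tuple[str, ...] = ("", "/", ".bak", ".zip")) -> List[Tuple[str, int, int]]:
    """Brute force directory and file names; returns (path, status, length) hits."""
    base_status, base_len = soft404_baseline(base_url, probe)
    hits = []
    for word in words:
        for ext in extensions:
            path = word + ext
            status, length = probe(urljoin(base_url, path))
            if status not in INTERESTING:
                continue
            # Same status and roughly the same size as the baseline: treat as a soft 404.
            if status == base_status and abs(length - base_len) < 32:
                continue
            hits.append((path, status, length))
    return hits


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as an HTTPError instead of following it


def http_probe(url: str, timeout: float = 5.0) -> Tuple[int, int]:
    """Live probe (stdlib only). Use solely against targets you may test."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "dirscan-example"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read() or b"")


# Constructed responder (assumption): leftover files plus a catch-all 200 page.
FAKE_FILES = {
    "/.env": (200, 212),
    "/backup.zip": (200, 5_000_000),
    "/admin/": (403, 170),
    "/config.php.bak": (200, 1400),
    "/robots.txt": (200, 60),
}
SOFT_404 = (200, 3120)  # every unknown path gets the same 200 page

def fake_site(url: str) -> Tuple[int, int]:
    return FAKE_FILES.get(urlsplit(url).path, SOFT_404)

# Constructed wordlist (assumption); real tools ship lists of thousands of names.
WORDLIST = ["admin", "backup", "config.php", ".env", "robots.txt", "login", "uploads"]


if __name__ == "__main__":
    for path, status, length in scan("https://target.example/", WORDLIST, fake_site):
        print(f"{status} {length:>8}  /{path}")
```

Without the baseline comparison the catch-all page would turn every word in the list into a 200 "hit"; real tools add the same idea with size or similarity filters, rate limiting, and recursion into directories that were found.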