Attacking Other Users

The majority of interesting attacks against web applications involve targeting the server-side application itself. Many of these attacks do of course impinge upon other users — for example, an SQL injection attack that steals other users’ data. But the essential methodology of the attacker is to interact with the server in unexpected ways in order to perform unauthorized actions and access unauthorized data.

The attacks described in this article are in a different category, because the primary target of the attacker is the application’s other users. All of the relevant vulnerabilities still exist within the server-side application. However, the attacker leverages some aspect of the application’s behavior in order to carry out malicious actions against another end user. These actions may result in some of the same effects that we have already examined, such as session hijacking, unauthorized actions, and the disclosure of personal data. They may also result in other undesirable outcomes, such as logging of keystrokes or execution of arbitrary commands on users’ computers.

Other areas of software security have witnessed a gradual shift in focus from server-side to client-side attacks in recent years. To take one example, Microsoft used to announce serious security vulnerabilities within their server products on a frequent basis. Although numerous client-side flaws were also disclosed, these received much less attention because servers presented a much more appealing target for most attackers. In just a few years, this situation has changed markedly. At the time of this writing, no critical security vulnerabilities have been publicly announced in Microsoft’s IIS 6 web server. However, in the time since this product was first released, a very large number of flaws have been disclosed in Microsoft’s Internet Explorer browser. As the general awareness of security threats has evolved, the front line of the battle between software developers and hackers has moved from the server to the client.

Although web application security is still some way behind the curve just described, the same trend can be detected. A decade ago, most applications on the Internet were riddled with critical flaws like command injection, which could be easily found and exploited by any attacker with a bit of knowledge. Although many such vulnerabilities still exist today, they are slowly becoming less widespread and more difficult to exploit. Meanwhile, even the most security-critical applications still contain many easily discoverable client-side flaws. A key focus of recent research has been on this kind of vulnerability, with defects such as session fixation first being discussed many years after most categories of server-side bugs were widely known about. Media focus on web security is predominantly concerned with client-side attacks, with such terms as spyware, phishing, and Trojans being common currency to many journalists who have never heard of SQL injection or path traversal. And attacks against web application users are an increasingly lucrative criminal business. Why go to the trouble of breaking into an Internet bank, when it has 10 million customers and you can compromise 1% of these in a relatively crude attack that requires little skill or elegance?

Attacks against other application users come in many forms and manifest a variety of subtleties and nuances that are frequently overlooked. They are also less well understood in general than the primary server-side attacks, with different flaws being conflated or neglected even by some seasoned penetration testers. We will describe all of the different vulnerabilities that are commonly encountered and spell out the practical steps you need to perform to identify and exploit each of these.