This article explores information present on the client machine from a security point of view and how it can be accessed by malicious users. Also discussed is how information present in the HTML Source, comments error messages, etc., can give subtle hints about your application's security.
I hope that you have already read first part of this article and familiar with the concept of how web applications are different from traditional client-server applications. If you have not, you might find it useful to read Part-1 as well.
In this part we will explore what kind of information is available to the client? What kind of information can be gathered from the pages which client can access? How validation is important to ensure proper security for the web application? What are cookies and how web applications use them?
It is very important in web application security testing to gather as much information about your application as you can. You need to find out how people outside your organization will access your web application and what kind of information they can access. Typical information that will be available to any person outside your organization could be categorized as:
- Comments & Sensitive information embedded in the HTML source code
- Error messages generated at the server and HTTP response returned
- Application error message
During web application development, it is very important to think about these aspects. Comments or sensitive information can be very useful for you while developing and maintaining the code, but if it is accessed by malicious user it can be dangerous. Similarly, detailed error messages given to improve usability can results in the security loophole.
HTML source present on the client side can be an excellent source of information for the attacker. It is very easy for everyone to view HTML source code and since it is not compiled, there is no way to hide HTML comments. For testing web applications for security, you should look for the sensitive information like passwords, usernames, database names, connection strings etc. As a person responsible for security testing you need to make sure that sensitive information is not present in the HTML source code
In order to start attack on any web application, it is important to know how its pages can be accessed what kind of data and parameters are passed from one page to another. You can keep an eye on the URL for this purpose and look for key-value pairs. You should always consider creating page map of your site containing this information. You can use tool or can create it manually by navigating to all the pages and making appropriate maps. After you have created this page map, you can search HTML source for specific strings containing information related to HTML comments, Application Comments, IP Address, E-Mail Address, SQL Queries, Database Connection Strings, Hidden input fields etc.
If you try to change parameters selected during this process and resubmit the request, you can find interesting information in error messages. Sometimes server or application throws overly helpful error messages which can give subtle hints to the attackers. For example on supplying invalid password during login process if system throws error like 'invalid password', it essentially means that username is proper.
Page map created earlier can also help you in guessing file names and directory structure present on the web server. Using this technique you can access files for which there is no link present on the pages, or which is not intended to be visible to the user. You must always check for the presence of any pattern in file names and location. Files which should not be viewed by clients should be located in places not accessible to the clients. Using this technique of educated guessing, malicious users can even access admin or control panel of the website, which usually runs as a separate sub-site or