How about that Web Application and API Security?

Jon Goldman
3 min read, Nov 22, 2020
Stats of web attacks in percentages

About 3 years ago the research company Gartner coined the term WAAP, which stands for Web Application and API Security. That is a mouthful to say; in the industry we used to simply call it a WAF.

There are many solutions that offer WAAP as SaaS, as PaaS, or as standalone software. This article highlights and discusses why anyone would need a WAAP.

Let’s talk briefly about Recon.

Recon is mainly about the following items:

  • Web App Recon (information gathering, web app mapping)
  • Structure (modern vs. legacy, REST APIs, JavaScript object notation: variables, functions, context, DOM, SPA frameworks, authentication and authorization, server-side and client-side databases)
  • Finding subdomains (multiple apps per domain, the browser’s built-in network analysis tools, DGA, public record search, caches, archives, zone transfer attacks, brute forcing, dictionary attacks)
  • API analysis (endpoint discovery, authentication mechanisms, endpoint shapes: common and app-specific shapes)
  • Identifying third-party dependencies (detecting client-side, SPA, JS and CSS libraries; server-side frameworks; header detection, error messages and 404 pages)
  • Identifying weak points in app architecture (layers, adoption vs. reinvention, secure vs. insecure architecture signals)

It’s important to get an understanding of the common technologies that many web apps share as dependencies; these span from JavaScript helper libraries and pre-defined CSS modules to web servers and even operating systems. Understanding each of these dependencies and the common ways they are implemented in an app stack makes it possible to quickly identify them and look for misconfigurations.

Legacy vs Modern Web Apps

Most of today’s web applications are built on top of models that are 10 years old, from a time when the current models and flows didn’t exist.

The tools available for building web applications have advanced so much in that time frame that it seems like a different specialization today.

10 years ago, all web apps were built using server-side frameworks that rendered the JS/CSS/HTML page, which would then be sent to the client side.

Each request would have to be rendered and piped over HTTP to the client.

Today, most applications are composed of parts that communicate over a network protocol, versus what used to be a single monolithic application. This is one of the major architectural differences between web apps today and those of 10 years ago.

Most current-day web apps consist of several apps connected through a Representational State Transfer (REST) API. These APIs are stateless and exist only to fulfill requests from one application to another, which means they don’t store any data about the requester.

Most modern day web apps consist of the following technologies:

  • REST API
  • JSON or XML
  • JavaScript
  • SPA framework (React, Vue, EmberJS, AngularJS)
  • An authentication and authorization system
  • Web servers (typically on a Linux server)
  • Web server software packages (ExpressJS, Apache, Nginx)
  • Databases (MySQL, MongoDB, etc.)
  • Local data store on the client (cookies, web storage, IndexedDB)

Offence

  • Hacking web apps (the hacker’s mindset, applied Recon)
  • Cross-Site Scripting (XSS): exploitation, stored XSS, reflected XSS, DOM-based XSS, mutation-based XSS
  • Cross-Site Request Forgery (CSRF): query parameter tampering, alternate GET payloads, CSRF against POST endpoints
  • XML External Entity (XXE): direct and indirect XXE
  • Injection: SQL injection, code injection, command injection
  • Denial of Service (DoS): regex DoS (ReDoS), logical DoS vulnerabilities, distributed DoS
  • Exploiting third-party dependencies: methods of integration, branches and forks, self-hosted app and source code integrations, package managers, JavaScript and Java, Common Vulnerabilities and Exposures (CVE) databases

Defence

  • Securing modern web applications (defensive software architecture, comprehensive code reviews, vulnerability discovery, analysis, management)

to be continued…
