WebApplication

Purpose

The WebApplication object represents a network service provided by a web server. Since a web application runs partly on the web server and partly, possibly, on the client side in a web browser, the WebApplication object represents both of these parts. Note that with this approach a web browser, modelled as a Client object, only concerns the software installed on the client host, not the programs or routines it downloads and runs on behalf of the visited WebApplication.

Connections

WebApplication and Neighboring Objects

| Object | Connection | Description | Function |
| --- | --- | --- | --- |
| Service | Web Service Execution | Specifies which Service is hosting/running the WebApplication. | A connection to a Service is needed for the WebApplication to function properly. |
| WebApplication Firewall | Firewall Execution | A firewall functionality is available and running to handle requests to the WebApplication. Such functionality is often provided as part of the web server software running the WebApplication, but since it has a major impact on the WebApplication it is modeled explicitly. | A missing Web Application Firewall increases the risk of BypassWAF. |
| Datastore | WebApplication | Shows what data a user can access by using the WebApplication. | A connected Datastore can give Read and Write access through SQL injections. |
| Keystore | Keystore Execution | Shows that the WebApplication provides access to a Keystore. | A missing connection to a Keystore prevents Read access on a Keystore through WebApplications. |

Attack Steps and Defenses

| Attack Step | Description | Leads to |
| --- | --- | --- |
| BypassWAFViaCI | The possibility for an attack step to trick the web application firewall, or pass it undiscovered, using command injection. | WebApplication: ExploitCI |
| BypassWAFViaRFI | The possibility for an attack step to trick the web application firewall, or pass it undiscovered, using remote file inclusion. | WebApplication: ExploitRFI |
| BypassWAFViaSQLInjection | The possibility for an attack step to trick the web application firewall, or pass it undiscovered, using SQL injection. | WebApplication: ExploitSQLi |
| BypassWAFViaXSS | The possibility for an attack step to trick the web application firewall, or pass it undiscovered, using cross site scripting. | WebApplication: ExploitXSS |
| DiscoverNewVulnerability | The possibility to discover a new vulnerability in the WebApplication. | WebApplication: BypassWAFViaCI, BypassWAFViaRFI, BypassWAFViaSQLInjection, BypassWAFViaXSS |
| ExploitCommandInjection | The possibility to send commands, or pieces of commands, to the web server via the web application, making it perform unintended operations. | Service(root): Host.Compromise; Service(non-root): Host.UserAccess |
| ExploitRFI | The possibility to send a file containing some kind of malware to the web server via the web application, making it perform unintended operations. | Service(root): Host.Compromise; Service(non-root): Host.UserAccess |
| ExploitSQLInjection | The possibility to send an unintended SQL statement to the web application to read, alter or delete data. | Read and Write access on a connected Datastore (see Connections above) |
| ExploitXSS | The possibility to inject, via input fields or variables, a malicious script that will be visible to and run by other users of the web application. | Service: Dataflow.Client.UserAccess |

| Defense | Description | Impact | Default |
| --- | --- | --- | --- |
| BlackBoxTesting | Black box testing denotes automated testing through scanners or fuzzers without access to the source code, which should decrease the number of false positives as well as false negatives. The aim of black box testing is to find and remove vulnerabilities before deployment. | Reduces the risk of DiscoverNewVulnerability. | Off |
| NoPublicCIVulnerabilities | Command injection (CI) attacks aim to execute arbitrary code on the system level. This defense captures whether publicly known command injection vulnerabilities (on e.g. Exploit DB or PacketStorm) exist for the application. | Reduces the risk of ExploitCommandInjection. | Off |
| NoPublicRFIVulnerabilities | Remote file inclusion (RFI) attacks aim to include remote files into a web application to execute code in the context of the server. This defense captures whether publicly known remote file inclusion vulnerabilities (on e.g. Exploit DB or PacketStorm) exist for the application. | Reduces the risk of ExploitRFI. | Off |
| NoPublicSQLIVulnerabilities | SQL injection (SQLi) attacks aim to alter the SQL queries sent to a server. A successful injection can e.g. alter database tables and data and execute commands. This defense captures whether publicly known SQL injection vulnerabilities (on e.g. Exploit DB or PacketStorm) exist for the application. | Reduces the risk of ExploitSQLInjection. | Off |
| NoPublicXSSVulnerabilities | Cross site scripting (XSS) attacks aim to inject client-side scripts that are executed by other users visiting the web service. This defense captures whether publicly known cross site scripting vulnerabilities (on e.g. Exploit DB or PacketStorm) exist for the application. | Reduces the risk of ExploitXSS. | Off |
| SecurityAwareDevelopers | A security aware developer recognizes proper use of input and output sanitizing and implements effective countermeasures. | Reduces the risk of DiscoverNewVulnerability. | Off |
| StaticCodeAnalysis | Static code analysis is the analysis of software source code without executing the program. Static code analysis tools can automatically look for specific patterns to find vulnerabilities and bugs. | Reduces the risk of DiscoverNewVulnerability. | On |
| TypeSafeAPI | A type safe API specifies a rule set that describes exactly what kind of data is transferred between different parts of the application, leading to a more secure and reliable environment. | Reduces the risk of DiscoverNewVulnerability. | On |
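As an added illustration (constructed for this page, not part of the securiCAD documentation or its engine), the following Python model walks the "Leads to" column above as a graph and shows which consequences remain reachable for a given set of connections and defenses. It assumes, as a simplification, that a defense that is On blocks the attack step named in its Impact column and that a missing Firewall object lets the attacker start directly at the BypassWAF steps; securiCAD itself computes this probabilistically.

```python
# Added, constructed example: boolean reachability over the attack steps and
# defenses tabulated above. securiCAD itself simulates probabilistically; here,
# as a simplification, a defense that is On blocks the step its Impact column
# names, and the attacker enters at DiscoverNewVulnerability (plus directly at
# the BypassWAF* steps when no Firewall object is connected).
from collections import deque

DEFAULTS = {"BlackBoxTesting": False, "NoPublicCIVulnerabilities": False,
            "NoPublicRFIVulnerabilities": False, "NoPublicSQLIVulnerabilities": False,
            "NoPublicXSSVulnerabilities": False, "SecurityAwareDevelopers": False,
            "StaticCodeAnalysis": True, "TypeSafeAPI": True}  # Default column

DISCOVER = "DiscoverNewVulnerability"
BLOCKS = {"BlackBoxTesting": DISCOVER, "SecurityAwareDevelopers": DISCOVER,
          "StaticCodeAnalysis": DISCOVER, "TypeSafeAPI": DISCOVER,
          "NoPublicCIVulnerabilities": "ExploitCommandInjection",
          "NoPublicRFIVulnerabilities": "ExploitRFI",
          "NoPublicSQLIVulnerabilities": "ExploitSQLInjection",
          "NoPublicXSSVulnerabilities": "ExploitXSS"}  # Impact column

BYPASS = ["BypassWAFViaCI", "BypassWAFViaRFI",
          "BypassWAFViaSQLInjection", "BypassWAFViaXSS"]

def edges(service_root, datastore_connected):
    """'Leads to' column; Service(root/non-root) and Datastore are model flags."""
    host = "Host.Compromise" if service_root else "Host.UserAccess"
    return {DISCOVER: BYPASS,
            "BypassWAFViaCI": ["ExploitCommandInjection"],
            "BypassWAFViaRFI": ["ExploitRFI"],
            "BypassWAFViaSQLInjection": ["ExploitSQLInjection"],
            "BypassWAFViaXSS": ["ExploitXSS"],
            "ExploitCommandInjection": [host],
            "ExploitRFI": [host],
            "ExploitSQLInjection": ["Datastore.Read", "Datastore.Write"]
                                   if datastore_connected else [],
            "ExploitXSS": ["Dataflow.Client.UserAccess"]}

def reachable(defenses=None, waf=True, service_root=False, datastore_connected=True):
    """Attack steps and consequences the attacker can reach in this toy model."""
    on = {**DEFAULTS, **(defenses or {})}
    blocked = {step for name, step in BLOCKS.items() if on[name]}
    graph = edges(service_root, datastore_connected)
    entry = [DISCOVER] + ([] if waf else BYPASS)
    seen, queue = set(), deque(s for s in entry if s not in blocked)
    while queue:  # breadth-first walk over unblocked steps
        step = queue.popleft()
        if step not in seen:
            seen.add(step)
            queue.extend(n for n in graph.get(step, []) if n not in blocked)
    return seen
```

With the page's defaults (StaticCodeAnalysis and TypeSafeAPI On) nothing is reachable as long as a Firewall is connected; remove the Firewall and the same defaults no longer matter, because the BypassWAF steps are entered directly.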