HTTP Vulnerabilities: How to Protect Your Website and Have Security

Websites are part of our day-to-day lives. Thanks to them, we can access the information we need and carry out all kinds of activities. However, many activities on the web involve handling personal data or other data of a sensitive nature. The security of any website, including web applications, is now more important than ever, not only for the developer but also for end users. This guide explains HTTP vulnerabilities, which can be almost as severe as XSS (Cross-Site Scripting), to cite one example.

Remember that the basis of the web is the Hypertext Markup Language, that is, HTML. Since its inception, it has been an excellent way to develop web pages, and over the years it has evolved by leaps and bounds. Thousands of libraries are available to developers to adapt websites to the original purpose of the project. Unfortunately, they are not free of security threats and risks, especially where end users are concerned.

What is the HTTP protocol?

It is also worth recalling the definition of the HTTP protocol and what it is for. It is a communication protocol whose essential function is the transmission of data over the WWW (World Wide Web), and it is one of the essential components of the architecture of the web. In 1999, the first version of the protocol documentation was published as RFC 2616, which released version 1.1 of the protocol. Over the years, different versions have been released; the latest version available is HTTP/3, which will succeed the current HTTP/2, used by the vast majority of websites on the Internet.

The essential operating scheme consists of the following: a client (web user) tries to make a connection through a request. This request sends a message with a specific format to the web server. That web server is the one that hosts the web site or service from which we need information. If the connection is successful, the web server responds to that request with a positive response. This is something that happens multiple times a day every time you visit your favorite websites.

HTTP vulnerabilities (+ HTML)

Together, HTML and HTTP have several features that can be used for malicious purposes, or that simply do not behave the way one would expect. As a result, they become significant vulnerabilities that threaten the integrity, and above all the security, of the website or web application.

Hidden form fields

One well-known feature of HTML is a form attribute that allows fields or objects to be marked as hidden (hidden). How is this reflected on a page? When a web page is opened, the user can only complete the visible fields; the rest are hidden. Most users will not notice that hidden form fields are present at all. The danger is that the developer of the page could use this attribute to add hidden fields to the form that would allow sensitive data to be stored on the web server. In many cases, it is unnecessary to do this.

Consequently, the professional ethics of each developer will determine whether the use of this particular attribute is appropriate.

<html>
<input type="hidden" id="precio" name="precio" value="200">
</html>

Above, you can see an example of a hidden form field. It is a supposedly hidden field that stores price information. In a web store, prices are generally handled on the server side. In this case, the data is handled on the user's side, as if the hidden field were acting as a web server that stores data of any kind. Although this looks practical at first glance, it carries a risk, mainly because the user can manipulate the prices directly from the browser.

Remember that it is possible to view the source code of a web page from the browser. Google Chrome is the browser most people use, and the shortcut to open the developer console is "CTRL + Shift + I". With it you can, among other things, save a copy of the web page on your computer or use a web proxy to manipulate any data on a web page, especially the form fields.

Going back to the example, the hidden field lets the price be manipulated on the user's side, so that any price can be applied before finalizing the purchase. Therefore, it is advisable not to apply these types of attributes to form fields, especially on websites that handle values.
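
The server-side counterpart of that advice, as an added example that is not part of the original article: the order is priced from a catalogue held on the server, and a submitted "precio" field is only compared against it to flag tampering. The catalogue, the field names "sku" and "qty", and the function name are assumptions made for the illustration.

```python
from urllib.parse import parse_qs

# Constructed server-side catalogue: unit prices keyed by product id.
CATALOGUE = {"sku-100": 200, "sku-200": 50}


class OrderError(ValueError):
    """Raised when a submitted order cannot be trusted or priced."""


def price_order(form_body: str) -> dict:
    """Price a POSTed order using server-side data only.

    The form may still carry a hidden "precio" field, as in the article's
    example; it is never used for the total, only compared for logging.
    """
    fields = parse_qs(form_body)
    try:
        sku = fields["sku"][0]
        qty = int(fields["qty"][0])
    except (KeyError, ValueError) as exc:
        raise OrderError("missing or malformed sku/qty") from exc
    if sku not in CATALOGUE:
        raise OrderError(f"unknown product {sku!r}")
    if not 1 <= qty <= 100:
        raise OrderError("quantity out of range")

    unit = CATALOGUE[sku]
    # Flag any client-supplied price that disagrees with the catalogue.
    client_price = fields.get("precio", [None])[0]
    tampered = client_price is not None and client_price != str(unit)
    return {"sku": sku, "qty": qty, "total": unit * qty, "tampered": tampered}
```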

Magic URLs

One of the essential concepts of HTML is the URL, which stands for Uniform Resource Locator. It is what people generally know as a link to a web page. In web development there is a curious concept of magic links or magic URLs. The HTTP standard allows a web developer to provide additional relevant data in a URL in the form of verbs or key pairs. This additional data, be it verbs or key pairs, is the essential component of a magic URL. Its purpose is to pass sensitive and/or important data between the client and the web server.

http://www.misitioweb.com?OpDEfgtRDBc&action=view

Above we see an example of a magic URL. At first sight, there is nothing unusual about it. But what comes after “.com/OpDEfgtR…” is the verb or key pair that carries the data that is so relevant for communication between the client and the web server. Now, what data could be stored in magic URLs? It can be passwords, PIN-type keys, bank account numbers, credit cards, cookies from the different sessions on a website and much more.

This is another case of a supposedly practical way to manage data that can nevertheless be much more dangerous. A cybercriminal can intercept the communication between the client and the web server in order to decode the information carried in that verb or key pair in the URL. With the resources available today, it would not be a very difficult task.
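
A check a site owner can run over requested URLs before they are written to logs, as an added example that is not part of the original article: it reports query parameters that look like secrets and returns a redacted URL. The list of sensitive names and the "opaque token" heuristic are assumptions chosen for the illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed list of parameter names that should never travel in a URL.
SENSITIVE_KEYS = {"password", "pin", "token", "session", "sessionid",
                  "account", "card"}
# Heuristic: a bare alphanumeric blob of 10+ characters looks like a token.
OPAQUE = re.compile(r"^[A-Za-z0-9_-]{10,}$")


def audit_url(url: str):
    """Return (redacted_url, findings) for one requested URL."""
    parts = urlsplit(url)
    findings, kept = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            findings.append(f"sensitive parameter {key!r}")
            kept.append((key, "REDACTED"))
        elif value == "" and OPAQUE.match(key):
            # A key with no value, like the article's OpDEfgtRDBc.
            findings.append("opaque value-less token")
            kept.append(("REDACTED", ""))
        else:
            kept.append((key, value))
    redacted = urlunsplit(parts._replace(query=urlencode(kept)))
    return redacted, findings
```

Any URL that produces findings is a candidate for moving that data into the request body or a server-side session.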

Predictable cookies

Although it is somewhat difficult to avoid associating the word cookie with the delicious cookies we all know, cookies on the web play an essential role in day-to-day browsing. They are designed to store persistent data on the client side, that is, on the client's own device. We can manage our cookies from the browser at any time, and above all they help to authenticate our identity with the different web services.

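from http import cookies

# Deliberately predictable: the cookie value is a global counter.
cookieVal = 0

def getCookie():
    global cookieVal
    c = cookies.SimpleCookie()
    c['usercookie'] = cookieVal
    # Each new cookie gets the previous value plus one.
    cookieVal += 1
    return c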

The problem starts when cookies are generated with predictable logic. It is unlikely to find something like this today, but we must not rule out that many web pages could have this security hole. Suppose that a web page (see the example above) generates session cookies and that the value increases by one each time a cookie is generated. That is, cookie with value “1”, cookie with value “2”, cookie with value “3” and so on.

Taking a closer look at the example code, this is the line that causes the value of the cookie, which is stored in the cookieVal variable, to increase by one:

cookieVal += 1

Predictable cookies allow a cybercriminal to access the web sessions of multiple users without needing to know their access credentials. If a web page has generated 1000 cookies with the logic just demonstrated and a cybercriminal manages to take control of the website, he would be able to appropriate the 1000 sessions of the users of that page. Consequently, it is essential that, as a web developer, you apply best practices when working with cookies. Free resources such as those on the Mozilla Developer Network are useful, practical and accessible to anyone who needs to guarantee the security of cookies. You can access this web resource in Spanish about HTTP cookies.

There is no doubt that without HTML and HTTP, the web as we know it would not exist. However, they are not spared from vulnerabilities. This means that, more than ever, it is important to know about the vulnerabilities described above and to handle them so that they are kept under effective control. As a result, the web pages you develop will be more robust in terms of security, which in the end translates into peace of mind and trust for users, who are increasingly exposed to cyber attacks.