Before you start
With the rise of smartphones and similar devices, web application security has broadened to include mobile applications. Because of the constraints imposed by the interfaces of many such devices, developers sometimes work from the flawed assumption that client-side input validation is sufficient protection against attacks. However, the requests sent by a mobile application can be intercepted and manipulated exactly as those of a traditional web application can, so the client cannot be trusted and every input must be validated again on the server. With sensitive data stored on devices and on the servers they use, protecting users from attackers is critical. This tutorial shows how several types of vulnerabilities occur and some of the countermeasures that mitigate attempts to exploit them. The following types of vulnerabilities are covered:
- Cross-site scripting
- Cross-site request forgery
- Broken access control
- SQL injection
- File inclusion
- OS command injection
- Scripting language injection
- Arbitrary file creation
All vulnerabilities and countermeasures are demonstrated using a sample application built with jQuery Mobile, PHP, and MySQL. (See Download for a .zip file with the sample code.)
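To make the point about untrusted clients concrete before the individual vulnerabilities are covered, here is an added example (it is not part of the tutorial's sample application). It assumes a hypothetical endpoint, `age.php`, that receives an `age` field from a jQuery Mobile form. The client-side check shown in the comment runs only in the browser; a request replayed through a debugging proxy or sent with `curl` never executes it, so the server repeats the validation. The code is written to run on PHP 5.3, the version the tutorial uses.

```php
<?php
// Added example, not the tutorial's own code. Hypothetical endpoint age.php
// that receives the "age" field posted by a jQuery Mobile form.
//
// The form's client-side check on the device might look like this:
//   $('#signup').submit(function () {
//       return /^\d{1,3}$/.test($('#age').val());   // runs only in the browser
//   });
// A request that bypasses the form never runs that code, for example:
//   curl -d 'age=<script>alert(1)</script>' http://localhost/age.php
// so the server must validate the value again itself.

/**
 * Validate the age field on the server.
 * Returns the integer on success, or null if the value is missing or is
 * not a plain decimal integer in the range 0..150.
 */
function validate_age($raw)
{
    if (!is_string($raw)) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects anything that is not a plain decimal
    // integer: "42abc", "4e1", " 42", and the script payload above all fail.
    $age = filter_var($raw, FILTER_VALIDATE_INT, array(
        'options' => array('min_range' => 0, 'max_range' => 150),
    ));
    return $age === false ? null : $age;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $age = validate_age(isset($_POST['age']) ? $_POST['age'] : null);

    header('Content-Type: text/plain; charset=utf-8');
    if ($age === null) {
        // Reject the request; do not echo the rejected value back.
        header('HTTP/1.1 400 Bad Request');
        echo "Invalid age\n";
        exit;
    }

    // Output encoding is kept even for a validated integer: validation and
    // encoding are separate defenses and are applied independently.
    echo 'Age accepted: ' . htmlspecialchars((string) $age, ENT_QUOTES, 'UTF-8') . "\n";
}
```

Sending `age=30` returns `Age accepted: 30`, while the `curl` request in the comment, or any value the browser-side regular expression would have blocked, is answered with a 400 response regardless of what the device's JavaScript did or did not check.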
You will need the following tools to complete this tutorial:
- Web server — You can use any web server with PHP support. Many of the exploits throughout this tutorial are Windows-specific, but they can be adapted for other operating systems. Suggested web servers are Apache or IBM HTTP Server.
- PHP — Some of the attacks described rely on behavior that later PHP releases changed and therefore do not work against the latest version, so PHP 5.3.1 was used. Such incompatibilities are noted throughout the tutorial.
- MySQL — This tutorial uses MySQL, an open source database. Version 5.1.41 was used for this tutorial, but other versions should work fine.
- Web debugging proxy — Because a way of intercepting and manipulating HTTP requests is necessary, a web debugging proxy is very helpful. Throughout this tutorial, Fiddler is used, but any other web debugging proxy that allows requests to be modified works.
- jQuery Mobile — The front end of the sample application built in this tutorial uses jQuery Mobile 1.0 Alpha 3.
See Resources for helpful links.