Application Security And Cross Site Scripting Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Protecting applications in the cloud has become a major issue with both cloud service providers and their clients, as more and more companies and clients are migrating their applications towards the cloud to preserve their own local resources for productivity. A report in 2008 performed by Cenzic showed that 80 % of vulnerabilities are related to web technologies:

Some of the major threats which according to Cenzic cloud computing apps can suffer from are namely: Cross Site Scripting, Injection, Cross Site Request Forgery, Information leakage and improper error handling, and Broken authentication and Session Management.

Cross Site Scripting (a.k.a. XSS) happens when a web application is used to store a script, transport and deliver malicious active content to an unsuspecting user. The root cause for this threat is the inability to remove or reject malicious characters in such scripts at the input and output phases. Its impact is important, since if a user gets such a script, he/she may then be subject to theft of cookie sessions, credential thefts or even browser hijacking. Thus, to avoid such untrusted content, the use of input filtering is highly recommended, whereby whitelists and blacklists could be used to filter out such scripts.

Injection is usually associated with SQL, whereby again the use of special characters in a query can compromise database contents. The cause is yet again the inability of successfully parsing and removing special characters in commands or queries, whereby unauthorized access is provided to manipulate private data. One solution for this threat is to parameterized all queries and to scrub and validate all input before processing.

Cross Site Request Forgery is mostly related to attackers making legitimate web requests to a web-based application, using the victim's browser, but without the latter knowing it. These requests can include using that person's username to perform transactions or logging to confidential sites. Such attacks are part of the cookie-theft exploitations. One way to prevent such attacks is to use one-time tokens, whereby passwords given to users are valid for a one-time login then changed once a session was open with it. Also HTTP Referrer headers validation could also be used to prevent such threats.

Information leakage and improper error handling can affect in the following ways:

Disclosure of configuration and data

Revealing how the application works internally

One way to prevent this is to make proper use of error handlers which can return appropriate messages when errors are encountered, or not to disclose log information and paths in case user requests were not processed properly.

Broken authentications and session management deals with how the system manages users' sessions and logins when they are accessing the cloud server to open an application. In many cases, cookies are used to control sessions, and authentication is managed via usernames and passwords in use. To protect authentication, users are usually requested to use strong passwords and change them regularly. Also logout mechanisms are used to terminate sessions properly, else it may happen a user has closed connection but his session is still open, thus allowing unwanted parties to get access to his contents.

Another type of issue which exists is physical risks, which involves physical destruction of data stored. This can be due to natural circumstances, like floods, earthquakes, and other natural calamities which may occur. In these cases, the company acting as the server should make sure the buildings and infrastructures are protected to ensure safety of the materials, thou in cases of earthquakes it will be very unlikely, or in some cases, provide regular backups to the clients, who then store them on their own premises or elsewhere for safety.

Google Apps is one example of applications running in the cloud. Google has put together several security policies to counter the threats that may crop up when running the apps on the web.

Their first policy deals with organizational policies, which encloses Information Security, Global Internal Audit and Global compliance, and Physical Security. Concerning Information Security, Google has set up teams to monitor the company's perimeter defense, and scan all activities which are transited through the Google networks. They also comply with routine security checks, as well as internal audits. Ongoing analysis of possible threats is performed while trying to find plausible solutions for them. Moreover, developers are provided with proper trainings to comply with Google's security policies, as well as to code securely. Google also provide external information by organizing conferences and other communication methods to make users aware of threats that they may be exposing themselves or others so as to reduce security threats.

Google also has a Global compliance function which makes sure they follow standards and rules which have been set globally in the case of using cloud computing infrastructures, as well as a Global Internal audit function, which ensures the said compliances are being followed at any point in time.

Concerning physical security, Google has highly trained officers who make sure the Google premises as well as data center facilities are well guarded.

Another group of security which Google imposes is the Asset Classification and Control, which includes Information Access, whereby Google uses many techniques to protect user information, such as layers to structure and store data, use of certificates (x509 certificate), assigning of privileges to users, example system admins, or normal users. In doing so, Google can restrict operations carried out by these users depending on their access rights. Google also makes use of Personnel security, whereby employees need to follow defined guidelines and behave in a very professional manner when confidentiality and other issues are involved.

Google also has to ensure Environmental Controls, whereby data center facilities need to run 24x7, must be fault tolerant, and allow maximum usage of resources available. It also has to make sure proper detectors are available in case of fire breakouts or abrupt changes in temperatures in the data center facilities.

At the Operational Security level, Google has to ensure no malware is found in its servers at any point in time, and thus needs to implement proper techniques to detect, and eradicate those malwares in ever present. Monitoring is carried out throughout on the networks to detect any potential vulnerability, and system logs are made available to the security teams. Proper firewalls need also be present for network security, along with proper authorization levels for personnel and user access. Google also applies Single Sign On techniques for its users, whereby they make use of tokens, and also enforces the HTTPS protocol mostly for services such as Google Docs and Gmail.