Ecommerce Security Report Vulnerabilities In Web Goat Computer Science Essay


Structured Query Language (SQL) is a special-purpose programming language used to send queries to a database. Applications generally build SQL statements from user-supplied data.

SQL injection is a technique that exploits a security vulnerability in the database layer of an application. Malicious code is inserted into a string and passed to the SQL server, which executes every syntactically valid query it receives. Once such queries are executed they can deface or damage the website. This lets an attacker gain control of all database resources accessible to the particular database user, and possibly execute commands on the hosting system. The most basic form of SQL injection inserts malicious code into a user-input variable; the malicious code is concatenated with the SQL command and executed. Sometimes the vulnerability lies in the database server software itself, for example attacks that rely on bad Unicode characters. SQL injection may arrive through text boxes, query strings and manipulated values in HTML.


As stated in Halfond et al. (2006), these are the important SQL injection types.

Piggy-backed queries: additional queries are inserted along with the original query. The vulnerability behind this attack depends entirely on the database configuration, which must allow several statements to be assembled into a single string.

Tautologies: the attacker crafts a query that evaluates to true for every entry in the database. The most common use is to bypass authentication pages and extract data. Because SQL injection is a dangerous web-application attack, never try it on a live website; to illustrate the mechanism WebGoat is used here. In the scenario below the task is to display the database details of a weather station. Initially a particular weather station (101) is selected; WebScarab intercepts the request, and the station parameter is modified in WebScarab to "101 or 1=1" (this is a numeric SQL injection). Once "Accept changes" is clicked, every weather station in the database is listed.

[WebGoat screenshots of the numeric SQL injection exercise omitted] Source (OWASP, 2011)

Alternate encoding: the attack is encoded to avoid naive input filtering. The injected code is modified to avoid detection by defensive coding practices and by many automated prevention techniques.

Inference: the attacker infers the value of data from the behaviour of the application. The query is modified so that it is recast as an action whose outcome depends on a true-or-false question about data values in the database.

Stored procedures: a stored procedure is a subroutine available to the application for accessing the relational database, invoked with a CALL statement (Authorstream, ND).


As suggested by Halfond et al. (2006), SQL injection uses the following mechanisms:

Injecting through user input: the attacker injects SQL commands through suitable user inputs. How a web application reads user input depends on the environment it is deployed in; typically inputs come from form submissions sent to the web application via HTTP GET or POST requests.

Injecting through cookies: cookies store state information generated by the web application and kept on the client machine. The client controls cookie storage, so if the web application uses cookie values to build SQL queries, an attacker can embed malicious code in a cookie and submit an attack.

Injecting through server variables: server variables are a collection of values such as HTTP and network headers and environment variables. If these variables are not sanitized they create an SQL vulnerability. Attackers can forge values that are placed directly in HTTP and network headers; the vulnerability is exploited by placing an SQLIA directly in a header, and when the server variable is issued to the database the attack in the forged header is triggered.

Second-order injection: the attack is triggered in a later phase of database use, not when the input first reaches the database. For example, a pin-change query is built as:

queryString = "UPDATE users SET pin=" + newPin + " WHERE username='" + username + "' AND pin=" + oldPin;

With the stored username admin'-- the generated statement becomes:

UPDATE users SET pin='0' WHERE username='admin'--' AND pin=1

The comment marker (--) discards the rest of the statement, so the pin check never applies.
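The two injections above (the numeric tautology "101 or 1=1" from the weather-station exercise and the second-order admin'-- pin change) are reproduced here in an added Python example; it is not part of the essay or of WebGoat. It uses an in-memory SQLite database with constructed sample tables, and shows each concatenated query beside its parameterized form, the "prepared statements" remedy from the mitigation list later in this essay.

```python
import sqlite3


def make_db():
    """Constructed sample tables standing in for WebGoat's weather and users data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE weather_data(station INTEGER, name TEXT, temp INTEGER);
        INSERT INTO weather_data VALUES (101, 'Columbia', 30), (102, 'Seattle', 20),
                                        (103, 'New York', 25);
        CREATE TABLE users(username TEXT, pin INTEGER);
        INSERT INTO users VALUES ('admin', 1), ('bob', 1234);
    """)
    return db


# Vulnerable: the station parameter is concatenated straight into the query, so
# the tautology "101 or 1=1" makes the WHERE clause true for every row.
def stations_vulnerable(db, station):
    sql = "SELECT station, name, temp FROM weather_data WHERE station = " + station
    return db.execute(sql).fetchall()


# Fixed: the value is bound as a parameter. It is compared as data against the
# INTEGER column, so "101 or 1=1" can never become part of the query structure
# (input validation would additionally reject it before the query is built).
def stations_safe(db, station):
    sql = "SELECT station, name, temp FROM weather_data WHERE station = ?"
    return db.execute(sql, (station,)).fetchall()


def register(db, username, pin):
    """Registration binds the username, so admin'-- is stored verbatim and harmlessly."""
    db.execute("INSERT INTO users VALUES (?, ?)", (username, pin))


# Second-order injection: the stored username is later concatenated without escaping.
# For admin'-- the statement becomes
#   UPDATE users SET pin=0 WHERE username='admin'--' AND pin=9999
# and everything after -- is a comment, so admin's pin is reset.
def change_pin_vulnerable(db, username, old_pin, new_pin):
    sql = ("UPDATE users SET pin=" + str(new_pin) + " WHERE username='" + username
           + "' AND pin=" + str(old_pin))
    db.execute(sql)
    return sql


def change_pin_safe(db, username, old_pin, new_pin):
    """Parameterized form: only the row whose username and pin both match is updated."""
    cur = db.execute("UPDATE users SET pin=? WHERE username=? AND pin=?",
                     (new_pin, username, old_pin))
    return cur.rowcount


def admin_pin(db):
    return db.execute("SELECT pin FROM users WHERE username='admin'").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(stations_vulnerable(db, "101 or 1=1"))   # all three stations
    print(stations_safe(db, "101 or 1=1"))         # no rows
    register(db, "admin'--", 9999)
    change_pin_safe(db, "admin'--", 9999, 0)
    print(admin_pin(db))                            # still 1
    change_pin_vulnerable(db, "admin'--", 9999, 0)
    print(admin_pin(db))                            # now 0
```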


As discussed by Curphey et al. (2002), the following are known SQL injection threats.

The attacker exploits a vulnerability in input validation to run arbitrary commands on the database. The threat arises when the web application uses dynamic SQL statements to access the database, or when code calls stored procedures with strings that may contain unfiltered user input. The attacker could remove, add, modify, retrieve or cripple data in the database, perform a denial of service against the web application, and bypass authentication.


Trust nobody: validate every piece of user-submitted data.

Avoid dynamic SQL: use stored procedures, prepared statements and parameterized queries.

Update and patch: fix vulnerabilities found in the application and database regularly.

Firewall: use a web application firewall to filter out malicious data.

Reduce the attack surface: get rid of unwanted database functionality.

Appropriate privileges: use admin privileges only when needed; otherwise use limited privileges.

Maintain secrets: encrypt and hash passwords and confidential data.

Don't divulge information: hackers learn the database architecture from error messages.

Follow the basics: change the passwords of the application's database accounts.

Better software: fix security flaws in custom applications as the software is developed (Enterprisenetworkingplanet, 2010).


As stated in Halfond et al. (2006), the following prevention and detection measures can be followed:

Penetration testing: evaluates the security of a computer or network by simulating an attack from a malicious source.

Proxy servers: an intermediary server that passes client requests on to other servers according to its filtering rules.

Static analysis of code: examines program code for defects without executing it.

Defensive coding: secure programming minimizes bugs; bugs can otherwise allow an attacker to perform denial of service, code injection and so on (Author stream, ND).

Intrusion detection: builds a model of typical SQL queries, monitors the application at runtime and flags queries that do not match the model.

Instruction set randomization: queries are written with a randomized instruction set instead of the standard SQL keywords; a proxy filter intercepts queries to the database and de-randomizes the keywords.

Taint approach: variables that can be modified by outside users pose a threat. If such a variable is used in an expression that is executed as an SQL command, the taint checker warns about the dangerous tainted variable.

Combined static and dynamic analysis: AMNESIA is a model-based technique that combines a static and a dynamic phase.

Static: builds a query model containing the types of queries the application can issue at each point where it accesses the database.

Dynamic: AMNESIA intercepts and monitors all queries sent to the database and checks them against the statically built model.

Finally, queries identified as malicious are prevented from executing on the database (Author stream, 2009).



Cross-site scripting (XSS) is a dangerous client-side attack in which an attacker builds a malicious link containing script code that is executed in the victim's browser. The script can be in any language the browser supports, in practice HTML or JavaScript, possibly combined with embedded Flash, Java or ActiveX. XSS can be used to hijack a session, conduct phishing attacks, attack the browser and probably even spread worms. For the attack to succeed, though, the victim must click the malicious link or visit a malicious page controlled by the attacker. A website that uses dynamic content is most likely to be vulnerable to XSS (r00tsecurity, 2010).


There are two basic types of XSS.

Reflected XSS: the attack is carried out on an unsuspecting user who is directed by the malicious user to an XSS-vulnerable web application; once the victim enters the website or application, the malicious user's attack is executed. The attacker sends the malicious URL, with the attack in its URL parameters, to the unsuspecting user by email, instant message, forum or blog post. Typically the attack is URL-encoded or hex-encoded to make it valid (Testing security, 2006).

Because cross-site scripting is a dangerous web-application attack, never try it on a live website; to illustrate the mechanism WebGoat is used here. In the scenario below you know a person's credit card information but not the security code on the back of the card. Just insert a script such as <script>alert('BANG!')</script>; you might break in and purchase something with the card.

[WebGoat screenshots of the reflected XSS exercise omitted] Source (OWASP, 2011)

Stored XSS: stored XSS can be far more dangerous than reflected XSS. The attacker stores an attack that is invoked later against an unsuspecting user. The attack is stored by some means for later execution; the storage might be a database, blog or forum. In the scenario below a malicious attacker creates a message containing JavaScript and stores it in a location that is later shown to an unsuspecting user; once he clicks the message link the XSS attack runs in his web browser (Testing security, 2006).

[WebGoat screenshots of the stored XSS exercise omitted] Source (OWASP, 2011)


Scripting via a malicious link: in this scenario the attacker builds a malicious link containing script for the victim. For example:

<A HREF=<SCRIPT>malicious code</SCRIPT>>Click here</A>

Source (IBM, 2002)

When an unsuspecting user clicks the malicious link, the URL including the malicious code is sent to the legitimate server; if that server sends a page back to the user that includes the client profile information, the malicious code is executed in the client's web browser (IBM, 2002).


Nowadays most websites are highly interactive, allowing users to interact with their contents. Common interactive elements are search fields, login forms, comment fields and feedback fields. It is reported that about 90% of websites on the internet are XSS-vulnerable due to lack of security (xssed, 2007).

A malicious user can take over a user's session before the session cookie expires.

A hacker can connect users to a malicious server of the attacker's choice.

Users can unknowingly execute malicious scripts by viewing dynamically generated pages built from content provided by an attacker.

The attacker gains the privileges of the user who accessed the attacker-generated URL, and might for instance start issuing queries to the SQL database; faulty implementation on the target system could then be exploited (IBM, 2002).


The book by Grossman et al. (2007) gives some basic ways to mitigate XSS.

Filtering: sanitize all user input and filter the special characters defined in the HTML specification. Every input field, including link parameters, must be validated for script tags.

Encoding: XSS can be mitigated when the web server ensures that web pages are properly encoded to prevent the execution of scripts. Server-side encoding replaces script tags with their encoded equivalents.

Disabling features: disabling certain features such as JavaScript, Java, ActiveX, VBScript and QuickTime allows a safer browsing experience.

Virtual machine: browsing in a virtual machine means that if anything strange happens during the current session, important data on the main machine remains protected.

Defend your web mail: users should use strong passwords and change them periodically.

Beware of overly long URLs: if a URL is very long and heavily disguised with URL-encoded percent characters, decode it to check for HTML tags embedded within.
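The Filtering and Encoding items above, applied to the stored-message and security-code scenarios from the WebGoat exercises, as an added Python example that is not part of the essay or of WebGoat. The stored messages are constructed sample data; the rendering functions are assumed for illustration and do not represent WebGoat's own code.

```python
import html
import re

# Constructed stored messages: the second is the kind of payload the stored-XSS
# exercise describes, sitting in the database waiting for a viewer.
MESSAGES = [
    ("alice", "Meeting at 10"),
    ("mallory", "<script>alert('BANG')</script>"),
]


def render_vulnerable(messages):
    """Interpolates stored text straight into HTML; the script runs in every viewer's browser."""
    rows = "".join(f"<li><b>{user}</b>: {text}</li>" for user, text in messages)
    return f"<ul>{rows}</ul>"


def render_encoded(messages):
    """Output encoding: every untrusted value is HTML-escaped before it reaches the page,
    so <script> arrives in the browser as the literal text &lt;script&gt;."""
    rows = "".join(
        f"<li><b>{html.escape(user)}</b>: {html.escape(text)}</li>"
        for user, text in messages
    )
    return f"<ul>{rows}</ul>"


def contains_script(page):
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in page.lower()


# Input validation (the Filtering item): the card security code in the reflected
# exercise can only ever be 3 or 4 digits, so anything else is rejected before
# it is echoed back into a page. Allow-listing the expected shape is far more
# robust than trying to strip out known-bad tags.
SECURITY_CODE = re.compile(r"\d{3,4}")


def validate_security_code(value):
    return SECURITY_CODE.fullmatch(value) is not None


if __name__ == "__main__":
    print(render_vulnerable(MESSAGES))
    print(render_encoded(MESSAGES))
    print(validate_security_code("123"), validate_security_code("<script>alert('BANG')</script>"))
```

Encoding happens at output time and validation at input time; a page needs both, because stored data may have entered the system through a path that never validated it.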


Curphey et al. (2003) give the following definition of session management.

Session management for a web application is an application-layer responsibility. It is an essential security feature in the majority of web applications: it is responsible for identifying the user across different requests, and it logs and manages the data it accumulates about the user's interaction with the web application.

Session management is a prime target for attackers. If an attacker can break the web application's session management he can easily bypass authentication, take control and masquerade as legitimate application users without knowing their credentials. If an attacker compromises an admin user in this way he can take over the entire application.

There are two types of session management.

In-process session management: the session is stored in the application's own memory.

Out-of-process session management: sessions are not stored in application memory but at a separate destination such as a SQL server or web server. Out-of-process mode comes in two kinds: with SQL Server, sessions are stored in a SQL Server database; with a state server, sessions are stored on separate servers (Allinterview, 2009).


A session fixation attack can be used to explain the mechanism of session management. A session fixation attack can be explained in three steps:

Session set-up: the attacker sets up a trap session on the target server to obtain its session ID, or selects an arbitrary session ID to be used in the attack. Sometimes the session has to be kept alive by continuously sending requests so that it does not time out.

Source (acrosssecurity, 2002)

Session fixation: the attacker introduces his session ID into the user's browser, thereby fixing the session.

Session entrance: the attacker waits until the user logs in to the target server using the fixed session ID, and then enters the user's session (across, 2007).

Because session fixation is a dangerous web-application attack, never try it on a live website; to illustrate the mechanism WebGoat is used here. In the scenario below, the first step is to prepare a mail that resembles a mail from Goat Hills Financial, with a link embedding the session ID. To achieve this, &SID=WHATEVER is added to the link.

[WebGoat screenshot omitted] Source (OWASP, 2011)

In the second step the user, Jane, receives the email and hovers the mouse over the link; the address bar shows the SID. She just needs to click the link from Goat Hills Financial.

[WebGoat screenshot omitted] Source (OWASP, 2011)

In step 3 she is prompted to log in to Goat Hills Financial, with the session ID visible in the address bar. The user just needs to log in with username and password to get into Goat Hills Financial.

[WebGoat screenshots omitted] Source (OWASP, 2011)

In stage 4 the hacker clicks the prepared link to reach Goat Hills Financial. When the hacker clicks the link his address bar shows NOVALIDSESSION; he just needs to change that to &SID=WHATEVER, and the session fixation attack is complete.

[WebGoat screenshots omitted] Source (OWASP, 2011)
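The server-side condition that makes the walkthrough above work, and the fix, as an added Python example (not from the essay, WebGoat or the ACROS paper). The session store, the user table and the credentials are constructed for the example. The vulnerable login adopts whatever SID the request carries (the &SID=WHATEVER from the prepared link) and then binds Jane's identity to it; the fixed login discards any client-presented SID at authentication and issues a fresh server-generated one, so the attacker's fixed value never becomes an authenticated session.

```python
import secrets

# Constructed credentials for the example only.
USERS = {"jane": "tarzan"}


def check_password(username, password):
    return USERS.get(username) == password


class SessionStore:
    """In-process session store: sid -> session data."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        # 32 random bytes, URL-safe: the client can never guess or choose this value.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        session = self.sessions.get(sid)
        return session["user"] if session else None


def login_vulnerable(store, request_sid, username, password):
    """Adopts the SID found in the request and authenticates it. Whoever planted
    that SID (the attacker's link) now holds an authenticated session for the victim."""
    if not check_password(username, password):
        return None
    store.sessions.setdefault(request_sid, {"user": None})["user"] = username
    return request_sid


def login_safe(store, request_sid, username, password):
    """Regenerates the session ID on authentication. Any SID the client presented
    is dropped, and the only authenticated SID is one the server just generated
    and sent to this browser alone."""
    if not check_password(username, password):
        return None
    store.sessions.pop(request_sid, None)
    sid = store.new_session()
    store.sessions[sid]["user"] = username
    return sid


if __name__ == "__main__":
    fixed = "WHATEVER"
    store = SessionStore()
    login_vulnerable(store, fixed, "jane", "tarzan")
    print("vulnerable:", store.user_for(fixed))    # jane: attacker's SID is now hers
    store = SessionStore()
    fresh = login_safe(store, fixed, "jane", "tarzan")
    print("safe:", store.user_for(fixed), store.user_for(fresh))   # None jane
```

The regeneration in login_safe is the single control that defeats fixation; the SID-in-URL (&SID=...) design of the exercise additionally leaks the value in referrer headers and logs, which is why session IDs belong in cookies rather than query strings.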


As discussed in Curphey et al. (2003), session management is an important security factor: if an attacker breaks into a session, authentication on the web application can easily be bypassed.

The top session management threats include:

session hijacking

session replay

man in the middle

Session hijacking: can be carried out if an attacker monitors the network with software that captures the authentication cookie representing a user's session with an application. Once the cookie is captured the attacker can spoof the user's session and gain access to the web application, with exactly the same privileges as the legitimate user.

Session replay: the attacker intercepts, steals and submits the authentication cookie to bypass authentication.

Man in the middle: when a message is sent to a recipient, the attacker intercepts it, changes it and forwards it to the original recipient. The recipient acts on it and sends a reply to the original sender; that reply is also captured by the attacker, altered and sent back to the original sender. Neither the original sender nor the receiver is aware of the attack.

As discussed by Curphey et al. (2003), the following steps mitigate these threats:

SSL provides a secure communication channel; the authentication cookie is sent only over an HTTPS connection.

Limit the session cookie's expiration time to reduce the window available to an attacker.

Provide a "do not remember me" option so that no session data is stored on the client.

Critical functions should require re-authentication.

Use cryptography to encrypt the message before it is sent to the recipient.

HMACs can be used to check that the data received is the original data sent by the sender.
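Two of the items above, a limited cookie lifetime and an HMAC over the data, combined in one session cookie, as an added Python example that is not from the essay or from the cited Microsoft guidance. The cookie format (sid.expiry.mac) and the server secret are assumptions made for the example; in a real deployment the secret comes from a key store and is rotated. The MAC covers both the session ID and the expiry, so a client cannot extend its own session or substitute another ID, and the timestamp check enforces the expiration window on the server rather than trusting the browser to discard the cookie.

```python
import base64
import hashlib
import hmac
import time

# Placeholder server secret for the example; never hard-code a real one.
SECRET = b"constructed-server-secret-replace-me"


def issue_cookie(session_id, lifetime_seconds, now=None):
    """Cookie value is sid.expiry.mac, with the MAC computed over sid.expiry."""
    now = int(time.time()) if now is None else now
    payload = f"{session_id}.{now + lifetime_seconds}".encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return payload.decode() + "." + base64.urlsafe_b64encode(mac).decode()


def verify_cookie(cookie, now=None):
    """Returns the session id if the MAC matches and the cookie is unexpired, else None.
    Every failure path returns None so malformed, forged and stale cookies look alike."""
    now = int(time.time()) if now is None else now
    try:
        sid, expiry_text, mac_b64 = cookie.rsplit(".", 2)
        expiry = int(expiry_text)
        given = base64.urlsafe_b64decode(mac_b64)
    except ValueError:            # wrong field count, non-numeric expiry, bad base64
        return None
    expected = hmac.new(SECRET, f"{sid}.{expiry}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):   # constant-time comparison
        return None
    if now >= expiry:
        return None
    return sid


if __name__ == "__main__":
    cookie = issue_cookie("abc", lifetime_seconds=600, now=1000)
    print(cookie)
    print(verify_cookie(cookie, now=1500))   # abc
    print(verify_cookie(cookie, now=1600))   # None: expired
```

A signed cookie proves integrity, not secrecy: the session ID is still readable by anyone who captures the cookie, which is why it must travel only over HTTPS (the first item in the list) and why a short lifetime limits the damage of a replay.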


As discussed by Curphey et al. (2003), the following definition can be elaborated.

Weak authentication greatly increases the identity spoofing threat. If an attacker obtains a user's logon credentials, the attacker can spoof the user's identity and gain access to the web application with the same level of privilege as that user. Credentials must be protected while they are sent across the network and handled by the application. The authentication cookie that represents an authenticated identity to the application after the initial logon must also be protected, to mitigate the risk of session hijacking and session cookie replay attacks.

Authentication defines the rules about security information, such as whether credentials are forwarded to the next process and the formats in which security information is stored in credentials and tokens. For example, WebSphere Application Server collaborates with a user registry: a user registry is a repository of user accounts and groups that an authentication mechanism consults before performing authentication.

Source (IBM, 2010)

A credential is created by the authentication mechanism. The configured authentication mechanism determines the abilities of credentials, and not all credentials are equal. Authentication is required for enterprise-level clients and web clients to access protected resources. An enterprise bean client can send authentication information to the application server through the following protocols:

Common Secure Interoperability Version 2 (CSIv2)

Secure Authentication Service (SAS)

Web clients always use the HTTP or HTTPS protocol to send authentication information across the network. The authentication information may come from credential tokens, basic authentication or a client certificate. Web authentication is performed by the web application module using a Java Authentication and Authorization Service (JAAS) login module. The web authenticator and the EJB authenticator pass the authentication data to the login module, which authenticates it using the following mechanism.

Simple WebSphere authentication

The registry is configured on the system to carry out authentication in an authentication module. The web authenticator and the enterprise bean authenticator use an Object Request Broker to store user credentials once authentication succeeds. If these types of authentication are not followed, the application falls into weak authentication, so the above procedure can be applied to build a strongly authenticated web application server (IBM, 2010). Because weak authentication is a dangerous web-application attack, never try it on a live website; to illustrate the mechanism WebGoat is used here. In the scenario below the user logs in with username and password; the next request is intercepted with WebScarab, the hidden username field is changed, and you are logged in as whichever user you specified.

[WebGoat screenshots of the hidden-field exercise omitted] Source (OWASP, 2011)
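The defect behind the hidden-field exercise above, and its correction, as an added Python example that is not from the essay or from WebGoat. The request and session objects are plain dictionaries constructed for the example. The vulnerable handler decides who the caller is from a field the browser submitted (the hidden username that WebScarab lets you edit), while the safe handler takes identity only from the server-side session established at login and ignores any identity claim in the form.

```python
# Constructed user table for the example: username -> (password, balance).
ACCOUNTS = {
    "jeff": ("jeff", 100),
    "dave": ("dave", 200),
}


def login(session, username, password):
    """Establishes identity in server-side state; this is the only place it is set."""
    record = ACCOUNTS.get(username)
    if record is None or record[0] != password:
        return False
    session["user"] = username
    return True


def whoami_vulnerable(session, form):
    """Trusts the hidden 'user' field from the form. Editing that field in an
    intercepting proxy changes who the server believes is logged in."""
    return form.get("user")


def whoami_safe(session, form):
    """Identity comes only from the session the server created at login.
    Client-supplied fields about identity are never consulted."""
    return session.get("user")


def account_page(session, form, identity_fn):
    """Renders the balance for whoever identity_fn says the caller is."""
    user = identity_fn(session, form)
    if user is None or user not in ACCOUNTS:
        return "403 Forbidden"
    return f"Welcome {user}, balance {ACCOUNTS[user][1]}"


if __name__ == "__main__":
    session = {}
    login(session, "jeff", "jeff")
    tampered_form = {"user": "dave"}          # hidden field rewritten in the proxy
    print(account_page(session, tampered_form, whoami_vulnerable))   # dave's balance
    print(account_page(session, tampered_form, whoami_safe))         # jeff's balance
```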


As discussed by Curphey et al. (2003), the following threats are found in real-world scenarios.

If an authentication mechanism is not properly chosen and implemented it is vulnerable, and an attacker may exploit it to gain access to the system. The top threats today due to improper authentication are:

Network eavesdropping: occurs when authentication data is sent across the network between client and server; an attacker using network monitoring software captures the traffic and obtains the username and password.

Brute force attack: uses computational power to crack hashed passwords and the like; use strong passwords to resist brute force.

Dictionary attack: the attacker uses a program to iterate through all the words in a dictionary to crack a password.

Cookie replay attack: the attacker captures a cookie using network monitoring software and replays it to gain access to the web application.

Use strong authentication to protect passwords, since passwords are created, managed and used by humans. Some best practices that address weak authentication are:

Create an extensive defensive model.

Educate users on how to protect their accounts from unauthorized access.

Use the System Key utility (Syskey) throughout the network. Syskey uses strong encryption to secure the account password information stored in the Security Accounts Manager (SAM) database.

Make sure every user follows the password policy guidelines.

Define a password policy:

Enforce password history: the policy remembers previous passwords, so users cannot reuse a password once it has expired.

Maximum password age: passwords expire fairly often, with a 30-90 day period; with this policy an attacker who obtains a password can use it only until it expires.

Password complexity: checks that newly entered passwords meet the basic strong-password requirements.

Minimum password age: passwords cannot be changed again until a certain period of time has passed.

Best practices for password protection:

Passwords should never be shared.

Use different passwords for different user accounts.

Change passwords if they are compromised.

Always use strong passwords (msdn, 2005).
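The four password-policy rules above (history, maximum age, complexity, minimum age) enforced together, as an added Python example that is not from the essay or from the cited MSDN guidance. The thresholds are assumptions chosen for the example (90 days from the 30-90 day range given above, 1 day minimum age, 5 remembered passwords, 12 characters and three character classes for complexity); the stored passwords are salted PBKDF2 hashes so that the history check never keeps old passwords in the clear.

```python
import hashlib
import hmac
import re
import secrets

# Assumed policy values for the example.
MAX_AGE_DAYS = 90        # upper end of the essay's 30-90 day range
MIN_AGE_DAYS = 1
HISTORY_DEPTH = 5
MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000
DAY = 86400


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest so each entry is self-contained."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def password_matches(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def is_complex(password):
    """Complexity rule: minimum length plus at least three of four character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    hits = sum(1 for pattern in classes if re.search(pattern, password))
    return len(password) >= MIN_LENGTH and hits >= 3


def new_account(password, now):
    """Account record: hashed password history plus the time of the last change."""
    return {"history": [hash_password(password)], "changed_at": now}


def check_change(account, new_password, now):
    """Returns None if the change is allowed, otherwise the name of the rule that rejects it."""
    if now - account["changed_at"] < MIN_AGE_DAYS * DAY:
        return "minimum-age"
    if not is_complex(new_password):
        return "complexity"
    # History rule: compare against the last HISTORY_DEPTH hashes, never plaintext.
    if any(password_matches(new_password, old) for old in account["history"][-HISTORY_DEPTH:]):
        return "history"
    return None


def apply_change(account, new_password, now):
    account["history"].append(hash_password(new_password))
    account["changed_at"] = now


def is_expired(account, now):
    """Maximum-age rule: the password must be changed once MAX_AGE_DAYS have passed."""
    return now - account["changed_at"] >= MAX_AGE_DAYS * DAY


if __name__ == "__main__":
    acct = new_account("Correct-Horse-9", now=0)
    print(check_change(acct, "Other-Horse-10", now=3600))        # minimum-age
    print(check_change(acct, "short1A!", now=2 * DAY))           # complexity
    print(check_change(acct, "Correct-Horse-9", now=2 * DAY))    # history
    print(check_change(acct, "Another-Stable-7", now=2 * DAY))   # None
    apply_change(acct, "Another-Stable-7", now=2 * DAY)
    print(is_expired(acct, now=2 * DAY + 90 * DAY))              # True
```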


Vulnerabilities in web applications can be protected against with the counter-measures described above. Follow strong authentication methods to avoid vulnerabilities such as SQL injection, cross-site scripting and session management attacks.


Allinterview. (2009, ND ND). Types of session management. Retrieved January 14, 2011, from Allinterview:

Authorstream. (2009, February 2009). SQL injection. Retrieved January 14, 2011, from Authorstream:

Enterprise Networking Planet. (2010, February 23). 10 Ways to Prevent or Mitigate SQL Injection Attacks. Retrieved January 14, 2011, from Enterprise Networking Planet:

IBM. (2010, September 20). Authentication mechanisms. Retrieved January 14, 2011, from IBM:

IBM. (2002, September 2002). Cross-site scripting. Retrieved January 14, 2011, from IBM:

Grossman, J., et al. (2007). XSS Attacks: Cross Site Scripting Exploits and Defense. Burlington: Syngress.

Kolsek, M. (2007, February ND). Session Fixation Vulnerability in web-based application. Retrieved January 14, 2011, from acros:

Curphey, M., et al. (2003). Improving Web Application Security: Threats and Countermeasures. ND: patterns & practices.

msdn. (2005, January 15). Password Best practices. Retrieved January 14, 2011, from msdn:

OWASP. (2011, January 4). Category:OWASP WebGoat Project. Retrieved January 14, 2011, from OWASP:

ROOTSECURITY. (2010, January 2010). XSS Tutorial - From Bug to Vulnerability. Retrieved January 14, 2011, from ROOTSECURITY:

Testingsecurity. (2006, ND ND). XSS Injection Vulnerabilities. Retrieved January 14, 2011, from Testingsecurity:

William G.J. Halfond, J. V. (2006, March 14). A Classification of SQL Injection Attacks and countermeasures. Retrieved January 14, 2011, from gatech:

xssed. (2007, May 15). Kr3w's Cross-Site Scripting Tutorial. Retrieved January 14, 2011, from xssed: