This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
Changes in business environments and the advances in web technologies have made the services of corporate, public and private firms to be more widespread over the web by making use of web applications. Although web services can provide greater convenience, flexibility and efficiency, they also possess great number of threats which could be a significant risk for the organization if not properly dealt with. This paper discusses the various vulnerabilities that web applications present and the best practices to apply counter-measures and mitigate those risks
In today's e-world the activities of web users are increasing day by day on the potentially vulnerable World Wide Web. The new impressing applications that are available today are developed using various tools and technologies, whose ease and convenience of implementation had made them so popular and to be widely used. Today almost all the private and government organizations depend on the web technologies and applications to carry out their everyday essential operations.
Much of the confidential and financial matters concerning an company and an individual are carried out using web which is prone to many security risks like hacker attacks, sql injection attacks, website intrusion, denial-of-service attack etc. There is an alarming increase in the number of attacks as hackers are finding new ways to attack the system.
The vulnerabilities that are being attacked now-a-days are very different from those carried out in the past years. While some attacks were carried out for pure psychological satisfaction of the attacker, others aim at stealing sensitive data like credit-card numbers, bank account information, and sensitive data from organizations. This has made the organization to spend more on security related aspects.
C. Role of Management
Web application security should be taken care by management by right decisions and techniques. Periodical training sessions should be conducted to bring awareness among the developers, of new type of attacks and threats and how to implement effective security mechanisms to defense their applications or modules against these threats. Securing web applications should be done right from the starting of the project rather than adding at the end of the development process. The management should ensure that all necessary precautions are taken before releasing the applications to the outside world by thoroughly testing them.
III. Top Security risks and Counter Measures
This section discusses three of the top ten security risks of 2010 according to 'The Open Web Application Security Project' (OWASP).
Although there are many types of injection attacks, SQL injection attacks are most widespread.
1. SQL Injection
Sql injection attack involves insertion of malicious sql strings in to input parameters of sql statements, these makes the databases to compromise sensitive information and to view, modify or delete the information in databases by an attacker. For example, consider the following legitimate sql statement that retrieves the matched username from the input query
SELECT * FROM TableName WHERE username = '$username'
If an attacker modifies the statement to
SELECT * FROM TableName WHERE username = (' ' or '1'='1')
it retrieves all the rows in the selected table because 1 equals 1 is always true, thus compromising sensitive information.
Countermeasures and Prevention
Although injection attacks can be easily detected and avoided, more and more attacks are found to be occurring because of using dynamic queries for taking user input. An attack can be successfully prevented by validating user input, using parameterized queries and stored procedures. While parameterized statements include place holders like '?' to substitute the user input data, the attacker can easily substitute malicious strings in to the place holders. Using parameterized queries along with stored procedures is found to be effective as stored procedures use the already defined code in the database to take the input data from application. However the use of above two methods can affect the system's performance, so another technique can be used for rejecting the user supplied statements by using strong escape schemes or strings that are pertinent to each kind of statement so the DBMS can differentiate between user input and developer's code. It is advisable to apply string escaping both on client-side and server-side to provide stronger security.
B. Cross-site scripting(XSS)
It is the process of injecting malicious code in to a trusted website by using a vulnerable web application or sending malicious script to be executed in the web browser of an user. This may result in compromising of sensitive information like stealing passwords, cookies, session information stored in the browser, misshaping of website and also conducting phishing attacks. These types of attacks commonly arise from message boards, discussion boards, newsgroups, mail messages and forums. A user may embed malicious code in tags like <OBJECT>Malicious code </OBJECT>. When a user views the message the code may be automatically executed thereby exploiting the vulnerability.
1. Stored XSS attacks
The injected code is permanently stored in the database servers, visitor log, fields etc. The malicious code is retrieved when users request stored information. The attack propagates to every user who requests the stored information.
2. Reflected XSS attacks
Malicious code is sent to the server through specifically crafted means like a form, the request is sent to the server and is responded to the user's browser. The user's browser executes the code as the respond came from a trusted source
Prevention and Countermeasures
XSS attacks are difficult to identify and prevent. One method of securing is 'input filtering' the data by omitting <script> tags and other tags. For using advanced input filters the programmer should have good knowledge of security aspects. Output filtering involves filtering of the response data rather than filtering the input strings, but it has got its disadvantages that are similar to input filtering. Other general prevention methods like turning off the browsers automatic script execution facility to prevent script execution. Users should be selective of visiting a website, by going to the main page of website and then find the necessary information rather than directly clicking the links of other users.
C. Broken Authentication and Session Management
Authentication and session management functions are often poorly implemented in web application which allows the attacker to compromise passwords, session tokens, keys, administrative accounts, credentials etc. It is found that automatic scanning tools and static analysis tools are not likely to identify loopholes in session management and authentication. Therefore software testers have to manually test the code. Code review in conjunction with testing may discover the vulnerabilities in authentication and session management.
Secure transmission of data and proper storage of credentials can protect authentication and session management. Session tokens whether created by developers or provided by web application environment should use strong scheme and all data should be passed over Secure Socket Layer (SSL) which uses encrypted protocols to protect the session from taking-off by an attacker. HTTPS protocol should be used to transmit session information to the server. It has to made sure that session ID's and other identifiers do not appear in the URL bar of the browser. Session timeout has to be employed which automatically log-out the user after a specified time period. It has to be made sure that authentication mechanisms are not subjected to replay attacks which attack the session by fraudulently repeating the transmission. Also when a user log-out of the system all session ID's and information stored about the session should be deleted from the browser.
IV. Best Practices for securing web applications
As the number of exploits and attacks are increasing day by day, it is essential that organizations train the individuals about the attacks. Organizations spend a great amount of resources on training the employees. Each individual in the organization should be aware of the organization's policies, procedures, practices, ethics etc. Employees in different categories require different training procedures like software developers has to receive training on secure programming and specific technology related aspects that they work on while network programmers and system engineers should be trained on secure network and socket programming and system engineering. Awareness among the employees about the latest software attacks, threats and countermeasures on how to detect and mitigate them will significantly reduce the number of attacks.
B. Risk Assessment
Risk assessment is the process of examining a system to identify potential risks
1. Qualitative Risk Assessment: Factors that affect the quality of the system are identified and a risk assessment is made. Factors that are considered include
Threats - which may be caused by natural incidents or human activities
Vulnerabilities - Vulnerability is a weakness which a threat will exploit to attack the assets. They can be weakness in the system, design, implementation or security, configuration.
Countermeasures - These are the actions that are to be performed to reduce the risks of attacks and vulnerabilities
Threat probability chart - This is a chart prepared by project manager that consists of threats that an organization or project may encounter, the impact, probability, countermeasures of these threats.
2. Quantitative Risk Assessment
As the name suggests quantitative risk assessment calculates the amount of risk that an organization may face, Specific methods based on expectations are used to calculate and express the risk in quantitative measures. Knowing these values help the management to take intelligent investment, financial decisions and protective counter measures.
C. Design and Implementation
Design phase occurs after all the requirements were identified and thorough analysis is made. The system architecture, security measures, implementation procedures to be followed is documented. A model of the system is produced based on UML notation depicting the different aspects of a system in detail. Design methodologies include Rapid Application Development (RAD) in which the system designers consult the end users to review the prototype and offer feedback. Joint Application Development (JAD) involves different parties like executive sponsor, manager, system designer, who collectively design and implement a system. After Design phase comes the Implementation phase in which developers can work with previously created code or can work from scratch to create different applications and components. They follow all the guidelines and requirements from the architectural documents and UML models. All the components developed by each developer are integrated to form the desired product or system. Developers involved in implementation should be trained to develop secure applications. Performance, quality checks and testing are done in the implementation phase. Next is the deployment stage in which the product is delivered to the team.
V. Testing Web Application Security
A. Specification Auditing
"A software audit is a type of software review in which one or more members who does not belong to the software development organization conduct an independent examination of a software product, software process, or set of software processes to assess compliance with specifications, standards, contractual agreements, or other criteria". (IEEE) It is a type of software review which is carried out after design stage and before implementation stage. Sometimes an internal auditor conducts the audit. The process involves checking how the security and architecture specifications mentioned in the document blue print or UML models protect various aspects of the system like databases, processing and related mechanisms. When auditing is conducted by a tool it may encounter problems like not opening the executables or some tools does not search specific locations like recycle bins or the file names had been changed. So the audit process could be poorly done if the tool fails to detect various file formats.
B. Code Review
Code Review is the process of reviewing of software source code by its developer or security expert or code review tools to fix vulnerabilities that were overlooked in the initial stages of development. It helps to detect and prevent vulnerabilities like information leakage, format string exploits, buffer overflows, programming conventions, and loopholes in security mechanisms that protect the application. Formal code review is found to be an effective type of code review in which developers attend formal meetings to review each and every line of code.
As it is very difficult for the developer to review each line of code, organizations may make use of code review software which tests the code in programmer-assisted or an automated fashion. As tools make use of predefined set of rules to review the source code, they concentrate more on programming standards and conventions rather than on the leakage, exploits and buffer overflow vulnerabilities which can be effectively detected in traditional code review methods.
Software Testing is the process of testing a program or system to find errors and defects. It involves the process of determining whether various aspects of the system like performance, capability, functionality etc., meet the requirements mentioned in the specification document. Considering the complexity of the software system, it is very difficult to design a software system without any defects, bugs and defects may exist in any module. It is very vital to detect defects and bugs early in the development stage because the cost of fixing a defect becomes 10-100 times more as shown in the fig below.
McConnell, Steve (2004). Code Complete (2nd ed.). Microsoft Press. pp. 960. ISBN 0-7356-1967-0.
Even though there are plenty of testing tools available that automates the testing procedure, testers should not completely rely on its limited ability mechanisms.
New types of attacks are coming up day-by-day as the systems and applications are becoming increasingly complex, because of this growing complexity and new type of attacks, it is not practically possible for an organization to completely guarantee the security aspects of the system. It is important for an organization to define what level of risk is acceptable to them and decide upon what security mechanisms would protect their systems effectively and the countermeasures to be taken when an attack has been identified.
Ryan, Barnett. "Anatomy of SQL injection attack." Network World. Network world, 10 oct 2008.
"Sql Injection." Microsoft development network library. N.p., n.d. Web. <SQL Injection>.
Dave, Wichers. "SQL Injection Prevention Cheat Sheet." Microsoft development network. N.p., n.d. Web. <http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet>.
Amit, Klein. "Cross Site Scripting Explained." www.SanctumInc.com. N.p., june 2002. Web. 30 Mar 2011. <http://crypto.stanford.edu/cs155/papers/CSS.pdf>.
CERTÂ® Advisory. 03 feb 2000. Web. <http://www.cert.org/advisories/CA-2000-02.html>.
"Broken authentication & Session Management." OWASP. N.p., n.d. Web. <http://www.owasp.org/index.php/Broken_Authentication_and_Session_Management>
"Web Based Session Management." N.p., n.d. Web. 30 Mar 2011. <http://www.technicalinfo.net/papers/WebBasedSessionManagement.html>.
Kenneth, R. van Wyk. "Training and Awareness." Software Engineering Institute, 28 aug 2008. Web. <https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/training/256-BSI.html>.
Nguyen, Hung Q. "Introduction to Software Testing." logigear Software Testing. LogiGear Corporation, may 2006. Web. <http://www.logigear.com/newsletter-2006/271-introduction-to-software-testing.html>.
IEEE Std. 1028-1997, IEEE Standard for Software Reviews, clause 3.2