This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
This document explains the web application vulnerabilities like SQL injection, Cross Site Scripting, Session Management and Weak Authentication and their severity in present situation. All these attacks are illustrated with help of Web-Goat and Web-Scarab. The main objective of this report is to explain the reasons for the cause of vulnerabilities with a picture-perfect mechanism and demonstration. Besides theses, it also illustrates the impact of these vulnerabilities on organizations and on its users. Finally, some prevention or mitigation techniques to each of the vulnerabilities have been clearly demonstrated.
Vulnerability a weakness or hole in the software permits attacker to gain access over the system. This allows attacker targets to damage system by interrupting correct execution or execution incorrect actions. Weakness can be any of the errors within application which makes that specific application vulnerable.
WebScarab is a powerful web security application testing tool which manipulates requests between pc to server or targeted website and it can deface any existing website. It is a proxy and uses 8008 port. It intercepts the requests (http and https) and allows the attacker to modify data. It is a portable framework with java and it has several modes of operation. It can even record traffic.
WebGoat is web application designed by OWASP especially to demonstrate web application security lessons in a safe mode with help of hints and solutions. It is uses java technology so it is platform independent. It can comfortably run on Windows, Linux or Mac operating systems. It also uses Apache Tomcat.
Presently vulnerabilities are becoming more risky and damaging the websites. In 2009, domestic university's admission website faced a serious threat by Trojan horse and XSS. Because of that attack university's entrance exam data was attacked. Threats are mainly because of flaws which exist in the source code of application. It is easy to notice and exploit web vulnerabilities in low graded software applications.
Xin-hua Zhang et al. (2010) says that "In 2005 and 2006, XSS was number one and SQL injection was number two". Since to control these attacks researchers are trying to protect in 3 modes like Protecting from Client Side, Protecting from Server Side and Protection from both Client/ Server Side. Tian He et al. (2009) describes "Websense security report shows that in the first half of year 2008 above 75% of the most popular websites have utilized by the hackers to run malicious code"
2. SQL Injection:
SQL injection is a technique of injecting code into an application to parse and execution. Cyrus Peikari and Anton Chuvakin (2004) state that "SQL injection as an abuse of a database-connected application by passing an untrusted and unauthorized SQL command through to an underlying database." Amit Yoran (2009) CEO of NetWitness describes "SQL injection is a common technique that's well understood and provides a bountiful target because you are literally going after databases, which is frequently where large stores of information exist".
Database is structured collection of data. SQL injection is an attack on web application through database. SQL attacks are multi application, multi database and multi platform. Using SQL injection attacker aims to gain access over the system, bypass user credentials, modifying user data and more such things. SQL injection occurs with applications by using input variables while creating a dynamic SQL statement. Attackers inject malicious code to get the sensible data or to gain access over the server. SQL injection is mainly caused due to use of " ' ", "union" and " --; ".
2.1 Types of SQL Injections:
Unauthorized data access: It permits the attacker to get access over database by tricking the application.
Authentication bypass: It permits the attacker to gain access without providing authentication authorizations like user id and password where authentication is necessary.
Database modification: It permits the attacker to modify data by insert, delete or edit database content without authorization.
Escape from a database: It permits the attacker to execute commands on target machine to connect to other devices and to scan ports using built in tools.
2.2 Mechanism of Injection Flaws in Web-Goat with Demonstration:
SQL injection is very easy to perform. Attacker just sends a malicious code as a user input instead of proper data. For instance,
Select * from members where userid='naren' AND password='keylogger'
This displays the data from members table where userid is naren and password is keylogger
But by using tools like web scarab, every request between pc to server can be manipulated as follows
Select * from members where userid='1' OR '1'='1' AND password='1' OR '1'='1'
Using this, attacker can be able to access data because 1' or '1'='1 makes all values true and allows attacker to bypass. Attacker can also delete or modify data by using "- -" and ";" to append query. These attacks can cause "loss of data confidentiality, Loss of data integrity and even compromises network".
Example of SQL Injection:
http://192.168.1.1 /naren/html.php ? op=Change&cid %56OR451=1%40 /tmp/naren2.txt
a b c d e f
a=ip adress, b=php script, c=separator, d=changing url, e=attack and f=tmp file to hold data
Numeric SQL injection:
String SQL Injection:
Lab SQL Injection: (1,3)
Blind SQL Injection:
2.3 Impact of SQL Injections:
Organizations have a serious impact of these SQL injections. On 5th Nov 2010, the Royal Navy website was hacked by Romanian hacker as Tinkode it was caused by a simple SQL injection through which attacker retrieved the user names and passwords of all administrators. In a recent survey it was conformed that 1.5 million pages were affected by SQL injection attack known as shadow server. On 25th Nov 2010, a virus was used interrupt Iran's nuclear plan and traded on black market. These attacks are increasing day by day. Ollman (2009) believes that "Cybercriminals are constantly looking for sites that are susceptible to SQL injection, which is a recurring problem, as new content is developed and sites are updated". Attacks are mainly because of poorly written application and its holes. On 23rd Sep 2010, Sweden elections faced a serious threat because of simple SQL injection.
2.4 Prevention or Mitigation of SQL Injections:
Stored Procedures can be used to mitigate or prevent Injection attacks because they allow only actual query to run. The properties of stored procedures provide more security to counter injection attacks. Stored procedures can get updated and run faster because of good compatibility with database. Application should be able to run with least privileges of database and administrator privileges when essential. It is better to reduce secure data like userid and password in source code as this is root to attack.
Sanitization and Validation are most significant protections techniques which are used to be secure from attacks.
Trust no-one: Data sent by all the users must be sanitized and validated.
Rare use Dynamic SQL: It is preferable to avoid the using dynamic SQL and prefer stored procedures, parameterized queries and prepared statement to avoid attacks
Update and Patch: There should be a regular updates and patches as they are very important to protect application from malicious users.
Firewall: Web application firewall is very necessary to filter the malicious data and safeguards from vulnerabilities
Reduce attack surface: It is more advantageous to reduce the attack surface by using stored procedures like XP cmdshell, Windows command shell and many other.
Correct Privileges: It is better to use limited access account instead of administrator privileges because it can reduces hacker access
Secure the vital data: Data is stored securely by hashing or encrypting and minimise the error messages like wrong password or alternate questions because hacker takes it as an advantage to understand database architecture.
Update passwords: Passwords can be changed according to the level of security and it is better to use a combination of case sensitive letter, number and special characters with an appropriate length.
3 Cross Sites Scripting (XSS):
Michael Cross (2007) states that "Cross Site Scripting is the ability of inserting malicious program into dynamically generated Web pages". XSS allows hacker to inject destructive script into the web pages and when user visits that specific URL the browser downloads that malicious script and automatically runs it without examining and authorising. The downloaded malicious code or installed Trojan can damage the system by formatting harddisk or by stealing password. XSS mainly aims to trick a user by sending the scripted URL, when user accesses that trojaned URL the data will be sent to attacker.
Basically XSS is due to vulnerable web applications which takes data from webserver and sends back to user without filtering. For instance, Samy a guy from china executed "transwebsite malicious worm" which infected millions of MYSPACE members within a day and also caused MYSPACE led failure. The XSS code can contains HTML, Java, VB, Flash or many more like ActiveX which can be supported by browser
The following diagram shows the steps in XSS:
3.1 Types of XSS:
XSS is of three types Persistent, Non persistent and DOM based. Persistent attack means executes the malicious code from website which will be stored for a specific time period. For instance, it can be an email which contains code in it. Non persistent and Dom based means executing malicious code with the help of web form where malicious code is embedded in it. These are caused by Java scripts and embedded clients such as Flash player.
3.2 Mechanism of Cross-Site Scripting in Web-Goat with Demonstration:
In XSS, attacker finds a website with XSS vulnerabilities. Initially attacker posts some malicious code to website by discussion board or any forms. When user accesses that specific data new cookie will be generated which was done by XSS and hence attacker captures that generated cookie. Once if attacker gains access over that specific cookie then he can able to gain access the website with entire user privileges.
LAB: Cross Site Scripting:
Cross Site Request Forgery:
Cross Site Tracing Attacks:
HTTP Only Test:
3.3 Impact of XSS:
XSS is the most common web application attack. On 25 Sep 2010, Orkut had a XSS attack known as Bom Sabado means good Saturday in Portuguese. It was posted to all the users as a scrap, it was a powerful threat which could steal user cookie and cause damage. On 2 Nov twitter was again hacked because of XSS worm. XSS is becoming more noticeable among all the attacks and causes damage for most the popular organisations.
3.4 Prevention or Mitigation of XSS:
Disabling script language on browser can prevent XSS attacks but it also prevents the user to access scripts from the trusted websites.
Validation of unsecure inputs:
By using standard input validation all the input data like syntax, type and length can be validated before processing that specific data. This process can prevent invalid data and error message which may contain some malicious script.
Encoding output elements:
When the data is encoded it prevents attacker to access data only to some extent and hence it is necessary to encode output elements.
Secure Encoding Library:
It is highly recommended to perform security encoding library as it prevents XSS attacks and filter characters like ( ", ', &, <, >) in dynamic elements.
XSS can easily steal cookie because web applications are mainly based on cookies for authentication of protocols so examining and securing cookie is very important.
Before validating the input, it must be decoded and canonicalized. If inputs are decoded twice then it can cause dangerous error to bypass.
4. Session Management:
The process of tracking user activities and their navigations when sessions were generated by the computer system and managing those sessions to authenticate users is known as Session Management. These threats is mainly used in Cookies, URLs, Hidden forms and there combinations. Session management threats use Wireshark, Ettercap or FireSheep to capture the traffic.
4.1 Types of Session Management:
Session management are of two types Permissive and Restrictive. Permissive means web server receives some arbitrary session ids and creates a proper session id which does not exist. Restrictive means webserver allows session ids which are generated locally within the system.
4.2 Mechanism of Session Management Flaws in Web-Goat with Demonstration:
Session Management flaws can hijack a session, Spoof an authentication cookie and Session Fixation
Hijack a Session:
Spoof an Authentication Cookie:
4.3 Impact of Session Management:
Because of session management flaws the following threats Session hijacking, Session Replay and Man in the middle can take place in an organisations. Intruders are monitoring and manipulating tcp stream data due session flaws. Attacker can insert commands which can execute in organization servers and cause severe damage. But many organizations and commercial business are still unaware these attacks. Session Hijack mainly runs by taking advantage of TCP in many organizations. On 3rd Jan 2007 Gmail was hijacked by black hat hacker.
4.4 Prevention or Mitigation of Session Management:
Security critical applications can prevent session management flaws. Encryption and robust security rules with access control can mitigate session hijack. SSH can mitigate vulnerable file transfer protocol and telnet. Best mitigation for organizations is to configure network which can reject packets from internet that claim to access from local address. Network administrators are suggested to use Kerberos or IP sec as a better option from mitigation session hijacking threats
5. Weak Authentication:
Authentication means finding identification credentials from given data and validating that trusted data, service or user against designed authority. Weak authentication means authenticating unknown data without depending on any trusted 3rd party. When websites allow attacker to get access over some secured data or a protected functionality without proper authentication it is known as weak authentication. Secure data communication can be achieved by encrypting data between two end systems for authentication purpose. A cryptography protocol is essentially used for authentication and key distribution.
5.1 Types of Authentication:
There are four main web authentications like http basic, http digest, https client and form based Authentication
5.2 Mechanism of Authentication Flaws in Web-Goat with Demonstration:
5.3 Impact of Weak Authentication:
Weak authentication shows its impact particularly on E-Commerce and business logic of web applications. It was because of careless authenticators from client side. Presently 10% of web applications are having weak authentication vulnerabilities. Weak authentication vulnerabilities are mainly caused due to the threat of dictionary attack and online/offline password guessing attack, it was because of hint of the password or a weak password.
Organizations are mainly facing the Dictionary attack, Compromising password attack, Single point failure, Trusting 3rd party, Replay attack, Man-in-middle attack and some more threats because of Weak Authentication.
.5.4 Prevention or Mitigation of Weak Authentication:
Authentication: Credentials must be verified and validated against the designed authority this is basic security principle.
Weak password Recovery: A weak password easily allows attacker to get the privilege rights so user must reduce this attack my eliminating simple words. For instance 14816, qwerty takes seconds and Pa55w*rd , L74*&?ok takes hours or days
Information Verification: When user or attacker provides in correct password system must ask for stored secret information along with password and users must avoid password hint.
Authorization: Authorization means checking for permissions and then performing the action or functionality.
Security goals: Users must understand which data must be secured and must follow some security goals to achieve confidentiality
Security risks: User must be aware common web vulnerabilities and threats related to their work area.
Securing code access and physical access: In organizations servers must be secured from fundamental issues. ACLS and network security must be established to prevent attacks. Code trusting must be depending on sender (i.e.) from where it has come.
The thesis explains about the various web application vulnerabilities with their mechanism. It also deals with the impact of vulnerabilities and the mitigation or prevention techniques in the present environment. It clearly mentions the necessary precautions that are to be taken to avoid hackers.
The main objective of this assignment was to complete the WEB-BASEB APPLICATIONS AND E-COMMERSE SECURITY module in ISS MSc and to get idea across all the vulnerabilities and the measures to control or mitigate vulnerabilities. In particular, I would like to state that the assignment helped a lot to learn about web vulnerabilities and mitigation techniques. Finally I thank Mr Neil for giving me this chance to explore my knowledge.