ISSN: 2278 – 1323
International Journal of Advanced Research in Computer Engineering & Technology, Volume 1, Issue 4, June 2012

Tool to Detect and Prevent Web Attacks

Nilesh Khochare, Computer Department, VJTI, Mumbai, nileshkhochare@gmail.com
Dr. B. B. Meshram, Computer Department, VJTI, Mumbai, bbmeshram@vjti.org.in

Abstract— A Web Application Firewall (WAF) is a security tool that protects the web application and the web application server from various attacks. Application protection is a valuable security layer to add because it can protect against a number of application layer threats that a typical network layer intrusion detection system does not cover. A web application can be attacked easily even when a normal firewall is present in the system, because the normal firewall does not work at the application layer. Attackers target web applications with methods such as Structured Query Language (SQL) injection, Cross Site Scripting (XSS), command injection, session manipulation, cookie poisoning, directory traversal and forceful browsing. This paper addresses these problems by presenting a methodology for the automatic detection of vulnerabilities in web applications and for preventing attacks on them. The proposed methodology, implemented in this paper, monitors all incoming and outgoing data of the web application and blocks web related attacks such as SQL injection, Cross Site Scripting, Buffer Overflow, Cookie poisoning, Forceful browsing and Directory traversal attacks.

Index Terms— Application Firewall, SQL injection, Cross Site Scripting, WAF.

I. INTRODUCTION

Today applications are becoming the prime target for cyber attacks. Recent research showed that approximately 80% of all successful web attacks exploit application vulnerabilities; there is no shortage of vulnerabilities to go after, although all of them require some skill to exploit. Traditional firewalls block packets effectively at the network layer, but they are ineffective against attacks aimed at application weaknesses. Web application firewalls detect application vulnerabilities, detect whether sensitive data such as account information or credit card numbers is being stolen, and can take suitable action accordingly. [2]

Various web applications, such as the online branch of a bank, an online shop, or a customer, partner or employee portal, are available to their customers as well as to their attackers around the clock because of the always-on nature of the internet. Attacks such as SQL injection, cross-site scripting, session hijacking and many more are aimed at vulnerabilities in the web applications themselves. Web application firewalls are specialized tools whose purpose is to increase security in web applications. Figure 1 shows the basic working of a web application firewall, where only a normal user can access the web application or web server and access is denied to an attacker. [18]

[Fig 1. Basic working of Application Firewall]

An application firewall is a set of application-specific policies that gives granular control over network traffic at the level of users. The primary functionality of this application-layer tool is to regulate web browsing, file transfer, email and email attachments. Using an application firewall, you can restrict the transfer of certain file names, file types, email attachments, attachment types, email with certain subjects, and email or attachments with certain keywords or byte patterns. You can deny internal or external network access based on various criteria.

II. RELATED WORK

This paper describes a methodology and a tool for detecting and preventing attacks on web applications. We now describe various approaches to securing web applications from web-based attacks.

A. Open source Tools

IronBee is an open source tool designed by Qualys. IronBee implements a robust framework for application security monitoring and defense. It provides a layered set of features at different levels of abstraction, enabling its users to choose the approach that works best for the work they need to accomplish. It provides security from DoS and DDoS attacks, cookie related attacks, brute force attacks, SQL injection attacks and cross site scripting attacks. [11]

AQTRONIX WebKnight is an application firewall for IIS and other web servers and is released under the GNU General Public License. WebKnight scans all requests and processes them based on filter rules set by the administrator. These rules are not based on a database of attack signatures that require regular updates. WebKnight filters buffer overflow, SQL injection, directory traversal, character encoding and other attacks. [17]
Guardian@JUMPERZ.NET is an open source application layer firewall for HTTP/HTTPS. It works as a reverse proxy server. It analyzes all HTTP/HTTPS traffic against rule-based signatures and protects web servers and web applications from attack. When unauthorized activity is detected, Guardian@JUMPERZ.NET can disconnect the TCP connection before the malicious requests reach the web server. [18]

ModSecurity is an application firewall which makes copies of the data, places them into memory, applies all data transformations, and then decides what disruptive action to take if there is a rule match on the data. While this process works well in defense of the vast majority of web application security issues, there are still certain situations where it is limited. Client-side security issues are difficult to address in this architecture since the WAF has no visibility on the client. [19]

B. Commercial Tools

Barracuda Web Application Firewall protects web sites and web applications from attackers leveraging protocol or application vulnerabilities to instigate data theft, denial of service, or defacement of an organization's web site. Unlike traditional network firewalls or intrusion detection systems that simply pass HTTP, HTTPS, or FTP traffic for web applications, the Barracuda Web Application Firewall proxies this traffic and inspects it for attacks to insulate web servers from direct access by hackers. [10]

Imperva Secure Sphere Web Application Firewall protects applications from current and future security threats by combining multiple security engines into a cohesive web defense. Imperva Secure Sphere provides ironclad protection against the OWASP Top Ten attacks, including SQL Injection, Cross Site Scripting and Cross Site Request Forgery. [16]

The Citrix Application Firewall protects web servers and web sites from misuse by hackers and malware, such as viruses and Trojans, by filtering traffic between each protected web server and the users that connect to any web site on that web server. The Application Firewall examines all traffic for evidence of attacks on web server security or misuse of web server resources, and takes the appropriate action to prevent these attacks from succeeding. [9]

FortiWeb web application firewall provides specialized, layered application threat protection. FortiWeb's integrated web application and XML firewalls protect web-based applications from various attacks and data loss. FortiWeb helps prevent identity theft, financial fraud, SQL injection and cross site scripting. [14]

III. THE PROPOSED APPROACH AND TOOL

A. Proposed Architecture of Firewall

The proposed approach to protecting web applications and web servers consists of the modules shown in figure 2 and is aimed at (i) monitoring the incoming and outgoing requests of the web application, (ii) matching all requests and responses against the firewall rules, policies and attack definitions present in the database, (iii) blocking the malicious request or response, and (iv) alerting the user regarding the detected attack.

Module I – User Interface Module
This module provides a robust user interface through which the user can interact with the Application Firewall tool. Through this module the user can set or change the policies of the firewall.

Module II – Database Module
This module provides the database which stores the patterns and signatures of various attacks, which are used in the detection and prevention of the attacks.

Module III – Detection Module
The detection module implements the algorithm to detect SQL injection attacks, Cross Site Scripting attacks, Buffer Overflow attacks, Cookie poisoning, Forceful browsing and Directory traversal attacks.

Module IV – Prevention Module
The prevention module implements the algorithm to prevent SQL injection attacks, Cross Site Scripting attacks, Buffer Overflow attacks, Cookie poisoning, Forceful browsing and Directory traversal attacks.

Module V – Messenger Module
The messenger module provides warning messages and alert messages to the user from time to time.

[Fig 2. Proposed Architecture of Application Firewall]
B. Proposed Working of Application Firewall

The proposed Application Firewall is a filter which sits between web applications and users, examining requests and responses and blocking dangerous or inappropriate traffic. This tool protects web servers and web sites from unauthorized access and misuse by hackers and malicious programs such as viruses and trojans (malware). To secure web applications and web servers, the application firewall must be installed in a location where it can intercept traffic between the web servers and web applications to be protected and the network devices through which users access those web servers. The network is then configured to send requests to the Application Firewall instead of directly to the web servers, and responses to the Application Firewall instead of directly to the users, as shown in figure 3. The application firewall then filters the traffic before forwarding it to its final destination and examines each request and response using its rule set.

[Fig 3. Proposed Working of Application Firewall: Request → Security Check of Request; Pass → Forward Request to web server/Application; Fail → Display Specific Error Message. Web Server/Web Application → Response → Security Check of Response; Pass → Response to user; Fail → Display Specific Error Message.]

As Figure 3 shows, when a user requests a URL on a web server, the application firewall first examines the request in "Security Check of Request". These rules check for various types of attacks on the web servers. The Application Firewall also checks whether the request needs further filtering. If the request passes the Application Firewall security checks, it is passed to the web server. The web site or web service sends its response back to the Application Firewall, which examines the response in "Security Check of Response". If the response does not violate any security check, the Application Firewall forwards the response to the user. This process is repeated for each request and response.
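The following Python sketch is an added illustration for Sections III-A and III-B; it is not the authors' tool and not code from the paper. It wires a signature database (Module II), a detection function (Module III), a blocking decision (Module IV) and an alert log (Module V) into the request and response checks of Fig. 3. Every signature, forbidden path, length limit, cookie key and the stand-in backend are constructed for the example and are far smaller than a real rule set would be.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Module II, database module: constructed, illustrative attack signatures.
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("SQL injection", re.compile(r"'\s*or\s*'|union\s+select|;\s*drop\s+table|--\s*$", re.I)),
    ("Cross Site Scripting", re.compile(r"<script\b|javascript:|\bon\w+\s*=", re.I)),
    ("Directory traversal", re.compile(r"\.\./|\.\.\\|%2e%2e%2f", re.I)),
]
FORBIDDEN_PATHS = ("/admin", "/backup")   # forceful browsing: paths users must not reach directly (constructed)
MAX_FIELD_LEN = 512                       # buffer overflow guard: longest accepted field (constructed)
LEAK_PATTERNS = re.compile(r"sql syntax|stack trace|odbc driver|root:x:0:0", re.I)
COOKIE_KEY = b"constructed-demo-key"      # placeholder; a deployment uses a real secret


@dataclass
class Request:
    path: str
    params: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def sign_cookie(value: str) -> str:
    """Issue a cookie as value.mac so later tampering (cookie poisoning) is detectable."""
    mac = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def cookie_is_valid(signed: str) -> bool:
    value, _, mac = signed.rpartition(".")
    expected = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    return bool(value) and hmac.compare_digest(mac, expected)


# Module III, detection module: returns the attack name, or None when the request is clean.
def detect_request(req: Request) -> Optional[str]:
    if any(req.path.startswith(p) for p in FORBIDDEN_PATHS):
        return "Forceful browsing"
    fields = [req.path, *req.params.values(), *req.cookies.values()]
    if any(len(f) > MAX_FIELD_LEN for f in fields):
        return "Buffer Overflow"
    if not all(cookie_is_valid(c) for c in req.cookies.values()):
        return "Cookie poisoning"
    for name, pattern in SIGNATURES:
        if any(pattern.search(f) for f in fields):
            return name
    return None


def detect_response(resp: Response) -> Optional[str]:
    """Security Check of Response: stop error pages that leak server internals."""
    return "Information leakage" if LEAK_PATTERNS.search(resp.body) else None


# Modules IV and V, prevention and messenger, arranged as the flow of Fig. 3.
def firewall(req: Request, backend: Callable[[Request], Response], alerts: List[str]) -> Response:
    attack = detect_request(req)                     # Security Check of Request
    if attack:
        alerts.append(f"ALERT request {req.path}: {attack}")
        return Response(403, f"Request blocked: {attack}")   # specific error message, not forwarded
    resp = backend(req)                              # forward request to web server / application
    leak = detect_response(resp)                     # Security Check of Response
    if leak:
        alerts.append(f"ALERT response {req.path}: {leak}")
        return Response(502, f"Response blocked: {leak}")
    return resp                                      # pass: response goes to the user


def demo_backend(req: Request) -> Response:
    """Constructed stand-in for the protected application; /broken leaks a database error."""
    if req.path == "/broken":
        return Response(500, "You have an error in your SQL syntax near 'x'")
    return Response(200, f"Hello {req.params.get('user', 'guest')}")


if __name__ == "__main__":
    log: List[str] = []
    print(firewall(Request("/", {"user": "alice"}), demo_backend, log))
    print(firewall(Request("/", {"user": "' OR '1'='1"}), demo_backend, log))
    print(firewall(Request("/broken"), demo_backend, log))
    print(*log, sep="\n")
```

The checks run in the order the paper's flow implies: the request is examined before it reaches the backend, and the backend's response is examined before it reaches the user, so a failed check at either point produces a specific error message and an alert entry instead of the original traffic. The cookie check is the one place where a signature database is not enough; it relies on the firewall having issued the cookie with a MAC so that any later change to its value is detectable.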
IV. COMPARISON WITH OTHER TOOLS

TABLE I. COMPARISON WITH OTHER TOOLS

Sr. No. | Name of Tool          | Type        | Features and prevented attacks
1       | IronBee               | Open Source | DoS, DDoS attack; Cookie attacks; Brute force attack protection; SQL injection; Cross Site Scripting; Information leakage; Error message detection; Behavioral monitoring
2       | AQTRONIX WebKnight    | Open Source | Buffer Overflow; SQL injection; Directory Traversal; Rule based signature detection
3       | Guardian@JUMPERZ.NET  | Open Source | SQL injection; Cross Site Scripting
4       | ModSecurity           | Open Source | SQL injection; Cross Site Scripting; Cookie attacks; DoS attacks; Information Leakage
5       | Barracuda             | Commercial  | OWASP Top Ten attacks; Data theft protection; Brute Force Protection; SQL injection; Cross Site Scripting; Cookie and form tampering
6       | Imperva Secure Sphere | Commercial  | SQL Injection; Cross Site Scripting; Cross Site Request Forgery; OWASP Top Ten attacks [20]
7       | Citrix                | Commercial  | Buffer Overflow; Cookie Poisoning; XML related attacks; SQL injection; Cross Site Scripting; Credit card theft
8       | FortiWeb              | Commercial  | SQL injection; Cross Site Scripting; Financial fraud; Prevent Identity Theft; XML related threats; Cross Site Request Forgery; Information Leak
9       | Proposed Tool         | Open Source | SQL injection; Cross Site Scripting; Cross Site Request Forgery; Information leakage; Data theft Protection; Buffer Overflow; Incorrect Input Handling; Cookie Poisoning; Error handling problems; DoS, DDoS; Forceful Browsing; Directory Traversal; XML related attacks; Session hijacking; OWASP Top Ten attacks; Robust GUI

Table 1 shows the comparison of the present tools with the proposed tool. The tool presented in this paper is able to prevent a larger number of attacks because it combines all the attack prevention methods of the present tools, and it is very easy to use because it provides a robust GUI.

V. CONCLUSION AND FUTURE WORK

The spectre of online identity threats was never as real as it is today, primarily due to the rapid growth of the internet and the increase in web applications, which offer service providers such as banks and retailers a cost-effective method to reach their customers. This has also provided the hacking community an excellent tool to try to fool organizations and people. There are many popular attack techniques on web applications, such as SQL injection, Cross Site Scripting, Brute Force Attack, Cross Site Request Forgery, Session Hijacking and Buffer Overflow. A Web Application Firewall gives huge benefits to network security as it is uncomplicated and is considered one of the effective tools to prevent attacks at the application layer. This paper proposes an Application Firewall tool to protect web applications from hackers. This tool analyzes the incoming requests towards the web application and the outgoing responses from the web application or web server. The business logic module of this tool maintains the database of attacks, rules and policies for detection and prevention of attacks. This tool protects web applications from SQL injection attacks, Cross Site Scripting attacks, Buffer Overflow attacks, Cookie poisoning, Forceful browsing and Directory traversal attacks. Work in progress aims at (i) further validating this tool and comparing the results with other open source and commercial tools, and (ii) improving this tool by adding an anomaly detection module.

REFERENCES

[1] Chong Hee Kim and Jean-Jacques Quisquater, "Faults, Injection Methods, and Fault Attacks", IEEE Design & Test, Volume 24, Issue 6, November 2007.
[2] Hironao Takahashi, Hafiz Farooq Ahmad and Kinji Mori, "Application for Autonomous decentralized multi layer cache system to web application firewall", 2011 Tenth International Symposium on Autonomous Decentralized Systems.
[3] Michael Meike, Johannes Sametinger and Andreas Wiesauer, "Security in Open Source Web Content Management Systems", IEEE Security and Privacy, Volume 7, Issue 4, July 2009.
[4] Thorsten Holz, Simon Marechal and Frédéric Raynal, "New Threats and Attacks on the World Wide Web", IEEE Security and Privacy, Volume 4, Issue 2, March 2006.
[5] Elizabeth Fong and Vadim Okun, "Web Application Scanners: Definitions and Functions", Proceedings of the 40th Hawaii International Conference on System Sciences, 2007.
[6] Angelo Ciampa, Corrado Aaron Visaggio and Massimiliano Di Penta, "A heuristic-based approach for detecting SQL-injection vulnerabilities in Web applications", Proceedings of SESS '10, the 2010 ICSE Workshop on Software Engineering for Secure Systems.
[7] Frank S. Rietta, "Application Layer Intrusion Detection for SQL Injection", Proceedings of ACM-SE 44, the 44th Annual Southeast Regional Conference.
[8] Ryan Riley, Xuxian Jiang and Dongyan Xu, "An Architectural Approach to Preventing Code Injection Attacks", Proceedings of DSN '07, the 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.
[9] Citrix Application Firewall, www.citrix.com/appfirewal
[10] Barracuda Application Firewall, http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php
[11] IronBee - Open Source Web Application Firewall, https://www.ironbee.com/
[12] Profence Application Firewall, http://www.armorlogic.com/web-application-firewall.html
[13] ThreatSentry Application Firewall, http://www.privacyware.com/intrusion_prevention.html
[14] FortiWeb Application Firewall, http://www.fortinet.com/products/fortiweb/index.html
[15] OWASP WebScarab, http://www.owasp.org/software/webscarab/
[16] Imperva Web Application Firewall, www.imperva.com/
[17] AQTRONIX WebKnight Application Firewall, http://www.aqtronix.com/?PageID=99
[18] Guardian@JUMPERZ.NET - Open Source Web Application Firewall, http://guardian.jumperz.net/index.html
[19] ModSecurity Web Application Firewall, www.modsecurity.org/
[20] OWASP Top Ten attacks, https://www.owasp.org

All Rights Reserved © 2012 IJARCET