Padmaja K / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 6, November-December 2012, pp.001-006

A Study on Web Applications & Protection against Vulnerabilities

Padmaja K

Abstract
Web applications are widely adopted and their correct functioning is mission critical for many businesses. Online banking, email and e-shopping have become an integral part of today's life. Vulnerabilities in a web application can lead to a variety of erroneous behaviour at run time. We encounter the problem of forceful browsing in many web applications; username enumeration can help an attacker who attempts to use guessable passwords, such as test/test, admin/admin, guest/guest, and so on. These accounts are often created by developers for testing purposes, and many times the accounts are never disabled or the developer forgets to change the password. Hacking reduces the performance or function of the application; furthermore, the modified system itself becomes a constraint to countering newer types of vulnerabilities that may crop up from time to time. Hence, the best solution would be to find steps that are web-based (firewall) independent for protecting against vulnerabilities in web applications. In our work, the algorithm analyzes vulnerabilities that are caused by breaking of the data dependency, and works efficiently with the existing one.

Keywords – Web Application, Vulnerabilities, Forceful browsing, Testing, Dynamic Testing

I. INTRODUCTION
Web applications are collections of static files linked with each other by means of HTML references. Dynamic features were traditionally implemented by CGI scripts that were added to a web page to accept user input, changing the presentation and content of the pages accordingly. Currently, web sites are more often created dynamically: the site's content is stored in database entries and presented to the user. While in the beginning user interaction was typically limited to simple request-response pairs, web applications today often require a multitude of intermediate steps to achieve the desired results. When developing software, an increase in complexity typically leads to a growing number of bugs. Of course, web applications are no exception. Moreover, web applications can be quickly deployed to be accessible to a large number of users on the Internet, and the available development frameworks make it easy to produce (partially correct) code that works only in most cases. As a result, web application vulnerabilities have sharply increased. For example, in the last two years, the three top positions in the annual Common Vulnerabilities and Exposures (CVE) list published by Mitre [3] were taken by web application vulnerabilities. To identify and correct bugs and security vulnerabilities, developers have a variety of testing tools at their disposal. These programs can be broadly categorized as based on black-box approaches or white-box approaches. White-box testing tools, such as those presented in [1], use static analysis to examine the source code of an application. They aim at detecting code fragments that are patterns of instances of known vulnerability classes [2]. Since these systems do not execute the application, they achieve large code coverage and, in theory, can analyze all possible execution paths [4]. A drawback of white-box testing tools is that each tool typically supports only very few (or a single) programming language. A second limitation is the often significant number of false positives. Since static code analysis faces undecidable problems, approximations are necessary. Especially for large software applications, these approximations can quickly lead to warnings about software bugs that do not exist [5].
Attacks against web applications come in a variety of forms, but it is important to understand that viewing web application security with merely an attack-versus-vulnerability perspective results in an overly narrow focus. Studies such as the one conducted by Erickson and Howard reinforce the point that the overall security posture of a web application depends on a variety of factors such as proper configuration, continuity within application logic and workflow, as well as factors such as competent administration and observance of security policies on the part of corporations that own and manage application data. Several organizations have published lists of the top categories of web application vulnerabilities, notably the OWASP Top 10 and the WASC Threat Classification. However, each list differs both in the level of abstraction and the types of web application vulnerabilities included among its top threats. The Cenzic Intelligent Analysis (CIA) Lab uses its own framework for classifying the top vulnerability threat classes, the methodology having been derived from its proprietary HARM system, the Hailstorm® Application Risk Metric (ARC™), which is explained in detail later in this document. The analysis provided below will show vulnerability information from all three categories, for comparative purposes,
so that organizations using any one of the threat classification systems will have Q1 2007 data related to the methodology they are presently using.

SECTION II
2. Software vulnerabilities: Vulnerabilities occur in different ways, in hardware, sites, software and organizations; we focus on software, and in particular on input validation errors such as the following.

2.1. Format String: The format string exploit occurs when the submitted data of an input string is evaluated as a command by the application. In this way, the attacker could execute code, read the stack, or cause a segmentation fault in the running application, causing new behaviours that could compromise the security or the stability of the system. To understand the attack, it is necessary to understand the components that constitute it.
• The Format Function is an ANSI C conversion function, like printf or fprintf, which converts a primitive variable of the programming language into a human-readable string representation.
• The Format String is the argument of the Format Function and is an ASCIIZ string which contains text and format parameters, like: printf("The magic number is: %d\n", 1911);
• The Format String Parameter, like %x or %s, defines the type of conversion of the format function.
The attack can be executed when the application doesn't properly validate the submitted input. In this case, if a format string parameter such as %x is inserted into the posted data, the string is parsed by the format function, and the conversion specified in the parameters is executed. However, the format function then expects more arguments as input, and if these arguments are not supplied, the function could read or write the stack. If the application uses format functions in its source code, which are able to interpret formatting characters, the attacker could exploit the vulnerability by inserting formatting characters in a form of the website. For example, if the printf function is used to print the username entered in some field of the page, the website could be vulnerable to this kind of attack, as shown below:

    printf(username);

2.2. SQL Injection: It has more severe consequences than XSS due to the fact that a successful SQL injection can compromise the integrity of a database. A web application is vulnerable to SQL injection if unvalidated user input is used to generate SQL queries. A typical SQL query used to generate dynamic web pages is

    SELECT * FROM ARTICLES WHERE id='<user input>'

An attacker who controls the user input could, e.g., enter

    ';DROP('articles');

which adds a command to the SQL query, which then becomes:

    SELECT * FROM articles WHERE id='';DROP('articles');';

These SQL commands will select some data, delete the table articles in the database and then generate an SQL error due to the single quotation mark. SQL injection gives an attacker the opportunity to manipulate the database and in special cases execute arbitrary code on the database server. It is therefore an effective attack on web applications. Typical attack targets are logins, search forms and the URLs of dynamically generated pages, which could result in a SQL query similar to the one in the example. SQL injection can be avoided through user input validation, ensuring appropriate handling of characters with a special meaning in SQL.

2.3. Cross-site Scripting: The main purpose of cross-site scripting (XSS) attacks [5] is to steal the credentials, i.e. the cookies, of an authenticated user. Each request in the web that contains an authentication cookie is treated by the server as a request of the corresponding user as long as that user does not explicitly log out. Everyone who manages to steal a cookie is able to impersonate its owner for the current session. The browser automatically sends a cookie only to the web sites that created it, and JavaScript programs are restricted by the same-origin policy. XSS attacks circumvent the same-origin policy by injecting malicious JavaScript into the output of vulnerable applications. In this case, the malicious code appears to originate from the trusted site and thus has complete access to all (sensitive) data related to this site. For example, consider the following simple PHP script, where a user's search query is displayed after submitting it:

    echo "You searched for " . $_GET['s'];

The user's search query is retrieved from a GET parameter. Therefore, it can also be supplied in a specifically crafted URL such as the following, which results in the user's cookie being sent to "":

    <script>document.location=''+document.cookie</script>

All that the attacker has to do is to trick a user into clicking this link, for example by sending it to the victim via email. As soon as the user clicks on this link, her browser visits the page post.php on the vulnerable site, with the GET parameter "s" set
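The two remedies named for SQL injection, input validation and keeping user input out of the SQL text, side by side with the vulnerable concatenation. This is an added example, not code from the paper; the in-memory SQLite table, its rows and the tautology input are constructed for the demonstration. The sqlite3 module refuses stacked statements in execute(), so the paper's ';DROP payload cannot be shown dropping a table here; the tautology is enough to show how the vulnerable query is changed while the parameterised one is not.

```python
import sqlite3

# Constructed sample table, not data from the paper.
SAMPLE_ROWS = [(1, "first post"), (2, "second post"), (3, "internal memo")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def build_query_unsafe(user_input):
    # Mirrors the paper's SELECT * FROM ARTICLES WHERE id='<user input>':
    # the input is pasted straight into the SQL text.
    return "SELECT * FROM articles WHERE id='" + user_input + "'"


def lookup_unsafe(conn, user_input):
    return conn.execute(build_query_unsafe(user_input)).fetchall()


def lookup_safe(conn, user_input):
    # Parameterised query: the driver passes the value separately from the
    # SQL text, so quotes and semicolons in the input never change the query.
    return conn.execute("SELECT * FROM articles WHERE id=?", (user_input,)).fetchall()


def lookup_safe_typed(conn, user_input):
    # The paper's other remedy, input validation: the id column is numeric,
    # so anything that is not an integer is rejected before it reaches SQL.
    try:
        article_id = int(user_input)
    except ValueError:
        return []
    return conn.execute("SELECT * FROM articles WHERE id=?", (article_id,)).fetchall()


def demo():
    conn = make_db()
    # Constructed input that closes the quoted literal and adds an always-true clause.
    tautology = "1' OR '1'='1"
    return {
        "unsafe_rows": len(lookup_unsafe(conn, tautology)),   # every row comes back
        "safe_rows": len(lookup_safe(conn, tautology)),       # no id equals that string
        "typed_rows": len(lookup_safe_typed(conn, tautology)),  # rejected by validation
        "legit_rows": len(lookup_safe_typed(conn, "2")),      # normal lookup still works
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the concatenated query returning all three rows for the tautology, while both hardened variants return none and the normal lookup of id 2 still returns its single row.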
to the malicious JavaScript code. As a result, the malicious code is embedded in the application's reply page, and now has access to the user's cookie. The JavaScript code sends the cookie to the attacker, who can now use it to impersonate the victim. The particular type of XSS vulnerability discussed above is called reflected XSS, since the attacker's malicious input is immediately returned (i.e., reflected) to the victim. There also exists a second type of XSS, where the application first stores the input in a database or the file system. At a later stage, the application retrieves this data through database queries or file reads, and finally sends it to the victim. For instance, such stored XSS vulnerabilities often occur in web guest books or forums, where a visitor leaves a comment that is later accessed by another visitor. In general, an XSS vulnerability is present in a web application if malicious content (e.g., JavaScript) received by the application is not properly stripped from the output sent back to a user. Speaking in terms of the sketched class of taint-style vulnerabilities, XSS can be roughly described by the following properties:
• Entry points into the program: the GET, POST and COOKIE arrays.
• Sanitization routines: PHP functions such as htmlentities() and htmlspecialchars(), and type casts that destroy potentially malicious characters or transform them into harmless ones (such as casts to integer).
• Sensitive sinks: all routines that display data on the screen, such as echo(), print() and printf().
This tool can only handle reflected XSS vulnerabilities. However, it is straightforward to use it for the detection of stored XSS as well, given a certain program policy with regard to the taint status of persistently stored data. For instance, it is customary that data is not sanitized before it is stored to a database or to the file system, which means that it has to be sanitized after its later retrieval. In the system, this can be modeled by adding the corresponding data retrieval functions to the set of entry points. Analogously, the application's policy can demand that all data is sanitized before it is stored. In this case, data storage functions have to be defined as sensitive sinks. Mixed policies are more difficult to handle. For instance, an application could expect a certain database table to contain only sanitized values, whereas some other table might also be allowed to contain unsanitized values. Here, the analysis would also have to resolve the names of the tables that are used for storage and retrieval.

2.4. HTTP Header Injection: It allows attackers to split an HTTP response into multiple ones by injecting malicious HTTP response headers. This can deface web sites, poison caches and trigger cross-site scripting. Normally, the following code sets the cookie:

    //Query parameter text is not checked before saving in user cookie
    NameValueCollection request = Request.QueryString;
    //Adding cookies to the response
    Response.Cookies["UserName"].Value = request["text"];

The Set-Cookie header is used in an HTTP response to request the browser to save a cookie. %0D%0A is a new line character in an HTTP response encoded by URL encoding; in code this is usually represented as "\r\n".

2.5. HTTP Response Splitting: The attack involves three parties: a web server which has a security hole enabling HTTP response splitting; a target, i.e. an entity that interacts with the web server, perhaps on behalf of the attacker, typically a cache server (forward/reverse proxy) or a browser; and the attacker, who initiates the attack.

2.6. Forceful Browsing: Forceful browsing is making several requests to the web server with the URL patterns of typical web application components such as CGI programs. What is common to many of the exploits is that a lack of server-side validation makes them possible. Client-side validation doesn't provide real protection, as it is always possible to create a custom user agent or use an intermediary tool. These attacks against web applications [9] are possible because there are so many things one can do.

SECTION III
3. Problem definition: Today's life is hectic; with our schedules, online banking, email, chats and e-shopping have become an integral part. Thus web-based techniques are widely adopted and their correct functioning is mission critical for many business applications, and vulnerabilities are readily exploited by attackers. Unfortunately, software failures occur that reduce the availability and efficiency of the system as a whole. Here we have a method to solve the vulnerabilities.

Figure 1. User Login Screen
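Sections 2.3 and 2.4 describe two sinks that need different sanitization: the HTML body, where the paper's echo of $_GET['s'] reflects a script tag, and the HTTP header, where a %0D%0A pair in a cookie value ends the Set-Cookie line early. The following added example (not code from the paper; the inputs and function names are constructed for it) places the unsafe and the checked version of each sink side by side, using html.escape as the htmlspecialchars() equivalent and a control-character check for the header.

```python
import html
import re
from urllib.parse import unquote

# Constructed inputs: the first has the shape of the reflected-XSS link in
# section 2.3 (a script tag arriving in the "s" parameter); the second is a
# URL-encoded query value carrying %0D%0A, the CR LF pair of section 2.4.
XSS_INPUT = "<script>document.location=''+document.cookie</script>"
ENCODED_COOKIE_VALUE = "alice%0D%0ASet-Cookie:%20role=admin"


def render_search_unsafe(s):
    # Same behaviour as the paper's PHP line: echo "You searched for " . $_GET['s'];
    return "You searched for " + s


def render_search_safe(s):
    # htmlspecialchars() equivalent for the HTML-body sink: < > & " ' become
    # entities, so the browser displays the text instead of executing it.
    return "You searched for " + html.escape(s, quote=True)


def contains_script_tag(body):
    return re.search(r"<script\b", body, re.IGNORECASE) is not None


def set_cookie_header_unsafe(name, value):
    # Like Response.Cookies["UserName"].Value = request["text"] with no check:
    # whatever the client sent is placed on the header line.
    return f"Set-Cookie: {name}={value}"


class HeaderInjection(ValueError):
    """Raised when a value would break out of its HTTP header line."""


def set_cookie_header_safe(name, value):
    # Header sink: the dangerous characters are CR, LF and other controls,
    # because they end one header line and start the next.
    if re.search(r"[\r\n\x00-\x1f\x7f]", value):
        raise HeaderInjection("control character in cookie value")
    return f"Set-Cookie: {name}={value}"


def set_cookie_lines(raw_header):
    # How many Set-Cookie lines a browser or proxy would see in this text.
    return [ln for ln in raw_header.split("\r\n") if ln.startswith("Set-Cookie:")]


def demo():
    decoded = unquote(ENCODED_COOKIE_VALUE)  # the framework decodes %0D%0A to "\r\n"
    try:
        set_cookie_header_safe("UserName", decoded)
        safe_rejected = False
    except HeaderInjection:
        safe_rejected = True
    return {
        "unsafe_body_has_script": contains_script_tag(render_search_unsafe(XSS_INPUT)),
        "safe_body_has_script": contains_script_tag(render_search_safe(XSS_INPUT)),
        "unsafe_set_cookie_lines": len(set_cookie_lines(set_cookie_header_unsafe("UserName", decoded))),
        "safe_header_rejected": safe_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The point of keeping both sinks in one place is that the sanitizer is chosen by where the data ends up: entity encoding protects the HTML body but does nothing for a header, and the header check does nothing for the body. demo() reports one Set-Cookie line becoming two in the unchecked version and the checked version refusing the value.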
Username enumeration can help an attacker who attempts to use some trivial usernames with easily guessable passwords, such as test/test, admin/admin, guest/guest, and so on. These accounts are often created by developers for testing purposes, and many times the accounts are never disabled or the developer forgets to change the password. During testing assignments, we have found that such accounts are not only common and have easily guessable passwords, but at times they also contain sensitive information like valid credit card numbers, passport numbers, and so on. Needless to say, these could be crucial details for social engineering attacks.

3.1. Email Vulnerabilities: Email is one of the most widely used applications on the Internet due to its convenience, cost effectiveness, and time-saving ability. Because of its ubiquity it can be left open to many different types of vulnerability. There are multiple ways that hackers can attack your email client. Some of these methods include distribution of malware such as spyware, adware, Trojans, and viruses, to name a few types. Other attacks on your email client can include phishing, spam that is laced with malware, and denial of service attacks, which are the result of sending a massive amount of messages to a server, causing it to crash. Attacks can also cause a lot of damage to your other applications, data, and ultimately the PC operating system itself.

3.2. Protect from email vulnerabilities: Our computer operating system is used as a platform for the email client. Regardless of what type of client we use, such as Microsoft Outlook, Outlook Express, Eudora, or other, there are steps we can take to protect the email client against vulnerabilities.
3.2.1. Plain Text: When checking our email messages, use plain text format instead of formats such as HTML or rich text format that can open up the email client to vulnerabilities for hackers to exploit.
3.2.2. Automatic Updates: Always use the latest version of the mail client software and make sure you have the automatic update feature enabled.
3.2.3. Antivirus Software: Use antivirus software that includes a virus signature for monitoring your email files. Depending upon the program we are using, we can often configure the automatic update for virus signatures.
3.2.4. Do Not Unsubscribe: If we receive unsolicited email, do not click to unsubscribe from the list, as it could contain malware or lead you to a website that is infected with malware. Simply delete the unsolicited message, or if it ended up in your spam folder, clear the folder altogether.
3.2.5. Administrator: Avoid running the email client under administrator privileges. If this is not possible, try to restrict the privileges while logged on as administrator. Administrator privileges can open up your email client to exploits by a hacker.
3.2.6. Attachments: Make sure attachments are scanned by your antivirus program before you open them. Most antivirus programs contain this feature and will let you know if there is a threat of a virus before you open the attachment.
3.2.7. Receipts and Confirmations: Configure the settings in the email client so it does not automatically send return receipts or read confirmations. If an email is infected, automatically opening or sending a message could spread the infection to the recipient's email client.
3.2.8. Use Encryption: To ensure that confidential information is secure, use encryption for sending these types of messages.

3.3. Protect from Web Vulnerabilities: For all the consequences of the most common web application security vulnerabilities, we present basic methods to protect against these vulnerabilities in a secure coding security program.
3.3.1. Injection flaws: Injection occurs when user-supplied data is sent to an interpreter as part of a query. The attacker's hostile data tricks the interpreter into executing unintended queries or changing data.
3.3.2. Malicious File Execution: Code vulnerable to remote file inclusion allows attackers to include hostile code and data, resulting in devastating attacks such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.
3.3.3. Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record or key, as a URL or form parameter. Attackers can manipulate those
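Section 2.6 defines forceful browsing as a burst of requests for the URL patterns of typical components, and reference [2] mentions requests for backup copies of CGI names; the testing accounts discussed at the top of this section are found the same way. On the server side these probes leave a recognisable trace: one client collecting many 403/404 responses for distinct paths in a short time. The following added detector (not code from the paper; the log lines, the regular expression, the 60-second window and the threshold of 5 are constructed assumptions) parses Common Log Format lines and flags such clients.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed web-server access log in Common Log Format (not data from the paper).
# 198.51.100.7 requests paths typical of CGI programs, admin pages and backup
# copies and receives 403/404 for each; the other clients behave normally.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [10/Nov/2012:10:00:03 +0000] "GET /about.html HTTP/1.1" 200 311
198.51.100.7 - - [10/Nov/2012:10:00:05 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 404 210
198.51.100.7 - - [10/Nov/2012:10:00:05 +0000] "GET /admin/ HTTP/1.1" 403 198
198.51.100.7 - - [10/Nov/2012:10:00:06 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 404 210
198.51.100.7 - - [10/Nov/2012:10:00:06 +0000] "GET /_private/ HTTP/1.1" 403 198
198.51.100.7 - - [10/Nov/2012:10:00:07 +0000] "GET /admin.jsp~ HTTP/1.1" 404 210
198.51.100.7 - - [10/Nov/2012:10:00:07 +0000] "GET /admin.jsp.old HTTP/1.1" 404 210
10.0.0.9 - - [10/Nov/2012:10:00:08 +0000] "GET /missing-image.png HTTP/1.1" 404 210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_forced_browsing(lines, window=timedelta(seconds=60), threshold=5):
    """Flag clients that hit at least `threshold` distinct denied or missing
    paths (403/404) inside any `window`; ordinary browsing rarely does that."""
    denied = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["status"] in (403, 404):
            denied[ev["ip"]].append(ev)
    alerts = []
    for ip, events in denied.items():
        events.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            best = max(best, len({e["path"] for e in in_window}))
        if best >= threshold:
            alerts.append({"ip": ip, "distinct_paths": best})
    return alerts


if __name__ == "__main__":
    for alert in detect_forced_browsing(SAMPLE_LOG.splitlines()):
        print(alert)
```

Counting distinct paths rather than raw requests keeps a single broken image link (the 10.0.0.9 line) from raising an alert, and restricting the count to 403/404 responses keeps legitimate heavy users out. The detector is a complement to, not a substitute for, the server-side authorization the paper calls for: it only tells you that probing happened.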
references to access other objects without authorization.
3.3.4. Cross Site Request Forgery: A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.
3.3.5. Information Leakage & Improper Error Handling: Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems. Attackers use this weakness to steal sensitive data or conduct more serious attacks.
3.3.6. Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys or authentication tokens to assume other users' identities.
3.3.7. Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes such as credit card fraud.
3.3.8. Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
3.3.9. Failure to Restrict URL Access: Frequently an application protects sensitive functionality only by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.

SECTION IV
4.1. Algorithms for Detecting vulnerabilities: The content of the text SQLMF (T) is a set of n legitimate SQL queries (where 1 ≤ n). Each query is expressed as a sequence of elements {s1, s2, ..., sn}. Each element is a string of characters. The text pattern (P) of the dynamic query is expressed as one or more elements {s'1, s'2, ..., s'n}, where 1 ≤ n. An element may have one or more sub-elements, identifiers and values. A function element_count(P) computes the number of elements in P. Each element is separated from the others by a semicolon (;).

Exact Matching
Input: T, P
Output: Safe Query, Attack Alarm I
[1] match_count <- 0;
[2] For i = 1 to n do Begin
[3]   If (P = Ti) then {
        - Add 1 to match_count;
        - Declare 'Safe Query';
        - Exit; }
[4]   End if;
[5] End For Loop;
[6] If (match_count = 0) then {
      - Declare 'Attack Alarm I';
      - Call Approximate Matching; }
[7] Stop;

Approximate Matching
Input: T, P, W
Output: Safe Query, Attack Alarm Final
[1] k = element_count(P);
[2] For i = 1 to n do {
[3]   For j = 1 to k do {
[4]     If (P[j] ≠ T[i][j]) then
[5]       D[i] <- D[i] + 1;
[6]     End if; } }
[7] Edit_Distance <- 0;
[8] For i = 1 to n do {
[9]   Edit_Distance = MIN(D[i]); }
[10] If (Edit_Distance < W) then {
       - Declare 'Safe Query';
       - Execute P; }
[10] Else {
[11]   - Declare 'Attack Alarm Final';
[12]   - Block P; }
[13] End if;
[14] Stop;

4.2. Dynamic Analysis for vulnerabilities in web applications: In the context of web applications, static approaches have limited potential because web applications are often written in dynamic scripting languages that enable on-the-fly creation of code; this issue poses significant challenges to approaches based on static analysis. Testing of dynamic web applications is also challenging because the input space is large and applications typically require multiple user interactions. The state of the practice in validation for web standard compliance of real web applications involves the use of programs such as HTML Kit that validate each generated page, but require manual generation of inputs that lead to

Dynamic Analysis Testing Tools
4.2.1. DART (directed automated random testing): The integration of random testing and dynamic test generation using symbolic reasoning is best intuitively explained with an example. Consider the function h in the file below:

    int f(int x) { return 2 * x; }

    int h(int x, int y) {
        if (x != y)
            if (f(x) == x + 10)
                abort(); /* error */
        return 0;
    }
The function h is defective because it may lead to an abort statement for some value of its input vector, which consists of the input parameters x and y. Running the program with random values of x and y is unlikely to discover the bug. The problem is typical of random testing: it is difficult to generate input values that will drive the program through all its different execution paths. In contrast, DART is able to dynamically gather knowledge about the execution of the program in what we call a directed search. Starting with a random input, a DART-instrumented program calculates during each execution an input vector for the next execution.

4.2.2. Apollo: Apollo first executes the web application under test with an empty input. During each execution, Apollo monitors the program to record path constraints that reflect how input values affect control flow. Additionally, for each execution, Apollo determines whether execution failures or HTML failures occur (for HTML failures, an HTML validator is used as an oracle). Apollo automatically and iteratively creates new inputs using the recorded path constraints to create inputs that exercise different control flow. Most previous approaches for concolic execution only detect "standard errors" such as crashes and assertion failures. This approach detects such standard errors and also uses an oracle which is interactively supplied by the user (e.g., by clicking buttons in generated HTML pages).

V. CONCLUSION
Our work has presented an approach to improve the functionality of web applications through the absence of runtime errors; the dynamically proposed solution prevents errors due to data dependencies on session data. The algorithm combines program annotation, verification and validation checking to protect against broken data dependencies in web applications. In addition, the proposed solution is interoperable with the existing web infrastructure and does not interfere with other web security solutions. Moreover, the proposed solution is able to leverage the power of existing web security by providing formal techniques that guarantee to prove the absence of broken data dependencies in a given web protocol enforcement configuration. To the best of our knowledge, the research presented in this paper is the first to improve web application security by providing an appropriate solution to the specific problem of broken data dependencies on session data.

References
[1] A registration page had an HTML comment mentioning a file named "_private/customer.txt"; typing [URL] sent back all customers' information.
[2] Appending "~" or "back" or "old" to CGI names may send back an older version of the source code. For example, [URL] returns the admin.jsp source code. Here hacking attempts that every serious business application should be able
[3] B. Beizer. Software Testing. Van Nostrand Reinhold, 1990.
[4] Burp Spider. Web Application, 2008.
[5] Acunetix. Acunetix Web Vulnerability Scanner, 2008.
[6] D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications. In IEEE Security and Privacy Symposium, 2008.
[7] Karl Forster, Lockstep Systems, Inc., "Why Firewalls Fail to Protect Web Sites," webagain/why-firewalls-fail.pdf, 2007.
[8] I. Ristic, "Web Application Firewalls Primer," (IN)SECURE, vol. 1, no. 5, pp. 6-10, Jan. 2006.
[9] Shah, Shreeraj. Hacking Web Services. 2007.

Padmaja K is pursuing a Ph.D. from JNTU Kakinada and holds an M.Tech (CSE) from JNTU Kakinada. She has 10 years of experience in academics and has guided many UG & PG students. Her research areas include Software Engineering and Software Security.