
Untitled Document

http://medianet.kent.edu/surveys/DR05S-applicationattack-amitpandey/index.html

Survey on Attacks targeting Web based System through Application Layer


Author: Amit Kumar Pandey
Email: apandey@kent.edu
Homepage: http://www.cs.kent.edu/~apandey/
Prepared for Prof. Javed I. Khan, Department of Computer Science, Kent State University
Date: June 2006

Abstract: With the advent of Business-to-Business (B2B) and Business-to-Consumer (B2C) interaction, it has become a necessity that information be exchanged in a secure and accurate way. Most web applications contain security vulnerabilities that enable an attacker to exploit them and launch attacks. As a result of an attack, the confidentiality, integrity and availability of information are lost. These attacks, which operate at the application level, cannot be prevented by a packet-inspecting firewall, which analyses individual IP packets for signatures or allows specific ports. What is needed is a mechanism that analyses the whole message stream. In addition, each specific application-level attack requires a specific countermeasure. Attacks like content spoofing cannot be stopped unless the user is made aware of them. In this survey, I discuss the different types of application-level attacks on web applications and ways to prevent them.


Table of Contents:
Introduction
Web application Architecture
Different attacks
  Fig.1 Types of attack
  Client side
    Web browser: Content Spoofing, Cross site Scripting, Session fixation

1 of 9

9/3/2013 10:26 PM


  Server side
    Web Server: Path traversal, Denial of Service
    Database server: SQL Injection, Xpath injection
Comparison of attacks
Summary
References
  Research Papers for More Information on This Topic
  Research Groups
  Other Relevant Links
Scope of Survey

Introduction:
The rapid growth of the internet has created many services that have become an integral part of our day-to-day life. Web applications are used for making reservations, paying bills, and shopping on-line. However, the widespread usage of these applications has come with an increase in the number and types of attacks affecting the confidentiality, integrity and availability of information. Almost every day new security vulnerabilities are discovered and exploited by hackers to access confidential information.

Need for securing web applications

1. Rapid increase in attacks: In a paper presented at the JavaOne conference last year, Cisco security architect Martin Nystrom claimed that as many as 95% of web applications have serious flaws, 80% of which are vulnerable to cross-site scripting attacks, and that 75 percent of all security attacks today are at the application level.
2. Cost of attacks: In April 2006, a San Diego man was charged with hacking into the USC admissions web site and accessing more than 270,000 applications containing sensitive information such as birth dates, addresses and Social Security numbers. USC spent more than $140,000 to notify affected students and also shut down the applications web site for 10 days. The hack was made via a SQL injection attack.

Web application Architecture and attacks targeting different components

Fig. 2 Typical web application architecture

A web system consists of a web browser at the user's end. The user is connected to the web application through the internet. A firewall protects the web system from intrusion and allows traffic on port 80 only. The web server receives requests from the browser, processes them and passes the dynamic part to the application server, which processes server-side code, like JSP. All requests for database access are passed to the database server. The results are shipped back to the web browser. A web-based system like this is subject to various attacks targeting the web server, the database server and the web browser. Users at the client side, who access web sites through a web browser, are targeted by hackers through content spoofing, cross-site scripting and session fixation attacks. Server-side systems consisting of the web server and the database server are subject to different kinds of attack. The web server is targeted by path traversal attacks, which are used to read the contents of restricted files and directories; another form of attack, denial of service, prevents legitimate users from accessing the service. Attacks on the database server, like SQL injection and XPath injection, aim to obtain unauthorized information.


Attacks at the application level differ from network-layer attacks. Application-level attacks exploit vulnerabilities present in web application code and limitations of protocols like HTTP. Attacks at the application level cannot be stopped by most network firewalls, which normally leave port 80 open for the web server; it is through this port that the web application communicates with the user. If an attacker is able to reach the application, he can launch attacks that the firewall cannot prevent. For example, consider a user who has a legitimate account with a banking system. He connects to his account by authenticating and establishing a valid session. If that user then injects code to access other users' information without authorization, a network firewall will not be able to stop him. Preventing such attacks requires fixing the vulnerabilities in the application code, for example by validating user input at the server side rather than at the client side. Each specific application-level attack requires a specific countermeasure.

Different Attacks
Client side attack
Client-side attacks are used for a variety of purposes, like stealing usernames and passwords, stealing the cookies used for session management, and accessing other sensitive information. To achieve these tasks, attackers sometimes create a fake web site that looks similar to the original, and then send a link to that fake site to the victim's email address, asking him to open it and verify account information. In another form of client-side attack, the attacker submits malicious code to forums and message boards. When these are read by other users, the malicious code executes in the user's browser and accesses sensitive information like cookies, which are then sent to the attacker's machine.

Content Spoofing
In this type of attack, malicious hackers create a fake web site that looks similar to the original one to make the user believe that the site is legitimate. They create fake web sites for banks such as Citibank and for online organizations such as PayPal and eBay. The attacker then sends specially crafted links to the user through email or instant messages. The messages may look quite authentic, having corporate logos and formats similar to the ones used by legitimate messages. Typically they ask for verification of certain information, such as account numbers and passwords. These links make the user believe that the content is coming from the trusted web site, but in fact it comes from an external source. Sometimes also called phishing, such attacks are frequently used to obtain credit card or bank account information from the user. The term content spoofing is the one used formally in the literature; the term phishing is used more in the media. The attack exploits the trust relationship between the user and the web site. In most cases the attacker collects all the information in two to three days and then shuts down his server to avoid being caught. Sometimes the attackers are located in other countries, which makes it difficult to arrest them.

Example: Content spoofing can be done if a web page is dynamically generated using frames and the location of a frame is specified by a URL parameter value. The attacker can change this value to take the user to a different web page. If the original URL is

http://abc.example/page?frame_src=http://abc.example/file.html

the attacker replaces the frame_src parameter to take the user to a different link:

http://abc.example/page?frame_src=http://attacker.example/foreign.html

The user believes that the content is coming from the original domain, but in fact he is directed to the attacker's system.

Fig. 3 Content Spoofing

In this example, the victim receives an email which asks him to click on "here", which according to the email will take the user to the banking site so that he can verify his information. The attacker has created an exact replica of the Citibank home page to fool the user. After getting all the information from the user, the attacker directs him to the real site.

Dangers involved
Victims can lose confidential information such as bank account numbers and credit card numbers to the attacker.
The attacker is difficult to track: he collects information for 2-3 days and then closes his site. Sometimes the attackers are located in third countries, so it is difficult to arrest them.


What can be done
Educating users to type the bank's URL directly rather than clicking on links in email, and not to respond to emails containing HTML-embedded forms.
Making users aware of HTTPS in the address bar, the SSL padlock icon and the SSL certificate, which are used to establish authenticity.
Using antivirus software to filter spam.
Disabling the HTML functionality of email.
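On the server side, the frame_src example above can be closed off by refusing any frame location that is not on the site's own host. The following is an added example, not code from the survey; the host abc.example is the survey's, while the default page, the function names and the sample URLs are assumptions constructed for the demonstration.

```python
# Added example (not from the survey): validating a frame-source parameter such as
# frame_src against the application's own host, so that a crafted link like
# page?frame_src=http://attacker.example/foreign.html is replaced by a safe default.
from typing import Optional
from urllib.parse import urlsplit

TRUSTED_HOST = "abc.example"                      # the survey's legitimate host
DEFAULT_FRAME = "http://abc.example/file.html"    # assumed fallback page


def is_trusted_frame_src(url: str, trusted_host: str = TRUSTED_HOST) -> bool:
    """True only for an absolute http(s) URL whose host is exactly trusted_host.
    Other hosts, look-alike suffixes, userinfo tricks, scheme-relative URLs and
    javascript: URLs are all rejected."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False  # rejects javascript:, data:, and relative or //-prefixed URLs
    # parts.hostname drops userinfo and port: for http://abc.example@attacker.example/
    # it yields 'attacker.example', so a fake "abc.example@" prefix does not help.
    if parts.hostname is None:
        return False
    return parts.hostname.lower() == trusted_host.lower()


def resolve_frame_src(param: Optional[str]) -> str:
    """Frame source the page will embed: the requested one if trusted, else the default."""
    if param and is_trusted_frame_src(param):
        return param
    return DEFAULT_FRAME


# Constructed sample inputs: the survey's two URLs plus common evasion variants.
SAMPLES = {
    "http://abc.example/file.html": True,
    "https://abc.example/account": True,
    "http://attacker.example/foreign.html": False,   # the survey's attack URL
    "http://abc.example.attacker.example/x": False,  # suffix-matching trap
    "http://abc.example@attacker.example/": False,   # userinfo trick
    "//attacker.example/foreign.html": False,        # scheme-relative
    "javascript:alert(1)": False,
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        verdict = is_trusted_frame_src(url)
        assert verdict == expected, url
        print(f"{'allow' if verdict else 'block':5s} {url}")
```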

Cross site scripting


In cross-site scripting (XSS), malicious code, usually written in VBScript, ActiveX, Java etc., is executed in the user's browser. The code is echoed by the web site to the user's browser. The code is placed on the web site by the attacker using message boards, bulletins etc. When these pages are viewed by a user, the script present in the messages is executed at the user's end. These scripts may read, modify or transmit data accessible to the client's browser.

Example: Consider a web site which redirects user Alice after login to www.abc.com/default.asp?name=alice, where a server-side script generates a welcome page that says "Welcome Back Alice!". The user information is stored in a database, and the web site places a cookie on your computer containing a key to that database. The cookie is retrieved any time the site is visited. An attack can be launched as follows:

1. The hacker sends you an e-mail that claims you've just won a vacation getaway and all you have to do is "click here" to claim your prize. The URL for the hypertext link is www.adatum.com/default.asp?name=<script>evilScript()</script>.
2. The user clicks on the link.
3. The server generates the HTML; the script is treated as the parameter which contains the name of the user, and the malicious script is sent to the user's browser.
4. The script is executed by the browser.
5. The sensitive information is sent to the hacker.

Fig. 4 Cross site scripting

Dangers involved
Sensitive information like cookies can be stolen from the user's system.
Web sites can be made unreadable by making the web page unpleasant to use (e.g., via annoying banners and offensive material).
By embedding malicious FORM tags at the right place, an intruder may even be able to trick users into revealing sensitive information.

What can be done
Using HTTP-only cookies eliminates the possibility that sensitive information contained in the cookie can be sent to a hacker's computer or web site by script.
Filtering inputs for special characters like <, which denotes the beginning of a tag.
Disabling scripting when it isn't required.
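The welcome page from the example, rendered once the way the vulnerable default.asp does and once with the name parameter HTML-escaped, together with the HttpOnly cookie attribute recommended above. This is an added example, not code from the survey; the function names, the cookie name dbkey and the Secure attribute are assumptions.

```python
# Added example (not from the survey): the "Welcome Back <name>!" page built two
# ways.  render_unsafe echoes the name parameter verbatim, so the <script> payload
# from the crafted link reaches the browser; render_safe HTML-escapes it first.
# session_cookie_header shows the HttpOnly flag the survey recommends.
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit


def name_from_url(url: str) -> str:
    """Extract the name query parameter the way default.asp would receive it."""
    query = parse_qs(urlsplit(url).query)
    return query.get("name", [""])[0]


def render_unsafe(name: str) -> str:
    """Vulnerable: user input is concatenated straight into the HTML."""
    return f"<html><body>Welcome Back {name}!</body></html>"


def render_safe(name: str) -> str:
    """Hardened: <, >, &, quotes are escaped, so the browser shows the text
    instead of parsing it as a tag."""
    return f"<html><body>Welcome Back {html.escape(name, quote=True)}!</body></html>"


def contains_script_tag(page: str) -> bool:
    """Crude check used only to demonstrate the difference between the two renderers."""
    return "<script>" in page.lower()


def session_cookie_header(session_key: str) -> str:
    """Set-Cookie header for the database key.  HttpOnly keeps it out of reach of
    script in the page; Secure (assumed HTTPS deployment) keeps it off plain HTTP."""
    cookie = SimpleCookie()
    cookie["dbkey"] = session_key
    cookie["dbkey"]["httponly"] = True
    cookie["dbkey"]["secure"] = True
    cookie["dbkey"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


# Constructed inputs: the legitimate link and the crafted one from the text.
GOOD_URL = "http://www.abc.com/default.asp?name=alice"
EVIL_URL = "http://www.adatum.com/default.asp?name=<script>evilScript()</script>"

if __name__ == "__main__":
    for url in (GOOD_URL, EVIL_URL):
        name = name_from_url(url)
        print("unsafe:", render_unsafe(name))
        print("safe:  ", render_safe(name))
    print(session_cookie_header("k-0001"))
```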

Session fixation


HTTP was designed purely for document exchange and is incapable of session management: it does not provide any way for the web server to maintain state across a user's subsequent requests. To perform session management, the web server generates a session identifier which is sent to the user's browser. In each subsequent request the web browser sends this session identifier (session ID) back to the web server, so the session ID can be used to identify users. In a session fixation attack, the attacker fixes the session ID of the victim. Since the session ID used by the victim was fixed by the attacker, the attacker is able to access the victim's account by connecting with the same session ID, without any authentication. Session fixation thus gives the attacker access to the application with the same privileges as the user whose session he steals.

The session fixation attack is normally a three-step process:

1) Session set-up: The attacker connects to the web site to obtain a session ID, which will be introduced into the user's browser.
2) Session fixation: The attacker introduces the session value obtained in the last step into the user's browser by making him click on a URL containing that session ID (the URL can be sent by the attacker to the victim). When the user clicks on the URL sent by the attacker, his session ID is fixed to the session ID value contained in the URL.
3) Session entrance: The attacker waits until the user logs into the target web site. When the user does so, the attacker also logs in to the same account using the same session ID. The attacker is able to do that since he knows the session ID being used by the victim.

The details of this attack can be understood from an example, which is given with a diagram showing all the steps of the attack.

Example: Consider the web server online.worldbank.dom, which hosts a web banking application. Session IDs are transported from browser to server within a URL argument sessionid.

1. The attacker, who in this case is also a legitimate user of the system, logs in to the server and is issued session ID 1234 by the web server.
2. He then sends the hyperlink http://online.bank.dom/login.php?sessionid=1234 to the user, trying to lure him into clicking on it. The session ID issued to him by the web server is embedded in the link.
3. The user clicks on the link, which opens the server's login page in his browser.
4. Upon receipt of the request for login.jsp?sessionid=1234, the web application establishes that a session already exists for this user and a new one need not be created, so no new session ID is issued and the user continues with the session ID that was issued to the attacker in step 1.
5. Finally, the user provides his credentials to the login script and the server grants him access to his bank account.
6. However, at this point, knowing the session ID, the attacker can also access the user's account via account.jsp?sessionid=1234. Since the attacker is using the same session ID as the user, the web site won't ask the attacker for a username and password, and the attacker is able to access the user's account.

Fig. 5 Session fixation

Dangers involved
Authentication: The attacker is able to access another user's account without authenticating.
Authorization: The attacker operates with the access privileges of the user, and can access applications or information for which he is not authorized.

What can be done
One way to fix the session fixation problem is to issue the session ID of a newly generated session to the user only after successful authentication of his identity. The web application should not accept a session ID provided by the browser at login.
Binding the session ID to the browser's network address can also help fix the problem.
Destroying the session after a certain time interval.
Destroying the session after the user logs out, at both client and server.
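The six-step scenario above can be replayed against a small in-memory session store that is switched between the weak behaviour (adopting whatever sessionid the login request carries) and the first fix listed (a fresh ID issued only after authentication, the browser-supplied one discarded). This is an added example, not code from the survey; the class, the credential table and the session-ID format are assumptions, and 1234 is only the value carried in the constructed link.

```python
# Added example (not from the survey): session fixation replayed against a toy bank
# server.  accept_browser_session_id=True keeps the ID sent by the browser (vulnerable);
# False ignores it and issues a fresh ID after successful login (the survey's fix).
import secrets
from typing import Dict, Optional

# Constructed credential table; hashing is omitted to keep the focus on session handling.
USERS = {"victim": "correct horse", "attacker": "hunter2"}


class BankServer:
    def __init__(self, accept_browser_session_id: bool):
        self.accept_browser_session_id = accept_browser_session_id
        self.sessions: Dict[str, Optional[str]] = {}  # session id -> logged-in user or None

    def visit_login_page(self, sessionid: Optional[str]) -> str:
        """Serving login.php (steps 1 and 3/4).  The weak server adopts a supplied ID."""
        if self.accept_browser_session_id and sessionid:
            self.sessions.setdefault(sessionid, None)
            return sessionid
        sid = secrets.token_hex(16)
        self.sessions[sid] = None
        return sid

    def login(self, sessionid: str, user: str, password: str) -> Optional[str]:
        """Step 5: authenticate.  Returns the session ID the browser must use from
        now on, or None when the credentials are wrong or the session is unknown."""
        if USERS.get(user) != password or sessionid not in self.sessions:
            return None
        if self.accept_browser_session_id:
            self.sessions[sessionid] = user  # vulnerable: pre-login ID kept after login
            return sessionid
        # fix: discard the pre-authentication ID and bind the user to a new one
        del self.sessions[sessionid]
        fresh = secrets.token_hex(16)
        self.sessions[fresh] = user
        return fresh

    def account(self, sessionid: str) -> Optional[str]:
        """account.jsp: the owner of an authenticated session, or None."""
        return self.sessions.get(sessionid)


def run_attack(accept_browser_session_id: bool) -> Optional[str]:
    """Replay the three phases; returns whose account the attacker ends up in."""
    server = BankServer(accept_browser_session_id)
    # session set-up: attacker obtains an ID ("1234" is the value in the constructed link)
    attacker_sid = server.visit_login_page("1234")
    # session fixation: victim follows login.php?sessionid=<attacker's id>
    victim_sid = server.visit_login_page(attacker_sid)
    server.login(victim_sid, "victim", "correct horse")
    # session entrance: attacker reuses the ID he already knows
    return server.account(attacker_sid)


if __name__ == "__main__":
    print("vulnerable server, attacker sees:", run_attack(True))   # victim
    print("fixed server, attacker sees:", run_attack(False))       # None
```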

Server side attacks


Server-side attacks target the web server to download or view files like scripts and configuration files without proper authorization; they use the path traversal attack to achieve this file disclosure. Another form of web server attack, denial of service, prevents legitimate users from using the service by flooding the web server with messages. Due to the heavy traffic and limited capacity, the web server's resources are exhausted and it is unable to process the requests of legitimate users. Server-side attacks like SQL injection and XPath injection target the database server to retrieve information without proper authentication and authorization. Both of these attacks are possible when the application uses user input to dynamically generate queries without sanitizing it.

Path traversal attack


Web servers generally allow access to a specific portion of the web server's file system called the "web document root" directory. In a path traversal attack, the attacker accesses files and directories that are outside the web document root. They do this by using special character sequences in URL input parameters, like ../, which allows access to the parent folder of a subfolder.

Example: A simple path traversal attack uses the "../" character sequence in the URL to move one directory above the current directory, but recent web servers prevent this technique, so attackers use the Unicode-encoded form "..%255c" of the backslash character to escape filtering. E.g., an attack against a web server:

http://webp/..%255c/script/


In some cases a web application loads text from a static file to render a web page. For example, the URL below uses the home variable to load the index page:

http://webpage/update.cgi?home=index.htm

The attacker can change the URL parameter, replacing index.htm with update.cgi, to get the source code of the script update.cgi:

http://webpage/update.cgi?home=update.cgi

Dangers involved
Confidentiality of information is compromised. The attacker can obtain information such as configuration file contents by looking for files with .conf or .config extensions.
The attack can reveal the contents of scripts which are hidden from the user. The more information the attacker learns about the system, the easier it becomes to compromise.
Traversing to system directories which contain binaries makes it possible to execute system commands.

What can be done
Preventing "../" and its Unicode variants in input would help reduce the kind of attack discussed in the example.
To prevent the attacker from executing operating system commands, web root directories and virtual directories must be kept on a non-system partition, since it is not possible to traverse across drives. If the system is installed on the C: drive, the web site and content must be moved to the E: drive, and the virtual directory should point to the new drive.
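A server-side check for the home= parameter that covers both examples above: it decodes nested percent-encoding (so "..%255c" becomes a backslash), normalises the path and verifies the result is still under the document root, and additionally refuses anything that is not a static page, which is what stops home=update.cgi. This is an added example, not code from the survey; the document root /var/www/html, the static-page policy and the sample inputs are assumptions.

```python
# Added example (not from the survey): resolving update.cgi?home=<file> inside a fixed
# document root.  Repeated decoding catches "..%255c" (-> "..%5c" -> "..\"), backslashes
# are treated like slashes, and posixpath.normpath collapses ".." without touching disk.
import posixpath
from pathlib import PurePosixPath
from urllib.parse import unquote

WEB_ROOT = PurePosixPath("/var/www/html")   # assumed document root
ALLOWED_SUFFIXES = {".htm", ".html"}         # assumed policy: home= may name static pages only


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Undo nested percent-encoding until the string stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    return value


def safe_resolve(requested: str, root: PurePosixPath = WEB_ROOT) -> PurePosixPath:
    """Absolute path of the file to serve, or PermissionError if the request
    escapes the root or names something other than a static page."""
    decoded = fully_decode(requested).replace("\\", "/")
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")
    joined = posixpath.join(str(root), decoded.lstrip("/"))
    candidate = PurePosixPath(posixpath.normpath(joined))
    try:
        candidate.relative_to(root)          # raises ValueError if outside root
    except ValueError:
        raise PermissionError(f"escapes document root: {requested!r}") from None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise PermissionError(f"not a static page: {candidate.name!r}")
    return candidate


def classify(requested: str) -> str:
    """'ALLOW <path>' or 'DENY <reason>' for the demo loop."""
    try:
        return "ALLOW " + safe_resolve(requested).as_posix()
    except PermissionError as exc:
        return "DENY " + str(exc)


# Constructed inputs: the survey's examples plus encoded variants.
SAMPLES = [
    "index.htm",
    "css/../index.htm",
    "../../etc/passwd",
    "..%2f..%2fetc/passwd",
    "..%255c..%255cscript/",
    "update.cgi",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:26s} -> {classify(s)}")
```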

Denial of Service
A denial of service attack aims to prevent legitimate users from using a service. This is usually done by consuming all of a resource used to provide the service, like CPU, operating system memory etc. The attacker may launch the attack by bombarding the web site with numerous messages. If the attack is carried out by thousands of machines, it is called a distributed denial of service (DDoS) attack. DDoS is more complex and harder to solve: the high volume of packet traffic makes it difficult to distinguish legitimate packets from attack packets.

This is how a denial of service attack takes place. The first step taken by the attacker is to find vulnerable machines which can be compromised. He then compromises the vulnerable hosts to gain access and installs a script on each compromised host. The compromised hosts are used for further scanning and compromising. Attacks are then either prescheduled by hard-coding in the propagated code or are invoked by the attacker by sending commands to the agents.

Fig. 6 Denial of Service attack mechanism

The attacker builds a handler/agent network, where the attacker controls the network by issuing commands to the handlers, which in turn relay commands (sometimes using a different command set) to the agents.

Example: A web server takes a certain amount of time to serve a web page request, which limits the maximum number of requests the web server can handle in a finite amount of time. If it is assumed that a web server can process 1000 requests per second to retrieve the file and serve the home page, then at most 1000 customer requests can be processed concurrently. Normally the web server receives 50-70 requests per second, which is less than 10 percent of its capacity. If the attacker controls 10,000 machines and makes each of them send a request every 10 seconds, the web server will receive 1000 requests per second from the attack alone, which combined with the normal traffic makes a total of 1050-1070 requests per second. This exceeds the maximum capacity the web server can handle, and the web server is not able to serve legitimate requests because of saturation.


Fig. 7 Example of denial of service attack

Dangers involved
In the case of e-commerce sites, a denial of service attack can lead to loss of revenue, as legitimate users won't be able to use the site. According to an FBI report, the financial loss was over $300 million for the year 2005.
If the enterprise is small, it may find it difficult to deploy expensive mechanisms to prevent the attack; there have been cases where the attacker demanded money to stop the attack.
The availability of various distributed denial of service tools, which can be easily downloaded and used to recruit agents and activate an attack, makes it possible for even inexperienced users to launch an attack.

What can be done
Attacks can be prevented by identifying software bugs or errors in application design and applying the latest patches.
Critical applications should be replicated on several servers, each running different operating system and application versions.
A reverse Turing test can be employed to make sure that there is a human user at the other end of the connection. A typical Turing test displays a slightly blurred or distorted picture and asks the user to type in the displayed characters or symbols. This task is easy for humans but very hard for computers, and works well for web applications.
Dangerous packets should be filtered by employing a packet recognition system.
Sources should be validated to verify the user's identity before granting a service request.

Code Injection
In this kind of attack, the attacker manipulates input parameters to inject malicious code which executes at the server side to perform operations that violate the security of the data. SQL injection and XPath injection are two different kinds of attack in this category targeting the database. XPath injection is more severe, since the attacker is able to access all information, unlike SQL injection, where the administrator can restrict the user from accessing all information. XPath has the same syntax everywhere, unlike SQL, where different vendors have different syntaxes.

SQL Injection
SQL injection is the most prevalent form of attack, since most web sites use a database to store and retrieve data. In SQL injection the attacker provides user input which becomes part of an SQL query. When the dynamically generated query is executed on the database server without proper checks, it can let the attacker retrieve unauthorized information without proper authentication and authorization.

Example: Consider a web site which requires the user to provide a login name and password to access account information. The user name and password are used by the middle tier (ASP, servlets etc.) to generate an SQL statement. Therefore, if a user submits login and password as abc and xyz, the servlet dynamically builds the query:

SELECT info FROM users WHERE login='abc' AND pass='xyz'

If the attacker enters ' OR 1=1 -- and an empty string instead of abc and xyz, the resulting query is:

SELECT info FROM users WHERE login='' OR 1=1 -- ' AND pass=''

The single quote before the OR keyword neutralizes the opening quote. The presence of the OR 1=1 clause after WHERE turns this conditional into a tautology. The characters -- denote the beginning of a comment, so everything after them is ignored. Hence the password condition is disabled by the attacker. As a result, the database returns information about all users.


Fig. 8 SQL Injection

Dangers involved
Confidentiality: Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL injection vulnerabilities.
Authentication: Using SQL injection it may be possible to connect to a system as another user with no previous knowledge of the password.
Authorization: If authorization information is held in an SQL database, it may be possible to change this information through the successful exploitation of an SQL injection vulnerability.
Integrity: Just as it may be possible to read sensitive information, it is also possible to make changes to or even delete this information with an SQL injection attack.

What can be done
Validating all string input for SQL keywords and escaping all single quotes.
Restricting access to standard database functions and procedures.
Restricting access to custom database stored procedures.
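The login query from the example, run against an in-memory SQLite table once as the servlet builds it (string concatenation) and once with bound parameters, which is the stronger form of the "validate input and escape quotes" advice above. This is an added example, not code from the survey; the table contents and function names are constructed for the demonstration.

```python
# Added example (not from the survey): the survey's login query executed two ways.
# lookup_unsafe concatenates the input, so  ' OR 1=1 --  turns the WHERE clause into a
# tautology and every row comes back; lookup_safe binds the values as parameters, so the
# same input is just a login name that matches nobody.
import sqlite3
from typing import List, Tuple

# Constructed sample rows (clear-text passwords only to mirror the survey's query).
ROWS = [("abc", "xyz", "balance 120"), ("bob", "pw2", "balance 3000")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, pass TEXT, info TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, login: str, password: str) -> List[Tuple[str]]:
    """Vulnerable: mirrors the middle-tier code in the text."""
    sql = f"SELECT info FROM users WHERE login='{login}' AND pass='{password}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, login: str, password: str) -> List[Tuple[str]]:
    """Hardened: placeholders keep the input as data; it is never parsed as SQL."""
    sql = "SELECT info FROM users WHERE login=? AND pass=?"
    return conn.execute(sql, (login, password)).fetchall()


# The survey's attack input for the login field; the password field is left empty.
INJECTION = "' OR 1=1 --"

if __name__ == "__main__":
    conn = make_db()
    print("normal login, unsafe:", lookup_unsafe(conn, "abc", "xyz"))
    print("injection, unsafe:   ", lookup_unsafe(conn, INJECTION, ""))  # both rows
    print("injection, safe:     ", lookup_safe(conn, INJECTION, ""))    # []
```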

Xpath injection
XPath is used to query an XML database. The XML database is represented using an XML document, and an XPath query is similar to an SQL query. XPath queries are used for search requests, for login processing, for data retrieval, and for other lightweight database tasks. XPath injection takes place in a web site which constructs XPath expressions from user input.

Example: Consider an XML document with three elements: user name, password and checking account number. The XPath expression to retrieve the account number requires the user to give a user name and password:

string(//user[name/text()='abc' and password/text()='abc4']/account/text())

If the attacker enters the following string in the username field: ' or 1=1 or ' '=' , the XPath expression becomes:

string(//user[name/text()='' or 1=1 or ' '=' ' and password/text()='xyz']/account/text())

Since 1=1 is a tautology, the attacker can log in as the first user listed in the XML document.

Dangers involved
The dangers involved in XPath injection are even more severe than in SQL injection. XPath allows one to query all items of the database, unlike an SQL DBMS, in which the user might be restricted to some tables using access control. Since XPath is a standard language, compared to SQL, it is much easier to launch the attack; in SQL different vendors have different kinds of implementation.

What can be done
Defending against XPath injection is essentially similar to defending against SQL injection: sanitizing user input in the application program, specifically disallowing the single and double quote characters. This can be done either in the application itself or in a third-party product (e.g. an application firewall).
Testing an application's susceptibility to XPath injection can be easily performed by injecting a single quote or a double quote and inspecting the response. If an error has occurred, then it is likely that XPath injection is possible.

Comparison of attacks
Attack: Content Spoofing
  Target: Client
  Effects: Loss of confidential information like username and password
  Severity: moderate
  Prevention: Educating user

Attack: Cross site Scripting
  Target: Client
  Effects: Unauthorized access to client's private information like cookies
  Severity: moderate
  Prevention: Disabling scripts at client's browser

Attack: Session fixation
  Target: Client
  Effects: Unauthorized access to user account information
  Severity: moderate
  Prevention: Issuing session id after authentication

Attack: Path traversal
  Target: Server
  Effects: Unauthorized access to files and directories stored on server
  Severity: moderate
  Prevention: Checking "../" and its variants

Attack: Denial of Service
  Target: Server
  Effects: Web application unavailable for normal users
  Severity: moderate
  Prevention: Fixing bugs, reverse Turing test, resource replication

Attack: SQL injection
  Target: Server
  Effects: Unauthorized operations and access to database
  Severity: Severe
  Prevention: Checking user input, giving minimum privileges

Attack: Xpath injection
  Target: Server
  Effects: Unauthorized access to all data entities
  Severity: Severe
  Prevention: Checking user input

Summary
We surveyed some of the application-level attacks on web-based systems that exist because of vulnerabilities in configuration and in protocol standards. Vulnerabilities in web server configuration lead to path traversal attacks; in the case of the database server they lead to code injection attacks. Improperly written server-side code which fails to sanitize user input is another reason for these attacks. The fact that applications are written by people other than those who manage security leaves vulnerabilities in the code. Operating systems and web browsers are getting more complex with each release, and the sheer size of the code makes it difficult to find all bugs and fix them in time. Limitations of existing protocols are another reason for attacks: for example, HTTP does not provide any way for the web server to maintain state across a user's subsequent requests, and existing methods for providing sessions have limitations which allow attackers to launch session-based attacks. There are different mechanisms for preventing each type of application-level attack. Despite all efforts, attackers will come up with new patterns and web applications will continue to be attacked.

References

Research Papers for More Information on This Topic
William G.J. Halfond and Alessandro Orso. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. ASE'05, November 7-11, 2005, Long Beach, California, USA.
Amit Klein. Blind XPath Injection. Sanctum, 2004.
Scott, D., Sharp, R. Abstracting Application-Level Web Security. In: The 11th International Conference on the World Wide Web (Honolulu, Hawaii, May 2002), 396-407.
Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, David Evans. Automatically Hardening Web Applications Using Precise Tainting. 20th IFIP International Information Security Conference (June 2005, Chiba, Japan).
Bob Gehling, David Stankard. eCommerce Security. Proceedings of the 2nd Annual Conference on Information Security Curriculum Development (September 2005, Kennesaw, Georgia).
"A new spoof: all frames-based sites are vulnerable", SecureXpert Labs. http://tbtf.com/archive/11-17-98.html#s02
David Endler. Brute-Force Exploitation of Web Application Session IDs. iAlert white paper, 2001.
Mitja Kolšek. Session Fixation Vulnerability in Web-based Applications. ACROS Security, December 2002.
John Viega, Gary McGraw. Building Secure Software. Addison-Wesley.
Ivan Ristic. Apache Security. O'Reilly.
Jelena Mirkovic, Sven Dietrich. Internet Denial of Service: Attack and Defense Mechanisms.

Research Groups
Web Application Security Consortium
SPI Dynamics lab
MSDN

Other relevant links
Path traversal attack
CERT Advisory CA-2000-02: Malicious HTML Tags Embedded in Client Web Requests

Scope
This survey is based on research publications found in the ACM Digital Library as well as white papers from the SPI Dynamics lab and Sanctum. The keywords used were: web application security attacks, denial of service attacks, information disclosure, client-side attacks in web applications. I also looked into MSDN, which gives comprehensive information about cross-site scripting attacks.
