1 Introduction
In the past ten years, the World-Wide Web has evolved from a system to
provide access to static information into a full-fledged distributed execution
infrastructure. Web-based applications have become a popular way to provide
access to services and dynamically generated information. The popularity
of web-based applications, such as online shopping catalogs and web-based
discussion forums, is a result of the ease of development, deployment, and access
of this class of applications. Even network devices and traditional applications
(such as mail servers) often provide web-based interfaces that are used for
administration as well as configuration. Unfortunately, while the developers of
the software infrastructure (that is, the developers of web servers and database
engines) usually have a deep understanding of the security issues associated with
the development of critical software, the developers of web-based applications
2 Puica Marian Cosmin
often have little or no security skills. These developers mostly focus on the
functionality for the end-user and often work under stringent time constraints,
without the resources (or the knowledge) necessary to perform a thorough
security analysis of the application code. The result is that poorly-developed
code, riddled with security flaws, is deployed and made accessible to the whole
Internet.
Web-related security flaws represent a substantial portion of the total
number of vulnerabilities.
Because of their immediate accessibility, poor security, and large installation
base, web-based applications have become popular attack targets and one of
the main venues to compromise the security of systems and networks.
Nowadays, most of the information that we need in everyday life and in
professional environments is found on the internet. Be it the latest news,
the latest activities of your friends and families, purchasing various products
available in the virtual stores, or even E-banking, the internet makes it all
possible. But what most internet users don't know is that, as attractive
as it may be, it is still very much vulnerable to cyber attacks.
Web based attacks are considered by security experts to be the greatest and
oftentimes the least understood of all risks related to confidentiality, availability,
and integrity.
Application vulnerabilities can provide the means for malicious end users
to breach a system's protection mechanisms, typically to gain access to private
information or system resources. Information gathered can
include social security numbers, dates of birth, and maiden names, which are all
often used in identity theft. Another popular target for attackers is credit card
data, which, left unprotected and unencrypted, can be used to cause significant
damage to an organization's most valued asset: its customers. Machines become
unresponsive or sluggish resulting in users becoming frustrated and adminis-
trators spending precious time trying to find the problem. When a machine
is infected, some administrators often want to simply re-install the operating
system, however a responsible system administrator or security analyst would
want to investigate and assess the situation before doing anything else. All of
these tasks take time and resources. People have to stop working, the hardware
has to be replaced and so on.
This paper shows how some of the best known web-based attacks work and
how web developers can protect against them.
2 Web threats
Web threats use multiple types of malware and fraud, all of which utilize the
HTTP or HTTPS protocols, but they may also employ other protocols and components,
such as links in email or IM, malware attachments, or malware on servers that
access the Web. They benefit cybercriminals by stealing information for
subsequent sale and help absorb infected PCs into botnets.
Web Threats 3
What is a botnet?
A botnet is a collection of internet-connected programs communicating with
other similar programs in order to perform tasks. The word botnet derives from
the two words robot and network.
There are many web-based threats, but only a handful can do serious
damage and steal valuable information.
This form of SQL injection occurs when user input is not filtered for escape
characters and is then passed into a SQL statement. This results in the
potential manipulation of the statements performed on the database by the
end-user of the application.
The following line of code illustrates this vulnerability:
statement = "SELECT * FROM users WHERE name = '" + userName + "';"
This SQL code is designed to pull up the records of the specified username
from its table of users. However, if the userName variable is crafted in a
specific way by a malicious user, the SQL statement may do more than the
code author intended.
This form of SQL injection occurs when a user-supplied field is not strongly
typed or is not checked for type constraints. This could take place when a
numeric field is to be used in a SQL statement, but the programmer makes
no checks to validate that the user supplied input is numeric. For example:
statement := "SELECT * FROM userinfo WHERE id = " + a_variable + ";"
It is clear from this statement that the author intended a variable to be a
number correlating to the id field. However, if it is in fact a string then the
Conditional responses
One type of blind SQL injection forces the database to evaluate a logical
statement on an ordinary application screen. As an example, a book review
website uses a query string to determine which book review to display. So
the URL http://books.example.com/showReview.php?ID=5 would
cause the server to run the query
SELECT * FROM bookreviews WHERE ID = 5;
from which it would populate the review page with data from the re-
view with ID 5, stored in the table bookreviews. The query happens com-
pletely on the server; the user does not know the names of the database,
table, or fields, nor does the user know the query string. The user only
sees that the above URL returns a book review. A hacker can load
the URLs http://books.example.com/showReview.php?ID=5 AND 1=1
and http://books.example.com/showReview.php?ID=5 AND 1=2, which may
result in the queries
SELECT * FROM bookreviews WHERE ID = 5 AND 1=1;
SELECT * FROM bookreviews WHERE ID = 5 AND 1=2;
respectively. If the original review loads with the 1=1 URL and a blank
or error page is returned from the 1=2 URL, the site is likely vulnerable
to a SQL injection attack. The hacker may proceed with this query string,
designed to reveal the version number of MySQL running on the server:
http://books.example.com/showReview.php?ID=5 AND substring(@@version,1,1)=4,
which would show the book review
Protection
This function calls MySQL's library function mysql_real_escape_string, which
prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
This function must always (with few exceptions) be used to make data safe
before sending a query to MySQL.
There are other functions for many database types in PHP, such as
pg_escape_string() for PostgreSQL. There is, however, one function that works
for escaping characters and is used especially for querying databases that do
not have escaping functions in PHP. This function is addslashes(string $str).
It returns a string with backslashes before characters that need to be quoted
in database queries, etc. These characters are single quote ('), double quote ("),
backslash (\) and NUL (the NULL byte).
Routinely passing escaped strings to SQL is error prone because it is easy to
forget to escape a given string. Creating a transparent layer to secure the input
can reduce this error-proneness, if not entirely eliminate it.
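The two concatenation patterns shown earlier (unfiltered quoted input and an unchecked numeric id) next to the parameterized alternative this section recommends, as an added example that is not the paper's own code: Python with an in-memory SQLite database standing in for MySQL, tables and rows constructed for the illustration, and the 5 AND 1=1 / 5 AND 1=2 pair from the conditional-responses section reused as the probe input.

```python
import sqlite3

# Constructed sample data (not from the paper): the users and bookreviews tables it names.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, billing TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "card-1"), ("bob", "card-2")])
    db.execute("CREATE TABLE bookreviews (ID INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO bookreviews VALUES (?, ?)", [(5, "Review 5"), (6, "Review 6")])
    return db

# The paper's two vulnerable patterns: escape characters are not filtered, and a
# numeric field is not type-checked. Both paste the raw input into the SQL text.
def find_user_vulnerable(db, user_name):
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return db.execute(statement).fetchall()

def show_review_vulnerable(db, id_param):
    statement = "SELECT * FROM bookreviews WHERE ID = " + id_param + ";"
    return db.execute(statement).fetchall()

# Hardened versions: the value is bound as a query parameter, so the driver passes it
# as data rather than SQL text. The numeric field is additionally type-checked first,
# which is the check the paper's second example omits.
def find_user_safe(db, user_name):
    return db.execute("SELECT * FROM users WHERE name = ?;", (user_name,)).fetchall()

def show_review_safe(db, id_param):
    if not id_param.isdigit():
        raise ValueError("ID must be a non-negative integer")
    return db.execute("SELECT * FROM bookreviews WHERE ID = ?;", (int(id_param),)).fetchall()

def demo():
    db = make_db()
    tautology = "' OR '1'='1"  # closes the quoted literal and makes WHERE always true
    probe_true, probe_false = "5 AND 1=1", "5 AND 1=2"  # the blind-injection pair
    try:
        show_review_safe(db, probe_false)
        probe_rejected = False
    except ValueError:
        probe_rejected = True
    return {
        "vuln_user": find_user_vulnerable(db, tautology),  # both rows leak
        "safe_user": find_user_safe(db, tautology),        # no user has that literal name
        "vuln_probe_true": show_review_vulnerable(db, probe_true),
        "vuln_probe_false": show_review_vulnerable(db, probe_false),  # differs: injectable
        "safe_probe_rejected": probe_rejected,
        "safe_review": show_review_safe(db, "5"),
    }
```

The differing results of the two probe inputs against the vulnerable function are exactly the conditional response the blind-injection section describes; the hardened function never reaches the database with them.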
Database permissions
Limiting the permissions on the database logon used by the web application
to only what is needed may help reduce the effectiveness of any SQL injection
attacks that exploit any bugs in the web application.
For example, on SQL Server, a database logon could be restricted from
selecting on some of the system tables, which would limit exploits that try to
insert JavaScript into all the text columns in the database.
Non-persistent
Persistent
Persistent XSS can be more significant than other types because an attacker's
malicious script is rendered automatically, without the need to individually
target victims or lure them to a third-party website. Particularly in the case of
social networking sites, the code would be further designed to self-propagate
across accounts, creating a type of client-side worm.
The methods of injection can vary a great deal; in some cases, the attacker
may not even need to directly interact with the web functionality itself to
exploit such a hole. Any data received by the web application (via email, system
logs, IM, etc.) that can be controlled by an attacker could become an injection
vector.
Exploit examples
Non-persistent attack:
1. Alice often visits a particular website, which is hosted by Bob. Bob's website
allows Alice to log in with a username/password pair and stores sensitive
data, such as billing information.
2. Mallory observes that Bob's website contains a reflected XSS vulnerability.
3. Mallory crafts a URL to exploit the vulnerability, and sends Alice an email,
enticing her to click on a link for the URL under false pretenses. This URL
will point to Bob's website (either directly or through an iframe or ajax),
but will contain Mallory's malicious code, which the website will reflect.
4. Alice visits the URL provided by Mallory while logged into Bob's website.
5. The malicious script embedded in the URL executes in Alice's browser, as
if it came directly from Bob's server (this is the actual XSS vulnerability).
The script can be used to send Alice's session cookie to Mallory. Mallory can
then use the session cookie to steal sensitive information available to Alice
(authentication credentials, billing info, etc.) without Alice's knowledge.
Persistent attack:
Prevention ways
Cookie security
Defensive technologies
There are three classes of XSS defense that are emerging: Mozilla's Content
Security Policy, JavaScript sandbox tools, and auto-escaping templates. These
mechanisms are still evolving but promise a future of heavily reduced XSS.
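Two of the defenses just listed, auto-escaping templates and a Content Security Policy, together with the cookie flags that blunt the session-cookie theft in the reflected-XSS scenario, as an added example in Python that is not the paper's own code; the page template, the placeholder syntax, the probe string and the demo() helper are all constructed for the illustration.

```python
import html
import re

# Constructed template, not from the paper: a search page that reflects the query
# string, the situation in the reflected-XSS scenario above.
TEMPLATE = "<h1>Results for {{query}}</h1><p>Signed in as {{user}}.</p>"
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")

def render_unescaped(template, values):
    # Vulnerable: a reflected parameter is substituted as raw markup, so a
    # script tag in it runs in the victim's browser as if the site had sent it.
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)

def render_autoescaped(template, values):
    # Auto-escaping template: every substituted value is HTML-encoded, so tags
    # and attribute quotes in it become inert text. There is deliberately no
    # "mark as safe" escape hatch, which is where such templates usually fail.
    return PLACEHOLDER.sub(lambda m: html.escape(values[m.group(1)], quote=True), template)

def security_headers(session_id):
    # Cookie security and CSP. HttpOnly keeps script from reading the session
    # cookie, so the cookie-theft step of the scenario fails even if a script
    # does execute; Secure and SameSite limit where the browser sends it. The
    # CSP carries no 'unsafe-inline', so the browser refuses inline scripts.
    return {
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    }

# Constructed probe value: the usual harmless XSS test string, not a real payload.
PROBE = "<script>alert(1)</script>"

def demo():
    values = {"query": PROBE, "user": "Alice"}
    return {
        "unescaped": render_unescaped(TEMPLATE, values),    # script tag reaches the browser
        "escaped": render_autoescaped(TEMPLATE, values),    # rendered as visible text only
        "headers": security_headers("constructed-session-id"),
    }
```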
Protection
3 Conclusion
For many businesses which conduct business online, their reputation is at stake.
One breach can oftentimes lead to irreparable brand damage. And putting a
price on the amount of damage done is oftentimes extremely difficult, though
losses to public companies can be in excess of billions when stock valuations are
considered.
Because of the continuous evolution of computer science, in the near future
every person will store valuable information on their computer, thus opening the
path to every attacker with evil intent. To stop the attackers in their tracks,
high-security programs are created. But every time a security program is created,
so is its counterpart, in a never-ending story. The purpose of this paper
was to show how some web attacks work and how they can be prevented so that
in the future, people can store valuable information on their computers without
fear of being hijacked.
Only a few of the possible approaches have been discussed in this paper, and
in time these strategies will likely require tweaking and improvement, as attack
vectors will invariably evolve.
Future research will provide more ways to prevent web-based attacks.