Upload: ali-habeeb

Post on 08-May-2015

Page 1: Web Security

1

A SOLUTION FOR ATTACK VECTORS AGAINST WEB APPLICATIONS USING AJAX

Page 2: Web Security

2

ABSTRACT

Web applications are the most predominant applications accessed over a network such as the Internet. Web applications are presentation-oriented: they generate interactive web pages containing various types of markup language (HTML, XML, and so on) and dynamic content in response to requests. As there is heavy traffic in today's web world, it is essential to maintain security concerns and prevention approaches in order to protect web applications from cyber culprits. These applications are increasingly the preferred targets of cyber criminals looking to profit from identity theft and other illegal activities.

Modern tools and technologies such as AJAX are available to make web applications simple and user friendly. AJAX web technology, by design, makes a number of calls to the web server to process a user request. As there is an increase in session management vulnerabilities and a greater risk of hackers gaining access to the many hidden URLs that are necessary for AJAX requests to be processed, we need to provide high-end web security measures to protect web sites from vulnerabilities.

Web security is the act of protecting authorized users from malicious threats. The current solution addresses the most common threats that occur at the client side, such as CSS (Cross Site Scripting) and SQL Injection.

Page 3: Web Security

3

INTRODUCTION

• A web application is a software application accessed by users over the internet.

• 2 variants:
– Static web sites
– Dynamic web applications

• Static web sites consist of content-oriented web pages used for blogs and wiki sites.

• Dynamic web applications are interactive, more service-based applications containing stored and processed content.

• Developed using browser-supported scripting and markup languages on the client side and efficient server-side programming.

• Used for social network activity, ecommerce business applications, …


WEB SECURITY

• Sensitive data is increasingly spread over the network.

• The number of vulnerabilities and security incidents reported grows with the wide availability of data.

• Web applications should have control over:
– Confidentiality
– Integrity
– Availability
– Authentication
– Authorization

• Common vulnerabilities:
– SQL Injection Attacks
– CSRF (CSS variant) Attacks


SQL Injection Attack

• SQLIA is a server-side attack that manipulates content in the back-end database system.

• Embeds malformed query statements in input data and compromises the query execution process.

• Attacks against confidentiality, availability and integrity services.

• Unauthorized access to the database and attacks with malformed DML statements.

• Various SQL injection formats:
– Tautologies:
  SELECT u.name FROM users u WHERE u.login='' OR 1=1 -- ' AND u.passwd=***
– UNION queries:
  SELECT acct FROM users WHERE login=' ' UNION SELECT transaction FROM transactions WHERE acct_no=9012 -- AND passwd=****
– Piggy-back queries:
  SELECT name FROM users WHERE login='xyz' AND passwd='***' ; DROP TABLE system.users


SQLIA Existing Solutions

SQL Injection

• Syntax analysis and prevention.

• White list patterns and black list patterns

• Parameterized prepared statements with attributes


SQLIA Proposed Solution

SQL Injection Attack prevention
– Encode and decode the crucial data.
– The encrypted data is persisted in the database system.
– The user's input data is encrypted before query processing.
– The critical data is decrypted on retrieval from the database.

Advantages:
– Malformed query formation is not possible.
– No query preprocessing or manual checks required.

Disadvantages:
– Requires additional space to store cipher data instead of plain data.
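To make the SQL injection slides concrete, here is an added Python example that is not code from the deck or from the Instant Media application. It runs the tautology payload from the SQL Injection Attack slide against a constructed in-memory SQLite users table and compares three lookups: the vulnerable string concatenation, the parameterized prepared statement from the existing-solutions slide, and the encode-before-query approach proposed above. Hex encoding stands in for the deck's unspecified cipher; the table layout, account names and function names are assumptions made here.

```python
import binascii
import sqlite3

# Constructed sample data, not from the deck: two accounts in a users table.
SAMPLE_USERS = [("alice", "alice-pw"), ("admin", "s3cret")]

# The tautology payload from the slide, as it would arrive in a login field.
TAUTOLOGY_LOGIN = "' OR 1=1 -- "


def setup_plain_db():
    """In-memory users table holding plaintext values (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, login, passwd):
    """Vulnerable form: input is pasted into the SQL text, so the quote in the
    tautology payload closes the literal and 'OR 1=1' matches every row."""
    sql = ("SELECT login FROM users WHERE login='" + login
           + "' AND passwd='" + passwd + "'")
    return [row[0] for row in conn.execute(sql)]


def parameterized_lookup(conn, login, passwd):
    """Existing solution from the deck: a prepared statement. The input is bound
    as a value and is never re-parsed as SQL, whatever characters it contains."""
    sql = "SELECT login FROM users WHERE login=? AND passwd=?"
    return [row[0] for row in conn.execute(sql, (login, passwd))]


# --- The deck's proposed approach: encode crucial data before it touches SQL ---

def encode(value):
    """Hex encoding stands in for the deck's unspecified cipher (assumption).
    Its output alphabet is [0-9a-f], so it can never contain a quote,
    a semicolon or a comment marker."""
    return binascii.hexlify(value.encode("utf-8")).decode("ascii")


def decode(value):
    """Reverse of encode(): applied when data is read back from the database."""
    return binascii.unhexlify(value.encode("ascii")).decode("utf-8")


def setup_encoded_db():
    """Same users table, but every stored value is persisted in encoded form."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(encode(u), encode(p)) for u, p in SAMPLE_USERS])
    return conn


def encoded_lookup(conn, login, passwd):
    """Encode the user's input before query processing (as the slide describes)
    and decode the result on retrieval. Even with string concatenation, the
    tautology payload becomes a harmless hex string that matches no row."""
    sql = ("SELECT login FROM users WHERE login='" + encode(login)
           + "' AND passwd='" + encode(passwd) + "'")
    return [decode(row[0]) for row in conn.execute(sql)]


if __name__ == "__main__":
    plain = setup_plain_db()
    print("vulnerable   :", vulnerable_lookup(plain, TAUTOLOGY_LOGIN, "x"))
    print("parameterized:", parameterized_lookup(plain, TAUTOLOGY_LOGIN, "x"))
    enc = setup_encoded_db()
    print("encoded      :", encoded_lookup(enc, TAUTOLOGY_LOGIN, "x"))
    print("encoded valid:", encoded_lookup(enc, "alice", "alice-pw"))
```

The vulnerable lookup returns both accounts for the tautology input, while the other two return nothing and still match the real credentials. The encoded lookup blocks the payload only because every value that reaches the query text, stored and submitted, passes through encode(); the advantage claimed above (no manual checks) holds exactly as long as that invariant does, and the prepared statement gives the same protection without the storage overhead listed under disadvantages.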


CSRF (Cross Site Request Forgery) Attack

• CSS (Cross Site Script) is a client-side script attack: scripts embedded in a page are executed on the client side.

• Cookie capture hijacks legitimate users' sessions.

• CSRF is a typical CSS variant which sends unauthorized commands from a valid user to the server.

• Malicious scripts or URLs embedded into blog contents or hidden in image tags:
– <img src="http://buggy-site.com/hacked"/>

• Attacks target identity theft and cheat business transactions.

• Unauthorized posting of crucial form data:
– <script>document.getElementById('form').submit()</script>


Existing Solutions

CSS and CSRF prevention

– User input validations

– HTML encoded characters

– Client IP Binding

– Session life time limitations

– Disable the client side script executions


CSRF Proposed Solution

• CSRF prevention approach:
– Use a secret XSRF token for each GET and POST request.
– Generate a unique XSRF secret token for every GET request.
– Maintain the XSRF token in form pages on the client side.
– Validate the secret XSRF token from the form POST data against the previously generated XSRF token on the server side.

<form action="fundTransfer.do" method="POST">
<input type="hidden" name="xsrfSecretToken" value="qiou3hkps986hn"/>
<input type="text" name="amount"/>
<input type="submit" value="Send">
</form>

Advantages:
– Unauthorized form submissions blocked.
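The token lifecycle described in the bullets, as an added Python example that is not the deck's own code: a GET issues a fresh secret token, stores it server-side and embeds it in the hidden field of the fundTransfer.do form shown above; the POST handler then validates the submitted token against the stored copy and refuses the transfer when it is missing or wrong, which is what stops a form submitted from another site without the token. The in-memory store class, the session ids, the handler names and the choice to consume a token after one successful validation are assumptions made here; the HTML-encoding of the value attribute follows the existing-solutions slide.

```python
import hmac
import html
import secrets


class XsrfTokenStore:
    """Server-side record of the tokens issued to each session (constructed
    in-memory store; the deck does not specify where tokens are kept)."""

    def __init__(self):
        self._tokens = {}  # session_id -> set of outstanding tokens

    def issue(self, session_id):
        """Generate a unique secret token for a GET that renders a form."""
        token = secrets.token_urlsafe(32)
        self._tokens.setdefault(session_id, set()).add(token)
        return token

    def validate(self, session_id, submitted):
        """Check a POSTed token against the ones issued to this session.
        Constant-time comparison; a token is consumed on success (assumption:
        one use per token), so a captured token cannot be replayed."""
        if not isinstance(submitted, str):
            return False
        outstanding = self._tokens.get(session_id, set())
        for token in outstanding:
            if hmac.compare_digest(token.encode(), submitted.encode()):
                outstanding.discard(token)
                return True
        return False


def render_transfer_form(store, session_id):
    """GET handler: embed the freshly issued token as the hidden field of the
    fund-transfer form from the slide. The value is HTML-encoded."""
    token = store.issue(session_id)
    return (
        '<form action="fundTransfer.do" method="POST">\n'
        '<input type="hidden" name="xsrfSecretToken" value="'
        + html.escape(token, quote=True) + '"/>\n'
        '<input type="text" name="amount"/>\n'
        '<input type="submit" value="Send">\n'
        '</form>'
    )


def handle_transfer_post(store, session_id, form):
    """POST handler: the transfer proceeds only when the token validates."""
    if not store.validate(session_id, form.get("xsrfSecretToken")):
        return (403, "XSRF token missing or invalid")
    return (200, "transferred " + form["amount"])


def extract_token(form_html):
    """What the legitimate page does: read the hidden field back out of the
    rendered form so the browser can include it in the POST."""
    marker = 'name="xsrfSecretToken" value="'
    start = form_html.index(marker) + len(marker)
    return form_html[start:form_html.index('"', start)]


def demo():
    """Legitimate submission, a submission with no token (a form posted from a
    page that never received one), and a replay of an already used token."""
    store = XsrfTokenStore()
    session = "sess-abc123"  # constructed session id
    token = extract_token(render_transfer_form(store, session))
    legit = handle_transfer_post(store, session,
                                 {"xsrfSecretToken": token, "amount": "10"})
    no_token = handle_transfer_post(store, session, {"amount": "10000"})
    replay = handle_transfer_post(store, session,
                                  {"xsrfSecretToken": token, "amount": "10"})
    return legit, no_token, replay


if __name__ == "__main__":
    for label, result in zip(("legit", "no token", "replay"), demo()):
        print(label, "->", result)
```

Tokens are bound to the session that requested the form, so a token issued to one session does not validate for another; validate() also never raises on a missing or malformed field, it simply fails closed.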


Instant Media --- An E-commerce Web Application

• An online marketplace e-commerce web application.

• Provides services to sell or buy soft copies online or offline.

• Supports messages, comments and reviews.

• Handles critical operations like buying and payment functionality.

• Showcases the application as vulnerable to CSRF and SQLIA threats.


Modules

• User signup and login process.

• Publish soft copy items.

• Purchase soft copies and payment transaction processing.

• Payment activity listing and search functionality.

• Messaging

• Account details maintenance


UML Designs


UML Designs contd…


Screen Captures

Screen Captures contd…

Search functionality prevented from SQLIA


Conclusion

• Vulnerabilities can result in unauthorized access by injecting malicious scripts.

• Most web security attacks target critical e-commerce web sites.

• Manual or automated inspections are required to validate the input submitted by end users.

• The suggested solution can prevent a greater number of CSRF and SQLIA threats.

• No compute overhead; a platform-independent and scalable solution for any web application.

• Need to address web site server attacks like web site crawling and hidden URL spawning activities.

• Need to be alert and keep up to date with the latest web application development technologies.


Thank You