web security
1
A SOLUTION FOR ATTACK VECTORS AGAINST WEB APPLICATIONS USING AJAX
2
ABSTRACT
Web applications are the predominant kind of application accessed over a network such as the
Internet. They are presentation-oriented: they generate interactive web pages containing various
types of markup (HTML, XML, and so on) and dynamic content in response to requests. With the heavy
traffic in today's web world, it is essential to address security concerns and prevention
approaches in order to protect web applications from cyber culprits. These applications are
increasingly the preferred targets of cyber criminals looking to profit from identity theft and
other illegal activities.
Modern tools and technologies such as AJAX are available to make web applications simple and
user friendly. AJAX web technology, by design, makes a number of calls to the web server to
process a single user request. As this increases session management vulnerabilities and the risk
of attackers gaining access to the many hidden URLs that are necessary for AJAX requests to be
processed, we need to provide high-end web security measures to protect web sites from these
vulnerabilities.
Web security is the act of protecting authorized users from malicious threats. The current solution
addresses the most common threats, such as CSS (Cross Site Scripting) at the client side and
SQL Injection.
3
INTRODUCTION
• A web application is a software application accessed by users over the Internet.
• Two variants:
– Static web sites
– Dynamic web applications
• Static web sites consist of content-oriented web pages, used for blogs and wiki sites.
• Dynamic web applications are interactive, more service-based applications containing stored and processed content.
• Developed using browser-supported scripting and markup languages on the client side and efficient server-side programming.
• Used for social network activity, e-commerce business applications, ...
4
5
WEB SECURITY
• Sensitive data is increasingly spread over the network.
• More vulnerabilities and security incidents are reported as data becomes widely available.
• Web applications should have control over
– Confidentiality
– Integrity
– Availability
– Authentication
– Authorization
• Common vulnerabilities
– SQL Injection Attacks
– CSRF (CSS variant) Attacks
6
SQL Injection Attack
• SQLIA is a server-side attack that manipulates content in the back-end database system.
• It embeds malformed query statements in input data and compromises the query execution process.
• Attacks against confidentiality, availability and integrity services.
• Unauthorized access to the database and attacks with malformed DML statements.
• Various SQL injection formats:
– Tautologies
  SELECT u.name FROM users u WHERE u.login='' OR 1=1 -- ' AND u.passwd=***
– UNION queries
  SELECT acct FROM users WHERE login='' UNION SELECT transaction FROM transactions WHERE acct_no=9012 -- ' AND passwd=****
– Piggy-back queries
  SELECT name FROM users WHERE login='xyz' AND passwd='***'; DROP TABLE system.users
7
SQL Injection Attack
8
SQLIA Existing Solutions
SQL Injection
• Syntax analysis and prevention.
• White-list and black-list patterns.
• Parameterized prepared statements with attributes.
9
SQLIA Proposed Solution
SQL Injection Attack prevention
– Encode and decode the crucial data.
– The encrypted data is persisted in the database system.
– The user's input data is encrypted before query processing.
– The critical data is decrypted on retrieval from the database.
Advantages:
– Malformed query formation is not possible.
– No query preprocessing or manual checks are required.
Disadvantages:
– Requires additional space to store cipher data instead of plain data.
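Added example, not code from the slides: the tautology and UNION formats from the SQL Injection Attack slide run against a constructed in-memory SQLite table, beside the two defences the deck lists, a parameterized prepared statement (existing solution) and encoding the crucial data before query processing (proposed solution). The encoding scheme is an assumption (hex), since the slides do not name one; what matters is that the encoded form contains only characters that cannot break out of a string literal.

```python
import sqlite3

def encode(value):
    # Stand-in for the deck's "encode/encrypt" step (assumption: hex encoding).
    # The stored and queried form contains only [0-9a-f], so quotes and
    # comment markers from raw input never reach the SQL parser.
    return value.encode("utf-8").hex()

def decode(stored):
    return bytes.fromhex(stored).decode("utf-8")

def make_db():
    # Constructed sample data: a plain table and its encoded twin.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, passwd TEXT, name TEXT)")
    db.execute("CREATE TABLE users_enc (login TEXT, passwd TEXT, name TEXT)")
    for row in [("xyz", "s3cret", "Xavier"), ("abc", "hunter2", "Alice")]:
        db.execute("INSERT INTO users VALUES (?, ?, ?)", row)
        db.execute("INSERT INTO users_enc VALUES (?, ?, ?)", tuple(map(encode, row)))
    return db

def login_concat(db, login, passwd):
    # Vulnerable: input spliced into the SQL text, as in the slide's examples.
    sql = "SELECT name FROM users WHERE login='%s' AND passwd='%s'" % (login, passwd)
    return [r[0] for r in db.execute(sql)]

def login_param(db, login, passwd):
    # Existing solution: parameterized prepared statement; input is data only.
    sql = "SELECT name FROM users WHERE login=? AND passwd=?"
    return [r[0] for r in db.execute(sql, (login, passwd))]

def login_encoded(db, login, passwd):
    # Proposed solution: encode input before query processing, decode on
    # retrieval. Still string-spliced, but the encoded literal cannot close
    # the quote. This only holds if nothing decodes before the query is built.
    sql = "SELECT name FROM users_enc WHERE login='%s' AND passwd='%s'" % (
        encode(login), encode(passwd))
    return [decode(r[0]) for r in db.execute(sql)]

if __name__ == "__main__":
    db = make_db()
    tautology = "' OR 1=1 --"  # the slide's tautology payload
    print("concat :", login_concat(db, tautology, "x"))   # every user leaks
    print("param  :", login_param(db, tautology, "x"))    # []
    print("encoded:", login_encoded(db, tautology, "x"))  # []
```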
10
SQLIA Proposed Solution
11
CSRF (Cross Site Request Forgery) Attack
• CSS (Cross Site Scripting) is a client-side script attack: scripts embedded in a page are executed on the client side.
• It captures cookies and hijacks legitimate users' sessions.
• CSRF is a typical CSS variant which sends unauthorized commands from a valid user to the server.
• Malicious scripts or URLs are embedded into blog contents or hidden in image tags.
  <img src="http://buggy-site.com/hacked"/>
• Attacks aim at identity theft and cheating business transactions.
• Unauthorized posting of crucial form data.
  <script>document.getElementById('form').submit()</script>
12
Existing Solutions
CSS and CSRF prevention
– User input validation
– HTML encoding of characters
– Client IP binding
– Session lifetime limitations
– Disabling client-side script execution
13
CSRF Proposed Solution
• CSRF prevention approach
– Use a secret XSRF token for each GET and POST request.
– Generate a unique XSRF secret token for every GET request.
– Maintain the XSRF token in form pages on the client side.
– Validate the secret XSRF token from the form POST data against the previously generated XSRF token on the server side.
<form action="fundTransfer.do" method="POST">
  <input type="hidden" name="xsrfSecretToken" value="qiou3hkps986hn"/>
  <input type="text" name="amount"/>
  <input type="submit" value="Send">
</form>
Advantages:
– Unauthorized form submissions are blocked.
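Added example, not the project's own code: the four steps of the CSRF prevention approach above for the fundTransfer.do form, with a token issued on the GET that renders the form and validated (and consumed) on the POST. The in-memory session store and the session id strings are constructed for the example.

```python
import hmac
import secrets
from html import escape

# Constructed in-memory session store: session id -> outstanding XSRF tokens.
SESSIONS = {}

def issue_token(session_id):
    # On the GET that renders the form: one fresh, unguessable token per page.
    token = secrets.token_hex(16)
    SESSIONS.setdefault(session_id, set()).add(token)
    return token

def render_transfer_form(session_id):
    # The slide's fundTransfer.do form, with the token carried in a hidden field.
    token = issue_token(session_id)
    return "\n".join([
        '<form action="fundTransfer.do" method="POST">',
        '  <input type="hidden" name="xsrfSecretToken" value="%s"/>' % escape(token),
        '  <input type="text" name="amount"/>',
        '  <input type="submit" value="Send"/>',
        "</form>",
    ])

def validate_token(session_id, submitted):
    # On the POST: constant-time compare against tokens issued to this session,
    # then consume the token so a replayed or duplicated form is rejected.
    if not isinstance(submitted, str):
        return False
    for token in list(SESSIONS.get(session_id, ())):
        if hmac.compare_digest(token.encode(), submitted.encode()):
            SESSIONS[session_id].discard(token)
            return True
    return False

def handle_fund_transfer(session_id, form):
    # Server side of fundTransfer.do: reject before touching business logic.
    if not validate_token(session_id, form.get("xsrfSecretToken")):
        return 403, "XSRF token missing or invalid"
    return 200, "transferred %s" % form.get("amount")

if __name__ == "__main__":
    page = render_transfer_form("sess-1")
    token = page.split('value="')[1].split('"')[0]  # what the browser would send back
    print(handle_fund_transfer("sess-1", {"xsrfSecretToken": token, "amount": "10"}))
    print(handle_fund_transfer("sess-1", {"amount": "10"}))  # forged: no token
```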
14
CSRF Proposed Solution
15
Instant Media --- An E-commerce Web Application
• An online marketplace e-commerce web application.
• Provides services to sell or buy soft copies online or offline.
• Supports messages, comments and reviews activity.
• Handles critical operations like buying and payment functionality.
• The application is showcased as vulnerable to CSRF and SQLIA threats.
16
Modules
• User signup and login process.
• Publish soft copy items.
• Purchase soft copies and payment transaction processing.
• Payment activity listing and search functionality.
• Messaging
• Account details maintenance
17
UML Designs
18
UML Designs contd…
19
Screen Captures
20
Screen Captures contd…
21
Screen Captures contd…
22
Screen Captures contd…
23
Screen Captures contd…
Search functionality protected from SQLIA
24
Conclusion
• Vulnerabilities can result in unauthorized access by injecting malicious scripts.
• Most web security attacks target critical e-commerce web sites.
• Manual or automated inspections are required to validate the input submitted by end users.
• The suggested solution can prevent a larger number of CSRF and SQLIA threats.
• No compute overhead; a platform-independent and scalable solution for any web application.
• Web site server attacks such as web site crawling and hidden URL spawning activities still need to be addressed.
• Stay alert and keep up to date with the latest web application development technologies.
25
26
Thank You