AN E-GOVERNANCE WEB SECURITY AUDIT

Deven Pandya 1, Dr. N. J. Patel 2
1 Research Scholar, Department of Computer Application
2 HOD, Department of Computer Application, Ganpat University
Kherva, Gujarat, India

ABSTRACT: Web security is an important aspect of E-Governance, since the Government provides services to citizens and manages all transactions through web portals developed for this purpose. Citizens' trust and the privacy of data are key factors in the success of E-Governance. Vulnerabilities in E-Governance web applications lead to breaches of citizens' trust and privacy. Government sites, although they have passed through security audit procedures, still contain residual vulnerabilities that invite threats such as denial of service, password cracking, SQL injection and cross site scripting. This paper discusses and analyses the vulnerabilities found in 26 selected E-Governance websites/web applications, representing 26 out of 27 Departments in the State of Gujarat, India. The paper depicts the major vulnerabilities, their severity level and their impact on the information resource. Overall, the paper helps us to understand web security in the Gujarat E-Governance context.

Keywords: Information Security, Web Security, Vulnerability, Security Audit, E-Governance

[1] INTRODUCTION

E-Governance is the application of Information and Communication Technology (ICT) for providing government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between Government-to-Citizens (G2C), Government-to-Business (G2B) and Government-to-Government (G2G), as well as back office procedures and communications within the entire government framework [1].

Information security, sometimes abbreviated to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, alteration, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g.
electronic, physical) [2].

Information security is important for successful E-Governance implementation. Maintaining the privacy and security of the personal data that an individual provides to obtain government services is a severe hindrance in implementing E-Governance [3]. Apart from E-Government implementation, effective information security is important from a State and National security perspective. Threats such as cyber terrorism, hackers, and Advanced Persistent Threats that apply spear-phishing to target a specific individual or small group of people within a Government organization in order to obtain sensitive information are a major source of concern for any Government agency. Figure 1 depicts some of the recent Government website hacking news reported by media.

In India, it is mandatory for each Government website/web
application to undergo a security audit by enlisted agencies and to clear it before hosting and after the addition of a new module. Apart from this, each Department must formulate a security policy to address various security issues related to its website/web application [4]. The Government of Gujarat has also made a security audit compulsory for all organizations on each instance of website update or every six months, whichever is earlier, through security auditors enlisted by Computer Emergency Response Team India [5].

Figure 1. A Govt. website hacking news in Media

[2] WEB SECURITY AUDIT

Vulnerability scanners are effective tools for web security auditing and for finding vulnerabilities in a web application or website. We used the Acunetix web vulnerability scanner for the web security audit. A total of 26 websites/web applications pertaining to 26 out of 27 Departments of the Government of Gujarat were surveyed and scanned for vulnerabilities. According to the 2013/2014 Web Application Vulnerability Scanners Benchmark [6], Acunetix is confirmed as one of the leaders in web application scanning, with 100% detection accuracy and 0% false positives for Reflected Cross-Site Scripting and SQL Injection vulnerabilities, together with a leading WIVET (Web Input Vector Extractor Teaser) assessment score.

WIVET is a project that measures how well a scanner is able to crawl an application and how well it can find input vectors, by presenting a collection of challenges that contain links, parameters and input delivery methods that the crawling process should locate and extract [7].

The websites/web applications were chosen so that they represent each Department listed on the official website of the Government of Gujarat [8]. The websites/web applications within a department were selected from three sources:

1. The E-Governance coffee table book published by the Science and Technology Department, Government of Gujarat
2. The NIC Gujarat official website [9]
3. Random selection, in case a website/web application is not listed in 1 or 2

The websites/web applications were scanned for parameters such as Vulnerability, Vulnerability severity, Vulnerability type, Asset information and Threat impact. A detailed analysis was conducted to evaluate E-Governance web security in Gujarat.
[3] WEB SECURITY ANALYSIS

We have categorized vulnerability severity into four levels, High-H, Medium-M, Low-L and Informational-I, according to the likelihood that a malicious user can actually exploit the vulnerability and cause harm to the website/web application. Table 1 depicts the vulnerabilities found in E-Governance websites/web applications in Gujarat. The other parameters shown in the table are the severity level and the impact on the information security attributes Confidentiality-C, Integrity-I and Availability-A. The percentage column gives the share of websites/web applications in which the vulnerability was found. In each severity level group we have chosen the vulnerabilities present in more than 10% of websites/web applications.

Table 1. Vulnerability Severity and Impact on CIA

SR. No  Vulnerability                                                   Severity Level  Impact on CIA  % Website
V1      Cross Site Scripting                                            H               C, I           33.33%
V2      Proxy accepts CONNECT requests                                  H               C              26.67%
V3      ASP.NET Padding Oracle Vulnerability                            H               C, I           13.33%
V4      Microsoft IIS tilde directory enumeration                       H               C              13.33%
V5      Application error message                                       M               C              24.39%
V6      HTML form without CSRF Protection - Cross Site Request Forgery  M               C, I           17.07%
V7      User credentials are sent in clear text                         M               C              14.63%
V8      ASP.NET error message                                           M               C              12.20%
V9      Session Cookie without Secure flag set                          L               C              25.00%
V10     OPTIONS method is enabled                                       L               C              15.63%
V11     Broken Links                                                    I                              20.00%
V12     Password type input with autocomplete enabled                   I               C              17.50%
V13     Typical login page                                              I               C              13.89%
V14     Possible internal IP address disclosure                         I               C              12.50%
V15     Error page Web Server version disclosure                        I               C              11.11%

As shown in Chart 1, among the high severity group vulnerabilities V1 appeared in 33.33% of websites/web applications and V2 in 26.67%, followed by V3 and V4, found in 13.33% of sites each.

V1 - Cross Site Scripting (XSS) is a vulnerability which allows an attacker to send harmful code to another user.
Since the user's browser cannot distinguish trusted from non-trusted scripts, it allows the harmful script to run in the user's context and gain unauthorized access to the session or cookies that the browser retains. The possible impact of V1 is theft of the session cookie and takeover of the account, impersonating the user to gain unauthorized access. V1 mainly affects the Confidentiality and Integrity of the information resource. The possible prevention is careful coding: since XSS flaws can be difficult to identify, the best way to find them is to perform a security scan of the code and search for all places where input from an HTTP request could
possibly end up in the HTML output [10].

V2 - Proxy accepts CONNECT requests is a vulnerability that may allow an attacker to bypass the firewall and connect to arbitrary ports such as 23 (telnet) or 25 (sendmail) using the proxy. It allows possible information disclosure and affects the confidentiality of the information resource. The solution to this vulnerability is to change the proxy configuration so that it denies CONNECT requests generated by non-valid users or hosts [11].

V3 - ASP.NET Padding Oracle Vulnerability arises from the fact that ASP.NET uses encryption to hide sensitive data; however, a vulnerability in the ASP.NET encryption implementation allows an attacker to decrypt and tamper with data or files such as view state data or the web.config file on the target server. V3 exists in all versions of ASP.NET. V3 affects the confidentiality and integrity of the website through unauthorized information disclosure and modification of data. Microsoft Security Bulletin MS10-070 provides a patch and a workaround to prevent this vulnerability from being exploited [12].

V4 - Microsoft IIS tilde directory enumeration is a vulnerability in which it is possible to identify the short names of files and directories that have an 8.3 file naming scheme, as used by Windows, by requesting certain paths in several versions of Microsoft IIS. This vulnerability allows sensitive information disclosure and affects the confidentiality of the information resource. To avoid it, it is recommended to deploy IIS with 8.3 names disabled [13] [14] [15].

Chart 1. Vulnerability with Severity Group

From Chart 1, among the medium severity group, vulnerability V5 - Application error message scores highest with 24.39%, followed by V6 - Cross Site Request Forgery with 17.07%
and V7 - User credentials are sent in clear text with 14.63% and V8 - ASP.NET error message with 12.20% website count.

Under the V5 vulnerability, a page containing an error/warning message may disclose sensitive information. This sensitive information can be used by an attacker to launch further attacks on the target website. Since V5 discloses sensitive information, it affects the confidentiality attribute of the CIA triad. The solution to this vulnerability is to rewrite code that displays wordy error messages containing sensitive information so that it shows simple error messages instead, and to avoid including file locations, system information, user account information etc. in error messages [16] [17].

V6 - Cross-Site Request Forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is an attack which forces an end user to execute undesirable actions on a web application in which they are currently authenticated. CSRF specifically acts on state-changing requests such as transferring funds or changing the user's email address. In a CSRF attack using social engineering, an attacker may trick the users of a web application into performing actions of the attacker's choosing. A successful CSRF attack may result in a state-changing request for a normal user, or it can compromise the entire application if the victim is an administrative account [18]. CSRF can affect the confidentiality and integrity of the information resource. The most popular prevention available against CSRF is appending a challenge token to each request. An important point in using a token is that it must be associated with the user session; otherwise an attacker may be able to fetch a valid token and use it for the attack. Apart from the user session association, it is essential that the token is valid for a limited time period only [19].

V7 - User credentials are sent in clear text is a vulnerability that affects confidentiality, since user credentials are transmitted over an unencrypted channel.
User credentials should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users.

Under the V8 - ASP.NET error message vulnerability, an attacker can possibly generate an ASP.NET error message by requesting a specially crafted URL. The message contains the complete stack trace and the Microsoft .NET Framework version. The error messages may reveal sensitive information, which can be used to launch further attacks. The V8 vulnerability affects the confidentiality of the information resource. It can be prevented by adjusting web.config to enable custom errors for remote clients. Set the customErrors mode to Off or RemoteOnly.

We have identified two vulnerabilities under the low severity group and five vulnerabilities under the informational severity group. These groups are comparatively less harmful than the medium and high severity groups. As per Chart 1, in the low severity group V9 - Session Cookie without Secure flag set scores highest with 25.00%, followed by V10 - OPTIONS method is enabled with 15.63%.

V9 - Session Cookie without Secure flag set may affect confidentiality, since the cookie can be accessed over non-secure channels. When the Secure flag is set for cookies, the browser allows the cookies to be accessed over secure SSL channels only. It is an important security protection for the session cookie. To protect the session cookie we should set the Secure flag for the cookie.

V10 - OPTIONS method is enabled indicates that the HTTP OPTIONS method is enabled on the web server. Enabling this method on the web server provides a list of the methods that the web server supports. The OPTIONS method may expose sensitive information that may help a malicious user to prepare more advanced attacks. As prevention, it is recommended to disable the OPTIONS method on the web server. It affects the confidentiality of the information resource.
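The two requirements stated for the V6 challenge token, binding to the user session and a limited validity period, can be met with a keyed MAC over the session identifier and the issue time. The following is an added example, not code from the paper or from any audited site; the function names, the 15-minute lifetime and the sample handler are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Server-side secret (constructed here; a deployment generates it once and
# keeps it out of the source tree).
SERVER_KEY = secrets.token_bytes(32)
TOKEN_LIFETIME = 900  # seconds a token stays valid (assumed value)


def _sign(session_id, issued_at, nonce):
    # The MAC covers the session id, so a token is useless in any other session.
    msg = f"{session_id}|{issued_at}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, now=None):
    """Create a token for one session; embed it in every state-changing form."""
    issued_at = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    return f"{issued_at}.{nonce}.{_sign(session_id, issued_at, nonce)}"


def verify_token(token, session_id, now=None):
    """Accept only a well-formed, untampered, unexpired token of this session."""
    now = int(time.time()) if now is None else now
    try:
        issued_str, nonce, mac = token.split(".")
        issued_at = int(issued_str)
    except ValueError:
        return False  # missing or malformed token
    expected = _sign(session_id, issued_at, nonce)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False  # issued to a different session, or modified
    return 0 <= now - issued_at <= TOKEN_LIFETIME


def handle_email_change(session_id, form, now=None):
    """Hypothetical state-changing handler: returns an HTTP status code."""
    if not verify_token(form.get("csrf_token", ""), session_id, now):
        return 403
    return 200


if __name__ == "__main__":
    tok = issue_token("sess-A")
    print(handle_email_change("sess-A", {"csrf_token": tok}))  # same session
    print(handle_email_change("sess-B", {"csrf_token": tok}))  # other session
```

A token fetched in one session fails verification in another because the session identifier is part of the signed message, and an old token fails on the age check even though its MAC is still valid.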
Under the informational severity group, V11 - Broken links refers to any link that should take you to a document, image or webpage but actually results in an error. The page was linked from the website but it is inaccessible. The only problem with V11 is that it affects navigation in the website. To overcome this, either remove the links to the file or make it accessible.

In V12 - Password type input with autocomplete enabled, when a new name and password are entered in a form and the form is submitted, the browser asks whether the password should be saved. Thereafter, when the form is displayed, the name and password are filled in automatically or are completed as the
name is entered. An attacker with local access could obtain the clear text password from the browser cache. V12 affects confidentiality due to possible sensitive information disclosure. To prevent V12, password autocomplete should be disabled in sensitive applications.

V13 - Typical login page is a vulnerability listed in the Google Hacking Database (GHDB) under the category "Pages containing login portals". These login pages are front doors to the websites and can reveal the operating system and software of a target [20]. It affects the confidentiality of the information resource.

V14 - Possible internal IP address disclosure is a vulnerability that reveals the internal network IP address scheme, which might be used by an attacker to launch further attacks. This vulnerability discloses sensitive information and affects the confidentiality of the information resource. It can be prevented by not allowing internal IP addresses to be displayed to the user.

In vulnerability V15 - Error page Web Server version disclosure, requesting a page that does not exist returned an error page. This error page contains the web server version number and a list of the modules enabled on the server. This information can be used to conduct further attacks. V15 affects the confidentiality of the information resource due to disclosure of sensitive information. It can be prevented by setting up a custom 404 error page for a website hosted on an Apache server [21].

[6] CONCLUSION

Web security is crucial for E-Governance website/web application projects, since citizens' trust and the privacy of data are key factors in the success of E-Governance. Although it is mandatory for all Government organizations to host their websites/web applications in the public domain only after a proper security audit, it is evident from the analysis that high impact vulnerabilities such as Cross Site Scripting and Proxy accepts CONNECT requests appeared in more than 26% of websites/web applications.
High impact vulnerabilities such as ASP.NET Padding Oracle Vulnerability and Microsoft IIS tilde directory enumeration appeared in more than 13% of websites/web applications. Medium impact vulnerabilities such as cross site request forgery and user credentials sent in clear text appeared in more than 14% of websites/web applications. These vulnerabilities mainly affect the confidentiality and integrity of the information resource. Regular auditing of websites/web applications is required to remove or restrain the constantly emerging threats and to keep E-Governance services secure and safe.
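Findings V9, V10, V14 and V15 from Table 1 can each be recognised from a single HTTP response, which makes them easy to re-check between formal audits. The following is an added example, not code from the paper or from Acunetix; the function names, regular expressions and sample responses are assumptions constructed for illustration.

```python
import re

# RFC 1918 private ranges (V14) and a server product/version banner (V15).
PRIVATE_IP = re.compile(
    r"\b(?:10(?:\.\d{1,3}){3}|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2}"
    r"|192\.168(?:\.\d{1,3}){2})\b")
SERVER_VERSION = re.compile(r"\b(?:Apache|Microsoft-IIS|nginx)/\d+(?:\.\d+)+")


def parse_response(raw):
    """Split a raw HTTP response into (status, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def audit_response(method, raw):
    """Return the Table 1 finding ids (V9, V10, V14, V15) seen in one response."""
    status, headers, body = parse_response(raw)
    found = set()
    for name, value in headers:
        if name == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                found.add("V9")    # cookie would also travel over plain HTTP
        if method == "OPTIONS" and status == 200 and name in ("allow", "public"):
            found.add("V10")       # server answers OPTIONS with its method list
        if PRIVATE_IP.search(value):
            found.add("V14")       # internal address in a header
    if PRIVATE_IP.search(body):
        found.add("V14")           # internal address in the page itself
    if status >= 400 and SERVER_VERSION.search(body):
        found.add("V15")           # version banner on the error page
    return sorted(found, key=lambda v: int(v[1:]))


# Constructed sample responses (not taken from any audited site).
LOGIN_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                  "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n\r\n"
                  "<html>login</html>")
OPTIONS_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n\r\n")
NOT_FOUND_RESPONSE = ("HTTP/1.1 404 Not Found\r\n\r\n"
                      "<address>Apache/2.2.22 (Ubuntu) Server at 192.168.10.5 "
                      "Port 80</address>")
HARDENED_RESPONSE = ("HTTP/1.1 404 Not Found\r\n"
                     "Set-Cookie: ASP.NET_SessionId=abc123; path=/; Secure; HttpOnly"
                     "\r\n\r\n<html>Page not found</html>")

if __name__ == "__main__":
    for m, r in [("GET", LOGIN_RESPONSE), ("OPTIONS", OPTIONS_RESPONSE),
                 ("GET", NOT_FOUND_RESPONSE), ("GET", HARDENED_RESPONSE)]:
        print(m, audit_response(m, r))
```

The hardened response shows the state the paper recommends: a Secure session cookie and a custom error page that carries neither a version banner nor an internal address.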
REFERENCES

[1] "E-Governance Definition," Wikipedia, [Online]. Available: http://en.wikipedia.org/wiki/e-governance.
[2] "Information Security Definition," Wikipedia, [Online]. Available: http://en.wikipedia.org/wiki/information_security. [Accessed January 2015].
[3] P. Mittal and A. Kaur, "E-Governance - A challenge for India," International Journal of Advanced Research in Computer Engineering & Technology (IJARCET), vol. 2, no. 3, March 2013.
[4] "Guidelines for Indian Government Websites," Department of Administrative Reforms and Public Grievances, Government of India, 2009.
[5] "Guidelines for Registration, Hosting and periodic security audit of Government Websites," Science and Technology Department of Government of Gujarat, Gandhinagar, 2014.
[6] S. Chen, "Security Tools Benchmarking," [Online]. Available: http://sectooladdict.blogspot.in/2014/02/wavsep-web-application-scanner.html.
[7] "Web Application Scanner Comparison," Acunetix, [Online]. Available: https://www.acunetix.com/blog/news/acunetix-comparison-web-application-scanners/.
[8] "Government of Gujarat Official Website," Government of Gujarat, [Online]. Available: http://gujaratindia.com.
[9] "NIC Gujarat," National Informatics Center Gujarat, [Online]. Available: http://guj.nic.in/.
[10] "OWASP-Cross Site Scripting," Open Web Application Security Project, [Online]. Available: https://www.owasp.org/index.php/cross_site_scripting.
[11] "Proxy Accepts Connect Requests," Acunetix, [Online]. Available: http://www.acunetix.com/vulnerabilities/web/proxy-accepts-connect-requests.
[12] "MS10-070 Patch," Microsoft Corporation, [Online]. Available: https://technet.microsoft.com/library/security/ms10-070.
[13] "IIS ShortName Scanner," GitHub, Inc., [Online]. Available: https://github.com/irsdl/iis-ShortName-Scanner.
[14] "Microsoft IIS tilde vulnerability," Detectify, [Online]. Available: http://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tildevulnerability.
[15] "Microsoft_IIS_Tilde_Character_Vulnerability," [Online]. Available: http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf.
[16] "Security Innovation Appsec. Blog," Security Innovation, Inc., [Online]. Available: http://web.securityinnovation.com/appsec-weekly/blog/bid/89728/prevent-information-Disclosure-in-Error-Messages.
[17] "Common Weakness Enumeration Community Dictionary," MITRE Corporation, [Online]. Available: https://cwe.mitre.org/data/definitions/209.html.