AN E-GOVERNANCE WEB SECURITY AUDIT
Deven Pandya 1, Dr. N. J. Patel 2
1 Research Scholar, Department of Computer Application


2 HOD, Department of Computer Application, Ganpat University, Kherva, Gujarat, India

ABSTRACT: Web security is an important aspect of E-Governance, since Government provides services to citizens and manages all transactions through web portals developed for this purpose. Citizens' trust and the privacy of their data are key factors in E-Governance success. Vulnerabilities in E-Governance web applications lead to a breach of that trust and privacy. Government sites, although they have passed through security audit procedures, still contain residual vulnerabilities which invite threats like denial of service, password cracking, SQL injection and cross-site scripting. This paper discusses and analyses the vulnerabilities found in 26 selected E-Governance websites/web applications, representing 26 out of 27 Departments in the State of Gujarat, India. The paper depicts the major vulnerabilities, their severity level and their impact on the information resource. Overall, the paper helps us to understand web security in the Gujarat E-Governance context.

Keywords: Information Security, Web Security, Vulnerability, Security Audit, E-Governance

[1] INTRODUCTION

E-Governance is the application of Information and Communication Technology (ICT) for providing government services, exchange of information and communication transactions, integration of various stand-alone systems and services between Government-to-Citizens (G2C), Government-to-Business (G2B) and Government-to-Government (G2G), as well as back-office procedures and communications within the entire government framework [1]. Information security, sometimes abbreviated to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, alteration, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical) [2]. Information security is important for successful E-Governance implementation. Maintaining the privacy and security of the personal data that an individual provides to obtain government services is a severe hindrance in implementing e-governance [3]. Apart from E-Government implementation, effective information security is important from the State and National security perspective. Threats like cyber terrorism, hackers and Advanced Persistent Threats applying spear-phishing, targeting a specific individual or small group of people within a Government organization to obtain sensitive information, are the major source of concern for any Government agency. Figure 1 depicts some of the recent Government website hacking news reported by the media. In India, it is mandatory for each Government website/web application to undergo a security audit from enlisted agencies and clear it before hosting and after the addition of a new module. Apart from this, each Department must formulate a security policy to address the various security issues related to the website/web application [4]. The Government of Gujarat has also made a security audit compulsory on each instance of website update or every six months, whichever is earlier, for all organizations, through Computer Emergency Response Team India enlisted security auditors [5].

Figure 1. A Govt. website hacking news in Media

[2] WEB SECURITY AUDIT

Vulnerability scanners are effective tools for web security auditing and for finding vulnerabilities in a web application or website. We have utilized the Acunetix web vulnerability scanner for the web security audit. In total, 26 websites/web applications pertaining to 26 out of 27 Departments of the Government of Gujarat were surveyed and scanned for vulnerabilities. According to the 2013/2014 Web Application Vulnerability Scanners Benchmark [6], Acunetix is confirmed as one of the leaders in web application scanning, with 100% detection accuracy and 0% false positives for Reflected Cross-Site Scripting and SQL Injection vulnerabilities, together with a leading WIVET (Web Input Vector Extractor Teaser) assessment score. WIVET is a project that measures how well a scanner is able to crawl an application and how well it can find input vectors, by presenting a collection of challenges that contain links, parameters and input delivery methods that the crawling process should locate and extract [7]. The websites/web applications were chosen in such a way that they represent each Department listed on the official website of the Government of Gujarat [8]. The website/web application within each Department was selected from three sources:
1. the E-Governance Coffee Table Book published by the Science and Technology Department, Government of Gujarat;
2. the NIC Gujarat official website [9];
3. random selection, in case the website/web application was not listed in 1 or 2.
The websites/web applications were scanned for parameters like vulnerability, vulnerability severity, vulnerability type, asset information and threat impact. A detailed analysis has been conducted to evaluate E-Governance web security in Gujarat.

[3] WEB SECURITY ANALYSIS

We have categorized vulnerability severity into four levels, High (H), Medium (M), Low (L) and Informational (I), according to the likelihood that a malicious user can actually exploit the vulnerability and cause harm to the website/web application. Table 1 depicts the vulnerabilities found in E-Governance websites/web applications in Gujarat. The other parameters depicted in the table are the severity level and the impact on the information security attributes Confidentiality (C), Integrity (I) and Availability (A). The percentage column depicts the proportion of websites/web applications in which the vulnerability was found. In each severity level group we have chosen vulnerabilities present in more than 10% of websites/web applications.

Table 1. Vulnerability Severity and Impact on CIA

Sr. No | Vulnerability | Severity Level | Impact on CIA | % Websites
V1 | Cross Site Scripting | H | C, I | 33.33%
V2 | Proxy accepts CONNECT requests | H | C | 26.67%
V3 | ASP.NET Padding Oracle Vulnerability | H | C, I | 13.33%
V4 | Microsoft IIS tilde directory enumeration | H | C | 13.33%
V5 | Application error message | M | C | 24.39%
V6 | HTML form without CSRF protection (Cross Site Request Forgery) | M | C, I | 17.07%
V7 | User credentials are sent in clear text | M | C | 14.63%
V8 | ASP.NET error message | M | C | 12.20%
V9 | Session cookie without Secure flag set | L | C | 25.00%
V10 | OPTIONS method is enabled | L | C | 15.63%
V11 | Broken links | I | - | 20.00%
V12 | Password type input with autocomplete enabled | I | C | 17.50%
V13 | Typical login page | I | C | 13.89%
V14 | Possible internal IP address disclosure | I | C | 12.50%
V15 | Error page web server version disclosure | I | C | 11.11%

As shown in Chart 1, among the High severity group V1 appeared in 33.33% of websites/web applications, while V2 appeared in 26.67%, followed by V3 and V4, found in 13.33% of sites each.

V1 - Cross Site Scripting (XSS) is a vulnerability which allows an attacker to send harmful code to another user. Since the user's browser cannot distinguish trusted from non-trusted scripts, it allows the harmful script to run in the user's context and gain unauthorized access to the session or cookies that the browser retains. The possible impact of V1 is stealing the session cookie and taking over the account, impersonating the user to gain unauthorized access. V1 mainly affects the Confidentiality and Integrity of the information resource. The possible prevention is careful coding; since XSS flaws can be difficult to identify, the best way to find them is to perform a security scan of the code and search for all places where input from an HTTP request could probably end up in the HTML output [10].

V2 - Proxy accepts CONNECT requests may allow an attacker to bypass the firewall and connect to arbitrary ports like 23 (telnet) or 25 (sendmail) through the proxy. The solution to this vulnerability is changing the proxy configuration to deny CONNECT requests generated by non-valid users or hosts. It allows possible information disclosure and affects the confidentiality of the information resource [11].

V3 - ASP.NET Padding Oracle Vulnerability stems from the fact that ASP.NET uses encryption to hide sensitive data; however, a vulnerability in the ASP.NET encryption implementation allows an attacker to decrypt and tamper with data or files, like view state data or the web.config file, on the target server. V3 exists in all versions of ASP.NET. V3 affects the confidentiality and integrity of the website due to unauthorized information disclosure and modification of data. As per Microsoft Security Bulletin MS10-070, Microsoft has issued patch MS10-070 and a workaround to prevent this vulnerability from being exploited [12].

V4 - Microsoft IIS tilde directory enumeration is a vulnerability where it is possible to identify the short names of files and directories which have an 8.3 file naming scheme, as in Windows, by using certain paths in several versions of Microsoft IIS. This vulnerability allows sensitive information disclosure and affects the confidentiality of the information resource. To avoid it, it is recommended to deploy IIS with 8.3 names disabled [13] [14] [15].

Chart 1. Vulnerability with Severity Group

From Chart 1, among the Medium severity group, V5 - Application error message scores highest with 24.39%, followed by V6 - Cross Site Request Forgery with 17.07%, V7 - User credentials are sent in clear text with 14.63% and V8 - ASP.NET error message with 12.20% website count.

V5 - Under this vulnerability, a page carrying an error/warning message may disclose sensitive information. This sensitive information can be utilized by an attacker to launch further attacks on the target website. Since V5 discloses sensitive information, it affects the confidentiality attribute of the CIA triad. The solution is to rewrite the code that displays wordy error messages containing sensitive information so that it shows new, simple error messages, and to avoid including file locations, system information, user account information etc. in error messages [16] [17].

V6 - Cross-Site Request Forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is an attack which forces an end user to execute undesirable actions on a web application in which they are currently authenticated. CSRF specifically acts on state-changing requests like transferring funds, changing the user's email address etc. In a CSRF attack using social engineering, an attacker may trick the users of a web application into performing actions of the attacker's choosing. A successful CSRF may result in a state-changing request for a normal user, or it can compromise the entire application if the victim is an administrative account [18]. CSRF can affect the confidentiality and integrity of the information resource. The most popular prevention against CSRF is appending a challenge token to each request. An important point in using the token is that it must be associated with the user session, otherwise an attacker may be able to fetch a valid token and utilize it for the attack. Apart from the user session association, it is essential that the token is valid for a limited time period only [19].

V7 - User credentials are sent in clear text affects confidentiality, since user credentials are transmitted over an unencrypted channel. User credentials should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users.

V8 - Under the ASP.NET error message vulnerability, an attacker can possibly generate an ASP.NET error message by requesting a specially crafted URL. The message contains the complete stack trace and the Microsoft .NET Framework version. The error messages may reveal sensitive information, which can be used to launch further attacks. V8 affects the confidentiality of the information resource. It can be prevented by adjusting web.config to enable custom errors for remote clients: set customErrors mode to Off or RemoteOnly.

We have identified two vulnerabilities under the Low severity group and five under the Informational severity group. These groups are comparatively less harmful than the Medium and High severity groups. As per Chart 1, in the Low severity group V9 - Session cookie without Secure flag set scores highest with 25.00%, followed by V10 - OPTIONS method is enabled with 15.63%.

V9 - A session cookie without the Secure flag may affect confidentiality, since the cookie can be accessed over non-secure channels. When the Secure flag is set on a cookie, the browser allows the cookie to be sent over secure SSL channels only. It is an important security protection for the session cookie. To protect the session cookie we should set the Secure flag on it.

V10 - OPTIONS method is enabled indicates that the HTTP OPTIONS method is enabled on the web server. Enabling this method on the web server provides a list of the methods that the web server supports. The OPTIONS method may expose sensitive information that may help a malicious user to prepare more advanced attacks. As prevention, it is recommended to disable the OPTIONS method on the web server. It affects the confidentiality of the information resource.
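The two coding controls described above for V1 (encode untrusted request input before it reaches the HTML output) and V6 (a challenge token bound to the user session and valid only for a limited time) can be shown together in a few lines. The Python below is an added illustration and is not code from the paper or from the Acunetix scanner it used; the server secret, the session identifiers and the 15-minute token lifetime are assumed values chosen for the example.

```python
# Added example (not from the paper): output encoding for V1 and a
# session-bound, time-limited CSRF token for V6. The secret, session ids
# and lifetime below are assumed values for illustration.
import hashlib
import hmac
import html
import secrets
import time
from typing import Optional

SERVER_SECRET = b"constructed-example-secret-rotate-in-production"  # assumption: never leaves the server
TOKEN_LIFETIME_SECONDS = 15 * 60  # assumption: a 15-minute validity window


def render_unsafe(name: str) -> str:
    """The V1 flaw: request input concatenated straight into HTML."""
    return "<p>Welcome, " + name + "</p>"


def render_safe(name: str) -> str:
    """The fix: encode for the HTML text context before output.
    quote=True also encodes quote characters, so the same helper is safe
    inside a double-quoted attribute value."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def make_csrf_token(session_id: str, now: Optional[float] = None) -> str:
    """Token layout: issued_at.nonce.hmac(secret, session_id|issued_at|nonce).
    The HMAC covers the session id, so a token lifted from another session
    fails verification; issued_at lets the server refuse stale tokens."""
    issued_at = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_SECRET, f"{session_id}|{issued_at}|{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{issued_at}.{nonce}.{mac}"


def verify_csrf_token(token: str, session_id: str, now: Optional[float] = None) -> bool:
    """True only if the token is well formed, not expired, not post-dated and
    bound to this session. The MAC comparison is constant-time."""
    current = time.time() if now is None else now
    try:
        issued_str, nonce, mac = token.split(".")
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > current or current - issued_at > TOKEN_LIFETIME_SECONDS:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}|{issued_at}|{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print(render_unsafe(payload))  # the script tag lands in the page unchanged
    print(render_safe(payload))    # &lt;script&gt; is inert text
    token = make_csrf_token("session-A")
    print(verify_csrf_token(token, "session-A"))  # True: right session, still fresh
    print(verify_csrf_token(token, "session-B"))  # False: bound to session-A
```

The token carries its own issue time and nonce, so the server needs no per-token storage; the session binding is what defeats the "fetch a valid token and reuse it" case the paper warns about, and the lifetime check limits how long a leaked token remains useful.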
Under the Informational severity group, V11 - Broken links refers to any link that should take you to a document, image or web page but actually results in an error. The page was linked from the website but is inaccessible. The only problem with V11 is that it affects navigation in the website. To overcome it, either remove the links to this file or make it accessible.

V12 - Password type input with autocomplete enabled: when a new name and password are entered in a form and the form is submitted, the browser asks if the password should be saved. Thereafter, when the form is displayed, the name and password are filled in automatically or are completed as the name is entered. An attacker with local access could obtain the clear text password from the browser cache. V12 affects confidentiality due to possible sensitive information disclosure. To prevent V12, password autocomplete should be disabled in sensitive applications.

V13 - Typical login page is a vulnerability listed in the Google Hacking Database (GHDB) under the category "Pages containing login portals". These login pages are the front doors to the websites and can reveal the operating system and software of a target [20]. It affects the confidentiality of the information resource.

V14 - Possible internal IP address disclosure is a vulnerability revealing the internal network IP address scheme, which might be utilized by an attacker to launch further attacks. In this way the vulnerability discloses sensitive information and affects the confidentiality of the information resource. It can be prevented by not allowing internal IPs to be displayed to the user.

V15 - Error page web server version disclosure: by requesting a page that doesn't exist, an error page was returned. This error page contains the web server version number and a list of modules enabled on the server. This information can be used to conduct further attacks. V15 affects the confidentiality of the information resource due to disclosure of sensitive information. It can be prevented by setting up a custom 404 error page on the website hosted on the Apache server [21].

[6] CONCLUSION

Web security is crucial for E-Governance website/web application projects, since citizens' trust and the privacy of their data are key factors in E-Governance success. Although it is mandatory for all Government organizations to host their websites/web applications in the public domain only after a proper security audit, it is evident from the analysis that high-impact vulnerabilities like Cross Site Scripting and Proxy accepts CONNECT requests appeared in more than 26% of websites/web applications. High-impact vulnerabilities like ASP.NET Padding Oracle Vulnerability and Microsoft IIS tilde directory enumeration appeared in more than 13% of websites/web applications. Medium-impact vulnerabilities like Cross Site Request Forgery and user credentials sent in clear text appeared in more than 14% of websites/web applications. These vulnerabilities mainly affect the confidentiality and integrity of the information resource. Regular auditing of websites/web applications is required to remove or restrain the constantly emerging threats and keep E-Governance services secure and safe.
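The conclusion calls for regular auditing. As an added illustration of the kind of lightweight recurring check that implies, and not code from the paper or from any scanner it cites, the Python below applies the paper's V8, V9, V10, V12, V14 and V15 checks to a single HTTP response represented as a status code, a header list and a body; the two responses at the bottom are constructed for this example, not captured from any real site, and the findings are tagged with the paper's V-numbers. One caveat on the V8 remedy discussed earlier: in ASP.NET's customErrors element, mode="Off" is the setting that returns detailed error pages to every client, while "On" or "RemoteOnly" withholds them from remote clients, which is what the check below expects to see.

```python
# Added example (not from the paper or any scanner it cites): apply the
# paper's V8, V9, V10, V12, V14 and V15 checks to one HTTP response.
# The response samples at the bottom are constructed for this example.
import re
from typing import List, Tuple

Headers = List[Tuple[str, str]]

# V14: RFC 1918 private ranges appearing in a response body.
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
)
# V15: a version string such as "/2.4" in the Server header.
SERVER_VERSION = re.compile(r"/\d+(?:\.\d+)+")
# V8: markers of ASP.NET's detailed error page (exception name, stack trace,
# framework version block).
ASPNET_TRACE = re.compile(r"\[\w+Exception|Stack Trace:|Version Information:")
# V12: password inputs; those without autocomplete="off" are reported.
PASSWORD_FIELD = re.compile(r"<input\b[^>]*\btype=[\"']?password[\"']?[^>]*>", re.I)
AUTOCOMPLETE_OFF = re.compile(r"\bautocomplete=[\"']?off\b", re.I)


def _header_values(headers: Headers, name: str) -> List[str]:
    """All values of a header, case-insensitively (Set-Cookie may repeat)."""
    return [v for k, v in headers if k.lower() == name.lower()]


def audit_response(status: int, headers: Headers, body: str) -> List[str]:
    """Return one finding string per issue, tagged with the paper's V-number."""
    findings: List[str] = []

    # V9: cookie attributes follow the first ';' of each Set-Cookie value.
    for cookie in _header_values(headers, "Set-Cookie"):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"V9: cookie {name} set without Secure flag")
        if "httponly" not in attrs:  # not in the paper's table, but the usual companion check
            findings.append(f"V9: cookie {name} set without HttpOnly flag")

    # V10: an Allow header advertising OPTIONS (and whatever else is enabled).
    for allow in _header_values(headers, "Allow"):
        methods = sorted({m.strip().upper() for m in allow.split(",")})
        if "OPTIONS" in methods:
            findings.append("V10: OPTIONS method enabled; Allow lists " + ", ".join(methods))

    # V15: Server banner carrying a version number.
    for server in _header_values(headers, "Server"):
        if SERVER_VERSION.search(server):
            findings.append(f"V15: Server header discloses version: {server}")

    # V8: detailed ASP.NET error page returned on a server error.
    if status >= 500 and ASPNET_TRACE.search(body):
        findings.append("V8: detailed ASP.NET error page with stack trace returned")

    # V12: password field without autocomplete disabled.
    for tag in PASSWORD_FIELD.findall(body):
        if not AUTOCOMPLETE_OFF.search(tag):
            findings.append("V12: password input with autocomplete enabled")

    # V14: internal IP addresses in the body.
    for ip in sorted(set(PRIVATE_IP.findall(body))):
        findings.append(f"V14: internal IP address disclosed: {ip}")

    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = (
    500,
    [("Server", "Microsoft-IIS/7.5"),
     ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/"),
     ("Allow", "OPTIONS, TRACE, GET, HEAD, POST")],
    "Server Error in '/' Application.\n"
    "[NullReferenceException: Object reference not set to an instance of an object.]\n"
    "Stack Trace: at Portal.Login.Page_Load(Object sender, EventArgs e)\n"
    "Version Information: Microsoft .NET Framework Version:2.0.50727\n"
    "Database host 10.0.5.21 unreachable\n"
    "<input type=\"password\" name=\"pwd\">",
)
HARDENED_RESPONSE = (
    200,
    [("Server", "Microsoft-IIS"),
     ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/; Secure; HttpOnly")],
    "<form><input type=\"password\" name=\"pwd\" autocomplete=\"off\"></form>",
)

if __name__ == "__main__":
    for line in audit_response(*WEAK_RESPONSE):
        print(line)
    print("hardened findings:", audit_response(*HARDENED_RESPONSE))  # []
```

Feeding this function the stored responses from a scheduled crawl gives a cheap regression check between full scanner runs: a finding that reappears after a site update is exactly the "residual vulnerability" the paper's abstract describes.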

REFERENCES

[1] "E-Governance Definition," Wikipedia, [Online]. Available: http://en.wikipedia.org/wiki/e-governance.
[2] "Information Security Definition," Wikipedia, [Online]. Available: http://en.wikipedia.org/wiki/information_security. [Accessed January 2015].
[3] P. Mittal and A. Kaur, "E-Governance - A challenge for India," International Journal of Advanced Research in Computer Engineering & Technology (IJARCET), vol. 2, no. 3, March 2013.
[4] "Guidelines for Indian Government Websites," Department of Administrative Reforms and Public Grievances, Government of India, 2009.
[5] "Guidelines for Registration, Hosting and periodic security audit of Government Websites," Science and Technology Department, Government of Gujarat, Gandhinagar, 2014.
[6] S. Chen, "Security Tools Benchmarking," [Online]. Available: http://sectooladdict.blogspot.in/2014/02/wavsep-web-application-scanner.html.
[7] "Web Application Scanner Comparison," Acunetix, [Online]. Available: https://www.acunetix.com/blog/news/acunetix-comparison-web-application-scanners/.
[8] "Government of Gujarat Official Website," Government of Gujarat, [Online]. Available: http://gujaratindia.com.
[9] "NIC Gujarat," National Informatics Center Gujarat, [Online]. Available: http://guj.nic.in/.
[10] "OWASP - Cross Site Scripting," Open Web Application Security Project, [Online]. Available: https://www.owasp.org/index.php/cross_site_scripting.
[11] "Proxy Accepts Connect Requests," Acunetix, [Online]. Available: http://www.acunetix.com/vulnerabilities/web/proxy-accepts-connect-requests.
[12] "MS10-070 Patch," Microsoft Corporation, [Online]. Available: https://technet.microsoft.com/library/security/ms10-070.
[13] "IIS ShortName Scanner," GitHub, Inc., [Online]. Available: https://github.com/irsdl/iis-ShortName-Scanner.
[14] "Microsoft IIS tilde vulnerability," Detectify, [Online]. Available: http://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tildevulnerability.
[15] "Microsoft_IIS_Tilde_Character_Vulnerability," [Online]. Available: http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf.
[16] "Security Innovation Appsec Blog," Security Innovation, Inc., [Online]. Available: http://web.securityinnovation.com/appsec-weekly/blog/bid/89728/prevent-information-Disclosure-in-Error-Messages.
[17] "Common Weakness Enumeration Community Dictionary," MITRE Corporation, [Online]. Available: https://cwe.mitre.org/data/definitions/209.html.