CHAPTER 8

CONCLUSION AND FUTURE ENHANCEMENTS

8.1 SUMMARY

This research has focused on developing a Web Applications Secure System from Code Injection Vulnerabilities through Web Services (WAPS-CIVS) to provide vulnerability-free web applications. In this work, an attack prevention mechanism for code injection vulnerabilities, such as SQL injection, XPath injection, cross-site scripting and session hijacking, is developed. Four prevention modules work together in the WAPS-CIVS system. The entire system is implemented through web services, so that the prevention mechanism can be supplied to the web application independently.

In the SQL injection prevention system, all forms of SQL injection vulnerability are possible only through malicious inputs from the attacker. The malicious inputs used to craft a query would be executed in the data logic, which turns into an SQL injection. To prevent an SQL injection, the SQL injection preventer does not allow the query to run at the data logic directly. Instead, the crafted query is fetched through the AOP module and sent to the syntactic verification module. The syntactic verification module of the SQL injection preventer analyzes the crafted query and converts it into the form of an XML file. An SQL injection preventer schema is designed in order to eliminate the tautology function, use of piggyback, union query and end of line. The designed schema
is a robust and reliable meta document to prevent the SQL injection. The converted XML file is parsed against the SQL injection preventer schema to detect the SQL injection. The SQL injection preventer also prevents disclosure of the database information when a logically incorrect query is used for the SQL injection.

In the XPath prevention mechanism, all the user inputs are intercepted from the XQuery using Aspect Oriented Programming, and the inputs are converted into the form of an XML file. In the XPath injection preventer, a new XPath injection preventer schema is defined to prevent an invalid input that leads to XPath injection. Since the XQuery is converted into the form of an XML file, it is validated against the defined XPath injection preventer schema for any invalid input. In the validation process, the SAX parsing technique is used to detect the XPath injection.

In the implementation of the cross-site script attack prevention mechanism, every HTTP request and response is fetched through a servlet filter and analysed to check for the presence of any maliciously injected script. To identify the XSS attack, the HTTP request of the original web application is crawled to collect all the legitimate client-side scripts in the web application. The client-side scripts are analysed and a graph equivalent to the scripts in the web page is drawn. The same procedure is followed at the time of the HTTP response to the client. From the two graphs, an adjacency matrix is generated for each and the two are compared. If any additional injected script is present in the HTTP response, it may be the suspicious script that leads to the XSS attack. The additional script identified through the adjacency matrix is parsed, and the script's executable characters are replaced with entity references so that the script will not be executed in the client browser.
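As an added illustration of the syntactic verification step and the customized error response described in the SQL injection summary above (this is example code written for this page, not the thesis's WAPS-CIVS implementation, which is a Java web service that validates an XML form of the query against an XML schema), the following Python sketch checks a crafted query for the same four rule classes the schema is said to eliminate: tautology, piggyback, union query and end of line. The regular expressions, the function names, the generic client message and the sample queries are this example's own assumptions, not the thesis's schema.

```python
import re

# Added example, not the thesis's WAPS-CIVS code. The thesis converts the
# crafted query into XML and validates it against an XML schema; the
# regular expressions below are this example's own approximation of the
# four rule classes that schema is described as eliminating.

# A single-quoted SQL string literal ('' is an escaped quote inside it).
STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")

# Literal compared with literal, e.g. '1'='1' or 1=1 (tautology candidates).
LITERAL_EQ = re.compile(
    r"(?:'((?:[^']|'')*)'|(\d+))\s*=\s*(?:'((?:[^']|'')*)'|(\d+))")

# A statement terminator followed by a second statement (piggyback query).
PIGGYBACK = re.compile(
    r";\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|EXEC|SHUTDOWN)\b",
    re.IGNORECASE)

# UNION SELECT appended to the intended query (union query).
UNION_QUERY = re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.IGNORECASE)

# Comment openers used to discard the rest of the query (end of line).
END_OF_LINE = re.compile(r"--|#|/\*")


def mask_literals(query):
    """Replace string literals with '?' so that operators legitimately
    stored in data (a '--' inside a comment field, say) are not flagged."""
    return STRING_LITERAL.sub("'?'", query)


def find_tautologies(query):
    """Return every literal=literal comparison whose two sides are equal."""
    hits = []
    for m in LITERAL_EQ.finditer(query):
        left = m.group(1) if m.group(1) is not None else m.group(2)
        right = m.group(3) if m.group(3) is not None else m.group(4)
        if left == right:
            hits.append(m.group(0))
    return hits


def verify_query(query):
    """Syntactic verification of a crafted query before it reaches the
    data logic. Returns (allowed, findings); findings lists each rule
    class that fired, in the schema's order."""
    findings = []
    if find_tautologies(query):
        findings.append("tautology")
    masked = mask_literals(query)
    if PIGGYBACK.search(masked):
        findings.append("piggyback")
    if UNION_QUERY.search(masked):
        findings.append("union")
    if END_OF_LINE.search(masked):
        findings.append("end_of_line")
    return (not findings, findings)


def client_error_response(db_error):
    """Customized error handling for a logically incorrect query: the raw
    database message (which can reveal table names, column names or the
    DBMS version) is kept for the log monitoring system, and the client
    receives only a generic message."""
    log_entry = {"severity": "warning", "db_error": db_error}
    response = {"status": 400, "message": "The request could not be processed."}
    return response, log_entry
```

Masking string literals before the piggyback, union and comment checks is what keeps a legitimate `--` or `;` inside stored data from being rejected; the tautology check runs on the unmasked query because it needs the literal values on both sides of the `=`.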
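The cross-site scripting preventer described above compares a script graph built at crawl time with one built from the outgoing HTTP response, via their adjacency matrices, and entity-encodes whatever script appears only in the response. As an added example (not the thesis's servlet filter), the Python below models that comparison for a single page. Extracting scripts with regular expressions, the node labels, the function names and the constructed sample pages are this example's assumptions; the thesis does not state how its crawler parses the markup.

```python
import html
import re

# Added example, not the thesis's code: the crawl-time versus response-time
# script graph comparison, reduced to a single page and expressed with
# regular expressions (an assumption of this example).

SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
EVENT_HANDLER = re.compile(r"\bon\w+\s*=\s*([\"'])(.*?)\1", re.I | re.S)


def script_nodes(page_html):
    """Every client-side script in the page as a normalized node label."""
    nodes = set()
    for body in SCRIPT_BLOCK.findall(page_html):
        body = " ".join(body.split())
        if body:
            nodes.add("inline:" + body)
    for src in SCRIPT_SRC.findall(page_html):
        nodes.add("src:" + src.strip())
    for _, handler in EVENT_HANDLER.findall(page_html):
        nodes.add("handler:" + " ".join(handler.split()))
    return nodes


def adjacency_matrix(nodes, universe):
    """Graph with node 0 = the page and nodes 1..n = the scripts in
    `universe`; an edge page->script means the page carries that script.
    Both matrices are built over the same universe so that they line up."""
    size = len(universe) + 1
    matrix = [[0] * size for _ in range(size)]
    for j, label in enumerate(universe, start=1):
        if label in nodes:
            matrix[0][j] = 1
    return matrix


def injected_scripts(baseline_html, response_html):
    """Scripts whose edge exists in the response graph but not in the
    crawled baseline graph; these are the suspicious additions."""
    base, resp = script_nodes(baseline_html), script_nodes(response_html)
    universe = sorted(base | resp)
    m_base = adjacency_matrix(base, universe)
    m_resp = adjacency_matrix(resp, universe)
    return {universe[j - 1] for j in range(1, len(universe) + 1)
            if m_resp[0][j] and not m_base[0][j]}


def neutralize(response_html, injected):
    """Rewrite only the injected scripts with entity references so the
    browser renders them as text instead of executing them."""
    def fix_block(m):
        src = SCRIPT_SRC.search(m.group(0))
        labels = {"inline:" + " ".join(m.group(1).split())}
        if src:
            labels.add("src:" + src.group(1).strip())
        return html.escape(m.group(0)) if labels & injected else m.group(0)

    def fix_handler(m):
        label = "handler:" + " ".join(m.group(2).split())
        return html.escape(m.group(0)) if label in injected else m.group(0)

    cleaned = SCRIPT_BLOCK.sub(fix_block, response_html)
    return EVENT_HANDLER.sub(fix_handler, cleaned)


def filter_response(baseline_html, response_html):
    """What the servlet filter does on the way out: diff, then clean."""
    injected = injected_scripts(baseline_html, response_html)
    return injected, neutralize(response_html, injected)
```

Because the baseline graph fixes the set of legitimate scripts, the application's own `<script src=...>` tags and event handlers pass through untouched, and only the extra edge found in the response matrix is rewritten.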
To prevent session hijacking in a web application, every HTTP request and HTTP response is intercepted and passed on to the session ID fixation prevention module, which stores the original cookie value in the database, generates one dynamic id for each response, and attaches it to the original session id value through the dynamic session ID mapping technique. By setting a Set-Cookie header that contains both the dynamic and the original session id, with the dynamic session id set as an HttpOnly cookie, the dynamic id cannot be used to hijack the session.

Another session hijacking attack is browser hijacking. Browser hijacking is prevented by generating a one-time URL with a randomized nonce (URL Randomization). For every user request, the original session id value is paired with a unique nonce value, which is attached to the URL to generate the one-time URL. The flag of the attached nonce value is set to true in the database. When a request arrives, if the flag of its nonce is true, the flag is changed to false, a new nonce value is generated and attached to the URL in the response header, and the flag of this new nonce value is set to true for this session id value. For any remaining request from the same session that presents an old nonce, the web server sends an error message reporting browser hijacking.

Background XSS propagation attacks are prevented by ensuring that there is no trust relationship between the pages, which the same-origin policy guarantees as long as the Document.domain property of every page differs. To achieve this trust removal, an additional sub-domain is introduced to the web application. Every link included in a web page directs to a URL with a sub-domain that differs from the domain of the containing web page. As a result, every single page possesses a different Document.domain value. Hence, the attacker cannot steal any credential or other confidential information from the legitimate web page.
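The three session hijacking defences summarised above (dynamic session ID mapping with an HttpOnly cookie, the one-time URL with its true/false nonce flag, and sub-domain switching) are modelled below as an added Python example; it is not the thesis's code, which runs as a Java web service backed by a database. A dict stands in for the database, the cookie name `DSID`, the query parameter `nonce`, the `p<N>.` sub-domain labels and the `app.example` domain are this example's own assumptions, and the nonce flag protocol follows the steps in the text.

```python
import hashlib
import re
import secrets

# Added example, not the thesis's code: an in-memory model of the three
# session hijacking defences. A dict stands in for the database; the cookie
# name "DSID", the query parameter "nonce" and the "p<N>." sub-domain
# labels are this example's own assumptions.


class SessionGuard:
    """Dynamic session ID mapping plus one-time (URL Randomization) URLs."""

    def __init__(self, domain):
        self.domain = domain
        self.dynamic_to_original = {}   # dynamic id -> original session id
        self.nonces = {}                # original session id -> [nonce, flag]

    def on_response(self, original_session_id):
        """Generate one dynamic id per response, map it to the original
        session id, and emit Set-Cookie headers. The dynamic id is the
        HttpOnly one, so script in the page cannot read it."""
        dynamic_id = secrets.token_urlsafe(32)
        self.dynamic_to_original[dynamic_id] = original_session_id
        headers = [
            f"Set-Cookie: JSESSIONID={original_session_id}; Path=/",
            f"Set-Cookie: DSID={dynamic_id}; Path=/; Secure; HttpOnly",
        ]
        return dynamic_id, headers

    def resolve(self, dynamic_id):
        """Map a presented dynamic id back to the original session id."""
        return self.dynamic_to_original.get(dynamic_id)

    def issue_url(self, original_session_id, path):
        """Attach a fresh nonce (flag true) to the URL for the next request."""
        nonce = secrets.token_urlsafe(16)
        self.nonces[original_session_id] = [nonce, True]
        return f"https://{self.domain}{path}?nonce={nonce}"

    def on_request(self, original_session_id, presented_nonce, path):
        """Accept the request only if it carries the nonce whose flag is
        true; retire that nonce (flag false) and issue the next one-time
        URL. Anything else, including a replayed nonce, is treated as
        browser hijacking."""
        entry = self.nonces.get(original_session_id)
        if entry is None or entry[0] != presented_nonce or not entry[1]:
            return None, "403 browser hijacking"
        entry[1] = False
        return self.issue_url(original_session_id, path), "200 OK"


# --- sub-domain switching against background XSS propagation ---

HREF = re.compile(r'href="(/[^"]*)"')


def subdomain_index(path, buckets=16):
    """Deterministically pick one of `buckets` sub-domains for a path."""
    return int(hashlib.sha256(path.encode()).hexdigest(), 16) % buckets


def subdomain_for(path, base_domain, avoid, buckets=16):
    """Sub-domain for a linked path, never the containing page's own."""
    idx = subdomain_index(path, buckets)
    if idx == avoid:
        idx = (idx + 1) % buckets
    return f"p{idx}.{base_domain}"


def rewrite_links(page_html, page_path, base_domain, buckets=16):
    """Point every relative link at a sub-domain that differs from the
    containing page's, so document.domain differs between the two pages."""
    own = subdomain_index(page_path, buckets)

    def fix(m):
        path = m.group(1)
        host = subdomain_for(path, base_domain, own, buckets)
        return f'href="https://{host}{path}"'

    return HREF.sub(fix, page_html)
```

The replay case is the one worth checking: once a nonce's flag has been set to false, presenting it again yields the browser hijacking error even though the session id itself is still valid, which is exactly what stops a copied one-time URL from being reused.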
8.2 CONTRIBUTIONS OF THIS RESEARCH

A system called the Web Applications Secure System from Code Injection Vulnerabilities through Web Services (WAPS-CIVS) has been designed and developed. To integrate best with existing web applications, the solution was proposed and implemented by means of web services, which do not demand any alteration in the web application. The proposed and developed system:

- Prevented all forms of SQL injection, such as tautology, union query, piggyback query and logically incorrect queries, using our SQL-XML schema.
- Provided a customized error response system to handle logically incorrect queries in the SQL injection.
- Provided a log monitoring system to analyze the malicious input to the web application for further vulnerability analysis.
- Provided the code injection attack prevention mechanism to the web application, which is processed at the run time of the application.
- Prevented XPath injection attacks, where the web application uses XML data stored as a data logic, with the designed schema, and maintained a log file system for further vulnerability analysis.
- Prevented cross-site scripting attacks by a server-side solution. The server-side solution does not demand any modification in the web client or server.
- Analyzed zero-day attacks and vulnerabilities through a specialized log entry module integrated in the WAPS-CIVS.
- Prevented session hijacking attacks created through session ID fixation with the dynamic cookie rewriting module.
- Prevented browser hijacking attacks using one-time URL generation.
- Prevented the background XSS propagation attack with the help of sub-domain switching.
- Provided an attack prevention mechanism that is compatible with all types of web applications.

8.3 JUSTIFICATION FOR THIS STUDY

Although traditional firewalls have effectively prevented network-level attacks, most present and future attacks will be at the application level, where current security mechanisms are woefully inadequate. Application-level security vulnerabilities are inherent in a Web application's code, regardless of the technology in which the application is implemented, or the security of the Web server and backend database on which it is built. Code injection vulnerabilities are the topmost application-level attacks that degrade the security of the web application. The WAPS-CIVS is a complete solution to prevent code injection vulnerabilities, such as SQL injection, XPath injection, cross-site scripting (XSS) and session hijacking. The WAPS-CIVS is implemented completely through web services. Since the solution is delivered through web services, any type of web application can be integrated into our system. The WAPS-CIVS provides a prevention mechanism for all forms of SQL injection, such as tautology, union query, piggyback query and logically incorrect query. It also prevents XPath
injection created through tautology XQuery. Cross-site scripting is a serious vulnerability in web applications. The WAPS-CIVS provides a server-side solution to prevent an XSS attack at run time. HTTP communication between the web client and web server is stateless. The session hijacking attack takes advantage of the stateless communication and steals the session of the legitimate user. The WAPS-CIVS also provides a prevention solution for the session hijacking attack, which can be created through session ID fixation, browser hijacking and background XSS propagation. In a real-time environment, the response time of the web application is critical for evaluating performance. Since the WAPS-CIVS is implemented by means of web services, the system does not load the web server and so does not degrade the response time, and it can be integrated into any platform or application.

8.4 FUTURE ENHANCEMENTS

There is scope for further improvement in the WAPS-CIVS prevention system. The SQL injection preventer of WAPS-CIVS does not address injection through stored procedures. A stored procedure is a common method of operating the database at the database server; the WAPS-CIVS considers only the SQL statement crafted at the application / business logic of the web application. XPath injection is similar to SQL injection, and nowadays it has become popular where XML data is used as a data store for the web application. The WAPS-CIVS addresses only tautology-based XPath injection in a web application; it does not address the insert XQuery and union XQuery. The XPath injection preventer can be further improved by addressing issues other than tautology-based injections.
A cross-site request forgery attack, also known as CSRF or XSRF (pronounced "sea-surf"), is less well known but just as dangerous as the cross-site scripting (XSS) attack. The cross-site scripting preventer system of WAPS-CIVS can be further improved by integrating a CSRF prevention mechanism. The session hijacking prevention can be further enhanced based on complex encryption techniques and taint information flow in web applications.