CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS


8.1 SUMMARY

This research has focused on developing a Web Applications Secure System from Code Injection Vulnerabilities through Web Services (WAPS-CIVS), to provide vulnerability-free web applications. In this work, an attack prevention mechanism for code injection vulnerabilities, such as SQL injection, XPath injection, cross-site scripting and session hijacking, is developed. There are four prevention modules working together in the WAPS-CIVS system. The entire system is implemented through web services, so that the prevention mechanism is provided to the web application independently of it.

In the SQL injection prevention system, all forms of SQL injection vulnerability are possible only through malicious inputs from the attacker. The malicious inputs used to craft a query will be executed in the data logic, which results in SQL injection. To prevent SQL injection, the SQL injection preventer does not allow the query to run at the data logic directly. Instead, the crafted query is fetched through the AOP module and sent to the syntactic verification module. The syntactic verification module of the SQL injection preventer analyses the crafted query and converts it into the form of an XML file. An SQL injection preventer schema is designed in order to eliminate the tautology function, use of piggyback, union query and end of line. The designed schema is a robust and reliable meta document to prevent SQL injection. The converted XML file is parsed against the SQL injection preventer schema to detect the SQL injection. The SQL injection preventer would also prevent disclosure of the database information when a logically incorrect query is used for the SQL injection.

In the XPath prevention mechanism, all the user inputs are intercepted from the XQuery using Aspect Oriented Programming, and the inputs are converted into the form of an XML file. In the XPath injection preventer, a new XPath injection preventer schema is defined to prevent an invalid input which leads to XPath injection. Since the XQuery is converted into the form of an XML file, it is validated against the defined XPath injection preventer schema for any invalid input. In the validation process, the SAX parsing technique is used to detect the XPath injection.

In the implementation of the cross-site scripting attack prevention mechanism, every HTTP request and response is fetched through a servlet filter and analysed to check for the presence of any maliciously injected script. To identify the XSS attack, the HTTP request of the original web application is crawled to collect all the legitimate client-side scripts in the web application. The client-side scripts are analysed and a graph equivalent to the scripts in the web page is drawn. The same procedure is followed at the time of the HTTP response to the client. From the two graphs, an adjacency matrix is generated and compared. If any additional injected script is present in the HTTP response, it may be the suspicious script that leads to the XSS attack. The additional script identified through the adjacency matrix is parsed, and the script executable characters are replaced with entity references so that the script will not be executed in the client browser.
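As an added illustration of the syntactic verification step (this is example code written for this page in Python, not the WAPS-CIVS implementation, which converts the query to XML and validates it against the SQL injection preventer schema), the checker below tokenizes a crafted query and flags the four structural patterns the schema is designed to reject: a tautology (a comparison whose two operands are both literals, so its truth does not depend on the data), a piggybacked second statement after a semicolon, a UNION, and an end-of-line comment. Tokenizing first means a keyword inside a quoted literal is not a finding, and an unterminated literal is reported as malformed. The token grammar, the finding names and the sample queries are constructed for the example; a check like this is a second layer at the interception point, with parameterized queries remaining the primary defence.

```python
import re

# Token grammar for a small SQL subset (constructed for this example; not a full SQL lexer).
TOKEN_RE = re.compile(
    r"""
    (?P<string>'(?:[^']|'')*')                 # single-quoted literal, '' escapes a quote
  | (?P<comment>--[^\n]*|\#[^\n]*|/\*.*?\*/)   # end-of-line and block comments
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<op>=|<>|!=|<=|>=|<|>)
  | (?P<semi>;)
  | (?P<punct>[(),.*])
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<ws>\s+)
    """,
    re.VERBOSE | re.DOTALL,
)
LITERALS = {"string", "number"}


def tokenize(sql):
    """Split a query into (kind, text) tokens; raise ValueError on an unterminated literal."""
    pos, tokens = 0, []
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError(f"malformed query at offset {pos}")
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens


def check_query(sql):
    """Return the structural findings for a crafted query; an empty list means it passes."""
    try:
        toks = tokenize(sql)
    except ValueError:
        # a dangling quote is itself a sign of a broken crafted query
        return ["malformed"]
    findings = []
    if any(kind == "comment" for kind, _ in toks):
        findings.append("end_of_line_comment")
    for i, (kind, _) in enumerate(toks):
        # a semicolon followed by more tokens means a second, piggybacked statement
        if kind == "semi" and i + 1 < len(toks) and toks[i + 1][0] != "comment":
            findings.append("piggyback")
            break
    if any(kind == "word" and text.upper() == "UNION" for kind, text in toks):
        findings.append("union")
    for i in range(1, len(toks) - 1):
        # literal <op> literal is data-independent: the tautology class
        if toks[i][0] == "op" and toks[i - 1][0] in LITERALS and toks[i + 1][0] in LITERALS:
            findings.append("tautology")
            break
    return findings


# Constructed sample queries, as a crafted query would look at the interception point.
SAMPLES = {
    "legitimate": "SELECT * FROM users WHERE name = 'alice' AND pass = 'x'",
    "tautology": "SELECT * FROM users WHERE name = '' OR '1'='1'",
    "comment": "SELECT * FROM users WHERE name = 'a' -- ' AND pass = 'b'",
    "piggyback": "SELECT id FROM t WHERE id = 1; DROP TABLE t",
    "union": "SELECT a FROM t WHERE a = 'x' UNION SELECT b FROM u",
    "keyword_in_literal": "SELECT * FROM t WHERE note = 'reunion; -- not a comment'",
}

if __name__ == "__main__":
    for name, sql in SAMPLES.items():
        print(f"{name:20s} -> {check_query(sql) or 'pass'}")
```

The XPath injection preventer described above applies the same idea to XPath predicates; only the SQL side is shown here.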
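The adjacency-matrix comparison behind the XSS preventer, as an added Python example written for this page (not the thesis's servlet-filter implementation): the crawled, legitimate copy of a page is the baseline and the outgoing response is the candidate. Each is turned into a small script graph, modelled here as a PAGE node with an edge to every script and an edge from each script to the next one in document order. The two adjacency matrices are built over the union of nodes and compared; a script that is the target of an edge present only in the response, and that does not exist in the baseline at all, is treated as injected and has its executable characters replaced with entity references. The page fragments and the graph shape are constructed; `html.escape` from the standard library does the replacement.

```python
import html
import re

# Regex extraction of <script> elements (adequate for this example; use a DOM parser in production).
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)


def script_nodes(page):
    """Script elements in document order as (signature, (start, end)) pairs.

    The signature is the src URL for external scripts or the whitespace-stripped body
    for inline ones, so cosmetic whitespace differences do not count as new scripts.
    """
    nodes = []
    for m in SCRIPT_RE.finditer(page):
        attrs, body = m.group(1), m.group(2)
        src = SRC_RE.search(attrs)
        sig = "src:" + src.group(1) if src else "inline:" + "".join(body.split())
        nodes.append((sig, m.span()))
    return nodes


def adjacency(sigs, labels):
    """Adjacency matrix over `labels` for the graph PAGE -> every script, script_i -> script_i+1."""
    index = {label: i for i, label in enumerate(labels)}
    n = len(labels)
    matrix = [[0] * n for _ in range(n)]
    prev = "PAGE"
    for sig in sigs:
        matrix[index["PAGE"]][index[sig]] = 1
        if prev != "PAGE":
            matrix[index[prev]][index[sig]] = 1
        prev = sig
    return matrix


def injected_scripts(baseline, response):
    """Signatures of scripts that only the response's graph contains."""
    base_sigs = [sig for sig, _ in script_nodes(baseline)]
    resp_sigs = [sig for sig, _ in script_nodes(response)]
    labels = ["PAGE"] + sorted(set(base_sigs) | set(resp_sigs))
    base_m, resp_m = adjacency(base_sigs, labels), adjacency(resp_sigs, labels)
    targets = set()
    for i in range(len(labels)):
        for j in range(len(labels)):
            if resp_m[i][j] and not base_m[i][j]:
                targets.add(labels[j])  # edge exists only in the response
    # an inserted script also perturbs edges into legitimate neighbours; only flag unknown nodes
    return targets - set(base_sigs)


def neutralise(baseline, response):
    """Return (rewritten response, injected signatures); injected scripts become inert text."""
    extra = injected_scripts(baseline, response)
    out, last = [], 0
    for sig, (start, end) in script_nodes(response):
        if sig in extra:
            out.append(response[last:start])
            out.append(html.escape(response[start:end], quote=False))  # < > & -> entity references
            last = end
    out.append(response[last:])
    return "".join(out), extra


# Constructed pages: the crawled legitimate page and a response carrying an extra script.
BASELINE = ("<html><body><script src='/app.js'></script>"
            "<div>hi</div><script>init( 1 )</script></body></html>")
RESPONSE = ("<html><body><script src='/app.js'></script>"
            "<div>hi <script>alert('injected')</script></div>"
            "<script>init(1)</script></body></html>")

if __name__ == "__main__":
    cleaned, extra = neutralise(BASELINE, RESPONSE)
    print(sorted(extra))
    print(cleaned)
```

Reordering legitimate scripts changes edges but not nodes, so it is not flagged; only a node absent from the baseline is rewritten. A baseline crawled per page (or per template) is what makes this workable, since scripts that differ between pages would otherwise be reported as injected.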

To prevent session hijacking in a web application, every HTTP request and HTTP response is intercepted and passed on to the session ID fixation prevention module, which stores the original cookie value in the database, generates one dynamic id for each response, and attaches it to the original session id value through the dynamic session ID mapping technique. The Set-Cookie header contains both the dynamic and the original session id; the dynamic session id in the header is set as an HttpOnly cookie, so that it cannot be used to hijack the session.

Another session hijacking attack is browser hijacking. Browser hijacking is prevented by generating a one-time URL with a randomized nonce (URL randomization). For every user request, the original session id value is compared with the nonce value, which is unique, and the nonce is attached to the URL to generate a one-time URL. The attached nonce value has its flag set to true in the database. If the flag is true, it is changed to false, a new nonce value is generated, and this new nonce value is attached to the header URL; the flag of the new nonce value is set to true for this session id value. For the remaining requests from the same session, the web server sends a browser hijacking error message.

Background XSS propagation attacks are prevented by ensuring that no trust relationship exists between the pages: the same-origin policy removes it as long as the document.domain property differs for every page. To achieve this trust removal, an additional sub-domain is introduced to the web application. Every link included in a web page directs to a URL with a sub-domain that differs from the domain of the containing web page. As a result, every single page possesses a different document.domain value. Hence, the attacker cannot steal credentials or other confidential information from the legitimate web page.
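The three session-hijacking defences described above, as an added Python example written for this page (not the WAPS-CIVS module): an in-memory store stands in for the thesis's database; each response maps the real session id to a fresh dynamic id sent in an HttpOnly Set-Cookie (this example keeps the original id server-side only, rather than sending both ids as the text describes); each response also issues a single-use URL nonce whose flag is set true and flipped to false on use, and a request presenting a used nonce is answered with the browser hijacking error; finally, a link rewriter moves every same-site link to the next sub-domain in a pool, so the linked page's document.domain differs from the containing page's. The session ids, the cookie name DSID, the pool size and the domain app.example are constructed.

```python
import re
import secrets

BASE_DOMAIN = "app.example"   # constructed base domain; pages are served from p0..p3.app.example
POOL = 4
HREF_RE = re.compile(r'href="(/[^"]*)"')  # same-site relative links only


class SessionStore:
    """Stand-in for the database of the session ID fixation prevention module."""

    def __init__(self):
        self.dynamic_to_original = {}   # dynamic id -> original session id
        self.nonce_state = {}           # original session id -> (nonce, flag)

    def issue_dynamic_id(self, original_sid):
        """Dynamic session ID mapping: one new dynamic id per response, old ones retired."""
        for dyn, orig in list(self.dynamic_to_original.items()):
            if orig == original_sid:
                del self.dynamic_to_original[dyn]
        dynamic = secrets.token_urlsafe(24)
        self.dynamic_to_original[dynamic] = original_sid
        return dynamic

    def issue_nonce(self, original_sid):
        """URL randomization: a fresh nonce whose flag is true until it is used once."""
        nonce = secrets.token_urlsafe(16)
        self.nonce_state[original_sid] = (nonce, True)
        return nonce

    def consume_nonce(self, original_sid, presented):
        """True only for the live nonce of this session; the flag is flipped to false on use."""
        nonce, flag = self.nonce_state.get(original_sid, (None, False))
        if flag and presented is not None and secrets.compare_digest(nonce, presented):
            self.nonce_state[original_sid] = (nonce, False)
            return True
        return False


def set_cookie_header(dynamic):
    # HttpOnly keeps the dynamic id out of reach of page script; Secure keeps it off plaintext HTTP
    return f"Set-Cookie: DSID={dynamic}; HttpOnly; Secure; Path=/; Domain={BASE_DOMAIN}"


def handle_request(store, cookies, url_nonce):
    """Resolve the dynamic cookie, enforce the one-time URL, then rotate both for the response."""
    original = store.dynamic_to_original.get(cookies.get("DSID"))
    if original is None:
        return {"status": 401, "error": "unknown session"}
    if not store.consume_nonce(original, url_nonce):
        return {"status": 403, "error": "browser hijacking"}
    dynamic = store.issue_dynamic_id(original)
    nonce = store.issue_nonce(original)
    return {"status": 200, "session": original, "dynamic_id": dynamic,
            "set_cookie": set_cookie_header(dynamic), "next_url": f"/app?n={nonce}"}


def switch_subdomains(page_html, containing_host):
    """Sub-domain switching: every same-site link points at the next host in the pool."""
    k = int(containing_host.split(".")[0][1:])          # 'p2.app.example' -> 2
    next_host = f"p{(k + 1) % POOL}.{BASE_DOMAIN}"
    return HREF_RE.sub(lambda m: f'href="https://{next_host}{m.group(1)}"', page_html)


if __name__ == "__main__":
    store = SessionStore()
    original = "sess-original-123"                     # constructed session id
    cookie = {"DSID": store.issue_dynamic_id(original)}
    nonce = store.issue_nonce(original)
    first = handle_request(store, cookie, nonce)        # 200: fresh cookie and one-time URL
    replay = handle_request(store, {"DSID": first["dynamic_id"]}, nonce)  # 403: nonce already used
    print(first["status"], replay)
    print(switch_subdomains('<a href="/account">Account</a>', f"p3.{BASE_DOMAIN}"))
```

Because the cookie is scoped to the base domain, the session survives the hop between sub-domains while the documents themselves stay in different origins; the application must be reachable on every host in the pool for the rewritten links to resolve.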

8.2 CONTRIBUTIONS OF THIS RESEARCH

A system called the Web Applications Secure System from Code Injection Vulnerabilities through Web Services (WAPS-CIVS) has been designed and developed. To integrate with the best coupling to existing web applications, the solution was proposed and implemented by means of web services, which do not demand any alteration in the web application. The proposed and developed system:

- Prevented all forms of SQL injection, such as tautology, union query, piggyback query and logically incorrect queries, using our SQL-XML schema.
- Provided a customized error response system to handle logically incorrect queries in SQL injection.
- Provided a log monitoring system to analyse the malicious input to the web application for further vulnerability analysis.
- Provided the code injection attack prevention mechanism to the web application, which is processed at the run time of the application.
- Prevented XPath injection attacks where the web applications use XML data stored as the data logic, with the designed schema, and maintained a log file system for further vulnerability analysis.
- Prevented cross-site scripting attacks by a server-side solution. The server-side solution does not demand any modification in the web client and server.
- Analysed zero-day attacks and vulnerabilities through a specialized log entry module integrated in the WAPS-CIVS.
- Prevented session hijacking attacks created through session ID fixation with the dynamic cookie rewriting module.
- Prevented browser hijacking attacks using one-time URL generation.
- Prevented the background XSS propagation attack with the help of sub-domain switching.
- Provided an attack prevention mechanism which is compatible with all types of web applications.

8.3 JUSTIFICATION FOR THIS STUDY

Although traditional firewalls have effectively prevented network-level attacks, most present and future attacks will be at the application level, where current security mechanisms are woefully inadequate. Application-level security vulnerabilities are inherent in a web application's code, regardless of the technology in which the application is implemented, or the security of the web server and back-end database on which it is built. Code injection vulnerabilities are the topmost application-level attacks that degrade the security of the web application. The WAPS-CIVS is a complete solution to prevent code injection vulnerabilities such as SQL injection, XPath injection, cross-site scripting (XSS) and session hijacking. The WAPS-CIVS is implemented completely through web services. Since the solution is through web services, any type of web application can be integrated into our system. The WAPS-CIVS provides a prevention mechanism for all forms of SQL injection, such as tautology, union query, piggyback query and logically incorrect query. It also prevents XPath
injection created through tautology XQuery. Cross-site scripting is a serious vulnerability in web applications. The WAPS-CIVS provides a server-side solution to prevent an XSS attack at run time. HTTP communication between the web client and web server is stateless. The session hijacking attack takes advantage of the stateless communication and steals the session of the legitimate user. The WAPS-CIVS also provides the prevention solution for the session hijacking attack, which can be created through session ID fixation, browser hijacking and background XSS propagation. In a real-time environment, the response time of the web application is critical in evaluating its performance. Since the WAPS-CIVS is implemented by means of web services, the entire system does not load the web server and degrade the response time, and the system can be integrated into any platform or application.

8.4 FUTURE ENHANCEMENTS

There is scope for further improvement in the WAPS-CIVS prevention system. The SQL injection preventer of WAPS-CIVS does not address injection through stored procedures. The stored procedure is a common method to operate the database at the database server. The WAPS-CIVS considers the SQL statement crafted at the application/business logic of the web application. XPath injection is similar to SQL injection, and nowadays it has become popular where XML data is used as a data store for the web application. The WAPS-CIVS addressed only the tautology-based XPath injection in a web application. It does not address the insert XQuery and union XQuery. The XPath injection preventer can be further improved by addressing issues other than tautology-based injections.

A cross-site request forgery attack, also known as CSRF or XSRF (pronounced "sea-surf"), is well known, and just as dangerous as the cross-site scripting (XSS) attack. The cross-site scripting preventer system of WAPS-CIVS can be further improved by integrating a CSRF prevention mechanism. The session hijacking prevention can be further enhanced, based on complex encryption techniques and taint information flow in web applications.