WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project



The Internet is a collection of networks in which the web servers form autonomous systems. The data routing infrastructure corresponds to software-based communication interfaces, which are executed on physical hardware. The main software application responsible for the transmitted data is the Java-based browser. The design of this application is directly responsible for the reliability of the data transmitted through the Internet. Security, however, is usually treated as an afterthought. Despite common sense, security is placed at the bottom of a list that includes functionality, performance, compatibility and human interface. Good faith should not be relied upon when transferring private information through the Internet.

The programming languages Java and JavaScript have become the power tools of choice for building web-based applications. A web application is a dynamic extension of a web server. Its services can include remote database access and online purchases. Security weaknesses of web applications are often referred to as holes or bugs. The exploitation of these weaknesses has severe consequences, which include the loss and manipulation of sensitive information. The newer browsers are a considerable improvement over their predecessors when it comes to security, but they cannot be guaranteed to be bug-free.

The newest technology with a superior security system is the ActiveX control by Microsoft. The downside of this technology is that it is supported only by the Internet Explorer browser. Also, ActiveX controls are written and compiled using Microsoft Office Visual Basic programs, whereas the Java language needs only an editor and a free compiler. ActiveX controls use a certified digital signature, but this is dangerous because it places no restrictions on the variety of their use. One disturbing example is spyware, usually downloaded automatically from specific websites. Java, on the other hand, achieves security by restricting the behavior of applets to a set of safe actions that it supervises.[1]

[1] WWW Security FAQ: Client Side Security. Retrieved on April 1st.

The information transmitted over the Internet, and mostly through web browsers, may contain very sensitive information. It is understandable that third parties will always be interested in acquiring this information. Unauthorized use of and access to sensitive data can have unprecedented consequences. The most common threats to web applications include SQL injection, variable manipulation, cross-site scripting and the exploitation of their different features. The process of acquiring information illegally is usually called an attack or exploitation.

The SQL injection technique is very simple: it uses basic knowledge of the SQL representation of the database and exploits it. Variable manipulation involves accessing the information after it leaves the browser on its way to the server. Once the browser's proxy settings are configured to go through an HTTP proxy, proxy tools such as WebScarab can see all information flowing between the client and the server; such a tool even allows the attacker to modify any part of the request or response before it is sent, and can access credit card information during an online purchase. Another interesting attack, due mostly to human negligence, is cross-site scripting. Cross-site scripting relies on the server reflecting user input back without checking for embedded JavaScript. This can be used to steal cookies and session IDs. This information, however, should be deleted regularly by the user. While cookies are considered a benign vulnerability, deleting them prevents another type of exploitation, called Browser Cache, in which the attacker can track the surfing patterns of users. Spyware companies, for example, rely on these cookies to collect information about the user.

Another very dangerous exploitation can come from using the Forgot Password feature of a web application such as an e-mail service provider. In this case, the user has to answer his or her secret question. If the attacker can access the secret question, he might guess the answer and even reset the password. The remote-access method, which allows another party to control the desktop of the user's computer, makes this exploitation really easy. Another great procedure for collecting information entered through the keyboard is the keystroke logger. Keystroke loggers are usually a very efficient and simple way to retrieve information.

Most of these attacks are assisted by tools such as IP sniffers and Trojan horses. Port sniffing constitutes the first stage of the attack. The IP sniffer uses the communication protocols to collect the status of the ports on the user's machine. If any of the ports is unprotected, it can be used in the second stage of the attack. Sniffing is done remotely and over large ranges of IP addresses, which means that the attacker might be looking for any unprotected online computer. A Trojan horse is a different tool, one that needs to be installed on the user's computer. Upon installation, it opens a back door that allows the attacker to infiltrate the computer. This program is called a Trojan horse because it masquerades behind friendly applications, large pictures or links. A worm, which is a program that can duplicate itself upon execution, is another very common threat on the Internet.
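The cross-site scripting case described above (a server reflecting a query parameter back into its HTML without checking it) is easier to see in code. The following is an added example, not code from the paper: a tiny search page is rendered once with the input pasted in verbatim and once with the HTML metacharacters encoded. The search URL, the `q` parameter and the script payload are constructed for the demonstration.

```python
"""Reflected cross-site scripting: user input echoed into HTML unchecked,
beside the escaped version. Added example, not the paper's own code; the
search page, the 'q' parameter and the sample payload are assumptions."""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed request: the "q" parameter carries script instead of a term.
SAMPLE_PAYLOAD = "<script>alert(document.cookie)</script>"
SAMPLE_URL = "http://shop.example/search?q=" + quote(SAMPLE_PAYLOAD)

TEMPLATE = "<html><body><h1>Results for: {term}</h1></body></html>"


def search_term(url: str) -> str:
    """Pull the 'q' query parameter out of a request URL (empty if absent)."""
    query = parse_qs(urlsplit(url).query)
    return query.get("q", [""])[0]


def render_vulnerable(term: str) -> str:
    """The paper's failure mode: the input is reflected verbatim, so any
    <script> element inside it is parsed as markup and runs in the
    victim's browser."""
    return TEMPLATE.format(term=term)


def render_escaped(term: str) -> str:
    """Hardened version: encode &, <, >, " and ' before the value is placed
    in the document, so the browser displays text rather than markup."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


def contains_script(page: str) -> bool:
    """Simple self-check used by a reviewer or test: does the rendered page
    still carry a live <script> tag that came from the input?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    term = search_term(SAMPLE_URL)
    print("vulnerable:", render_vulnerable(term))
    print("escaped:   ", render_escaped(term))
```

The escaped rendering still shows the user exactly what they typed; only the browser's interpretation changes, which is why output encoding is the fix rather than blocking particular words.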
Full-scale attacks on websites such as CNN or Yahoo! are made possible by spreading a powerful worm across the Internet. The two processes that a worm performs are duplication and attack. The attack consists of sending data packets to a specific website. Usually the number of computers infected with the worm may exceed thousands, which causes the data traffic to exceed the site's capacity limits. If the number of infected computers continues to increase, the web servers supporting the attacked website will crash and go down.

Finally, the biggest threats of all are the people behind these malicious programs. The two most general groups are called hackers and crackers. Hackers are your friendly neighborhood gang of attackers who would come to your house and look around but not steal. Crackers, on the other hand, are very dangerous, because they will actually try to damage any information they come across, and usually they cause great damage. Most attackers do not write the malicious programs themselves; they use tools already created by other software programmers. A dangerous crime that an attacker might commit is identity theft, which has become an increasing problem in North America. That is why it is so important that attack detection and defense be a priority for the user.

Most of the attacks are directed towards websites that store their information in databases held on remote web servers. As a form of defense, remote access to databases uses an encryption technique called MD5. SQL injection, for example, can be prevented by not using dynamic SQL queries, or by removing all unwanted input and accepting only expected input. The encryption technique is the best protection by far. The variable manipulation attack can be prevented by using SSL[2] or digital passports, which use 40-bit and 128-bit encryption. In this case, the attacker has to replace the embedded certificate in the applet with a fake certificate to succeed, or has to decode the public key. Higher-bit encryption is illegal in North America.

On the client side, spyware programs are not fully detected by antivirus programs, and the best way to detect them is with anti-spyware programs. Keystroke loggers can be detected by antivirus programs, and the oldest versions can also be seen in the Task Manager. These programs can be detected by the antivirus because they use a Trojan horse to transmit the log files back to the attacker. A graphical keyboard eliminates this threat, but graphical keyboards are not recommended for other security reasons. The user should always be security-conscious, especially when processing sensitive information. Trojan horses are the most common way of attack, but they can be easily prevented. The Internet user must not open files larger than 50 KB without antivirus scanning. Because the usual way of transmitting a Trojan horse is through e-mails, the user should not click on links or download attachments that are not secured. Worms have the tendency to spread very quickly because account owners act with negligence. The fastest way to detect a worm is to monitor Internet data traffic: an abrupt increase in traffic is a good indication that a worm is in motion. The sniffing attack can be repelled by a well-configured firewall. The new patches from Microsoft Office allow the Windows XP OS to reject remote sniffing successfully. However, 100% protection against identity theft does not exist. Most personal information online is stored in databases accessed through a web browser. This might be a bank account, student grades, medical records and even top-secret military records.
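The two SQL injection countermeasures named above (not building queries dynamically from input, and accepting only expected input) are shown side by side in the following added example, which is not code from the paper. A login check is written first with the query text concatenated from user input, then with a parameterized query, then with an allow-list on the username in front of the parameterized query. The in-memory table, the account in it, the username policy and the inputs are all constructed for the demonstration.

```python
"""SQL injection on a login check: a dynamically built query beside the
parameterized and input-validated forms. Added example, not the paper's
own code; the schema, the stored account and the inputs are constructed."""
import re
import sqlite3

# Assumed username policy: letters, digits and underscore, 1-32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """In-memory users table holding one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_dynamic(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The weak form the paper warns against: input is pasted into the SQL
    text, so a quote or comment marker in the input changes the query's
    structure instead of being compared as data."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Hardened form: the driver passes the values separately from the SQL
    text, so whatever the input contains is matched literally."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def login_validated(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Both measures together: reject usernames outside the expected shape
    before the database is touched, then run the parameterized query."""
    if not USERNAME_RE.match(name):
        return False
    return login_parameterized(conn, name, password)


if __name__ == "__main__":
    db = make_db()
    # Textbook probe: a name ending in a quote and an SQL comment marker.
    probe = "alice' --"
    print("dynamic      :", login_dynamic(db, probe, "wrong"))
    print("parameterized:", login_parameterized(db, probe, "wrong"))
    print("validated    :", login_validated(db, probe, "wrong"))
```

With the dynamic query, the comment marker discards the password clause and the check passes without a valid password; with the parameterized query the same string is simply an unknown username. The allow-list is a second, independent layer: it stops the malformed name before a query is built at all, which is the "accepting only expected input" advice in the text.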
This weakness, together with human error, is a great vulnerability that software engineers should try to patch up in the coming years. The designer or software engineer should consider security from the start. Some of the security points that should be taken into consideration are: anticipate future security requirements; minimize and isolate security controls; enforce the least privilege feature; structure the security-relevant functions; make security friendly; and do not depend on secrecy for security. Some lawmakers consider the most efficient way to protect information on the Internet to be stalling and outlawing the technology that makes it possible. The author of this paper strongly disagrees with this approach. The technology is not malicious; the people who use the technology can be. The only way to protect the information on the Internet is by developing and expanding more security tools[3] for traffic analysis and black-hole monitors, key encryption, personal certificates, host-based firewalls, proxy-based defenses and other defense and detection systems. Users should also be conscious of the risks associated with web applications. Knowledge and education are the answer.

[2] Secure Sockets Layer, a protocol used over the Internet for securing transactions made between client and server.

[3] Rough Auditing Tool for Security scans for security flaws; FxCop by Microsoft, Prexis and Flawfinder are run-time and source-code analyzers; Compaq ESC and Parasoft work with Java.
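The paper's worm-detection advice (monitor data traffic and treat an abrupt increase as a sign that a worm is in motion) and its call for traffic-analysis tools both come down to comparing current traffic with a baseline. The following added example, not code from the paper, does that over a constructed series of per-minute packet counts: each minute is compared with the mean of the preceding quiet minutes, and minutes that exceed that mean by a chosen factor are flagged. The counts, the window length and the factor are assumptions for the demonstration.

```python
"""Traffic-spike detection for worm activity: flag an abrupt rise in
per-minute packet counts against a rolling baseline of earlier, normal
minutes. Added example, not the paper's own code; the counts, the window
and the threshold factor are constructed assumptions."""
from statistics import mean

# Constructed one-minute packet counts for a small network: a steady
# baseline, then the sudden climb the paper describes once a worm starts
# duplicating and sending.
SAMPLE_COUNTS = [410, 395, 420, 405, 398, 415, 402, 409, 1950, 5200, 9800]


def spikes(counts, window=6, factor=3.0):
    """Return (minute, count, baseline) for every minute whose count exceeds
    `factor` times the mean of the last `window` normal minutes.

    Flagged minutes are kept out of the baseline, so a spike that has
    already begun does not raise its own threshold and hide what follows.
    No alert is possible until `window` normal minutes have been seen."""
    flagged = []
    normal = []  # counts accepted as baseline material
    for minute, count in enumerate(counts):
        if len(normal) >= window:
            baseline = mean(normal[-window:])
            if count > factor * baseline:
                flagged.append((minute, count, baseline))
                continue
        normal.append(count)
    return flagged


def first_alert(counts, window=6, factor=3.0):
    """Minute index of the first flagged spike, or None if traffic stayed
    within the threshold for the whole series."""
    found = spikes(counts, window, factor)
    return found[0][0] if found else None


if __name__ == "__main__":
    for minute, count, baseline in spikes(SAMPLE_COUNTS):
        print(f"minute {minute}: {count} packets/min, "
              f"baseline {baseline:.0f}, ratio {count / baseline:.1f}x")
```

A ratio-to-baseline rule is deliberately simple: it has no model of the normal daily cycle, so on a real link the window and factor would be tuned to the site's own traffic, and a sustained rise that is legitimate (a busy period) would need to be distinguished by other means, for instance the scanning pattern of the flagged packets.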

References

Nazario, Jose. Defense and Detection Strategies against Internet Worms. Artech House, 2004.

Gasser, Morrie. Building a Secure Computer System. Van Nostrand Reinhold Company, New York, 1988.

Web Applications, retrieved on April 1st.

AppSec FAQ, retrieved on April 1st.

WWW Web Security FAQ: General Questions, retrieved on March 24th, 2005.

Microsoft Server 2003, retrieved on March 24th, 2005.

The Apache Software Foundation, retrieved on March 24th, 2005.