1. introduction - Academic Science

advertisement
Analyzing Vulnerability of Web Pages through SQL Injection
and Cross Site Scripting
Musham Hasan Mehdi
University School of Information
& Communication Technology
P-76, Anuj Vihar
Shankar Vihar,
New Delhi
mehdi.musham@gmail.com
ABSTRACT
In computer science, analyzing vulnerability is done
through data validation which is the process of ensuring
that a program operates on clean, correct and useful
data. It uses routines, often called "validation rules"
"validation constraints" or "check routines", that check
for correctness, meaningfulness, and security of data
that are input to the system. The rules may be
implemented through the automated facilities of a data
dictionary, or by the inclusion of explicit application
program validation logic. In the contemporary scenario
where the misfeasors are constantly trying to innovate
their malicious intents, the programmers are working
day and night and coming out with innovative measure
to keep the Attacks at bay. In dealing with such
dynamic and changing scenario it becomes imperative
for us to adopt new and innovative methods to counter
such loopholes. [1]The process of Reverse Engineering
comes into play, as we delve into the minds of the
opposing forces. In general philosophy, it is said that to
defeat your enemy you must think like him and attack
where he least expects it. Keeping this in mind, today’s
programmers attack their very own creations in order to
make them more robust and fortified, as the advantage
in such an approach is that, we might have tried out
every possible move of the opponent, thereby leaving
him with less or no option open..
Keywords
input validation, web
language, Security.
application,
programming
1. INTRODUCTION
Web application security is a branch of Information
Security that deals specifically with security of
websites, web applications and web services[2]. At a
high level, Web application security draws on the
principles of application security but applies them
specifically to Internet and Web systems. Typically web
applications are developed using programming
languages such as PHP, Java EE, Java, Python, Ruby,
ASP.NET, C#, VB.NET or Classic ASP. With the
emergence of Web 2.0, increased information sharing
through social networking and increasing business
adoption of the Web as a means of doing business and
delivering service, websites are often attacked directly.
Hackers either seek to compromise the corporate
network or the end-users accessing the website by
subjecting them to drive-by downloading. As a result,
industry is paying increased attention to the security of
the web applications themselves in addition to the
security of the underlying computer network and
operating systems.
avoiding critical mistakes.
2. Collection of Data and Tools
In order to study the characteristics of vulnerable web
applications, it is necessary to have access to a
significant amount of vulnerability data. Hence, we
collected and classified a large number of vulnerability
reports[3]. These vulnerability reports were used to
identify the programming language each web
application was developed in. Furthermore, we used the
vulnerability reports we gathered to semi-automatically
extract vulnerable input parameters from the source
code of web applications[3]. Finally, by automatically
collecting data from a number of open source project
hosting services, we were able to estimate the
popularity of web programming languages.
Table 1
4. Analysis
Figure 1
3. Attacks and Statistics
Web applications have become attractive targets for
attackers due to the large degree of authority they
possess, their significant user populations, and the
prevalence of vulnerabilities they contain. Among the
classes of vulnerabilities exhibited by web applications,
XSS and SQL injection remain among the most serious
threats to web application security[4]. As such, much
attention in the security research community has
focused on removing or mitigating the effect of these
vulnerabilities. XSS and SQL injection vulnerabilities
both manifest at a fundamental level as a failure to
preserve the integrity of HTML documents and SQL
queries, respectively, in the presence of untrusted input
to the web application. In the former case, an XSS
vulnerability allows an attacker to inject dangerous
HTML elements, typically including malicious clientside code that executes in the security context of a
trusted web origin. In the latter case, a SQL injection
vulnerability allows an attacker to modify an existing
database query — or, in some cases, to inject a
completely new one — in such a way that violates the
web application’s desired data integrity or
confidentiality policies[5]. One particularly promising
approach to preventing the exploitation of these
vulnerabilities is robust, automated sanitization of
untrusted input. In this approach, filters, or sanitizers,
are automatically applied to user data such that
dangerous constructs cannot be injected into HTML
documents or SQL queries. Automated protection
against these vulnerabilities is highly desirable due to
the well known difficulty in manually achieving
complete and correct sanitizer coverage.
We first examine whether certain languages are more
prone to XSS and SQL injection vulnerabilities. Then
we analyze the type of the input parameters that
commonly serve as attack vectors, and we compare
them with particular features provided by the web
programming languages, or by the application
frameworks available to them.
5. SQL Vulnerabilities
SQL injection is a code injection technique, used to
attack data-driven applications, in which malicious SQL
statements are inserted into an entry field for execution
(e.g. to dump the database contents to the attacker).SQL
injection must exploit a security vulnerability in an
application’s software, for example, when user input is
either incorrectly filtered for string literal escape
characters embedded in SQL statements or user input is
not strongly typed and unexpectedly executed. SQL
injection is mostly known as an attack vector for
websites but can be used to attack any type of SQL
database.[6]
SQL injection (SQL) is considered one of the top 10
web application vulnerabilities of 2007 and 2010 by the
Open Web Application Security Project. In 2013, SQLI
was rated the number one attack on the OWASP top
ten[6]. There are five main sub-classes of SQL
injection:
-specific SQLI
insufficient authentication
SQL injection + DDoS attacks
QL injection + DNS hijacking
Figure 2
7. Cross Site Scripting : XSS
Cross-site scripting (XSS) is a type of computer
security vulnerability typically found in Web
applications. XSS enables attackers to inject client-side
script into Web pages viewed by other users. A crosssite scripting vulnerability may be used by attackers to
bypass access controls such as the same origin policy.
Cross-site scripting carried out on websites accounted
for roughly 84% of all security vulnerabilities
documented by Symantec as of 2007 [7]. Their effect
may range from a petty nuisance to a significant
security risk, depending on the sensitivity of the data
handled by the vulnerable site and the nature of any
security mitigation implemented by the site’s owner.
Figure 3
8. Discussion
we can conclude that there is empirical evidence to
support the general intuition that input validation serves
as an executive layer of defense against XSS and
SQL injection vulnerabilities[8]. In fact, it is likely that
the
increased usage of strongly-typed languages and
explicit in-put validation functions for web
programming would have similar benefits for other
classes of vulnerabilities, as well as more general
software faults. Note, however, that we observe that
input validation is not a panacea for eradicating
vulnerabilities in web applications. For example, a
particular drawback of the explicit input validation for
complex input data is that the developer is responsible
for applying the appropriate validator to each and every
possible user input that is not already covered by
implicit typecasting. Unfortunately, this is, as
operational experience has demonstrated in the case of
web application output sanitization, an arduous and
error-prone task[8]. Therefore, we advocate that,
analogous to the case of framework support for
automatic output sanitization, web development
languages and frameworks should support the automatic
validation of web application inputs as an additional
security measure against both XSS and SQL injection
vulnerabilities, as well as other security-relevant
application logic flaws.
8. Related Work
Figure 4
Our work is not the first study of vulnerabilities in web
Applications[9]. Fonseca et al. studied how software
faults re- late to web application security[10]. Their
results show that only a small set of software fault[11]
types is responsible for most of the XSS[12] and SQL
injection vulnerabilities in web applications. Moreover,
they empirically demonstrated that the most frequently
occurring fault type is that of missing function calls to
sanitization or input validation functions. Our work
partially corroborates this depending, but also focuses
on the potential for automatic input validation as a
means of improving the electiveness of existing input
validation methods.[10]
Table 2
9. Conclusion
Web applications have become an important part of the
daily lives of millions of users. Unfortunately, web
applications are also frequently targeted by attacks such
as XSS and SQL injection. In this paper, we presented
our empirical study of more than 7000 web application
vulnerabilities and more than 70 web application
development frameworks with the aim of gaining
deeper insights into how common web vulnerabilities
can be prevented[13]. In the study, we have focused on
the relationship between the specific programming
language used to develop web applications, and the
vulnerabilities that are commonly reported.
10. References
[1.] Data Validation, Data Integrity, Designing
Distributed Applications with Visual Studio .NET
[2.] Jump up Arkady Maydanchik (2007), "Data Quality
Assessment", Technics Publications, LLC
[3.] (sections 3.2.3 and 3.4.1) and RFC 5321 – with a
more readable form given in the informational RFC
3696
[4.] Written by J. Klensin, the author of RFC 5321
[5.]
The
associated
errata
http://www.rfceditor.org/errata_search.php?rfc=3696
[6.] Microsoft. "SQL Injection". Retrieved 2013-08-04.
[7.] Imperva (July 2012). "Imperva Web Application
Attack Report"
[8.] Category:OWASP Top Ten Project". OWASP.
Retrieved 2011-06-03.
[9.] "Using SQLBrute to brute force data from a blind
SQL injection point". Justin Clarke. Archived from the
original on June 14, 2008. Retrieved October 18, 2008.
[10.] Andrey Rassokhin; Dmitry Oleksyuk. "TDSS
botnet: full disclosure". Retrieved 6 December 2012.
[11.] Symantec Internet Security Threat Report: Trends
for July–December 2007 (Executive Summary) (PDF)
XIII. Symantec Corp. April 2008. pp. 1–3. Retrieved
May 11, 2008.
[12.] Jeremiah (July 30, 2006). "The origins of CrossSite Scripting (XSS)". Retrieved September 15, 2008.
[13.] http://securitythoughts.wordpress.com/
Download