Sri Krishna College of Technology, Coimbatore, Tamil Nadu, INDIA

A Survey on Exposed Vulnerabilities in Web Applications
A.Saravanan
Assistant Professor,
Department of MCA,
Sri Krishna College of
Technology, Coimbatore,
Tamil Nadu, INDIA
Mobile: 98420 06163
a.saravanan21@gmail.com
M.S.Irfan Ahmed
Director, Department of MCA,
Nehru Institute of Engineering
and Technology, Coimbatore,
Tamil Nadu, INDIA
Mobile: 90037 50009
msirfan@gmail.com
S.Sathya Bama
Assistant Professor,
Department of MCA,
Sri Krishna College of
Technology, Coimbatore,
Tamil Nadu, INDIA
Mobile: 98655 33391
ssathya21@gmail.com
Abstract
The Internet is becoming more and more integrated into our society, and our offline time
continually decreases. At the same time, the number of reported web application vulnerabilities
is increasing dramatically. Security vulnerabilities in web applications may result in the theft of
confidential data, the loss of data integrity, or the loss of web application availability. These
vulnerabilities are complex and widespread, so the task of securing web applications is not only
important but also needs immediate attention, since for most people the Internet and the web
have become utilities as common as food and water. In this paper, we explore some security
breaches in web applications that need immediate attention, and we describe some of the attacks
that enable an attacker to impersonate a victim.
Keywords: vulnerabilities, web applications, confidentiality
1. Introduction
Over the past few years, a clear trend has emerged: web applications are under attack. Millions
of users connect every day to different web-based applications to search for information,
exchange messages, interact with each other, conduct business, perform financial operations and
much more [1]. Web security vulnerabilities continually affect the risk level of a web site. Some
of these critical web-based services are targeted by malicious users intending to exploit possible
vulnerabilities, which could cause not only the interruption of the service but also the
compromise of user and organization information. Most of the time, these malicious users
succeed in exploiting various types of vulnerabilities, and the consequences can be disastrous [2].
Web application vulnerabilities can be introduced through poor input validation, insecure session
management, improperly configured system settings, and flaws in operating systems and web
server software. Certainly, writing secure code is the most effective method for minimizing web
application vulnerabilities. However, writing secure code is much easier said than done and
involves several key issues [3].
Motivated by the urgent need for securing web applications, a considerable amount of research
effort has been dedicated to this problem, with a number of techniques developed for hardening
web applications and mitigating the attacks [4]. Once a web security vulnerability is recognized,
performing the attack requires using at least one of several application attack techniques. These
techniques are commonly referred to as the class of attack. Many of these types of attack have
recognizable names such as Buffer Overflows, SQL Injection, and Cross-site Scripting. As a
baseline, the class of attack is the method the Web Application vulnerabilities classification will
use to explain and organize the threats to a website [5].
2. Web Architecture
The web can be understood in terms of a simple client-server model, where the browser sends a
request and the server responds with web pages. A web page is a text document written in HTML
that may contain embedded technologies such as JavaScript or Flash. In practice, web pages are
more complex, since a single page may need to contact many different servers in order to
display all the information embedded within it. Figure 1 shows a typical three-tier system
architecture of web applications. The entities are: a web browser, an application that displays
the HTML page; a web application server, which stores web pages and manages the business
logic; and a database server and content provider server, which provide content and data to the
web pages. The web application server receives input from the user, collects the content and
data from the content provider and database server, and finally delivers the content to the
browser. In reality, however, the web browser sometimes embeds data into the displayed web
page itself.
Figure 1. A typical three-tier system architecture of web applications
Unfortunately, there are ways in which content and code may be inserted into a web page. Once
code or content has been inserted into a page, it can do a variety of things, including many
malicious activities [6]. These malicious activities include Content Injection, Cross-Site
Request Forgery, Clickjacking and more.
3. Web Vulnerabilities
3.1. Code Injection
A code injection attack occurs when a malicious user manages to inject his own code into the
program generated by the application. Injected code may steal data, compromise database
integrity, and/or bypass authentication and access control, violating system correctness,
security, and privacy properties [7]. The source code can be injected directly from an untrusted
input, or the web application can be manipulated into loading it from the local file system or
from an external source such as a URL. When a Code Injection occurs as the result of including
an external resource, it is commonly referred to as a Remote File Inclusion (RFI), though an RFI
attack need not always be intended to inject code.
The primary causes of Code Injection are input validation failures, the inclusion of untrusted
input in any context where the input may be evaluated as PHP code, failures to secure source
code repositories, failures to exercise caution in downloading third-party libraries, and server
misconfigurations which allow non-PHP files to be passed to the PHP interpreter by the web
server. Particular attention should be paid to the final point, as it means that all files uploaded
to the server by untrusted users can pose a significant risk.
3.2. SQL Injection
SQL Injections operate by injecting data into a web application which is then used in SQL
queries. The data usually comes from untrusted input such as a web form. However, it is also
possible that the data comes from another source, including the database itself. Programmers
will often trust data from their own database, believing it to be completely safe, without realising
that being safe for one particular usage does not mean it is safe for all subsequent usages.
Data from a database should be treated as untrusted unless proven otherwise, e.g. through
validation processes [8]. If successful, an SQL Injection can manipulate the targeted SQL query
to perform a database operation not intended by the programmer.
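The following is an added example, not code from the paper: a vulnerable login query built by string concatenation next to its parameterised replacement, run against a constructed in-memory SQLite table so the difference can be observed directly. The table contents and the injected form value are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the paper).
USERS = [("alice", "s3cret-alice"), ("bob", "s3cret-bob")]


def make_db():
    """In-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string concatenation: untrusted input becomes SQL text."""
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, name, password):
    """Parameterised query: the driver sends the values separately from the SQL,
    so they can only ever be compared as data, never parsed as query syntax."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


def demo():
    conn = make_db()
    # A form value that closes the string literal and appends an always-true clause.
    injected = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, injected, injected),  # every row
        "safe": login_safe(conn, injected, injected),              # no row
        "safe_valid": login_safe(conn, "alice", "s3cret-alice"),   # normal login
    }


if __name__ == "__main__":
    print(demo())
```

The same parameterised call must be used when a value is read back from the database and reused in a second query, which is the second-order case the paragraph warns about: a value that was harmless on insertion is still untrusted data on its next use.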
3.3. Session Fixation
Web sessions are a mechanism that provides stateful communication over HTTP. A session is a
key-value pair in which the key is the session identifier and the value is the data about the
user. The session identifier (SID) is an alphanumeric value used to uniquely identify the
corresponding web session. When the web server receives its first request from a particular
client, it creates a session identifier (also called a session ID or SID), associates the generated
SID with the client, and sends the SID to the client as part of the response. In subsequent
interactions, the client is instructed to include the assigned SID with every request, allowing the
server to associate multiple requests with the same user. The user then tries to log in to the
application by providing a user name and password in a request that carries the SID. If the user
name, password and SID are accepted, the user is allowed to access the application. Thus the
SID is one of the user’s authentication credentials.
In a session fixation attack, the attacker fixes the user’s session ID before the user even logs in
to the target server, thereby eliminating the need to obtain the user’s session ID afterwards.
Defences that only protect the session ID after it has been issued ignore one possibility: namely
that the attacker “issues” a session ID to the user’s browser, thereby forcing the browser into
using a chosen session. We call this class of attacks “session fixation” attacks, because the
user’s session ID has been fixed in advance instead of having been generated randomly at login
time [9, 10].
3.4. Session Hijacking
In a session hijacking attack, an attacker tries to take over a victim’s session by capturing the
victim’s session ID. He then uses the SID to make the server believe that he is the victim. He is
then able to, for example, read the victim’s e-mail in a webmail application, change the victim’s
information on a social networking website, or acquire the victim’s credit card information in
an online shop [11]. A user whose session is stolen may not notice anything strange while the
attack is performed, since the script that captures the SID may run in the background without
changing anything on the user’s screen. This means that the user can be offered little advice
on how to prevent such attacks.
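The following added example (not code from the paper) covers both section 3.3 and section 3.4 with one toy session store: it never adopts a client-presented SID it did not issue (which defeats fixation), rotates the SID at login, and emits the session cookie with the HttpOnly, Secure and SameSite attributes that limit how a SID can be read or replayed. The store, the SID format and the planted value are assumptions of the example; a real framework's session middleware would play this role.

```python
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Toy in-memory session store (constructed for the example)."""

    def __init__(self):
        self._sessions = {}   # sid -> dict of per-user session data

    def _new_sid(self):
        # 32 random bytes from the OS CSPRNG: not guessable, not sequential.
        return secrets.token_urlsafe(32)

    def resolve(self, presented_sid):
        """Return the SID to use for this request.

        A presented SID that the server never issued is ignored and replaced,
        so a value planted in the browser by a third party (the fixation step)
        never becomes a live session on the server side.
        """
        if presented_sid is not None and presented_sid in self._sessions:
            return presented_sid
        sid = self._new_sid()
        self._sessions[sid] = {}
        return sid

    def login(self, sid, username):
        """Authenticate and rotate the SID: the pre-login identifier is retired,
        so whoever knew it before authentication learns nothing useful."""
        data = self._sessions.pop(sid)
        data["user"] = username
        new_sid = self._new_sid()
        self._sessions[new_sid] = data
        return new_sid

    def user(self, sid):
        return self._sessions.get(sid, {}).get("user")


def session_cookie(sid):
    """Set-Cookie value that limits how the SID can be read or sent."""
    c = SimpleCookie()
    c["SID"] = sid
    c["SID"]["httponly"] = True        # not readable by page scripts
    c["SID"]["secure"] = True          # only sent over TLS
    c["SID"]["samesite"] = "Strict"    # not attached to cross-site requests
    c["SID"]["path"] = "/"
    return c.output(header="").strip()


def demo():
    store = SessionStore()
    planted = "attacker-chosen-value"   # constructed: pushed to the browser pre-login
    pre_login = store.resolve(planted)
    post_login = store.login(pre_login, "alice")
    return {
        "planted_adopted": pre_login == planted,
        "rotated_on_login": post_login != pre_login,
        "old_sid_dead": store.user(pre_login) is None,
        "new_sid_live": store.user(post_login) == "alice",
        "cookie": session_cookie(post_login),
    }


if __name__ == "__main__":
    print(demo())
```

Rotation at login addresses fixation; the cookie attributes address the most common capture paths for hijacking (script access and plaintext transport). Neither helps if the SID is predictable, which is why the identifier comes from a CSPRNG.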
3.5. Cross Site Request Forgery
The cross-site request forgery (CSRF, also called XSRF or session riding) attack differs from
the session hijacking and session fixation attacks in that an attacker executing a CSRF attack
does not try to take over the victim’s session completely. Instead, the attack leverages the
victim’s browser’s implicit authentication to make requests in the name of the victim. This is
accomplished by compelling the victim’s browser to issue a request [12, 13].
A CSRF attack can be used to modify firewall settings, post unauthorized data on a forum or
conduct fraudulent financial transactions. A compromised user may never know that such an
attack has occurred. If the user does find out about an attack, it may be only after the damage
has been done, and a remedy may be impossible. A CSRF attack is functionally the opposite of
a cross-site scripting (XSS) attack, in which the attacker inserts malicious code into a link on
a web site that appears to come from a trustworthy source. When an end user clicks on the link,
the embedded code is submitted as part of the client's web request and can execute on the
user's computer.
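An added example (not code from the paper) of the standard defence against the attack just described: a per-session token that a cross-site page cannot read, checked together with the browser-supplied Origin header. The server key, site origin, session ID and request shapes are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed server-side secret and assumed origin of the protected site.
SERVER_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "https://bank.example"


def csrf_token(session_id, key=SERVER_KEY):
    """Synchronizer token bound to the session: HMAC(key, sid).
    The legitimate page embeds it in its forms; a page on another origin
    cannot read it, so a forged request cannot present it."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id, presented, key=SERVER_KEY):
    expected = csrf_token(session_id, key)
    return hmac.compare_digest(expected, presented or "")


def origin_allowed(headers):
    """Independent second check: the browser sets Origin (or Referer) itself,
    and a cross-site page cannot overwrite it."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def accept_state_change(session_id, form, headers):
    """Both checks must pass before a state-changing request is processed."""
    return token_valid(session_id, form.get("csrf_token")) and origin_allowed(headers)


def demo():
    sid = "session-123"   # constructed session id
    legit_form = {"amount": "10", "csrf_token": csrf_token(sid)}
    return {
        "legit": accept_state_change(sid, legit_form, {"Origin": SITE_ORIGIN}),
        # Forged request: the other site can submit the fields it knows, but it
        # cannot read the victim's token and the browser stamps the real Origin.
        "forged": accept_state_change(sid, {"amount": "10"},
                                      {"Origin": "https://evil.example"}),
        "forged_guess": accept_state_change(sid, {"amount": "10", "csrf_token": "0" * 64},
                                            {"Origin": "https://evil.example"}),
    }


if __name__ == "__main__":
    print(demo())
```

The token is deterministic per session, so it must be recomputed whenever the session ID is rotated (for example at login). The Origin check is kept separate so that a bug in one mechanism does not silently disable the other.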
3.6. Clickjacking Attack
Clickjacking is a malicious technique of tricking a web user into clicking on something different
from what the user perceives they are clicking on, thus potentially revealing confidential
information or giving up control of their computer while clicking on seemingly innocuous web
pages. It is a browser security issue that affects a variety of browsers and platforms. In a
clickjacking attack, a malicious page is constructed so that it tricks victims into clicking on an
element of a different page that is barely visible or not visible at all. Clickjacking takes the form
of embedded code or script that can execute without the user's knowledge, such as a click on
a button that appears to perform a different function [14].
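Because the attack depends on the target page being loadable inside a frame on another origin, the defence is a response-header policy. The following added example (not from the paper) audits a set of HTTP response headers for whether they still permit cross-site framing, and builds the headers that prevent it. The origin and the sample responses are constructed for the demonstration.

```python
# Assumed origin of the site being audited.
OWN_ORIGIN = "https://app.example"


def _frame_ancestors(csp_value):
    """Return the source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp_value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_allowed(headers, own_origin=OWN_ORIGIN):
    """True if a page served with these headers could be loaded in a cross-site frame.
    CSP frame-ancestors is consulted first: browsers that support it ignore
    X-Frame-Options when both are present."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # 'none', 'self' or our own origin do not admit third-party embedding;
        # any other source (a host or '*') does.
        return any(s not in ("none", "self", own_origin.lower()) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    return xfo not in ("DENY", "SAMEORIGIN")


def anti_framing_headers():
    """Headers a response should carry unless the page is meant to be embedded."""
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",   # fallback for browsers without CSP level 2
    }


# Constructed responses: (url, headers) pairs as an audit script would collect them.
SAMPLE_RESPONSES = [
    ("/login", {"X-Frame-Options": "DENY"}),
    ("/help", {}),
    ("/widget", {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"}),
    ("/pay", anti_framing_headers()),
]


def audit(responses=SAMPLE_RESPONSES):
    """Report which responses leave their page frameable by other sites."""
    return [url for url, headers in responses if framing_allowed(headers)]


if __name__ == "__main__":
    print(audit())
```

A page that legitimately must be embedded by a partner (like the constructed `/widget` above) is reported too, so the audit result is a review list rather than a verdict: each hit should be either an explicit allowlist of ancestors or a missing header.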
3.7. Cross-site Scripting (XSS) Attack
Cross-site Scripting (XSS) refers to a client-side code injection attack in which an attacker can
execute malicious scripts (also commonly referred to as a malicious payload) in a legitimate
website or web application. XSS is among the most widespread web application vulnerabilities
and occurs when a web application uses unvalidated or unencoded user input within the output
it generates [15]. By leveraging XSS, an attacker does not target a victim directly. Instead, the
attacker exploits a vulnerability within a website or web application that the victim visits,
essentially using the vulnerable website as a vehicle to deliver a malicious script to the victim’s
browser. While XSS can be carried out through VBScript, ActiveX and Flash (now considered
legacy or even obsolete), the most widely abused vehicle is unquestionably JavaScript, primarily
because JavaScript is fundamental to most browsing experiences.
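The "unencoded user input within the output" condition is what the following added example (not code from the paper) fixes: the same comment rendered with raw string splicing and with context-aware output encoding, plus a URL-context case where encoding alone is not enough. The inputs are constructed for the demonstration and the helpers are hypothetical names.

```python
import html
from urllib.parse import quote

# Constructed untrusted inputs for the demonstration.
COMMENT = "<script>alert(1)</script>"
NAME = 'bob" class="admin'


def render_comment_vulnerable(name, comment):
    """Untrusted values spliced straight into markup: whatever they contain
    becomes part of the page, which is the flaw described in section 3.7."""
    return f'<p class="by-{name}">{comment}</p>'


def render_comment_safe(name, comment):
    """Context-aware output encoding:
    - element content: & < > are encoded (html.escape default);
    - attribute value: quotes are encoded too (quote=True), so the value can
      neither terminate the attribute nor start a new one."""
    return (f'<p class="by-{html.escape(name, quote=True)}">'
            f'{html.escape(comment)}</p>')


def redirect_link_safe(next_url):
    """URL context: only a same-site relative path is accepted. Absolute URLs,
    javascript: or other schemes and protocol-relative //host values fall back
    to '/'. The accepted path is percent-encoded, then HTML-encoded for the
    attribute it lands in. Encoding alone would not help here, because a
    well-formed href can still carry a script scheme."""
    if not next_url.startswith("/") or next_url.startswith("//"):
        next_url = "/"
    encoded = quote(next_url, safe="/?=&")
    return f'<a href="{html.escape(encoded, quote=True)}">continue</a>'


def demo():
    return {
        "vulnerable": render_comment_vulnerable(NAME, COMMENT),
        "safe": render_comment_safe(NAME, COMMENT),
        "link_ok": redirect_link_safe("/account?tab=1"),
        "link_rejected": redirect_link_safe("javascript:alert(1)"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The encoding function is chosen by where the value lands (element text, attribute, URL), not by what the value looks like; that is why validation of the input is not a substitute for encoding the output.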
3.8. Security Misconfiguration
Security misconfiguration is the incorrect assembly of the safeguards for a web application.
These misconfigurations typically occur when holes are left in the security framework of an
application by system administrators, DBAs or developers. They can occur at any level of the
application stack, including the platform, web server, application server, database, framework
and custom code. Such misconfigurations can lead an attacker right into the system and result
in a partially or even totally compromised system [16, 17]. Attackers find these
misconfigurations through unauthorized access via default accounts, unused web pages,
unpatched flaws, unprotected files and directories, and more. If a system is compromised
through faulty security configuration, data can be stolen or modified slowly over time, and
recovery can be time-consuming and costly.
3.9. Sensitive data exposure
IT systems usually store users’ personal information, such as passwords, credit card numbers,
home addresses, telephone numbers and ID numbers, in a database. When the system is not
effectively protected from unauthorised access, there is a high probability that an attacker will
exploit that weakness and steal the information. This vulnerability is “Sensitive Data
Exposure” [18].
A data breach or data leak is a security incident in which sensitive or confidential data is copied,
transmitted, viewed, stolen or used by an unauthorised individual. The information could
include financial data (bank or card details), personal health information, personally
identifiable details, trade secrets and a corporation’s intellectual property. Data leakage has
always arisen from data at rest, data in transit, email, IM and various other Internet channels;
now, with the rise of mobile technology, data leakage is occurring with greater ease, whether
by accident or malice. The threat of data leakage from outside the corporation is still a concern,
but substantial data leakage results from internal activities as well.
Data can leave the network through various exit points within the IT infrastructure. Enterprises
should prioritise the management of data loss risk by choosing DLP solutions that monitor and
act at these exit points [19].
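An added example, not from the paper, of the kind of exit-point check the paragraph attributes to DLP products: it scans an outbound message for payment-card numbers, uses the Luhn check digit to suppress look-alike digit runs, and reports only a masked form so the filter's own log does not become a second leak. The card numbers below are constructed test values, not real cards.

```python
import re

# Digit runs of card length, with optional single spaces or hyphens between digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit validation (ISO/IEC 7812) over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Digit runs of 13-19 digits that also pass the Luhn check."""
    found = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(number):
    """Keep only the last four digits for the incident record."""
    return "*" * (len(number) - 4) + number[-4:]


def inspect_outbound(message):
    """Decision for one outbound message at an exit point: allow it, or block
    it and return masked findings for the security log."""
    hits = find_card_numbers(message)
    if not hits:
        return {"action": "allow", "findings": []}
    return {"action": "block", "findings": [mask(h) for h in hits]}


# Constructed sample traffic: one message with a Luhn-valid test number, one with
# an order number of the same length that is not a valid card number.
SAMPLE_MESSAGES = [
    "Customer card 4111 1111 1111 1111, please process the refund.",
    "Order 1234567890123456 shipped this morning.",
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(inspect_outbound(m))
```

The Luhn check is what keeps the filter usable: without it, every sixteen-digit order or tracking number would be blocked. The check is a plausibility test, not proof, so a real deployment would add context (field names, BIN ranges) before acting.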
3.10. Path Traversal
The Path Traversal attack technique allows an attacker access to files, directories, and
commands that potentially reside outside the web document root directory. An attacker may
manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary
files anywhere on the web server. Any device that exposes an HTTP-based interface is
potentially vulnerable to Path Traversal. The most basic Path Traversal attack uses the "../"
special-character sequence to alter the resource location requested in the URL. Although most
popular web servers will prevent this technique from escaping the web document root, alternate
encodings of the "../" sequence may help bypass the security filters.
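The following added example (not code from the paper) serves both this section and the file-inclusion variant of code injection in section 3.1. It maps a requested path to a location under the document root, normalising percent-encoded and double-encoded "../" variants before the boundary check, and replaces path-based page inclusion with an allowlist. The web root, the page directory and the allowed page names are assumptions of the example.

```python
import posixpath
from urllib.parse import unquote

# Assumed layout: WEB_ROOT is the document root and "pages/" under it holds
# the page fragments the application may include.
WEB_ROOT = "/var/www/site"
ALLOWED_PAGES = {"home", "about", "contact"}


def canonical_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so that '..%2f'
    and the double-encoded '%252e%252e%252f' both reduce to '../' before any
    check is applied to them."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under_root(requested, root=WEB_ROOT):
    """Map a request path to an absolute path inside `root`, or return None.
    Backslashes are treated as separators (as they are on Windows hosts), NUL
    bytes are rejected, '..' is collapsed by normpath, and the final prefix
    test is what actually enforces the document-root boundary."""
    decoded = canonical_decode(requested).replace("\\", "/")
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def include_page(name):
    """Page inclusion by allowlist: the parameter selects a known name and is
    never used as a path or a URL, which removes the local and remote file
    inclusion cases of section 3.1 regardless of how the name is encoded."""
    if name not in ALLOWED_PAGES:
        return None
    return posixpath.join(WEB_ROOT, "pages", name + ".html")


if __name__ == "__main__":
    # Constructed request paths, including encoded and backslash variants.
    for req in ["images/logo.png", "../../config/secrets.ini",
                "..%2f..%2fconfig%2fsecrets.ini", "%252e%252e%252fconfig",
                "..\\..\\config"]:
        print(repr(req), "->", resolve_under_root(req))
    print(include_page("about"), include_page("../../config"))
```

Rejecting "../" with a string filter is the approach the paragraph says alternate encodings defeat; decoding first and then checking the normalised absolute path against the root is what makes the check independent of how the sequence was written.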
Conclusion
The number of reported web application vulnerabilities is increasing dramatically. Most of them
result from improper or missing input validation by the web application. Analysing the threats
and how they can affect the data and the site itself is an important aspect of web development.
Though several techniques and extensions exist in virtually all the technologies, no work
presents an interface where both the secured and the insecure version of a site can be checked.
This work can be a useful guide for learning about web application vulnerabilities. It can be
further improved by demonstrating the various vulnerabilities and providing methods to counter
them. The objective of this paper is only to provide a starting point for those issues that
represent the most serious risks to web application security.
References
[1] Teodoro N, Serrão C. Web application security: Improving critical web-based applications quality through in-depth security analysis. In: Information Society (i-Society), 2011 International Conference on; 2011 Jun 27. pp. 457-462. IEEE.
[2] Katkar Anjali S, Kulkarni Raj B. Web vulnerability detection and security mechanism. International Journal of Soft Computing and Engineering (IJSCE). 2012 Sep: 2231-307.
[3] Chavan BS, Meshram BB. Classification of web application vulnerabilities. International Journal of Engineering Science and Innovative Technology (IJESIT). 2:241.
[4] Li X, Xue Y. A survey on server-side approaches to securing web applications. ACM Computing Surveys (CSUR). 2014 Apr 1;46(4):54.
[5] Web Application Security Consortium, version 2.0.0, webappsec.org; www.owasp.org.
[6] Oda T. Simple Security Policy for the Web. PhD Thesis, 2011.
[7] Livshits B, Erlingsson Ú. Using web application construction frameworks to protect against code injection attacks. In: Proceedings of the 2007 Workshop on Programming Languages and Analysis for Security; 2007 Jun 14. pp. 95-104. ACM.
[8] Boyd SW, Keromytis AD. SQLrand: Preventing SQL injection attacks. In: Applied Cryptography and Network Security; 2004 Jan 1. pp. 292-302. Springer Berlin Heidelberg.
[9] Bonné B. Improving session security in web applications.
[10] Schrank M, Braun B, Johns M, Posegga J. Session Fixation: the Forgotten Vulnerability? In: Proceedings of GI Sicherheit 2010, Lecture Notes in Informatics (LNI); 2010.
[11] Nikiforakis N, Meert W, Younan Y, Johns M, Joosen W. SessionShield: Lightweight protection against session hijacking. In: Engineering Secure Software and Systems; 2011 Jan 1. pp. 87-100. Springer Berlin Heidelberg.
[12] Jovanovic N, Kirda E, Kruegel C. Preventing cross site request forgery attacks. In: Securecomm and Workshops, 2006; 2006 Aug 28. pp. 1-10. IEEE.
[13] Mao Z, Li N, Molloy I. Defeating cross-site request forgery attacks with browser-enforced authenticity protection. In: Financial Cryptography and Data Security; 2009 Jan 1. pp. 238-255. Springer Berlin Heidelberg.
[14] Huang LS, Moshchuk A, Wang HJ, Schecter S, Jackson C. Clickjacking: Attacks and Defenses. In: USENIX Security Symposium; 2012 Aug 8. pp. 413-428.
[15] Kirda E, Kruegel C, Vigna G, Jovanovic N. Noxes: a client-side solution for mitigating cross-site scripting attacks. In: Proceedings of the 2006 ACM Symposium on Applied Computing; 2006 Apr 23. pp. 330-337. ACM.
[16] Eshete B, Villafiorita A, Weldemariam K. Early detection of security misconfiguration vulnerabilities in web applications. In: Availability, Reliability and Security (ARES), 2011 Sixth International Conference on; 2011 Aug 22. pp. 169-174. IEEE.
[17] Wichers D. OWASP Top-10 2013. OWASP Foundation, February 2013.
[18] Zhu DY, Jung J, Song D, Kohno T, Wetherall D. TaintEraser: protecting sensitive data leaks using application-level taint tracking. ACM SIGOPS Operating Systems Review. 2011 Feb 18;45(1):142-54.
[19] Papadimitriou P, Garcia-Molina H. Data Leakage Detection. IEEE Transactions on Knowledge and Data Engineering. 2011 Jan;23(1).
[20] Scott D, Sharp R. Specifying and Enforcing Application-Level Web Security Policies. IEEE Transactions on Knowledge and Data Engineering. 2003 Jul/Aug;15(4).