A Survey on Exposed Vulnerabilities in Web Applications A.Saravanan Assistant Professor, Department of MCA, Sri Krishna College of Technology, Coimbatore, Tamil Nadu, INDIA Mobil: 98420 06163 a.saravanan21@gmail.com M.S.Irfan Ahmed Director, Department of MCA, Nehru Institute of Engineering and Technology, Coimbatore, Tamil Nadu, INDIA Mobile: 90037 50009 msirfan@gmail.com S.Sathya Bama Assistant Professor, Department of MCA, Sri Krishna College of Technology, Coimbatore, Tamil Nadu, INDIA Mobile: 98655 33391 ssathya21@gmail.com Abstract Internet becomes more and more integrated in our society and our offline time continually decreases. However, the number of reported web application vulnerabilities is increasing dramatically. Security vulnerabilities in web applications may result in stealing of confidential data, breaking of data integrity or affect web application availability. So, it is clear that these vulnerabilities are complex and widespread. Thus, the task of securing web applications is not only important but also needs immediate attention, since for most people, Internet and the web are utilities that have become as common as food and water. In this paper, we explore some security breaches in web applications which needs immediate attention. We describe some of the attacks that enable an attacker to impersonate a victim. Keywords: vulnerabilities, web applications, confidentiality 1. Introduction Over the past few years, a clear inclination has emerged that the web applications are under attack. Millions of users connect every day to different web-based applications to search for information, exchange messages, interact with each other, conduct business, perform financial operations and many more [1]. Web security vulnerabilities continually impact the risk of a web site. Some of these critical web-based services are targeted by several malicious users intending to exploit possible vulnerabilities, which could cause not only the interruption of the service, but also compromise the users and organizations information. However, most of the times, these malicious users succeed in exploiting different types of vulnerabilities and the consequences can be disastrous [2]. Web application vulnerabilities can be planted through poor input validation, insecure session management, improperly configured system settings and flaws in operating systems and web server software. Certainly writing secure code is the most effective method for minimizing web application vulnerabilities. However, writing secure code is much easier said than done and involves several key issues [3]. Motivated by the urgent need for securing web applications, a considerable amount of research efforts have been dedicated into this problem with a number of techniques developed for hardening web applications and mitigating the attacks [4]. When any web security vulnerability is recognized, performing the attack requires using at least one of several application attack techniques. These techniques are commonly referred to as the class of attack. Many of these types of attack have recognizable names such as Buffer Overflows, SQL Injection, and Crosssite Scripting. As a baseline, the class of attack is the method the Web Application vulnerabilities classification will use to explain and organize the threats to a website [5]. 2. Web Architecture The web can be better understood in terms of simple client-server model, where the browser sends the request and the server response with the web pages. A web page is a text document written in HTML and contains embedded technologies like JavaScript or Flash. However, web pages are actually more complex, since a single page may need to contact many different servers in order to display all the information embedded within the page. Figure 1shows a typical three-tier system architecture of web applications. The entities are, a web browser: an application to display the HTML page, a web application server: store web pages and manages business logic, a database server and content provider server: provide content and data to the web pages. The web application server receives input from the user. And then collects the content and data from content provider and database server. Finally provides the contents to the browser. However, in reality, sometimes the web browser embeds the data to the web page displayed. Figure 1. A typical three-tier system architecture of web applications Unfortunately, there are ways in which content and code may be inserted into a web page. Once code or content has been inserted into a page, it can do a variety of things, including many malicious activities [6]. These malicious activities include Content Injection, Cross-Site Request Forgery, Clickjacking and more. 3. Web Vulnerabilities 3.1. Code Injection A code injection attack occurs when a malicious user manages to inject his own code into the program generated by the application. Injected code may steal data, compromise database integrity, and/or bypass authentication and access control, violating system correctness, security, and privacy properties [7]. The source code can be injected directly from an untrusted input or the web application can be manipulated into loading it from the local file system or from an external source such a URL. When a Code Injection occurs as the result of including an external resource it is commonly referred to as a Remote File Inclusion though a RFI attack itself need always be intended to inject code. The primary causes of Code Injection are Input Validation failures, the inclusion of untrusted input in any context where the input may be evaluated as PHP code, failures to secure source code repositories, failures to exercise caution in downloading third-party libraries, and server misconfigurations which allow non-PHP files to be passed to the PHP interpreter by the web server. Particular attention should be paid to the final point as it means that all files uploaded to the server by untrusted users can pose a significant risk. 3.2. SQL Injection SQL Injections operate by injecting data into a web application which is then used in SQL queries. The data usually comes from untrusted input such as a web form. However, It is also possible that the data comes from another source including the database itself. Programmers will often trust data from their own database believing it to be completely safe without realising that being safe for one particular usage does not mean it is safe for all other subsequent usages. Data from a database should be treated as untrusted unless proven otherwise, e.g. through validation processes [8]. If successful, an SQL Injection can manipulate the SQL query being targeted to perform a database operation not intended by the programmer. 3.3. Session Fixation Web sessions are a mechanism which provides a way for stateful communication. The session is a key-value pair. Here the key is the session identifier and the value is the data about the user. Session Identifier (SID) is an alphanumerical value which is used to uniquely identify the corresponding Web session. When the web server receives its first request from a particular client, it creates a session identifier (also called a session ID or SID) and associates the generated SID with the client. Also it sends the SID to the client as part of the response. In successive interactions, the client is instructed to include the assigned SID with every request, allowing the server to associate multiple requests to the same user using the same SID. Then the user tries to log in to the application by providing user name and the password as a request containing his SID. If the user name, password and the SID is authenticated, then the user is allowed to access the application. Thus SID is one of the user’s authentication credential. A session fixation attack, the attacker fixes the user’s session ID before the user even logs into the target server, thereby eliminating the need to obtain the user’s session ID afterwards. This approach, however, ignores one possibility: namely the possibility of the attacker “issuing” a session ID to the user’s browser, thereby forcing the browser into using a chosen session. We’ll call this class of attacks “session fixation” attacks, because the user’s session ID has been fixed in advance instead of having been generated randomly at login time. [9, 10] 3.4. Session Hijacking In the session hijacking attack, an attacker tries to take over a victim’s session by capturing the victim’s session ID. He then uses the SID to make the server think that he is the victim. This causes him to be able to, for example, read the victim’s e-mail in a webmail application, change the victim’s information on a social networking website, or acquire the victim’s credit card information in an online shop [11]. A user whose session is stolen may not notice anything strange while the attack is performed, since the execution of the script may run in the background without changing anything on the screen of the user. This means that the user can be offered little advice in order to prevent such attacks. 3.5. Cross Site Request Forgery The cross site request forgery (also called CSRF or session riding) attack is different from the session hijacking and session fixation attacks in the sense that an attacker executing a CSRF attack does not try to completely take over a victim’s session. Instead, the attack leverages the victim’s browser’s implicit authentication to make requests in the name of the victim. This is accomplished by compelling the victim’s browser into issuing a request [12, 13]. An XSRF attack can be used to modify firewall settings, post unauthorized data on a forum or conduct fraudulent financial transactions. A compromised user may never know that such an attack has occurred. If the user does find out about an attack, it may only be after the damage has been done and a remedy may be impossible. An XSRF attack is functionally the opposite of a cross-site scripting (XSS) attack, in which the hacker inserts malicious coding into a link on a Web site that appears to be from a trustworthy source. When an end user clicks on the link, the embedded programming is submitted as part of the client's Web request and can execute on the user's computer. 3.6. Clickjacking Attack It is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. It is a browser security issue that is a vulnerability across a variety of browsers and platforms. In a clickjacking attack, a malicious page is constructed such that it tricks victims into clicking on an element of a different page that is only just or not at all visible. Clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function [14]. 3.7. Cross-site Scripting (XSS) Attack Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can execute malicious scripts (also commonly referred to as a malicious payload) into a legitimate website or web application. XSS is amongst the most extensive of web application vulnerabilities and occurs when a web application makes use of invalidated or un-encoded user input within the output it generates [15]. By leveraging XSS, an attacker does not target a victim directly. Instead, an attacker would exploit a vulnerability within a website or web application that the victim would visit, essentially using the vulnerable website as a vehicle to deliver a malicious script to the victim’s browser. While XSS can be taken advantage of within VBScript, ActiveX and Flash (although now considered legacy or even obsolete), unquestionably, the most widely abused is JavaScript – primarily because JavaScript is fundamental to most browsing experiences. 3.8. Security Misconfiguration Security misconfiguration is incorrectly assembling the safeguards for a web application. These misconfigurations typically occur when holes are left in the security framework of an application by systems administrators, DBAs or developers. They can occur at any level of the application stack including the platform, web server, application server, database, framework and custom code. These security misconfigurations can lead an attacker right into the system and result in a partially or even totally compromised system [16, 17]. Attackers find these misconfigurations through unauthorized access to default accounts, unused web pages, unpatched flaws, unprotected files and directories and more. If a system is compromised through faulty security configurations, data can be stolen or modified slowly over time and can be time-consuming and costly to recover. 3.9. Sensitive data exposure IT systems usually save in a database user’s personal information such as passwords, credit card numbers, house address, telephone number, id number etc. When the system is not protected effectively from unauthorised access there is a high probability that a hacker might exploit that vulnerability and steal that information. That vulnerability is “Sensitive Data Exposure” [18]. A data breach or data leak is a security incident in which sensitive or confidential data is copied, transmitted, viewed, stolen or used by an unauthorised individual. The information could include financial data (bank or card details), personal health information, and personal identifiable details, trade secrets and corporation’s intellectual property. The issue of data leakage has always arisen from data at rest, data in transit, email, IM and various other internet channels, however now with the rise of mobile technology, data leakage is occurring with greater ease, whether by accident or malice. The threat of data leakage from outside the corporation is still a concern, however substantial data leakage results from internal activities as well. Data can leave the network through various exit points within the IT infrastructure. Enterprises should prioritise the management of data loss risk by choosing DLP solutions that monitor and act at these exit points. [19] 3.10. Path Traversal The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal. The most basic Path Traversal attack uses the "../" special-character sequence to alter the resource location requested in the URL. Although most popular web servers will prevent this technique from escaping the web document root, alternate encodings of the "../" sequence may help bypass the security filters. Conclusion Number of reported web applications vulnerabilities is increasing dramatically. Most of them result from improper or none input validation by the web application. Analyzing the threats and how that can affect the data and the site itself is an important aspect of web development. Though several techniques and extensions exists in virtually all the technologies, no work presents an interface where both secured and insecure version of the site can be checked. This workflow can be a useful guide to learn about the web application vulnerability. The work can be further improved by demonstrating and providing methods to various vulnerabilities. The objective of this paper is only a starting point for those issues that represent the most serious risks to web application security. Reference [1] Teodoro N, Serrão C. Web application security: Improving critical web-based applications quality through in-depth security analysis. InInformation Society (iSociety), 2011 International Conference on 2011 Jun 27 (pp. 457-462). IEEE. [2] Katkar Anjali S, Kulkarni Raj B. Web vulnerability detection and security mechanism. International Journal of Soft Computing and Engineering (IJSCE) ISSn. 2012 Sep:2231-307. [3] Chavan BS, Meshram BB. Classification of web application vulnerabilities. International Journal of Engineering Science and Innovative Technology (IJESIT).;2:241. [4] Li X, Xue Y. A survey on server-side approaches to securing web applications. ACM Computing Surveys (CSUR). 2014 Apr 1;46(4):54. [5] Web Application Security Consortium version 2.0.0 by webappsec.org. www.owasp.org. [6] Oda, 2011. T.: Simple Security Policy for the Web, PhD Thesis. [7] Livshits B, Erlingsson Ú. Using web application construction frameworks to protect against code injection attacks. InProceedings of the 2007 workshop on Programming languages and analysis for security 2007 Jun 14 (pp. 95-104). ACM. [8] Boyd SW, Keromytis AD. SQLrand: Preventing SQL injection attacks. InApplied Cryptography and Network Security 2004 Jan 1 (pp. 292-302). Springer Berlin Heidelberg. [9] Bonné B. Improving session security in web applications. [10] M. Schrank, B. Braun, M. Johns, and J. Posegga. “Session Fixation - the Forgotten Vulnerability?” in Proceedings of GI Sicherheit 2010, Lecture Notes in Informatics (LNI), 2010. [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] Nikiforakis N, Meert W, Younan Y, Johns M, Joosen W. SessionShield: Lightweight protection against session hijacking. InEngineering Secure Software and Systems 2011 Jan 1 (pp. 87-100). Springer Berlin Heidelberg. Jovanovic N, Kirda E, Kruegel C. Preventing cross site request forgery attacks. InSecurecomm and Workshops, 2006 2006 Aug 28 (pp. 1-10). IEEE. Mao Z, Li N, Molloy I. Defeating cross-site request forgery attacks with browserenforced authenticity protection. InFinancial Cryptography and Data Security 2009 Jan 1 (pp. 238-255). Springer Berlin Heidelberg. Huang LS, Moshchuk A, Wang HJ, Schecter S, Jackson C. Clickjacking: Attacks and Defenses. InUSENIX Security Symposium 2012 Aug 8 (pp. 413-428). Kirda E, Kruegel C, Vigna G, Jovanovic N. Noxes: a client-side solution for mitigating cross-site scripting attacks. InProceedings of the 2006 ACM symposium on Applied computing 2006 Apr 23 (pp. 330-337). ACM. Eshete B, Villafiorita A, Weldemariam K. Early detection of security misconfiguration vulnerabilities in web applications. InAvailability, Reliability and Security (ARES), 2011 Sixth International Conference on 2011 Aug 22 (pp. 169-174). IEEE. Wichers D. OWASP Top-10 2013. OWASP Foundation, February. 2013. Zhu DY, Jung J, Song D, Kohno T, Wetherall D. TaintEraser: protecting sensitive data leaks using application-level taint tracking. ACM SIGOPS Operating Systems Review. 2011 Feb 18;45(1):142-54. Papadimitriou, P., Garcia-Molina, H., Data Leakage Detection, IEEE Transactions on Knowledge and Data Engineering, Volume 23, Number 1, January 2011 David Scott and Richard Sharp,” Specifying and Enforcing Application-Level Web Security Policies”, IEEE Transactions On Knowledge And Data Engineering, Vol. 15, No. 4, July/August 2003.