Research paper

bejay
websecurity.zip

web security/Evaluation_of_web_application_security_risks_and_s.pdf

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/220846451

Evaluation of web application security risks and secure design patterns

Conference Paper · January 2011

DOI: 10.1145/1947940.1948057 · Source: DBLP

CITATIONS

13 READS

1,820

2 authors:

Some of the authors of this publication are also working on these related projects:

Wireless Personal Area Networks View project

Sarcasm Sentiment Analysis in Tweets View project

Asish Dalai

National Institute of Technology Rourkela

16 PUBLICATIONS   46 CITATIONS   

SEE PROFILE

Sanjay Kumar Jena

National Institute of Technology Rourkela

207 PUBLICATIONS   7,156 CITATIONS   

SEE PROFILE

All content following this page was uploaded by Sanjay Kumar Jena on 09 April 2014.

The user has requested enhancement of the downloaded file.

Evaluation of Web Application Security Risks and Secure Design Patterns

Asish Kumar Dalai and Sanjay Kumar Jena National Institute of Technology Rourkela, Odisha, India

dalai.asish@gmail.com, skjena@nitrkl.ac.in

ABSTRACT The application of security in web application is of profound importance due to the extended use of web for business. Most of the attacks, are either because the developers are not considering security as a concern or due to the security flaws in designing and developing the applications. The en- forcement of security in the software development life cycle of the application may reduce the high cost and efforts asso- ciated with implementing security at a later stage. For this purpose, various attempts has been made to define some security patterns keeping the attacks in mind. The develop- ers now can use these patterns but sometimes it is difficult to choose a pattern from the large list, which may or may not suit the context. This paper is based on analyzing the existing security patterns. Here web application vulnerabil- ities has been classified and pairing is done between each vulnerability and a suitable pattern.

Categories and Subject Descriptors D.2.11 [Software Engineering]: Software Architecture— Patterns; K.6.5 [Management of Computing and In- formation Systems]: Security and Protection—Authenti- cation, Unauthorized access.

General Terms Security, Design.

Keywords Web Application Security Risks, Design Patterns, Security Patterns

1. INTRODUCTION Developers have chosen the web as the prime choice for de-

signing and deploying the applications due to its cross plat- form compatibility. Web application have undergone several

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. ICCCS’11 February 12-14, 2011, Rourkela, Odisha, India Copyright c© 2011 ACM 978-1-4503-0464-1/11/02 ...$10.00.

advancements with latest technologies: Ajax and web ser- vices. The attacks to the web applications are also increas- ing at a greater rate along with advancement in technology. Hence, the traditional approach of software development life cycle may not suit well where security in the web applica- tion comes into picture. Writing secure code and/or testing the code to make the application attack proof is a challeng- ing task. Using context specific security design patterns for web application may reduce the chances of attack. Attempts have been made to define some security patterns which can be used by the developers. Choosing the appropriate one for the context is difficult.

In this paper, the related works in security patterns has been studied and then the most common vulnerabilities in the web are categorized with an attempt to provide a suit- able security pattern for each vulnerability. This then leads to a number of problems and indications for future research directions for web application security patterns. This pa- per is structured as follows: Section 2 describes the origin and growth of design patterns. Section 3 contains the se- curity patterns representing the related works. In Section 4 the most common web vulnerabilities have been classified and suitable patterns are associated with them. Finally the concluding remarks are given in the last section.

2. DESIGN PATTERNS Design patterns are reusable solution to commonly oc-

curring problems in design. Design pattern in the field of software development, provides experts’ knowledge and ex- perience in form of a design template.These templates are implemented in software development life cycle to avoid the recurrence of specific issues in software applications.

The idea of design pattern was actually started with civil architecture for modeling buildings and towns. Later it is used in software engineering in the design of the software applications. The experience and knowledge of the develop- ers during the course of development has been captured and modeled as a solution to specific problem named as a design pattern. The developers in future can use these patterns which will reduce their task for developing applications.The same idea of design pattern when defined to solve the secu- rity problems in the software applications called as security design patterns. The use of these security patterns then resolves the security issues in the applications.

The origin and journey of the design patterns from build- ing architecture to the field of software engineering and then to the area of security are summarized as below:

565

Table 1: Pattern Template [4]

Element Description

Name Name of the pattern Also Known As Alias or Other names of the pattern if any are known Example A real-world example demonstrating the existence of the problem and the need for the pattern. Motivation A description of situations in which the pattern may apply. Applicability A general description of the characteristics a program must have for the pattern to be useful in the

design or implementation of the program. Structure A textual or graphical description of the relationship between the various participants in the pattern. Participants The entities involved in the pattern. Consequences The benefits the pattern provides and any potential liabilities. Implementation Guidelines for implementing the pattern. Sample Code Code providing an example of how to implement the pattern. Example Resolved An example of how the real-world example problem described in the Example section may be

resolved through the use of the secure design pattern. Known Uses Examples of the use of the pattern, taken from existing systems.

• 1977-79 - Architect Christopher Alexander introduced the concept of design patterns with respect to design of buildings and towns.

• 1987 - Beck and Cunningham experimented with ap- plying patterns to programming and presented their work at OOPSLA.

• 1994/95 - The “Gang of Four” (Erich Gamma, Richard Helm, Ralph Johnson, and John M. Vlissides) pub- lished a book containing a large number of design-level patterns aimed at object oriented programming lan- guages [7].

• 1997 - Yoder and Baraclow published a paper outlining several security patterns [19].

A pattern can be characterized as a solution to a prob- lem that raised within a specific context [17]. A pattern not only describes the solution but also explains the context and problem for which it is used. Thus, it is defined as {prob- lem/context/solution} triplet. Patterns can be illustrated using a class diagram or a role model.Gamma et al. proposed a template [7] which includes 1. name of the pattern, 2. in- tent/motivation, 3. applicability structure and 4. related patterns. Later in 2006, Buschmann et al. have proposed an extension to this template [17].A standard template to represent the design pattern as proposed by Dougherty et al. [4] is shown in Table 1. Following a standard template facilitates understanding the important concepts and allow- ing the developers with security background to easily apply the pattern in their own context.

3. SECURITY PATTERNS Security design pattern implements the experts’ knowl-

edge and experience in the form of proven solutions to re- curring security problems. Generally security is disregarded due to lack of security aspect in the life cycle. Only the threat analysis in the viewpoint of an attacker reveals the vulnerabilities in the application and identifying the threats in the later stage requires a great deal of effort. So the pres- ence of an efficient security design pattern enables to bridge the gap between developer and security experts thereby re- ducing the vulnerabilities. Security patterns try to provide

constructive assistance in the form of worked solutions and the guidance to apply them properly.A significant amount of research has already been performed in the field of security patterns. This section provides some of the major contri- butions to this field and presents a brief description of each piece of work in Table 2.

Developers can also follow catalogue consisting set of de- sign and implementation guidelines emphasizing program- mers viewpoint for writing secure programs. These guide- lines have been pragmatically collected from actual program- ming experiences.

Researchers have designed set of patterns to meet security requirements of the application, but the growing risks in the web and the new threats has put a challenge and has given a new dimension to research in security patterns. In the next section a classification of the common vulnerabilities has been made and suitable patterns are associated with each vulnerability.

Figure 1: Breakdown of Vulnerabilities in Web Ap- plication

4. WEB APPLICATION SECURITY RISKS The web server and the browser perform so many tasks

for rendering the page on the user’s screen. With the advent of web 2.0, users got a rich experience but at the same time it has opened many doors for the hackers to seep through and gain unauthorized access to user and business sensitive

566

Table 2: Related Works on Security Patterns

Author Year Name of the pattern Remarks

Yoder and Barcalow [19] 1997 Architectural patterns for enabling application secu- rity

A group of 7 Patterns provides security framework for building application.

Braga et al. [2] 1998 Cryptographic Design Pat- tern

Consisting a group of 9 patterns provides four fun- damental objectives of cryptography and a pat- tern language for cryptographic software.

Brown et al. [3] 1999 The Authenticator Pattern Performs authentication of a requesting process before deciding access to distributed objects .

Sasha Romanosky [15] 2001 Security Design patterns Part 1

A set of 8 patterns providing architectural and procedural guidelines.

Fernandez and Pan [5] 2001 A Pattern Language for Se- curity Model

The authorization, Role Bases Access Control, Multilevel Security and file authorization patterns are cataloged.

Kienzle and Elder [11] 2002 Security Patterns for Web Application Development

A group of 29 patterns categorized as structural and procedural pattern.

J Juren [10] 2004 secure data transfer pattern For Transferring data securely Blakely and Heath [1] 2004 Open Group Guide to Secu-

rity Patterns Contains architectural level patterns and design- level patterns focusing on system availability and the protection of privileged resources.

Halkidis et al. [9] 2004 Choked Point System pat- tern

That state can be recovered and restored to a known valid state in case a component fails.

T. Priebe et al. [14] 2004 A pattern System for access control

Provides access control.

Steel et al.[18] 2005 Secure logger pattern and Secure pipe pattern

Application events and data must be securely logged and avoids man in the middle attack.

M Hafiz [8] 2005 secure pre-forking pattern Task can be forked securely and efficiently in a multitasking environment.

Morrison and Fernandez [12] 2006 The Credentials Pattern Provides authentication and authorization. Schumacher et al. [17] 2006 Single Access Point Pattern System with external access should have a single

access point. Schumacher et al. [17] 2006 Firewall patterns and Ac-

counting patterns To mitigate the attacks and satisfy confidentiality of services also ensures the availability.

Sasha Romanosky [16] 2006 Privacy Patterns for online Interaction

Provides secure online transactions.

E B Fernandez et al. [6] 2007 Secure pattern for VOIP Network

Guarantee the integrity of calls.

Daniela et al. 2009 An Access Control Pattern Based on qualifications to grand access to physic resources

data. Security experts has focused on the most common vul- nerabilities. Open Web Application security Risk (OWASP) has published “OWASP Top 10” [13] containing 10 most se- curity risks. Many attempts have been made to list the vulnerabilities and their countermeasures. Here most com- mon vulnerabilities has been taken and classified in to three major categories:

1. Technical Vulnerabilities

2. Configurational Vulnerabilities

3. Security Vulnerabilities

The figure 1 shows their impact on the world wide web.

4.1 Technical Vulnerabilities Vulnerabilities due to technical flaws in the code comes

under this category. These vulnerabilities causes most seri- ous attacks like: Injection attacks, XSS and CSRF attacks

etc. Based on the attack caused by the vulnerability and intent of the patterns a suitable pattern is associated with each vulnerability as given in Table 3 .

Table 3: Patterns for Technical Vulnerabilities Technical Vulnera- bilities

Security Pattern

Content Injection Input Validation cross site scripting flaw Input Validation and Au-

thentication cross site request forgery

Secure GetPost

buffer over flow Input Validation insecure direct object reference

Access Control Pattern

567

4.2 Configurational Vulnerabilities The vulnerabilities due to architectural flaws in the sys-

tem are categorized as configurational vulnerability. Some time the security goals are not documented properly so there remains some server configuration flaws and leads to various risks. Table 4 contains the configurationl vulnerabilities and one suitable pattern for each of them.

Table 4: Patterns for Configurational Vulnerabilities Configurational vulnera- bilities

Security Pattern

encryption flaw Cryptographic Design Pattern

broken authentication and session management

Authenticted session

path traversal, directory browsing

Secure Directory

server misconfiguration and predictable pages

document the server con- figuration

Information Leakage Encrypted storage Insufficient Authentication Authenticator Disclosing error details Limited View code decompilation, source code discloser

code obfuscation

unvalidated redirect and for- wards

directed session

failure to restrict url access Limited View

4.3 Security Vulnerabilities Sometimes the flaws in transport layer or network layer or

in the other layers of the network causes the application to fail. Man in the middle, Denial of service are the examples of such serious attacks. Vulnerability of this category are due to the flaws not in the application but in the system. Table 5 contains the list of such vulnerabilities and suitable patterns for each.

Table 5: Patterns for Security Vulnerabilities Security vulnerabilities Security Pattern

Denial of Service Secure Logger DNS cache Poisoning Cryptographic Patterns Path manipulation Pathname Canonicalization man in the middle attack Secure pipe pattern

5. CONCLUSION In this paper the related works in web application secu-

rity risks has been analyzed. A standard template [4] has been provided for the pattern designers to follow. The most common vulnerabilities has been classified into three broad categories. A pairing between each vulnerability and a suit- able pattern is done which may help the web application developer. The future research will address the patterns for critical issues like denial of service and cryptography.

Acknowledgment: The authors are indebted to In- formation Security Education and Awareness (ISEA) Project, MCIT, Department of Information Technology, Govt. of In- dia for sponsoring this research and development activity.

6. REFERENCES [1] B. Blakely and C. Heath. Security design pattern,tech

report g031. OpenGroup, 2004.

[2] A. M. Braga, C. M. F. Rubira, and R. Dahab. Tropyc: A pattern language for cryptographic software. PLoP, 1998.

[3] F. L. Brown and E. B. Fernandez. The authenticator pattern. PLop, 1999.

[4] C. Dougherty, K. Sayre, R. C. Seacord, D. Svoboda, and K. Togashi. Secure Design Patterns. Software Engineering Institute, 2009.

[5] E. B. Fernandez and R. Pan. A pattern language for security models. PLop, 2001.

[6] E. B. Fernandez, J. C. Pelae, and M. M. Larrondopetrie. Security pattern for voice over ip network. In International multi conference on Computing in Global Information Technology(ICCGI’07), 2007.

[7] E. Gamma, R. Helm, R. Johnson, and J. Vlissides. Design Patterns: Elements of Reusable Object Oriented Software. Addison-Wesley, 1995.

[8] M. Hafiz. Secure pre-forking- a pattern for performance and secuirty. PLoP, 2005.

[9] S. T. Halkidis, A. Chatzigeorgiou, and G. Stephanides. A quantitative evaluation of security patterns. International Conference on Information and Communication Security(ICICS), 2004.

[10] J. Jurens. Secure system development with uml. Springer, 2004.

[11] D. M. Kienzle and M. C. Elder. Final technical report: Security pattern for web application development, 2002. http: //www.scrypt.net/celer/securitypatterns/final.

[12] P. Morrision and E. B. Fernandez. Securing the broken pattern. In 11th European Conference on Pattern Language of Programs ( EuroPLoP). PLop, 2006.

[13] OWASP. Owasp top 10 application security risks-2010. http://www.owasp.org/index.php/Category:

OWASP_Top_Ten_Project.

[14] T. priebe, E. Fernandez, J. I. Mehlau, and G. Pernull. A parten system for access control. 18th Annual IFIP WG 11.3 Working Conference on Data and Application Security, 2004.

[15] Romanosky. Security design patterns. technical report. http://www.cgisecurity.com/lib/securityDesignPatterns.pdf, 2001.

[16] S. Romanosky, A. Acquisti, J. Hong, L. F. Carnor, and B. Friedman. Privacy pattern for online interaction. In PLop 2006 Conference. PLop, 2006.

[17] M. Schumacher, E. B. Fernandez, D. Hybertson, and F. Buschmann. Security Patterns: Integrating Security And System Engineering. John Wiley and Sons Inc, 2006.

[18] C. Steel, R. Nagappan, and R. Lai. Best Practice and Strategy for J2EE, Web Service and Identity Management. Prentice Hall, 2005.

[19] J. Yoder and J. Barcalow. Architectural patterns for enabling application security. In International Conference on Pattern Language of Programs. PLoP, 1997.

568

View publication statsView publication stats

web security/help.docx

Research Presentation Proposal

Proposals outline/help –

You are to create a literature review on a self-selected research topic that relates to Web Development. This could be language or framework comparisons, database performance, security-related related topics, accessibility, law-related topics, etc. You should be pulling and reading peer-reviewed journal articles in and around your topic. Your final product should have 10-20 references. They don’t all need to be peer-reviewed, but they should all be from creditable sources and authors.

web security/material 2 web securities.pdf

Analysis of Field Data on Web Security Vulnerabilities

José Fonseca, Nuno Seixas, Marco Vieira, and Henrique Madeira

Abstract—Most web applications have critical bugs (faults) affecting their security, which makes them vulnerable to attacks by

hackers and organized crime. To prevent these security problems from occurring it is of utmost importance to understand the typical

software faults. This paper contributes to this body of knowledge by presenting a field study on two of the most widely spread and

critical web application vulnerabilities: SQL Injection and XSS. It analyzes the source code of security patches of widely used web

applications written in weak and strong typed languages. Results show that only a small subset of software fault types, affecting a

restricted collection of statements, is related to security. To understand how these vulnerabilities are really exploited by hackers, this

paper also presents an analysis of the source code of the scripts used to attack them. The outcomes of this study can be used to train

software developers and code inspectors in the detection of such faults and are also the foundation for the research of realistic

vulnerability and attack injectors that can be used to assess security mechanisms, such as intrusion detection systems, vulnerability

scanners, and static code analyzers.

Index Terms—Security, Internet applications, languages, review and evaluation

Ç

1 INTRODUCTION

MOST information systems and business applicationsbuilt nowadays have a web front end and they need to be universally available to clients, employees, and partners around the world, as the digital economy is becoming more and more prevalent in the global economy. These web applications, which can be accessed from anywhere, become so widely exposed that any existing security vulnerability will most probably be uncovered and exploited by hackers.

In the context of the present work, we use the

terminology introduced by Avizienis et al. [4] that considers

an error as a “deviation of an external state of the system from

the correct service state,” a fault as “the adjudged or hypothesized

cause of an error,” a vulnerability an “internal fault that enables

an external fault to harm the system,” and an attack as a

“malicious external fault.” The security of web applications becomes a major

concern and it is receiving more and more attention from

governments, corporations, and the research community

[7], [13], [25], [52], [56]. Attackers also followed the move

to the web and as such more than half of current

computer security threats and vulnerabilities affect web

applications [24]. Not surprisingly, the number of reported

attacks that exploit web application vulnerabilities is

increasing [19]. In fact, numerous data breach attacks are

frequently reported due to web application security problems [31], [36], [43], [45], [53].1

Given the preponderant role of web applications in many organizations, one can realize the importance of finding ways to reduce the number of vulnerabilities. This can be helped with a deeper knowledge on software faults behind such vulnerabilities [16], [21], [23], [49]; however, this is a vast field and there is still a lot of work to be done, like the one presented by Scholte et al. [46].

This paper contributes to fill this gap by presenting a study on characteristics of source code defects generating major web application vulnerabilities. The main research goal is to understand the typical software faults that are behind the majority of web application vulnerabilities, taking into account different programming languages. To understand the relevance of these kinds of vulnerabilities for the attackers, the paper also analyzes the code used to exploit them.

Regarding the programming language perspective, we considered some of the most relevant in the context of web applications. First, we focused on the most widely used weak typed language, PHP. Then, we analyzed strong typed languages, namely Java, C#, and VB. Recall that our goal is not to analyze each programming language in what concerns their ability to prevent security vulnerabilities, but to analyze the vulnerabilities and their relation with some language characteristics, like the type system.

The vulnerabilities analyzed in our field study were cross-site scripting (XSS) and SQL injection (SQLi), as these are two of the most common and critical vulnerabilities found in web applications [31], [36]. To characterize the types of software faults that are most likely to create these vulnerabilities, we classified the pieces of code used to fix

IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 11, NO. 2, MARCH/APRIL 2014 89

. J. Fonseca is with the Research Unit for Inland Development, Institute Polytechnic of Guarda and the Centre for Informatics and Systems, University of Coimbra. E-mail: josefonseca@ipg.pt.

. N. Seixas, M. Vieira, and H. Madeira are with the Centre of Informatics and Systems, University of Coimbra. E-mail: {naseixas, mvieira, henrique}@dei.uc.pt.

Manuscript received 3 June 2013; revised 3 June 2013; accepted 22 Aug. 2013; published online 5 Sept. 2013. For information on obtaining reprints of this article, please send e-mail to: tdsc@computer.org, and reference IEEECS Log Number TDSC-2013-01-0014. Digital Object Identifier no. 10.1109/TDSC.2013.37.

1. The most relevant vulnerabilities are known for many years; however, they are still proliferating, in spite of the development of tools that help automate their mitigation (e.g., Java Pathfinder [27]). In fact, the knowledge about them and how they are created is still insufficient.

1545-5971/14/$31.00 � 2014 IEEE Published by the IEEE Computer Society

them in a set of real web applications. Each patch was inspected in depth to gather the precise characteristics of the code that was responsible for the security problem and classified them according to an adaptation of the orthogonal defect classification (ODC) [6], [8].

The proposed methodology allows gathering the infor- mation on common mistakes that developers should avoid. This knowledge is helpful for training [17], and it is crucial for the specification of guidelines for security code reviewers, for the evaluation of penetration testing tools, as well as for the creation of safer internal policies for programming practices, among others. It can also be used to build a realistic attack injector [18]. In our study, we observed that not every vulnerability is equally important for an attacker, and when not all vulnerabilities can be fixed in due time, these data may be used to select those that should be addressed first, for example.

The structure of the paper is as follows. Section 2 discusses related work. Section 3 presents some background on security vulnerabilities and web programming lan- guages. Section 4 details the classification of software faults, the data sources (for web applications and patches), and the process followed to analyze and classify the patch of each vulnerability. Section 5 discusses the results of the field study, and Section 6 presents a detailed vulnerability analysis. Section 7 presents another study, but on the exploits developed to attack web applications. Section 8 discusses the threats to validity. Finally, Section 9 concludes the paper and suggests future work.

2 RELATED WORK

It is unfeasible to produce complex applications without defects, and even when this occurs, it is impossible to know it, prove it, and repeat it systematically [22]. Software developers cannot assure code scalability and sustainability with quality and security, even when security is defined from the ground up [20].

One of the aspects that contribute to security problems

seems to be related to how bad different programming

languages are in terms of propensity for mistakes. Clowes [9]

discussed common security problems related to the easiness

in programming with PHP and its features, but this affects

many other programming languages. The choice of the type

system (strong or weak) and the type checking (static or

dynamic) of the programming language also affects the

robustness of the software. For example, a strong typed

language with a static type checking can help deliver a safer

application without affecting its performance [51]. Scholte et

al. [46] presented an empirical study on a large set of input

validation vulnerabilities developed in six programming

languages. However, that work focused on the relationship

between the specific programming language used and the

vulnerabilities that are commonly reported, not going into

details in what concerns the typical software faults that

originate vulnerabilities, like we do in the present work. One of the best practices to find software faults is to

perform a static analysis to the code [27]. This is a labor- intensive job, usually done with automated tools, although they lack the precision of the manual counterpart. To

improve them and to help predict software failures, a new defect classification scheme was proposed [32]. Another research work proposed a security resources indicator that seems to be strongly correlated with change in vulnerability density over time [54].

Web application vulnerabilities have been addressed by recent studies from several points of view, but without any code analysis [3], [7], [31], [36], [54]. To overcome the low level of detail of existing vulnerability databases, some researchers proposed approaches based on the market, instead of on software engineering [37].

The attacker’s perspective has also been of some focus in the literature [9], [16], [23], [30], but mainly through empirical data gathered by the authors highlighting social networking and what could be obtained from attacking specific vulnerabilities. Some studies analyzed the attacks from the victim’s perspective, including the proposal of a taxonomy to classify attacks based on their similarities [2] and the analysis of attack traces from HoneyPots to separate the attack types [12]. There is, however, a lack of knowledge about existing exploits and their correlation with the vulnerabilities.

To improve software quality, developers need a deeper knowledge about the software faults that must be mitigated. The underlying idea is that knowing the root cause of software defects helps removing their source, therefore contributing to the quality improvement [29]. Researchers at IBM developed a classification scheme of software faults, intended to improve the software design process and, consequently, reduce the number of faults [6], [8]. It is the ODC and it is typically used to classify software faults or defects after they have been fixed and it is also broadly used by the industry and researchers outside IBM [32].

3 VULNERABILITIES AND PROGRAMMING LANGUAGES

The Open Web Application Security Project Report listed the 10 most critical web application security risks, having SQLi at the top, followed by XSS [36]. Other studies also found XSS and SQLi as the most prevalent vulnerabilities [1], [24], [34], [54]. Fig. 1 depicts the yearly percentage of disclosed XSS and SQLi among all the causes of web application vulnerabilities showing that they are increasing over time [33].

SQLi attacks take advantage of unchecked input fields in the web application interface to maliciously tweak the SQL query sent to the back-end database. By exploiting an

90 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 11, NO. 2, MARCH/APRIL 2014

Fig. 1. Evolution of disclosed reports of SQLi and XSS causes of vulnerabilities [33].

XSS vulnerability, the attacker is able to inject into web pages unintended client-side script code, usually HTML and Javascript. SQLi and XSS allow attackers to access unauthorized data (read, insert, change, or delete), gain access to privileged database accounts, impersonate other users (such as the administrator), mimic web applications, deface web pages, view, and manipulate remote files on the server, inject and execute server side programs that allow the creation of botnets controlled by the attacker, and so on. Details on the most common vulnerabilities, including SQLi and XSS, along with the reasons of their existence, attacks, best practices to avoid, detect, and mitigate them can be found in many referenced works, such as [23], [36], [49].

Many programming languages are currently used to develop web applications. Ranging from proprietary languages (e.g., C#, VB) to open source languages (e.g., PHP, CGI, Perl, Java), the spectrum of languages available for web development is immense.

Programming languages can be classified using taxo- nomies, such as the programming paradigm, the type system, the execution mode, and so on. The type system, particularly important in the context of the present work, specifies how data types and data structures are managed and constructed by the language, namely how the language maps values and expressions into types, how it manipulates these types, and how these types correlate. Regarding the type system, they can be typed versus untyped, static versus dynamic typed, and weak versus strong typed [51]. In particular, strong typed languages provide the means to produce more robust software, since a value of one type cannot be treated as another type (e.g., a string cannot be treated as a number), as in weak typed languages.

One of the contributions of this work is to help understanding the impact of the type system in the security of web applications. This is of particular significance, as critical security vulnerabilities like XSS and SQLi are strongly related to the way the language manages data types [36]. For example, it is common to find attacks that inject SQL code by taking advantage of variables that supposedly should not be strings (e.g., numbers, dates) as the type of the variable is determined based on the assigned value. On the other hand, in strong typed languages, this is not possible because the type of variables is determined before runtime and the attempt to store a string in a variable of another type raises an error. However, this does not prevent the occurrence of vulnerabilities in strong typed languages, but only by taking advantage of string variables. In fact, although Java is intrinsically a safe programming language [5] and it is a strong typed language, vulnerabil- ities can be found in Java programs due to implementation faults [28].

4 SECURITY PATCH FIELD STUDY METHODOLOGY

This section presents the methodology to obtain and classify the source code and the security patches of the web applications of our field study.

4.1 Web Applications Analyzed

One mandatory condition of our field study is the ability to analyze the source code of current and previous versions of the target web applications, together with the associated security patches. Therefore, we restricted our

search to open source web applications. We also decided to choose only web applications with a large number of downloads or installations, and we also preferred award- winning web applications.

These restrictions are aimed to allow only web applica- tions relevant to a wide range of users and, wherever possible, with a higher quality granted by the awards. Although this does not guarantee generalization of results, it still shows how mainstream web applications are in relation to security. Under these conditions, we have chosen the most relevant applications we could manually analyze, given the resources at our disposal.

Because PHP is the most widely used language present in web applications, we used it for the weak typed program- ming language study. Due to time constraints, other programming languages like PERL could not be considered. Given the high number of security problems found, we only used six web applications (see Table 1): PHP-Nuke (phpnuke.org), Drupal (drupal.org), PHP-Fusion (php- fusion.co.uk), WordPress (wordpress.org), phpMyAdmin (phpmyadmin.net), and phpBB (phpbb.com).

Drupal, PHP-Fusion, and phpBB are web Content Management Systems (CMS). Drupal won first place at the 2007 Open Source CMS Award [39]. PHP-Fusion was one of the five overall award winner finalists at the 2007 Open Source CMS Award [39]. Finally, phpBB is the most widely used Open Source forum solution and it was the winner of the 2007 Sourceforge Community Choice Awards for Best Project for Communications [48]. PHP-Nuke is a well- known web-based news automation system built as a community portal and it has been downloaded over 8 million times from the official site [41]. WordPress is reportedly the most widely used personal blog publishing platform with millions of users. phpMyAdmin is a web-based MySQL administration tool. It is included in many Linux distribu- tions, it is available in 47 languages, and it was the winner of the 2007 Sourceforge Community Choice Awards for Best Tool or Utility for SysAdmins [48].

For the strong typed programming languages, for which we found less security problems, we used 11 web applications developed in Java, C#, and VB (see Table 2): JForum (jforum.net), OpenCMS (opencms.org), BlojSom (sourceforge.net/projects/blojsom), Roller WebLogger (rollerweblogger.org), JSPWiki (jspwiki.org), SubText

FONSECA ET AL.: ANALYSIS OF FIELD DATA ON WEB SECURITY VULNERABILITIES 91

TABLE 1 Versions of Weak Typed (PHP) Apps

(subtextproject.com), Dot-NetNuke (dotnetnuke.com), YetAnotherForum (yetanotherforum.net), BugTracker.NET (ifdefined.com/bugtrackernet.html), Deki Wiki (developer. mindtouch.com), and ScrewTurn Wiki (screwturn.eu).

JForum and YetAnotherForum are discussion board system forums. OpenCMS is a web CMS with a large community of users and has six books published about it. BlojSom, Roller WebLogger, and SubText are blog software packages. Roller WebLogger drives important blogs such as blogs.sun.com, blog.usa.gov, IBM Lotus Connections, and IBM Developer Works blogs. JSPWiki, Deki Wiki, and ScrewTurn Wiki are Wiki engines used by many commu- nities and organizations. JSPWiki is well known and used by enterprises such as Recursa, IBM, Shopping.com, and Oxford University SPIE Project. Dot-NetNuke is a web application framework for creating interactive web sites and has a community of over 440,000 users. BugTracker.NET is a web- based customer support issue tracker.

4.2 Classification of Software Faults from the Security Vulnerability Point of View

After choosing a web application, we searched the web for all reported SQLi and XSS patches that were classified based on the work presented in [15]. This classification is derived from the code defect types (assignment, checking, interface, and algorithm) of the ODC software fault types [6], [8]. As ODC fault types are still too broad [15], we detailed them according to the nature of the defect: missing construct, wrong construct, and extra- neous construct.

All the security vulnerabilities collected could be classified using only 15 of the fault types already identified in [15] and one extra fault type, the missing function call extended (MFCE); however, not all were found in both weak typed and strong typed web applications (see Table 3).

The missing function call extended (marked with an * in Table 3) is a new addition and it is based on a missing function in situations where the return value is used in the code (as opposed to the MFC where the return value is not used).

4.3 Obtaining the Patch Code

For our field study, we need to obtain the web application code, as well as the source code of the patches. By comparing them, we analyze the cause of the vulnerabilities and classify the changes made in the code to fix them.

To gather the source code of security patches, we used

several sources of data, such as developer sites, online

magazines, news sites, sites related to security, hacker sites,

change log files of the application, the version control

system (VCS) repository, and so on.2 Next are the main

sources of information:

1. Security patched files. These files are applied to the application by replacing the vulnerable files. To extract only the code change that these files provide, we used the UNIX diff command applied to both the patch and the original (vulnerable) file.

2. Updated versions of the web application. This represents completely new releases of the application contain- ing new features and fault fixes (including security ones). Although this was our primary source of data, it was also the most labor-intensive one. It is necessary to compare all the files of the vulnerable and updated versions of the application looking for security fixes. This process can be eased when there is a change log file. This file consists of the summary of changes made to the new version of the applica- tion, including faults and security issues fixed. After identifying the vulnerable source file and the fix, the UNIX diff command was used.

3. Security diff files. These are files containing only the code changes needed to fix a referenced vulner- ability. The contents are ready to be applied to the target application using the UNIX patch command. This single file has all the information needed; however, it was not very common.

4. Version control system repositories. Many applications are developed using a VCS to manage the contribu- tions of the community of developers from around the world. We were granted permissions to query some VCS repositories, so we had access to all the revisions (similar to versions) of the application and their change log files. Through the change log file, we can identify the revisions of the application where vulnerabilities were fixed. A differential analysis using the UNIX diff command obtained the code changes that fixed the vulnerabilities.

4.4 Patch Code Analysis Guidelines

The patch code was analyzed according to the extension of

the ODC classification, emphasizing the nature of the fix as

missing, wrong, or extraneous code. When there was no

information about it, the decision whether it was an XSS or

92 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 11, NO. 2, MARCH/APRIL 2014

TABLE 2 Versions of Strong Typed Apps

2. The complete list of web resources queried was the following: blogsecurity.net, buayacorp.com, bugs.debian.org, dev.wp-plugins.org, digitrustgroup.com, downloads.securityfocus.com, downloads.sourceforge. net, drupal.org, michaeldaw.org, milw0rm.com, notsosecure.com, nuked gallery.net, nukeresources.com, nvd.nist.gov, osvdb.org, php-fusion.co.uk, phpbb.com, phpmyadmin.net, phpmyadmin.svn.sourceforge.net, phpnu ke.org, phpsecure.info, seclists.org, secunia.com, securiteam.com, secunia. com, securitydot.net, securityfocus.com, sourceforge.net, trac.wordpress. org, trapkit.de, waraxe.us, wordpress.org, www.virtuax.be.

an SQLi vulnerability was done by looking at the source

code. SQLi involves changing an SQL query string and XSS

displaying an unchecked variable. The classification process

followed these guidelines:

1. We assumed that the information publicly disclosed in specialized sites is accurate and that the fix available by the developer of the web application solves the stated problem.

2. When the patch can fix both XSS and SQLi, the corresponding fault type is counted for both vulnerabilities.

3. To correct a single vulnerability several code changes may be necessary. We consider all the changes as a series of individual fault type fixes, because missing any of them makes the application vulnerable.

4. When a particular code change corrects several vulnerabilities, each vulnerability corrected is counted.

5. When a single vulnerability affects several versions of the application and the patch is the same for all, then it accounts for a single fix.

The methodology to classify the web application security

patches was the following:

1. Manual analysis of the vulnerable source code of the application and of the code after being patched.

2. Classification of each singular code fix found in the patch from the perspective of what was done wrong when developing the application.

3. Loop through the previous steps until all patches of the web application are analyzed.

By following the above guidelines, it was possible to

classify 95 percent of all the code fixes gathered. The

discarded 5 percent, for which we could not identify the

code responsible for the security fix, account for patches too

complex or the merge of security problems with other faults.

5 RESULTS AND DISCUSSION OF THE VULNERABILITY FIELD STUDY

This section presents and discusses the results of the field study. We used the Pearson product-moment correlation (statistically significant when P < 0:05) to see the strength and direction of the relationship of two variables. A positive correlation (positive r) indicates that when one variable

increases so does the other and a negative correlation (negative r) indicates that when one variable increases the other decreases. Strong correlation is when r is between 1 and 0.5; medium correlation when r is between 0.5 and 0.3; weak correlation when r is lower than 0.3 [11]. The number of samples is n.

5.1 Results for PHP Weak Typed Applications

We classified 655 XSS and SQLi security fixes found in six web applications developed using PHP. The distribution of

the occurrences throughout the 12 classification fault types is shown in Fig. 2. Comparing with Table 3, we see that we did not found any sample for three fault types (MIEB, MLPA, and WLEC).

The most representative is the MFCE, accounting for around 3/4 of all the types found. The high value observed may be related to the common use of specific functions to

validate or clean input data. The next three most common fault types are the WPFV,

MIFS, and WVAV (see Table 3 for details on these types). These vulnerabilities were mainly found in the following situations:

1. Missing quotes around a variable in SQL queries allowing an attacker to inject strings that are treated as part of the structure of the query.

2. Missing IF around a statement. When a variable should not be null, it needs to be initialized to a specific value; otherwise, a malicious code may be

FONSECA ET AL.: ANALYSIS OF FIELD DATA ON WEB SECURITY VULNERABILITIES 93

TABLE 3 Fault Types Observed in the Field and Corresponding ODC Fault Type

�Fault type added to the extension of the ODC, based on the MFC fault type, when the return value is used in the code.

injected.3 This situation is an exploit of the PHP directive “register_globals ¼ on” [42], allow- ing assigning values to variables, based on input from GET, POST, or COOKIE data. If the developer relies on the default value and does not assign a value to the variable, an attacker may exploit it by tweaking the HTTP GET request, for example.

3. A poor regular expression (regex)4 used to filter the input. We frequently found several past versions of the same application, with the same regex string being slightly updated as new attacks were discovered.

Excluding the fault types already discussed, the remain- ing types represent only 7.63 percent of the vulnerabilities.

Our results also show that all fault types contribute to XSS and only eight to SQLi. The four fault types that do not contribute to SQLi (MFC, MIA, MLOC, and ELOC) are residual (1.22 percent). A Pearson correlation showed a strong, positive correlation to the number of SQLi and XSS vulnerabilities, which was statistically significant (r ¼ 0:975, n ¼ 12, P < 0:0005).

A common belief is that vulnerabilities related to input validation are mainly due to missing IF constructs or even missing conditions in the IF construct. However, our results show that the typical PHP approach is to clean the input data with a function and let the program run normally, instead of stopping it and raise an exception. In fact, missing IF fault types (MIFS and MIA) account for 5.5 percent and missing condition fault types (MLAC and MLOC) account only for 1.52 percent.

5.2 Results for Strong Typed Applications

For the strong typed language, we collected and classified 60 XSS and SQLi vulnerabilities, distributed over 11 web applications presented in Fig. 3. Comparing with Table 3, five fault types (WVAV, WFCS, MLAC, MLOC, ELOC) were not found in this study.

Our data show that MFCE is the most frequent as the majority of vulnerabilities are sanitized using functions that clean and validate the input. Another interesting fact is that most of these fixes (82.93 percent) are related to XSS vulnerabilities, which by definition is prone to this kind of error. A Pearson correlation was run to determine the relationship between the number of SQLi and XSS

vulnerabilities; however, it was not statistically significant (r ¼ 0:402, n ¼ 10, P < 0:250). We need more samples to make strong assumptions about these results.

Concerning SQLi, we have not observed the preponder- ance of a single fault type, as was the case for XSS. The most frequent is MIEB with 26.32 percent, followed by MFCE with 21.05 percent. This shows that the way this kind of vulnerabilities are fixed in strong typed languages is not only by using simple verification of other application states (through the introduction of IF...ELSE statements), but also by using a function to sanitize user input. This simplifica- tion of the sanitation process using IF statements, compar- ing with the PHP results, may be a direct contribution of the type of language used having more robust structures to manipulate the variables.

5.3 Lessons Learned

From the results discussed previously, we can summarize the main differences and correlations observed in the vulnerabilities found in the field for weak and strong typed web applications.

The major divergence comes from the number of vulnerabilities detected. While for PHP web applications, we could identify 655 vulnerabilities in only six applica- tions, for strong typed languages, we needed 11 applications to identify only 60 vulnerabilities. It is, indeed, possible to write vulnerable code using strong typed languages, but our observation suggests that they are safer than those developed with weak typed languages, which is also the trend shown in other reports [46], [55]. The fact that, in a strong typed language, a well-defined integer variable cannot be used to store characters is, by itself, a huge benefit to prevent many vulnerabilities. Some authors go even further and they agree that a strong type system is, indeed, necessary to improve the application security by presenting additions to the type system [44]. Nonetheless, strong typed languages, by themselves, do not eliminate the need to validate and sanitize all the inputs from the user, as we can see by our field results.

The distribution of XSS and SQLi vulnerabilities found is similar for both weak and strong typed applications (see Fig. 4). With two-third of all vulnerabilities, XSS is the most frequent. Usually, XSS is easier to find although SQLi is more interesting for the attacker [31], [50].

Table 4 summarizes the distribution of the 15 fault types per vulnerability type for both weak and strong typed web applications. As we can see highlighted with shade back- ground, the MFCE is clearly the main cause of vulnerabil- ities, regardless the type system used (63.33 percent for

94 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 11, NO. 2, MARCH/APRIL 2014

Fig. 3. Strong typed (Java, C#, VB) web applications vulnerability fault types summary.Fig. 2. Weak typed (PHP) web applications vulnerability fault types

summary.

3. PHP, as other scripting languages like Perl, does not require variable initialization (a NULL value is automatically assigned).

4. A regex string describes a search pattern, according to specific syntax rules, that is used to search inside another string.

strong typed and 75.87 percent for weak typed). More details and examples on MFCE are shown in Section 6. A Pearson correlation was run to determine the relationship between the number of all the strong and weak typed vulnerabilities. There was a strong, positive correlation, which was statistically significant (r ¼ 0:976, n ¼ 15, P < 0:0005). This shows that both weak type and strong type vulnerabilities follow a similar pattern, but looking at Table 4, we see that the MFCE is responsible for most of both XSS and SQLi vulnerabilities, although its prevalence in XSS is more evident (82.93 percent in strong typed languages and 77.27 percent in weak typed).

The big difference between weak and strong typed applications concerns the faults classified in second and third places. For the weak typed, WPFV and MIFS ranked second and third, respectively, while for the strong typed, we found MIEB and MFC in these positions.

MIEB shows that fixes were not only based on the introduction of simple IF statements, which would corre- spond to the MIFS found in the weak typed. This kind of fix can be interpreted in two ways: 1) there were some more complex algorithm steps to be performed or 2) the developer was more conservative and followed the best practice recommendations that state the need for having complete IF...ELSE statements [10], [14].

Another major difference lies in the fact that WPFV represents only 3.33 percent of the strong typed applica- tions, while it represents 7.02 percent of the weak typed, being the second most frequent fault type. This suggests that the use of wrong variables (or wrong values of the variables) in strong typed applications is lower than the number observed in weak typed applications, as expected. The fact that WPFV is only in the fifth place also suggests that the main security problem in applications built with strong typed languages is due to inputs not correctly sanitized and not by the use of wrong variables (or variables with wrong values) in the algorithm. This can be linked to the fact that, by definition, in strong typed languages, a variable has a predefined type of data, while in weak typed, a variable can handle many types, especially in dynamic typed languages, like PHP.

Another analysis can be made based on the age of the applications. The majority of the strong typed web applica- tion vulnerabilities analyzed were only well identified and disclosed after 2005. By that time, the concern about XSS and SQLi was already disseminated throughout the world (see Fig. 1), which can be confirmed by several studies [7], [13], [25], [31], [52], [56]. Therefore, when most of the strong typed applications analyzed were implemented, the tech- nical community was already concerned about these

problems. However, the weak typed web applications analyzed were released between 1998 and 2003, many years before most strong typed languages web applications (Java JDK was released in 1996, C#, and VB around 2002), when these vulnerabilities were not yet widely known. This may explain the larger number of vulnerabilities found in PHP web applications (PHP was created in 1995).

The results presented in this paper also unveil an important trend, also confirmed by other researchers [23]: a small set of fault types is responsible for most of the vulnerabilities. This observation can be used to train soft- ware developers, focusing their attention on the correct treatment of the software structures related to the most frequent types of faults. Additionally, this knowledge can also be useful to improve the effectiveness of code inspec- tions, as the team will be more focused on a few important code structures that can cause most vulnerabilities.

6 DETAILED VULNERABILITY ANALYSIS

During the classification of web application vulnerabilities, we saw repeating patterns in the code. We observed that the instructions that fixed the vulnerabilities belonged to a restricted subset of all the possible code structures of each fault type. This kind of deep understanding can be explored to build security tools, like an attack simulator that injects realistic vulnerabilities to validate intrusion detection systems and other security mechanisms, like automated program repair [26].

To make use of these data, which are more granular, and accommodate the precise situations found, we defined subtypes for the four most common fault types (MFCE, WPFV, MIFS, and WVAV). They are shown in Table 5, along with their occurrences for PHP applications, from which we have more samples. Once again, we can observe that a few set of subtypes, MFCE subtypes A and B, are responsible for most of the vulnerabilities (63.66 percent). There are also important differences between XSS and SQLi: MFCE-A is more important in SQLi, but MFCE-B is the opposite; WPFV-A has a huge importance in SQLi and none was found in XSS.

FONSECA ET AL.: ANALYSIS OF FIELD DATA ON WEB SECURITY VULNERABILITIES 95

Fig. 4. XSS and SQLi distribution.

TABLE 4 Distribution of Fault Types per Vulnerabilities

The following paragraphs present a detailed analysis of these fault types and subtypes, discussing the conditions/ locations where they were observed in our field study, with examples when needed to clarify them.

Missing function call extended (MFCE). This fault type was observed in situations where there is a missing function returning a value that is used elsewhere in the code. This function is always related to the filtering of one of the arguments where the other arguments are the configuration of the filtering process. Next are the constraints of the subtypes A, B, and C:

A. Missing casting to numeric of a variable using a language specific function or type cast. Furthermore, we analyzed the situations where this subtype occurred in PHP and we found the use of the “intval()”function in 83 percent of the cases and the use of the “(int)” type cast in 17 percent of the cases (see Table 6). The function can also act as an argument of other functions. This situation was found when the patch added an entire assignment line, for example: $var ¼ int)$_GET[$var]; or when there was a replacement of one variable in a string concatenation. For example, replace: ...“‘str1’.$var. ‘str2’”; with ...”‘str1’ .in- tval($var). ‘str2’”; or in the case of a function: $var1 ¼ func(intval($var1));

B. Missing assignment of a variable to a custom made function. This subtype is similar to MFCE-A and was found in the same situations of MFCE-A, except that the filtering function was not a language specific predefined function and was instead custom made.

C. Missing assignment of a variable to a predefined function. This subtype is similar to the MFCE-A and was found in the same situations of the MFCE-A, except that the filtering function is not one of those already present in the MFCE-A (casting to numeric).

Wrong variable used in parameter of function call (WPFV).

This was typically found when the following changes

occurred in the argument of a function:

A. Missing quotes in variables inside a string argument of a SQL query. For example, replace func(“SELECT. . . FROM. . . WHEREid ¼ $v a r ” ) w i t h func( “SELECT . . . FROM . . . WHERE id ¼ ‘$var’”)

B. Wrong regex string of a function argument. When the patch code is the change in the regex string of a function argument. In the code analyzed, the regex string was used to check a variable closely related to an input value, looking for known suspicious values that can be part of an attack. For example, replace the vulnerable regex string REGEXP (“ \̂.$id$|\.$id$”) with REGEXP (“^\\\.$id$|\\\.$id$”)

C. Wrong substring of a function argument. When the argument of the function is the result of the concatenation of several strings and variables and the patch code removed or changed one of them. When the programming language converts the type automatically, the variable replaced may be of a different type than the new variable, for example, from a numeric type to a character type.

D. Wrong variable when it is an argument of a function. For example, replace: func($var1) with func($var2)

Missing if construct plus statements (MIFS). This type was

found only when an IF condition and just one or two

surrounding statements were missing:

A. Missing traditional “if...then...else” condition. When it is a traditional IF..THEN...ELSE condition, an ELSIF or an ELSE.

B. Missing “if...then...else” condition in compact form. This fault type was also found when the condition is in the compact form, for example: (($var ! ¼ ‘‘) ? “true” : “false”)

Wrong value assigned to variable (WVAV). This was

typically found when the following situations changed the

variable assignment:

A. Missing pattern in a regex string assigned to a variable. In the code analyzed, the regex string was used to check a variable closely derived from an input value, looking for known XSS attacks.

96 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 11, NO. 2, MARCH/APRIL 2014

TABLE 5 Fault Subtypes in PHP

TABLE 6 MFCEA Situations Found

B. Wrong value in an array or a concatenation of a new substring inside a string. The patch changed one of the concatenation strings or removed one of the items of the array.

C. Wrong variable assigned to a variable. For example, replace $var1 = $var2; with $var1 = $var3;

D. Missing quotes in variables inside a string in a SQL query assignment. For example, replace SELECT... FROM... WHERE id ¼ $var with SELECT... FROM...WHERE id ¼ ‘$var’

E. Missing destruction of the variable. For example, unset ($var);

F. Extraneous concatenation operator “.” in an assignment. For example, replace $var. ¼ ... with $var ¼ ...

From this analysis on PHP vulnerabilities, we observe that MFCE-A, which accounts for about half of all the vulnerabilities, can be mitigated directly by a strong type system. In fact, the MFCE-A represents the missing cast to numeric of a variable, which is unnecessary in strong typed languages, because these variables would be declared as numeric.

7 ANALYSIS OF XSS AND SQLi EXPLOIT DATA

To characterize the relevance of the vulnerabilities ana- lyzed, including the scope and criticality of possible attacks, we conducted another study, but this time focusing on their known exploits. The exploit is the code developed by hackers to attack a specific vulnerability (or a set of vulnerabilities) of the target system or application. The goal is to understand the correlation between the number of vulnerabilities and exploits, and the level of the exploit damage.

This analysis was done with data collected from the database of exploits found in the Milw0rm web site (milw0rm.com). The Milw0rm is a hacker-related site devoted to share exploits of vulnerabilities developed by several hacking groups and individuals. Its database con- tains around 10,000 exploits. The collection of exploits available contains attacks to vulnerabilities already fixed, as well as 0 day vulnerabilities, for which no solution is available yet. It is one of the most popular exploit databases and it is the largest that we are aware of. Indeed, many of the exploits available at the Milw0rm site are also distributed by other hacker- and security-related sites, like RedOracle (redoracle.com), osvdb (osvdb.org), SecurityReason (secur- ityreason.com), and SecurityFocus (securityfocus.com). The well-known Metasploit framework (metasploit.com), widely used by hackers and developers for penetration testing and vulnerability detection, also has some modules based on exploits from the Milw0rm database.

The Milw0rm database contained 121 XSS and SQLi exploits for the same web applications we used in the vulnerability analysis already presented. These exploits were distributed in the following way: 118 for the six PHP web applications and three for the 11 strong typed web applications. This is shown in Table 7. A Pearson correlation was run to determine the relationship between XSS and SQLi exploits in each application. It showed a strong, positive correlation, which was statistically significant (r ¼ 0:588, n ¼ 17, P < 0:013).

Obviously, the number of vulnerabilities and exploits is not constant among web applications because the quality of the code, the hacker interest, and the number of vulner- abilities disclosed varies. Table 7 clearly shows that there is a huge difference in the number of exploits developed for the various web applications analyzed. For example, PHP web applications are clearly preferred by hackers to exploit. Moreover, we only found exploits for PHP and Java-based web applications. For the applications developed in VB and C#, we could not find any exploit, although applications developed with these programming languages are (ob- viously) also exploitable [55]. This does not mean that their vulnerabilities are neither exploitable nor exploited, only that they were not present in the source data analyzed. In fact, we were able to find other exploits targeting some of these web applications, attacking local file inclusion vulnerabilities, which we did not consider because they were outside the scope of our work.

To compare vulnerabilities and exploits for the same web applications, we run two Pearson correlations: one for XSS and another for SQLi. Both had a statistically significant strong correlation: (r ¼ 0:594, n ¼ 17, P < 0:012) for XSS and (r ¼ 0:596, n ¼ 17, P < 0:012) for SQLi. In fact, we cannot assert if the popularity of the exploits is due to the type of language or the popularity of the application, since PHP applications are, by far, more common.

Table 6 also shows that we have found some SQLi exploits in applications where we do not have SQLi vulnerabilities to analyze (JForum and OpenCMS). This occurs because both studies (the one where we collected vulnerabilities and the other of the exploits) were executed independently using different sources of information. This is the result of a lack of a unified repository that collects both vulnerabilities and exploits in a systematic and standardized fashion.

The exploits analyzed were developed between 2003 and 2009 (see Fig. 5). For the SQLi case, the peak was in 2008, but for XSS, we cannot see a clear trend. Comparing Fig. 5 with Fig. 1, we see that the growing number of XSS vulnerabilities does not have a correspondence with the exploits devel- oped, whereas for SQLi, the exploit growth even overcomes the vulnerability trend, reinforcing the interest in exploiting

FONSECA ET AL.: ANALYSIS OF FIELD DATA ON WEB SECURITY VULNERABILITIES 97

TABLE 7 Vulnerabilities and Exploits Analyzed

this kind of vulnerability. We also see this from Table 7. This may be due to the fact that with SQLi, the attacker can access one of the most valuable assets of the enterprise: the database data. The database data may contain credit card numbers, account numbers, social security numbers, user names, passwords, e-mail accounts, and so on. These goods have a huge demand in the underground economy, which indicate that they have a higher cost/benefit ratio compared to other types of attacks [50].

To understand the importance of each exploit, we classified the criticality of the effect (in fact it represents the criticality of the vulnerability, from a management point of view) according to the Payment Card Industry Data Security Standard (PCI-DSS), widely used in e-commerce, e-banking, and other financial applications [40]. This standard uses five severity levels to classify the danger that the vulnerabilities pose to the enterprise, where levels 5 and 1 are the most and the least critical, respectively. To be compliant with the PCI-DSS, an application cannot have high-level vulnerabilities (levels 5, 4, or 3).

These data were obtained from the analysis of the source code of the exploits. According to the damage the exploit was able to inflict, we classified 96 percent of the vulner- abilities exploited as level 5. The remaining 4 percent were classified with level 3 that still belongs to the designated high-level vulnerabilities. From the source code of the exploits, we saw that the hacker always wants to target the most valuable asset. The vast majority of exploits allowed the attacker to either obtain the user name and password stored in the application back-end database, or to access the web server as the root or administrator of the machine.

Given that we could find a considerable number of exploits and that 96 percent of them are among the most critical, we can say that these results reinforce the importance of addressing XSS and SQLi vulnerabilities and the need to increase awareness about them.

8 VALIDITY OF THE RESULTS

The web applications analyzed are just a small sample of the whole population so, although most of the results have statistical significance, they may lack practical significance (they cannot be considered as representative) [38]. Our observations may not apply to other applications, even for those written with the same programming languages. There are many ways and tools to develop an application and they may influence the outcome. This can also be seen from our data, if we take into consideration the high standard deviation values that represents the data dispersion related

to the number of vulnerabilities and exploits per application (see Table 8). Naturally, our results will fit better to applications developed with the same languages analyzed, but as improvements are being introduced to those languages results may also change. For example, the decline of malicious file execution attacks may be due to improve- ments in the fifth release of PHP [36].

However, results from other studies [23], [31], [50], [55] are in line with ours, so we are confident that most of the trends shown will apply to similar applications, although the particular values may be quite different: weak typed with more vulnerabilities than strong typed, XSS easier to find, but SQLi with more valuable attacks, newer applica- tions still with old school vulnerabilities like XSS and SQLi, few types of mistakes responsible for most of security problems with MFCE at the top, with most of vulnerabilities due to unchecked numeric fields.

9 CONCLUSION

This paper analyzes 715 vulnerabilities and 121 exploits of 17 web applications using field data on past security fixes. Some web applications were written in a weak typed language and others in strong typed languages. Results suggest that applications written with strong typed lan- guages have a smaller number of reported vulnerabilities and exploits. We had to consider more strong typed applications to obtain a fair amount of vulnerabilities when compared to the weak typed.

According to our findings, weak typed are the preferred targets for the development of exploits. We also observed that a single fault type (MFCE) was responsible for most (76 percent) of the security problems analyzed. We saw that the fault types responsible for XSS and SQLi belong to a narrow list, which points a path to the improvement of web applications, namely in the context of code inspections and the use of tools for static analysis. This study showed that the way programmers fix vulnerabilities seems to have a degree of dependence with the type of language used. However, the number of vulnerabilities analyzed in our and other studies show that the use of a specific language is not guarantee of success in preventing vulnerabilities. It is just one of the many factors that contribute to building a safer application.

The most relevant fault types analyzed were thoroughly detailed providing enough information for the definition of vulnerability fault models that can be used by researchers interested, for example, in realistic vulnerabil- ity and attack injectors.

This work can be extended by comparing more vulner- abilities of web applications written in different languages and developed by independent programmers. Another

98 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 11, NO. 2, MARCH/APRIL 2014

Fig. 5. Release date of the exploits.

TABLE 8 Number of Vulnerabilities and Exploits per Application

follow-up work may focus on the importance of the attack surface in the distribution of vulnerabilities and exploits. This may compare different results of vulnerabilities and exploits of both web applications and their add-ons, regarding their size, for example.

ACKNOWLEDGMENTS

This work was partially supported by the project “ICIS—Intelligent Computing in the Inter-net of Services” (CENTRO-07-ST24-FEDER-002003), cofinanced by QREN, in the scope of the Mais Centro Program and European Union’s FEDER, and by the PEst-OE/EGE/UI4056/2011, financed by the Science and Technology Foundation.

REFERENCES [1] Acunetix Ltd., “Is Your Website Hackable? Do a Web Security

Audit with Acunetix Web Vulnerability Scanner,” http://www. acunetix.com/security-audit/index/, May 2013.

[2] G. �Alvarez and S. Petrovic, “A New Taxonomy of Web Attacks Suitable for Efficient Encoding,” Computers and Security, vol. 22, no. 5, pp. 435-449, July 2003.

[3] P. Anbalagan and M. Vouk, “Towards a Unifying Approach in Understanding Security Problems,” Proc. Int’l Symp. Software Reliability Eng., pp. 136-145, 2009.

[4] A. Avizienis, J.C. Laprie, B. Randell, and C. Landwehr, “Basic Concepts and Taxonomy of Dependable and Secure Computing,” IEEE Trans. Dependable and Secure Computing, vol. 1, no. 1, pp. 11- 33, Jan.-Mar. 2004.

[5] US-CERT Vulnerability Notes Database, “Homepage,” http:// www.kb.cert.org/vuls/, May 2013.

[6] R. Chillarege, I.S. Bhandari, J.K. Chaar, M.J. Halliday, D. Moebus, B. Ray, and M. Wong, “Orthogonal Defect Classification—A Concept for In-Process Measurement,” IEEE Trans. Software Eng., vol. 18, no. 11, pp. 943-956, Nov. 1992.

[7] S. Christey, “Unforgivable Vulnerabilities,” Proc. Black Hat Brief- ings, 2007.

[8] J. Christmansson and R. Chillarege, “Generation of an Error Set That Emulates Software Faults,” Proc. IEEE Fault Tolerant Computing Symp., pp. 304-313, 1996.

[9] S. Clowes, “A Study in Scarlet, Exploiting Common Vulnerabil- ities in PHP Applications,” http://www.securereality.com.au/ studyinscarlet.txt, 2013.

[10] T. Manjaly, “C# Coding Standards and Best Practices,” http:// www.codeproject.com/KB/cs/c__coding_standards.aspx, May 2013.

[11] J. Cohen, Statistical Power Analysis for the Behavioral Sciences, second ed., Lawrence Erlbaum, 1988.

[12] M. Cukier, R. Berthier, S. Panjwani, and S. Tan, “A Statistical Analysis of Attack Data to Separate Attacks,” Proc. Int’l Conf. Dependable Systems and Networks, pp. 383-392, 2006.

[13] A. Adelsbach, D. Alessandri, C. Cachin, S. Creese, Y. Deswarte, K. Kursawe, J.C. Laprie, D. Powell, B. Randell, J. Riordan, P. Ryan, W. Simmonds, R. Stroud, P. Verissimo, M. Waidner, and A. Wespi, “Conceptual Model and Architecture of MAFTIA,” Project IST-1999-11583, https://docs.di.fc.ul.pt/jspui/bitstream/10455/ 2978/1/03-1.pdf, 2003.

[14] Dotnet Spider, “C# Coding Standards and Best Programming P r a c t i c e s , ” h t t p : / / w w w . d o t n e t s p i d e r . c o m / t u t o r i a l s / BestPractices.aspx, May 2013.

[15] J. Durães and H. Madeira, “Emulation of Software Faults: A Field Data Study and a Practical Approach,” Trans. Software Eng., vol. 32, pp. 849-867, 2006.

[16] S. Fogie, J. Grossman, R. Hansen, A. Rager, and P. Pektov, XSS Attacks: Cross Site Scripting Exploits and Defense. Syngress, 2007.

[17] J. Fonseca, M. Vieira, and H. Madeira, “Training Security Assurance Teams Using Vulnerability Injection,” Proc. Pacific Rim Dependable Computing Conf., pp. 297-304, 2008.

[18] J. Fonseca, M. Vieira, and H. Madeira, “Vulnerability & Attack Injection for Web Applications,” Proc. Int’l Conf. Dependable Systems and Networks, pp. 93-102, 2009.

[19] M. Fossi et al., “Symantec Internet Security Threat Report: Trends for 2010,” Symantec Enterprise Security, 2011.

[20] P. Giorgini, F. Massacci, J. Mylopoulos, and N. Zannone, “Modeling Security Requirements through Ownership, Permis- sion and Delegation,” Proc. IEEE Int’l Conf. Requirements Eng., pp. 167-176, 2005.

[21] W. Halfond, J. Viegas, and A. Orso, “A Classification of SQL Injection Attacks and Countermeasures,” Proc. Black Hat Briefings, 2005.

[22] L. Hatton, “The Chimera of Software Quality,” IEEE Software, vol. 40, no. 8, pp. 104-103, Aug. 2007.

[23] M. Howard, D. LeBlanc, and J. Viega, “19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them,” McGraw- Hill, 2005.

[24] IBM Global Technology Services “IBM Internet Security Systems X-Force1 2010 Trend & Risk Report,” technical report, IBM Corp., 2011.

[25] N. Jovanovic, C. Kruegel, and E. Kirda, “Precise Alias Analysis for Static Detection of Web Application Vulnerabilities,” Proc. IEEE Symp. Security and Privacy, pp. 27-36, 2006.

[26] C. Le Gues et al., “A Systematic Study of Automated Program Repair: Fixing 55 Out Of 105 Bugs for $8 Each,” Proc. Int’l Conf. Software Eng., pp. 3-13, 2012.

[27] B. Livshits and S. Lam, “Finding Security Vulnerabilities in Java Applications with Static Analysis,” Proc. USENIX Security Symp., pp. 18-18, 2005.

[28] F. Long, “Software Vulnerabilities in Java,” Cert. technical note, Software Eng. Inst., Carnegie Mellon Univ., 2005.

[29] R. Mays, C. Jones, G. Holloway, and D. Strudinsky, “Experiences with Defect Prevention,” IBM Systems J., vol. 29, pp. 4-32, 1990.

[30] K. Mitnick and W. Simon, The Art of Deception: Controlling the Human Element of Security, first ed., Wiley, 2002.

[31] S. Christey and R. Martin, “Vulnerability Type Distributions in CVE,” http://cwe.mitre.org/documents/vuln-trends/index. html, May 2007.

[32] N. Nagappan, L. Williams, J. Hudepohl, W. Snipes, M. Vouk, “Preliminary Results on Using Static Analysis Tools for Software Inspection.” Proc. Int’l Symp. Software Reliability Eng., pp. 429-439, 2004.

[33] S. Neuhaus and T. Zimmermann, “Security Trend Analysis with CVE Topic Models” Proc. Int’l Symp. Software Reliability Eng., pp. 111-120, 2010.

[34] NTA, “Tests Show Rise in Number of Vulnerabilities Affecting Web Applications with SQL Injection and XSS Most Common Flaws,” http://www.nta-monitor.com/posts/2011/03/01-tests_ s ho w _ r i s e _ in _ n um b e r _ o f_ v ul n e r a b i l i t i e s_ a f fe ct i n g _ w e b _ applications_with_sql_inject ion_and_xss _most_common_ flaws.html, May 2013.

[35] OSVDB, “Open Sourced Vulnerability Database,” http://osvdb. org, May 2013.

[36] OWASP Foundation, “OWASP Top 10,” https://www.owasp. org/index.php/Top_10_2010-Main, July 2010.

[37] A. Ozment, “Vulnerability Discovery & Software Security,” PhD thesis, Computer Laboratory Computer Security Group, Univ. of Cambridge, 2007.

[38] J. Pallant, SPSS Survival Manual, fourth ed., Open Univ. Press, 2011.

[39] Packt Publishing Ltd., “Homepage,” http://www.packtpub.com, May 2013.

[40] PCI Security Standards Council, “Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, version 1.2,” www.pcidss.ru/files/pub/pdf/padss_ v1.2_english.pdf, 2008.

[41] PHP-Nuke, “Homepage,” http://phpnuke.org, Dec. 2007. [42] The PHP Group, “Description of Core php.ini Directives,”

http://pt.php.net/register_globals, May 2013. [43] The Privacy Rights Clearinghouse, “Chronology of Data Breaches:

Security Breaches 2005-Present,” http://www.privacyrights.org/ data-breach, May 2013.

[44] W. Robertson and G. Vigna, “Static Enforcement of Web Application Integrity through Strong Typing,” Proc. 18th Conf. USENIX Security Symp. (USENIX ’09), pp. 283-298, 2009.

[45] SANS Inst., “Top 25 Most Dangerous Programming Errors,” http://www.sans.org/top25errors/, May 2013.

[46] T. Scholte et al., “An Empirical Analysis of Input Validation Mechanisms,” Proc. ACM Symp. Applied Computing, pp. 1419-1426, 2012.

[47] Secunia, “Homepage,” http://secunia.com, May 2013.

FONSECA ET AL.: ANALYSIS OF FIELD DATA ON WEB SECURITY VULNERABILITIES 99

[48] Sourceforge, “2007 Community Choice Awards,” http:// sourceforge.net/blog/cca07, May 2013.

[49] D. Stuttard and M. Pinto, The Web Application Hackers Handbook: Discovering and Exploiting Security Flaws. Wiley, 2007.

[50] Symantec, “Symantec Report on the Underground Economy,” http://www.symantec.com/threatreport/topic.jsp?id=fraud_ activity_trends&aid=underground_economy_servers. 2008.

[51] N. Tomatis, R. Brega, G. Rivera, and R. Siegwart, “‘May You Have a Strong (-Typed) Foundation’ Why Strong Typed Programming Languages Do Matter,” Proc. IEEE Int’l Conf. Robotics and Automation, 2004.

[52] F. Valeur, D. Mutz, and G. Vigna, “A Learning-Based Approach to the Detection of SQL Attacks,” Proc. Second Int’l Conf. Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA ’05), pp. 123-140, 2005.

[53] Verizon, “2011 Data Breach Investigations Report,” http:// www.verizonenterprise.com/resources/reports/rp_data-breach- investigations-report-2011_en_xg.pdf, 2011.

[54] J. Walden, M. Doyle, G. Welch, and M. Whelan, “Security of Open Source Web Applications,” Proc. Int’l Symp. Empirical Software Eng. and Measurement, 2009.

[55] “WhiteHat Website Security Statistics Report, ninth ed.,” https:// www.whitehatsec.com/seekinfo/statsSpring10.html, WhiteHat Security Inc., Spring 2010.

[56] S. Zanero, L. Carettoni, and M. Zanchetta, “Automatic Detection of Web Application Security Flaws,” Proc. IEEE Int’l Symp. Secure Software Eng., 2005.

José Fonseca received the PhD degree in informatics engineering from the University of Coimbra, Portugal, in 2011. Since 2005, he has been with CISUC as a researcher. He has been teaching computer-related courses at the Poly- technic Institute of Guarda since 1993. He is the author or coauthor of more than a dozen papers in refereed conferences. His research on vulner- ability and attack injection was granted with the DSN’s William Carter Award of 2009, sponsored

by the IEEE Technical Committee on Fault-Tolerant Computing and the IFIP Working Group on Dependable Computing and Fault Tolerance (WG 10.4).

Nuno Seixas received the master’s degree in software engineering from Carnegie Mellon University and the University of Coimbra, Portugal, in 2008 and the MSc degree in informatics engineering from the University of Coimbra in 2007. From 2004 to 2006, he was with CISUC as a researcher. He has been with the Portugal Telecom Inovação company since 2005, where he is now part of the technological coordination group.

Marco Vieira is currently an assistant professor at the University of Coimbra, Portugal. He is an expert on dependability benchmarking and his research interests also include experimental dependability evaluation, fault injection, security benchmarking, software development pro- cesses, and software quality assurance, sub- jects in which he has authored or coauthored tens of papers in refereed conferences and journals. He has participated in many research

projects, both at the national and European level. He has served on program committees of the major conferences of the dependability area and acted as a referee for many international conferences and journals in the dependability and databases areas.

Henrique Madeira is currently an associate professor at the University of Coimbra, Portugal, where he has been involved in the research on dependable computing since 1987. He has authored or coauthored more than 100 papers in refereed conferences and journals and has coordinated or participated in tens of projects funded by the Portuguese government and by the European Union. He was the program cochair of the 2004 International Performance

and Dependability Symposium track of the IEEE/IFIP International Conference on Dependable Systems and Networks (DSN-PDS 2004) and was appointed conference coordinator of IEEE/IFIP DSN 2008.

. For more information on this or any other computing topic, please visit our Digital Library at www.computer.org/publications/dlib.

100 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 11, NO. 2, MARCH/APRIL 2014

Copyright of IEEE Transactions on Dependable & Secure Computing is the property of IEEE Computer Society and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.

Copyright of IEEE Transactions on Dependable & Secure Computing is the property of IEEE Computer Society and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.

web security/material3.pdf

Computer Engineering and Intelligent Systems www.iiste.org ISSN 2222-1719 (Paper) ISSN 2222-2863 (Online) Vol 3, No.4, 2012

74

Data Security Using Cryptosteganography in Web Application

Abhishek Patidar Gajendra Jagnade* Laxmi Madhuri Pranay Mehta Ronak Seth

Maharashtra Academy Of Engineering,Alandi,Pune

* E-mail of the corresponding author: praggroup@yahoo.com

Abstract

Data security using Cryptosteganography in web application is a web based application used to conceal important information through hybrid cryptography and Steganography and provide means of its secure transmission through any medium or channel .Using a web browser the user uploads the important information and an envelope image. The same is received by the Data Shielder facade web application .The web application sends the data and envelope image to the real Data Shielder .It generates a unique key and encrypts the crucial data .The key is associated with a "unique id" and preserved in a store .Then the encrypted information is embedded into the envelope image using modified BPCS technique .Finally a stego image is generated .Data Shielder returns the "unique id" and stego image to the facade web application .Web application further archives the stego image and unique key and allows the user to download it. The user can simply unzip the archive and transmit the stego image through unsecured channels like email, sockets, pen drives, cds, dvds, etc. And can keep the unique id safe. When the user wants its data back then user needs to upload the stego image and the "unique id" to the Data Shielder facade web application. The web application sends the unique id and stego image to the real Data Shielder. First it finds the encryption key from the store through the unique id. Next, reversing the BPCS Steganography, the stego image is processed and encrypted data is fetched. Finally using the encryption key decryption is done and the crucial data is fetched back. The same is returned to the facade web application, which is rendered to the user.

Keywords: Cryptography, Steganography, Stego- image, Threshold Value

1. Introduction

Cryptography and Steganography are well known and widely used techniques that manipulate information (messages) in order to cipher or hide their existence respectively. This is a web application which uses combination of Steganography and Cryptography techniques .Steganography is the art and science of communicating in a way which hides the existence of the communication. Cryptography scrambles a message so it cannot be understood. The Steganography hides the message for security. This paper describes a system, which uses both Cryptography and Steganography for better confidentiality and security. Major applications of the project are confidential communication and secret data storage which can be used by normal people to secure their data & for military purpose, government organization, private sector organization for security concern.

So this project aims to provide hybrid means of security and to improve existing BPCS technique for Steganography and to develop new cryptographic algorithm.

2. Basic Concepts and Related Work

There are many aspects to security and many applications. One essential aspect for secure communications is that of cryptography. But it is important to note that while cryptography is necessary for secure communications, it is not by itself sufficient. There are some specific security requirements for cryptography, including Authentication, Privacy/confidentiality, and Integrity Non-repudiation. The three types of algorithms are described:

(i) Secret Key Cryptography (SKC): Uses a single key for both encryption and decryption.

(ii)Public Key Cryptography (PKC): Uses one key for encryption and another for decryption.

Computer Engineering and Intelligent Systems www.iiste.org ISSN 2222-1719 (Paper) ISSN 2222-2863 (Online) Vol 3, No.4, 2012

75

(iii)Hash Functions: Uses mathematical transformation to irreversibly "encrypt" information.

Steganography is the other technique for secured communication. It encompasses methods of transmitting a secret message through innocuous cover carriers in such a manner that the very existence of the embedded messages is undetectable. Information can be hidden in images, audio, video, text, or some other digitally representative code. Steganography systems can be grouped by the type of covers used (graphics, sound, text, executables) or by the techniques used to modify the covers

a) Substitution system.

b) Transform domain techniques.

c) Spread spectrum techniques.

d) Statistical method.

e) Distortion techniques.

f) Cover generation methods.

2.1 Architecture

Architecture consists of four basic blocks

1) Encryption : Matrix Mapping Method For Symmetric Key Cryptography

2) Steganography : Modified BPCS

3) Decryption Matrix Mapping Method For Symmetric Key Cryptography

4) Desteganography : Modified BPCS

Figure1. Architecture Diagram of System

2.1.1 Encryption: Matrix Mapping Method for Symmetric Key Cryptography

In this algorithm, using the key we generate a mapping matrix. Every byte of the mapping image is unique

Computer Engineering and Intelligent Systems www.iiste.org ISSN 2222-1719 (Paper) ISSN 2222-2863 (Online) Vol 3, No.4, 2012

76

and is with respect to key. The mapping matrix is of size 16 by 16.This algorithm is influenced by Applied cryptography in Java (Partida, A.Andina, D.Atos).

Algorithm:

1) The source file is opened for reading in binary mode.

2) Every byte of the source file is read and converted into its equivalent 8-bit binary number.

3) Split the 8-bit binary number into 4-bit higher and lower nibble number.

4) Convert these two 4-bit nibbles into its equivalent decimal value.

5) With the help of these two decimal values pickup a pixel from the mapping matrix. Where higher nibble equivalent decimal value acts as row indicator and lower nibble equivalent decimal value acts as column indicator for mapping image.

6) Replace the original pixel with the byte selected from mapping matrix.

7) Encrypted file gets generated as the above process is repeated for all the pixels.

2.1.2 Steganography: Modified BPCS

Our new Steganography uses an image as the vessel data, and we embed secret information in the bit- planes of the vessel. This technique makes use of the characteristics of the human vision system whereby a human cannot perceive any shape information in a very complicated binary pattern. We can replace all of the “noise-like” regions in the bit-planes of the vessel image with secret data without deteriorating the image quality.This algorithm is influenced by Principle and application of BPCS-Steganography(Eiji Kawaguchi and Richard O.Eason).This algorithm is termed as Modified “BPCS-Steganography,” which stands for Bit-Plane Complexity Segmentation Steganography. Input data will be vessel image and data to embed in byte format. Load the vessel image into memory. Get width and height of the memory image. Generate a threshold value. For each pixel get red, green and blue values of current pixel .

Algorithm:

Real Image and data to Embed in byte array format is given as input.

1) Load the vessel image into memory.

2) Get a "readable pen" for the memory image.

3) Get width and height of the memory image.

4) Generate a threshold value.

5) Loop for all rows of memory image

Loop for all cols of memory image

a) Using the "readable pen" get red, green and blue values of current pixel.

b) if red <= threshold and green <= threshold and blue <= threshold then

* mark the pixel as NOISY (store in a list).

6) If NOISY pixel list size >= size of data to embed go to step 8.

7) Raise Error "Content length is more than embedding capacity of Vessel Image".

8) Convert the Data to embed into SECRET BLOCKS

a) Create a empty list to hold secret blocks

b) Loop for every byte of input data

* conjugate the byte

* store the conjugated byte into secrect block list.

9) Get a "writable pen" for the memory image.

Computer Engineering and Intelligent Systems www.iiste.org ISSN 2222-1719 (Paper) ISSN 2222-2863 (Online) Vol 3, No.4, 2012

77

10) Loop for every element of NOISY pixel list

a) Embed 2 bytes of data from SECRET blocks into red, green and blue bands of noisy pixel.

b) Using the writable pen write the pixel into memory image.

11) Write back the memory image into IMAGE FILE.

Figure 2: Algorithm to encrypt data and embed it into image

2.1.3 Decryption: Matrix Mapping Method for Symmetric Key Cryptography

In this algorithm, using the key we generate a mapping matrix. Every byte of the mapping image is unique and is with respect to key. The mapping matrix is of size 16 by 16.

Algorithm:

1) The encrypted file is opened for reading in binary mode.

2) Every byte of the encrypted file is read and converted into its equivalent 8-bit binary number.

3) Match the byte in the mapping matrix and find out row and column number of the matched byte.

4) Form 2 nibbles using the row number and column number. Generate a 8-bit binary number from 4-bit higher (row) and lower (column) nibble number.

5) Substitute this generated 8 bit binary data in place of the current byte.

6) Original file gets generated as the above process is repeated for all the pixels.

Get the bytes from image using Desteganography and use the key to generate decryption matrix. Now match the byte which we got from image with each matrix element. And get corresponding row and column number of matched element. Convert the obtained row and column number into binary format. Deconjugate these two numbers which represents original data.

Computer Engineering and Intelligent Systems www.iiste.org ISSN 2222-1719 (Paper) ISSN 2222-2863 (Online) Vol 3, No.4, 2012

78

2.1.4Desteganography: Modified BPCS

Figure 3. Algorithm to decrypt data and extract from image

Image having embedded data is given as input .

Algorithm:

1) Load the image into memory.

2) Get a "readable pen" for the memory image.

3) Get width and height of the memory image.

4) Generate a threshold value.

5) Loop for all rows of memory image

Loop for all cols of memory image

a) Using the "readable pen" get red, green and blue values of current pixel.

b) If red <= threshold and green <= threshold and blue <= threshold then

mark the pixel as NOISY (store in a list)

6) Loop for every element of NOISY pixel list

a) Extract bytes of data from red, green and blue bands of noisy pixel.

b) Deconjugate the secret blocks and form data bytes.

c) Concatenate the data in a result buffer.

Computer Engineering and Intelligent Systems www.iiste.org ISSN 2222-1719 (Paper) ISSN 2222-2863 (Online) Vol 3, No.4, 2012

79

7) Write back the result buffer into a FILE Input data will be image having embedded data. Load the image into memory. Get width and height of the memory image. Generate a threshold value.

Conclusion & Future Enhancements

The work accomplished during this project can be summarized with the following points:

1) In this project we have presented a new system for the combination of cryptography and Steganography using matrix mapping method for Symmetric Key Cryptography and modified BPCS technique for Steganography which could be proven a highly secured method for data communication in near future.

2) Steganography especially combined with cryptography, is a powerful tool which enables people to communicate without possible eavesdroppers even knowing there is a form of communication in the first place. The proposed method provides acceptable image quality with very little distortion in the image.

3) The main advantage of this Cryptosteganography System is hybrid combination of cryptography and Steganography which provides double layer security.

In future video or audio files can be used to hide data instead of images.

References

Visual Cryptography Steganography In Images, PiyushMarwaha , PareshMarwaha

A steganography implementation ,Mehboob, B. Faruqui, R.A.

Principle and application of BPCS-Steganography,Eiji Kawaguchi and Richard O.Eason,KIT,Japan

Applied cryptography in Java ,Partida, A.Andina, D.Atos-ODS , S.A.Madrid.

Data Security Using Data Hiding , Moon, S.K. Kawitkar, R.S.,PICT, Pune.

Digital steganography: hiding data within data,Artz, D.;Los Alamos Nat. Lab., NM

This academic article was published by The International Institute for Science,

Technology and Education (IISTE). The IISTE is a pioneer in the Open Access

Publishing service based in the U.S. and Europe. The aim of the institute is

Accelerating Global Knowledge Sharing.

More information about the publisher can be found in the IISTE’s homepage:

http://www.iiste.org

The IISTE is currently hosting more than 30 peer-reviewed academic journals and

collaborating with academic institutions around the world. Prospective authors of

IISTE journals can find the submission instruction on the following page:

http://www.iiste.org/Journals/

The IISTE editorial team promises to the review and publish all the qualified

submissions in a fast manner. All the journals articles are available online to the

readers all over the world without financial, legal, or technical barriers other than

those inseparable from gaining access to the internet itself. Printed version of the

journals is also available upon request of readers and authors.

IISTE Knowledge Sharing Partners

EBSCO, Index Copernicus, Ulrich's Periodicals Directory, JournalTOCS, PKP Open

Archives Harvester, Bielefeld Academic Search Engine, Elektronische

Zeitschriftenbibliothek EZB, Open J-Gate, OCLC WorldCat, Universe Digtial

Library , NewJour, Google Scholar

web security/material4.pdf

Technology: By Sanjay Mehta Author IS senior Vice President aX Breach Secunly.

The Role of Web Application Security in Protecting Critical Business Data

T he explosion of web applications intro- duces a host of new and ever-changing threats to data security that put enterprises and consumers at risk. Hackers are contin- uously finding new ways to exploit these

applications and skirt existing security measures. What are the top web security challenges for 2009? And how can businesses protect against and remedi- ate these threats?

IDC predicts the web security appliance market to grow at a rate of 23.6 percent per year for the next five years, from $256.7 million in 2007 to $745.4 mil- lion by 2012. Such robust growth is not surprising— the SANS Institute reports that 50 percent of web applications have major vulnerabilities. Due to the es- calation of threats and high profile security breaches reported over the past few years, companies are rec- ognizing that web application security is no longer an option, but a must.

The security paradigm shift Web applications have fundamentally changed the se- curity game. Most IT professionals have traditionally been responsible for securing networks with estab- lished technologies such as network firewalls, intru- sion detection systems (IDS) and SSL VPNs. Corporate networks are relatively static from envi- ronment to environment and are not equipped to deal with the unique and complex security requirements of web applications. Companies may have dozens or even hundreds of web applications available on their websites, and many of these applications change every day.

To compound the challenges, no two web applications are the same. If two competing banks offer online bill pay func- tionality, the underlying web applications powering the function will be entirely different. As such, web applications can originate from multiple sources, including intemal development, out- sourcing, third-party packages, or inherited through merger or acquisition. It is especially challenging to secure web applica- tions when tbe application code may not even be accessible.

Top web application security threats and counteremeasures In the last year, attacks against web applications have expanded in scope from attempts to extract credit card infonnation from ecommerce sites using automated mass SQL injection bots to scraping entire libraries of valuable information from subscrip- tion-based sites. While web attacks come in a variety of flavors, there are a few common elements that put businesses at risk and allow hackers to steal databases of infonnation. By understand- ing the commonalities, security teams can better protect their data.

Injection flaws - The top reason for credit card data compro- mise, this attack technique is executed by a user who inserts SQL query commands into the web application's input fields, such as ID and password fields on a login page. In a vulnerable applica- tion the commands are sent to the back-end database, as with le- gitimate data, and the database is tricked into executing them. Attackers use this SQL injection technique to steal customer data such as credit card numbers, hold eustomer data hostage by en- crypting it or destroy it entirely.

To protect against SQL injection vulnerabilities in tbeir web applications, organizations can deploy a web application firewall to block all malicious requests coming in to the application and

26

prevent database error messages from being sent out. Many web application firewalls learn the bi-directional be- havior expected when a browser inter- acts with a server and for specific input fields. With this positive security profile, web application firewalls en- sure that anomalous data cannot be in- serted into the application. Other remediation techniques include con- figuring the web application to con- ceal database error message leakage, using the controls built into the data- base itself and adding code around each user input field to ensure only le- gitimate characters can be used.

Attacks Against Clients - Cross- site scripting attacks take advantage of web applications that have missing or insufficient input validation and do not properly output encode user supplied data when sent to clients. Attackers in- sert code into the web browser using special characters that are then exe- cuted in the browser when accessed by subsequent users. The web browsers are tricked into executing the user-sup- plied data. XSS is a technique com- monly used in phishing attacks, in which users are redirected to another, site where they are asked for sensitive information such as user names and passwords.

A web application firewall can prevent XSS attacks by blocking all attempts to inject scripts into the ap- plication. Additional remediation tac- tics include identifying all areas within an application where user input is added to the application out- put, such as product reviews or user comment pages, and adding code around each of these user input fields to ensure only legitimate characters are permitted and the data is properly encoded when added to HTML pages.

Automation - As an emerging web application security threat, scraping is unlike typical injection attacks. Each individual request looks normal with no malicious pay-

Since January 2005, more than 245 million

records containing personal information

have been stolen. Another study reports that the financial im- pact of identity theft breaches are on the rise with an average cost of $6.3 million

per incident.

load that would be detected by either positive security or negative security models. Attackers scrape websites by first creating a legitimate account on the web application. Once logged in, they launch bots to extract informa- tion in bulk, which was intended to be served up one record at a time to a legitimate subscriber. The bot allows hackers to extract volumes of infor- mation quickly and effortlessly re- sulting in data theft that can put the organization at a competitive disad- vantage. Additionally, scraping can be used as a denial-of-service attack technique.

Web application firewalls may provide anti-automation capabilities by enforcing proper thresholds on ac- cess attempts for specific application resources. When violations occur, a web application firewall can termi- nate transactions at the user session or IP level. Existing network security tools are designed to detect behavior at the network layer, not at Layer 7 or in web application sessions. Web application firewalls, however, can detect behavior at all layers.

The case for web application secu- rity technologies While the challenges of securing web applications seem severe, the cost of data leakage is even steeper. Since January 2005, more than 245 million records containing personal informa- tion have been stolen, according to the Privacy Rights Clearinghouse. And a 2007 Ponemon institute study found that the financial impact of identity theft breaches are on the rise with an average cost of S6.3 million per inci- dent.

Types of organizafions attacked most often

Source: 2008 Web Hacking Incidents Database, an annual ra- pon ot »eil applicationrelated security incidents

Today, approximately 80 percent of successful attacks against organizations occur due to exploitation of vulnerabil- ities in web applications. While web ap- plications offer new and convenient ways to interface with consumers on- line, they also expose organizations to signiticant risk. Hackers are actively an- alyzing applications to understand them and exploit their underlying mecha- nisms. Web application defects are di- rectly tied to security vulnerabilities, lost revenues and dissatisfied cus- tomers. Testing alone cannot uncover all vulnerabilities. Using a web application firewall that offers real-time monitoring for defects and protection against at- tacks of production applications is es- sential. The results should be used not only to block attacks, but to work closely witli development teams and ap- plication owners to remediate weak- nesses in tlie code itself D

web security/material5.pdf

Understanding of Web Application Security Threats & Incidents

Towards an Understanding of Web Application Security Threats and Incidents

Gerhard Steinke, Seattle Pacific University - Seattle, USA gsteinke@spu.edu

Emanuel Tundrea, Emanuel University — Oradea, Romania emanuel@emanuel.ro

Kenmoro Kelly, Seattle Pacific University - Seattle, USA kellyk4@spu.edu

ABSTRACT

This paper examines a variety of sources that provide web application security vulnerabilities and incident data. In particular, the research tracks the impact of SQL Injection, Cross-Site Scripting and Cross-Site Request Forgery vulnerabilities. A comparison of vulnerability data versus attacks that have actually resulted in data compromises is studied to determine how the type of vulnerabilities relate to actual methods used to steal data. The paper concludes with recommendations for more secure web applications.

KEYWORDS

Web application Securify; Threats and Vulnerahility Datahases; SQL Injection; Cross-Site Scripting

INTRODUCTION

Many organizations in the 21st century are reliant on a web presence as a means to market themselves and generate revenue and profit. Though threats such as viruses, malware, and worms on client computers have always represented some of the most significant threats, there are countless web server application threats and vulnerabilities in existence that can be harmful, even fatal, to an organization and its abilify to conduct its operations. The many web applications and databases residing on organizations' servers have often been overlooked. The growth and essential nature of web applications, and the increasing number of web vulnerabilities and attacks, make web application securify one of the most crucial aspects of an organization's operations.

Various organizations document web application vulnerabilities and incidents, and publish web vulnerabilities and lost data statistics. This paper examines web vulnerabilify and securify resources, including Open Web Application Securify Project (OWASP), National Vulnerabilify Database (NVD), WhiteHat Securify, Web Application Securify Consortium (WASC), Privacy Rights Clearinghouse, and the Verizon Business Data Breach Investigations, to analyze the validify and actual

54

Understanding of Web Application Security Threats & Incidents

impact of the various threats and vulnerabilities. This research focuses on three common web threats: SOL Injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). The paper concludes with recommendations and resources which organizations can utilize in their efforts to conduct more secure web business transactions, and maintain the security (confidentiality, integrity, and availability) of their sensitive information connected to web applications..

WEB VULNERABILITY DATA

In this section we examine sources that provide statistics on web vulnerabilities—^that have not necessarily resulted in data losses.

Web Application Security Project

The Open Web Application Security Project (OWASP) is a nonprofit organization that gathers web security statistics from contributors around the world. Every three years OWASP identifies the ten most serious risk types with regards to web application security. This "Top 10" list represents a consensus of the most critical web application security flaws. The OWASP website supplements each risk with information regarding the likelihood and impact of the threat (which are also part of the criteria for determining if/where a risk falls into the top 10), along with providing resources to help reduce each threat. The top risks for the year 2010 are as follows (OWASP, 2010):

• A l : Injection - Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

• A2: Cross-Site Scripting (XSS) - these flaws occur whenever an application takes untmsted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites or redirect the user to malicious sites.

• A3: Broken Authentication and Session Management - Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens or exploit other implementation flaws to assume other users' identities.

• A4: Insecure Direct Object References — A direct object reference occurs when a developer exposes a reference to an intemal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

• A5: Cross-Site Request Forgery (CSRF) - A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force

55

Understanding of Web Application Security Threats & Incidents

the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim. A6: Securify Misconfiguration - Good securify requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application. A7: Insecure Cryptographic Storage - Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identify theft, credit card fraud, or other crimes. A8: Failure to Restrict URL Access — Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway. A9: Insufficient Transport Layer Protection - Applications frequently fail to authenticate, encrypt, and protect the confidentialify and integrify of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly. AlO: Unvalidated Redirects and Forwards - Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

TABLE 1. OWASP's TOP 10 W E B APPLICATION THREATS

Injection (SQL) Cross Site Scripting (XSS) Broken Authentication and Session Management Insecure Direct Object References Cross-Site Request Forgery (CSRF) Securify Misconfiguration Insecure Cryptographic Storage Failure to Restrict URL Access Insufficient Transport Layer Protection Unvalidated Redirects and Forwards

Ranking 2004 6 4 3

10 8

2007 2 1 7 4 5

8 10 9

2010 1 2 3 4 5 6 7 8 9 10

OWASP's ranking of the top 10 web application securify threats has changed over the years. Table 1 compares OWASP's Top 10 list for the years 2004, 2007 and 2010. 56

Understanding of Web Application Security Threats & Incidents

This research focuses on three common web threats: SQL Injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) threats. In the OWASP Top 10 list, SQL Injection threats moved from position 6 in 2004, to position 1 in 2010. Cross-Site Scripting moved from 4* place in 2004 to rank 1 and 2 in 2007 and 2010 respectively. The Cross-Site Request Forgery threat didn't even make the list in 2004, but as of 2010 is in 5* place.

Since the Top 10 list is derived by a consensus of opinions from a variefy of individuals from around the world, the ranking doesn't correlate threats with actual incidents. Further discussion below provides a comparison of the threats in this Top 10 list compared to threats that have actually resulted in successful attacks on web applications.

National Vulnerabilify Database The U.S. govemment maintains a repository of vulnerabilify management data in the National Vulnerabilify Database (NVD, 2012). As of March 22, 2012, the NVD lists 50056 vulnerabilities. This research project drilled down to get more data for three common vulnerabilities: SQL Injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). The results of searches for these three vulnerabilities in the NVD since 2004 are reported in Figure 1.

2004 2005 2006 2007 2008 2009 2010 2Ö11 Figure 1. National Vulnerabilify Database - Search based on Category of

Vulnerabilify (March 22, 2012).

The number of SQL Injection vulnerabilities reached their peak in 2008, and then decreased by over 50% in 2010, and another 40% in 2011. It may mean that web designers and operators have updated their websites to address this vulnerabilify. And yet, other sources described below, document that data losses based on SQL Injection vulnerabilify remain high. The NVD data would indicate that the SQL Injection vulnerabilify will no longer have the top ranking in the next OWASP's Top 10 list.

Even Cross-Site Scripting reported vulnerabilities have decreased some from a high of 790 and 811 in 2008, 2009 respectively, to 454 reported during 2011. Yet more Cross- Site Scripting vulnerabilities are reported than any other fype of vulnerabilify. So

57

Understanding of Web Application Security Threats & Incidents

while Cross-Site Scripting was number one on the 2007 Top 10 list, it most likely will be number one again on any Top 10 list produced today. That raises the question, whether the processes to combat Cross-Site Scripting vulnerabilities are more difficult to implement, or are not taken as serious, or perhaps there is another reason why the Cross-Site Scripting vulnerabilify has been so high on various vulnerabilify lists for such a long time.

The Cross-Site Request Forgery attack vector is also on the decline after a high of 112 in 2009. Attention given to address CSRF vulnerabilities seem to have reduced its presence.

WhiteHat Security The WhiteHat Securify organization released the 11* edition (since 2006) oftheir "WhiteHat Website Security Statistics 2011 Report" (WhiteHat, 2012). WhiteHat's findings are quite different from OWASP's Top 10 in 2010 and the NVD database. Their report indicates a slight decrease in the likelihood that a website has a SQL Injection vulnerability - from 20% in 2007 to 14% in 2011 (Figure 2). The likelihood of a Cross-Site Scripting vulnerabilify has not changed much over the past 5 years - it remains very high and ranges between 64% and 71% each year. The likelihood of finding a Cross-Site Request Forgery vulnerabilify rose from 11% in 2009 to 2 1 % in 2010 and 24% in 2011. This WhiteHat data indicates little change during the last 5 years in terms of the SQL Injection and Cross-Site Scripting vulnerabilities and a recent rise of the Cross-Site Request Forgery vulnerability.

! SQL Injection

2007 2008 2009 2010 2011

Figure 2. Percent Likelihood that one of these Vulnerabilities will appear in a Website

WhiteHat Securify, 2012

In addition, the WhiteHat Securify group reported the following findings: • Most websites were exposed to at least one serious vulnerabilify nearly every

day of 2010

58

Understanding of Web Application Security Threats & Incidents

Only 16 percent of websites were vulnerable less than 30 days of the year overall During 2010, the average website had 230 serious vulnerabilities On the average, 50 percent of organizations require 116 days or less to remediate their serious vulnerabilities.

The question to be asked is why are there so many websites with known vulnerabilities? Even when vulnerabilities were identified, the study said that half the organizations took more than 116 days to remediate their vulnerabilities. This is rather surprising information.

Vupen Security

Vupen Securify is a European organization with headquarters in France that has a team of securify engineers and researchers that are "dedicated to finding new and unpatched securify vulnerabilities" (Vupen, 2012). In 2010 they conducted research on web application vulnerabilities-and discovered 110 of them, mainly SQL Injection and Cross-Site Scripting vulnerabilities. Vupen would make Cross-Site Scripting a higher concem than SQL Injection attacks - similar to the WhiteHat Securify group findings.

Figure 3. Web Application Vulnerabilities discovered by Vupen in 2010.

INCIDENTS WITH DATA LOSSES

The data and research examined to this point have focused on web vulnerabilities and technical aspects of potential incidents. The consensus is that many websites are vulnerable and "hackable". But are websites indeed being hacked and is confidential data being compromised? Whereas vulnerabilities only report that a web site could be exploited, incidents are securify breaches in which hackers actually exploited a vulnerable web site. Actual securify breaches are more significant as they indicate both, that a vulnerable web site is exploitable, and that hackers have an interest, financial or other, in exploiting it. There are a number of organizations that focus on gathering information on the impact of attacks and incidents that have been successful in compromising web applications.

59

Understanding of Web Application Security Threats & Incidents

Privacy Rights Clearinghouse

The Privacy Rights Clearinghouse is a group that publishes information on data breaches that have caused personal information (e.g.. Social Security numbers, account numbers and driver's license number) to be compromised. This group maintains a website listing publicly reported breaches that have occurred in the United States.

As of March 22, 2012, the Privacy Rights Clearinghouse website reported that since 2005 a total of 544,728,704 records were compromised due to 2,979 data breaches (PRC, 2012). While the exact cause of these breaches is not always reported, the breaches are organized by types:

• unintended disclosure • hacking or malware • payment card fraud • insider • physical loss • portable device • stationary device • unknown

The second category, "hacking or malware", is the one where web application security issues would be recorded. When one considers only the breaches reported as due to "hacking or malware", one gets 313,231,634 records compromised from 574 breaches made public since 2005. This is an astonishingly high number: 58% of the compromised records identified in the Privacy Rights Clearinghouse database were due to some type of hacking or malware.

The Privacy Rights Clearinghouse data provides some description of the situation surrounding each data breach. Since the SQL Injection vulnerability was ranked the number one web application threat in 2010 by OWASP, it was natural to check whether it was the cause of any of these breaches. A search for the term "SQL Injection" retumed 7 breaches where SQL Injections flaws were deemed to have played a role:

• March 3, 2012 University of Washington, Seattle, Washington, 31 login and password combinations released.

• April 28, 2011 DSLReports, 8000 passwords may have been exposed. • December 15, 2009 RockYou, Redwood City, Califomia, 32 million records

compromised. • January 28, 2008 Kiwanis Intemational, On-Net Services Indianapolis,

Indiana, 18,432 records compromised. • October 26, 2007 Scarborough & Tweed Pleasantville, New York, 570

records compromised. • January 17, 2007 TJ stores (TJX), Framingham, Massachusetts, 100,000,000

records compromised (one of the individuals arrested had used SQL Injection 60

Understanding of Web Application Security Threats & Incidents

to attack the website, although this wasn't the only fype of attack involved in this incident).

• September 7, 2006, Mystic Stamp Company, Camden, New York, 13 records compromised.

So while SQL Injection is the top web application threat according to OWASP, in terms of actual records compromised, it was involved in 132,027,000 (or 24%) of the over 544 million reported compromised records since 2005—no doubt a large percentage. But this is due in large part to two of the organizations breached, namely TJ stores (100 million records) and RockYou (32 million records). Otherwise the breaches due to SQL Injection vulnerabilities are miniscule compared to the total number of records compromised. Searches for other terms specifically related to web application securify, such as "Cross-Site Scripting" and "Cross-Site Request Forgery" were not found in the Privacy Rights Clearinghouse database.

Weh Application Security Consortium

The Web Application Securify Consortium (WASC) project is managed by a group dedicated to maintaining a list of actual web application related securify incidents. The WASC maintains a Web Hacking Incident Database (WHID) which provides information for the statistical analysis of web application securify incidents. Unlike other resources covering web site securify, the WHID focuses on the impact of the attack. To be included in the WHID an incident must be publicly reported, be associated with web application securify vulnerabilities, and have an identified out- come (WASC, 2012).

The WASC conducted the Web Application Security Statistics Project (WSAC, 2008), collecting information via securify audits, penetration testing, and other activities. Statistics from this project includes data on 12,186 websites, in which they detected 97,554 vulnerabilities. Analysis from the project revealed many numbers that provide significant reason for concem:

• Over 13 percent of the websites reviewed can be compromised in a completely automated fashion through methods such as SQL Injection.

• Approximately 49 percent of the web applications contained high-risk vulnerabilities (detected via automated scanning).

• 99 percent of Web applications do not comply with Payment Card Industry Data Securify Standards (PCI DSS).

• Administrative issues were responsible for 20 percent more vulnerabilities than system development errors.

• Compared to 2007, the number of sites with wide spread SQL Injection and Cross-Site Scripting vulnerabilities fell by 13 and 20 percent, respectively, however, the number of sites with different fypes of information leakage rose by 24 percent.

61

Understanding of Web Application Security Threats & Incidents

The WASC report stated that the most wide spread vulnerabilities are Cross-Site Scripting and SQL Injection. This 2008 WASC data matches OWASP's 2007 Top 10 list, where Cross-Site Scripting was the top item and SQL Injection was number two. The web application attack scene changed in 2008 and 2009. As seen in the National Vulnerabilify Database (NVD) described above, the number of SQL Injection attacks became more prevalent, increasing in 2008 and 2009 (NVD, 2012), so that the SQL Injection attack also became number one on the 2010 Top 10 list.

Statistics such as these presented by the WASC cause serious concem with many people and organizations that maintain web applications or interact with other organization's web applications. How can half of the web sites contain high-risk vulnerabilities? Why can so many web sites be compromised with automated methods, requiring no human interaction? Shouldn't we be able to protect web applications better?

Table 2 provides data from the WHID, organized by attack method and by year (WSAC, 2012). The first item to note is the high number of actual incidents that occurred in 2010 and 2011 (223 and 290 respectively). In previous years the number of web hacking incidents ranged between 18 and 87 per year. These numbers show a different trend then the NVD numbers (Figure 1), where 2008 and 2009 have the greatest number of reported vulnerabilities, and the years 2010 and 2011 numbers show a significant decrease in vulnerabilities. Could there be a lag in the number of vulnerabilities found in web applications - and one or two years later the increase in actual losses occurs due to those vulnerabilities? Maybe the long time it takes organizations to remediate known vulnerabilities could explain this lag.

TABLE 2. WEB HACKING INCIDENT DATABASE (WHID) BY YEAR AND TYPE OF ATTACK METHOD (MARCH 22, 2012).

Attack Methods Total Occurrences

Web Hacking Incident 2004

18 2005

63 2006

45

Database (WHID) 2007

87 2008

62 2009

48 20/0

223 20/7

290

SQL Injection Cross-Site

Scripting Cross-Site

Request Forgery

3

4

5

14

5

26

18

7

23

4

2

12

3

2

32

14

6

68

3

6

According to this WHID data, Cross-Site Scripting was the most common attack method between 2004 and 2006. But beginning in 2006 the SQL Injection attack was reported to be the cause of the most incidents, with a significant increase in 2011. This is much different from the vulnerabilities reported in the NVD, but it does match with the OWASP's 2010 Top 10 list.

62

Understanding of Web Application Security Threats & Incidents

Verizon Business

In conjunction with the US Secret Service and the Dutch High Tech Crime Unit, Verizon Business publishes and annual Data Breach Investigations Report, the latest being the 2012 report (Verizon, 2012). Verizon has tracked the number of compromised records since 2004. Figure 4 shows the number of compromised records on a yearly basis. Two outliers that attract attention are the high number of records compromised in 2008 and the low number in 2010.

400000000

350000000

300000000

250000000

200000000

150000000

100000000

50000000

114880(2!B09 2011

Figure 4. Compromised Records 2004-2011, Verizon Data Breach Investigation Report

Verizon also looks at the number of breaches that caused the compromise of the individual records. The number of breaches recorded by Verizon increased dramatically from 141 in 2009 to 761 in 2010 and 855 in 2011. Although there was an increase in the number of breaches from 2009 to 2010, interestingly there were fewer compromised records (Table 4).

The SQL Injection vulnerabilify was prevalent in the Verizon report. In 2010 Verizon found that 54 of the 761 breaches they investigated for 2010 dealt with SQL Injection attacks resulting in the loss of 933,157 records (Verizon, 2011). While they do not provide specific numbers of breaches and loss of records due to the SQL Injection vulnerabilify in 2011, they do say that there were a slightly higher number of breaches and loss of records in 2011 over 2010.

PROTECTING WEB APPLICATIONS

It is clear that web applications have serious vulnerabilities and some of the vulnerabilities have been exploited, causing significant impact to organizations and individuals. While the task of implementing and managing web application securify for better protection against the various threats appears daunting, these studies have

63

Understanding of Web Application Security Threats & Incidents

shown that securify can be improved with limited resources. The most obvious answer is for organizations to apply standard best practices in order to create more secure web applications. Here are a few recommendations.

A reasonable level of securify can be obtained if the proper methodologies are realized at the beginning of the web development process—building securify into the website and in all phases of the web development project. So often this is not the case (Brodkin, 2007). Incorporating a Security Development Life-Cycle (SDLC) approach for application development is recommended (Bau et. al., 2010).

Threat modeling when developing a website is helpful to better identify the necessary controls needed to be put in place (CLUSIF, 2010). Examples of controls include:

• Authentication control • Authorization control • Error handling control • Input validation control • Session management control.

Developers must leam to appreciate and write more secure code. Understanding the nature of the various vulnerabilities is essential. As a rule, Cross-Site Scripting and SQL Injection vulnerabilities are caused by improper input handling - these are really design and coding errors. OWASP offers programmers the OWASP Enterprise Securify Application Profile Interface API (ESAPI), a free/open source web application securify control library to assist programmers in writing lower-risk applications and retrofitting securify into existing applications. These ESAPI libraries serve as a solid foundation for new development as well (OWASP, 2010).

If organizations regularly scan and test their websites and web applications one could assume that their websites would be susceptible to fewer vulnerabilities. There are a variefy of black box scanners that can be used to detect vulnerabilities. Although researchers found room for improvement in detecting vulnerabilities, the scanners tested provide significant value to customers, when used systematically as part of an overall securify program (Bau et. al., 2010). Verizon Business states that even if lightweight web application scanning and testing would have occurred, many of the problems that led to major breaches could have been prevented (Verizon, 2011).

One could also ask consumers to take actions to be more secure. For example, consumers could set their browsers to block all scripting on all websites by default. The result though, is a significant reduction in functionalify—and requiring users to implement the blocking would mean they would have to know how to properly secure their browsers.

Organizations should review their web application infrastructure to ensure they provide adequate monitoring and logging mechanisms. If proper monitoring mechanisms are not in place, often attacks and successful compromises go unnoticed

64

Understanding of Web Application Security Threats & Incidents

for extended periods of time. The longer the intrusion lasts, the more severe the aftermath.

The Verizon Business report states that the cost of recommended preventive measures is "simple and cheap" for 63% of the breaches—and "difficult and expensive" for only 3% of the breaches (Verizon, 2012). So the task of improving the security of web applications is attainable—even with limited resources.

But there has to be more that can be done, then just to say that analysts must design more secure web applications, and developers must code more secure web applications, and system administrators must maintain and manage more secure web applications.

CONTRIBUTIONS OF THE STUDY

This study has reviewed a number of sources collecting data of web application security threats and actual incidents. The analysis of the data revealed different perspectives on the security of web applications and the impact of the different vulnerabilities:

• NVD shows that number of vulnerabilities due to SQL Injection, Cross-Site Scripting and Cross-Site Request Forgery have decreased each year for the last 3 years.

• WhiteHat has said that the likelihood of SQL Injection and Cross-Site Scripting vulnerabilities have remained unchanged over the last 5 years, while increasing for the Cross-Site Request Forgery vulnerability.

• The Privacy Rights Clearinghouse data identifies only one breach due to SQL Injection in 2010 and 2011 with an exposure of 8000 records.

• The WHID reports a large increase in the number of vulnerabilities overall in 2010 and 2011, particularly in SQL Injection vulnerabilities.

• The Verizon Business report documents in both 2010 and 2011 that 7 to 8% of all breaches relate to the SQL Injection vulnerability, resulting in the loss of around one million records each year.

This study has raised questions as to the validify of the various sources. What data do we believe? Are web applications becoming more secure and are we experiencing less loss of personal data? Further research is necessary to better understand the nature and criteria used by the various groups in collecting their data. What is the significance of data on vulnerabilities—if there is little to show that the vulnerabilities have been exploited and caused the loss of personal data? How do we collect better and more accurate data?

This study also questions the seriousness of the impact of various vulnerabilities. Is seriousness or impact tied to actual losses, rather than just the presence of vulnerabilities in a website? While OWASP named SQL Injection the number one

65

Understanding of Web Application Security Threats & Incidents

web application threat in 2010, the number of SQL Injection threats in the NVD have fallen to the second place and declined from 1093 in 2008 to 289 in 2011. WhiteHat's data shows the SQL Injection threat in third place, with the likelihood of a website with this vulnerabilify declining from 20% in 2007 to 14% in 2011. When looking at actual data losses from the SQL Injection vulnerabilify we find that there was only 1 data loss incident reported in the Privacy Rights Clearinghouse for 2010 and 2011, for a loss of 8000 records (and so far one incident in 2012 with a loss of 31 records attributed to the SQL Injection vulnerabilify). An outlier is the data from the WHID which shows a dramatic increase in SQL Injection hacks from 12 in 2009 to 32 in 2010 and 68 in 2011. Only the Verizon Business Data Breach Investigations Report makes a strong case that the SQL Injection vulnerabilify has serious consequences, namely they found that in 2011 8% of the breaches were due to SQL Injection vulnerabilities resulting in the loss of over one million records. How does the Verizon report indicate the loss of over one million records due to SQL Injection vulnerabilify when the Privacy Clearinghouse does not identify any lost records due to the SQL Injection vulnerabilify?

Both the Privacy Rights Clearinghouse and the Verizon Business report do not call out and attribute specific breaches due to the Cross Site Scripting and the Cross Site Request Forgery vulnerabilities. Does this mean that even if these vulnerabilities are present in many web applications, they are not of great concem? Or is it that one does not know or cannot tell what vulnerabilify led to a breach? More research and better data collection is necessary.

This study also suggests additional approaches to promoting more secure web applications, in addition to more secure development and maintenance of web applications. A suggestion is that web site owners and consumers place more value on third parfy providers of "trust seals". There are numerous organizations that provide trust seals to be displayed on a website. After performing some review these third parfy organizations would allow a website to display the organization's tmst seal on their website. The trust seal would indicate that the website has undergone some review and is therefore "more secure". There are website operators that undergo vetting by a certificate authorify (CA) which provides extra confirmation to a user for some domain validation. There is also an "extended validation (EV) certificate" that indicates the CA has completed an independent audit. Verisign offers an automatic weekly vulnerabilify scan for their SSL customers -thereby providing assurance to web users if they see the Verisign Trust Seal on a website (Verisign, 2012). Do consumers understand and demand more secure web applications? A Stanford and Microsoft Research study on EV displays conducted in 2006 concluded that "participants who received no training in browser securify features did not notice the extended validation indicator and did not outperform the control group", whereas "participants who were asked to read the Internet Explorer help file were more likely to classify both real and fake sites as legitimate" (Jackson et. al., 2006). Consumer education and awareness training is necessary.

66

Understanding of Web Application Security Threats & Incidents

In addition, this study calls attention to the need for further research on the geographic source of attacks on web applications. WHID attempts to track the origin of the attacks entered into its database (WASC, 2010). However they say that this data is seldom available in the news reports or disclosed by the victim sites. For over 72% of the attacks in the WHID database the source of the attack is not identified. For the 28% of the attacks where the origin of the attack is identified, the top countries determined to be the origin of attacks are the United States (5.7%), Turkey (3.8%), Romania (3.16%), China 2.53%) and Russia (2.53%).

The Verizon Business report has found the origin of attacks for 90% of the breaches in their database. They claim that 67% of the breaches originate from Europe-East and 20% from North America. They cannot identify only 10% of the countries of origin. Again, we have vastly different data from the different sources analyzed in this study.

CONCLUSIONS AND FURTHER RESEARCH

The growth and essential nature of the intemet, and the increasing number of web vulnerabilities, along with an increasing number of web users, make web securify one of the most crucial aspects of an organization's operations. This paper examined a variefy of web vulnerabilify and securify resources, including Open Web Application Securify Project (OWASP), National Vulnerabilify Database (NVD), WhiteHat Securify, Web Application Securify Consortium (WASC), Privacy Rights Clearinghouse and the Verizon Business Data Breach Investigations, to analyze the validify and actual impact of the various threats and vulnerabilities. These sources have provided vastly differing data.

It is a fair to assume that many organizations are reluctant to publicly disclose the details of the compromise for fear of public perception and possible impact to customer confidence or competitive advantage. One could conclude that the number of successful attacks is really much higher than those reported in the various sources examined. This lack of disclosure, not only skews the statistics, but makes fixing the root cause of the problem more difficult.

It seems the source of many vulnerabilify and attack resource sites is based on and derived from US data. There are European and Asian sites that must be examined and compared to US sources. In addition, it would be useful to determine if there is a correlation between country of origin, and fype of web vulnerabilify used in the attack.

While the discussion of which vulnerabilities are the most common, or the most dangerous, or have been found the most often, or have resulted in the most data loss, etc., are interesting ones, more focus should be put on helping organizations implement more secure web applications.

67

Understanding of Web Application Security Threats & Incidents

BIBLIOGRAPHY

Bau, J., Bursztein, E., Gupta, D. & Mitchell, J. (2010). State of the Art: Automated Black-Box Web Application Vulnerabilify Testing. Stanford Universify. Retrieved from http://cdn.ly.tl/publications/state-of-the-art-automated-black-box-web- application-vulnerabilify-testing.pdf

Brodkin, J. (2007). The Top 10 Reasons Web Sites Get Hacked. Network World. Retrieved from http://www.networkworld.com/news/2007/100407-web-site- vulnerabilities.html.

CLUSIF. (2010). Web Application Securify: Managing Web Application Securify Risks. Club De La Sécurité De L'information Francais. Retrieved from http://www.clusif.asso.fr/fr/production/ouvrages/pdf/CLUSIF-2010-Web-application- securify.pdf

Jackson, C , Simon, D.R., Tan, D.S., & Barth, A. (2006). An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks. Retrieved from http://www.usablesecurity.org/papers/jackson.pdf

NVD. (2012). National Vulnerabilify Database. Retrieved from: http://web.nvd.nist.gov/view/vuln/search

OWASP. (2010). OWASP Top Ten Project. Retrieved from https://www.owasp.org/index.php/Category:OWASP Top_Ten_Project

PRC. (2012). Privacy Rights Clearinghouse Chronology of Data Breaches. Retrieved from http://www.privacyrights.org/data-breach

Verisign. (2012) Web Site Malware Scanning. Retrieved from http://www.verisign.com/ssl/ssl-information-center/malware-scan-faq/index.html

Verizon. (2011). 2011 Data Breach Investigations Report. Retrieved from http://www.verizonbusiness.com/Products/securify/dbir/

Verizon. (2012). 2012 Data Breach Investigations Report. Retrieved from http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations- report-2012_en_xg.pdf

Vupen. (2012). Vupen Security. Retrieved from http://www.vupen.com

WASC. (2008). Web Application Securify Statistics. Retrieved from http://wvvw.webapsec.org https://files.pbworks.com/download/K7j2rUeYRw/webappsec/13247070/WASS-SS- 2008.pdf

68

Understanding of Web Application Security Threats & Incidents

WASC. (2010). The Web Hacking Incident Database 2010. Retrieved from https://www.trustwave.com/downloads/WHID_SemiannuaI_Report_2010.pdf

WASC. (2012). Web Hacking Incident Database. Retrieved from http://pr0jects.webappsec.0rg/w/page/l 3246995/Web-Hacking-Incident- Database#TopApplication Weaknesses

WhiteHat. (2012). WhiteHat Website Securify Statistics Report. Retrieved from https://www.whitehatsec.com/home/resource/stats.html http://img.en25.com/Web/WhiteHatSecurifyInc/WPstats_winterl l_llth.pdf

AUTHOR BIOGRAPHY

Gerhard Steinke completed his doctoral work at the Universify of Passau in Germany. He has taught Information Systems and Information Securify at Seattle Pacific Universify for the last 20 years. In addition, he has consulted for organizations such as Boeing, Microsoft, AT&T Wireless and the State of Washington. He has provided seminars not only in the US, but also in Mexico, Malaysia and Romania.

Emanuel Tundrea completed his doctoral work at the Universify Polytechnic of Timisoara in Romania. He has taught Management Information Systems at Emanuel Universify for the last 5 years with a focus on Databases and Software Engineering. He was part of the Object Software Component research group at the 13S Lab in Sophia-Antipolis in France.

Kenmoro Kelly completed his Master's degree in Information Systems Management at Seattle Pacific Universify. His research interest lies in the area of helping organizations manage technology risks.

69

Copyright of Journal of Information Privacy & Security is the property of Ivy League Publishing and its content

may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express

written permission. However, users may print, download, or email articles for individual use.

web security/Proposal.docx

Research Proposal Topic: Data and Web Application Security.

Introduction

Development in web application in web applications, web services and other technologies have changed the pattern business is conducted, and how information is accessed and share. Most business have shifted their majority of their operations online so that staffs from another office location, business partners from different countries can share sensitive data in real time and working towards common goal. Also, the requests of web users have changed, the users want to access any data they want anytime, these requests have forced businesses to make such data available online via web applications. Typical examples online banking system and online shopping websites. All these advancement in web applications mentioned above have also attracted malicious hackers and scammers, therefore data and web application security are importance to issue to study because of economy value of web application, data stored in the application and how it affects our day to day activities.

Discussion

Security of any system that affect our day to day activities is an interest area to carry out study and this has been a force that make to develop interest in this topic. The approach of implementing security in traditional software development may not well where security for data and web applications are consider, also, network security differs from web application security, in network security, perimeter defense such as firewalls are used to block attackers out and allow access to authorized users by configure the firewall to allow specific IP address to access specific service and block the rest but business websites and applications need to be accessed by everyone, hence administrators have to allow all incoming traffic on port 80 (HTTP) and 443(HTPS) and expect that everyone plays by the rules. Because of the reasons stated above data and web application security is an area to give special attention. From research carried out on early study, most common web application security risk can be classified into three major categories which are technical vulnerabilities, configuration vulnerabilities, and security vulnerabilities. Technical vulnerabilities are due to technical flaws in code and it causes most serious attack like injection attacks, XSS and CSRF attacks. Configurational vulnerabilities are due to architectural flaws in the system and these include encryption flaw, serve misconfiguration and predictable pages, information leakage and so on. Security vulnerabilities are due to malfunction of the application or flaws in transport layer, network layer or other layer in the network, Examples of security vulnerabilities include DOS, DNS cache poisoning, path manipulation and man in the middle attack. All these categories of vulnerabilities will be explored in this study and all approaches to detect and prevent them. Web application, Data, and Security will be the research keywords.

Timeline

Conclusion

Developing a secure web application is a continues process and tedious therefore it is impossible to find and eliminate all vulnerabilities, but this study will cover as much as possible to make it reference for future study.

Citation

Jose Fonseca, Nuno Seixas, Marca Viera, and Henrique Madeira. “ Analysis of field data on web vulnerabilities.“ IEEE transactions on dependable and secure computing vol 11, no 2, March/April 2014.

Abhishek Patidar, Gajendra Jagnade, Laxmi Madhuri, Pranay Mehta, Ronak Seth. “Data security using cryptosteganography in web application .” Computer engineering and intelligent system issn 2222-1719(paper) issn 2222-2863(online) volume 3, no 4, 2012.

Gerhard Steinke, Emanuel Tundrea, Keamoro Kelly. “Towards an understanding of web application security threats and incident .”

web security/web application security with kali linux.pdf

513

B ab

in ce

v, I.

e t a

l, W

eb a

pp lic

at io

n se

cu rit

y an

al ys

is u

si ng

th e

K al

i L in

ux o

pe ra

tin g

sy st

em , p

p. 5

13 –5

31

WEB APPLICATION SECURITY ANALYSIS USING THE KALI LINUX OPERATING SYSTEM Ivan M. Babinceva, Dejan V. Vuletićb a Serbian Armed Forces, Technical test center, Belgrade, Republic of Serbia, e-mail: babincev1301@gmail.com, ORCID iD: http://orcid.org/0000-0002-3994-9032 b Ministry of Defence of the Republic of Serbia, Defence Policy Sector, Strategic Research Institute, Belgrade, e-mail: dejan.vuletic@mod.gov.rs, ORCID iD: http://orcid.org/0000-0001-9496-2259

DOI: 10.5937/vojtehg64-9231 FIELD: Computer Sciences ARTICLE TYPE: Professional Paper ARTICLE LANGUAGE: English Abstract:

The Kali Linux operating system is described as well as its purpose and possibilities. There are listed groups of tools that Kali Linux has together with the methods of their functioning, as well as a possibility to install and use tools that are not an integral part of Kali. The final part shows a practical testing of web applications using the tools from the Kali Linux operating system. The paper thus shows a part of the posibilities of this operating system in analysing web applications security, which presents the goal of this work. Key words: security, web applications, Kali Linux.

Uvod Web applications contain many vulnerabilities that can compromise

integrity of web pages, reveal confidential information and disrupt the operation of the application itself. Although there are different mechanisms of protection, new vulnerabilities are revealed dailly and attackers can use them for various attacks.

514

V O

JN O

T E

H N

IČ K

I G LA

S N

IK /

M IL

IT A

R Y

T E

C H

N IC

A L

C O

U R

IE R

, 2 01

6. , V

ol 6

4, N

o 2 Due to the emergence of new security threats in the area of cyber

security, the creators of the BackTrack operating system created a new, specialized Linux distribution intended for Penetration testing, called Kali Linux.

Kali Linux operating system Born and released on March 13th, 2013, Kali Linux is based on

Debian and an FHS-compliant filesystem. (Muniz, Lakhani, 2013). Debian was created in 1993 as a Linux distribution. It is completely democratically organized, in hands of community, and its users are generally enthusiasts and Linux experts, because Linux administration, in comparison to other operating systems, is more complicated. Filesystem Hierarchy Standard (FHS) defines the structure of folders and it is primarily intended for Unix programmers.

Kali has many updated tools, synchronized four times a day. This means that users have the latest package updates and security fixes. Kali Linux is essencially a Linux distribution intended for penetration testing. Kali Linux has many possibilities and different types of tools - it can test network security, security of operating systems, communications, applications, etc. It can be downloaded from the Internet in a few different ways.

Kali Linux can be used in a virtual environment, by installation on a virtual machine. Also, it can be run without installation software on the hard disk, accessing an external source such as a USB or DVD. However, this is not reliable, due to a negative effect on the setup and operations of some tools. Because of its speed, accuracy and other performances, it is highly recommended to install Kali Linux on a host hard drive.

There is a possibility of parallel existence and use of two operating systems on one computer, the dual boot method, which is desirable for Windows users and Linux beginners. It is recommended to install Kali Linux in a virtual machine. This paper uses the VMWare Workstation 10 virtualization software and the Kali Linux 1.0.7 operating system.

Kali Linux offers many customized tools designed for penetration testing, categorized in the following groups, (Muniz, Lakhani, 2013), as seen in Figure 1:

515

B ab

in ce

v, I.

e t a

l, W

eb a

pp lic

at io

n se

cu rit

y an

al ys

is u

si ng

th e

K al

i L in

ux o

pe ra

tin g

sy st

em , p

p. 5

13 –5

31

Figure 1 – Kali Linux group tools Рис. 1 – список инструментов Kali Linux

Slika – 1 Grupa alata Kali Linux-a

Information Gathering: these are reconnaissance tools, used to gather data on target networks and devices. Tools range from identifying devices to protocols used.

Vulnerability Analysis: tools from this section focus on evaluating systems for vulnerabilities. Typically, these are run against systems found using the tools from the previous section.

Web Applications: these are tools used to audit and exploit vulnerabilities in web servers. However, these tools do not always refer to attacks against web servers, they can be web- based tools for testing network services.

Password Attacks: this section of tools is primarily used for perfoming Brute force attacks on passwords used for authentication.

Wireless Atacks: these tools are used to exploit vulnerabilities found in wireless protocols. In most cases, tools from this section require a wireless adapter that can be configured by the Kali Linux operating system, to be put in a particular operation mode.

516

V O

JN O

T E

H N

IČ K

I G LA

S N

IK /

M IL

IT A

R Y

T E

C H

N IC

A L

C O

U R

IE R

, 2 01

6. , V

ol 6

4, N

o 2 Exploitation Tools: these are tools used to exploit vulnerabilities

found in systems. Sniffing and Spoofing: these are tools used for network packet

captures and network packet manipulation. Maintaining Access: tools to be used after establishing access

to the target network or system. They provide alternative paths and approaches, if the vulnerability used for access by attacker is found and removed.

Reverse Engineering: the purpose of these tools is analyzing how a program was developed so it can be copied, modified, or so that it can lead to development of other programs. Reverse engingeering is also used for malware analysis or by researchers in discovering vulnerablities in software applications.

Stress Testing: these tools are used to evaluate how much data a system can handle. Undesired outcomes could be obtained, such as causing a device controlling network communication to open all communication channels or a system shutting down (also known as a denial of service attack).

Hardware hacking: this section contain Android tools, which could be classified as mobile, and Ardunio tools that are used for programming and controlling other small electronic devices.

Forensics: forensics tools are used to monitor and analyze computer network traffic and applications.

Reporting Tools: these tools serve to deliver information found during a penetration exercise.

System services: this is where Kali Linux services can be enabled or disabled.

Using Kali Linux tools in Web application testing A web application containing vulnerabilities threatens the security of

a database and the entire computer system, because the web page must be constantly available to provide services to users. Firewall and other similar programs do not provide protection against malicious activities in such a case, because web applications often have direct access to user databases, but also must be available outside the local network, so it is difficult to ensure security. One of the main problems is to detect web application vulnerabilities before attackers exploit them. (CARNet, 2007), (CARNet, 2008).

Vulnerability scanning uses various tools, both commercial ones and those available on the Internet, which are free for using. The main

517

B ab

in ce

v, I.

e t a

l, W

eb a

pp lic

at io

n se

cu rit

y an

al ys

is u

si ng

th e

K al

i L in

ux o

pe ra

tin g

sy st

em , p

p. 5

13 –5

31

advantage of commercial tools is the automatization of the scanning proccess offered by almost all commercial versions. The efficiency of each tool depends on the content to be searched, but most tools can conduct basic vulnerability scanning. By studying the basic features of tools, it is easy to find a suitable scanner that should be used to search vulnerabilities of individual applications.

It is recommended to start the specific tools and test web applications to detect and correct security holes prior to its use. Kali Linux is an excellent solution that contains many tools intended for scanning vulnerabilities and web application security testing. This article covers tools: Burp Suite, XSSer, Nessus, Nikto and Vega. Damn Vulnerable Web Application and Mutillidae application are used as test applications.

Burp Suite

Burp Suite is an integrated platform for performing security testing of

web applications (Burp Suite, nd). Its various tools support the entire testing process. It allows the combination of advanced manual techniques and automated attacks that accelerate the testing process and make it more effective. Burp Suite includes the following tools:

Proxy – analyzes and modifies the traffic between the browser and the target application. It intercepts and modifies HTTP traffic, easily analyzes content and manipulates requests sent to the server by a client;

Spider – analyzes the traffic that goes through the Proxy server and sends requested content to other Burp Suite tools. It keeps the entire work and allows the operation to continue where it stopped the last time;

Scanner – scans web applications. It provides a complete control of the scanned content and displays the results of scanning;

Intruder – allows performing improvized attacks that exploit vulnerabilities;

Repeater – tool for modifying HTTP requests and analyzing the received responses;

Sequencer – tool for testing randomness of session tokens of applications;

Decoder –simple tool for encoding and decoding text strings; Comparer – this tool is used to compare data, for example to

compare two or more HTTP responses; Extender – allows different extensions of the functionalities of the

Burp Suite platform.

518

V O

JN O

T E

H N

IČ K

I G LA

S N

IK /

M IL

IT A

R Y

T E

C H

N IC

A L

C O

U R

IE R

, 2 01

6. , V

ol 6

4, N

o 2 Burp Suite can be run in two ways:

by typing the burpsuite command in the terminal, under Applications | Kali Linux | Web Applications | Web

Application Fuzzers | burpsuite. After launching Burp Suite, this launch dashboard will be presented:

(Figure 2).

Figure 2 – Burp Suite – initial screen

Рис. 2 – Burp Suite – начальный экран Slika 2 – Burp Suite – početni ekran

This paper describes a tool Intruder, which is used to perform an

automated brute force attack on the dvwa (damn vulnerable web application) test application. Before performing the attack, it is necessary to configure Proxy. It is necessary to set the IP address and the port on which Proxy works, the localhost address and a specific port number. These settings should match the settings of the web browser (Figure 3).

519

B ab

in ce

v, I.

e t a

l, W

eb a

pp lic

at io

n se

cu rit

y an

al ys

is u

si ng

th e

K al

i L in

ux o

pe ra

tin g

sy st

em , p

p. 5

13 –5

31

Figure 3 – Proxy server configuration Рис. 3 – Настройки Proxy-сервера Slika 3 – Podešavanje Proxy servera

As seen in Figure 3, Iceweasel uses the HTTP Proxy server active on port 8080 and the IP address of the localhost, 127.0.0.1. Burp Suite Proxy must be configured in the same way. It is necessary to select Options on the tab Proxy and enter the required parameters. After that, it is necessary to enable Intercept on the same tab, to intercept requests sent to the server. By a click on the Brute Force tab in the dvwa application, the authentification window shows up.

By a click on login after entering the username and the password, the authentification request will be sent to the server through Burp Proxy, and Proxy will intercept that request. As a result, the intercepted request will be displayed on the tab Intercept in the Burp Suite platform. In the next step, the request is sent to the Intruder. It is necessary to mark the areas over which the attack will be executed, and to select a type of attack .

After creating the list of possible usernames and passwords, the attack is launched (Figure 4).

520

V O

JN O

T E

H N

IČ K

I G LA

S N

IK /

M IL

IT A

R Y

T E

C H

N IC

A L

C O

U R

IE R

, 2 01

6. , V

ol 6

4, N

o 2

Figure 4 – Burp Suite - launch attack Рис. 4 – Burp Suite – запуск атаки

Slika 4 – Burp Suite – realizacija napada

Figure 5 shows the results of an automated brute force attack. The attack was successfully executed, the username is admin and the password is password.

Figure 5 – Burp Suite – results shown

Рис. 5 – Burp Suite – отчет результатов Slika 5 – Burp Suite – prikaz rezultata

521

B ab

in ce

v, I.

e t a

l, W

eb a

pp lic

at io

n se

cu rit

y an

al ys

is u

si ng

th e

K al

i L in

ux o

pe ra

tin g

sy st

em , p

p. 5

13 –5

31

XSSer XSSer is an open source tool used for penetration testing.

(http://xsser.03c8.net/). It automates the process of detection and exploitation of XSS vulnerability on a web site or application (XSSer, nd). By typing the xsser --gtk command into the terminal, the initial XSSer screen shows up (Figure 6). It can also be accessed without typing commands, by clicking on the tab Applications | Kali Linux | Web Applications | Web Application Fuzzers | xsser.

Figure 6 – XSSer – initial screen

Рис. 6 – XSSer – Начальный экран Slika 6 – XSSer – početni ekran

Before starting the attack, it is necessary to set certain parameters in

the URL of the site or the tested application. After displaying the startup screen, it is necessary to click on the Expert Visor tab, choose Visor (s) and set the Connect option to ON (include connection). Then, mark the Intruder, enter the target URL and mark the Automatic.

After that, click on the button Aim!, then the button FLY!!! and XSSer will begin attack. As a result of the attack, a list of possible XSS injections will be displayed after certain time (Figure 7).

522

V O

JN O

T E

H N

IČ K

I G LA

S N

IK /

M IL

IT A

R Y

T E

C H

N IC

A L

C O

U R

IE R

, 2 01

6. , V

ol 6

4, N

o 2

Figure 7 – XSSer – overview of a possible injection

Рис. 7 – XSSer – отчет о возможных XSS инъекциях Slika – XSSer – prikaz mogućih XSS injekcija

Nessus Nessus is a free tool for scanning and finding vulnerabilities in

computer systems. Nessus supports over 50,000 plugins for detection of various types of vulnerabilities. A plugin typically contains information about the vulnerabilities, guides the user to confirm the existence of certain vulnerabilities and gives instructions for their removal.

Using the Nessus tool on the Kali Linux operating system requires an additional installation of Nessus, because Nessus does not belong to the set of tools contained in Kali Linux. After downloading the installation file, the installation is launched from the terminal (Figure 8), by typing the command dpkg-i in front of the file name.

Nessus operates using the Web server and the Nessusd server. The web server communicates with the Nessusd server and it is used for configurating and monitoring the scanning process, while the Nessusd server contains a plugins database and realizes the scanning process (Chuming, Manton, 2004).

523

B ab

in ce

v, I.

e t a

l, W

eb a

pp lic

at io

n se

cu rit

y an

al ys

is u

si ng

th e

K al

i L in

ux o

pe ra

tin g

sy st

em , p

p. 5

13 –5

31

Figure 8 – Nessus – installation Рис. 8 – Nessus –установка Slika 8 – Nessus – instalacija

A click on the New Scan displays a page with different types of scans

that Nessus can realize (Figure 9), which shows a wide range of its capabilities. As shown in Figure 9, Nessus supports web application testing.

Figure 9 – Nessus – some of the possibilities Рис. 9 – Nessus – некоторые возможности

Slika 9 – Nessus – neke od mogućnosti

524

V O

JN O

T E

H N

IČ K

I G LA

S N

IK /

M IL

IT A

R Y

T E

C H

N IC

A L

C O

U R

IE R

, 2 01

6. , V

ol 6

4, N

o 2 A click on the Web Application Tests displays a page where the user

has to set certain parameters and perform settings (Figure 10). The BASIC card allows entering the name of scanning, the description and the targeted URL address. The Mutillidae application is used as a test application. Using Schedule options and Email Notifications, Nessus allows periodical scanning and reporting via e-mail.

Figure 10 – Nessus – data entry Рис. 10 – Nessus – ввод данных

Slika 10 – Nessus – unos podataka

Nikto Nikto is a very popular open source tool for testing web application

security. It is written in the Perl programming language. Nikto is platform independent, so it can work on both Windows and Linux. Nikto's tools are based on a Perl module called libwhisker that allows finding CGI scripts on web servers. The Libwhisker module is included in the standard Nikto software package, but it is advisable to regularly update it with new versions (CARNet, 2003).

Although it can be treated as deficiency, Nikto uses the CLI, which is suitable for the remote start of the tool, using an SSH connection. There is no graphical user interface. It is designed so that it does not require a graphical access to the system to install and run. During the scan, Nikto sends a large number of requests to the server and then analyzes the received responses. Nikto is capable of sending data in the form of HTTP requests so it can test the XSS (Cross Site Scripting) and SQL Injection vulnerabilities.

After starting, Nikto will begin scanning and results will be displayed in the terminal (Figure 11).

525

B ab

in ce

v, I.

e t a

l, W

eb a

pp lic

at io

n se

cu rit

y an

al ys

is u

si ng

th e

K al

i L in

ux o

pe ra

tin g

sy st

em , p

p. 5

13 –5

31

Figure 11 – Nikto - results shown in the terminal

Рис. 11 – Nikto – отчет выявленных результатов Slika 11 – Nikto – prikaz rezultata u terminalu

Based on the displayed results, the application is vulnerable. If the

user uses the command -o (output) and determines the output file, the results will be saved in the output file. In this case, the results are stored in the file testic.html. Opening the testic.html file using the web browser allows an access to the scan results, which are presented in the form of web pages (Figure 12).

Figure 12 – Nikto – presentation of the report in the Iceweasel browser

Рис. 12 – Nikto – отчет в браузере Iceweasel Slika 12 – Nikto – prikaz izveštaja u Iceweasel pretraživaču

526

V O

JN O

T E

H N

IČ K

I G LA

S N

IK /

M IL

IT A

R Y

T E

C H

N IC

A L

C O

U R

IE R

, 2 01

6. , V

ol 6

4, N

o 2

Vega Vega is a free tool designed to test the security of web applications.

It is used to check the vulnerability of web applications such as SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and many others. It is written in the programming language Java, contains a graphical environment and runs on various operating systems (https://subgraph.com/vega/).

Vega contains an automated scanner that conducts vulnerability testing. According to many sources, this is one of the best free tools for vulnerability assessment.

Vega has a very simple graphical environment. With the launch of the new scanning and entering the target URL, the preparation for web applications scanning is completed. Vega can be run in one of two ways:

typing the vega command into the terminal, clicking on Applications | Kali Linux | Web Applications | Web

Vulnerability Scanners | Vega, The initial screen is displayed after start (Figure 13).

Slika 13 – Vega – početni ekran Figure 13 – Vega – initial screen

Рис. 13 – Vega – начальный экран

527

B ab

in ce

v, I.

e t a

l, W

eb a

pp lic

at io

n se

cu rit

y an

al ys

is u

si ng

th e

K al

i L in

ux o

pe ra

tin g

sy st

em , p

p. 5

13 –5

31

Vega contains Scanner and Proxy buttons in the upper right corner of the initial screen. Clicking on the Scanner button in the upper right corner and then clicking on the Scan button in the upper left corner will display a window to enter the targeted URL address (Figure 14).

Figure 14 – Vega – entry of the targeted URL

Рис. 14 – Vega – ввод целевого URL Slika 14 – Vega – unos ciljanog URL-a

The next step is to select a specific scanning mode so that

vulnerability can be tested (Figure 15).

Figure 15 – Vega - ways of scanning

Рис. 15 – Vega – способы сканирования Slika 15 – Vega – načini skeniranja

528

V O

JN O

T E

H N

IČ K

I G LA

S N

IK /

M IL

IT A

R Y

T E

C H

N IC

A L

C O

U R

IE R

, 2 01

6. , V

ol 6

4, N

o 2 During scanning, the Vega groups discovered vulnerabilities

according to the level of risk. Website View in the upper left corner shows the tested applications and other URL addresses associated with the tested applications (Figure 16). The Scan Alerts window in the lower left corner displays the categories of the discovered vulnerabilities (Figure 16).

Figure 16 – Vega – scanning

Рис. 16 – Vega – сканирование Slika 16 – Vega – skeniranje

As a scanning result, Vega will present a report on the discovered vulnerabilities. The vulnerabilities are grouped according to the level of risk to the tested application (Figure 17).

Figure 17 – Vega – report Рис. 17 – Vega – отчет

Slika 17 – Vega – izveštaj

529

B ab

in ce

v, I.

e t a

l, W

eb a

pp lic

at io

n se

cu rit

y an

al ys

is u

si ng

th e

K al

i L in

ux o

pe ra

tin g

sy st

em , p

p. 5

13 –5

31

Conclusion The paper describes different tools used for security testing and finding

vulnerabilities in web applications. All tools are an integral part of the Kali Linux operating system, except Nessus, which is additionally installed thus showing a possibility of upgrading Kali Linux with new tools. This article shows how the tools operate, demonstrates practically how to configure and use different tools, and which vulnerabilities were discovered using these tools. This paper presents only a part of the Kali Linux operating system possibilities in the analysis of the web application security. It is shown that the Kali Linux operating system is very efficient, considering the fact that it contains enough tools to implement a complete web application test. Although this paper describes only five, it should be noted that Kali Linux contains over thirty tools for testing web applications.

For a detailed web application test, it is necessary to use all the tools available. Detecting XSS, SQL injection and other vulnerabilities is a laborious and time-consuming job. Therefore, it is useful to have several automated scanners which will conduct an analysis of the application and prepare a report for a relatively short period of time. The number of vulnerabilities will be higher or lower, depending on the tools. Discovered vulnerabilities should be manually checked.

Although automated scanners facilitate the work of conducting web application tests, they have a deficiency since they are not able to independently decide on the appropriate action to be taken on the basis of the semantics of the content viewed and analyzed. For now, this can be performed only by the user, but tools with this ability are being developed.

It is important to emphasize that it is not advisable to use only one tool in the analysis of web application security. Scans show a lot of fake vulnerabilities and some of them are not detected. The experience and knowledge of the person who conducts testing is a crucial factor for quality and a complete analysis of web applications.

References Burp Suite. . . Preuzeto sa https://portswigger.net/burp/ CARNet. 2003. Analiza Nikto CGI Skenera.Zagreb: Hrvatska akademska istrazivacka

mreza., str. 2-9. CARNet. 2007. Analiza Nessus alata.Zagreb: Hrvatska akademska istrazivacka mreza.,

str. 5-25. CARNet. 2008. Usporedba besplatnih alata za ispitivanje sigurnosti Web aplikacija.

Zagreb: Hrvatska akademska istrazivacka mreza., str. 5-20. Chuming, C., & Manton, M. 2004. A Web Interface for Nessus Network Security

Scanner. U: International Conference on Internet Computing, Las Vegas, Nevada, USA, str. 383-389 p. 383-389.

530

V O

JN O

T E

H N

IČ K

I G LA

S N

IK /

M IL

IT A

R Y

T E

C H

N IC

A L

C O

U R

IE R

, 2 01

6. , V

ol 6

4, N

o 2 Muniz, J., & Lakhani, A.(2013). Web Penetration Testing with Kali Linux. Preuzeto sa

https: //www. packtpub. com/networking-and-servers/web-penetration-testing-kali-linux Vega Preuzeto sa https://subgraph.com/vega/ XSSer Preuzeto sa http://xsser.03c8.net/

АНАЛИЗ БЕЗОПАСНОСТИ ВЕБ-ПРИЛОЖЕНИЙ ОПЕРЦИОННОЙ СИСТЕМОЙ KALI LINUX Иван В. Бабинцевa, Дејан В. Вулетичб а Университет оборонны в г. Белград, Военная академия, кафедра военной электроники, Республика Сербия, б Министерство обороны Республики Сербия, Институт стратегических иследованний, Белград ОБЛАСТЬ: компьютерные науки ВИД СТАТЬИ: профессиональная статья ЯЗЫК СТАТЬИ: английский Резюме:

В статье дается описание операционной системы Kali Linux, включая цели и возможности ее использования. Приведен список инструментов системы Kali Linux, способ работы ее конкретных инструментов, а также возможность установки и использования инструментов, которые не являются частью операционной системы Kali Linux. В заключительной части статьи, наглядно представлено тестирование веб-приложений с применением инструментов операционной системы Linux Кали. Таким образом, представлена часть возможностей Кали Linux операционной системы, применяемой для анализа безопасности веб-приложений, что являлось целью данной работы.

Kлючевыe слова: безопасность, Веб-приложения, Kali Linux.

ANALIZA BEZBEDNOSTI WEB APLIKACIJA OPERATIVNIM SISTEMOM KALI LINUX Ivan M. Babinceva, Dejan V. Vuletićb a Univerzitet odbrane u Beogradu, Vojna akademija, Vojnoelektronsko inženjerstvo, Republika Srbija, b Ministarstvo odbrane Republike Srbije, Sektor za politiku odbrane, Institut za strategijska istraživanja, Beograd OBLAST: računarske nauke VRSTA ČLANKA: stručni članak JEZIK ČLANKA: engleski

531

B ab

in ce

v, I.

e t a

l, W

eb a

pp lic

at io

n se

cu rit

y an

al ys

is u

si ng

th e

K al

i L in

ux o

pe ra

tin g

sy st

em , p

p. 5

13 –5

31

Sažetak:

U radu je opisan operativni sistem Kali Linux , njegove namene i mogućnosti. Navedene su grupe alata kojima Kali Linux raspolaže, način rada određenih alata koje ovaj sistem sadrži, kao i mogućnost instalacije i korišćenja alata koji nisu njegov sastavni deo. U završnom delu rada praktično je prikazano testiranje web aplikacija korišćenjem alata iz operativnog sistema Kali Linux. Time je prikazan deo mogućnosti ovog operativnog sistema u analizi bezbednosti web aplikacija, što predstavlja cilj ovog rada.

Ključne reči: bezbednost, web aplikacija, Kali Linux.

Paper received on / Дата получения работы / Datum prijema članka: 08. 10. 2015. Manuscript corrections submitted on / Дата получения исправленной версии работы / Datum dostavljanja ispravki rukopisa: 30. 10. 2015. Paper accepted for publishing on / Дата окончательного согласования работы / Datum konačnog prihvatanja članka za objavljivanje: 02. 11. 2015. © 2016 The Authors. Published by Vojnotehnički glasnik / Military Technical Courier (www.vtg.mod.gov.rs, втг.мо.упр.срб). This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/3.0/rs/). © 2016 Авторы. Опубликовано в "Военно-технический вестник / Vojnotehnički glasnik / Military Technical Courier" (www.vtg.mod.gov.rs, втг.мо.упр.срб). Данная статья в открытом доступе и распространяется в соответствии с лицензией "Creative Commons" (http://creativecommons.org/licenses/by/3.0/rs/). © 2016 Autori. Objavio Vojnotehnički glasnik / Military Technical Courier (www.vtg.mod.gov.rs, втг.мо.упр.срб). Ovo je članak otvorenog pristupa i distribuira se u skladu sa Creative Commons licencom (http://creativecommons.org/licenses/by/3.0/rs/).

Copyright of Military Technical Courier / Vojnotehnicki Glasnik is the property of Military Technical Courier / Vojnotehnicki Glasnik and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.