
Web Vulnerability Detection and Security Mechanisms

MECSE2010

WEB VULNERABILITY DETECTION AND SECURITY MECHANISMS

A Project Synopsis submitted to the Solapur University, Solapur, for the Degree of Master of Engineering in Computer Science & Engineering

By Ms. Anjali Sunil Katkar

Under the guidance of Prof. R. B. Kulkarni

Department of Computer Science & Engineering, Walchand Institute of Technology, Solapur

Year 2010-2011

CERTIFICATE

This is to certify that the Synopsis Report on WEB VULNERABILITY DETECTION AND SECURITY MECHANISMS submitted by Ms. Anjali Sunil Katkar is hereby approved in partial fulfillment of the degree Master of Engineering in Computer Science and Engg.

Prof. R. B. Kulkarni, Guide, Computer Science Engg. Dept
Prof. Rajesh Argiddi, ME-CSE Coordinator, Computer Science
Prof. Dr. Mrs. S. S. Apte, H.O.D, Computer Science Engg. Dept
Prof. Dr. S. A. Halkude, Principal

Computer Science & Engineering, Walchand Institute of Technology, Solapur, Year 2010-2011

Table of contents
1. Abstract (page 4)
2. Introduction (page 5)
3. Expected Analytical Work (page 6)
4. Requirement (page 9)
5. Expected expenses (page 10)
6. Expected date of schedule (page 10)
7. Expected date of completion (page 10)
8. Conclusion (page 11)
References

Abstract:
We analyze the most common security problems of web applications. Web application, or website, security is a new concept with many facets, and it is top of mind for customers conducting business on websites. Website vulnerability detection relies on the relative predictability of websites to identify security issues. Using a browser and a few simple tricks, hackers can penetrate a website, access the credit card database, and make off with critical data, customer databases or even intranet information, and put it to illegal use. We propose a web security tool that can be used to define access control and security policies for URLs and cookies, and that additionally analyzes web vulnerabilities such as Unvalidated Input, Broken Access Control, Broken Authentication and Session Management, Cross Site Scripting (XSS), Buffer Overflows, Denial of Service (DoS) attacks, SQL injection, Insecure Configuration Management, Improper Error Handling, parameter modification, cookie modification, directory traversal and unauthorized access. The results show the evaluation of the security mechanisms against these attacks and vulnerabilities. Securing websites against these vulnerabilities is a very difficult and challenging task, because new attack techniques are invented day by day, so the study of the various types of vulnerabilities and attacks, their detection and their solutions is an essential part of the internet world. The methodology is based on the idea that, given vulnerabilities in a web application, attacking them automatically lets us assess the existing security mechanisms. The security solution can be provided to an existing website application, or to a targeted website while it is being developed. To provide true-to-life results, this methodology relies on field studies of a large number of vulnerabilities in web applications.

Introduction:
There is an increasing dependency on web applications nowadays, ranging from individuals to large organizations. Almost everything is available on the web. Web applications can be personal web sites, blogs, news, social networks, web mail, bank agencies, forums, e-commerce applications, etc. The global use of web applications makes them a target for malicious minds. As web applications are popularly used for information sharing, web application software security is essentially important. Just providing a firewall is not capable of providing security for a web application alone. Security is the main problem of a website because all types of users visit the site and can place applications on it that are harmful to the website. So different types of securing techniques are used to save the website from the insecure medium, and that is referred to as website security. So we need security mechanisms for the various vulnerabilities and attacks, and also access control policies and security policies for URLs and cookies. The request processors parse and analyze a request from the client and carry out the policies for the request. However, it is very difficult, even impossible, to require all code of all web applications to be written in a secure way, considering the cost of program development, code mistakes, and the security knowledge of programmers. Security therefore also has to be provided to existing websites. The framework has to sit between the web server and the user to protect from various types of vulnerabilities and malicious attacks; websites should also be protected from parameter modification and other types of attacks. These website vulnerabilities may have familiar names like SQL Injection and Cross-Site Scripting, or less common monikers like Insufficient Authorization or Predictable Resource Location.

The solution cannot resolve all web security problems, but at least at the present time it can effectively resolve the most practical and common web application level security problems. When securing our networks, we are conditioned to immediately think of firewalls, SSL, Intrusion Detection, and Anti-Virus as components of a complete solution. While they improve certain aspects of security, their impact on protecting the website is marginal. New vulnerabilities require new solutions. Contrary to popular belief, deploying a network firewall will not prevent a hacker from penetrating a gaping hole in your website. To improve the security of the Web, we must dispel this and other widely held misconceptions, including: "A website that uses SSL is secure." "A firewall protects the website, so it's safe from hackers." "The vulnerability scanner did not report any website security issues, so it's secure." "Website security is a developer problem." "We conduct annual security assessments on our website, so it's secure." We examine the fundamental components of a website, the entry points of Web attacks, attack methodologies, and suggested preventive measures for effective website vulnerability management.

Expected Analytical Work:

The Protection phase recognizes two different ways to manage website vulnerabilities:

1. It is best to employ generic countermeasure concepts first, to help ensure that you choose the technology best suited to your needs rather than one that claims to counter the latest hacking technique. The experiment on our target web site, which is protected from the known vulnerabilities such as XSS and SQL injection while the website is being developed, shows that the website does not allow these vulnerabilities to be used to attack it.

As shown in the figure above, the website consists of the web application, an application server and database to provide services and store data, and a web proxy to protect the web server. Nowadays RIA, i.e. Rich Internet Application technology, is delivered to the web browser in forms such as applets, ActiveX, Ajax, Flash and Silverlight. In the overview of the system, the firewall is placed between the user and the web server; it protects sensitive data and concurrency and defends against parameter manipulation and session hijacking. The application in the web server provides the security configuration, the unvalidated input checks and the error handling mechanisms. The application server provides security by auditing and logging users, authorizing users, and protecting sensitive data in the database.

2. It is very difficult to require all code of all web applications to be written in a secure way, considering the cost of program development, code mistakes, and the security knowledge of programmers. So protecting existing web sites from the various types of vulnerabilities and attacks is a challenging task, given the presence of advanced technologies and skillful attackers. Our proposal is to have security mechanism software placed between the internal and the external firewall to protect our web application; it protects against the various types of vulnerability and blocks malicious attacks by providing security and access policies.

The following vulnerabilities are frequently used by a hacker to attack web applications; the work studies these and implements protection against some of them:

Unvalidated Input: The information that comes from the web browser is not validated by the web application. A third party can alter the web request and pass incorrect or harmful information.

Broken access control: Access control, sometimes called authorization, is how a web application grants access to content and functions to some users and not others. An attacker may gain access to a higher level of authority.

Broken Authentication and Session management: When a user logs in to a web application, a unique session is created. If the session details are not protected correctly, an attacker can steal and misuse them.

Cross Site Scripting (XSS): A vulnerability in web applications; using it, an attacker can steal users' information.

Buffer Overflows: For web applications, an attacker may send a chunk of data which crashes the web application and takes control of some of its processes.

SQL injection: A code injection technique that exploits a security vulnerability occurring in the database layer of an application.

Improper Error Handling: Error conditions that are expected when operating in normal conditions are not handled properly.

Denial of Service (DoS) Attacks: One form of attack that has been in use since the inception of the Internet and the World Wide Web. In this method, the attacker uses up the system resources of the web server until other legitimate users cannot use the system. This can eventually cause a web application crash.

Insecure Configuration Management: Each and every server that hosts web applications should be configured to be secure, as servers are not fully configured for security before the web application is exposed to the public.

Parameter modification: When an invalid or prohibited parameter of a URL request is transferred to the web server, a security problem occurs.

Cookie modification: Cookies are created to identify, establish, and maintain a valid connection to a unique client or user. Unauthorized users can easily establish a connection with the server by modifying the contents of an authorized user's cookies.

Directory traversal: Some information or files which are not designed to be exposed to users or clients can be obtained easily just by traversing the directory in the address bar of Internet browsers.

Unauthorized access to confidential data or files: A hacker may break into back-end databases or intercept data packets in transmission that contain confidential data.
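As an added illustration (not code from the synopsis, whose tool is to be written in Java), the following Python sketch models the request processor described in the Introduction and in proposal 2 above: it parses one request and applies URL and cookie policies, refusing directory traversal, cookie modification, parameter modification and access beyond the caller's role. The shared key and the policy table are assumptions constructed for the demo.

```python
import hashlib
import hmac
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Shared secret of the filter and the URL policy table: both constructed for
# this demo, not taken from the synopsis.
SERVER_KEY = b"constructed-demo-key"
URL_POLICY = {
    "/public/": {"guest", "user", "admin"},
    "/account/": {"user", "admin"},
    "/admin/": {"admin"},
}

def sign_session(user_id, role):
    """Issue a session cookie 'uid:role|tag'; the HMAC-SHA256 tag makes edits detectable."""
    payload = f"{user_id}:{role}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"

def verify_session(cookie):
    """Return (user_id, role) if the cookie is intact, else None."""
    payload, _, tag = cookie.rpartition("|")
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not tag or not hmac.compare_digest(tag, expected):
        return None  # contents differ from what the server issued
    user_id, _, role = payload.partition(":")
    return user_id, role

def check_request(url, cookie=None):
    """Apply URL and cookie policies to one request: 'allow' or a deny reason."""
    parts = urlsplit(url)
    raw_path = unquote(parts.path) or "/"  # decode %2e%2e before inspecting
    if ".." in raw_path.split("/"):
        return "deny: directory traversal"
    path = posixpath.normpath(raw_path)  # collapse '//' and '/./' segments
    if cookie is None:
        user_id, role = None, "guest"
    else:
        session = verify_session(cookie)
        if session is None:
            return "deny: cookie modification"
        user_id, role = session
    prefix = next((p for p in URL_POLICY if path.startswith(p)), None)
    if prefix is None or role not in URL_POLICY[prefix]:
        return "deny: access control"
    query = parse_qs(parts.query)  # a non-admin may only request his own record
    if role != "admin" and "uid" in query and query["uid"][0] != user_id:
        return "deny: parameter modification"
    return "allow"
```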

Requirement:

Hardware requirements: PC with minimum 1 GB free space, 1 to 2 GB RAM.

Software requirements: JAVA 1.7.0, Java Virtual Machine (Open source Software)

Operating system support: Will be supported by Windows XP/Vista/7.

Expected Expenses:
No hardware requirement other than a PC, and no software expenses as open source software is used. Working on coding for 3 months (90 days), 3 hrs a day, 1 hr costs Rs. 100: 3 x 90 = 270 hrs; 270 x 100 = 27000 Rs.

Expected Schedule:

Dissertation Phase I: Analysis & Design of Project
  15 days (till Aug 20)        Requirement Analysis
  15 days (till Sept 10)       Data Gathering
  15 days (till Sept 20 end)   Data Analysis
  2 Months (till Nov 20 end)   Designing

Dissertation Phase II: Implementation & Result Analysis
  4 Months (till Apr 21 end)   Coding & Implementation
  1 Month (till May 28 end)    Testing & Debugging

Expected Date Of Completion:

The date of completion may vary depending upon the various features and testing, but it is expected to be completed by around the month of April - May 2011.

Conclusion:
The internet and the web are becoming vulnerable as advances in technology and skills are put to wrong use, and hacker attacks are much more advanced and complex. So a solution has to be provided for the various types of vulnerabilities. We focus on testing in web vulnerability detection, and present a solution to make the detection more efficient. Our proposal provides security to existing websites; additionally, we developed a target web site which provides security against the known vulnerabilities such as Unvalidated Input, Broken Access Control, Broken Authentication and Session Management, Cross Site Scripting (XSS), Buffer Overflows, Denial of Service (DoS) attacks, SQL injection, Insecure Configuration Management, Improper Error Handling, parameter modification, cookie modification, directory traversal and unauthorized access. The result shows that it can detect almost all the pages that may contain vulnerabilities in the target web site and provide the solution on that web site. Although our solution cannot resolve all web security problems, at least at the present time it can effectively resolve the most practical and common web application level security problems.


Implementation Details:
The objective is to build a real time website with the following fundamentals:
1) At the time of registration, a user must provide a valid email ID. Upon registration, an automated mail will be sent to the user. Only after clicking the mail should his account be activated.
2) Only one instance of an email ID can be used for registration. This eliminates the spam attack.
3) The user needs to change his password after every specific period of time for secured transactions.
4) The user's password should not be saved; rather a hash must be generated and the database must contain only the hash of the password.
5) At the time of registration, the user must answer a predefined captcha question; if unable, the user will be marked as Spam.
6) The user profile should be encrypted with AES encryption.
7) The site must specify roles based on Admin, Authenticated User, Guest. Sessions should have different permissions accordingly.
8) The site will be provided with a Firewall system to block specific IP addresses.
9) The site should provide on-the-fly content management, i.e. a user can create content and edit it, and other users may comment on it.
10) The website should have cookie management and should filter the cookies based on priority.
11) The site should have rules so that a user with specific points can access a specific part of the site.
The site must be developed with Drupal 7.x, which is content management software with PHP as front end and MySQL as back end.

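An added example, not the synopsis' Drupal/PHP implementation, showing items 2 to 4 of the implementation details in Python: a user store that keeps only a salt and a PBKDF2 hash, refuses a second registration of the same email ID, and forces a password change after a period. The 90-day period and the PBKDF2 parameters are assumptions the page does not specify.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumptions (not on the page): the "specific period" after which a password
# must be changed, and the PBKDF2 parameters. Both constructed for this demo.
PASSWORD_MAX_AGE_DAYS = 90
PBKDF2_ROUNDS = 100_000

@dataclass
class UserRecord:
    """What the database row holds: salt and derived hash, never the password."""
    email: str
    salt: bytes
    pw_hash: bytes
    set_day: int  # day number on which the password was set or last changed

def derive_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class UserStore:
    def __init__(self):
        self.users = {}  # keyed by normalised email: one account per email ID

    def register(self, email, password, today):
        """Items 2 and 4: reject a duplicate email ID; store only salt and hash."""
        key = email.strip().lower()
        if key in self.users:
            return "duplicate email"
        salt = os.urandom(16)
        self.users[key] = UserRecord(key, salt, derive_hash(password, salt), today)
        return "registered"

    def login(self, email, password, today):
        """Items 3 and 4: verify against the hash, then enforce the change period."""
        user = self.users.get(email.strip().lower())
        if user is None or not hmac.compare_digest(
                user.pw_hash, derive_hash(password, user.salt)):
            return "bad credentials"  # same reply for unknown user and wrong password
        if today - user.set_day > PASSWORD_MAX_AGE_DAYS:
            return "password expired"  # must be changed before further transactions
        return "ok"

    def change_password(self, email, new_password, today):
        """Re-salt and re-hash on change; record the day for the expiry rule."""
        user = self.users[email.strip().lower()]
        user.salt = os.urandom(16)
        user.pw_hash = derive_hash(new_password, user.salt)
        user.set_day = today
```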