Introduction
This paper gives a critical discussion of injection and authentication flaws, the most frequent web application violations according to OWASP 2010. To do so, it considers injection and authentication flaws in three sections.
Section one describes injection and authentication flaws in more detail. Section two critically discusses security defences against cross-site scripting and SQL injection, two of the major vulnerabilities of web applications. Possible improvements to the defences against cross-site scripting and SQL injection are presented in section three. The paper concludes with a summary of the author's views on injection and authentication flaws.
Section 1: Injection and Authentication flaws
Nowadays there is an increasing dependency on web applications, ranging from individuals to large organizations. The web application market is considered one of the fastest-growing markets, covering everything from personal web pages and blogs to social networks (e.g. Facebook), online banking and e-commerce applications. Many articles emphasize that "almost everything is stored, available or traded on the web, making web applications a natural target for malicious minds" (Fonseca, Vieira and Madeira, 2009).
Another aspect of injection and authentication flaws has been stated by Ziegler (2007) in one of his articles. He believes that "website security has been a persistent and major concern ever since the Internet became an essential part of many people's lives". He also considered that "injection of code into various parts of dynamic websites poses a dangerous, but also very interesting threat to security".
This discussion paper therefore argues that web applications are highly exposed to attacks, and that they are often built by developers and administrators without the required experience in the area of security.
As Heilman (2010) mentioned in his article, path traversal, cross-site scripting and SQL injection are considered to be among the most serious vulnerabilities. Diagram 1 shows a classification of web vulnerabilities. It is therefore very important that web developers take the necessary measures so that security issues are understood by users, making the web a safer place to operate.
Diagram 1: Classification of web vulnerabilities (figure not reproduced)
1.1 Cross-Site Scripting (XSS)
Academics in Italy described cross-site scripting (XSS) "as the vulnerability of a Web application that is essentially caused by the failure of the application to check up on user input before returning it to the client's Web browser". They also considered that, without adequate validation, user input may include malicious code that is sent to other clients and unexpectedly executed by their browsers, thus causing a security attack (Di Lucca et al., 2004).
A practical example: Sarah Brown was one of thousands of Twitter users hit by malicious use of a security flaw in the redesigned Twitter site. According to several press reports, she unknowingly sent a link containing malicious code that would redirect anyone who merely moved their mouse over it to an adult content website (Arthur, 2010).
1.2 SQL Injection
A significant vulnerability among injection and authentication flaws is what is known as SQL injection. It can be described in several ways and is ranked at "the top in web application attack mechanisms used by hackers to steal data from organizations". Moreover, academic studies state that "hackers can take advantage of flawed design, improper coding practices, improper validation of user input, configuration errors, or other weaknesses in the infrastructure" (Shanmughaneethi, Shyni and Swamynathan, 2009).
SQL injection can be further described through real-life examples such as the incident acknowledged by the management of Nokia, in the telecommunications industry. According to the company's statement, "the attacker used 'SQL injection' to access the forum database at developer.nokia.com. The database table records include members' e-mail addresses and, for fewer than 7 per cent who chose to include them in their public profile, either birth dates, homepage URL or usernames for AIM, ICQ, MSN, Skype or Yahoo!" (Bhati, 2011).
Section 2: Defences against cross-site scripting and SQL injection
The significant increase in dependence on web applications has brought vulnerabilities with it, cross-site scripting and SQL injection being the most important, as mentioned above. On that basis, this paper also describes the defences that several academics and reviewers believe will help to minimise such security deficiencies.
2.1 Cross-Site Scripting (XSS)
There are a few procedures that can be followed to help defend web applications against XSS attacks. Shar and Tan (2010) stated in their research that "most XSS attacks are based on malicious input submitted to perform unintended actions on an HTML response page".
2.1.1. Filtering all input
Figure 1 illustrates how malicious input might appear in a browser. In such a case it is recommended that the web developer filter all input without fail and inspect it so that only valid data is allowed into the application.
"Instead of trying to predict what malicious data you want to reject, define your criteria for valid data, and force all input to abide by your guidelines. For example, if a user is supplying a last name, you might start by only allowing alphabetic characters and spaces, as these are safe" (Shiflett, 2003).
Figure 1: Malicious input as it might appear in a browser (figure not reproduced)
After implementing much of the logic relating to filtering requests, I concluded that it would be best to handle this in a separate application altogether.
Another important defence against cross-site scripting is the one supported by the Open Web Application Security Project (OWASP), a not-for-profit worldwide charitable organization focused on improving the security of application software. It recommends that a web developer take the following measures against XSS attacks (OWASP, 2010):
- "Filter all input."
- "Ensure that the value a web developer is getting is what is expected. For example, validate all headers, form fields, and hidden fields (i.e., all parameters) against a rigorous specification of what should be allowed."
- "Do not attempt to identify active content and remove, filter, or sanitize it. There are too many types of active content and too many ways of encoding it to get around filters for such content."
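The following is an added example, not code from the original paper or from OWASP, showing the allowlist approach that Shiflett and the OWASP measures above describe: each parameter is checked against a rigorous specification of what is allowed, unknown parameters and non-matching values are refused rather than "cleaned", and an accepted value is still HTML-escaped when it is written into the response. Python is assumed as the implementation language (the paper's own references are to PHP and JavaScript); the field names, patterns and sample submissions are constructed for the example. The check runs on the server, which is where section 2.2.3 says validation should be performed.

```python
import html
import re


class ValidationError(ValueError):
    """Raised when a request parameter fails its allowlist specification."""


# Constructed allowlist: one pattern per accepted parameter. A last name is
# limited to letters and spaces, as in Shiflett's example; the other two are
# illustrative. Anything not listed here is not an accepted parameter.
FIELD_SPEC = {
    "last_name": re.compile(r"[A-Za-z ]{1,64}"),
    "username": re.compile(r"[a-z0-9_]{3,32}"),
    "age": re.compile(r"[0-9]{1,3}"),
}


def validate_request(params):
    """Return the accepted parameters as a dict.

    Every parameter must be known and every value must match its pattern in
    full. Input that fails is refused outright; nothing is stripped or
    'sanitised', following the OWASP advice not to try to recognise and
    remove active content.
    """
    accepted = {}
    for name, value in params.items():
        pattern = FIELD_SPEC.get(name)
        if pattern is None:
            raise ValidationError(f"unexpected parameter: {name!r}")
        if not isinstance(value, str) or pattern.fullmatch(value) is None:
            raise ValidationError(f"invalid value for parameter {name!r}")
        accepted[name] = value
    return accepted


def is_valid(params):
    """Boolean wrapper around validate_request for callers that only need yes/no."""
    try:
        validate_request(params)
    except ValidationError:
        return False
    return True


def render_greeting(last_name):
    """Write a value into an HTML response.

    Output is escaped even though the value was validated on input: the two
    controls are independent, and escaping guarantees that the browser treats
    the value as text, never as markup.
    """
    return "<p>Hello, " + html.escape(last_name, quote=True) + "</p>"


# Constructed sample submissions, as a form handler might receive them.
GOOD_FORM = {"last_name": "Brown", "username": "sbrown"}
MARKUP_FORM = {"last_name": "<b>Brown</b>", "username": "sbrown"}
EXTRA_FIELD_FORM = {"last_name": "Brown", "is_admin": "1"}

if __name__ == "__main__":
    for form in (GOOD_FORM, MARKUP_FORM, EXTRA_FIELD_FORM):
        print(form, "->", "accepted" if is_valid(form) else "refused")
    print(render_greeting("<b>Brown</b>"))
```

Note that the specification is positive (what is allowed) rather than negative (what is forbidden), so a new encoding trick does not create a new gap: a value that is not plain letters and spaces is refused whatever it contains.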
2.1.2. Data Validation
In my opinion, OWASP's defences are reasonable, although I believe that XSS attacks can be mitigated in the short run, whereby different code may secure the internet environment, and not in the long term, because there are always threats in the huge field of the internet.
Moreover, I agree with what has been proposed by OWASP with respect to data validation, because it is important that no bad input data can be inserted. On that basis, JavaScript validation of fields such as username and password can be used to achieve the validation of all input forms. An example of data validation is shown in Figure 2.
Figure 2: Login form (input data) with an external validation script (figure not reproduced)
According to Martin Dürst of the W3C, validating all headers is an important defence against XSS attacks, and the web developer therefore needs to "make sure of the correct decoding of the document under assessment". In such a case, "an error message will be shown if information about the encoding was not found, if there is a conflict of information, or even if decoding the document according to the information found is not possible" (Dürst, 2010).
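As an added example (not from the original paper or from W3C), the three conditions in Dürst's description can be turned into a strict document decoder: it reads the charset from the Content-Type header and from an HTML meta declaration, and fails when no encoding information is found, when the two declarations disagree, or when the bytes cannot be decoded under the declared encoding. Python is assumed, and the sample responses are constructed rather than captured. The meta scan assumes an ASCII-compatible encoding, which is the usual case.

```python
import codecs
import re


class EncodingError(Exception):
    """Raised when the document's encoding is missing, contradictory or unusable."""

    def __init__(self, kind, message):
        super().__init__(message)
        self.kind = kind  # "missing", "conflict" or "undecodable"


_HEADER_RE = re.compile(r";\s*charset\s*=\s*\"?([A-Za-z0-9._-]+)", re.IGNORECASE)
_META_RE = re.compile(r"<meta[^>]*charset\s*=\s*[\"']?([A-Za-z0-9._-]+)", re.IGNORECASE)


def charset_from_header(content_type):
    """Charset parameter of a Content-Type header value, or None if absent."""
    m = _HEADER_RE.search(content_type or "")
    return m.group(1) if m else None


def charset_from_meta(body):
    """Charset declared by a <meta> element near the top of the document, or None.

    Only the first 2 KB are scanned, and only as ASCII, so the scan assumes an
    ASCII-compatible encoding.
    """
    head = body[:2048].decode("ascii", errors="ignore")
    m = _META_RE.search(head)
    return m.group(1) if m else None


def canonical(name):
    """Canonical codec name, so 'utf8', 'UTF-8' and 'utf-8' compare equal."""
    try:
        return codecs.lookup(name).name
    except LookupError:
        return name.lower()


def decode_document(content_type, body):
    """Decode body strictly under its declared encoding, or raise EncodingError."""
    from_header = charset_from_header(content_type)
    from_meta = charset_from_meta(body)
    if from_header is None and from_meta is None:
        raise EncodingError("missing", "no encoding information found")
    if from_header and from_meta and canonical(from_header) != canonical(from_meta):
        raise EncodingError("conflict", f"header says {from_header}, document says {from_meta}")
    charset = from_header or from_meta
    try:
        return body.decode(charset)  # strict mode: malformed sequences raise
    except (LookupError, UnicodeDecodeError) as exc:
        raise EncodingError("undecodable", f"cannot decode as {charset}: {exc}") from None


def check_document(content_type, body):
    """Outcome label for a response: 'ok' or the kind of encoding problem found."""
    try:
        decode_document(content_type, body)
    except EncodingError as exc:
        return exc.kind
    return "ok"


# Constructed sample responses (header value, body bytes); not captured traffic.
SAMPLES = {
    "consistent": ("text/html; charset=UTF-8",
                   b'<html><head><meta charset="utf-8"></head><body>caf\xc3\xa9</body></html>'),
    "no charset": ("text/html",
                   b"<html><head><title>x</title></head><body>plain</body></html>"),
    "contradict": ("text/html; charset=ISO-8859-1",
                   b'<html><head><meta charset="utf-8"></head><body>x</body></html>'),
    "bad bytes": ("text/html; charset=utf-8",
                  b"<html><body>\xff\xfe</body></html>"),
}

if __name__ == "__main__":
    for label, (ctype, body) in SAMPLES.items():
        print(f"{label:12s} -> {check_document(ctype, body)}")
```

The decoder deliberately never falls back to a guessed charset: a document whose encoding is unknown or contradictory is reported as an error, which is the behaviour the quoted W3C guidance asks for.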
2.2 SQL Injection
This paper proposes defences that can safeguard against SQL injection and which should be considered before code is written. Although it is widely known that there is no perfect solution for every problem, protecting a site against SQL injection could involve the following defences:
2.2.1 Prevent database attacks
A major defence is considered to be the mysql_real_escape_string() function, which escapes special characters in a string for use in an SQL statement. "For example, the following characters are affected:
\x00, \n, \r, \, ', "
This function returns the escaped string on success, or FALSE on failure." (w3schools.com, 2011)
Academic research shows that "errors should not be displayed to the user, containing information about the database or actual source code". This is because "error messages are useful to an attacker because they give additional information about the database that might not otherwise be available". On that basis, I also believe that the website should show a general error message rather than indicating the exact code, which can be used by the attacker. In addition, the stripslashes() function removes backslashes added by the addslashes() function and helps in cleaning up data retrieved from a database or from an HTML form (Tajpour et al., 2010).
2.2.2 Avoid using real column names
SANS Institute (2002) research found that "if you have a login screen, generally there are two windows, one for the username and one for the password. This should limit to a realistic number".
Therefore, it is recommended that the web developer "does not use the real column names as the field names as this just makes life easier for an attacker" (SANS Institute, 2002).
2.2.3 Sanitize data
In my opinion, it is important for the web developer to save time and in this respect to perform data validation on the server side. In addition, the format of the code should contain different data for several validations. According to Litchfield, "all of this would 'go away' if the ASP coder properly sanitised user input before letting it anywhere near an SQL query" (SANS Institute, 2002).
Section 3: Improvements of defences against web vulnerabilities
3.1 Cross-Site Scripting (XSS)
Vulnerabilities based on malicious input are very likely to exist, although the experience of several web developers shows that they can be avoided by having a strong web application and a centralized mechanism for validating all input from HTTP requests. To this extent, I believe that such proposals for XSS defences are necessary, since hackers find new vulnerabilities to attack, causing several deficiencies in older validation rules. In a recent study, Lin, Chen and Liu (2008) "recommend an automatic mechanism adjusting validation rules. The system is designed to protect web sites from attack and does not require modification of application source code".
3.2 SQL Injection
Studies from the SANS Institute indicate that SQL injection attacks are reduced by having proper stored procedures. It has been stated that "it is very important to use parameters at all times" (SANS Institute, 2002). In my opinion this is a correct approach and a simple but important recommendation against SQL injection; it may be time consuming, but it minimises possible threats. To quote Anley (2002): "Essentially, if a parameterised query is run, and the user-supplied parameters are passed safely to the query, then SQL injection is typically impossible".
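The following is an added example, not code from the paper, w3schools, the SANS Institute or Anley. It writes the same member lookup three ways against a constructed in-memory SQLite table: string concatenation (the unsafe form), hand escaping in the spirit of mysql_real_escape_string() from section 2.2.1 (here implemented as standard SQL quote doubling, since the PHP function needs a live MySQL connection and the mysql extension it belongs to was removed in PHP 7), and a parameterised query as section 3.2 recommends. It also applies section 2.2.2 by mapping public field names to real column names through an allowlist, and section 2.2.1's advice that the user sees only a general error message while the detail goes to a server-side log. Python with the standard-library sqlite3 module is assumed in place of PHP/MySQL; the table contents and inputs are constructed.

```python
import sqlite3

LOG = []  # stand-in for the server-side error log

# Section 2.2.2: public field names are mapped to real column names through an
# allowlist, so the schema is never exposed in the form. Column names cannot be
# bound as query parameters, so this table is what keeps them data-driven yet
# safe: a field that is not listed is simply not a valid request.
FIELD_TO_COLUMN = {"user": "uname", "email": "mail"}


def make_db():
    """Constructed in-memory table with two sample members (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, uname TEXT, pwhash TEXT, mail TEXT)")
    conn.executemany(
        "INSERT INTO members (uname, pwhash, mail) VALUES (?, ?, ?)",
        [("alice", "hash-a", "alice@example.invalid"), ("bob", "hash-b", "bob@example.invalid")],
    )
    return conn


def column_for(field):
    """Resolve a public field name to a column, refusing anything not allowlisted."""
    column = FIELD_TO_COLUMN.get(field)
    if column is None:
        raise ValueError(f"unknown field {field!r}")
    return column


def lookup_concatenated(conn, field, value):
    """The 'before' form: the value is pasted into the SQL text, so a quote in
    it changes the statement. Kept only to contrast with the two forms below."""
    sql = f"SELECT id FROM members WHERE {column_for(field)} = '{value}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, field, value):
    """Hand escaping, the idea behind mysql_real_escape_string() in section 2.2.1.
    Standard SQL doubles single quotes. This only holds up if every code path
    remembers to escape and the escaping matches the database's quoting rules."""
    escaped = value.replace("'", "''")
    sql = f"SELECT id FROM members WHERE {column_for(field)} = '{escaped}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, field, value):
    """Section 3.2: the value is bound as a parameter and never becomes SQL text,
    whatever characters it contains."""
    sql = f"SELECT id FROM members WHERE {column_for(field)} = ?"
    return [row[0] for row in conn.execute(sql, (value,))]


def safe_lookup(conn, field, value):
    """Section 2.2.1: database and code details stay in the server log; the user
    only ever sees a general message."""
    try:
        return {"ok": True, "ids": lookup_parameterised(conn, field, value)}
    except (sqlite3.Error, ValueError) as exc:
        LOG.append(f"lookup failed: {exc!r}")
        return {"ok": False, "error": "The request could not be processed."}


# Constructed inputs: an ordinary username and a value containing quotes.
NORMAL_INPUT = "alice"
QUOTED_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    for name, fn in [("concatenated", lookup_concatenated), ("escaped", lookup_escaped),
                     ("parameterised", lookup_parameterised)]:
        print(f"{name:14s} {fn(db, 'user', QUOTED_INPUT)}")
    print(safe_lookup(db, "pwhash", "x"))
```

Run stand-alone, the concatenated lookup returns every member for the quoted input, while the escaped and parameterised lookups return nothing, because the value is treated as a literal string. The parameterised form is the one to keep: it does not depend on anyone remembering to escape, and the allowlist handles the one part of the statement (the column name) that parameters cannot protect.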
Conclusion
Cross-site scripting (XSS) and SQL injection attacks are major threats to any system connected to the internet. Attackers can cause significant damage to unprotected sites through their intelligent actions against written code and the security of servers. Both vulnerabilities can be countered by taking sufficient and effective defences against them (as indicated above), minimising the possibility of the website being attacked by hackers.
Reference List
Conferences
Fonseca, J., Vieira, M. and Madeira, H. (2009). Vulnerability and attack injection for web applications. In: Dependable Systems and Networks (DSN 2009), IEEE/IFIP International Conference, Lisbon, Portugal, 2009, pp. 93-102. [Online] DOI: 10.1109/DSN.2009.5270349 (Accessed 18 December 2011).
Di Lucca, G.A., Fasolino, A.R., Mastoianni, M. and Tramontana, P. (2004). Identifying cross site scripting vulnerabilities in Web applications. In: Web Site Evolution (WSE 2004), Proceedings of the Sixth IEEE International Workshop, 2004, pp. 71-80. [Online] DOI: 10.1109/WSE.2004.10013 (Accessed 18 December 2011).
Shanmughaneethi, S.V., Shyni, S.C.E. and Swamynathan, S. (2009). SBSQLID: Securing Web Applications with Service Based SQL Injection Detection. In: Advances in Computing, Control, and Telecommunication Technologies (ACT '09), International Conference, Trivandrum, Kerala, 2009, pp. 702-704. [Online] DOI: 10.1109/ACT.2009.178 (Accessed 19 December 2011).
Shar, L.K. and Tan, H.B.K. (2010). Auditing the defence against cross site scripting in the web application. In: Security and Cryptography (SECRYPT), Proceedings of the 2010 International Conference, Athens, Greece, 2010, pp. 1-7. [Online] Available at: http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5741657 (Accessed 20 December 2011).
Tajpour, A., Masrom, M., Heydari, M.Z. and Ibrahim, S. (2010). SQL injection detection and prevention tools assessment. In: Computer Science and Information Technology (ICCSIT), 3rd IEEE International Conference, 2010, pp. 518-522. [Online] DOI: 10.1109/ICCSIT.2010.5563777 (Accessed 27 December 2011).
Lin, J., Chen, J. and Liu, C. (2008). An Automatic Mechanism for Adjusting Validation Function. In: Advanced Information Networking and Applications Workshops (AINAW 2008), 22nd International Conference, Okinawa, 2008, pp. 602-607. [Online] DOI: 10.1109/WAINA.2008.89.
Magazine or journal articles available on the internet
Ziegler, P.S. (2007). 'XSS - Cross Site Scripting'. Hakin9 IT security magazine. [Online] Available at: http://hakin9.org/xss-%e2%80%93-cross-site-scripting/ (Accessed 17 December 2011).
Heilman, C. (2010). 'Web Security Primer: Are you part of the problem?'. Smashing Magazine. [Online] Available at: http://coding.smashingmagazine.com/2010/01/14/web-security-primer-are-you-part-of-the-problem/ (Accessed 18 December 2011).
Arthur, C. (2010). 'Twitter Bug: Malicious XSS'. The Guardian. [Online] Available at: http://www.guardian.co.uk/technology/blog/2010/sep/21/twitter-bug-malicious-exploit-xss (Accessed 19 December 2011).
Bhati, M. (2011). 'Hacker Steals User Records From Nokia Developer Site'. EFYTimes.com. [Online] Available at: http://efytimes.com/e1/fullnews.asp?edid=68084 (Accessed 20 December 2011).
World Wide Web
OWASP (2010). XSS (Cross Site Scripting) Prevention Cheat Sheet. [Online] Available at: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet (Accessed 21 December 2011).
Dürst, M. (2010). Checking HTTP Headers. W3C. [Online] Available at: http://www.w3.org/International/questions/qa-headers-charset (Accessed 22 December 2011).
Shiflett, C. (2003). Foiling Cross-Site Attacks. [Online] Available at: http://shiflett.org/articles/foiling-cross-site-attacks#comments (Accessed 22 December 2011).
W3schools.com (2011). PHP mysql_real_escape_string() function. [Online] Available at: http://www.w3schools.com/php/func_mysql_real_escape_string.asp (Accessed 27 December 2011).
SANS Institute InfoSec Reading Room (2002). SQL Injection: Modes of Attack, Defence, and Why It Matters. [Online] Available at: http://www.sans.org/reading_room/whitepapers/securecode/sql-injection-modes-attack-defence-matters_23 (Accessed 28 December 2011).
Anley, C. (2002). 'Advanced SQL Injection in SQL Server Applications'. NGSSoftware Insight Security Research (NISR) Publication. [Online] Available at: http://crypto.stanford.edu/cs155/papers/sql_injection.pdf (Accessed 29 December 2011).