Introduction

 

ABC Bank is a leading commercial bank which provides its services to clients using the latest technologies. To add value to its customers' banking experience, the bank has introduced internet banking for its own customers. To provide the internet banking feature, the bank develops a web application that its customers access through the internet. This application allows users to inquire about their own balances, view transaction history details, make payments, and transfer money to their own bank accounts or to third-party bank accounts. Since all of these activities are confidential, this application needs to be highly secure. This document is drafted for that requirement: it identifies all the risks that can arise for the web application and explains how to prevent and mitigate those risks. These days many IT and non-IT people are increasingly concerned about the security of their applications and data.


The major risks that web applications should focus on are described in the OWASP Top 10 list. This list is released by the foundation called OWASP. The Open Web Application Security Project (OWASP) is an online community which helps developers and security teams design and deploy more secure applications. The community publishes articles, methodologies, documentation, tools and technologies free of charge. The organization is a non-profit which manages and supports OWASP projects and infrastructure. The foundation is not attached to any technology company and is run as an independent body. OWASP was founded in 2001 by Mark Curphey and mainly focuses on web security, application security and vulnerability assessment.

 

The OWASP Top 10 is not a list of security vulnerabilities; it describes the risks: what might happen, an overview of what kinds of threats currently exist for web applications, and how to mitigate those risks. The following is the Top 10 list.

1. Injection

2. Broken authentication and session management

3. Cross-site scripting (XSS)

4. Broken access control

5. Security misconfiguration

6. Sensitive data exposure

7. Insufficient attack protection

8. Cross-site request forgery (CSRF)

9. Using components with known vulnerabilities

10. Underprotected APIs

This Top 10 list has been released several times since 2003, and some risks on the list, such as the one at number one, are still present.

Injection

SQL Injection

SQLi is the most common web application attack, used by anonymous attackers to access databases. SQL is one way to talk to the database. In a SQL injection the attacker uses a specially crafted SQL query to bypass the login of the application.

How SQL injection works

SQL injection attacks the web application where it requires the user to input a user name or password. SQL injection is based on the condition 1=1, which is always true.

Example 1

UserName = geeshand

UserPassword = [email protected]

Sql = "SELECT * FROM Users WHERE Name='" + UserName + "' AND Pass='" + UserPassword + "'";

With the above example, if the username or password is incorrect the login attempt will fail.

What the attacker really does in SQL injection is use ' or '1'='1 as the input to bypass the login screen.

Example 2

UserName = ' or '1'='1

UserPassword = ' or '1'='1

Sql = "SELECT * FROM Users WHERE Name='" + UserName + "' AND Pass='" + UserPassword + "'";

After concatenation, the query that reaches the database is:

Sql = "SELECT * FROM Users WHERE Name='' or '1'='1' AND Pass='' or '1'='1'";

Example 2 shows how SQL injection is done: because '1'='1' is always true, the WHERE clause matches every row in Users and the login succeeds without a valid username or password.

 

XPath Injection

XML Path Language (XPath) is a language used to query information from an XML document. XPath injection is an attack technique used to exploit web applications that construct XPath queries from user-entered input. An anonymous attacker can extract the XML document using XPath queries. This may compromise the integrity of the database and expose sensitive data.

LDAP Injection

Lightweight Directory Access Protocol (LDAP) is used for authentication by some websites. LDAP stores information about users, servers, printers and user roles. If LDAP is used for web application login authentication, what the attacker plans to do is craft malicious input that is run against the directory, gaining access to the directory and viewing or changing authentication details. This injection is similar to SQL injection, and it also occurs due to poor input validation.

Broken Authentication and session management

When it comes to user management in a web application, information must be maintained about the users who interact with the web application. Instead of storing frequently changing information in cookies in the client-side environment, a session can store that data on the server side.

Different types of session attacks

Session hijacking

In this method hackers use source-routed IP packets to insert commands into an active communication between two nodes on the network, acting as an authenticated user.

Session fixation

Session fixation uses a valid user session to hijack the session. The hacker explores the weaknesses in how the web application manages the session ID. In this method the hacker does not create a new session ID but only uses an existing one. The attack consists of inducing a user to authenticate with a known session ID, and then stealing the user-validated session using knowledge of that session ID.

Cross-site scripting (XSS)

Cross-site scripting is client-side code injection that runs a malicious script to break into a website or web application. Cross-site scripting is a hard vulnerability to prevent because it occurs wherever user input is not validated or encoded. To run malicious JavaScript code in a browser, a hacker must find a way to inject a payload into a web page that the victim visits. An attacker can use social engineering techniques to convince a user to visit a vulnerable page with an injected JavaScript payload.

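An added example (not from the original document) of HTML output encoding, the control whose absence the paragraph above gives as the cause of XSS: a constructed profile page renders a user-supplied display name unencoded and encoded, and a check reports whether raw markup from the input reached the page.

```python
# Added example (not from the original document): HTML output encoding, the
# control whose absence the text above identifies as the cause of XSS. A
# constructed profile page renders a user-supplied display name unencoded and
# encoded; the check reports whether raw markup from the input reached the page.
import html

# Constructed inputs: a plain name, markup in a text context, and quotes that
# would otherwise close the value attribute.
SAMPLE_INPUTS = ["Jane Doe", "<b>Jane</b>", 'Jane "JD" Doe']


def render_unencoded(display_name: str) -> str:
    """Vulnerable: the input is placed into the page exactly as received."""
    return f'<p>Welcome, {display_name}</p><input value="{display_name}">'


def render_encoded(display_name: str) -> str:
    """Mitigated: the same template, with html.escape on every insertion.
    quote=True also escapes the quote characters, which is what keeps the
    input inside the value attribute."""
    safe = html.escape(display_name, quote=True)
    return f'<p>Welcome, {safe}</p><input value="{safe}">'


def contains_raw_markup(rendered: str, user_input: str) -> bool:
    """True when input containing < > or " appears verbatim in the output."""
    return any(ch in user_input for ch in '<>"') and user_input in rendered


if __name__ == "__main__":
    for s in SAMPLE_INPUTS:
        print(repr(s),
              "unencoded leaks markup:", contains_raw_markup(render_unencoded(s), s),
              "encoded leaks markup:", contains_raw_markup(render_encoded(s), s))
```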
Summary

How to mitigate and Prevent

Injection

SQL injection

1. Prepared Statements

A prepared statement is a secure method of sending data to the database. It sends the data and the query separately to the database. SQL injection happens when the query and the user input are mixed. Because the original statement cannot be changed by external input, which is transmitted separately, SQL injection cannot attack the web application.

· Java Enterprise Edition uses PreparedStatement with bind variables.

· .NET uses parameterized queries with bind variables (SqlCommand / OleDbCommand).

· Hibernate uses createQuery with bind variables.
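As an added example that is not part of the original document, the following Python script runs the login query from Examples 1 and 2, built by string concatenation, beside the prepared-statement form described under point 1, against an in-memory SQLite database; the table, the account and the inputs are constructed for the demonstration.

```python
# Added example (not from the original document): the bank's login query from
# Examples 1 and 2, built by string concatenation, beside the prepared-statement
# version from mitigation 1. Runs offline against an in-memory SQLite database
# with a constructed Users table; the user name and passwords are made up.
import sqlite3

# Sample input (constructed): a legitimate user's credentials, and the
# ' or '1'='1 input that the document shows an attacker using.
LEGIT_USER, LEGIT_PASS = "geeshand", "correct-horse"
INJECTED = "' or '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory Users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT, Pass TEXT)")
    conn.execute("INSERT INTO Users VALUES (?, ?)", (LEGIT_USER, LEGIT_PASS))
    return conn


def login_concatenated(conn, user_name: str, user_password: str) -> bool:
    """Example 1 as written: query text and user input are mixed together."""
    sql = ("SELECT * FROM Users WHERE Name='" + user_name
           + "' AND Pass='" + user_password + "'")
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn, user_name: str, user_password: str) -> bool:
    """Prepared statement: the query is fixed and the values travel separately
    as bind variables, so input can never change the statement's structure."""
    sql = "SELECT * FROM Users WHERE Name=? AND Pass=?"
    return conn.execute(sql, (user_name, user_password)).fetchone() is not None


def demo() -> dict:
    """Run both versions against valid, wrong and injected credentials."""
    conn = make_db()
    cases = {
        "valid": (LEGIT_USER, LEGIT_PASS),
        "wrong_password": (LEGIT_USER, "guess"),
        "injected": (INJECTED, INJECTED),
    }
    return {
        name: {"concatenated": login_concatenated(conn, u, p),
               "prepared": login_prepared(conn, u, p)}
        for name, (u, p) in cases.items()
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} concatenated={result['concatenated']} "
              f"prepared={result['prepared']}")
```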

 

2. Stored Procedures

Stored procedures are stored in the database. In this method the stored procedure is built with parameters and stored in the database, and the application calls it when required. The stored procedure validates all the inputs it receives in order to avoid SQL injection.

 

3. ORM frameworks – Currently most people use Object Relational Mapping frameworks to talk to the database. Basically, what an ORM does is create objects that map to database entities. By using these frameworks it is extremely hard to exploit the web application through such vulnerabilities, and the developer need not worry about SQL injection because the framework will take care of it. The ORM also needs to be kept up to date.

.NET – Entity Framework

Java – Hibernate

XPath Injection

In the application design phase, proper input validation needs to be applied. This input validation protects the web application from being exploited through this vulnerability.

LDAP injection

Input validation – Perform input validation on both the client and the server side. Limit the character set and format to what the requirement dictates, and reject inputs that fail to meet the expectation.

Neutralize LDAP metacharacters – the characters ( ) & * | = ; # " + , and (BLANK) need to be rejected when they appear in inputs.
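An added example (not from the original document) of the two LDAP controls just listed, run server-side before a login filter is built; the uid attribute, the username format and the sample inputs are assumptions.

```python
# Added example (not from the original document): the two LDAP-injection
# controls above, run server-side before a login filter is built. The uid
# attribute, the username format and the sample inputs are assumptions.
import re

# Metacharacters the document says to reject when they appear in input
# (the trailing space is the BLANK entry).
LDAP_META = set('()&*|=;#"+, ')

# Allow-list format for a login name (assumed): 3-32 of letters, digits, . _ -
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,32}$")


def find_ldap_meta(value: str) -> list:
    """Return every LDAP metacharacter present in the input, in order seen."""
    return [ch for ch in value if ch in LDAP_META]


def validate_username(value: str) -> tuple:
    """Reject metacharacters first, then enforce the allow-listed format.
    Returns (ok, reason); the reason is for the server log, not the user."""
    meta = find_ldap_meta(value)
    if meta:
        return False, "metacharacters rejected: " + "".join(meta)
    if not USERNAME_RE.fullmatch(value):
        return False, "format: username must be 3-32 of [A-Za-z0-9._-]"
    return True, ""


def build_login_filter(username: str) -> str:
    """Build the directory search filter only from input that passed validation."""
    ok, reason = validate_username(username)
    if not ok:
        raise ValueError(reason)
    return f"(uid={username})"


if __name__ == "__main__":
    for candidate in ["jane.doe", "jane*", "(jane doe)", "ab"]:
        print(repr(candidate), validate_username(candidate))
```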

Broken Authentication and session management

Users' authentication credentials need to be protected when stored, using encryption or hashing.

Session IDs should not be exposed in the URL, so URL rewriting should be prevented.

User sessions or authentication tokens need to be properly invalidated on logout and on timeout.

Session IDs need to be regenerated after a successful login attempt.

Restrict sending credentials over unencrypted connections: passwords, session IDs and other credentials must not be sent over unencrypted connections.

A strong password policy needs to be implemented. The minimum password length needs to be 8 characters, and passwords need to be complex, including alphanumeric characters. With that strength hackers could not guess the password.

The username/password failure response needs to be set to 'Invalid username and/or password' instead of using 'Invalid username' for an incorrect user name and 'Invalid password' for an incorrect password. After several invalid login attempts the relevant user account can be temporarily disabled. These kinds of measures also mitigate the risk of broken authentication.

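An added example (not from the original document) of a minimal server-side login that applies the controls listed above: hashed credential storage, one generic failure message, temporary lockout after repeated failures, session ID regeneration after login and invalidation on logout; the account data is constructed, and the lockout threshold and the exact password rule are assumptions.

```python
# Added example (not from the original document): a minimal server-side login
# applying the mitigations above. Account data is constructed; the lockout
# threshold and the password rule are assumptions.
import hashlib, hmac, os, secrets

MAX_FAILURES = 3                                    # assumed lockout threshold
GENERIC_ERROR = "Invalid username and/or password"  # same text for every failure


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def password_meets_policy(password: str) -> bool:
    """At least 8 characters, containing both letters and digits."""
    return (len(password) >= 8 and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


class AuthService:
    def __init__(self):
        self.users = {}     # username -> salt, hash, failure count, lock flag
        self.sessions = {}  # server-side session store: session id -> username

    def register(self, username: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest,
                                "failures": 0, "locked": False}

    def login(self, username: str, password: str, pre_login_sid: str) -> tuple:
        """(True, new session id) or (False, GENERIC_ERROR) for every failure."""
        user = self.users.get(username)
        if user is None or user["locked"]:
            return False, GENERIC_ERROR
        _, digest = hash_password(password, user["salt"])
        if not hmac.compare_digest(digest, user["hash"]):
            user["failures"] += 1
            if user["failures"] >= MAX_FAILURES:
                user["locked"] = True   # temporary disable; cleared by admin or timer
            return False, GENERIC_ERROR
        user["failures"] = 0
        # Session fixation defence: drop the pre-login ID and issue a fresh one.
        self.sessions.pop(pre_login_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = username
        return True, new_sid

    def logout(self, sid: str) -> None:
        """Invalidate the session so its ID cannot be reused after logout."""
        self.sessions.pop(sid, None)
```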
Cross-site scripting (XSS)