Academic year: 2021


A Novel Frame Work to Detect Malicious Attacks in Web Applications

N. Jayakanthan (1), R. Sivakumar (2)

(1) Department of Computer Applications, Kumaraguru College of Technology, Coimbatore
(2) Department of Computer Applications, SNS College of Technology, Coimbatore, India

ABSTRACT

Web applications are now commonly used for information sharing and high-performance computation, and new web applications are added every day. Attacks against web applications are a serious challenge, and web security is a major issue. In this paper the proposed model addresses various faults and attacks on web applications. The model provides a framework, "Web-Fault-Detector", for protecting web applications from attacks such as SQL injection, cross-site scripting, session hijacking and web parameter tampering. The results justify the efficiency of the model.

Keywords: Web attacks, Web-Fault-Detector, SQL Injection, Session Hijacking.

1. INTRODUCTION

Web attacks break the security of web applications and threaten the management of personal and financial information. In cross-site scripting, malicious code is injected into the web browser; it breaks client-side security and allows the intruder to perform attacks that bypass the access control. Email, websites and URLs are used to deliver cross-site scripting attacks.

Web databases are affected by SQL injection attacks, in which malicious SQL statements are used to attack SQL databases, allowing the intruder to violate database security and access user information. The malicious inputs are used to bypass the access control. Some types of attack are intended to corrupt the database applications; such attacks prevent the affected organization from performing its regular operations.

Session hijacking is unauthorized access to a valid user's session in order to perform some tainted operation. The attacker can access the cookies of the active session to retrieve information. In another kind of attack the intruder injects malicious code into the packets transferred between two legitimate entities; this attack is also known as the man-in-the-middle attack.

Web parameter tampering is an attack against the various parameters used in web transactions that perform critical activities. By injecting a malicious parameter into a transaction that configures server settings, the attacker can degrade server performance or shut the server down. Protecting the web from parameter tampering is a most challenging issue.

The proposed system addresses all of these issues by monitoring web transactions and filtering out malicious activity. The system is trained to detect malicious URLs by a machine learning method.

2. RELATED WORK

The original CERT advisory describing the technique defined cross-site scripting (often referred to as "CSS" or, to avoid confusion with the acronym for Cascading Style Sheets, "XSS") attacks as the injection of "malicious HTML tags or script in a dynamically generated page based on unvalidated input from untrustworthy sources". [1]

XSS attacks are rapidly gaining attention as one of the most common weaknesses in web applications; the winner of the 2002 eWeek OpenHack contest won by discovering two potential XSS vulnerabilities. [2] Mike Ter Louw and V.N. Venkatakrishnan designed an XSS defense strategy for web browsers that protects the browser from untrusted content. [3]

Ke Wei et al. propose a technique to defend against attacks targeted at stored procedures; it combines static application code analysis with runtime validation to eliminate such attacks. [4] Similar work has been done by M. Muthuprasanna et al. to detect the occurrence of SQL injection attacks. [5]

Adam Kieyzun et al. developed an automatic technique for creating inputs that expose SQLI and XSS vulnerabilities; it generates sample inputs and symbolically tracks taints through execution. [6] Joshua J. Pauli et al. introduce an experiment named CookieMonster that can be run against any cookie-granting (i.e. session identifier generating) application to test the strength of its cookie generation algorithm. [7]

Kolsek provides detailed information about exploiting session management weaknesses in web-based applications, including specifics on session IDs, session fixation, fixation attacks, URL arguments, hidden form fields and cookies. [8]

Rupinder Gill et al. [9] present techniques for improving the detection of session hijacking attacks that are passive, computationally inexpensive, reliable and have minimal impact on network performance.

Static analysis tools have been developed by various experts [10, 11] to detect SQL injection attacks and cross-site scripting.

3. ARCHITECTURE

Figure 1 shows the architecture of the proposed system. The components of the system are as follows.

3.1 Supervisor

The Supervisor monitors all web transactions. It is the primary module of the system: it activates all the other components and protects the user from malicious transactions, while permitting genuine transactions to continue their operation.

3.2 Analyzer

It is the brain of the system. It verifies each transaction, classifies the various web attacks (cross-site scripting, SQL injection attacks, session hijacking and malicious parameters), and informs the Supervisor if any such attack is detected.

3.3 Filters

The Supervisor activates the Filter to protect the user from a malicious transaction. The Filter blocks the transaction and alerts the user. After blocking the transaction it sends an acknowledgement to the Supervisor.

Figure 1: Web Fault Detector

3. METHODOLOGY

As part of the proposed system, three new tools are developed and implemented to detect the following web attacks.

3.1 Cross Site Scripting

The Code Injection Supervisor monitors the code injected by transactions. Even transactions that bypass the other client-side security mechanisms are easily detected by the supervisor. It alerts the system administrator when a transaction attempts to inject code into the browser, and protects the secured information maintained by the web browser.

Table 1 below shows the algorithm of the Code Injection Supervisor, which verifies the nature of each transaction. The tool is developed and implemented; it detects various malicious codes and enhances the security of web applications.


Table 1. Algorithm of Code Injection Supervisor

Algorithm Code Injection Supervisor (T[1..n])
  Input  : T1..Tn                 // web transactions
  Output : blocks malicious Ti

  Start S1                        // start the supervisor
  i = 1
  while (i < n) {
      status = S1(Ti)
      if status = 0
          block Ti
      i++
  }

Algorithm S1 (Tk)                 // verifies the nature of the code
  Input  : Tk
  Output : 0 (malicious transaction) or 1 (genuine transaction)
  {
      check the nature of the code Tk attempts to inject
      if code is malicious
          return 0
      else
          return 1
  }

3.2 SQL Injection

A new tool, the Query Security System (QSS), is developed. SQL transactions that access the database are executed through the QSS. The proposed system blocks malicious SQL statements and stored procedures and protects the databases from SQL injection attacks. QSS also checks whether a transaction violates the access control or attempts to corrupt the database, and protects the database from such attacks. Table 2 shows an example of an SQL injection (SQLI) attack.

Table 2. SQL Injection Attack

Select username and passwords from emp where user name = ' ' or ' 1 ' = ' 1 '
Select * from <tablename> where <field name> = ' " + fieldname + " '

3.3 Session Hijacking

Session hijacking is a major issue in present circumstances. By stealing cookies the attacker is able to access the user's secured information. To handle session hijacking, a new tool known as the Session Evaluator (SE) has been developed for the proposed system; it verifies the active sessions and removes the cookies of expired sessions. This method protects user information from intruders.


Table 3. Algorithm of Session Evaluator

Algorithm Session Evaluator ([S1..Sn])
  Input  : Sessions
  Output : Remove the cookies of inactive sessions and allow the active sessions
  1. Check the Session ID
  2. Compare the Session ID with the Active Session Log
  3. If the Session ID is not in the Active Log
       a. Identify the cookies of the session
       b. Remove the cookies
       c. Block the Session ID
       d. Report the session as inactive
  4. Else (the Session ID is in the Active Log)
       a. Allow the session to continue
       b. Report that the session is active
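An added, runnable rendering of the Table 3 steps (example code, not the paper's Session Evaluator): an Active Session Log with expiry, an injectable clock, and the assumption that the session ID travels in a cookie named SESSIONID.

```python
import time


class SessionEvaluator:
    """Active Session Log plus the Table 3 steps: the session ID carried by the
    request cookies is checked (1) and compared with the log (2); an ID that is
    missing or expired has its cookies removed, is blocked and reported (3);
    an ID present in the log is allowed to continue (4)."""

    def __init__(self, ttl_seconds, cookie_name="SESSIONID", now=time.time):
        self.ttl = ttl_seconds
        self.cookie_name = cookie_name   # cookie carrying the session ID (assumed name)
        self.now = now                   # clock, injectable for testing
        self.active_log = {}             # session_id -> expiry timestamp
        self.blocked = set()             # step 3c: IDs seen after going inactive

    def open_session(self, session_id):
        """Registers a freshly issued ID; a blocked ID is never reissued."""
        if session_id in self.blocked:
            return False
        self.active_log[session_id] = self.now() + self.ttl
        return True

    def _purge_expired(self):
        t = self.now()
        for sid in [s for s, exp in self.active_log.items() if exp <= t]:
            del self.active_log[sid]     # expired sessions leave the active log

    def evaluate(self, cookies):
        """Returns (allowed, cookies_to_keep, report) for one request."""
        session_id = cookies.get(self.cookie_name)                    # step 1
        self._purge_expired()
        if session_id is not None and session_id in self.active_log:  # step 2
            return True, dict(cookies), "active"                      # step 4
        if session_id is not None:
            self.blocked.add(session_id)                              # step 3c
        remaining = {k: v for k, v in cookies.items()
                     if k != self.cookie_name}                        # steps 3a, 3b
        return False, remaining, "inactive"                           # step 3d
```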

3.4 Web Parameters

Parameter tampering is an approach to attacking web sites that affects their performance. The proposed system maintains a profile of genuine parameters, and the parameters of the various transactions are verified against this profile. If any suspicious parameter is found, the system blocks the transaction and warns the user about the attack.
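One way to realise the genuine-parameter profile described above (an added example, not the paper's implementation): the transaction names, parameter names and value predicates below are constructed for illustration.

```python
# Genuine-parameter profile: for each transaction, the parameters that may
# appear and a predicate each value must satisfy.  Entries are constructed.
PROFILE = {
    "update_quantity": {
        "item_id":  lambda v: v.isdigit(),
        "quantity": lambda v: v.isdigit() and 1 <= int(v) <= 99,
    },
    "set_locale": {
        "lang": lambda v: v in {"en", "de", "fr"},
    },
}


def verify_parameters(transaction, params, profile=PROFILE):
    """Returns (accepted, reasons).  A transaction is blocked when it is not
    in the profile, carries a parameter the profile does not list for it, or
    carries a value outside the profile's range for that parameter.  All
    reasons are collected so the warning to the user can name every finding."""
    spec = profile.get(transaction)
    if spec is None:
        return False, [f"unknown transaction {transaction!r}"]
    reasons = []
    for name, value in params.items():
        check = spec.get(name)
        if check is None:
            reasons.append(f"unexpected parameter {name!r}")
        elif not check(value):
            reasons.append(f"tampered value for {name!r}: {value!r}")
    return not reasons, reasons


if __name__ == "__main__":
    print(verify_parameters("update_quantity", {"item_id": "42", "quantity": "3"}))
    print(verify_parameters("update_quantity", {"item_id": "42", "quantity": "-1"}))
    print(verify_parameters("set_locale", {"lang": "en", "admin": "1"}))
```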

4. EVALUATION AND RESULTS

The system has been developed and implemented. In the initial stage the system is trained in a limited test environment on malicious transactions using machine learning methods. The various tools of the system successfully detect malicious transactions. Table 4 shows the results.

Table 4. Result of Proposed System in Detecting Malicious Transactions

Sl.No   Nature of Attack            Number of attacks detected
1       Cross site scripting        25431
2       SQL Injection attacks       37612
3       Session Hijacking           31413
4       Malicious Web parameters    12500

The system is capable of detecting various malicious web transactions. It reports a high detection rate for SQL injection attacks, while transactions holding malicious web parameters are very few. Figure 2 shows the result analysis.

Figure 2. Result Analysis of the Proposed System (bar chart; x-axis: Nature of Malicious Attack, one bar each for cross site scripting, SQL injection attacks, session hijacking and malicious web parameters; y-axis: Number of Attacks detected, 0 to 40000)


5. CONCLUSION

Malicious web transactions are a major threat to society. The tools of the proposed system, the Code Injection Supervisor (QIS), the Query Security System (QSS) and the Session Evaluator, are developed and implemented; they detect cross-site scripting, SQL injection attacks, session hijacking and malicious web parameters. The results show the efficiency of the system. In future the system will be enhanced to detect various emerging threats in web services.

REFERENCES

[1] CERT Coordination Center. "CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests." CERT/CC Advisories, 3 February 2000. http://www.cert.org/advisories/CA-2000-02.html

[2] Dyck, Timothy. "OpenHack Wrap." eWeek, December 2, 2002. http://www.eweek.com/article2/0,3959,748061,00.asp

[3] Mike Ter Louw and V.N. Venkatakrishnan. BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers. Proceedings of the 30th IEEE Symposium on Security and Privacy, Oakland, May 2009.

[4] Ke Wei, M. Muthuprasanna and Suraj Kothari. Preventing SQL Injection Attacks in Stored Procedures. ASWEC '06: Proceedings of the Australian Software Engineering Conference, IEEE Computer Society, Sydney, April 2006.

[5] M. Muthuprasanna, Ke Wei and Suraj Kothari. Eliminating SQL Injection Attacks - A Transparent Defense Mechanism. ASWEC '06: Proceedings of the Australian Software Engineering Conference, IEEE Computer Society, Sydney, April 2006.

[6] Adam Kieyzun, Philip J. Guo, Karthick Jayaraman and Michael D. Ernst. Automatic creation of SQL Injection and cross-site scripting attacks. ICSE '09: Proceedings of the 31st International Conference on Software Engineering, Hong Kong, March 2009.

[7] Joshua J. Pauli, Patrick H. Engebretson, Michael J. Ham and Marc Charles J. Zautke. "CookieMonster: Automated Session Hijacking Archival and Analysis." ITNG 2011: Eighth International Conference on Information Technology: New Generations, pp. 403-407, 2011.

[8] M. Kolsek. Session Fixation Vulnerability in Web-based Applications. Acros, 2007.

[9] Rupinder Gill, Jason Smith and Andrew Clark. Experiences in passively detecting session hijacking attacks in IEEE 802.11 networks. ACSW Frontiers '06: Proceedings of the 2006 Australasian workshops on Grid computing and e-research, Hobart, Tasmania, January 2006.

[10] B. Livshits and M. Lam. Finding security vulnerabilities in Java applications with static analysis. In USENIX Security, 2005.

[11] G. Wassermann and Z. Su. Static detection of cross-site scripting vulnerabilities. In ICSE, 2008.
