• No results found

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

N/A
N/A
Protected

Academic year: 2022

Share "WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project"

Copied!
5
0
0

Loading.... (view fulltext now)

Full text

(1)

WEB SECURITY

Oriana Kondakciu 0054118

Software Engineering 4C03 Project

(2)

The Internet is a collection of networks, in which the web servers construct autonomous systems. The data routing infrastructure corresponds to software based communication interfaces, which are executed upon physical hardware. The main software application responsible for the transmitted data is the java-based browser. The design of this application is directly responsible for the reliability of the data transmitted through the Internet. Security however is usually treated as an afterthought. Despite common sense, the security is considered at the bottom of a list that includes functionality, performance, compatibility and human interface. Good faith should not be applied when transferring private information through the Internet.

The programming languages Java and JavaScript have become the power tools of choice in building web-based applications. A Web application is a dynamic extension of a web server. Its services can include remote database access and online purchases. Security weaknesses of web applications are often refer as holes or bugs. The exploitation of these weaknesses has severe

consequences which include loss and manipulation of sensitive information. The new browsers have a considerable improvement over their predecessors when it comes to security but cannot guarantee that they are bug-free. The newest technology with a superior security system is ActiveX control by Microsoft. The downside of this technology is that it is supported only by Internet Explorer browser. Also, the ActiveX controls are written and compiled using Microsoft office visual basics programs. The Java language however needs only an editor and a free compiler. ActiveX controls use certified digital signature, but it is dangerous because it has no restrictions on the variety of its use. One disturbing example is the spy-ware software usually downloaded automatically from specific websites. Java on the other hand, achieves security by restricting the behavior of applets to a set of safe actions supervises1.

The information transmitted in the Internet and mostly web browsers may contain very sensitive. It is understandable that third parties will always be interested in acquiring this information. Unauthorized use and access of sensitive data can have unprecedented consequences. The most common threats to web applications include SQL Injection, Variable manipulation, Cross Site Scripting and exploitation of their different features. The process of acquiring information illegally is usually called an attack or exploitation. SQL Injection technique is very simple; it uses the basic knowledge of the SQL language representation of the database and it exploits it. The Variable manipulation involves accessing the information after it leaves the browser on its way to the server. Once the browser's proxy settings are configured to go through the HTTP proxy, some proxy tools such as WebScarab, can see all information flowing between the client and the server; it even allows the attacker to modify any part of the request/response before sending it. Such tool can access credit card information during an online purchase. Another interesting attack that is due mostly to human negligence is the Cross-Site Scripting. Cross-Site Scripting relies on the server reflecting back user input without checking for embedded JavaScript. This can be used to steal

1 WWW Security FAQL Client Side Security. http://www.w3.org/Security/Faq/wwwsf2.html, Retrieved on April 1st.

(3)

cookies and session IDs. This information however should be deleted regularly by the user. While cookies are considered a benign vulnerability, deleting them prevents another type of exploitation that is called Browse Cache, in which the attacker can track the surfing patterns of the users. The spy-ware companies for example rely on these cookies to collect information about the user. Another very dangerous exploitation can come from using the Forgot Password feature of a web application such as an email service provider. In this case, the user has to answer its secret question. If the attacker for example, can access the secret question, he might guess the answer, and even reset the password. The remote-access method, which allows another party to control the desktop of the user’s computer, makes this exploitation really easy. Another great procedure that collects information entered through keyboard is the Keystroke loggers. They are usually a very

efficient and simple way to retrieve information. Most of these attacks are assisted by tools such as IP sniffers and Trojan horses. Port sniffing consists in the first stage of the attack. The IP sniffer uses the communications protocols to collect the ports’ status of the user’s machines. If any of the ports is unprotected, then it can be used in the second stage of the attack. Sniffing is done remotely and in large ranges of IP. That means that the attacker might be looking for any unprotected online computer. A Trojan horse is a different tool that needs to be installed on the users’ computer. Upon installation, it opens a back-door that allows the attacker to infiltrate inside the computer. This program is called a Trojan horse because it masquerades itself behind friendly applications, big size pictures or email links. Worms, which is a program that can duplicate itself upon execution, is another very common threat on the Internet. Full scale attacks on websites such as CNN or YAHOO!, are made possible by spreading a powerful worm on the Internet. The two processes that a worm performs are: duplicate and attack. The attack consists in sending data packets into a specific website. Usually the number of computers infected with the worm may exceed thousands, which causes the data traffic to exceed its capacity limits. If the number of infected computers continues to increase, the web-servers supporting the attacked website would crash and go down. Finally, biggest threats of all are the people behind these malicious programs. The two most generalized groups are called hackers and crackers. Hackers are your “friendly neighborhood” gang of attackers who would come to your house and look around but not steal. Crackers on the other hand are very dangerous, because they will actually try to damage any

information they come across too and usually they cause great damage. Most attackers do not write the malicious programs themselves; they use tools that are already created by other software programmers. A dangerous crime that an attacker might commit is identity theft which has become an increasing problem in North America.

That is why it is so important that attack detection and defense should be a priority for the user. Most of the attacks are directed towards websites that store the information in data bases stored in remote web servers. As a form of defense, remote access of data bases uses an encryption technique that is called MD5. SQL injection for example can be prevented by not using dynamic SQL queries or by removing all unwanted input and accepting only expected input. The encryption

(4)

technique is the best protection by far. The Variable manipulation attack can be prevented by using SSL2 or digital passports which uses 40 bit and 128 bit

encryption. In this case, the attacker has to replace the embedded certificate in the applet with a fake certificate to succeed or has to decode the public key. A higher bit encryption is illegal in North America. In the client side, spy-ware programs are not fully detected by anti-viruses, and the best way to detect them is using anti-spy ware programs. Keystroke loggers can be detected by the antivirus programs, but the oldest versions can also be seen through the Task Manager.

These programs can be detected by the antivirus because they use a Trojan horse to transmit the log files back to the attacker. A graphical keyboard eliminates this threat but they are not recommended for other security reasons. The user should always be security-conscious especially if he or she is processing sensitive information. Trojan horses are the most common way of attack but they can be easily prevented. The Internet user must not open files of size greater then 50kb without antivirus scanning. Because the usual way of transmitting a Trojan horse is through emails, the user should not click on links or download attachments that are not secured. Worms have the tendency to spread very quickly because the email account owners act with negligence. The fastest way to detect a worm is to monitor Internet data traffic. An abrupt increase in traffic is a good indication that a worm is in motion. The sniffing attack can be rejected by a well configured firewall. The new patches by Microsoft office, allow the Windows XP OS to reject remote sniffing successfully. However, 100% protection against identity theft does not exist. Most of personal information online is stored in data bases accessed by a web browser. This might be a bank account, student grades,

medical records and even top secret military records. This weakness together with human error is a great vulnerability that software engineers should try to patch up in the future years. The designer or the software engineer should consider the security from the start. Some of the security points that should be taken in consideration are: anticipate future security requirements, minimize and isolate security controls, enforce least privilege feature, structure the security-relevant functions, make security friendly and do not depend on secrecy for security. Some lawmakers consider as the most efficient way to protect the information on the Internet is by stalling and outlawing the technology that makes it possible. The author of this paper strongly disagrees with this approach. The technology is not the malicious; the people who use the technology can be. The only best way to protect the information on the Internet is by developing and expanding more security tools3 for traffic analysis and black hole monitors, key Encryption, personal certificate, host-based firewall, proxy-based defenses and other defense and detection systems. The users should also be conscious about the risks that associate the web applications. Knowledge and Education is the answer.

2 Secure Sockets Layer which is a protocol used over the Internet for securing transactions made between clients to server.

3 Rough Auditing Tool For Security scans for security flaws, FX Cop by Microsoft, Prexic and Flawfinder are is a run time and source code analyzer, Compaq ESC and Parasoft work with Java

(5)

Reference

Hazario, Jose. Defense and Detection Strategies against Internet Worms, Archtech House, 2004

Gassier, Morrier. Building a Secure Computer System, Van Nostrand Reinhold Company, New York, 1988

Web Applications,

http://java.sun.com/webservices/docs/1.0/tutorial/doc/WebApp.html, retrieved on April 1st

AppSec FAQ, http://www.owasp.org/documentation/appsec_faq.html, retrieved on April 1st

WWW Web Security FAQ: General Questions,

http://www.w3.org/Security/Faq/wwwsf1.html#GEN-Q2, retrieved on March 24th, 2005

Microsoft Server 2003,

http://www.microsoft.com/windowsserver2003/default.mspx, retrieved on March 24th, 2005

The Apache Software Foundation, http://www.apache.org, retrieved on March 24th, 2005

References

Related documents

JADD is inherited as an autosomal recessive disease meaning that animals have only one mutant copy of the region (N/A) are normal but they are carriers of the disease and they

California's post mortem right of publicity statute, section 990, recognizes the need for protection against unauthorized use of a de- ceased actor's image in a

A statistically significant negative correlation was dem- onstrated in the study cohort between the maternal serum PIGF levels, foetal heart rate (FHR), birth weight and length,

Compliance monitoring, as well as monitoring to identify potential improvements in the management of environmental, social and cultural heritage issues, is a key component of the

Multinational corporations (MNCs) have investments in other countries, more focused on adapting their products and services to each individual local market via

Previous studies have demonstrated that the phosphorylation of Ser675 and Ser552 in the C-terminus of at β-catenin promotes its nuclear accumulation and transcriptional

En este estudio la variable diámetro en la base de la copa viva presentó la mejor correlación entre varias variables probadas (DAP, diámetro del tocón, largo de la copa

35 Female labor participation may generate many intra-household effects: time allocation effects (e.g., both parents working have less time to allocate to child care or domestic