Implementation of a Prototype to Secure Web Applications from SQL Injection and Cross Site ... PDF

57 Pages·2017·2.54 MB·English
Implementation of a Prototype to Secure Web Applications from SQL Injection and Cross Site Scripting Attacks Using an Intelligent Pattern Matching Approach

GRADUATE PROJECT REPORT
Submitted to the Faculty of the Department of Computing Sciences, Texas A&M University-Corpus Christi, Corpus Christi, Texas, in Partial Fulfillment of the Requirements for the Degree of Master of Science in Computer Science
By Ismail Aamir Mohammed, Fall 2016
Committee Members: Dr. Mario A. Garcia, Committee Chairperson; Dr. David Thomas, Committee Member

Abstract

Nowadays, due to the development of the Internet, there is a substantial increase in the use of the web, and web applications have become a significant part of everyone's life. Because of the increase in cyber-attacks, web application security has become one of the most important ongoing issues. The risk of web attacks is increasing because web developers are not aware of cyber-attacks, and because of the loopholes in the prevailing technologies. Web applications have become targets of many attacks such as SQL injection, session management, cross site scripting and broken authentication. A lot of research is going on to safeguard web applications from such malicious attacks. A few tools have also been developed to protect web applications from malicious attacks, but each of them has some specific flaws. This paper discusses an approach to address the flaws in the previous tools. The approach used here analyzes the validity of requests to the web application and then generates cases for different attacks. These cases then help in differentiating malicious from non-malicious traffic in the web application.

TABLE OF CONTENTS

Abstract
Table of Contents
List of Figures
List of Tables
1. Background and Rationale
  1.1 Introduction
  1.2 Literature Review
  1.3 Problems in Existing System
2. Narrative
  2.1 Problem Statement
  2.2 Motivation
  2.3 Objective
  2.4 Scope
3. Proposed System Design
  3.1 Target Web Application
  3.2 Intelligent Pattern Matching Module
  3.3 Unified Modelling Language
4. Implementation of the Modules
5. Testing and Evaluation
  5.1 User Interface
  5.2 Test Case 1: Entering Malicious Script
  5.3 Test Case 2: Malicious Script to Retrieve Confidential Information
  5.4 Test Case 3: SQLI Attack to Retrieve Information
  5.5 Test Case 4: SQLI Attack to Delete Table
  5.6 Test Case 5: XSS Attack to Steal the Cookies
  5.7 Test Case 6: URL Redirection using XSS Attack
  5.8 Summary of Test Cases
  5.9 Unit Test Case List
6. Conclusion and Future Enhancements
  6.1 Conclusion
  6.2 Future Work
Bibliography

LIST OF FIGURES

Fig 1: System Architecture
Fig 2: Architecture Workflow
Fig 3: Intelligent Pattern Matching Module
Fig 4: Invalid Request Showing SQL Injection Attack
Fig 5: Invalid Request Showing XSS Attack
Fig 6: Examples of Regular Expressions
Fig 7: Rules Stored in the Database
Fig 8: Use Case Diagram for the Pattern Matching Module
Fig 9: Use Case Diagram for Filtering on Target Application
Fig 10: Class Diagram for the Pattern Matching Module
Fig 11: Class Diagram for Filtering on Target Application
Fig 12: Code Snippet for My Filter Class
Fig 13: Code Snippet for Typesafe Request
Fig 14: Log Table with its Different Columns
Fig 15: Table for List Analyzer
Fig 16: Code Snippet for Process Log Info
Fig 17: Regular Expressions for SQLI Attacks
Fig 18: Scenario for Invalid Username or Password
Fig 19: Scenario after Logging in to Application
Fig 20: Scenario where User Enters Malicious Script
Fig 21: Scenario where Script Starts Executing
Fig 22: Scenario where Log ID is Set to Vulnerable
Fig 23: Scenario where IP Address is Set to Block in Database
Fig 24: Error Page
Fig 25: Scenario of XSS Attack to Retrieve Information
Fig 26: Scenario where Attacker Retrieves the Information
Fig 27: Scenario where the Log ID is Set to Vulnerable
Fig 28: Scenario where the IP Address is Set to Blocked
Fig 29: Scenario of SQLI Attack
Fig 30: Scenario where the Log ID is Set to Vulnerable
Fig 31: Scenario where the IP Address is Set to Blocked
Fig 32: Another Scenario of SQLI Attack
Fig 33: Scenario where the Log ID is Set to Vulnerable
Fig 34: Scenario where the IP Address is Set to Blocked
Fig 35: XSS Attack to Steal the Cookies
Fig 36: XSS Attack Showing Current Session Value
Fig 37: Scenario where the Log ID is Set to Vulnerable
Fig 38: Scenario where IP Address of Attacker is Blocked
Fig 39: URL Redirection using XSS Attack
Fig 40: Scenario after URL Redirection Attack
Fig 41: Scenario where the Log ID is Set to Vulnerable
Fig 42: Scenario where IP Address of Attacker is Blocked

LIST OF TABLES

Table 1: Access Log Header Information
Table 2: Summary of the Test Cases
Table 3: Scenario to Test Pattern Matching Module

1. Background and Rationale

1.1 Introduction

The increase in usage of web based applications has made it mandatory to secure them from a plethora of attacks. The web application layer is one of the main layers targeted by these attacks. The most important reasons for these kinds of attacks are flaws in the existing technologies and a lack of understanding about security among web application developers. Recent studies show that more than 70% of attacks happen in the payment card industry, and also that more than 50% of authentic data is exposed to attackers from organizations that use shared credentials [5]. Based on these figures, web security should be the most important thing to consider while developing a web application.

The two main techniques being used widely are the default deny model and the default allow model. The default allow model maintains a list of exploits, so whenever traffic passes through the application gateway it is compared with the list, and if any input matches the content of the list it is considered malicious and blocked [1][6]. The default deny model, in contrast, maintains a white list which contains all the legitimate values considered non-malicious for the web application. These legitimate values are obtained from the user input of several web applications. So whenever there is an input to the web application, it is compared to the values in the list. If the input matches the values in the white list, it is considered legitimate and allowed to enter; if it does not match the values in the white list, it is considered malicious [1][6].

Many issues were faced with manual maintenance of the list of cases used in the default allow model and the default deny model. In the proposed technique, an intelligent pattern matching approach is introduced which addresses the issues faced in maintaining such a list.

1.2 Literature Review

Various techniques have been proposed to address attacks in web applications, but each existing technique has its own flaws. A model has been proposed by C.M. Frenz et al. to detect cross site scripting attacks in web applications [9]. In this paper, the authors made use of regular expressions to detect malicious attacks in web applications. This approach was not found to be robust, as it only works for simple web applications [9]. Lwin Khin Shar et al. have proposed a technique which makes use of two phases to detect XSS attacks in web applications [10]. In the first phase, a taint-based analysis approach is used which produces an HTML document showing the flow of user data. In the next phase, data dependency and pattern matching are analyzed, which prevents injection into the code due to cross site scripting. Again, this technique only focuses on prevention of one type of attack. A.M. Chandrasekhar et al. [11] have combined K-means, fuzzy neural networks and support vector machine classifier techniques to implement a web attack detection mechanism. In this mechanism, the K-means algorithm is used to cluster the input dataset into K clusters which are then trained using fuzzy logic. Each data item is passed through a fuzzy classifier which then generates vectors. Then a classification is done using a support vector machine which helps in the detection of web attacks. In [14], Zhang et al. have proposed a technique which uses a taint analysis approach to detect SQL injection and cross site scripting attacks in web applications. This approach makes use of a flow graph to detect sink and source points in the data flow. It then taints the data in the source code if the data is coming from an insecure source and targeting a sensitive sink. The main drawback of this approach is that it has a high false positive rate [14]. Sharma et al. [15] have presented an integrated approach which makes use of two modes, called production mode and safe mode, to detect cross site scripting and SQL injection attacks in web applications. The main drawback of this technique is that it is not able to detect vulnerabilities in more dynamic and complex applications [15].

1.3 Problems in Existing System

The most important issue is updating and maintaining the list of attacks. The list of attacks being specific to each web application, it will be required to modify the list for different types of applications. It will also require continuous development due to the increasing number of attacks every day [7]. Maintenance of the list of attacks is also a time consuming task. Big applications like business applications have lots of user inputs, so it will be more time
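As an added illustration of the two models described in the introduction and of the list-maintenance problem raised in section 1.3, here is a small Python request check (example code, not the report's own filter): a deny-list ("default allow") of regular expressions beside a per-field allow-list ("default deny"). The rule patterns and field shapes are constructed for this example; the report's own rules live in its database (Fig 7).

```python
import re

# Deny-list ("default allow" model): input passes unless it matches a known-bad
# pattern. These patterns are constructed for illustration, not the report's rules.
DENY_PATTERNS = [
    re.compile(r"(?i)<\s*script\b"),                          # inline script tag
    re.compile(r"(?i)\bunion\b\s+(?:all\s+)?select\b"),       # UNION-based SQL
    re.compile(r"(?i)\bdrop\s+table\b"),                      # table deletion
    re.compile(r"(?i)['\"]\s*or\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+"),  # ' or 1=1
    re.compile(r"--\s*$|;\s*--"),                             # comment terminator
]

# Allow-list ("default deny" model): only values matching the field's legitimate
# shape pass. Shapes below are assumptions for a simple login form.
ALLOW_PATTERNS = {
    "username": re.compile(r"^[A-Za-z0-9_.]{3,32}$"),
    "age": re.compile(r"^\d{1,3}$"),
}

def default_allow(value):
    """Deny-list check. Returns (ok, index of the matching rule or None).
    Anything not covered by a rule slips through, which is why the list
    needs constant maintenance."""
    for i, pat in enumerate(DENY_PATTERNS):
        if pat.search(value):
            return False, i
    return True, None

def default_deny(field, value):
    """Allow-list check. True only if the field has a shape and value fits it."""
    pat = ALLOW_PATTERNS.get(field)
    return bool(pat and pat.fullmatch(value))

def check_request(params):
    """Apply the allow-list where a field shape exists, otherwise the deny-list.
    Returns a dict mapping field -> 'ok' or 'blocked:<reason>'."""
    result = {}
    for field, value in params.items():
        if field in ALLOW_PATTERNS:
            result[field] = "ok" if default_deny(field, value) else "blocked:allowlist"
        else:
            ok, idx = default_allow(value)
            result[field] = "ok" if ok else f"blocked:deny-rule-{idx}"
    return result
```

A value such as `0 or 2 like 2` matches none of the deny rules and passes `default_allow`, yet fails the `age` allow-list, which is the gap between the two models that the report's list-maintenance discussion is about.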