The internet world is a mystical world. It's a great place for every intellectual person, and I consider every net geek an intellectual person; this is my own definition, without any rules or boundaries. People use the internet either for constructive or for destructive purposes. I am inviting you to have a discussion on the application security part of the internet.
The world has become a global market. Information about almost anything is easily available on the internet; all that is needed is a search on the World Wide Web. Internet technology offers rapid information system development and easy hosting, so information is within reach of any individual. It serves two kinds of users: those who develop information systems and portals, and those who consume the information on those portals for commercial or personal use.
With the passage of time the number of web portals and web-enabled applications has grown exponentially. Many business-critical web applications are very user friendly and hence popular with business users. Any security vulnerability in such an application has an adverse business impact on its users, which is not acceptable to the enterprise.
Among the high-impact consequences of poor web security are theft of intellectual property (images, design and functional documents) and theft of user information. Unhandled vulnerabilities in an application can also lead to unplanned system downtime. Some business-critical applications exist only online, and prolonged or frequently recurring unplanned downtime causes irreparable damage to business reputation and loss of consumer confidence.
Spoofing & Phishing Attack
Spoofing is the situation where an attacker claims to be the legitimate party with whom the end user is communicating; a man-in-the-middle attack, where the attacker sits between the two parties and relays their traffic, is one common way of achieving this. Phishing is another kind of spoofing attack, also known as a "web page spoofing" attack. The attacker reproduces a web page of a legitimate site so that it looks like the original, and directs users to it in order to fool them. The end user tries to log in to the false website and thus reveals his login credentials to the attacker.
Cross site scripting (XSS)
Cross site scripting is possible on any dynamic page that places user input into its HTML without validating and encoding it. The attacker injects malicious JavaScript into the page, and that script runs in the browser of every user who views the page, with the same access to the page and its data as the site's own scripts. One major consequence is theft of a legitimate user's session cookie, which lets the attacker take over that user's session.
Let’s consider this with a simple example.
You have created a web form in ASP.NET that accepts a search string. Suppose the attacker enters JavaScript instead of regular search text, for example a script element that calls alert with the text "Hello World". In the code-behind you copy this input into a control that is rendered back into the page, like this:
Search.Text = txtSearch.Text;
The script supplied by the attacker is then written into the HTML unchanged, so the browser executes it and a message box appears with the text "Hello World". The same mechanism runs any other script the attacker chooses, including one that sends the victim's cookie to a server the attacker controls. This kind of vulnerability is handled with proper input validation and, above all, by HTML-encoding the data at the point where it is written into the page. Any data that comes from a user must be validated and encoded for the context in which it is output.
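As an added example (not code from the original page, and written in Python rather than the page's ASP.NET so that it runs stand-alone), the following renders the search page the way the vulnerable code-behind does, then with output encoding, and uses Python's own HTML parser to list what a browser would actually execute. The payloads, the page template and the control names are constructed for this example; the first payload is the alert("Hello World") script the text describes. It also goes one step beyond the text: it shows that encoding only the angle brackets is not enough when the value lands inside an attribute.

```python
import html
from html.parser import HTMLParser

# Constructed payloads for this example.
# The first is the script the text describes: it pops an alert reading "Hello World".
SCRIPT_PAYLOAD = '<script>alert("Hello World")</script>'
# The second contains no angle brackets at all; it breaks out of a quoted attribute
# and plants an event handler that fires as soon as the field receives focus.
ATTR_PAYLOAD = "x' onfocus='alert(document.cookie)' autofocus='"

# Constructed page template standing in for the rendered ASP.NET form: the search
# term is echoed once as element text and once as the value of the search box.
PAGE_TEMPLATE = (
    "<p>You searched for: {body}</p>\n"
    "<input type=\"text\" name=\"txtSearch\" value='{attr}'>"
)


def render_vulnerable(term: str) -> str:
    """Search.Text = txtSearch.Text with no encoding: raw input lands in the HTML."""
    return PAGE_TEMPLATE.format(body=term, attr=term)


def render_escape_tags_only(term: str) -> str:
    """Escapes < > & but leaves quotes alone: enough for element text, not for attributes."""
    encoded = html.escape(term, quote=False)
    return PAGE_TEMPLATE.format(body=encoded, attr=encoded)


def render_safe(term: str) -> str:
    """Encodes < > & \" and ' so the input can close neither a tag nor an attribute value."""
    encoded = html.escape(term, quote=True)
    return PAGE_TEMPLATE.format(body=encoded, attr=encoded)


class ActiveContentFinder(HTMLParser):
    """Collects what a browser would execute: <script> elements and on* event handlers."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag} {name} handler")


def active_content(page: str) -> list[str]:
    """Returns the executable pieces a browser would find in the rendered page."""
    finder = ActiveContentFinder()
    finder.feed(page)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    renderers = [("vulnerable", render_vulnerable),
                 ("tags-only escape", render_escape_tags_only),
                 ("full encoding", render_safe)]
    for label, render in renderers:
        for payload in (SCRIPT_PAYLOAD, ATTR_PAYLOAD):
            print(f"{label:17} {payload[:28]!r:32} -> {active_content(render(payload))}")
```

The tags-only variant stops the script element but still lets the second payload plant an onfocus handler, because a single quote is all it takes to leave the value attribute. Encoding for the output context (here html.escape with quote=True for both text and attribute positions) is what closes the hole; input validation on the search box is a useful extra layer, not a substitute.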
SQL Injection
SQL injection is a technique for exploiting a security vulnerability in the database layer of an application. The attack is performed against a web page that accepts user input in a form field (a text box, for instance) and uses that input to build a query that is later run on the database server. The attacker supplies crafted ("magic") input to the text field, which changes the nature of the intended query. Let's consider this with an example.
Suppose there is a login screen that accepts a user name and password to authenticate a user. The programmer has written code that dynamically builds a SELECT statement from the user input to verify that the user name and password exist in the database.
The dynamic query written by the programmer is as follows:
string strSql;
strSql = "Select UserName, Password From Users where UserName = '" + txtUserName.Text + "' And Password = '" + txtPassword.Text + "'";
User has supplied the following information:
User name = Sanjiv
Password = albert
At runtime the query becomes:
strSql = "Select UserName, Password From Users where UserName = 'Sanjiv' and Password = 'albert'"
If this query is executed on the database engine, it correctly checks whether a row for the user "Sanjiv" with that password exists in the Users table.
Consider a series of cases in which the attacker supplies different magic data to dupe the system.
[Case 1]
User name = ' OR 1=1 --
Now the query built from the above input is:
Select UserName, Password From Users where UserName = '' OR 1=1 -- ' And Password = '...'
Everything after -- is a comment to SQL Server, so the password check is discarded, and since the remaining WHERE clause always evaluates to true the query returns every row in the Users table.
Login code that treats "at least one row returned" as success therefore lets the attacker in: he has bypassed the login procedure and gained illegitimate access to the application without knowing any password.
[Case 2]
The attacker supplies the following user name:
User name = ' Having 1=1 --
Now the query built from the above input is:
Select UserName, Password From Users Where UserName = '' Having 1=1 -- (rest of the query is ignored)
A HAVING clause without a GROUP BY is not valid for this select list, so SQL Server rejects the statement. If the application does not handle the error, the raw database error reaches the browser:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'Users.UserName' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
/login.aspx, line 18
This error message reveals a column name and the table name to the attacker, who can repeat the trick to enumerate every column the query selects. Let's consider case 3, in which the attacker tries to delete a table from the database.
[Case 3]
The attacker supplies the following user name:
User name = ' ; Drop table Users --
Now the query built from the above input is:
Select UserName, Password From Users Where UserName = '' ; Drop table Users -- (rest of the query is ignored)
This is the most dangerous query. SQL Server executes both statements in the batch, so if the account the application connects with has permission to drop tables, the Users table is deleted from the database.
How to prevent SQL injection attacks
Never build SQL by concatenating user input into a string. Use parameterized queries (SqlCommand with SqlParameter objects in ASP.NET) or parameterized stored procedures, so that user input is always passed as data and can never change the structure of the statement. Validating input strings and limiting the size of the text boxes that accept user input remain worthwhile as a second layer. Always connect to the database with a low-privileged account that cannot drop tables or read data the application does not need, and return a generic error page rather than the raw database error, so that cases 2 and 3 above lose their value to the attacker.
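The cases above and the parameterized fix, as an added example that is not from the original page. It is Python over an in-memory SQLite database rather than the page's ASP.NET and SQL Server, so it runs anywhere; the table, the rows (the page's Sanjiv/albert plus one constructed user) and the function names are constructed for the example. Case 2 depends on SQL Server's HAVING error text, which SQLite does not reproduce, so the block covers cases 1 and 3. SQLite's execute() refuses to run more than one statement, so executescript() is used for case 3 to emulate a driver that, like SQL Server, runs every statement in the batch.

```python
import sqlite3

# Constructed sample data: the page's user plus one more row. Passwords are stored
# in clear text only because the page's query compares them that way.
SAMPLE_USERS = [("Sanjiv", "albert"), ("Meera", "tiger")]


def fresh_db() -> sqlite3.Connection:
    """In-memory SQLite table standing in for the page's Users table in SQL Server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_sql(user: str, pwd: str) -> str:
    """The page's strSql: user input concatenated straight into the statement."""
    return ("SELECT UserName, Password FROM Users WHERE UserName = '" + user
            + "' AND Password = '" + pwd + "'")


def login_vulnerable(conn: sqlite3.Connection, user: str, pwd: str) -> list:
    """Runs the concatenated query and returns the matching rows; any row counts as a login."""
    return conn.execute(build_vulnerable_sql(user, pwd)).fetchall()


def login_vulnerable_batch(conn: sqlite3.Connection, user: str, pwd: str) -> None:
    """Same query sent to a driver that executes every statement in the string.
    SQL Server does this natively; here executescript() emulates it (case 3)."""
    conn.executescript(build_vulnerable_sql(user, pwd))


def login_safe(conn: sqlite3.Connection, user: str, pwd: str) -> list:
    """Parameterized form: the input is bound as data and cannot alter the statement."""
    return conn.execute(
        "SELECT UserName, Password FROM Users WHERE UserName = ? AND Password = ?",
        (user, pwd),
    ).fetchall()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """True if a table of that name is still present in the database."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = fresh_db()
    print("normal login   :", login_vulnerable(conn, "Sanjiv", "albert"))
    print("case 1, unsafe :", login_vulnerable(conn, "' OR 1=1 --", "anything"))
    print("case 1, safe   :", login_safe(conn, "' OR 1=1 --", "anything"))
    login_vulnerable_batch(conn, "' ; DROP TABLE Users --", "anything")
    print("case 3, Users table still exists:", table_exists(conn, "Users"))
```

The parameterized query returns nothing for the case 1 input because the whole string, comment marker included, is compared against the UserName column as a value. The batch in case 3 succeeds only because the connection has the right to drop the table; the same code run under an account limited to SELECT on Users would fail at that statement, which is the point of the low-privilege account.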
Denial of service (DoS) Attack
Web applications work in a request/response fashion: a user makes a request through the web browser to the web server for some information or service. In a denial of service attack, the attacker floods the web server, or the network in front of it, with thousands of requests. The server's capacity is consumed by the attacker's traffic, so when a legitimate user tries to access the URL the server cannot process that request. This is a Denial of Service (DoS) attack.
One mitigation at the application level is a request-count feature that counts the requests arriving from each IP address and, when the count within a given window exceeds a predefined number, denies further requests from that address for some duration. This is not a complete solution: an attacker with many source addresses (a distributed DoS) stays under the per-address limit, a flood that saturates the network link never reaches the application's counter at all, and if the counter keys on a client-supplied header such as X-Forwarded-For instead of the connection's source address the attacker can choose the value. It does, however, reduce the impact of a simple single-source flood.
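The request-count idea, as an added example that is not code from the original page, written in Python rather than the page's ASP.NET so that it runs stand-alone. It goes a little beyond the paragraph: it counts requests per address in a sliding window, blocks an address for a fixed duration once it exceeds the limit, and replays a constructed request log through the limiter with a fake clock so the result is deterministic. The addresses, thresholds and event timings are all constructed for this example.

```python
import time
from collections import deque


class PerIpRequestLimiter:
    """Sliding-window request counter keyed on client address.

    A client that sends more than max_requests within window_seconds is refused
    for block_seconds. The clock is injectable so behaviour can be replayed."""

    def __init__(self, max_requests: int, window_seconds: float,
                 block_seconds: float, clock=time.monotonic) -> None:
        self.max_requests = max_requests
        self.window = window_seconds
        self.block = block_seconds
        self._clock = clock
        self._hits: dict[str, deque] = {}
        self._blocked_until: dict[str, float] = {}

    def allow(self, ip: str) -> bool:
        """True if the request should be served, False if it should be refused."""
        now = self._clock()
        if self._blocked_until.get(ip, 0.0) > now:
            return False
        hits = self._hits.setdefault(ip, deque())
        # Drop timestamps that have aged out of the window.
        while hits and hits[0] <= now - self.window:
            hits.popleft()
        hits.append(now)
        if len(hits) > self.max_requests:
            self._blocked_until[ip] = now + self.block
            hits.clear()
            return False
        return True


class FakeClock:
    """Manually advanced clock so the replay below is deterministic."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


def replay(limiter: PerIpRequestLimiter, clock: FakeClock, events) -> list:
    """Feeds (timestamp, ip) events through the limiter and returns its decisions."""
    decisions = []
    for t, ip in events:
        clock.now = t
        decisions.append(limiter.allow(ip))
    return decisions


# Constructed request log: one address fires a burst while a second behaves normally.
FLOOD_IP, NORMAL_IP = "198.51.100.7", "203.0.113.5"
SAMPLE_EVENTS = (
    [(i / 10, FLOOD_IP) for i in range(8)]     # eight requests inside one second
    + [(0.55, NORMAL_IP), (0.95, NORMAL_IP)]
    + [(12.0, FLOOD_IP), (45.0, FLOOD_IP)]     # during the block, and after it expires
)


def run_sample() -> list:
    """Replays SAMPLE_EVENTS in chronological order: 5 requests per 10 s, 30 s block."""
    clock = FakeClock()
    limiter = PerIpRequestLimiter(max_requests=5, window_seconds=10.0,
                                  block_seconds=30.0, clock=clock)
    return replay(limiter, clock, sorted(SAMPLE_EVENTS, key=lambda e: e[0]))


if __name__ == "__main__":
    for (t, ip), ok in zip(sorted(SAMPLE_EVENTS, key=lambda e: e[0]), run_sample()):
        print(f"t={t:5.2f}  {ip:14}  {'served' if ok else 'REFUSED'}")
```

In the replay the flooding address gets its first five requests served, is refused from the sixth onward and again at 12 seconds while the block is in force, and is served once more at 45 seconds; the normal address is never touched. In a real deployment the address must come from the accepted connection rather than a request header, and a reverse proxy or firewall in front of the application is a better place for this counter than the application itself, since it refuses the request before any page code runs.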
Buffer Overflow
A program reserves a fixed amount of memory (a buffer) to hold data supplied by the user. If the reserved space is not sufficient to contain that data and the program does not check the length before copying, the excess is written into the adjacent memory, which may belong to another variable, to the return address of a subroutine, or to other control data. This anomalous condition of the program is known as a "buffer overflow" or "buffer overrun".
A buffer overflow is always considered a serious security gap. By choosing the data that overwrites the adjacent memory, an attacker can crash the program or redirect its execution to code of his own, which is why it is a preferred attack method for writers of viruses, worms and Trojan horse programs.