SEC 420 Week 8 Assignment 2 Web Application Attack Scenario
Web Application Attacks
A secure Web server offers a protected foundation for hosting Web applications, and the configuration of that server plays a critical role in the application's security. Improperly configured virtual directories are a very common mistake and can lead to unauthorized access. An unclosed share can offer a convenient back door, an unused open port can be an attacker's entry point, and neglected user accounts can give an attacker a way in. Because attackers can reach a Web server remotely, it is a soft target. Understanding the threats to a Web server, and then identifying the appropriate countermeasures, makes it possible to anticipate the ever-growing range of attacks.
The main threats to a Web server include:
• Unauthorized access
• Arbitrary code execution
• Elevation of privileges
• Malicious programs and code (viruses, worms, and Trojan horses)
• Denial of service
Unauthorized access occurs when a user without the proper permissions gains access to restricted data or performs a restricted operation. The common vulnerabilities behind it are weak NTFS and Web permissions and weak IIS Web access controls. The countermeasures are secure Web and NTFS permissions, .NET Framework access control mechanisms, and URL authorization.
Profiling, also known as host enumeration, is an exploratory procedure an attacker uses to gather information about a Web site; the attacker then uses that information to target known weak points.
The common vulnerabilities that make a Web server susceptible to profiling are configuration details disclosed in banners, open ports, and unnecessary protocols. The techniques used in profiling include NetBIOS and Server Message Block (SMB) enumeration, port scans, and ping sweeps.
Countermeasures to profiling are blocking all unnecessary ports and Internet Control Message Protocol (ICMP) traffic, and disabling unnecessary protocols such as NetBIOS and SMB.
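The banner disclosure mentioned above is something a defender can check for directly. The following is an added example, not code from the original essay: it parses a raw HTTP response and reports the headers that commonly reveal server software and versions. The response text is constructed for illustration, and the list of header names to flag is an assumed policy rather than anything the essay specifies.

```python
from typing import Dict, List

# Assumed list of response headers that typically carry product or version
# details an attacker could use while profiling the host.
DISCLOSING_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
)

# Constructed sample response (not captured from any real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Split a raw HTTP response into a lower-cased header dictionary.

    The status line is skipped; everything after the blank line is the body
    and is ignored here.
    """
    head, _, _body = raw_response.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def banner_findings(raw_response: str) -> List[str]:
    """Return 'name: value' entries for every disclosing header present,
    in the order of DISCLOSING_HEADERS, so the output is stable."""
    headers = parse_headers(raw_response)
    return [f"{name}: {headers[name]}" for name in DISCLOSING_HEADERS if name in headers]


if __name__ == "__main__":
    for finding in banner_findings(SAMPLE_RESPONSE):
        print("disclosed:", finding)
```

Run against a real server's response, an empty result means none of the listed headers are being sent; any entry in the result is a configuration detail worth removing or replacing with a generic value.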
Web Application threats, vulnerabilities, and countermeasures
Input validation becomes a security problem when an attacker notices that an application makes assumptions about the attributes of its input data, such as type, range, length, or format. The attacker can then supply malicious input that compromises the Web application.
When the network and host level entry points are secure, the public interfaces exposed by the application are the only remaining avenue of attack. Application input is therefore the obvious place for an attacker to probe the system and the means by which malicious input is delivered. An application without proper input validation may be susceptible to SQL injection, buffer overflow, canonicalization, and cross-site scripting attacks.
An SQL injection attack makes use of input validation weaknesses to execute SQL statements in the database. It can occur when an application uses input data to build dynamic SQL statements for accessing the database, and also when the program code passes strings containing unfiltered user input to stored procedures. By means of SQL injection, the attacker may run arbitrary commands in the database. The vulnerability is magnified if the Web application connects to the database with a privileged account: in that case it is possible to use the database server to retrieve, manipulate, and destroy data, and to run operating system commands, potentially compromising other servers.
Example of SQL Injection
A Web application may be susceptible to SQL injection when it incorporates unvalidated user input into its database queries. Code that builds dynamic SQL statements from unfiltered user input is particularly susceptible. Consider an attacker who injects SQL by terminating the intended SQL statement with '; (a single quote character followed by a semicolon character) to start a new command, and then executes the malicious command.
For instance, entering the string '; DROP TABLE Customers -- into the txtuid field submits the statement SELECT * FROM Users WHERE UserName=''; DROP TABLE Customers --' to the database for execution. This statement deletes the Customers table, assuming that the application's login has sufficient permissions. This is the reason to use a least privileged login in the database.
An attacker can also enter ' OR 1=1 -- into the txtuid field. This builds the statement SELECT * FROM Users WHERE UserName='' OR 1=1 --, which on execution retrieves every row of the Users table, because 1=1 is always true.
The countermeasures to prevent SQL injection include:
• Perform extensive input validation. The Web application should validate its input before making a request to the database.
• Use stored procedures with parameters to access the database, so that input strings are never interpreted as executable statements. An alternative to stored procedures is to use SQL parameters when building SQL commands.
• Use least privileged accounts to connect to the database.
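The following is an added example, not code from the original essay, that puts the ' OR 1=1 -- case from the example above next to the first two countermeasures. It uses Python's built-in sqlite3 driver with a constructed in-memory Users table: one lookup builds the statement by string concatenation, exactly the pattern the text warns about, and the other sends the same input as a SQL parameter. The allow-list username policy is an assumption chosen for the example.

```python
import re
import sqlite3
from typing import List, Tuple


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data (not from the essay): two accounts in Users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT PRIMARY KEY, Role TEXT)")
    conn.executemany(
        "INSERT INTO Users (UserName, Role) VALUES (?, ?)",
        [("alice", "user"), ("bob", "admin")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, txtuid: str) -> List[Tuple[str, str]]:
    """Dynamic SQL built from unfiltered input: whatever is typed into the
    txtuid field becomes part of the statement text."""
    sql = "SELECT * FROM Users WHERE UserName='" + txtuid + "'"
    return conn.execute(sql).fetchall()


def lookup_user_parameterized(conn: sqlite3.Connection, txtuid: str) -> List[Tuple[str, str]]:
    """Same query with a SQL parameter: the value travels separately from the
    statement, so quotes and comment markers inside it are just characters."""
    return conn.execute("SELECT * FROM Users WHERE UserName=?", (txtuid,)).fetchall()


# Assumed allow-list policy: 1-32 characters of letters, digits, dot,
# underscore or hyphen. Anything else is rejected before reaching the database.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def is_valid_username(txtuid: str) -> bool:
    return USERNAME_RE.fullmatch(txtuid) is not None


def lookup_user_defended(conn: sqlite3.Connection, txtuid: str) -> List[Tuple[str, str]]:
    """Countermeasures one and two together: validate first, then parameterize."""
    if not is_valid_username(txtuid):
        raise ValueError("rejected input: does not match username policy")
    return lookup_user_parameterized(conn, txtuid)


def demo() -> Tuple[int, int]:
    """Row counts for the injected input through each lookup: (vulnerable, parameterized)."""
    conn = build_sample_db()
    payload = "' OR 1=1 --"
    return len(lookup_user_vulnerable(conn, payload)), len(lookup_user_parameterized(conn, payload))


if __name__ == "__main__":
    vulnerable_rows, safe_rows = demo()
    print(f"vulnerable query returned {vulnerable_rows} rows, parameterized returned {safe_rows}")
```

With the injected input the concatenated query returns every row, while the parameterized query returns none because no user is literally named ' OR 1=1 --. The '; DROP TABLE Customers -- variant from the text depends on the driver accepting a second statement after the semicolon; sqlite3's execute() refuses stacked statements, which is why the example uses the OR 1=1 form, but many other drivers and servers do accept them. The third countermeasure, a least privileged login, is enforced on the database server rather than in this code and is what limits the damage when the first two fail.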
Human nature invites risk.
People are still the weakest link in the security chain. Human error is one element: for example, a CEO with privileged system credentials opens an email that appears legitimate and from a trusted source but is a well-disguised attack. Poor judgment is another, such as browsing an e-commerce site whose security certificate is invalid. Either can lead to identity theft or trigger the release of malicious code.