Free Essay

Web Application Security

In: Computers and Technology

Submitted By newborn24
Words 1620
Pages 7
Web Server Application Attacks

Brooks Gunn

Professor Nyeanchi

CIS 502

July 10, 2013

Web Server Application Attacks

Many organizations have begun to use web applications instead of client/server or distributed applications. These applications has provided organizations with better network performance, lower cost of ownership, thinner clients, and a way for any user to access the application. We applications significantly reduce the number of software programs that must be installed and maintained in end user workstations (Gregory 2010). Web applications are becoming a primary target for cyber criminals and hackers. They have become major targets because of the enormous amounts of data being shared through these applications and they are so often used to manage valuable information. Some criminals simply just want vandalize and cause harm to operations. There are several different types of web application attacks. Directory traversal, buffer overflows, and SQL injections are three of the more common attacks.

One of the most common attacks on web based applications is directory traversal. This attack’s main purpose is the have an application access a computer file that is not intended to be accessible. It is a form of HTTP exploit in which the hacker will use the software on a Web server to access data in a directory other than the server’s root directory. The hacker could possibly execute commands on the server which will lead to a full compromise of the system. The vulnerability can exist either in the web server software itself or in the web application code. In order to perform a directory traversal attack, all an attacker needs is a web browser and some knowledge on where to find any default files and directories on the system. There are some ways to mitigate the risks of traversal attacks. The developer must make sure that the latest version of their web server software is installed and sure that all patches have been applied to the server. Sensitive configuration files should never be stored inside the web root and all user input should be validated.

Buffer overflows are another way for hackers to attack a web application. A buffer overflow attack is an attempt to cause a malfunction of an application by sending more data to a program than it was designed to handle properly, causing the program to malfunction or abort (Gregory, 2010). The goal of a buffer flow attack is the change the function of a privileged program so that the hacker can ultimately control the program. These attacks are commonly used because they are easy to exploit, but also easy to prevent. Using a safe language, input validation, and implementing an application firewall that will recognize the patterns used in buffer overflows to prevent these attacks are great ways to prevent these attacks. Software patches released by vendors and programs that block known attacks are a common ways to fix the vulnerability of buffer overflows. These patches and programs are very effective at preventing known buffer overflow attacks for specific vulnerabilities, but doesn’t provide protection against unknown attacks for which a patch or program update has not been released. Users must always check for new patches and updates for programs that are released for their system. Numerous methods of defense against buffer overflow attacks have been proposed, but none of them can completely prevent or detect all kinds of buffer overflow attacks. Most of these defenses concentrate on a particular kind of buffer overflow attack.

SQL Injection is a type of web application security vulnerability in which an attacker is able to submit a database SQL command which is executed by a web application, exposing the back-end database. This is one the most prevalent types of web application security vulnerability. Attackers can create, read, and modify, or delete sensitive data by exploiting SQL injection vulnerability. Most SQL injections can be prevented by adopting an input validation technique. The users should be authenticated against a set of defined rules for length, type, and syntax. Least privileges should be given to all users with permission to access the database and the database should be used for a specific application.

Denial of Service attacks is another way to attack Web servers. An attack that disables a service or makes it unreachable to its users is a Denial of Service (DOS) attack (Gregory, 2010). Attackers can carry out this type of attack in two ways. First, by sending a very high volume of messages to a service can cause malfunctions of an operating system. Second, attackers can send specially crafted messages that can cause the application or service to malfunction. Organizations should be sure to implement a strong network infrastructure because this is the first line of defense between the Internet and the web server. The frequency, sophistication, and variety of attacks perpetrated today lend support to the idea that Web security must be implemented through layered and diverse protection mechanisms known as defense-in-depth (Mies, Jansen, Scarfone, Winograd, 2007). There are a few critical tools and techniques that an infrastructure can use to protect against DOS attacks. Firewalls and routers are tools that control the flow of network traffic between networks. The firewall must have the latest patches to ensure protection of the Web server. These devices can be placed at a network boundary and block all unwanted traffic. Demilitarized zone is a technique that prevents outside users from gaining access to an organization’s internal network. This technique makes it harder for attackers to locate a Web Server on an internal network which makes it better protected. It also helps with the control of traffic to and from the Web server. Many organizations use outsourcing for their Web hosting service. This technique allows the Web server to be placed on the third party’s network, so if the Web server is compromised by a DOS attack, it would not have an effect on the organization’s production network.

DOS attack motives are difficult to establish and the damage it inflicts really does not benefit anyone (Spacey, 2011). There are five commonly known motives for DOS attacks. They are revenge, competition, politics, war, or cloaking criminal activity. Revenge is considered the most common reason for DOS attacks. This is carried out by current and ex-employees, angry customers, or anyone that has a dispute with the company. DOS attacks can also damage the reputation which can cause a decrease in sales. Criminals that want to silences political opposition is another motive for DOS attacks. They can be used as a distraction to hide other illegal activities.

There are different ways a criminal can carry out a DOS attack. It is possible to execute many of DOS attacks manually, but specialized attack tools have been developed for the purpose of executing attacks more easily and efficiently. DOS tools have made it easier for attacks to be carried out and more dangerous for targets. One of the tools used by attackers is called hping. This is a basic command line utility similar to the ping utility, but it has more functionality than the sending of a simple ICMP echo request that is the traditional ping. Hping can be used to send large volumes of TCP traffic at a target while spoofing the source IP address. This makes it appear random or originating from a specific user-defined source. A botnet is another technique used to attack. A botnet is a collection of computers under a centralized control that run autonomously and automatically. This technique allows attackers to launch an attack from multiple computers. Attackers use this technique because it amplifies the potential of an attack to cause a denial-of-service. The average botnet size is around 20,000 computers. These computers are called zombies because they are infected with malware and are controlled by an attacker.

Web server application attacks are fairly easy to carry out and it is becoming harder to mitigate these attacks. Tools have been created so that a people that are not highly skilled can perform more complex attacks. It is hard because these attacks are in the form of legitimate transactions and is not considered as something that would cause harm to the online services or an organization’s network infrastructure. Transaction like requesting a Web page can cause the malfunction of a web server if it’s coming from thousands of computers at the same time. This makes it difficult to identify and block a single attack source.

In the future, federal government agencies should implement DOS attack mitigation systems. These systems provide perimeter security for the entire network infrastructure. These mitigation systems should be able to mitigate both known and unknown attacks, have the ability to analyze user activity and detect misbehavior, have the ability to eliminate false positives, and have the ability to mitigated floods with detective hardware. Education and training is the most important step for mitigating these types of attacks. When it comes to security, what you don’t know can and will hurt you. Security professionals should be aware of the organization’s strengths and weaknesses. This can be a valuable indicator for areas to plan for additional training, continuing education, or professional certification.

References Page

Gregory, Peter (2010). CISSP Guide to Security Essentials. Boston, MA: Course Technology

Keromytis, Angelos, Misra, Vishal, Rubenstein, Dan (2003) SOS: An Architecture For Mitigating DDOS Attacks. Retrieved from: http://www.cs.columbia.edu/~angelos/Papers/jsac-sos.pdf

Spacey, John (March, 2011) The 5 Motives for DDOS Attack. Retrieved from: http://simplicable.com/new/the-5-motives-for-DDoS-attack

Tracey, Miles, Jansen, Wayne, Winograd, Theodore (2007). Guidelines on Securing Public Web Servers: Recommendation of the National Institute of Standards and Technology. Retreived from: http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf

Similar Documents

Premium Essay

Web Application Security

...Assignment 7 You may search these terms from the web resource links available under Resources to expand on the terminology and/or usage. If you do so, you must provide the reference to the resource as well as cite in your answer with (author, year, and page or paragraph number(s). 1. Create a Word document and name it CS680-Assignment_7_FirstName_LastName.doc(x) (with your name substituted for first name and last name). 2. Part I: put questions in the above file with their respective question numbers and answers, for the following: • From the SINN book – Chapter 7, Review Questions 2 to 22 even p. 292 • From the GREMB book -- Chapter 10, Review Questions 2 to 20 even pp. 275-277 3. Part II: visit the following three sites: • http://www.ieee.org • http://www.PMI.org • http://www.webappsec.org For Each of the three sides find three societies or special interest groups that deal with security, application security, or Web application security. Write a synopsis of what the organization does, and how the society or special interest group can help you become more successful Web developer when it comes to implementing security into your software design. This question must be answered with at least 60 words each part with proper citations, proper references, and formatting. Combine the answers into the same above file. From the SINN book – Chapter 7, Review Questions 2 to 22 even p. 292 2. _____________ is concerned with what an identity is allowed to......

Words: 2041 - Pages: 9

Free Essay

Security for Web Applications

...RECENT CYBER ATTACKS SANDEEP VEMULAPALLI 12917417 IA-606 ST.CLOUD STATE UNIVERSITY SEP4, 2015 Cyber Attack: The attempt of breaching the security layers of an organization or a system by disrupting the network and there by accessing, stealing, modifying or destroying the valuable data and using the data for fraudulent purposes, causing a loss to the organization is called a Cyber Attack Origin: The idea of cyber attacks began at the earlier development of World Wide Web (www) in this stage there was not much harm to the organization but as there was advancement in technology the number of hackers increased day by day and also the effectiveness of the hacking technology has increased a lot which results a severe damage to the organization In more recent times many organizations like manufacturing companies, IT companies, banks and health care providers have been prone to the cyber theft and they lost huge volume of information which incurred huge losses to the companies. Some of the examples include the attack on Target, Primera Blue Cross, E-Bay, JP Morgan Chase bank Sony PSN and many other. These attacks have happened because of poor security measures and the loopholes in the system by which hackers gained access and made the companies to compromise a huge volume of information. Cyber Attack on Primera Blue Cross: Primera blue cross is one of the leading insurance company in Washington .It has undergone a cyber attack on May 5th and the......

Words: 1000 - Pages: 4

Premium Essay

Directions for Web and E-Commerce Application Security

...National Instituate of Technology,Rourkela Department of Computer Science and Engineering Term Paper on Directions for Web and E-Commerce Applications Security SupervisorProf.P.M. Khilar Submitted byDinesh Shende Roll No-212CS2102 M.Tech(1st year) Directions for Web and E-Commerce Applications Security Abstract: This paper provides directions for web and e-commerce applications security. In particular, access control policies, workflow security, XML security and federated database security issues pertaining to the web and e-commerce applications are discussed. These security measures must be implemented so that they do not inhibit or dissuade the intended e-commerce operation. This paper will discuss pertinent network and computer security issues and will present some of the threats to e-commerce and customer privacy. These threats originate from both hackers as well as the e-commerce site itself. Another threat may originate at ostensibly friendly companies such as DoubleClick, MemberWorks and similar firms that collect customer information and route it to other firms. Much of this transaction information is able to be associated with a specific person making these seemingly friendly actions potential threats to consumer privacy. Many of the issues and countermeasure discussed here come from experiences derived with consulting with clients on how to maintain secure e-commerce facilities. These methods and techniques can be useful in a variety of client and......

Words: 3283 - Pages: 14

Free Essay

Fyt Task 1

...Memo To: Private Investigators LLP From: xxx Date: xxx Re: Cyber Security Analysis This memorandum has been written to outline the current threats facing the XYZ Private Investigation LLP and possible mitigation steps for them. The Cyber Security Analysis was requested and approved by John Smith and the areas reviewed were the production server, client workstations and the web server. Each of these areas were carefully looked at, in some cases employee follow-ups were made to prior complaints and a derivative of the top five threats were documented. The first area of concern is the production server used on a daily basis by your organization and contains vital information to your organization, as well as confidential and personal information about your clients. This server would be an attacker’s main target as it is the central location for data that could prove to be fruitful to an attacker. This area of concern was examined and the top five threats identified were virus protection, backdoor vulnerabilities, system updates and/or patching, physical security and logical security. Production Server The production server is generally a server that runs many crucial services for the daily operations of the network to include active directory and domain name services to name a few. Therefore by not having antivirus software on this system it can be a potential hazard to not only the services, by the data being stored here. Antivirus software today helps......

Words: 2014 - Pages: 9

Free Essay

Ais - Nasdaq Data Breach

...corporation NASDAQ trading policies. The FBI along with exterior forensic associations helped carry out the investigation, despite the fact, NASDAQ OMX did not say when it was launched or when the apprehensive files were established. These files were recognized in a web application called Directors Desk. The search, which is ongoing with the help of securities supervisors, comes as investors are becoming progressively more anxious over the dependability and sanctuary of the rapid resource markets, which in North America and Europe are now more often than not online. NASDAQ Group, which runs equity and underlying assets, currency trade in the United States as well as European countries, did not give information on the hackers or on what they were up to. (Mathew J. Schwartz (2011) The breach under consideration relates to NASDAQ Directors Desk, a detailed communication system to assist board members. The company says the solution is used by over 10,000 directors around the world. It's almost impossible to establish where it comes from, however the powers that be are tracking it. The hackers were competent to set up malware that permitted them to spy on the activities of the Directors Desk folder. The US National Security Agency (NSA) as well as the Federal Bureau of Investigation (FBI) is investigating the incident. Even though, NASDAQ says that it paid out "almost a billion dollars a year on information defense" however even this sum it sounds as if was not sufficient.......

Words: 1401 - Pages: 6

Premium Essay

Stage 3 Umuc Haircuts

...each, linked to specific technology solution proposed) | Usability | High | The web application has to be easy to use because although customers may receive services without utilizing the new system, the employees and Myra will need to use it every day. The rating of High was given because while a customer may call in to schedule an appointment, someone from UMUC haircuts will still be inputting the appointment into the web application. | Maintainability | N/A | The Schedulicity web application is a third party hosted application and therefore all the maintenance and coding is performed by the third party. N/A was given as a rating because Myra, her employees, and customers do not have to maintain any of the system coding and all modifications would be performed by the third party. | Scalability | N/A | Scedulicity is a web-based application that is already used by many other businesses and many of which are much bigger in size than UMUC haircuts. There is a lot of room for growth using the application which will make the addition of more employees and managing of scheduling easy even if Myra’s business grows much larger or even if she were to open additional locations. | Reliability/ Availability | Low | UMUC haircuts will need the system to stay up and running for as long as possible in order for its customers to schedule appointments at any time during any day. Myra relies on the application to be up and running in case any schedule modifications are needed and for......

Words: 1321 - Pages: 6

Premium Essay

Rapport

...a lot of functionality over the web. Is it possible to achieve the same functionality on the web compared to an ordinary windows application? Our work aims towards evaluating which one of the solutions that is the best. Many customers wants a standalone application rich of functionality and demands to have the same functionality on the web. Is it always possible to achieve the costumer’s requirements on a web based solution or do you have to settle with an implementation of a standalone application? There are some factors that the answer depends on: performance, security, usability and implementation. The application that will be tested is developed in .Net and is a maintenance application for Business Intelligence (BI). We will have a short introduction to the Business Intelligence field to make you understand the purpose of the application. Keywords: Data Warehouse, web based, standalone, .NET, Business Intelligence Contents Abstract i Contents ii 1 Introduction 1 2 Background 3 2.1 Business Intelligence 3 2.1.1 The different steps in a Business Intelligence solution 4 2.2 Data Warehouse 4 2.3 Standalone vs. web based application 5 2.3.1 Standalone application 5 2.3.2 Web based application 5 2.3.3 Web or not from a Business Intelligence perspective 7 3 Method 9 3.1 Implementation 9 3.2 Performance 9 3.3 Security 9 3.4 Usability &......

Words: 9000 - Pages: 36

Free Essay

Lab 7 Risk Management in It

...able to: * Gain an overall understanding of an e-business transformation capitalizing on the advent of the Internet technologies and Web applications in a specific business situation. * Summarize your understanding of implementing social networking applications into an e-business model capitalizing on the advent of Internet technologies and Web applications in a specific business situation. * Summarize your understanding of identifying risks, threats, and vulnerabilities relating to Web and social networking applications in an e-business transformation. * Identify various weaknesses in Web site applications. * Understand the life cycle of software development and how security can fit into the model. * Identify the need for Payment Card Industry Data Security Standard (PCI DSS) compliance within an organization. * Identify various open source and proprietary tools used in Web application security assessment and vulnerability scanning. * Identify the available mobile communication devices and the security risks associated with each type of device. Required Source Information and Tools The following tools and resources will be needed to complete this project: * Course textbook * Access to the Internet Project Logistics Activity Name | Assigned | Due | % Grade | Project Part 1: Identify E-Business and E-Commerce Web Apps for Planned Transformation | Unit 1 | Unit 2 | 2 | Project Part 2: Identify Social Networking Apps...

Words: 737 - Pages: 3

Premium Essay

Global Pharmaceutical Industry

...End-to-End Security 5. Junos Pulse 6. Secure Meeting 7. Business Continuity with SSL VPN 8. Hardware, Management and High Availability 2 www.radiusconsultingghana.com Copyright © 2010 Juniper Networks, Inc. www.juniper.net BUSINESS CHALLENGE: GRANT ACCESS VS. ENFORCE SECURITY Maximize Productivity with Access...  Allow partner access to applications (Extranet portal)  Increase employee productivity by providing anytime, anywhere access (Intranet, E-mail, terminal services) …While Enforcing Strict Security  Allow access only to necessary applications and resources for certain users  Mitigate risks from unmanaged endpoints  Customize experience and access for diverse user groups (partners, suppliers, employees)  Enable provisional workers (contractors, outsourcing)  Enforce consistent security policy  Support myriad of devices (smartphones, laptops, kiosks) …And the Solution Must Achieve Positive ROI  Minimize initial CAPEX costs  Lower ongoing administrative and support OPEX costs 3 www.radiusconsultingghana.com Copyright © 2010 Juniper Networks, Inc. www.juniper.net THE SOLUTION: JUNIPER NETWORKS SA SERIES SSL VPN APPLIANCES Mobile User – Cafe  Secure SSL access to remote users from any device or location  Easy access from Web-browsers – no client software to manage  Dynamic, granular access control to manage users and resources SA6500 VoIP Teleworker Business Partner or Customer  Single comprehensive solution to access various application......

Words: 3503 - Pages: 15

Premium Essay

Just Cause

...article put out by Symantec, information technology security measure, on cutting edge and growing threats to internet security. Threats and new ways to make the internet ‘unsafe’ occur every minute and it is up to information technology professionals to play defense and protect the individuals that use it. This was a lengthy article, so I chose to write about some key concepts I found interesting and would like to talk about. The first issue I am discussing is financial institutions protecting against cybercriminals. A large number of financial intuitions were severely affected by the latest global financial crisis. This in turn caused many of these institutes to shut down or merge with each other. With such a headache and instability, you would think cybercriminals would stay away from this. On the contrary; in 2009, one year after the worst financial crisis since the Great Depression, the financial sector was still one of the top targeted by phishing attacks. Phishing is a term that is used when someone is trying to con you into getting sensitive data from a user in an ‘unethical’ way. Financial institutes were targeted by fishing 74% compared to other sectors. In comparison, retail stores were targeted 6% and insurance companies 3%. A lot of fishing is used by the elderly who, unwillingly, appear to be naïve. Baby boomers are a little more willing to give up information such as checking account number, social security number, birth date, and the list goes on. ......

Words: 666 - Pages: 3

Free Essay

Rich Internet Application

...the web has been embraced by millions of businesses as an economical network to communicate and exchange information with prospective clients. Along with businesses, this is also very popular among almost every individual using the internet for various purposes, be it a student, a patient, or a housewife. The web provides a mode for marketers to get to know what people visiting their sites are looking for and connecting with them in order to provide satisfactory services. The web is an exceptional sales channel for any type of organization be it schools, hospitals, businesses, etc. Despite their numerous advantages, web applications also have many drawbacks like security concerns due to improper coding or very weak firewall protection. This gives way to hackers who gain access to databases containing sensitive data like credit card information, social security information, phone numbers, and even home addresses. A virus can be used to bring the entire online business down for minutes, hours, and days causing a huge loss. Businesses need extra security to protect critical personal information of customers in order to gain customer faith and loyalty. There are many limitations of web as well such incompatibility of web apps with native apps in many areas, limited access to smartphone hardware making simple tasks like saving photos more difficult, and same app may look different across different browsers confusing mainly the older generation, etc. Rich Internet Application......

Words: 842 - Pages: 4

Free Essay

Case Study 14.1- Supply Chain Management

...because in a job market, there is short supply of skills such as database designer and database administrator. Without the specific faculty, it creates a risk to manage the database. The installation and administration expenses include updating software and installing of database and hardware. The translation cost includes the converting cost of older application into database environment. Instead of converting the hospital can choose new system. There is a need for the backup and recovery because the framework expenses are connected with those strategies. A hospital must predict the data administration cost and other activities cost related to data definition, ownership and maintenance. 6. Mountain View Hospital could use web based applications in a few ways. * Internet hospital personnel uses web based applications to create an intranet to access the databases. * Extranet application is used to third party billing with the insurance companies so hospital examines the application. * Online application permits to access the medical database and prescription drug database. The major advantage of web based application is reorganization that practice as a third party billing...

Words: 410 - Pages: 2

Free Essay

Cis 207 Week 1

...systems that have affected business in the past few years. For each system, briefly note the following:  * The system's name * The area of business it affects * What changes the system brought to the business world * What business processes changed because of the system * The system's likely future effect 1. The system's name: Social Media, i.e., Facebook, Twitter, etc. The area of business it affects: From banking to advertising, it affects all areas of business What changes the system brought to the business world: Helping them reach larger audiences; giving more choices to consumers, and made business more competitive overall. What business processes changed because of the system: Marketing, business conduct, security, etc. The system's likely future effect: More use of social media in every aspect of life. 2. The system's name: Cloud Computing The area of business it affects: From banking to advertising, it affects all areas of business What changes the system brought to the business world: Helping them reach larger audiences; giving more choices to consumers, and made business more competitive overall. What business processes changed because of the system: The way business's store and process data. The system's likely future effect: Continues use of "server" farms to store and process data. 3. The system's name: Mobile Systems The area of business it affects: From banking to advertising, it affects all areas of......

Words: 444 - Pages: 2

Premium Essay

Wearable Technology

...Internet Applications and Smart Wearable Devices Paul Kenneth Travers Instructor: Janet Durgin Course: ISSC640 American Military University September 20, 2015 Topic: The topic of this paper will be about Internet applications and wearable smart devices. Thesis: Smart wearable devices have become very popular over the last few years and being able to connect to the Internet with these devices has been very appealing. Although smart wearable devices have applications that connect to the Internet or other devices to communicate, the devices that are being made have proprietary functions that force buyers to stay with one brand and the hope that this trend continue as web-enabled applications continue to be developed. Introduction The Internet is basically a bunch of networks interconnected to make information available in one location so that anyone can view. The Internet allows devices that have wireless capabilities to connect with applications to share information. Wearable devices are currently a hot topic and being able to connect to the network and share statistics collected by the devices has been a great deal for consumers. Wearable devices have changed the technology world by giving the consumer access to Internet based applications right from their wrist. These applications are making it possible for wearable devices to send information over the Internet to websites for consumers to track goals and health statistics for popular health apps and......

Words: 1914 - Pages: 8

Premium Essay

E-Compensation

...After accessing the advantages and disadvantages of using a Web-based compensation tool versus a client-server in my opinion I think the client –server is beneficial. “Thin-client technology was designed to make the Information Technology administrator’s job easier. With the arrival of thin clients, administrators no longer had to install a product update or a service release on a client desktop; they could use think technology to connect to a remote server and run all applications from a single point. But for a while, the technology had one major flaw: It required the installation of a software product on the desktop. Thin-client technology lets companies serve applications to graphical terminals in a manner similar to that used with legacy mainframe technology. Thin clients resemble today’s client/server systems but actually function as time-sharing clients on which applications are remotely displayed (Seltzer A. Mark, 2001). A client-server is beneficial because it can be controlled locally versus a web-based server has to be controlled through a provider. Web-based servers can only be accessed through internet based but a client-based server can be accessed by any local network. A client-based server is in full control whereas a web-based server is not in control of the software on hand. “Job evaluation creates an internal hierarchy of value. In the most common form of job evaluation, a set of factors is developed that reflects characteristics that add value to work......

Words: 2311 - Pages: 10