Journal of Mobile, Embedded and Distributed Systems, vol. III, no. 1, 2011
ISSN 2067
Vulnerability Analysis in Web Distributed Applications
Ion Ivan, Dragos Palaghita, Sorin Vinturis, Mihai Doinea
Informatics Economic Department, Academy of Economic Studies, Bucharest, ROMANIA
ionivan@ase.ro, dpalaghita@gmail.com, sorin.vinturis@yahoo.com, mihai.doinea@ie.ase.ro
The paper analyzes vulnerabilities found in web based distributed applications from different perspectives. Classes of vulnerability types are identified in order to cope with the different characteristics that each one develops. Methods for analyzing the vulnerabilities of an authentication process are developed and solutions are proposed. A model for vulnerability minimization is discussed, based on an indicator built on the amount of sensitive data revealed to the end users. Risks are analyzed together with the vulnerabilities that they exploit and measures are identified to combat these pairs.

Keywords: security, vulnerabilities, risks, optimization, distributed applications.
1. Vulnerability Types
Vulnerabilities are constituted in classes which are susceptible to certain types of attacks.

Authentication is the vulnerability class that is open to attacks that aim to corrupt validation procedures meant to establish the identity of application users. Here are some ways of attack:
- brute force, the method of trying all combinations of symbols to form a password; this is a long process that is based on a dictionary of words. This type of attack is hampered by:
  • using complex passwords that contain a combination of alphanumeric characters with symbols;
  • blocking access after a given number of unsuccessful login attempts.
- exploitation of non-efficient authentication caused by poor programming which allows access to protected resources without the need for identity verification. This type of attack is prevented by:
  • implementation of efficient validation;
  • form based authentication, in order not to permit accessing a protected page by inputting its address.

Arbitrary code execution represents the class of vulnerabilities that are susceptible to remote code that is able to run on the distributed application system. Types of attacks related to it are:
- buffer overflow is a common method to overwrite memory, through which system instability is obtained by writing code on the stack; according to [1] this type of attack is prevented by using strict length restrictions for fields that accept input from outside the application;
- SQL injection is represented by inserting SQL statements that run on the SQL database; to avoid this type of situation it is required to implement meticulous validation of input supplied by the user and not use it directly in SQL syntax; according to [2] SQL injection damage is prevented by ensuring that the database system used runs with the minimum privileges and under an account different from the system or SYSDBA;
- SSI injection is achieved by inserting code in the application that is executed on the server when the page is delivered; the command “<!--#exec cmd="ls" -->” lists current directory contents in a Unix system; this type of attack is prevented by checking user input and rejecting it if it does not satisfy the set character restrictions;
Vulnerabilities that disclose confidential information make up a separate class and are mainly caused by mismanagement of application resources:
- existence of pages that serve administrative purposes unprotected from unauthorized access;
- leaks are obtained through error messages that reveal snippets of source code lines or phrases about database information to the attacker and facilitate his attempts to destabilize the application; they are prevented by careful examination of the data: if the information appears through an error, it is best to treat custom errors in the application and sanitize the output in order to prevent data disclosure;
- editing hidden fields in the pages that access the website properties; according to [1], altering them changes the page content values stored in fields intended for internal use by the application; such a type of attack is prevented by not using hidden controls or, if necessary, by blocking external access to the values stored in them.

The security level is in a directly proportional relationship with the degree of validation of user input data. The best method of validation is to treat all non-application entries as bad, as it diminishes the chances of producing an attack in this way.

The human factor represents a large array of security problems:
- using the same password in more than one application is hazardous as it may cause a chain reaction if one of the applications is malicious and registers the user account information;
- storing the password phrase in a place that is accessible to foreign individuals that can gain access to it; it is also unsafe to use applications that store the user credentials in clear text without using any type of encryption;
- using passphrases that are directly related to the individual, like birthdays, family name or others that are easy to guess.

The human factor influence is reduced by specific training on user account management, security procedures and computer security. It is important to point out the risks of the individual and organizational damage that can be inflicted by the misinterpretation of security policies.
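Two of the countermeasures above, not using user input directly in SQL syntax and blocking access after a given number of unsuccessful login attempts, shown side by side in an added example that is not part of the paper. The user table, the attempt limit and the stored "hash" values are constructed placeholders.

```python
import sqlite3
from collections import defaultdict

MAX_ATTEMPTS = 3  # assumed policy: lock the account after this many failures


def make_db():
    """Constructed in-memory user table for the demonstration only."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    con.execute("INSERT INTO users VALUES ('o''brien', 'h1')")  # placeholder hash
    con.commit()
    return con


def lookup_vulnerable(con, name):
    """User input is spliced into the SQL text, so any quote or SQL
    fragment in it becomes part of the statement the database runs."""
    sql = "SELECT pw_hash FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchone()


def lookup_safe(con, name):
    """Parameterised query: the driver passes the value separately, so the
    input can never change the structure of the statement."""
    return con.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()


def input_alters_statement(con, name):
    """True when the concatenated query no longer parses, i.e. the input was
    interpreted as SQL syntax instead of as a plain value."""
    try:
        lookup_vulnerable(con, name)
        return False
    except sqlite3.OperationalError:
        return True


class LoginGuard:
    """Counts failed logins per account and refuses further attempts once
    the limit is reached, which is what hampers brute force guessing."""

    def __init__(self, limit=MAX_ATTEMPTS):
        self.limit = limit
        self.failures = defaultdict(int)

    def attempt(self, con, name, pw_hash):
        if self.failures[name] >= self.limit:
            return "locked"
        row = lookup_safe(con, name)
        if row is not None and row[0] == pw_hash:  # real code compares password hashes
            self.failures[name] = 0
            return "ok"
        self.failures[name] += 1
        return "denied"
```

A legitimate name containing an apostrophe is enough to show the difference: the concatenated query breaks on it while the parameterised one returns the row.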
2. Methods for Analyzing Vulnerabilities of Authentication Process

Use case analysis represents the activities undertaken to determine, starting from the regular use cases, the attack possibilities and to represent them as misuse cases for the AVIO product. The developed analysis identifies paths that are open to cybernetic attacks initiated by inside or outside entities. Figure 1 presents the result of the use case analysis, integrating attack methods that affect AVIO standard operation. These results of the use case analysis activities are defined by the identification of possible attacks on operations allowed within AVIO, by determining the situations that are favorable to an attacker and through which he gains access to confidential information or provokes damage to the software system. In the use case analysis, protection method identification is done by finding means and measures that handle the unwanted effects of a cybernetic attack or directly prevent it from happening. To this extent the use case diagram is altered by adding methods that aim to improve the security level of AVIO. These methods are presented in Figure 2, which presents new elements that are meant to develop an efficient security system by tackling attack types identified in the use case analysis. By determining the countermeasures aimed at stopping or minimizing the effects of an informatics attack, the information necessary for risk analysis and management is obtained. The structural analysis of AVIO is represented by planned activities in order to determine the methods that produce attacks by taking advantage of structural deficiencies in AVIO.
Figure 1. Misuse case AVIO 
3. Vulnerability Minimization Model

The vulnerability minimization is viewed as a process of improvement by transforming A into B with resource costs, but with some performance improvements which help the entire system to be more efficient because:
- it uses the existing set of resources;
- achieves better quality, measured by specialized built-in metrics.

The minimization of vulnerabilities must have all the components required for an optimization problem:
- all the information given about the problem which needs to be solved;
- the searched result which is obtained by resolving the problem in question.

These two components are represented by:
the function
defined as
constraints over the
for which
referring tovulnerability minimization;
defined as a local minimum forwhich there exists some
, so thatfor
such that
, theexpression
holds.

Minimizing the level of vulnerability for a web based distributed application means improving security. The minimization of the system's vulnerabilities can be traced and realized at the following levels:
- the physical level of vulnerability, which when improved can increase the safety of hardware equipment and access areas;
- the communication vulnerability level, which can be achieved by decreasing the degree in which sensitive information is partially or totally revealed to end-users;
- the authentication vulnerability level, achieved by an adaptive algorithm which tries to lower the number of authentication flaws;