
International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)

Web Site: www.ijettcs.org Email: editor@ijettcs.org, editorijettcs@gmail.com Volume 2, Issue 1, January February 2013 ISSN 2278-6856

Top Five Dangerous Security Risks over Web Application


Assist. Prof. Parvin V. Ami, Assist. Prof. S. C. Malav
B. K. Mehta IT Center, Palanpur, Banaskantha, Gujarat - 385001, India

Abstract: As per a survey from January 2013, almost 629,939,191 web sites are hosted on the internet [1]. Among them, 70% of websites are vulnerable to various methods such as SQL Injection, Inclusion attack, Cross Site Scripting, Brute force attack and Insecure Cryptographic Storage. This paper presents the most serious security risks that currently exist in web applications and cause public concern. McAfee has revealed that 49 per cent of US and Europe based online businesses experienced a security incident, and almost every second business lost an average of $35,000 in revenue, plus had to spend an average of $50,000 to fix the problem [2]. So this paper identifies and discusses five web application vulnerabilities, detailing the opinions of researchers and OWASP regarding risk assessment and protection.

Keywords: web hacking, vulnerability analysis, most critical vulnerabilities, SQL Injection, Local/Remote File Inclusion, Brute force attack prevention techniques of web attack, hacking countermeasures.

1. INTRODUCTION
The Internet is a fascinating and multi-faceted technology. A survey by the internet world states that the total population of the world is 7,017,846,922 and of them around 2,405,518,376 people are considered internet users [2]. A survey by Netcraft in Jan 2013 found approximately 629,939,191 web sites hosted on servers. We are able to find almost any type of information; the internet is like an open encyclopedia or acts like a news network. We are able to share information, send messages or establish communication with any person. But as per statistics, 60% of resources on the internet are not safe.

Figure 1 Common Vulnerability Statistics [9]

As per the survey, 50% of websites are affected by cross site scripting attacks while 20% of websites are vulnerable to SQL injection attacks. 10% of websites are affected by inclusion vulnerabilities such as local and remote file inclusion attacks, while 20% of websites are vulnerable to brute force attacks. All these vulnerabilities provide an easy and common platform for stealing users' information. Due to such common vulnerabilities hackers are able to steal the data, tamper with the data, and use users' information for illegal purposes. Millions of juicy targets are available to hackers, from which they are able to steal or manipulate the data of visitors. Therefore in this paper we present a comprehensive advisory, risk assessment and protection against the top five most common security risks.

2. SQL INJECTION
SQL Injection is one of the most common techniques an attacker may use to enumerate or exploit a database. The attacker is able to alter the back-end SQL statement by manipulating the user inputs of the application. SQL injection is an easy but most serious threat to any site or application that contains a database. The attacker can insert, update or delete entries in the database. SQL injection is not limited to any specific database type but may be performed on almost any type of database. Certain SQL servers such as Microsoft SQL Server contain stored and extended procedures. An attacker can compromise the entire server if he succeeds in obtaining access to these procedures [4]. This technique allows an attacker to retrieve crucial information from a web server's database. This kind of attack deals with information leakage: the attacker is able to execute many operations such as INSERT, UPDATE or DELETE. It is even possible to execute stored procedures and then steal data.

Countermeasures
1. Connect to the database using limited users. Restrict privileges.
2. Keep the PHP magic_quotes_gpc function on.
3. Restrict user input with mysql_real_escape_string.
4. Use type casting.

3. INCLUSION ATTACKS
Inclusion attacks come in two different forms: local file inclusion and remote file inclusion. Developers often need to incorporate numerous resources into their web applications; database content, images, PHP classes and more are all combined together. For this purpose they generally use the include function to locate the resources. The programmer may locate a file which is available locally, or may call a file which is hosted somewhere else [4]. In both cases the include function is used to perform this operation. This is not a safe approach, because the ability to execute an arbitrary file as code is unquestionably a security risk and should be protected against. However, the process of exploitation can be rather involved and is commonly misunderstood. In this section we clarify the risks and the complications involved in exploitation.

3.1 Local File Inclusion
Generically, a file inclusion vulnerability is the dynamic execution of interpreted code loaded from a file. Before we reach prevention, let us first examine the vulnerable code below.

<?php include("includes/" . $_GET['file']); ?>

Because of the above vulnerable code, the attacker is able to control the file variable and can thereby force the application to execute an arbitrary file as code [5].

3.2 Remote File Inclusion
This file could be loaded remotely from an http/ftp server in the case of remote inclusions, or, as we explained, locally from disk. Generally, remote file inclusion vulnerabilities are trivial to exploit.

<?php include($_GET['file']); ?>

Remote file inclusion (RFI) depends on the same error as local file inclusion. By this method the attacker can access any file from a remote server if the website is vulnerable to RFI. For example, we have two websites: site1.com, which is vulnerable to RFI, and site2.com, which is the website where the attacker has uploaded a malicious script, for example a shell. Now the attacker may access and execute the script which he uploaded through the vulnerable website [5].

Countermeasures
1. To protect against inclusion attacks, make sure that up-to-date scripts are in use, and make sure that the server php.ini file has register_globals, allow_url_fopen and allow_url_include disabled.
2. Strongly validate the user's input.
3. The most common protection mechanism against inclusion attacks is based on signatures for known vulnerabilities in the Web Application Firewall (WAF).
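One way to apply countermeasures 1 and 2 of section 3, as an added example that is not code from the paper: the request value is used only as a key into a fixed allow-list, and the php.ini directives named above are checked at run time. The page keys, file names and function names are hypothetical.

```php
<?php
// Hypothetical page keys and file names; the request value is only ever
// used as a key into this list, never as part of a path.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the path to include, or null when the request must be rejected.
function resolveInclude(string $baseDir, string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    return rtrim($baseDir, '/') . '/' . ALLOWED_PAGES[$requested];
}

// Reports which of the php.ini settings from the countermeasures are enabled.
function riskyIniSettings(): array
{
    $enabled = [];
    foreach (['register_globals', 'allow_url_fopen', 'allow_url_include'] as $name) {
        // ini_get() returns false for a directive this PHP version lacks.
        if (filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN)) {
            $enabled[] = $name;
        }
    }
    return $enabled;
}

// Constructed request values: one legitimate key, one path outside
// includes/, and one remote URL on the paper's example host site2.com.
$samples = ['about', '../outside/file', 'http://site2.com/script.txt'];
foreach ($samples as $value) {
    $path = resolveInclude(__DIR__ . '/includes', $value);
    printf("%-30s => %s\n", $value, $path ?? 'rejected');
    // A real handler would continue with: if ($path !== null) { include $path; }
}
print_r(riskyIniSettings());
```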

4. CROSS SITE SCRIPTING


Cross site scripting, also known as XSS, is a common application-layer web attack that is gaining popularity among attackers as an easy exposure to find in web sites. XSS in itself is a threat which is brought about by the internet security weaknesses of client-side scripting languages such as HTML and JavaScript. Generally there are three types of XSS: (1) Reflected (persistence) XSS, (2) Stored (Transient) XSS, (3) DOM based XSS. This type of vulnerability may be found if the web application has search functionality. XSS vulnerabilities target scripts embedded in a page which are executed on the client side (in the user's web browser) rather than on the server side. Every month cross-site scripting attacks are found in commercial sites and advisories are published explaining the threat. XSS is the most common security vulnerability in software today. An attacker can steal and use a user's cookie before the user's session cookie expires. An attacker can connect users to a malicious server of the attacker's choice [6].

Countermeasures
1. Disabling scripting languages in the web browser as well as in the HTML-enabled e-mail client provides the most protection.
2. Properly filter and validate the input received.
3. Properly encode or filter the output returned to the user.
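Countermeasure 3 of section 4 applied to the search functionality mentioned above, as an added example that is not code from the paper. The function names and search terms are constructed; the same term is written into HTML text and into a quoted attribute to show why quotes must be encoded too.

```php
<?php
// Encode a value for use in HTML text or inside a quoted attribute value.
function e(string $value): string
{
    // ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces
    // invalid UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the search term is echoed back unchanged.
function renderSearchRaw(string $term): string
{
    return "<p>Results for: $term</p>"
         . "<input name='q' value='$term'>";
}

// Hardened pattern: every copy of the term is encoded on output.
function renderSearchEncoded(string $term): string
{
    return '<p>Results for: ' . e($term) . '</p>'
         . "<input name='q' value='" . e($term) . "'>";
}

// Constructed search terms: a normal query, markup in the text context,
// and a quote that would end the attribute value if left unencoded.
$samples = [
    'web security',
    '<script>alert(1)</script>',
    "x' onfocus='alert(1)",
];
foreach ($samples as $term) {
    echo renderSearchRaw($term), "\n";
    echo renderSearchEncoded($term), "\n\n";
}
```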

5. BRUTE FORCE ATTACK


Certain protocols are affected by brute force attacks, such as FTP, Terminal Service, IMAP, POP3 and SMTP. In a brute force attack, attackers try all possible combinations of words on the target system using an automated script. Brute forcing can also be done on encryption, where the attacker is able to recover the real string by brute forcing the hash value. Generally most people use weak or common passwords such as numeric values or phone numbers, birth date information, vehicle numbers etc. In such cases it is very easy to gain the user's password by the brute forcing method. There are thousands of software programs on the internet which are able to easily exploit such weak passwords. In fact, it is a password attack that does not attempt to decrypt any information, but continues to try different passwords. Brute force can be done in different ways; for example, the attacker may use all the dictionary words against the target if he believes or has reason to believe. A brute force attack is a traditional attack and may be time consuming. There is no specific time for this attack to succeed; the attack may take a couple of hours or several days to produce the desired output. However, it is also possible that after waiting for months the attack may fail. The amount of time it takes to complete these attacks depends on how complicated the password is and how well the attacker knows the target [7].

Countermeasure
1. At the application layer you may use a CAPTCHA system.
2. You should restrict the limit of false password attempts.
3. Users should be advised to change their password often.
4. Passwords should not be common; for example, you should make a password with a combination of characters, numerals and special characters.

such vulnerabilities' impact is dangerous, so our approach is to defeat the vulnerability by detailing the researchers' opinions and implementing simple but effective and easily applicable prevention patches. The paper provides some recommendations for adapting these five web application vulnerabilities.
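The attempt limit from countermeasure 2 of section 5, as an added example that is not code from the paper. The class name, the limit of 5 failures and the 900-second window are hypothetical, and state is held in memory so the run is self-contained.

```php
<?php
// In-memory failed-login limiter. The limit and window are hypothetical;
// production code would keep this state in a shared store.
final class LoginThrottle
{
    private const MAX_FAILURES = 5;    // failures allowed per window
    private const WINDOW = 900;        // window length in seconds
    private array $failures = [];      // account => failure timestamps

    public function isLocked(string $account, int $now): bool
    {
        // Forget failures that have aged out of the window.
        $recent = array_filter(
            $this->failures[$account] ?? [],
            fn (int $t): bool => $t > $now - self::WINDOW
        );
        $this->failures[$account] = array_values($recent);
        return count($recent) >= self::MAX_FAILURES;
    }

    public function recordFailure(string $account, int $now): void
    {
        $this->failures[$account][] = $now;
    }

    public function recordSuccess(string $account): void
    {
        unset($this->failures[$account]);
    }
}

// Constructed run: eight wrong guesses against one account, 10 s apart,
// then a lock check after the window has passed.
$throttle = new LoginThrottle();
$start = 1357000000;
for ($i = 0; $i < 8; $i++) {
    $now = $start + 10 * $i;
    if ($throttle->isLocked('alice', $now)) {
        echo "attempt $i: locked, password not checked\n";
        continue;
    }
    $throttle->recordFailure('alice', $now);   // password check failed
    echo "attempt $i: wrong password recorded\n";
}
var_dump($throttle->isLocked('alice', $start + 70 + 901));
```

Keying the counter on the account alone lets anyone lock a user out, so deployments often count per source address as well.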

References
[1] January 2013 Web Server Survey, http://news.netcraft.com/ [opened on 11/01/2013]
[2] INTERNET USAGE STATISTICS, The Internet Big Picture: World Internet Users and Population Stats

6. INSECURE CRYPTOGRAPHIC STORAGE


Most web applications use a database so that they can store data. Most programmers who care about security use different encryption for storing the data, such as md5, sha1, sha256 etc. However, there are many attacks associated with it, and weak encryption based attacks target the implementation or the algorithm itself that is used in implementing password based authentication. In some cases, the implementation of a password based authentication system uses encryption techniques. If the attacker has access to the location where the passwords are stored, and if there are suitable conditions for the attacker to break the passwords, then it is pretty much a situation of compromise. Web applications sometimes use cryptographic functions in order to secure data. Unless these functions are coded properly For example, a web application stores data in a database after converting it with the md5 algorithm; in this case, if the attacker gains the hash value, there is still a risk for the application that the attacker may decode the md5 hash using brute forcing techniques, or he may use a rainbow attack to gain the real string [8].

Countermeasures
1. One should use only approved public algorithms. These include AES, RSA and public key.
2. Store private keys with care. Try not to submit a key over channels that are not guaranteed secure.
3. Use salted hashing techniques, add your own logical operations on it.
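The md5 weakness described in section 6 beside salted hashing from countermeasure 3, as an added example that is not code from the paper. It uses password_hash, PHP's built-in salted password hashing API, rather than a hand-built scheme; the user names, sample passwords and the cost of 12 are constructed.

```php
<?php
// Constructed sample passwords: two users picked the same one.
$passwords = ['alice' => 'Summer2013!', 'bob' => 'Summer2013!'];

// Unsalted MD5: identical passwords give identical digests, so one
// precomputed (rainbow) table lookup recovers both.
$md5 = array_map('md5', $passwords);
var_dump($md5['alice'] === $md5['bob']);

// Salted hashing: a random salt is generated per call and stored
// inside the resulting string, so the two hashes differ.
$stored = [];
foreach ($passwords as $user => $password) {
    $stored[$user] = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}
var_dump($stored['alice'] === $stored['bob']);

// Login check, with a transparent upgrade when the cost is raised later.
function checkLogin(array &$stored, string $user, string $password): bool
{
    if (!isset($stored[$user]) || !password_verify($password, $stored[$user])) {
        return false;
    }
    if (password_needs_rehash($stored[$user], PASSWORD_BCRYPT, ['cost' => 12])) {
        $stored[$user] = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    }
    return true;
}

var_dump(checkLogin($stored, 'alice', 'Summer2013!'));
var_dump(checkLogin($stored, 'alice', 'summer2013'));
```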

www.internetworldstats.com/stats.htm [opened on 11/01/2013]
[3] Hasan, Ashikali M., Hackers Eye with CD (English Edition), Computer World.
[4] Joel Scambray, Mike Shema, Joel Scambray, Hacking Exposed Web App, Tata McGraw-Hill Education, 2006, ISBN 978-0070619807
[5] Jason Andress, Ryan Linn, Coding for Penetration Testers: Building Better Tools, Elsevier, 2011, ISBN 978-1597497305
[6] Jeremiah Grossman, XSS Attacks: Cross Site Scripting Exploits and Defense, Syngress Media, Elsevier Limited, Oxford, 2007, ISBN 9781597491549
[7] Ryan C. Barnett, Preventing Web Attacks With Apache, Addison-Wesley, 2006, ISBN 9780321321282
[8] Denise Sutherland, Mark Koltko-Rivera, Cracking Codes and Cryptograms For Dummies, John Wiley & Sons, 2009, ISBN 978-0470591000
[9] http://nvd.nist.gov/ National Vulnerability Database Version 2.2, visited on 27th Jan 2013

AUTHOR
Assist. Prof. Parvin V. Ami has achieved Engineering in computer science and has completed her master in Information System. Currently she is working as Assistant Professor in B.K Mehta IT Center. Articles have been published in international journals. Her areas of interest are computer forensics, database security, penetration testing, system programming, e-commerce model designing and implementation, network security and computer security.

Assist. Prof. S. C. Malav has achieved Engineering in computer science and has completed his master in Computer Science. Currently he is working as Assistant Professor in B.K Mehta IT Center. Articles have been published in international journals. His areas of interest are database security, system programming, e-commerce applications and computer security.

7. CONCLUSION
In this paper we have highlighted the top five common but dangerous web application threats, which are SQL Injection attack, Inclusion attack, Cross Site Scripting attack, Brute force attack and Insecure Cryptographic Storage. Sometimes a simple mistake produces such a risk, which may harm the entire structure at a major level and