A SOLUTION FOR ATTACK VECTORS AGAINST
WEB APPLICATIONS USING AJAX
ABSTRACT
Web applications are the predominant kind of application accessed over a
network such as the Internet. They are presentation-oriented: they generate
interactive pages containing markup (HTML, XML, and so on) and dynamic content in
response to requests. Given the volume of traffic on today's web, security measures
and preventive approaches are essential to protect web applications from criminals,
who increasingly target these applications for identity theft and other profitable
illegal activity.
Modern tools and technologies such as AJAX make web applications simpler and more
user friendly. By design, an AJAX application makes many calls to the web server to
process a single user request. Each of those calls is a separate endpoint that has to
be protected: the larger number of requests widens the exposure of any weakness in
session management, and the many URLs that AJAX requests depend on, often not
visible in the page itself, give an attacker more to discover and abuse. High-end web
security measures are therefore needed to protect such sites.
Web security is the act of protecting applications and their legitimate users from
malicious threats. The solution presented here addresses two of the most common
threats: cross-site request forgery (CSRF, together with its relative cross-site
scripting, XSS) on the client side, and SQL injection on the server side.
INTRODUCTION
• A web application is a software application that users access
over the Internet.
• Two variants:
– Static web sites
– Dynamic web applications
• Static web sites consist of content-oriented pages, as used for
blogs and wiki sites.
• Dynamic web applications are interactive, service-oriented
applications that store and process content.
• Developed with browser-supported scripting and markup
languages on the client side and efficient server-side
programming.
• Used for social networking, e-commerce business
applications, and so on.
WEB SECURITY
• Sensitive data is increasingly spread across the network.
• The number of reported vulnerabilities and security incidents
grows with the wide availability of that data.
• Web applications should enforce
– Confidentiality
– Integrity
– Availability
– Authentication
– Authorization
• Common vulnerabilities
– SQL injection attacks
– CSRF (cross-site request forgery) and XSS (cross-site scripting) attacks
SQL Injection Attack
• SQLIA is a server-side attack that manipulates the content of the
back-end database system.
• Malformed query fragments embedded in input data change the
structure of the query the server executes.
• Attacks confidentiality, integrity and availability.
• Unauthorized access to the database, and injected DML/DDL
statements that alter or destroy data.
• Common SQL injection formats (the injected value closes the quoted
string early and -- comments out the rest of the original query):
– Tautologies: OR 1=1 makes the WHERE clause true for every row.
• SELECT u.name FROM users u WHERE u.login='' OR 1=1 -- ' AND u.passwd='***'
– UNION queries: the attacker's own SELECT appends rows from another table to the result.
• SELECT acct FROM users WHERE login='' UNION SELECT transaction FROM transactions WHERE
acct_no=9012 -- ' AND passwd='****'
– Piggy-backed queries: a statement separator starts a second, unrelated statement.
• SELECT name FROM users WHERE login='xyz' AND passwd='***'; DROP TABLE system.users
SQLIA Existing Solutions
SQL injection
• Syntax analysis of the query to detect structural changes before execution.
• Allow-list and block-list input patterns.
• Parameterized (prepared) statements with bound parameters.
SQLIA Proposed Solution
SQL Injection Attack prevention
– Encode (encrypt) and decode the crucial data fields.
– The encrypted form is what is persisted in the database system.
– The user's input is encrypted before the query is built, so it reaches
the query only in encoded form.
– The critical data is decrypted on retrieval from the database.
Advantages:
– A malformed query cannot be formed from the protected fields, because
the encoded form contains no SQL metacharacters.
– No query preprocessing or manual input checks are required for those fields.
Disadvantages:
– Requires additional space to store cipher data instead of plain
data.
– Only fields that pass through the encode step are protected; every
other field still needs parameterized statements.
– Lookups by an encrypted value need the same deterministic encoding
at insert time and at query time.
CSRF (Cross Site Request Forgery) Attack
• XSS (cross-site scripting) is a client-side script attack: attacker-supplied
script embedded in a page is executed in the victim's browser.
• Such script can read the session cookie and hijack the legitimate user's session.
• CSRF is related but distinct: it makes the victim's browser send unauthorized
commands to the server carrying the valid user's credentials, without needing
any script to run on the target site.
• Malicious script or URLs are embedded in blog content or hidden in
image tags.
– <img src="http://buggy-site.com/hacked"/>
• Used for identity theft and to subvert business
transactions.
• Unauthorized posting of crucial form data.
– <script>document.getElementById('form').submit()</script>
Existing Solutions
XSS and CSRF prevention
– User input validation
– HTML encoding of output characters
– Binding the session to the client IP address
– Limiting session lifetime
– Disabling client-side script execution
CSRF Proposed Solution
• CSRF prevention approach
– Require a secret XSRF token with every state-changing GET and POST request.
– Generate a fresh, unpredictable XSRF token each time a form page is served.
– Carry the XSRF token in the form page on the client side (as a hidden field).
– On the server side, validate the token in the posted form data against the
token previously generated for that session.
<form action="fundTransfer.do" method="POST">
<input type="hidden" name="xsrfSecretToken" value="qiou3hkps986hn"/>
<input type="text" name="amount"/>
<input type="submit" value="Send">
</form>
Advantages:
– Unauthorized form submissions are blocked: a request forged from another
site cannot include the token.
– The token must be random, bound to the session and compared in constant
time; AJAX requests need to send it as well (for example in a request header),
and XSS on the same origin can still read it, so XSS defences remain necessary.
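The server side of the token scheme above, as an added example that is not part of the original deck: a fresh token is issued whenever the fundTransfer.do form is rendered, bound to the session with an HMAC so it cannot be replayed from another session, and checked in constant time on submission. A forged request such as the <img> or auto-submitted form from the attack slide cannot carry the token and is refused. The server key, the session ids, the X-XSRF-Token header used for AJAX requests, and the function names are this example's assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: one secret per deployment, generated at startup and never sent to the client.
SERVER_KEY = secrets.token_bytes(32)


def issue_xsrf_token(session_id):
    """Return a fresh token for this session: a random nonce plus an HMAC that binds the
    nonce to the session id, so a token captured in one session is useless in another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_xsrf_token(session_id, token):
    """Recompute the HMAC for the presented nonce and compare it in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def render_transfer_form(session_id):
    """Serve the slides' form with the token embedded as the hidden xsrfSecretToken field."""
    token = issue_xsrf_token(session_id)
    html = (
        '<form action="fundTransfer.do" method="POST">'
        f'<input type="hidden" name="xsrfSecretToken" value="{token}"/>'
        '<input type="text" name="amount"/>'
        '<input type="submit" value="Send">'
        '</form>'
    )
    return token, html


def handle_fund_transfer(session_id, form, headers=None):
    """Handler for fundTransfer.do. The token may arrive as the hidden form field or, for
    AJAX requests that post JSON instead of a form, in the X-XSRF-Token request header
    (the header name is this example's assumption)."""
    headers = headers or {}
    token = form.get("xsrfSecretToken") or headers.get("X-XSRF-Token")
    if not verify_xsrf_token(session_id, token):
        return 403, "XSRF token missing or invalid"
    return 200, f"transferred {form['amount']}"


if __name__ == "__main__":
    token, html = render_transfer_form("sess-A")
    # Forged request from another site: no token -> 403
    print(handle_fund_transfer("sess-A", {"amount": "100"}))
    # The genuine form submitted by the user -> 200
    print(handle_fund_transfer("sess-A", {"amount": "100", "xsrfSecretToken": token}))
    # Same token replayed against a different session -> 403
    print(handle_fund_transfer("sess-B", {"amount": "100", "xsrfSecretToken": token}))
```

Because the token is an HMAC over the session id, the server does not need to store the tokens it issued; it only needs the session id the request is authenticated under. Keeping the check on every state-changing endpoint, including the ones only reached through XMLHttpRequest, is what makes the scheme hold for an AJAX application.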
Instant Media --- An E-commerce Web Application
• An online marketplace e-commerce web application.
• Provides services to sell or buy soft copies online or
offline.
• Supports messages, comments and reviews.
• Handles critical operations such as buying and payment
functionality.
• Used to showcase the application as vulnerable to CSRF and
SQLIA threats.
Modules
• User signup and login process.
• Publish soft copy items.
• Purchase soft copies and payment transaction
processing.
• Payment activity listing and search functionality.
• Messaging
• Account details maintenance
Conclusion
• Vulnerabilities can result in unauthorized access through injected
malicious scripts and queries.
• Most web security attacks target critical e-commerce web sites.
• Manual or automated inspection is required to validate the
input submitted by end users.
• The suggested solution can prevent a large share of CSRF and
SQLIA threats.
• It adds little computational overhead (a token check per request and an
encode/decode per protected field), is platform independent, and scales
to any web application.
• Web-site server attacks such as site crawling and enumeration of
hidden URLs still need to be addressed.
• Developers need to stay alert and keep up to date with the latest web
application development technologies.