Web Server Application Attacks

Brooks Gunn

Professor Nyeanchi

CIS 502

July 10, 2013

Web Server Application Attacks

Many organizations have begun to use web applications instead of client/server or distributed applications. These applications has provided organizations with better network performance, lower cost of ownership, thinner clients, and a way for any user to access the application. We applications significantly reduce the number of software programs that must be installed and maintained in end user workstations (Gregory 2010). Web applications are becoming a primary target for cyber criminals and hackers. They have become major targets because of the enormous amounts of data being shared through these applications and they are so often used to manage valuable information. Some criminals simply just want vandalize and cause harm to operations. There are several different types of web application attacks. Directory traversal, buffer overflows, and SQL injections are three of the more common attacks.

One of the most common attacks on web based applications is directory traversal. This attack’s main purpose is the have an application access a computer file that is not intended to be accessible. It is a form of HTTP exploit in which the hacker will use the software on a Web server to access data in a directory other than the server’s root directory. The hacker could possibly execute commands on the server which will lead to a full compromise of the system. The vulnerability can exist either in the web server software itself or in the web application code. In order to perform a directory traversal attack, all an attacker needs is a web browser and some knowledge on where to find any default files and directories on the system. There are some ways to mitigate the risks of traversal attacks. The developer must make sure that the latest version of their web server software is installed and sure that all patches have been applied to the server. Sensitive configuration files should never be stored inside the web root and all user input should be validated.

Buffer overflows are another way for hackers to attack a web application. A buffer overflow attack is an attempt to cause a malfunction of an application by sending more data to a program than it was designed to handle properly, causing the program to malfunction or abort (Gregory, 2010). The goal of a buffer flow attack is the change the function of a privileged program so that the hacker can ultimately control the program. These attacks are commonly used because they are easy to exploit, but also easy to prevent. Using a safe language, input validation, and implementing an application firewall that will recognize the patterns used in buffer overflows to prevent these attacks are great ways to prevent these attacks. Software patches released by vendors and programs that block known attacks are a common ways to fix the vulnerability of buffer overflows. These patches and programs are very effective at preventing known buffer overflow attacks for specific vulnerabilities, but doesn’t provide protection against unknown attacks for which a patch or program update has not been released. Users must always check for new patches and updates for programs that are released for their system. Numerous methods of defense against buffer overflow attacks have been proposed, but none of them can completely prevent or detect all kinds of buffer overflow attacks. Most of these defenses concentrate on a particular kind of buffer overflow attack.

SQL Injection is a type of web application security vulnerability in which an attacker is able to submit a database SQL command which is executed by a web application, exposing the back-end database. This is one the most prevalent types of web application security vulnerability. Attackers can create, read, and modify, or delete sensitive data by exploiting SQL injection vulnerability. Most SQL injections can be prevented by adopting an input validation technique. The users should be authenticated against a set of defined rules for length, type, and syntax. Least privileges should be given to all users with permission to access the database and the database should be used for a specific application.

Denial of Service attacks is another way to attack Web servers. An attack that disables a service or makes it unreachable to its users is a Denial of Service (DOS) attack (Gregory, 2010). Attackers can carry out this type of attack in two ways. First, by sending a very high volume of messages to a service can cause malfunctions of an operating system. Second, attackers can send specially crafted messages that can cause the application or service to malfunction. Organizations should be sure to implement a strong network infrastructure because this is the first line of defense between the Internet and the web server. The frequency, sophistication, and variety of attacks perpetrated today lend support to the idea that Web security must be implemented through layered and diverse protection mechanisms known as defense-in-depth (Mies, Jansen, Scarfone, Winograd, 2007). There are a few critical tools and techniques that an infrastructure can use to protect against DOS attacks. Firewalls and routers are tools that control the flow of network traffic between networks. The firewall must have the latest patches to ensure protection of the Web server. These devices can be placed at a network boundary and block all unwanted traffic. Demilitarized zone is a technique that prevents outside users from gaining access to an organization’s internal network. This technique makes it harder for attackers to locate a Web Server on an internal network which makes it better protected. It also helps with the control of traffic to and from the Web server. Many organizations use outsourcing for their Web hosting service. This technique allows the Web server to be placed on the third party’s network, so if the Web server is compromised by a DOS attack, it would not have an effect on the organization’s production network.

DOS attack motives are difficult to establish and the damage it inflicts really does not benefit anyone (Spacey, 2011). There are five commonly known motives for DOS attacks. They are revenge, competition, politics, war, or cloaking criminal activity. Revenge is considered the most common reason for DOS attacks. This is carried out by current and ex-employees, angry customers, or anyone that has a dispute with the company. DOS attacks can also damage the reputation which can cause a decrease in sales. Criminals that want to silences political opposition is another motive for DOS attacks. They can be used as a distraction to hide other illegal activities.

There are different ways a criminal can carry out a DOS attack. It is possible to execute many of DOS attacks manually, but specialized attack tools have been developed for the purpose of executing attacks more easily and efficiently. DOS tools have made it easier for attacks to be carried out and more dangerous for targets. One of the tools used by attackers is called hping. This is a basic command line utility similar to the ping utility, but it has more functionality than the sending of a simple ICMP echo request that is the traditional ping. Hping can be used to send large volumes of TCP traffic at a target while spoofing the source IP address. This makes it appear random or originating from a specific user-defined source. A botnet is another technique used to attack. A botnet is a collection of computers under a centralized control that run autonomously and automatically. This technique allows attackers to launch an attack from multiple computers. Attackers use this technique because it amplifies the potential of an attack to cause a denial-of-service. The average botnet size is around 20,000 computers. These computers are called zombies because they are infected with malware and are controlled by an attacker.

Web server application attacks are fairly easy to carry out and it is becoming harder to mitigate these attacks. Tools have been created so that a people that are not highly skilled can perform more complex attacks. It is hard because these attacks are in the form of legitimate transactions and is not considered as something that would cause harm to the online services or an organization’s network infrastructure. Transaction like requesting a Web page can cause the malfunction of a web server if it’s coming from thousands of computers at the same time. This makes it difficult to identify and block a single attack source.

In the future, federal government agencies should implement DOS attack mitigation systems. These systems provide perimeter security for the entire network infrastructure. These mitigation systems should be able to mitigate both known and unknown attacks, have the ability to analyze user activity and detect misbehavior, have the ability to eliminate false positives, and have the ability to mitigated floods with detective hardware. Education and training is the most important step for mitigating these types of attacks. When it comes to security, what you don’t know can and will hurt you. Security professionals should be aware of the organization’s strengths and weaknesses. This can be a valuable indicator for areas to plan for additional training, continuing education, or professional certification.

References Page

Gregory, Peter (2010). CISSP Guide to Security Essentials. Boston, MA: Course Technology

Keromytis, Angelos, Misra, Vishal, Rubenstein, Dan (2003) SOS: An Architecture For Mitigating DDOS Attacks. Retrieved from: http://www.cs.columbia.edu/~angelos/Papers/jsac-sos.pdf

Spacey, John (March, 2011) The 5 Motives for DDOS Attack. Retrieved from: http://simplicable.com/new/the-5-motives-for-DDoS-attack

Tracey, Miles, Jansen, Wayne, Winograd, Theodore (2007). Guidelines on Securing Public Web Servers: Recommendation of the National Institute of Standards and Technology. Retreived from: http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf