Web Server Application Attacks

Christopher Jones
Theories of Security Management
Dr. Alaba Oluyomi

Most web attacks are executed by several different methods to interrupt the functions of web servers. Web applications incorporate several applications to make it work properly. The web administrator must monitor the databases, extended markup languages, and script interpreters to stay ahead of hackers. All website that are running on a web server are prone to compromise, even though they are coded. Attackers take advantage of vulnerabilities of the web server. Attacker takes advantage of vulnerabilities within the implementation of TCP/IP protocol suites. With the slow reactions to correct these deficiencies, attackers are shifting to the application layers and mainly the web. This is in part caused by most companies open their firewall systems to web traffic. Most of the attacks are broad, and comes in many versions that fall into similar categories. Companies are making their web servers more secure, so attacks are moving to the vulnerability of web application flaws. Below are types of attacks on a web server 1
Web application vulnerabilities can be categorized as follows; Web server vulnerabilities, Manipulation of URLs, Exploitation of weaknesses in session identifiers and authentication systems, HTML code Injection and Cross-Site Scripting, and SQL Injection. SQL injection is a technique often used to attack data driven applications. This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database. SQL injection is a code injection technique that exploits security vulnerability in an application's software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL commands are thus injected from an application form into the database of an application to change the database content or dump the database information like credit card or passwords to the attacker. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
In operational environments, it has been noted that applications experience an average of 71 attempts an hour. SQL injection attack is considered one of the top 10 web application vulnerabilities of 2007 and 2010 by the Open Web Application Security Project. The attacking vector contains five main sub-classes depending on the technical aspects of the attack's deployment: A complete overview of the SQL Injection classification is presented in the next figure. The Storm Worm is one representation of Compounded SQLIA. This classification represents the state of SQLIA, respecting its evolution until 2010—further refinement is underway. This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into an SQL statement. These results in the potential manipulation of the statements performed on the database by the end-user of the application. Cross-site scripting is a type of computer security vulnerability typically found in Web applications. Due to breaches of browser security, XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007. Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner. Security on the web is based on a variety of mechanisms, but much of it is based on an underlying concept of trust known as the same origin policy. This basically states that if you believe that content from https://mybank.example is granted permission to access resources on your system, and then any content from that site will share these permissions, while content from https://othersite.example will have to be granted permissions separately.
Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug-in systems they rely on. Exploiting one of these, they fold malicious content into the content being delivered from the compromised site. When the resulting combined content arrives at the client-side web browser, it has all been delivered from the trusted source, and thus operates under the permissions granted to that system. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection.
The expression "cross-site scripting" originally referred to the act of loading the attacked, third-party web application from an unrelated attack site, in a manner that executes a fragment of JavaScript prepared by the attacker in the security context of the targeted domain.
Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by an attacker to introduce code into a computer program to change the course of execution. The results of a code injection attack can be disastrous. For instance, code injection is used by some computer worms to propagate. A web server has a guestbook script, which accepts small messages from users, and typically receives messages such as however a malicious person may know of code injection vulnerability in the guestbook, and enters a message such as
If another user views the page then the injected code will be executed. This code can allow the attacker to impersonate another user. However this same software bug can be accidentally triggered by an unassuming user which will cause the website to display bad HTML code.
Most of these problems are related to erroneous assumptions of what input data is possible, or the effects of special data. Classic examples of dangerous assumptions a software developer might make about the input to a program include: Certain types of code injection are errors in interpretation, giving special meaning to mere user input. Similar interpretation errors exist outside the world of computer science such as the comedy routine Who's on First?. In the routine, there is a failure to distinguish proper names from regular words. Likewise, in some types of code injection, there is a failure to distinguish user input from system commands. Use of code injection is typically viewed as a malevolent action, and it often is. Code injection techniques are popular in system hacking or cracking to gain information, Privilege escalation or unauthorized access to a system. To protect the web server from SQL Injection, Cross-site Scripting, and code injection you must hardened the web server. The applications must be quality tested and proven to be secure; you can then add additional layers of protection to improve the security posture. “One approach using open-source software would be to use the mod security Apache module with a modified Snort rule set on the Web server itself, CHROOT Apache, provide file integrity monitoring of the Web server files using AIDE, and then add Snort as either a HIDS or NIDS”2 . Along with the protections that are put in place, you must update the rule sets and actively read the logs to detect abnormal activities on the server.
Describe an architectural design to protect Web servers from a commonly known Denial of Service (DOS) attack? The architectural design to protect web server is to install a secure layer that interface between the embedded web server and the embedded client. Install a location guard which is used between the client and the embedded web server. It is used to hide the location of the server. Then you have a routing guard that checks whether the request file is available in any file server.
a. Examine the motivations of this type of attack? The attack happened because the DOJ was closing down a download site megaupload.com. In response to the closing a Denial of service attack was launched.
b. Identify the tools and techniques that you would have used in this attack and why? The tools used in this attack were flooding the server with access request. This was done to deny the DOJ service to the department for two hours
c. Determine if Web server application attacks are as easy to carry out as they seem? No, because the servers are setup with several layers of security. You have to have a working knowledge of the servers the DOJ have to access them. You also need to know the security software the DOJ is using to get around them 4. Suggest the best mitigation or defense mechanisms against Web server application attacks on federal government Websites in the future? Have a team to monitor you server and update security rules and software. Also monitor the logs to find any wrong activity
REF
Microsoft; Web Application Security Fundamentals; J.D. Meier et al.; June 2003

Symantec; Five Common Web Application Vulnerabilities; Sumit Siddharth and Pratiksha Doshi; April 2006 2

European Journal of Scientific Research ISSN 1450-216X Vol.61 No.2 (2011), pp. 194-202
© EuroJournals Publishing, Inc. 2011

http://en.kioskea.net/contents/attaques/attaques-web.php3 1