Information and data transmission system security holds a place of ever-growing importance in today’s world. The expansion of the Web has provided businesses with an ideal platform for introducing and promoting their products and services.
The Web is accessible to all, being both easy to use and widespread. It frequently supplies the responsiveness necessary in today’s business environment. The emergence of portal sites, which bring together professionals in a given sector or industry, provides an essential tool for decision- making and communication among partners.
But to the extent that companies conduct their strategic activities (communication, promotion, commercialization, organization) on the Internet, they expose their actions, and the risks of being hacked become significant. The range of possibilities open to hackers is expanding to the point that certain business fundamentals, in particular confidentiality and integrity, are being challenged.
Let us now review the reasons why such security problems have arisen, the stakes involved, and some examples of possible security flaws.
1.1 Why Are There Web Security Flaws?
Web security flaws may be caused by server configuration problems, poor design, and/or poor programming of web site scripts.
The Web as we know it today is quite recent. The probability of programming errors has expanded with the profusion of programming languages and with the growing functional demands for commercial websites that are rich in content and constantly seeking to add variety and new services. Moreover, the pace of new development in this medium shows no signs of slowing. Companies must be quick to recruit information specialists, often with the result that they hire personnel who have little experience, and even less knowledge, of security problems.
In fact, few professionals today have both development competence and security expertise.
A host of factors accounts for the frequency with which security flaws are encountered.
1.2 The Stakes and the Risks
Many different types of flaws may be found on a website, and they are equally diverse in terms of the dangers that they represent. But all of them merit attention, because each can contribute to major problems.
Let us now turn to a review of the various types of security flaws, ranging from the least to the most severe:
Flaws that reveal information
Such flaws constitute the least of the problems that one might encounter, but their consequences can become extremely serious. An error of this type returns more information to the hacker than is appropriate. The hacker then uses that information as a basis to discover other, potentially more severe, problems.
Flaws of this type include directory displays (within an error returned on a page, for example), and errors returned by a script (which help the hacker to understand how the targeted script functions).
This category also includes certain Web server configuration errors, such as access to certain site directory listings (which reveal a great deal of information and which also allow sensitive files to be downloaded directly).
Flaws in Site Functionality
These flaws, which are by nature very serious, place web site functionality at risk. A hacker exploiting them can direct an application to his or her advantage. The seriousness of such flaws depends basically on the nature of the site. The risk to a simple Internet storefront may not be great, and frequently is limited to website defacement. But a very rich application may suffer more severe and varied consequences, such as access to the business’s customer files, espionage by competitors and prospective clients, and taking of unfair competitive advantage.
Many types of security problems can give rise to this type of risk. These include insertion of JavaScript, PHP or VBScript code into the website (thus allowing actions unintended by the site designers to be executed against other clients of the site), problems related to authentication (affecting the privacy of site users, with all of the legal ramifications that one can imagine) and retrieval of theoretically inaccessible information (as a result, for example, of SQL injection).
Flaws that Place the Website Host Server at Risk
These flaws can have the most profound consequences. In effect, a hacker who succeeds in taking control of a server that hosts a site has an unlimited field of action, being able to modify the site, access any confidential information desired, and use the server as a base for other illegal actions. Flaws that grant access to all of the server files (or to many of them) or which allow commands to be executed on the server can lead rapidly to such consequences.
1.3 Potential Application Flaws
The nature of flaws that can be hidden in a web application depends basically on the languages, development techniques and external programs employed on the site. Web applications can quickly become very complex and very diverse, both in terms of functionality and the components deployed. It would be a long, tedious, and ultimately impossible task to attempt to list all of the potential flaws associated with each of the languages and components in use today.
In order to represent current reality as close as possible, we will focus on analyzing the vulnerability of websites that are based on an archiin common use today. The analysis and proposed measures presented in the remainder of this paper assume these basic and primary characteristics.
1.3.1 Error Searching and Configuration Flaws
Problems with Website Configuration and Structure
Web server configuration problems frequently give rise to other vulnerabilities. An essential first step for a minimal first level of security, then, is to define an optimal configuration that limits the possibilities for external manipulation.
Classic configuration and structural problems include allowing certain directory listings to be obtained (and, therefore, certain files to be downloaded) and allowing archives and documentation to be accessed directly on the site.
Certain flaws can allow even more extensive access, to the point that files on the site can be created and deleted.
Poor Authentication Strategy
Problems can arise from a poorly designed authentication system that allows, for example, both unregistered and registered persons to be authenticated. This is the most common kind of problem, due to the fact that client passwords can be guessed and because applications may have default passwords. In some cases, cookie manipulation can also produce results of this nature.
A similar, but greater, danger lies in the possibility that, once authenticated, a legitimate but malicious client may be able to make the server believe that it is a different legitimate client, and thereby gain access to information relating to other registered accounts.
1.3.2 Strategies for Attacking Applications
Code Insertion
Code insertion is a major strategy for attacking websites today. The principle is to insert external source code into a database or into other files on the targeted site. In this way, the hacker is able to reprogram a part of the website and cause clients of the site, or of the host server, to experience actions unintended in the original site design. The consequences of this type of flaw vary a great deal, depending basically on the type of programming language inserted into the site. Within the framework of the reference web server that we have defined, three types of insertion are possible:
- Insertion of JavaScript Code JavaScript is a language interpreted by the browser of the client accessing an application. This language provides few opportunities to hackers, but it does allow access to certain types of sensitive information, such as the client’s authentication ID’s, which could permit a hacker to access an application by appearing to be the client.
- Insertion of PHP Code PHP is a language interpreted by the server hosting the application. Given that PHP language presents nearly infinite possibilities, an insertion of this type irremediably compromises the server and, thus, the application.
- Insertion of XML Code XML code is used to format certain types of data. An XML insertion allows the data display seized by the hacker to be hijacked, and can also lead to numerous other illicit activities.
To exploit this kind of flaw, the hacker modifies the arguments of certain PHP-specific functions, forcing the script to invoke actions that were not intended by the programmer.
The functions affected by this problem are mainly those related to file opening and inclusion, which can be hijacked to give the hacker access to files present on the server hosting the application (files containing script sources, configuration files, logs, password files, etc.).
Moreover, the include function authorizes inclusion of PHP code in a script. It also permits remote inclusion, meaning the ability to call, via the Web, web functions that are coded and located elsewhere. This makes it possible to execute external PHP code on the server, which seriously compromises the server’s security.
SQL Insertion
SQL is a language that allows databases to be queried by external elements. When a website script performs an SQL query, arguments supplied by the user are inserted. The user can try to modify these arguments, reprogramming the SQL query to access data that theoretically is prohibited.
With the widespread use of databases, and above all the ease of designing and integrating them using languages such as PHP and MySQL, this technique has become increasingly widespread and is at the heart of site hacking.
Email Relay
Enabling a web server to direct email is a technique that can be used for malicious purposes. If the user is able to designate the destination address, as is the case with many web applications, he or she can use this functionality to spam (send anonymous promotional email) or to unleash a Denial of Service (DoS) attack, which operates by overloading the mailbox. The hacker can also use this technique to gain the confidence of other users (by passing as the site administrator, for example).
2 Solutions for Increased Security
Having examined the various security problems that can or do affect applications, let us now consider the techniques and essential precautionary measures that must be taken to guarantee users an optimal level of privacy. This is a holistic response aimed at protecting the interests of the business in several respects:
- Availability of systems and applications
- Protection of critical data and client information
- Confidentiality of application source code
An authentication system, even a very elaborate one, will not provide much protection to user data if it is possible to access the entire base of user accounts because of a structural flaw in the way that the application and the database work together.
Even the slightest details are important. A security problem, even a slight one, can give rise to other flaws that are very serious. It is therefore essential to assure a sufficient level of security across all of the layers and components of the web application.
2.1.1 Web Server Security
Before all else, web server security begins with an examination of the configuration file. The server configuration file allows user rights to be delimited and the manner in which they function to be defined. It is necessary to find the optimal configuration that allows the application to function without compromising rights or supplementary services Add-on modules (which provide functionality that is supplementary to the server) may have their own configuration files that also need to be optimized.
Let us now consider several points that are essential for our reference architecture:
- php.ini Configuration File
Configuration of the PHP module is carried out using this file. The main configuration items to be taken into account are:- expose_php = Off
The PHP banner will not display in the server banner. - display_errors = Off
PHP error messages are not displayed. The least possible information is revealed to the user. - error_log = /var/log/php
This is the PHP error log file. It allows for improved script monitoring. - register_globals = Off
This prevents the direct insertion of URL arguments as variables. This necessary element may require the developer to modify the way that arguments are received by scripts.
- expose_php = Off
- httpd.conf Configuration File
An alternative way to correct this problem, and which affects the server configuration, involves suppressing the Indexes option in the directory configuration options.
Replace:
<
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
<
with:
<
Options none
Allow Override None
Order allow,deny
Allow from all
<
Another basic precaution is to ensure that the user is unable to download files to which he or she theoretically does not have access (such as site archives, login/password files, and installation scripts). A common flaw, frequently observed in application audits, allows installation scripts to be downloaded, thereby revealing the database login and password. It is essential on a production server to remove sensitive files from the website tree structure.
2.1.2 Robust Authentication
The Web essentially is an open-access medium, which is what makes it so attractive. But this represents a danger for sites seeking strict confidentiality of user data. Authentication therefore is an essential element of any web application.
There are numerous authentication systems, some more robust than others. Some employ simple concepts, while other, more complex, approaches, may rely on external hardware components, as is the case with token-based solutions.
We will now describe a software authentication mechanism based on a double-cookie approach. This is an advanced application authentication system that, as we shall see, nevertheless contains certain security flaws.
The authentication system relies on a session cookie for each authenticated user and a second cookie that is refreshed with each new request, and which we shall call the state cookie. The objective of this system is to keep a hacker who tries to steal or view the session cookie from accessing a user’s account. Unfortunately, this approach is riddled with all manner of weaknesses.
First of all, in the case of cookie theft, the two cookies generally are stolen at the same time, so that the hacker gains access to the user account as long as the true user does not make a new request. When the user does make such a request, the session in progress is shut down automatically, and both the user and the hacker are disconnected. But this tactic does give the hacker a few moments to retrieve the information he or she wants. The only way to keep this from happening is to associate the user’s IP address with the session. By rejecting all calls from other IP addresses, it is possible to prevent third-party intervention attempts and also to preserve the sessions of legitimate users.
Another flaw sometimes observed in this authentication system arises from the predictability of the static session cookie. Depending on how it is implemented, this system can present major problems if the cookie is not generated in a truly random way.
2.1.3 Script Security
Generally, website script security is based on meticulous verification of arguments that are input by the user. Potential vulnerabilities often involve modification of script arguments so that they execute actions not intended by the programmer. Arguments must, therefore, be verified one by one and execution prevented if an argument appears to have been modified.
One of the best approaches is to build a library. This library should offer verification functions for the different kinds of vulnerabilities that exist. The programmer may invoke these functions as needed for each argument of each script. Such libraries exist and are available on the Internet. They are very easy to build and understand.
Let us look now at the functionality that such a library should support:
2.1.3.1 Cross-Site Scripting
The verification procedures associated with cross-site scripting should be made on every argument that, immediately or ultimately, may be included in a web page. Such arguments include information or data provided by the user, session information such as the login, and information returned on the web page following an error. Certain less-obvious arguments, such as the Header Referrer and session cookies, likewise may contain errors.
This type of verification ought to be performed frequently. Safe tags are database identifiers passed in arguments and, more generally, arguments intended to be compared with stored data.
The purpose of these verifications is to prevent the insertion of JavaScript or VBScript on the server. If you should decide to authorize HTML insertion on the site, you should also filter the functions that are able to execute that code. Otherwise, you should suppress all HTML tag insertions.
JavaScript execution:
JavaScript events contained in HTML tags:
onLoad, onMouseOver
String insertion to the site structure:
2.1.3.2 File Manipulation
These verification procedures are necessary for all arguments that can be passed using a file manipulation function such as the open and include functions in PHP. Because the associated risks are enormous, it may be wise to create, for example, a function that allows a file manipulation attempt to be isolated. This could incorporate into the argument the directory from which the file must be opened. Any attempt to open the file outside of that directory could thus be prevented.
It is likewise necessary to confirm that operations are carried out in a specific part of the system, as established by the programmer, and thereby prevent modification of other directories or websites.
In the case of files and/or directories:
Path modification: ; .. or ..
Root access: ; / at the start of the string
Prevent unintended directory access
Prevent calls over the Web: http://
2.1.3.3 SQL Insertion
These verification procedures must be carried out for all parameters that might be used to frame a database query. One solution is to escape out all special characters and ensure that query arguments appear within quotation marks. This solution prevents the SQL command interpreter from interpreting special characters as SQL elements.
These are the special characters to be monitored:
' " , ; ( )
Key SQL characters:
FROM LIKE WHERE
2.1.3.4 XML Insertion
Within some application frameworks, the user is able to add XML tags into XML files generated by the application. A filter for user-inserted data is therefore useful to prevent any insertion of XML tags.
2.1.4 Secure Data Recovery
Data is stored in databases in accordance with an entity-relationship diagram which outlines the rights and memberships of the various entities. Each request should be able to certify that the user making the request is authorized to access data. SQL language is designed to perform this sort of verification through set comparison. Recovered data should not rely solely on identifiers passed in script arguments, but should also verify whether the user in fact has the right to access the entities to which the identifiers correspond.
2.2 Linking Security with Development
"An information system’s security is as good as the security of the weakest link in the system." This statement implies that an information security policy involves global management of all of the elements comprising the system. It is important to ensure the security of every aspect of the site in order to be able to claim optimal security.
The first line of defense for a web application is established in the development phase. This means that the programmer should consider any data input by users to be potentially dangerous, and should analyze each kind of input and filter for it accordingly. This also means that the programmer should be familiar with the circumvention techniques used by hackers in order to guard against them.
Today, web applications still represent a young technology, in full sway but whose potential is still far from fully exploited. It is difficult to bring together the necessary development and security expertise, and many of the applications, scripts and libraries that have been written and are being written neglect certain indispensable elements of verification and security.
Intelliwall is a web firewall designed to detect and intercept application attacks using a learning-based artificial intelligence engine: the neural network. Intelliwall distinguishes between normal and malicious traffic. Located upstream from web servers, it constitutes an effective external defense against all attempts to manipulate web applications to perform tasks other than those for which they were written. It addresses the security flaws inherent in all web application development and alerts the developer to code vulnerabilities.
3 About Bee Ware
Bee Ware SAS is a software publishing company in France with a capitalization of 37,000 Euros. Founded by Nicolas DIRAND and Christophe GUYARD, BeeWare’s technical and commercial teams offer information security solutions for the protection of Web sites (Internet, intranet and extranet) from application attacks.
Based in France at Aix-en-Provence and Paris, and in Belgium at Bruxelles, Bee Ware serves the European market with the support of a network of partners.
jai mAta di
No comments:
Post a Comment
thanks