INTERNATIONAL JOURNAL FOR TRENDS IN ENGINEERING & TECHNOLOGY
VOLUME 3 ISSUE 1 –JANUARY 2015 - ISSN: 2349 - 9303
Routine Detection Of Web Application Defence Flaws
Vidhya.V (1), Arunai Engineering College, CSE, vidhyaa.av@gmail.com
Logash Prabu.M (2), Tagore Institute Of Engineering and Technology, CSE, logashprabu@gmail.com
Kalvina.L.R (3), Arunai Engineering College, Department kalvinacse@gmail.com
Abstract— Detecting security vulnerabilities in ASP.NET websites and web applications is a complex process: most of the code is written by somebody else, and there is no documentation to determine the purpose of the source code. The characteristics of source code defects generate major web application vulnerabilities. The typical software faults behind web application vulnerabilities are considered across different programming languages, to analyze their ability to prevent security vulnerabilities. ASP.NET, which is part of the .NET framework, separates the HTML code from the programming code into two files: the aspx file and another file for the programming code. It depends on a compiled language (Visual Basic VB, C sharp C#, Java Script). Visual Basic and C# are the most common languages used with ASP.NET files, and these two compiled languages, in addition to aspx files, are the basis of our proposed algorithm. A hacker can inject malicious input or script that can destroy the database or steal website files. The fault detection process is carried out with a scanning tool. The scanning process inspects three types of files (aspx, VB and C#), and then the software faults are identified. In the fault recovery process, the prepared replacement statement technique is used to detect the vulnerabilities and recover from them with high efficiency; it provides suggestions, and then a report is generated that will help to improve the overall security of the system.

Index Terms— SQL Injection; XSS Cross Site Scripting; Prepared Replacement Statement algorithm; Symbolic implementation algorithm.

1 INTRODUCTION
Organizations are increasingly becoming dependent on the Internet for sharing and accessing information. The Internet has changed the focus of application development from stand-alone applications to distributed web applications. Web applications are programs that can be executed either on a web server or in a web browser. They make it possible to share and access information over the Internet and intranets. Web applications can support online commercial transactions, popularly known as e-commerce. Security vulnerabilities in web applications may result in theft of confidential data, breaking of data integrity, or loss of web application availability. The task of securing web applications is one of the most according to Acunetix survey 60% of found vulnerabilities affect web applications. The most common way of securing web applications is searching for and eliminating vulnerabilities. The most efficient way of finding security vulnerabilities in web applications is manual code review. The security community actively develops automated approaches to finding security vulnerabilities. These approaches can be divided into two wide categories: black-box and white-box testing.

The first approach is based on analysis of the web application from the user side, assuming that the source code of the application is not available. The idea is to submit various malicious patterns (implementing, for example, SQL injection or cross-site scripting attacks) into web application forms and to analyze the output. If any application errors are observed, a possible vulnerability is assumed. This approach guarantees neither accuracy nor completeness of the obtained results. The second approach is based on analysis of the web application from the server side, with the assumption that the source code of the application is available.

Among the Open Web Application Security vulnerabilities, Structured Query Language injection (SQLi) and client-side scripting (XSS) are critical web application security risks. SQL injection attacks take advantage of unrestricted input fields in the web application interface to maliciously alter the SQL query that is sent to the back-end database. In an XSS vulnerability, the attacker tries to inject unintended client-side script code, typically in a markup language and JavaScript, into web content.

SQLi and XSS enable attackers to access unauthorized information (read, insert, modify, or delete), gain access to privileged database accounts, masquerade as other users (such as the administrator), mimic web applications, deface web content, view and manage remote files on the server, and inject and execute server-side programs that permit the creation of botnets controlled by the attacker.

Attacks can be found that inject SQL code through variables that supposedly should not be strings (e.g., numbers, dates), because the type of the variable is determined by the assigned value. In strongly typed languages this is impossible, because the type of a variable is decided before runtime, and an attempt to store a string in a variable of another type raises an error. This does not stop vulnerabilities from occurring in strongly typed languages, but confines them to string variables. Strongly typed programming languages have fewer security issues; Java is intrinsically a protected programming language and is strongly typed, yet vulnerabilities are found in Java programs owing to implementation faults. Input injection attacks may serve a number of ends. They are chosen by malicious users as a way to obtain restricted data from a back-end database or to insert malicious code onto a web server that will in turn serve malware to unsuspecting clients. These clients may find their credentials or private information exfiltrated as a result.
When a developer writes code for a web application, he has a specific intent regarding what type of data is to be collected, processed and stored. Web application injection attacks occur when a malicious client submits data that was unanticipated by the programmer. The programmer probably performed some degree of verification of submitted data to ensure it contains only the anticipated data type. Issues frequently arise in the logic applied to cleansing the input. As an example, consider confirming that an input field which is supposed to contain a valid phone number actually does, rather than some malicious code. The verification algorithm could make use of the following checks:
• Is the input of a certain length (say 7-12 characters)?
• Does the input contain only numbers, parentheses and dashes?
• Does the area code map to a legitimate area code?

SQL injection exploits weaknesses present in a web app's back-end database. This class of exploits is made possible when user input is not cleansed of escape characters and the web application submits code amounting to a database command to the database server. Cross-site scripting occurs when web pages are generated dynamically and display input that has not been validated properly.
2 RELATED WORK
In general, there is extensive literature describing the vulnerabilities in web applications. This section reviews some related work in order to explore the strengths and weaknesses of existing methods.

Lwin Khin Shar, Lionel C. Briand and Hee Beng Kuan Tan [1] mainly focus on SQLI, XSS, RCE, and FI vulnerabilities. They use a set of hybrid (static and dynamic) code attributes that characterize input validation and cleansing code patterns and are expected to be considerable indicators of web application vulnerabilities. Based on this hypothesis, they built vulnerability predictors that are fine grained, accurate, and scalable.

Nuno Antunes and Marco Vieira [2] argue that web applications need a defense-in-depth approach to avoid and mitigate security vulnerabilities. This approach assumes that every security precaution can fail, so security depends on having several layers of mechanisms that cover the failures of each other. A less expensive option is code review, a simplified version of inspections that is useful for analyzing less critical code.

Sreenivasa Rao B and Kumar N [3] mainly focus on analyzing the design of web application security evaluation mechanisms in order to identify poor coding practices. A vulnerability evaluation (VE) is the process of recognizing, quantifying, and prioritizing the vulnerabilities (security holes) in a system. The extraction step and a number of heuristics are used for making regression models.

Bojan Jovicic and Dejan Simic [4] focus on attacks against web applications, carried out either to gain direct benefit by gathering non-public data or to disable the target sites. ASP.NET provides two mechanisms for exception handling. One of them is the possibility to define a custom page to display errors; this page replaces the default ASP.NET error page. The other mechanism is centralized application handling of all unhandled exceptions, by implementing the application's on-error method in order to examine each unhandled exception.

Kevin Spett [5] aims to educate both application developers and end users on the techniques that can be used to exploit a web application with cross-site scripting, to suggest how to eliminate such vulnerabilities from web applications, and to teach end users how to recognize and reduce the risk from a cross-site scripting attack.
3 PROPOSED ALGORITHM
Here we present the detection of security vulnerabilities by a scanning process that covers all website / web application files. The scanning is carried out with a scanning tool, which helps to identify whether the input is valid or invalid. After the scanning process, it generates a report listing all the leaks and the weak and strong vulnerabilities, displaying the name of the infected file together with the location and description. We propose a fault detection process and a new fault recovery process: in the fault detection process the vulnerabilities are detected and the report is generated, and in the recovery process the prepared replacement algorithm (PSR) and the symbolic execution algorithm are used to recover the web applications with high efficiency.

Methodology
• Analysis of web application.
• Classification of software faults.
• Fault detection.
• Fault recovery.

A. Analysis Of Web Application
We are able to examine the source code of current and earlier versions of the web applications under study, together with their security patches, by looking at open source web applications.

B. Classification Of Software Faults
Once the web applications are selected, the reported SQL Injection and CSS patches for the web services are classified. The code defects are derived from this defect classification.

C. Fault Detection
The damage in the web applications is identified and detected by the scanning tool. The scanning tool is used to identify the type of fault. The fault location is identified and a description of the type of fault is given.

D. Fault Recovery
After the detection process, the recovery process takes place: the web applications are recovered by the prepared statement replacement and symbolic execution techniques.
4. SYSTEM DESIGN
Figure 1 demonstrates the framework of our proposed approach.

FIG 1. System Architecture (diagram labels: Web application as input; Scanning tool; valid / Invalid; Attacks: Cross site scripting, Sql Injection, Hijack session, Cookie Poisoning, Iframe; Fault Recovery Process: Prepared statement replacement, Symbolic execution; Report generated)

A. Scanning Tool
A web application security scanner is a program that communicates with a web application through the web front-end in order to identify security vulnerabilities and weaknesses in the web application. Unlike source code scanners, web application scanners do not have access to the source code and spot vulnerabilities by performing attacks. Web applications allow users to have an interactive experience in the web browser. Unlike static web pages, web applications let users create personal accounts, such as a bank account, add content, query databases and complete transactions. In the process of providing an interactive experience, web applications regularly collect, store and use sensitive personal data to deliver their service. Customers benefit from the convenience of these applications, while tacitly taking on the risk that private data stored in web applications will be compromised through hacker attacks, insider leaks, etc. Customer records are compromised because of inadequate security controls on corporate data and web applications.

B. Sql Injection
SQL injection is an attack that can occur when an application uses user input that has not been checked for validity, and the hacker uses this malicious input to extract sensitive information from the database. For example, the user can enter the following malicious input:

    ' OR 1=1 --

This would turn the database query into:

    SELECT au_lname, au_fname FROM authors WHERE au_id = '' OR 1=1 --

Since 1=1 always evaluates to true, this query will always return more than 0 rows. The main cause of a SQL injection vulnerability is the concatenation of strings to build a database command. The "--" is the single-line comment operator supported by numerous relational database servers, including MS SQL Server, IBM DB2, Oracle, PostgreSQL, and MySQL. With this technique, the attacker is able to supply illicit code that is executed by the server, exploiting the weakness. SQL injection is an input validation problem: the application should accept only known, predictable inputs. With proper input validation, the injection attack turns out to be extremely tricky to complete. One check we execute on the generated SQL queries is to validate the absence of tautologies in every WHERE clause. Generally, if a legitimate user requests all tuples (rows) for a query, the query will not have a WHERE clause. In the context of web applications, a tautology in a WHERE clause is a probable sign of an attack, in which the attacker attempts to circumvent restrictions on what web users are allowed to do.

Generating a SQL injection involves the following process:
• Insert invalid data into a web app's SQL database input field.
• Manipulate the input until you can map out the inner workings of the unseen SQL statement.
• Craft an input that will successfully escape the 'data input' context and allow the ability to enter database commands.
• Map the database with SQL queries, either by guessing table names.
• Read/write/delete the data of interest with a SQL query.
The most challenging part of this process is the manipulation
C. Client side scripting
Client side scripting occurs mainly in dynamic web pages that mix browser data (HTML) with code (<script> tag) embedded in the data. The script can be JavaScript, VBScript, ActiveX, HTML, or Flash. The main objective of XSS is to manipulate the client-side scripts of a web application so that they execute in the way desired by the malicious user. There are two main types of client side scripting:
• Stored Client side scripting
• Reflected Client side scripting

Stored Client side scripting
Stored (or persistent) client side scripting occurs when the information provided by the attacker is saved by the server and then displayed permanently on "normal" pages returned to other users. Stored XSS requires a particular kind of vulnerability in the application, where the data is stored somewhere (e.g. a database) and later sent back to users, for instance through a forum or blog. The attacker can send HTML or JavaScript to the application instead of the normal input, to be stored in the database; later, when the victim visits the application's web site, he or she will download the HTML or JavaScript located there. The application here acts as an attack site that works for the hacker.

Reflected Client side scripting
Reflected (or non-persistent) client side scripting can occur when the information provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results that is reflected back to the user without sanitizing the request. For example, suppose we have a user log-in prompt (User-Id, Password) and the user supplies his log-in information. If there is no input validation for the log-in text boxes, the attacker can exploit this vulnerability to inject his malicious XSS input instead of the User-Id. The attacker can craft an email containing a link and asking the user to click on the link to update personal data.

XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, possibly introduce worms, etc. Cross-site scripting (also known as XSS or CSS) allows an attacker to embed malicious JavaScript code into the generated page and execute the script on the machine of any user that views the site. Cross-site scripting could potentially impact any site that allows users to enter data. Malicious input may be transmitted via URL parameters, cookies or database queries. XSS and stored XSS are enabled by insufficient sanitization of user input. The web application presents the browser with untrusted, unvalidated data, causing it to execute scripts and compromise the data.
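The "validating or encoding" step described above depends on where in the page the value is echoed. The following is an added example, not code from the paper: the page template, the function names and the sample keywords are constructed for illustration, and it goes slightly beyond the text by covering three output contexts (attribute, element body, script string).

```python
import html
import json
from html.parser import HTMLParser

# Constructed search page that echoes the keyword in three output contexts.
TEMPLATE = ('<form><input name="q" value="{attr}"></form>\n'
            '<p>Results for: {body}</p>\n'
            '<script>var lastQuery = {js};</script>')

def render_unencoded(keyword):
    """Vulnerable form: the keyword is echoed into all three contexts as-is."""
    return TEMPLATE.format(attr=keyword, body=keyword, js='"' + keyword + '"')

def js_string(value):
    """JSON string literal that cannot close the surrounding <script> element."""
    literal = json.dumps(value)
    for ch in "<>&":
        literal = literal.replace(ch, "\\u%04x" % ord(ch))
    return literal

def render_encoded(keyword):
    """Encode per context: HTML entities for markup, an escaped literal for script."""
    safe = html.escape(keyword, quote=True)
    return TEMPLATE.format(attr=safe, body=safe, js=js_string(keyword))

class _Tags(HTMLParser):
    """Collects the start tags a browser-like parser would see in the page."""
    def __init__(self):
        super().__init__()
        self.start_tags = []

    def handle_starttag(self, tag, attrs):
        self.start_tags.append(tag)

def script_elements(page):
    """Number of <script> elements in the rendered page (the template has one)."""
    parser = _Tags()
    parser.feed(page)
    parser.close()
    return parser.start_tags.count("script")

# Constructed inputs: a normal keyword and two that try to leave their context.
KEYWORDS = [
    "asp.net tutorial",
    '"><script>alert(1)</script>',
    "</script><script>alert(1)</script>",
]

if __name__ == "__main__":
    for kw in KEYWORDS:
        print(repr(kw), script_elements(render_unencoded(kw)),
              script_elements(render_encoded(kw)))
```

A rendered page that contains more `<script>` elements than its template is the signal that echoed input was parsed as markup.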
XSS vulnerabilities are commonly seen on:
• Search engines that echo the search keyword that was entered.
• Error messages that echo the string that contained the error.
• Forms that are filled out where values are later presented to the user.
• Web message boards that allow users to post their own messages.

An attacker who uses cross-site scripting successfully might compromise confidential information, manipulate or steal information, generate requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems.

C. Fault Detection
The proposed algorithm performs a scanning procedure over all website / application files. Our scanner tool relies on studying the source code of the application, that is, the ASP.NET documents and the code files (Visual Basic VB and C sharp C#), to detect the security vulnerabilities and leaks. It identifies whether the vulnerability is of the weak or strong type. The scanner tool tries to detect the vulnerabilities that can help hackers through reflected output or messages, and checks most of the ASP.NET server controls and the commands in the code-behind that interact with the database. The detection process finds the leaking file, the location and the description.

D. Fault Recovery
After the detection process, the tool generates a report listing all the discovered leaks and vulnerabilities, displaying the name of the infected file, the explanation and its position. The proposed algorithm will help the organization to repair the vulnerabilities and improve the overall protection. This report requires a reaction from the organization, which has to take the necessary corrective steps. Two algorithms are used:
• Prepared Statement Replacement algorithm (PSR)
• Symbolic execution

Prepared Statement Replacement Algorithm
The prepared statement replacement (PSR) algorithm, with its corresponding automation, removes SQLIA vulnerabilities from vulnerable SQL statements by replacing them with secure prepared statements. This method analyzes source code containing SQLIVs and generates a specific recommended code structure containing prepared statements. An SQLIV exists when an SQL statement does not keep statement structure and input separate. The PSR algorithm collects information from the application's source code that possibly includes SQLIVs. It then generates secure prepared statement code that maintains functional integrity. Another algorithm, called the Prepared Statement Replacement Generator (PSR-Generator), automates the generation of the prepared statement-based code in Java that results from the PSR algorithm.
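The scan-report-replace flow described above, as an added example that is not the paper's tool or the PSR-Generator: it inspects C# code-behind text for SQL built with `+`, reports file, line and description, and proposes a parameterized command text with ADO.NET-style `@pN` placeholders. The function names, the single-line-statement assumption and the sample sources are constructed for illustration.

```python
import re

STRING_LIT = re.compile(r'"(?:[^"\\]|\\.)*"')   # one regular C# string literal
SQL_VERB = re.compile(r'"\s*(SELECT|INSERT|UPDATE|DELETE)\b', re.IGNORECASE)

def split_concat(src, start):
    """Split the C# expression at src[start:] on '+' outside literals and parentheses."""
    parts, buf, depth, i = [], [], 0, start
    while i < len(src):
        lit = STRING_LIT.match(src, i)
        if lit:                                  # copy a literal whole, never look inside
            buf.append(lit.group())
            i = lit.end()
            continue
        ch = src[i]
        if depth == 0 and ch in ",;)":           # end of the argument or statement
            break
        depth += (ch == "(") - (ch == ")")
        if ch == "+" and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def psr_rewrite(parts):
    """Return (command_text, [(placeholder, operand)]) for the split parts."""
    text, params = "", []
    for part in parts:
        if STRING_LIT.fullmatch(part):
            text += part[1:-1]                   # statement structure stays literal
        else:
            params.append(("@p%d" % len(params), part))
            text += params[-1][0]                # input becomes a bind variable
    # Quotes that wrapped a spliced value are dropped once the value is bound.
    return re.sub(r"'(@p\d+)'", r"\1", text), params

def placeholder_in_literal(text):
    """True if a placeholder is still inside a SQL '...' literal, e.g. LIKE '%@p0%'."""
    return any(re.search(r"@p\d+", lit) for lit in re.findall(r"'[^']*'", text))

def scan(files):
    """One finding per single-line concatenated SQL statement: file, line, description, fix."""
    findings = []
    for name, source in files.items():
        for lineno, line in enumerate(source.splitlines(), 1):
            verb = SQL_VERB.search(line)
            if not verb:
                continue
            parts = split_concat(line, verb.start())
            if all(STRING_LIT.fullmatch(p) for p in parts):
                continue                         # constant text: input cannot alter it
            text, params = psr_rewrite(parts)
            findings.append({
                "file": name, "line": lineno,
                "description": "SQL built by concatenating " + ", ".join(o for _, o in params),
                "command_text": text,
                "bindings": ['cmd.Parameters.AddWithValue("%s", %s);' % p for p in params],
                "manual_review": placeholder_in_literal(text),
            })
    return findings

# Constructed code-behind sources (not taken from the paper).
SAMPLE_FILES = {
    "Default.aspx.cs": r'''
string sql = "SELECT au_lname, au_fname FROM authors WHERE au_id = '" + txtId.Text + "'";
var all = new SqlCommand("SELECT au_id FROM authors", conn);
var upd = new SqlCommand("UPDATE authors SET au_lname = '" + txtName.Text.Trim() + "' WHERE au_id = '" + Request.QueryString["id"] + "'", conn);
''',
    "Search.aspx.cs": r'''
string q = "SELECT title FROM titles WHERE title LIKE '%" + txtWord.Text + "%'";
''',
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(finding)
```

Findings with `manual_review` set need a hand-written fix: the wildcards move into the bound value and the statement becomes `LIKE @p0`.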
The PSR algorithm is useful for developers who have source code containing SQLIVs that need to be removed. The method removes SQLIVs with minimal manual intervention. The PSR algorithm is used only to remove SQLIVs and does not have to be integrated into the runtime environment. Prepared statements are SQL statements that separate statement structure from statement input. Prepared statements have a static structure when they are executed and take type-specific input parameters. When prepared statements are created and the statement structure is explicitly set before runtime, the statement structure cannot be changed by input variables, and the statement is secured from SQLIVs. A prepared SQL statement is "prepared" by declaring the structure of the statement and putting bind variables in the places where input will go at a later time.

Symbolic Execution Algorithm
Symbolic execution algorithms automatically and systematically create tests. These algorithms decrease the input space of automated testing and discover different classes of errors. Symbolic grammars are introduced to create orders of magnitude fewer input strings without sacrificing coverage. In symbolic test generation, the program is executed on symbolic rather than concrete inputs. A constraint solver is then used to generate test inputs that satisfy the symbolic constraints. The resulting test inputs are guaranteed to force the program execution along the path chosen by the symbolic execution.
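The tautology input from the SQL Injection section, run against the concatenated query and against the prepared form described above, as an added example that is not code from the paper. It uses Python's sqlite3 with an in-memory authors table whose rows are constructed; the function names are hypothetical.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the authors table; the rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE authors (au_id TEXT PRIMARY KEY, au_lname TEXT, au_fname TEXT)")
    db.executemany("INSERT INTO authors VALUES (?, ?, ?)", [
        ("A-001", "Iyer", "Kavya"),
        ("A-002", "Nair", "Arun"),
        ("A-003", "Menon", "Sara"),
    ])
    return db

def lookup_concatenated(db, au_id):
    """Vulnerable form: the input becomes part of the statement text."""
    sql = "SELECT au_lname, au_fname FROM authors WHERE au_id = '" + au_id + "'"
    return db.execute(sql).fetchall()

def lookup_prepared(db, au_id):
    """Prepared form: fixed structure, input supplied later through a bind variable."""
    sql = "SELECT au_lname, au_fname FROM authors WHERE au_id = ?"
    return db.execute(sql, (au_id,)).fetchall()

def compare(db, au_id):
    """Run both forms on the same input; a parse failure is reported as 'syntax error'."""
    try:
        concatenated = lookup_concatenated(db, au_id)
    except sqlite3.OperationalError:
        concatenated = "syntax error"
    return {"concatenated": concatenated, "prepared": lookup_prepared(db, au_id)}

if __name__ == "__main__":
    db = make_db()
    # A valid id, the tautology input from the text, and an input with a stray quote.
    for value in ["A-002", "' OR 1=1 --", "A'1"]:
        print(repr(value), compare(db, value))
```

The concatenated form returns every row for the tautology input and fails to parse on a stray quote, while the prepared form treats both inputs as an au_id that matches nothing.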
5. DISCUSSIONS
The web application vulnerability is identified in the website, the malicious input that exploits weak code is discovered, and the vulnerability is detected. The recovery process then takes place using the prepared replacement statement algorithm and the symbolic execution algorithm. This yields the recovered web application with high efficiency, and the generated code is strong and comes with a recommendation.
6. RESULTS
This method is used to find the vulnerabilities in web application and website files and to detect faults such as SQL Injection and client side scripting. The detection process examines the source code line by line and identifies weak and strong type vulnerabilities and the location they affect. Leaks in files are also identified and recovered without any leakage by using the prepared statement replacement technique, which gives a suggestion and a description of the faults and generates a specific recommended code structure with high efficiency.
7. CONCLUSION
The goal is to understand the correlation between the number of vulnerabilities and exploits and the level of the exploit damage. We can summarize the main differences and correlations observed in the vulnerabilities found in the field for weakly and strongly typed web applications. A unified repository that collects both vulnerabilities and exploits in a systematic and standardized fashion is useful to improve the effectiveness of code inspections, as the team will be more focused on a few important code structures that can cause most vulnerabilities. The future work is to detect and recover the vulnerabilities in different programming languages and make the code more secure.
REFERENCES
[1] Lwin Khin Shar, Lionel C. Briand and Hee Beng Kuan Tan, "Web Application Vulnerability Prediction Using Hybrid Program Analysis And Machine Learning". In IEEE Transaction On Dependable and Secure Computing, May 2013, vol. 10, no. 2, pp. 70-83.
[2] Nuno Antunes and Marco Vieira, "Defending Against Web Application Vulnerabilities". IEEE Transaction On Computer Society, February 2012, vol. 8, no. 7.
[3] Kumar N. and Sreenivasa Rao B., "Web Application Vulnerability Assessment And Preventing Techniques". International Journal of Enterprise Computing, April 2012, vol. 2, issue 1.
[4] Bojan Jovicic M. and Dejan Simic P., "Common Web Application Attack Types And Security Using Asp.Net". IEEE Transaction On Computer Society, September 2012, vol. 3, no. 2.
[5] Kevin Spett H., "Web Application Vulnerabilities In Cross Site Scripting". In IEEE Transaction On Dependable and Secure Computing, March 2011, vol. 2, no. 5.
[6] Christmansson J. and Chillarege R., "Generation of an Error Set that Emulates Software Faults". In IEEE Fault Tolerant Computing Symposium, 2013.
[7] Carettoni L. and Zanchetta M., "Automatic Detection of Web Application Security Flaws". In Proc. IEEE Transaction Secure Software Engineering, 2012.
[8] Atefeh Tajpour N. and Maslin Masrom K., "SQL Injection Detection and Prevention Tools Assessment". In IEEE Transaction on Computer Security, May 2010.
[9] Bhandari I.S. and Chaar J.K., "Orthogonal Defect Classification—A Concept for In-Process Measurement". IEEE Transaction on Software Engineering, February 2009, vol. 18, no. 11.
[10] Fonseca J. and Madeira H., "Vulnerability & Attack Injection for Web Applications". In International Conference on Dependable Systems and Networks, 2007.
[11] Giorgini P. and N. Zannone, "Modeling Security Requirements through Ownership, Permission and Delegation". In IEEE International Conference on Requirements Engineering, 2007, pp. 167-176.
[12] Alessandro Orso R. and William G.J., "A Classification of SQL Injection Attacks and Countermeasures". In IEEE Standard on Secure Computing, March 2006.
[13] Kruegel C. and Kirda E., "Precise Alias Analysis for Static Detection of Web Application Vulnerabilities". In IEEE Symposium Security and Privacy, 2006, pp. 27-36.