Author: Ashlyn Bradley
TABLE OF CONTENTS

ABSTRACT
LIST OF TABLES
LIST OF FIGURES
LIST OF SYMBOLS AND ABBREVIATIONS

1 INTRODUCTION
1.1 ENTERPRISE WEB APPLICATION PARADIGM
1.1.1 Web Application Architecture
1.1.2 Web Applications
1.1.3 Web Application Components
1.1.4 Web Functionality
1.1.4.1 Server-side functionality
1.1.4.2 Client-side functionality
1.1.4.3 State and sessions in web applications
1.2 HOLISTIC WEB SECURITY
1.3 WEB APPLICATION SECURITY
1.3.1 Threat Classification Taxonomy
1.4 SQL INJECTION
1.4.1 Redirecting and Reshaping the Query
1.4.1.1 Tautology
1.4.1.2 Union query
1.4.1.3 Piggy-backed query
1.4.2 Error Based Query
1.4.3 Injection through Stored Procedure
1.4.4 Blind SQL Injection
1.5 XPATH INJECTION
1.5.1 XPath Injection Motivation and Consequences
1.6 CROSS-SITE SCRIPTING ATTACK
1.6.1 Persistent XSS Attack
1.6.2 Non-Persistent XSS Attack
1.6.3 DOM based XSS Attack
1.7 SESSION HIJACKING
1.7.2 Session ID Fixation Attack
1.7.3 Browser Hijacking
1.7.4 Background XSS Propagation
1.7.4.1 Propagation via iframe inclusion
1.7.4.2 Propagation via pop-under windows
1.8 WEB SERVICES FOR WEB APPLICATION SECURITY
1.9 ORGANIZATION OF THE THESIS

2 LITERATURE REVIEW
2.1 INTRODUCTION
2.2 VULNERABILITY ANALYSIS AND SCANNER
2.2.1 Limitations of the Vulnerability Scanner
2.3 THREAT MODELLING
2.4 SECURITY PERIMETER
2.5 THREAT CLASSIFICATION
2.6 SQL INJECTION
2.6.1 SQL Injection Prevention-Intrusion Detection System
2.6.2 Static Approach for the SQL Injection Countermeasures
2.6.3 Dynamic Approach for the SQL Injection Countermeasures
2.6.4 Hybrid SQLIA Prevention Approach
2.6.5 Mutation Based Approach to Detect SQL Injection
2.7 XPATH INJECTION
2.8 CROSS-SITE SCRIPTING
2.8.1 Detection of Cross-Site Scripting Attack by the Client Side Approach
2.8.2 Detection of Cross-Site Scripting Attack through Server Side Deployment
2.8.3 Prevention of XSS Attack through Static String Analysis
2.9 SESSION HIJACKING
2.10 LIMITATIONS OF THE EXISTING APPROACHES
2.11 OBJECTIVES

3 SYSTEM ARCHITECTURE
3.1 INTRODUCTION
3.2 WAPS-CIVS ARCHITECTURE
3.2.1 User Data Interceptor
3.2.2 SQL Injection Preventer
3.2.3 XPath Injection Preventer
3.2.4 Cross-Site Scripting Preventer
3.2.5 Session Hijacking Preventer
3.2.6 Error Customizer and Log File Monitor
3.3 WAPS-CIVS WITH WEB SERVICES
3.4 CHAPTER SUMMARY

4 SQL INJECTION PREVENTION SYSTEM
4.1 INTRODUCTION
4.2 SQL INJECTION PREVENTER
4.2.1 Aspect Oriented Programming
4.2.2 Query Interceptor
4.2.3 XML Schema Design
4.2.4 Syntactic Verification Module
4.2.5 XML Query Generation Module
4.2.6 Customized Error Generation Module
4.3 RESULTS AND DISCUSSION
4.4 CHAPTER SUMMARY

5 XPATH INJECTION PREVENTER
5.1 INTRODUCTION
5.2 XPATH INJECTION MOTIVATION AND CONSEQUENCES
5.3 COMMON PREVENTIVE MEASURES FOR XPATH INJECTION
5.4 XPATH INJECTION PREVENTER
5.4.1 XQuery Interception
5.4.2 XQuery Analyzer
5.4.3 XQuery Validation
5.5 RESULTS AND DISCUSSION
5.6 CHAPTER SUMMARY

6 CROSS-SITE SCRIPTING PREVENTER ENGINE
6.1 INTRODUCTION
6.2 CROSS-SITE SCRIPTING PREVENTION ENGINE
6.2.1 Interception Module
6.2.2 Graph Generation
6.2.3 Graph Traversal
6.2.4 Blacklist Character Verification
6.3 RESULTS AND DISCUSSION
6.4 CHAPTER SUMMARY

7 SESSION HIJACKING PREVENTER
7.1 INTRODUCTION
7.2 SESSION HIJACKING PREVENTER ARCHITECTURE
7.3 PREVENTION OF SESSION ID FIXATION ATTACK
7.3.1 Dynamic ID Generation
7.3.2 Dynamic Session ID Mapping
7.4 BROWSER HIJACKING PREVENTION
7.4.1 Extracting Nonce Value
7.4.2 Generating a One-Time URL with the rnonce Value
7.5 BACKGROUND XSS PROPAGATION PREVENTION
7.5.1 Preventing XSS Propagation
7.5.2 Forming Domain Cluster
7.5.3 Sub-domain Switching
7.6 FILE SYSTEM LOG ENTRY
7.7 RESULTS AND DISCUSSION
7.7.1 Session ID Fixation Prevention Results
7.7.2 Browser Hijacking Prevention Results
7.7.3 Background XSS Propagation Prevention Results
7.8 CHAPTER SUMMARY

8 CONCLUSION AND FUTURE ENTANGLEMENT
8.1 SUMMARY
8.2 CONTRIBUTIONS OF THIS RESEARCH
8.3 JUSTIFICATION FOR THIS STUDY
8.4 FUTURE ENHANCEMENTS

REFERENCES
LIST OF PUBLICATIONS
CURRICULUM VITAE

LIST OF TABLES

1.1 Web application threat types and issues
2.1 Comparison of XSS attacks
4.1 SQL keywords / non-SQL keywords classification
4.2 SQL keywords / non-SQL keywords: tautology query
4.3 Comparison of the SQL injection preventer with other methods
4.4 Response time analysis with the SQL injection preventer
5.1 Comparison of the XPath injection preventer of WAPS-CIVS with the other methods
5.2 Response time assessment of the WAPS-CIVS system
6.1 Sample blacklist characters
6.2 Detection of the XSS attack with various kinds of vulnerability
6.3 Comparison of WAPS-CIVS with the other methods
6.4 Overhead response time comparison
7.1 Comparison of the session ID fixation attack preventer with the static analysis method
7.2 Response time comparison for the session ID fixation module
7.3 Comparison of the browser hijacking preventer with the static analysis method
7.4 Response time comparison for the session ID fixation module
7.5 Comparison of the background XSS propagation preventer with the static analysis method
7.6 Response time comparison for the background XSS propagation module

LIST OF FIGURES

1.1 Three-tier web application architecture
1.2 Holistic security approach
1.3 Web application attack model
1.4 Tautology query - SQL injection
1.5 Union query - SQL injection
1.6 Piggy-backed query - SQL injection
1.7 Background XSS propagation
1.8 Web service for the web application security
2.1 Threat classification taxonomy
2.2 Web application vulnerability by attack technique 2004-2012
2.3 Prevention strategies of the SQL injection attacks
3.1 System architecture of WAPS-CIVS
3.2 Overall view of the SQL injection preventer
3.3 XPath injection preventer
3.4 Overall representation of the cross-site scripting preventer system
3.5 Session hijacking preventer
3.6 Error customizer and log file module
4.1 SQL injection preventer system architecture
4.2 Architecture of aspect oriented programming
4.3 SQL statement classification schema
4.4 Select statement schema structure
4.5 Where schema structure
4.6 Tree structure with the result set
4.7 Tautology SQL query tree structure
4.8 Valuable result set
4.9 Log file
4.10 Generalized (customized) error
4.11 Comparison of the SQL injection preventer with other methods
4.12 Comparison graph for the response time of the system
5.1 XPath injection preventer system architecture
5.2 XML file for the tautology query
5.3 XML Schema definitions
5.4 XML tree structure of the XML file
5.5 XML file validation through SAX
5.6 Log file
5.7 Comparison of the XPath injection preventer with the other methods
5.8 Response time analysis graph
6.1 Cross-site scripting prevention engine architecture
6.2 Servlet filter mapping
6.3 Script in the HTTP request
6.4 Graph generated for an HTTP request
6.5 Script in the HTTP response
6.6 Graph generated for an HTTP response
6.7 Adjacency matrix for the HTTP request and HTTP response
6.8 Comparison of the WAPS with the other methods
6.9 Response time comparison between WAPS-CIVS with the XSS prevention system and without the XSS prevention system
7.1 Session hijacking preventer architecture
7.2 Session ID fixation preventer engine
7.3 Database for session cookies
7.4 Dynamic session ID mapping
7.5 Attacker HttpOnly cookies
7.6 Original session ID crafted link
7.7 Preventing the session ID fixation attack
7.8 Browser hijacking attack on a Google page
7.9 Browser hijacking prevention system
7.10 One-time URL with rnonce value
7.11 Database for nonce value with a single user session
7.12 Server errors for the browser hijacking attack
7.13 Background XSS propagation prevention system
7.14 Popup window attack with user information
7.15 Domain cluster information
7.16 Selecting target domain for sub-domain switching
7.17 Preventing background XSS propagation
7.18 Sample file system log entry
7.19 Comparison of WAPS-CIVS with the static analysis method
7.20 Response time evaluation of the session ID fixation prevention module
7.21 Comparison of the WAPS-CIVS (session ID fixation preventer) with the static analysis method
7.22 Response time evaluation of the browser hijacking prevention module
7.23 Comparison of the WAPS-CIVS (background XSS propagation preventer) with the static analysis method
7.24 Response time evaluation of the background XSS propagation module
7.25 Entire session hijacking prevention module's response time assessment

LIST OF SYMBOLS AND ABBREVIATIONS

Symbols

a_{i,j} – Adjacency matrix entry at row i and column j
E – Edge
G – Graph
n – Number of vertices
V – Vertex

Abbreviations

AJAX – Asynchronous JavaScript and XML
AMNESIA – Analysis and monitoring for neutralizing SQL injection attacks
ANSI/ISO – American National Standards Institute / International Organization for Standardization
AOP – Aspect oriented programming
API – Application programming interface
ASP – Active server pages
AVDL – Application vulnerability description language
CERT – Computer emergency response team
CFL – Context-free language
COBIT – Control objectives for information and related technology
CORBA – Common object request broker architecture
CVE – Common vulnerabilities and exposures
CWE – Common weakness enumeration
DFS – Depth-first search
DMZ – Demilitarized zone
DOM – Document object model
DoS – Denial of service
DDoS – Distributed denial of service
ERP – Enterprise resource planning
FSA – Finite state automata
HTML – Hypertext markup language
HTTP – Hypertext transfer protocol
HTTPS – Hypertext transfer protocol secure (HTTP over TLS/SSL)
ID – Identifier
IDS – Intrusion detection system
IIS – Internet information services
ISO – International Organization for Standardization
ISP – Internet service provider
ISPAWAD – Integrated security and performance aspects for web based applications
JDBC – Java database connectivity
JSP – Java server pages
LDAP – Lightweight directory access protocol
MD5 – Message digest 5
MSIL – Microsoft intermediate language
MUSIC – Mutation-based SQL injection vulnerabilities checking
OTC – One-time cookie
OWASP – Open web application security project
PCI DSS – Payment card industry data security standard
PHP – PHP: hypertext preprocessor
PKI – Public key infrastructure
PQL – Program query language
RDBMS – Relational database management system
RFID – Radio frequency identification
RUP – Rational unified process
S2XS2 – Server side cross-site scripting
SANIA – Semantic analysis for automated testing against SQL injection
SAX – Simple API for XML
SDLC – Software development life cycle
SID – Session identifier
SOAP – Simple object access protocol
SQL-IF – SQL injection free
SQL – Structured query language
SQLIA – SQL injection attack
SSI – Server side include
SSL – Secure sockets layer
TCP/IP – Transmission control protocol / internet protocol
TLS – Transport layer security
URL – Uniform resource locator
VBScript – Visual Basic script
WAPS-CIVS – Web applications secure system from code injection vulnerabilities through web services
WASC – Web application security consortium
WRAPS – Web referral architecture for privileged service
W3C – World Wide Web Consortium
WWW – World wide web
XML – eXtensible markup language
XPath – XML path language
XQuery – XML query language
XSS – Cross-site scripting