Study of Web Application Attacks & Their Countermeasures: Naresh Kumar, Kanika Sharma

The document discusses common web application attacks and their countermeasures. It describes SQL injection, cross-site scripting, and broken authentication/session management as the most prevalent attacks. SQL injection allows attackers to gain unauthorized privileges by injecting SQL queries. Cross-site scripting embeds malicious JavaScript code into web applications. Broken authentication/session management occurs when sessions are hijacked or false authentication takes place, compromising user privileges. The document outlines different types of each attack and stresses the importance of properly validating user input and implementing security best practices to mitigate vulnerabilities.


International Journal of Network Security, Issue 1, Vol. 1, May 2009

Study of Web Application Attacks & Their Countermeasures

Naresh Kumar (1), Kanika Sharma (2)
(1, 2) University Institute of Engineering & Technology, Kurukshetra University, India
(1) Naresh_duhan@rediffmail.com
(2) Kanikasharma1.12@gmail.com
Abstract: Web application security is among the hottest issues in the present web scenario because web applications are increasingly used for e-business. Web applications have become the easiest way to provide a wide range of services to users, and because confidential data is transferred during these services they are an attractive target for attacks. Most web application attacks succeed because of a lack of security awareness and poor programming practice. According to the Imperva web application attack report [1], websites are probed on average once every two minutes, and in the year 2012 rates of up to ten attacks per second were reported. In this paper we present the most common and dangerous web application attacks and their countermeasures.

Index Terms: Security; Web Application Attacks; SQL Injection; Cross Site Scripting; XSS; Broken Authentication; Session Management.
I. INTRODUCTION
Web applications have become the usual way of exchanging information over the internet: they provide an interface through which a client can communicate with a service. To handle client information, service providers use a database that stores the clients' sensitive data, and attackers exploit this database in many ways to obtain users' personal information. Because web applications are often vulnerable, they are the easiest route for an attacker to the underlying database. According to the Open Web Application Security Project (OWASP) top ten web application vulnerabilities, injection is the most common and most dangerous attack and has held the number one position since the 2010 release, followed by cross site scripting and broken authentication and session management. Web applications take input from the user through text boxes, in the form of names, addresses, comments, feedback and many other fields, and these inputs are used to build the database queries that store and retrieve the values. A malicious user injects an SQL fragment or a script into such an input to perform an injection attack. The injected SQL is executed by the database server, and the injected script by the victim's browser, as code that behaves differently from what the programmer intended. Authentication and session attacks occur when a malicious user hijacks an ongoing session or bypasses the authentication mechanism. These attacks give the malicious user the privileges of an authenticated user, with severe consequences such as loss of confidentiality, integrity, authentication and authorization [20].
As per the OWASP Top 10 2013 release [2], the ten major categories of web application attack are:
1. Injection
2. Broken Authentication and Session Management
3. Cross Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards.
In the real world it is very difficult to achieve complete security, as some security flaws always exist through which the application can be attacked in different ways. In the next sections we discuss the impact of the top three web application attacks: SQL injection, XSS, and broken authentication and session management.
II. SQL INJECTION
An SQL injection (SQLi) attack occurs when a malicious user supplies SQL keywords and operators as part of the input, and the application concatenates that input into a dynamically constructed query. SQLi succeeds because of improper or insufficient handling of input: the value is treated as part of the statement text rather than as data. Through SQLi an attacker can gain unauthorized privileges on the database, execute commands and perform data manipulation operations. Injection attacks can be classified into three categories. In a First Order Attack, a union or a sub-query is injected into the existing query statement and takes effect immediately. In a Second Order Attack, the malicious payload is first stored in the database (for instance through a registration form) and is executed later, when another part of the application reads it back and builds a query from it; these attacks target internal application users and system administrators through search lists, submissions and "latest popular article" pages. In Lateral Injection, the malicious user attacks a PL/SQL procedure that does not even take user input directly: when a variable of DATE or NUMBER type is implicitly converted to text and concatenated into the SQL statement, an attacker who can influence that conversion can still inject. Once the attacker has found an input source, various SQLi types are used to perform attacks of different kinds [15].
A. TAUTOLOGY
A tautology is a statement that is always true. This type of attack is used to bypass the authentication mechanism by injecting a comparison that makes the WHERE condition true for every row. For example, with the input ' OR 1=1-- in the username field the application builds
Select * from users where username = '' OR 1=1--' AND password = 'anything';
Here users is the table and username and password are the input fields through which the attack is performed. The injected OR 1=1 is always true, and the -- comments out the rest of the statement including the password check, so the query returns every row of users and the login succeeds without a valid password.
B. PIGGY-BACKED QUERIES
In this type of attack an additional query is appended to the original one, and the database executes it as a second statement in the same request. For example, if the PIN field carries an appended statement, the application builds
Select contact from userinfo where login='xyz' AND pinnum ='123'; drop table userinfo;
Here the database executes both statements, and the second one drops the table. Using this type of attack tables can be added to or deleted from the database. The attack requires that the database and the driver accept stacked (multiple) statements in one call; where they do not, the attacker falls back to the other classes described here.
C. LOGICALLY INCORRECT QUERIES
The main intention of this type of attack is to obtain useful information about the database from the error messages it generates, such as the number of columns in the query, the database name and version, and the name and type of each column. This information is then used in the other attack types to exploit the database. Returning raw database error messages to the client is what makes this class possible.
D. UNION QUERY
Union query injection is also known as a statement injection attack. It is performed by injecting a UNION clause so that the database returns the union of the original result set and the result of an attacker-chosen query. For example
Select * from users where username ='' UNION select * from admin--'and password ='anything'
Here the query becomes the union of two select queries: the first returns no rows and the second returns all data from the table admin. For the UNION to succeed the second select must return the same number of columns, with compatible types, as the first, which is why an attacker often first determines the column count using logically incorrect queries.
E. STORED PROCEDURE
Stored procedures are code, and they are as vulnerable as any other program code when they build statements dynamically. A login procedure typically returns true or false for an authorized or unauthorized user. If the attacker inputs "';SHUTDOWN;--" as the username, the stored procedure generates the following query
Select login from users where username='';SHUTDOWN;-- and password='anything'
and the database executes the SHUTDOWN command before the commented-out password check is reached. Using a stored procedure on its own is therefore not a countermeasure; only parameterized statements inside it are.
F. INFERENCE
This type of attack is performed to gain information about a vulnerable parameter when the application does not return query results or error messages directly. The attacker crafts queries so that the database or the application behaves observably differently depending on the truth of a condition. The two techniques used are Blind Injection and Timing attacks. In blind injection the attacker injects a condition that evaluates to true or false; if it is false the page behaves abnormally (for example an error or an empty result), otherwise the application behaves normally, and the attacker infers one bit of information per request. In a timing attack the attacker injects an if-then statement that calls a delay function such as WAITFOR DELAY (SQL Server) when the condition holds, so that the response time reveals the answer.
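The tautology, UNION and piggy-backed classes above all depend on the same defect, a query assembled by string formatting. The following added example (not code from the paper) runs them against an in-memory SQLite database and shows the countermeasure that makes the input harmless: bound parameters, which the driver sends separately from the statement text. The users and admin tables, their rows and the payload strings are constructed for illustration.

```python
"""SQL injection classes from Section II against an in-memory SQLite
database: tautology, UNION and piggy-backed queries succeed against a
query built by string formatting and fail against the parameterized
version. Added example; tables, rows and payloads are constructed here."""
import sqlite3


def make_db():
    """Constructed sample schema: a users table and a separate admin table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT, password TEXT, role TEXT);
        INSERT INTO users VALUES ('alice', 's3cret', 'user');
        CREATE TABLE admin (username TEXT, password TEXT, role TEXT);
        INSERT INTO admin VALUES ('root', 'hunter2', 'admin');
        """
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so the input becomes SQL code.
    This is the pattern the paper's examples in II.A and II.D exploit."""
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Same query with bound parameters: the values never become part of
    the statement text, so they cannot change its structure. This is the
    countermeasure, not a filter on the input."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def piggyback_with_stacked_queries(username):
    """Piggy-backed query (Section II.B). sqlite3's execute() refuses more
    than one statement per call, which is one reason this class needs a
    database/driver that allows stacked queries; executescript() allows
    them, so the appended DROP TABLE runs. Returns whether users survived."""
    conn = make_db()
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = 'anything'" % username
    )
    conn.executescript(query)
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    conn = make_db()
    TAUTOLOGY = "' OR 1=1--"
    UNION = "' UNION SELECT username, role FROM admin--"
    print(login_vulnerable(conn, TAUTOLOGY, "anything"))   # every row of users
    print(login_vulnerable(conn, UNION, "anything"))       # rows of admin
    print(login_safe(conn, TAUTOLOGY, "anything"))         # nothing matches
    print(piggyback_with_stacked_queries("'; DROP TABLE users;--"))  # table gone
```

The UNION payload works only because it returns the same two columns as the original select; with a mismatched column count the database raises an error, which is the information a logically incorrect query (II.C) harvests.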
III. CROSS SITE SCRIPTING
Cross site scripting (XSS) is a common vulnerability in web application programs. XSS occurs when HTML or JavaScript supplied by an attacker through an input source is included in a page served to other users without being encoded for the context in which it appears. If these inputs are not filtered or encoded on the server side, severe consequences may follow, such as reading and transmitting the victim's cookies or redirecting the victim to third party websites. The most common injection points are comments, feedback forms and search fields, and the attacks target authenticated users and system administrators. XSS is classified into two types of attack [17].
A. STORED OR PERSISTENT ATTACK
In a stored attack the malicious code injected by the attacker is accepted as part of an input field and stored permanently in the database. The victim then receives the malicious code whenever they request the stored information, so every user who views the page is attacked.
B. REFLECTED OR NON-PERSISTENT ATTACK
In a reflected attack the payload is sent back by the web server in the immediate response, for example in an error message or a search result page that includes part or all of the input submitted with the request. The payload reaches the victim inside a crafted link, for example in an e-mail message or on another site, which sends the user to the vulnerable application with the script embedded in the request.
IV. BROKEN AUTHENTICATION & SESSION MANAGEMENT
A broken authentication and session management attack occurs whenever a session is hijacked or a false authentication takes place. The category covers all aspects of handling authentication and sessions, affects web servers, application servers and the web application environment, and leads to misuse of privileges: for example the attacker can alter messages or misuse the information retrieved while acting as the victim. Developers use cryptographic algorithms and session management tokens against this kind of attack, but it remains a major issue [3]. The following points should be kept in mind when handling authentication and session issues:
A. PASSWORD STRENGTH
Passwords should have a minimum length and an appropriate mix of letters, numbers and special characters so that they cannot be guessed.
B. PASSWORD USE
The number of login attempts should be restricted. A legitimate user who has forgotten the password needs only a few attempts, whereas an attacker guessing passwords needs many, so after the maximum number of failed attempts the account should be locked or throttled to stop the attack.
C. PASSWORD CHANGE CONTROL
There should be a single password change mechanism, to avoid security flaws in duplicated code paths. The mechanism should require the old password together with the new one, and changing the e-mail address or phone number used for account recovery should not be possible in the same step without that check; otherwise an attacker who has hijacked a session can take over the account permanently.
D. PASSWORD STORAGE
Passwords should never be stored in clear text. They should be stored as salted hashes computed with a slow password hashing function, rather than with reversible encryption, so that a compromise of the database does not expose them.
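Points A to D above together describe one small component. The following added example (not code from the paper) implements them over a constructed in-memory user store: a strength rule, a failed-attempt lock, a password change that requires the old password, and salted PBKDF2 storage with a constant-time comparison. The strength rule, the PBKDF2 iteration count and the lockout threshold are assumptions chosen for the example, not values from the paper.

```python
"""Password handling for Section IV (A-D): strength check, attempt
throttling, change control requiring the old password, and salted
slow-hash storage. Added example with a constructed in-memory store."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumption; tune so one hash costs ~100 ms on the server
MAX_FAILED_ATTEMPTS = 5       # assumption (IV.B: restrict login attempts)
MIN_LENGTH = 12               # assumption (IV.A: minimum length)


def password_is_strong(pw):
    """IV.A: minimum length and at least three of four character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= MIN_LENGTH and sum(classes) >= 3


def hash_password(pw, salt=None):
    """IV.D: a per-user random salt and a slow KDF; the password itself is
    never stored and cannot be recovered from the digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class UserStore:
    def __init__(self):
        self.users = {}   # username -> {"salt", "digest", "failed"}

    def register(self, username, pw):
        if not password_is_strong(pw):
            raise ValueError("password too weak")
        salt, digest = hash_password(pw)
        self.users[username] = {"salt": salt, "digest": digest, "failed": 0}

    def verify(self, username, pw):
        """IV.B: count failures and refuse once the threshold is reached.
        Digests are compared in constant time."""
        user = self.users.get(username)
        if user is None:
            hash_password(pw)   # same cost as a real user, so names cannot be probed by timing
            return False
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            return False        # locked; an admin/reset flow would clear "failed"
        _, digest = hash_password(pw, user["salt"])
        if hmac.compare_digest(digest, user["digest"]):
            user["failed"] = 0
            return True
        user["failed"] += 1
        return False

    def change_password(self, username, old_pw, new_pw):
        """IV.C: the only path that sets a new password, and it requires
        proving the old one. Recovery e-mail/phone are not touched here."""
        if not self.verify(username, old_pw):
            return False
        if not password_is_strong(new_pw):
            return False
        salt, digest = hash_password(new_pw)
        self.users[username].update(salt=salt, digest=digest, failed=0)
        return True
```

A failed change_password attempt counts as a failed login, so an attacker holding a hijacked session cannot guess the old password any faster through the change form than through the login form.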
E. SESSION ID PROTECTION
Session IDs should be long and generated from a cryptographically secure random source so that they cannot be guessed or predicted. They should be renewed during an ongoing session to limit the period for which a captured ID remains valid. Session IDs must be changed when performing operations such as switching to SSL, authenticating the user, or other major privilege transitions, which also defeats session fixation. A session ID chosen by the visitor should never be accepted as the ID.
V. SQL INJECTION DETECTION & PREVENTION
Once an attacker has found an input source that can be used to perform an attack, various kinds of techniques can be used to detect and prevent it [15].
A. "SQL DOM: Compile Time Checking of Dynamic SQL Statements" (Russell A. McClure and Ingolf H. Kruger) (2005)
McClure proposed an approach [4] in which a set of classes strongly typed to the database schema is generated and used to build SQL statements. The solution consists of an executable, sqldomgen, which is run against the database. Its output is a dynamic link library (DLL) containing classes strongly typed to the database schema. These classes, known as the SQL DOM, are the only way the application developer constructs dynamic SQL statements, so a statement that does not match the schema fails to compile rather than failing at runtime, and user values enter the statement as typed parameters rather than as text. If the database schema changes, sqldomgen is rerun to generate a modified SQL DOM. The SQL DOM consists of three parts. The first is an abstract object model that can construct every valid SQL statement that would execute at runtime. The second is the SQL DOM generator, which generates the code. The third is the concrete object model, with three main types of classes: SQL statements, columns and where conditions. The weaknesses of this approach are that constructing SQL statements takes more development time, and that complexity may grow with large databases since sqldomgen needs to be rerun frequently.
B. "A Static Analysis Framework For Detecting SQL Injection Vulnerabilities" (Xiang Fu, Xin Lu) (2007)
Xiang Fu [5] proposes a static analysis framework for identifying SQL injection vulnerabilities at compile time. The framework consists of an MSIL Instrumentor, which instruments the bytecode of an ASP.NET application; a Symbolic Execution Engine, which examines the back-end code of each ASP page; a Rule Library holding attack patterns; a Constraint Solver, which generates valuations of the variables that satisfy the constraints; and a Test Case Generator, which runs tests for the vulnerability of the program. At each input box that leads to an SQL query a hybrid constraint solver is applied to find user input that can be malicious and lead to an attack. The weakness of this static analysis technique is that at the time of writing it had not been implemented, and it is designed specifically for the .NET framework. Once implemented, the framework has the potential to discover more attacks than black box web security inspection tools.
C. "Web Application Intrusion Detection System for Input Validation Attack (WAIDS)" (YongJoon Park, JaeChul Park) (2008)
YongJoon Park proposed [7] an approach based on the observation that the parameters of legitimate requests to a web application have identical structures and similar values. WAIDS is an intrusion detection method based on the anomaly intrusion detection model for detecting input validation attacks against web applications. The approach has four steps. In step one the parameters in each HTTP request are collected. In the second step the collected data is transformed into alphabetic characters according to a keyword replacement matrix, which filters the data. In the third step the similarity between a request and the web application request profiles is measured to find the most appropriate normal web request; for this the keyProDiff formula is used, which the paper gives as
OSD(P, S) = min over the profiles S of keyProDiff(P, S)
In the fourth step, at runtime, HTTP requests are checked against the normal web request profile, and those that violate the profile are detected and reported as malicious. The implementation has three modules: the data collection module, which collects the data; the analysis module, which implements steps two and three; and the management module, which manages attack detection and report logging. The weakness of this approach is that profile matching is a very exhaustive task and developer knowledge is required.
D. "An Automatic Mechanism For Sanitizing Malicious Injection" (Jin-Cherng Lin, Jan-Min Chen, Cheng-Hsiung Liu) (2008)
Jin-Cherng Lin proposed [8] an automatic mechanism for sanitizing malicious injection, which evaluates the detection rate of filter rules in order to prevent web application attacks. The authors suggested a hybrid analysis methodology that works at three levels: a white list, a black list and an encoding technique. The proposed testing framework tests different cases; if the output of the tester matches that of the monitor that accepts the input, no attack is detected. The drawbacks of this testing framework are the exhaustive test cases and the occurrence of false positives.
E. "SQLProb: A Proxy based Architecture towards preventing SQL injection attacks" (Anyi Liu, Yi Yuan) (2009)
Anyi Liu proposed an approach [9] with four main components. The first is the Query Collector, which records all possible SQL queries during the data collection phase. The second is the User Input Extractor, which identifies the user input data within a query. The third is the Parse Tree Generator, which generates a parse tree for the input queries. The fourth is the User Input Validator, which evaluates whether the user input is malicious or not by checking where it lands in the parse tree. SQLProb executes in two phases: the Data Collection Phase, which collects the user input data, and the Query Evaluation Phase, which evaluates the queries for malicious input. The framework is implemented in Java and was tested on a virtual machine with MySQL as the backend database server. The advantage of this approach is that it does not require access to the source code of the web application and is easily deployable in an existing enterprise environment, since it sits as a proxy between the application and the database.
F. "An approach For SQL injection Vulnerability detection" (Mei Junjin) (2009)
Mei Junjin proposed an approach [10] for detecting SQL injection vulnerabilities. The approach traces the flow of input values that are used in SQL queries, using the AMNESIA SQL query model. Based on the input flow analysis it generates test attack inputs for the method arguments used to construct the SQL query. It also generates a colored call graph indicating secure and vulnerable methods. To measure effectiveness, case studies were performed on two web applications. The advantage of this approach is that it produced no false positives. Its weakness is that false negatives do occur, and since it was tested only on small web applications the false positive and false negative rates may vary on larger ones.
G. "Multi-Layered Defense against Web Application Attacks" (Abdul Razzaq, Ali Hur, Nasir Haider, Farooq Ahmed) (2009)
In [11] Abdul Razzaq proposed a multilayer defense against application level attacks. The approach has two modules. The first is the Detection Module, in which special characters and keywords are recognized through three components: Positive Security, Negative Security and Anomaly Detection. If a keyword is matched in any component, further processing is stopped; if no attack is detected, the input is passed to the next module. The second module, Analyzer and Validation, generates an exception for an error. The weaknesses of this approach are that it needs developer knowledge and that false positives also occur.
H. "A Database security testing scheme of web application" (Yang Haixia and Nan Zhihong) (2009)
Yang Haixia and Nan Zhihong proposed [12] a database security testing scheme for web applications. In this approach they suggested a testing model for securing the database. They developed an attack rule library holding various injection patterns; the whole website is scanned to find software faults, and test reports are generated for the test cases. This method automatically detects the input points for SQL attacks. The drawback of the framework is that it can detect only SQL injection attacks that match a signature in the rule library.
I. "Injection Attack Detection using the removal of SQL Query Attribute Values" (Jeom-Goo Kim) (2011)
Jeom-Goo Kim proposes [13] a simple and effective SQL query attribute removal method, which uses a combined technique of static and dynamic analysis. The method compares and analyzes input by removing the attribute values (the literals) from SQL queries. A function F is proposed that deletes the attribute values in an SQL query. The attribute values of both the static SQL query in the web application and the SQL query generated at runtime are deleted; if after removal the runtime query matches the fixed SQL query, no attack is detected, but if there is some difference between the two an attack is considered to have occurred, because legitimate input can only change values, never the structure of the statement. The weakness of this method is that it had not been implemented at the time of writing.
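The attribute-removal check is simple enough to show in full. The following added example (not Kim's implementation) plays the role of function F with a regular expression that replaces string and numeric literals by a placeholder, then compares the skeleton of the runtime query with that of the static template. The template, the constructed query builder and the test inputs are assumptions made for illustration.

```python
"""Attribute-value removal check of Section V.I, as an added example
(not Kim's code): literals in the static template and in the runtime
query are replaced by a placeholder; a skeleton mismatch means the user
input changed the statement's structure."""
import re

# Quoted strings first (so digits inside them are left alone), then
# unquoted numeric literals. '' inside a string is the SQL-escaped quote.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def remove_attribute_values(query):
    """Function F of the paper: delete attribute values, then normalise
    whitespace and case so only the statement skeleton remains."""
    skeleton = _LITERAL.sub("?", query)
    return " ".join(skeleton.split()).lower()


def is_injected(template_query, runtime_query):
    """True when the runtime query's skeleton no longer matches the template's."""
    return remove_attribute_values(template_query) != remove_attribute_values(runtime_query)


def build_runtime_query(username, password):
    """Constructed vulnerable query builder mirroring Section II.A; it is
    what the check is protecting."""
    return "SELECT * FROM users WHERE username = '%s' AND password = '%s'" % (username, password)


# The static query as it appears in the application source (assumed).
TEMPLATE = "SELECT * FROM users WHERE username = 'x' AND password = 'y'"


if __name__ == "__main__":
    for user, pw in [("alice", "s3cret"), ("o''brien", "pw123"), ("' OR 1=1--", "anything")]:
        q = build_runtime_query(user, pw)
        print(is_injected(TEMPLATE, q), remove_attribute_values(q))
```

A legitimate value containing an escaped quote (o''brien) keeps the skeleton intact and is not flagged, while the tautology and UNION payloads add tokens after the placeholder and are. The check sees only structure, so it cannot judge the values themselves; that is the job of parameterized queries, and it is also why the method is reported to have no false positives on well-formed input.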
J. "Research of intelligent intrusion detection system based on web data mining technology" (Chai Wenguang, Tan Chunhui, Duan Yuting) (2011)
Chai Wenguang proposed [14] an intelligent agent technology combined with data mining. In this approach a data acquisition agent stores the collected data in a local database. The data is then sent to a mining agent for pre-processing and analysis. Detection is done using an alarm evaluation model, which raises an alarm for every attack detected. The intelligent intrusion detection with web data mining is also compared with a traditional intrusion detection system and is found to be more efficient. The weakness of this approach is that the data mining algorithms need improvement to raise the efficiency of the proposed mechanism.
K. "CIDT: Detection of malicious code injection attacks on web application" (Atul S. Choudhary and M. L. Dhore) (2012)
Atul S. Choudhary proposed [18] a code injection detection tool. In this approach there are two detectors, a Query Detector and a Script Detector. The Query Detector is built around a text file of malicious keywords: if the user input contains any malicious keyword, the query detector does not allow the database connection. When the database connection is made for non-malicious input, the Script Detector further filters the input, removing HTML content to prevent SQL and XSS attacks. The approach was implemented in ASP.NET and the experiment shows successful prevention of SQL and XSS attacks. The weakness of this approach is that it is not effective against stored procedure attacks and, as with any keyword black list, against payloads that avoid the listed keywords.
VI. CROSS SITE SCRIPTING DETECTION AND PREVENTION
A. "BIXSAN: Browser Independent XSS Sanitizer For Prevention of XSS attacks" (Sharath Chandra V, S. Selvakumar) (2011)
The technique proposed in [16] is invoked when the user submits content in a field of the web application. The HTML content is passed to the XSS sanitizer, which parses it and checks for the presence of static tags. The static tags are retained while the remaining tags are filtered out. Even static tags may contain dynamic content (scripts), and this is filtered out by a JavaScript tester. After filtering, the HTML content is converted into a DOM, and the sanitized user content is retained in the DOM. The approach was tested with the cheat sheet [21], which contained 111 scripts, and the results were obtained in various web browsers: all 111 scripts were filtered out by BIXSAN. Moreover it reduces the anomalous behavior of web browsers. The weakness of this solution is that it is entirely server side, and the browser source needs to be modified to obtain the reported results.
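The "retain static tags, filter the rest" step described above is an allowlist sanitizer. The following added example (not the BIXSAN code) builds one on Python's html.parser: tags outside a fixed allowlist are dropped, event-handler attributes and non-http URLs are removed from the tags that stay, and the bodies of script and style elements are discarded. The allowlist, the permitted URL schemes and the sample fragments are assumptions made for illustration.

```python
"""Allowlist HTML sanitizer in the spirit of Section VI.A: keep a static
set of tags, strip everything else, drop on* attributes and javascript:
URLs, discard <script>/<style> content. Added example, not BIXSAN; the
allowlist below is an assumption."""
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}   # assumed allowlist
ALLOWED_ATTRS = {"a": {"href"}}                             # only href survives, only on <a>
SAFE_URL_PREFIXES = ("http://", "https://", "/")            # rejects javascript:, data:, vbscript:
DROP_CONTENT_TAGS = {"script", "style"}                      # their text is never emitted


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                        # unknown tag: dropped, its text is kept as text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                  # drops onclick=, onerror=, style=, ...
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_URL_PREFIXES):
                continue                  # drops javascript: and other schemes
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and friends

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag == "br":
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))   # text is re-encoded on output


def sanitize(fragment):
    """Return the fragment rebuilt from only the allowed tags and attributes."""
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Because the output is regenerated from the parse tree rather than patched in place, browser quirks in the original markup (unclosed tags, mixed case, unquoted attributes) do not survive into the page, which is the "browser independence" the section refers to.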
B. "S2XS2: A Server Side Approach to Automatically Detect XSS Attacks" (Hossain Shahriar and Mohammad Zulkernine) (2011)
Hossain Shahriar [17] proposed a detection framework with six modules. The first module, Boundary Injection, injects boundaries around each content generation location; two types of boundary are applied, HTML comments and JavaScript comments, and the comments carry a token so that duplicates can be identified. From the boundaries a policy is generated for attack detection. The second module is Policy Storage, which stores the policy for attack detection. The third module is the Web Server, which represents the web program container in which the boundary-injected programs are accessed; the web server generates the response pages and forwards them to the next module. The fourth module is the Feature Comparator, which compares the response page with the policy rules. The fifth module is the Attack Detector, which detects and removes malicious code and forwards the response to the next module. The last module, the Boundary Remover, removes the boundaries injected by the first module from the safe content. The approach was tested in Java and the results were obtained with zero false negatives; it also detects advanced XSS. The weaknesses of this approach are that it suffers from false positives and response delays, and the policy checking phase is also exhaustive.
VII. BROKEN AUTHENTICATION & SESSION MANAGEMENT DETECTION & PREVENTION
A. "A process for supporting risk-aware web authentication mechanism choice" (Karen Renaud) (2007)
In [6] Karen Renaud proposes a risk-aware procedure for developing a web authentication mechanism in order to control authentication vulnerabilities. The proposed methodology is simple and well structured, and enables developers to choose a web authentication mechanism suited to a particular website. The steps for choosing the mechanism are defined as follows. In step one the target user group is defined, classifying the users of the particular web application. In the next step the possible impact of an intrusion is defined, i.e. how an intrusion can affect the web application. In the third step the estimated budget is decided, that is, which features one can afford. In the fourth step the authentication mechanism is chosen by ranking the different mechanisms using the proposed formula
Opportunity = (Guessability + Observability + Recordability + Analysability) / Resistibility
This formula weights each authentication mechanism and so provides a rank for them; the value estimates an attacker's opportunity, so a lower value is better. In the next step the mechanism is confirmed and the plans for testing are determined. This procedure thus provides a process for supporting the choice of authentication mechanism for a web application. The weakness of the approach is that it needs developer knowledge to assess each factor.
B. "Automatic Detection Of Session Fixation Vulnerabilities in Web Applications" (Yusuke Takamatsu, Yuji Kosuga, Kenji Kono) (2012)
In [19] Yusuke Takamatsu proposes a technique to check for session fixation attacks. Session fixation is an attack in which the attacker forces the visitor to use a session ID chosen by the attacker; once the visitor authenticates under that ID, the attacker can use the application as the visitor. The authors designed a system that works in three steps. The first step is Packet Capturing: the system lies between the user's browser and the web application server, captures all packets and observes the changes of the session IDs. In the second step an Initial Inspection is done to check the session ID for the vulnerability, that is, whether the ID stays the same across login. The third step is Attack Simulation, in which the system launches an attack simulator that automatically reproduces the environment of a real attack with a virtual attacker and a virtual victim. The virtual attacker first obtains a session ID (SID) from the application, the virtual victim is made to log in with that SID, and the virtual attacker then checks whether requests carrying the obtained SID are treated as the logged-in victim. The response is checked for keywords; for example, if a keyword such as "welcome victim" is obtained, the web application is considered vulnerable. The weakness of this approach is that it is difficult to manage such a virtual environment for a real world application.
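The fixation check above and the session ID rules of Section IV.E are two sides of the same property, so the following added example (not the authors' system) covers both: a minimal server-side session model that issues unguessable IDs and ignores visitor-chosen ones, built once without and once with ID rotation at login, and a virtual-attacker test that follows the three-step simulation of [19] to tell the two apart. The application model and its "welcome" response are constructed for illustration.

```python
"""Session handling for Section IV.E and the fixation check of Section
VII.B. Added example: a toy session store built two ways (keeping the
pre-login ID, or rotating it at login) and a virtual-attacker test that
distinguishes them. The app model is constructed here."""
import secrets


class SessionApp:
    """Tiny server-side model: cookie SID -> session state."""

    def __init__(self, rotate_on_login):
        self.sessions = {}
        self.rotate_on_login = rotate_on_login

    def new_session(self):
        # IV.E: long IDs from a CSPRNG (256 bits here), never derived from
        # anything the visitor controls
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def request(self, sid):
        """IV.E: an ID the client presents that the server never issued is
        ignored and replaced by a fresh one (visitor-chosen IDs are not accepted)."""
        if sid not in self.sessions:
            sid = self.new_session()
        return sid

    def login(self, sid, user):
        sid = self.request(sid)
        if self.rotate_on_login:
            # IV.E: change the ID at the authentication transition; the
            # pre-login ID (which an attacker may know) becomes worthless
            self.sessions.pop(sid)
            sid = self.new_session()
        self.sessions[sid]["user"] = user
        return sid

    def page(self, sid):
        user = self.sessions.get(sid, {}).get("user")
        return "welcome %s" % user if user else "please log in"


def vulnerable_to_fixation(app, victim="victim"):
    """VII.B attack simulation: the virtual attacker obtains a SID, the
    victim is made to log in with it, and the attacker checks whether
    requests carrying that SID are answered as the victim."""
    attacker_sid = app.request(None)        # step 1: attacker gets a valid ID
    app.login(attacker_sid, victim)         # step 2: victim logs in under that ID
    response = app.page(attacker_sid)       # step 3: attacker replays the ID
    return response == "welcome %s" % victim   # the keyword check of [19]


if __name__ == "__main__":
    print(vulnerable_to_fixation(SessionApp(rotate_on_login=False)))   # True
    print(vulnerable_to_fixation(SessionApp(rotate_on_login=True)))    # False
```

The check works without any knowledge of the application's source, which is what makes the black-box simulation in [19] attractive; the cost is that the simulator has to drive a real login, which is the operational difficulty the section notes.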
VIII. FUTURE WORK
Web application security is extremely important for using and providing better services over the internet. The main motive of an application developer is to implement the business logic correctly, but despite functioning properly a web application may still be vulnerable to dangerous attacks that can harm the organization's database and reputation. Our future work includes the proposal of a web application security tool that can detect and prevent most web application attacks. The proposed mechanism will mainly detect and prevent the attacks discussed in this paper, with ease of implementation, fast detection, and the aim of zero false positives and negatives. We will also propose an approach for the secure implementation of web applications, as the lack of security awareness is the main reason for web application attacks.
IX. CONCLUSIONS
SQL injection, XSS, and broken authentication and session management are the most dangerous and the most common web application attacks. This survey presents a study of current techniques against these attacks. The present techniques suffer from weaknesses such as:
- Complex frameworks.
- Incomplete implementation.
- Real world deployment issues.
- Response delay.
- High average detection time.
- Inability to detect non-signature attacks.
- False positives and false negatives.
- Dependence on developer knowledge.
Industry has developed many promising techniques to secure web applications, but despite the effectiveness of these techniques it is necessary for application developers to use them as part of the development process. With the increasing use of web applications it is important for software developers to follow an appropriate security framework during the software development life cycle to ensure better services to end users.
REFERENCES
[1] Imperva, Web Application Attack Report 2012. http://www.imperva.com (Accessed in Dec 2012).
[2] OWASP Top Ten Project. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project (Accessed in Jan 2013).
[3] OWASP, Broken Authentication and Session Management. https://www.owasp.org/index.php/Broken_Authentication_and_Session_Management (Accessed in Jan 2013).
[4] R. A. McClure and I. H. Kruger, "SQL DOM: Compile Time Checking of Dynamic SQL Statements", International Conference on Software Engineering, May 2005, ACM, pp. 88-96.
[5] Xiang Fu, Xin Lu, "A Static Analysis Framework For Detecting SQL Injection Vulnerabilities", 31st Annual International Computer Software and Applications Conference, IEEE, 2007.
[6] Karen Renaud, "A process for supporting risk-aware web authentication mechanism choice", Reliability Engineering and System Safety, Elsevier, 2007, pp. 1204-1217.
[7] YongJoon Park, JaeChul Park, "Web Application Intrusion Detection System For Input Validation Attack", Third 2008 International Conference on Convergence and Hybrid Information Technology, IEEE, pp. 498-504.
[8] Jin-Cherng Lin, Jan-Min Chen, Cheng-Hsiung Liu, "An Automatic Mechanism For Sanitizing Malicious Injection", The 9th International Conference for Young Computer Scientists, 2008, IEEE, pp. 1470-1475.
[9] Anyi Liu, Yi Yuan, "SQLProb: A Proxy-based Architecture towards preventing SQL injection attacks", SAC '09, March 2009, ACM, pp. 2054-2061.
[10] Mei Junjin, "An Approach For SQL Injection Vulnerability Detection", 2009 Sixth International Conference on Information Technology: New Generations, IEEE, pp. 1411-1414.
[11] Abdul Razzaq, Ali Hur, Nasir Haider, "Multi Layer Defense Against Web Application Attacks", 2009 Sixth International Conference on Information Technology: New Generations, IEEE, pp. 492-497.
[12] Yang Haixia and Nan Zhihong, "A Database Security Testing Scheme of Web Application", 4th International Conference on Computer Science and Education, 2009, IEEE, pp. 953-955.
[13] Jeom-Goo Kim, "Injection Attack Detection Using Removal of SQL Query Attribute Values", IEEE, 2011.
[14] Chai Wenguang, Tan Chunhui, Duan Yuting, "Research of Intelligent Intrusion Detection System Based on Web Data Mining Technology", IEEE 4th International Conference on Business Intelligence and Financial Engineering, 2011, pp. 14-17.
[15] Nilesh Kochre, Satish Chalukar, Santosh Kakde, "Survey on SQL Injection Attacks and Their Countermeasures", International Journal of Computational Engineering and Management, Vol. 14, October 2011.
[16] Sharath Chandra V., S. Selvakumar, "BIXSAN: Browser Independent XSS Sanitizer for Prevention of XSS Attacks", ACM SIGSOFT Software Engineering Notes, September 2011, Volume 36, Number 5.
[17] Hossain Shahriar and Mohammad Zulkernine, "S2XS2: A Server Side Approach to Automatically Detect XSS Attacks", 2011 IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing, pp. 7-17.
[18] Atul S. Choudhary and M. L. Dhore, "CIDT: Detection of Malicious Code Injection Attacks on Web Application", International Journal of Computer Applications, Volume 52, No. 2, August 2012, pp. 19-25.
[19] Yusuke Takamatsu, Yuji Kosuga, Kenji Kono, "Automatic Detection of Session Fixation Vulnerabilities", 2012 Tenth Annual International Conference on Privacy, Security and Trust, IEEE, pp. 112-119.
[20] Rahul Johri, Pankaj Sharma, "Survey on Web Application Vulnerability Exploitation and Security Engine for SQL Injection", 2012 International Conference on Communication Systems and Network Technologies, IEEE, pp. 453-458.
[21] OWASP, XSS (Cross Site Scripting) Prevention Cheat Sheet. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet.
