Seguridad web - articulo completo - ingles (Web security: complete article, English)

Uploaded by isidro-luna-beltran, posted 18-Dec-2014

Page 1: Seguridad web -articulo completo- ingles

Web Security

Isidro Beltrán Luna, Ismael Velasco Miguel

Instituto Tecnológico de Tuxtepec, February 2014


ABSTRACT

As well as many other areas related to security, the World Wide Web presents two types of

very different problems with different solutions. On one hand, most of us use a web browser

on a regular basis and want to prevent our web clients to execute code in an attack that al-

lows you to take control of our machine. On the other hand they are web servers, to which we

do not want them look compromised by constant attacks. So what is the answer? Well there

is not a single answer. We need to follow a series of steps to protect both clients and servers.

As Server Manager you cannot force your clients to be sure, but you can protect your own

server and applications based on web attacks. Protecting the server also you can prevent

broken clients or users that have visited the hostile actions of attack sites that could damage

your accounts or data hosted on our site, sabotaging it; for example, an attack by scripting

multisite that interacts with the user account to change the password for your account on our

site.


Keywords: World Wide Web, scripting, servers


INTRODUCTION

Absolute security cannot be proven. Maintaining a secure system means guaranteeing three fundamental properties: confidentiality, so that our system's resources are accessible only to authorized agents; integrity, so that those resources can be modified only by authorized agents; and availability, so that the resources are available to authorized agents when they are needed.

Today security is a very important concern for any company or organization that handles critical information. For that reason we decided to conduct our research in this field: every day more people are engaged in stealing information, either to leak it or to sell it to the competition.

With this research we hope that every reader will be able to prevent certain attacks that impair integrity and cause the loss of useful information, whether personal or the company's own.


METHODOLOGY

Our methodology was essentially a broad search for information in books, magazines and various websites, from which we obtained the material of greatest importance for this work.

CHAPTER 1. WEB SECURITY

1.1. WHAT IS WEB SECURITY?

The Internet and its associated elements are agile mechanisms that provide a wide range of possibilities for communication, interaction and entertainment, such as multimedia, forums, chat, mail, communities, virtual libraries and others that are accessible to all audiences. However, these elements must include mechanisms that protect against, and reduce, the security risks that are hosted on and distributed through those same Internet services.

Security must set standards that minimise the risks to the information or infrastructure of any organization. These standards cover hours of operation, restrictions on certain locations, user profiles, authorizations, denials, emergency planning, protocols and everything else that a good level of security requires, while minimising the impact on the performance of employees and of the organization in general; they apply equally to the programs written by the organization's own programmers.

Security is designed to protect assets, which include the following:

• Computing infrastructure: a fundamental part of the storage and management of information, and of the functioning of the organization itself. The role of computer security here is to ensure that the equipment works properly and to plan for failures, theft, fire, sabotage, natural disasters, power supply failures and any other factor that threatens the infrastructure.

• Users: the people who use the technological structure, the communications area and the management of information. The system must be protected in such a way that their use of it cannot call the security of the information into question, nor leave the information handled or stored vulnerable.

• Information: the main asset. It resides in the computing infrastructure and is used by the users.

Usually security deals exclusively with guaranteeing the rights of access to data and resources through control tools and identification mechanisms. These mechanisms allow us to verify that operators have only the permissions they were given.

Illustration 1: the security and filtering service allows organizations to protect themselves from threats.

1.2 GENERAL CONCEPTS OF SECURITY.

Privacy: the information can be known only to authorized individuals.

Integrity: the assurance that the information has not been altered, deleted, reformatted, copied, etc., during transmission or on the originating computer itself.

Availability: the information can be retrieved, or is available, at the moment it is needed.

Information security: the actions aimed at establishing guidelines to achieve confidentiality, integrity and availability of information, and continuity of operations after an event that interrupts them.

Asset: a resource that the company owns and that has value; it can be tangible (server, desktop, communications equipment) or intangible (information, policies, standards, procedures).

Vulnerability: exposure to risk; a bug or security hole detected in a program or computer system.

Threat: any possible situation or event with the potential to cause damage that may arise in a system.

Risk: a potential event which, if it occurs, can negatively affect the security, cost, schedule or scope of a business process or project.

E-mail: a network service that allows users to send and receive messages containing text, images, video, audio, programs, etc. through electronic communication systems.

Illustration 2: it is important to note that attacks exist against different types of browser.

1.3. TECHNIQUES TO SECURE THE SYSTEM.

The most important asset you have is information, so there must be techniques that secure it beyond the physical security of the equipment on which it is stored. These techniques provide logical security, which involves applying barriers and procedures that protect access to the data and allow only authorized persons to reach it.

Each type of attack and each system requires one or more means of protection (in most cases a combination of several of them).

The following is a series of measures considered basic for securing a typical system; extraordinary measures are required for specific needs and greater depth:

• Use development techniques that meet security criteria for all software deployed on the systems, starting from standards and from personnel sufficiently trained in, and aware of, security.

• Implement physical security measures: fire suppression systems, surveillance of data processing centres, protection against flooding, electrical protection against power outages and surges, access control, etc.

• Encrypt information (cryptology, cryptography, cryptoscience). This should be done on every path along which the information to be protected travels, not only on the most vulnerable ones. For example, if highly confidential data is protected by two levels of firewall, is encrypted all the way between clients and servers and between the servers themselves, and certificates are used, but print jobs are sent unencrypted to the network printer, there is still a point of vulnerability.

• Passwords that are hard to discover: for example, not deducible from the individual's personal data or by comparison with a dictionary, and changed with sufficient frequency. Passwords must also be complex enough that an attacker cannot deduce them with automated tools. Digital certificates improve security over the simple use of passwords.

• Network surveillance. Networks carry the information, so besides being the usual route of entry for attackers they are also good places to obtain information without having to reach the original sources. Not only files travel over the network; so do email, telephone conversations (VoIP), instant messaging, web browsing, database reads and writes, etc. Protecting the network is therefore one of the main tasks in preventing data theft. Measures range from the physical security of the entry points to control of the connected equipment, for example with 802.1X. In wireless networks the risk of a security breach is greater and additional measures should be taken.

• Network perimeter security, or a DMZ, can enforce strong access rules between users and non-public servers and the published equipment. In this way the weaker rules only allow access to certain machines and never to the data, which sits behind two levels of security.

• Deterrent or protective technologies: firewalls, intrusion detection systems, anti-spyware, antivirus, software protection keys, etc.

• Keep information systems up to date with the patches that most affect security.

• Backup copies, and even a remote backup system, that keep the information in two locations asynchronously.

• Control access to information through centralized, maintained permissions (Active Directory, LDAP, access control lists, etc.). The means to achieve this are:

  • Restrict access (by people inside and outside the organization) to programs and files.

  • Ensure that operators can work but cannot modify programs or files that do not belong to them (without supervision).

  • Ensure that the correct data, files and programs are used in, and by, the chosen procedure.

  • Ensure that the information transmitted is the same that the recipient receives, that it reaches the intended recipient and no one else, and that alternative emergency transmission paths exist between the different points.

  • Place each employee in the computing hierarchy with different keys and well-established permissions in each and every system or application used.

  • Change the passwords for access to the computer systems constantly, as noted above, even using a program that helps users manage the large number of passwords they have to handle in today's environments, commonly known as an identity manager.

• Redundancy and decentralization.


Illustration 3: there are different techniques for securing the system, such as those mentioned above.

1.4. SECURITY TIPS.

• Child pornography: avoid hosting, publishing or transmitting information, messages, graphics, drawings, sound files, images, photographs, recordings or software that directly or indirectly involve sexual activity with minors, in accordance with international or national legislation, such as Act 679 of 2001 and Decree 1524 of 2002, whatever clarifies, modifies or adds to them, and all laws prohibiting it.

• Control of viruses and malicious code: always have an up-to-date antivirus on your computer(s) and run it periodically; likewise have pop-up blockers and anti-spyware on your computer.

• Avoid visiting untrusted sites or installing software of dubious origin.

• Most peer-to-peer applications contain spyware that is installed without you realizing it. Make sure that updates are applied to operating systems and web browsers on a regular basis.

• If your programs, or the work you do on your computer, do not require Java, ActiveX, multimedia autoplay or auto-running programs, disable them. If they are required, obtain and configure a personal firewall; this will reduce the exposure.

Email:

• Do not post your email address on untrusted sites.

• Do not lend your email account to others, since any action taken with it is your responsibility.

• Do not send confidential or personal information by email.

• If you receive a message with a warning about your bank account, do not answer it.

• Never respond to an HTML email with embedded forms.

• If you have entered your password on an untrusted site, change it immediately, for your own safety and in compliance with the duty of care you have as its holder.

Spam control:

• Never click on links inside an email even if they seem legitimate. Type the URL of the site directly into a new browser window.

• For sites that claim to be secure, check their SSL certificate.

• Do not forward email chains; this avoids congestion on networks and mail servers, as well as theft of the addresses contained in the headers.

Control of social engineering:

• Do not disclose confidential information about yourself or about the people around you.

• Do not talk to strangers about work or personal matters that could compromise information.

• Use the proper communication channels to disseminate information.

Control of phishing:

• If you receive an email, call or text message with a warning about your bank account, do not answer it.

• For sites that claim to be secure, check their SSL certificate.

• Confirm with the entity that provides you the service whether the message you received by mail is genuine.

Theft of passwords:

• Change your passwords frequently, at least every 30 days.

• Use strong passwords: easy to remember and hard to guess.

• Avoid very short passwords; a length of at least 10 characters, combining numbers and special characters, is recommended.

• Do not send passwords by email or by any other means that is not encrypted.


Illustration 4: to keep our information from being threatened, avoid insecure pages.


CHAPTER 2. ATTACKS AND VULNERABILITIES.

2.1 COMPUTER ATTACK

A computer attack is a method by which an individual, using a computer system, tries to take control of, destabilize or damage another computer system (a computer, a private network, etc.).

There are various types of cyber-attack. Some are:

• Denial of service attack, also called DoS (Denial of Service): an attack on a computer system or network that makes a service or resource inaccessible to legitimate users, normally by causing loss of network connectivity through consumption of the victim network's bandwidth or by overloading the resources of the victim's system.

• Man in the middle, sometimes abbreviated MitM: a situation in which an attacker monitors (usually with a packet sniffer) a communication between two parties and falsifies the exchanges in order to impersonate one of them.

• Replay attack: a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. It is carried out by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack.

• Zero-day attack: an attack on a computer that exploits certain vulnerabilities or security holes in a program before they are publicly known or, once the existence of the vulnerability has been published, before the patch that fixes it is released.

• Brute force attack: not necessarily a procedure that must be performed by a computer, although doing so saves time, energy and effort. A brute force attack tries to recover a key by testing all possible combinations until it finds the one sought, which grants access to the system, program or file under study.
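
The replay attack described above, as an added example that is not part of the original article: a receiver that checks only an HMAC tag accepts a sniffed, valid message a second time, while a receiver that also demands a fresh timestamp and an unused nonce rejects the replay. The shared key, the message format and the "captured" request are assumptions constructed for this example.

```python
"""Added example (not part of the original article): a replay of a message
protected only by an HMAC succeeds, while a receiver that also demands a
fresh timestamp and an unused nonce rejects it.  The shared key, the message
format and the 'captured' request are assumptions made for this example."""
import hashlib
import hmac
import json
import secrets

KEY = b"shared-secret-for-the-example"  # assumption: key agreed out of band


def sign(payload: dict, key: bytes = KEY) -> dict:
    """Sender: serialize deterministically and attach an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload,
            "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def tag_is_valid(msg: dict, key: bytes = KEY) -> bool:
    """Constant-time check that the tag matches the payload."""
    body = json.dumps(msg["payload"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])


class NaiveReceiver:
    """Verifies only authenticity: a sniffed, valid message is accepted
    as many times as it is resent.  This is the replay attack."""

    def accept(self, msg: dict, now: int) -> bool:
        return tag_is_valid(msg)


class ReplaySafeReceiver:
    """Authenticity plus freshness: the timestamp must lie within a window
    and the nonce must never have been accepted before.  Both fields are
    inside the signed payload, so the attacker cannot alter them."""

    def __init__(self, window_seconds: int = 30):
        self.window = window_seconds
        self.seen = set()  # accepted nonces; in practice expire them with the window

    def accept(self, msg: dict, now: int) -> bool:
        if not tag_is_valid(msg):
            return False  # forged or tampered
        p = msg["payload"]
        if abs(now - p["ts"]) > self.window:
            return False  # stale (or future-dated) message
        if p["nonce"] in self.seen:
            return False  # exact message already processed: replay
        self.seen.add(p["nonce"])
        return True


def make_transfer(amount: int, now: int) -> dict:
    """Client builds a signed request carrying a timestamp and a random nonce."""
    return sign({"action": "transfer", "amount": amount,
                 "ts": now, "nonce": secrets.token_hex(8)})


def tampered(msg: dict) -> dict:
    """Attacker changes the amount but cannot recompute the tag."""
    copy = {"payload": dict(msg["payload"]), "tag": msg["tag"]}
    copy["payload"]["amount"] = 10_000
    return copy


def demo() -> dict:
    """Run the attack against both receivers; returns each verdict."""
    now = 1_700_000_000
    captured = make_transfer(100, now)  # constructed: request sniffed in transit
    naive, safe = NaiveReceiver(), ReplaySafeReceiver()
    return {
        "naive_first": naive.accept(captured, now),
        "naive_replay": naive.accept(captured, now + 5),   # True: attack works
        "safe_first": safe.accept(captured, now),
        "safe_replay": safe.accept(captured, now + 5),     # False: nonce seen
        "safe_stale": safe.accept(make_transfer(100, now), now + 120),  # False
        "safe_tampered": safe.accept(tampered(captured), now + 5),     # False
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {'accepted' if verdict else 'rejected'}")
```

The HMAC alone proves who built the message, not when it was built or whether it has already been acted on; the nonce cache is what turns "valid" into "valid once". The timestamp window bounds how long the receiver must remember nonces.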


2.2. SOCIAL ENGINEERING.

Social engineering is the practice of obtaining confidential information through the manipulation of legitimate users. It is a technique that can be used by certain people, such as private investigators, criminals or computer criminals, to obtain information, access or privileges in information systems that allow them to carry out some act that harms the person or organization concerned, or exposes them to risk or abuse.

The principle underpinning social engineering is that in any system "users are the weak link". In practice a social engineer will commonly use the telephone or the Internet to mislead people, pretending to be, for example, an employee of a bank or some other company, a co-worker, a technician or a customer. Over the Internet or the web they also send fake requests to renew access permissions to websites, or fake memos asking for a reply, and even the famous chain letters, thereby leading people to reveal sensitive information or to violate the usual security policies. With this method social engineers exploit people's natural tendency to react predictably in certain situations, for example giving financial details to an apparent bank official, rather than having to find security holes in computer systems.

Perhaps the simplest, yet very effective, attack is to mislead a user into thinking that a system administrator is requesting a password for some legitimate purpose. Users of Internet systems frequently receive messages requesting passwords or credit card information in order to "create an account", "reset the configuration" or some other benign-sounding operation; this kind of attack is called phishing (pronounced like "fishing"). Users of these systems should be warned early and often not to disclose passwords or other sensitive information to people who claim to be administrators. In fact, system administrators rarely (if ever) need to know users' passwords to carry out their tasks. However, even this type of attack may not be necessary: in a survey carried out by the company Boixnet, 90% of the office workers at Waterloo Station in London revealed their passwords in exchange for a cheap pen.

Another contemporary example of a social engineering attack is the use of email attachments offering, for example, "intimate" photos of some famous person or a "free" program (often apparently sent by some well-known person), which instead run malicious code (for example, to use the victim's machine to send massive amounts of spam). After the first malicious emails led software vendors to disable the automatic execution of attachments, users must explicitly open these files for the malicious action to occur. Many users, however, open almost any attachment they receive blindly, thus making the attack succeed.

Social engineering also applies to face-to-face manipulation to gain access to computer systems. Another example is using knowledge about the victim, trying typical, logical or common passwords, or passwords drawn from the victim's past and present, answering the question: what password would I choose if I were the victim?

The main defense against social engineering is to educate and train users in the security policies and to ensure that they are followed.

One of the most famous recent social engineers is Kevin Mitnick. In his opinion, social engineering is based on these four principles:

1. We all want to help.

2. The first move is always to trust the other person.

3. We do not like to say no.

4. We all like to be praised.

2.3. SQL INJECTION

SQL injection is a code-infiltration method that exploits a vulnerability in the way an application validates the inputs it uses to query a database.

The vulnerability originates in incorrect checking or filtering of the variables used in a program that contains, or generates, SQL code. It is in fact an instance of a more general class of vulnerability that can occur in any programming or scripting language that is embedded inside another.

The term SQL injection is used indiscriminately for the type of vulnerability, for the infiltration method, for the act of embedding SQL exploit code and for the embedded code itself.

SQL injection is said to exist, or to have occurred, when invasive SQL code is somehow inserted, or "injected", into the intended SQL code, altering the normal operation of the program and causing the embedded "invasive" portion to run in the database.

This kind of intrusion is usually harmful or malicious, or used for spying, so it is a computer security problem that the application programmer must take into account in order to prevent it. A program written with carelessness, indifference or ignorance of the problem may turn out to be vulnerable, and the security of the system (the database) may eventually be compromised.

The intrusion occurs during execution of the vulnerable program, whether on desktop computers or on websites; in the latter case it obviously runs on the server that hosts them.

The vulnerability can arise when a program carelessly "assembles" an SQL statement at runtime, or during development, when the programmer writes the SQL statement to be executed in an unprotected form. In either case, whenever the programmer needs to use parameters entered by the user to query a database, it is precisely inside those parameters that the intruder's SQL code can be placed.

When the query is executed on the database the injected SQL code runs too, and could do a number of things, such as inserting records, modifying or deleting data, granting access and even running other kinds of malicious code on the machine.

For example, assume that the following code resides in a web application and that a parameter "username" holds the name of the user to look up; an SQL injection could then proceed as follows.

The original, and most vulnerable, SQL code is:

Query := "SELECT * FROM MyTable WHERE name = '" + username + "';"
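
What that injection does in practice, as an added example that is not code from the original article: the vulnerable concatenation above is run against a small in-memory SQLite table, beside the parameterized query that fixes it. The table contents and the payloads are constructed for the example.

```python
"""Added example (not code from the original article): the vulnerable
query from the text, run against an in-memory SQLite database, beside its
parameterized fix.  The table contents and the payloads are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: the article's MyTable with a few accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyTable (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO MyTable VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("admin", "administrator")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The article's pattern: the user-supplied value is pasted into the
    statement text, so a quote inside it ends the string literal and
    whatever follows is parsed as SQL."""
    query = "SELECT * FROM MyTable WHERE name = '" + username + "';"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a parameterized query.  The statement is compiled first and
    the value is bound afterwards, so it can never change the query's
    structure, whatever characters it contains."""
    return conn.execute(
        "SELECT * FROM MyTable WHERE name = ?;", (username,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # "alice" is a normal lookup; the other two are classic injection payloads:
    # a tautology that matches every row, and a comment that truncates the query.
    for payload in ["alice", "x' OR '1'='1", "admin'--"]:
        print(repr(payload))
        print("  vulnerable:", lookup_vulnerable(conn, payload))
        print("  safe:      ", lookup_safe(conn, payload))
```

With the tautology payload the vulnerable function returns every row, and with `admin'--` it returns the administrator's row without knowing anything about that account; the parameterized version returns nothing for either, because it is looking for a user literally named `x' OR '1'='1`.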


Illustration 5: the SQL injection process.

2.4 SPOOFING.

Spoofing, in network security terms, refers to identity impersonation techniques, usually with malicious or research purposes.

Spoofing attacks can be classified by the technology used. Among them are IP spoofing (perhaps the best known), ARP spoofing, DNS spoofing, web spoofing and email spoofing, although in general spoofing can occur in any network technology susceptible to identity impersonation.


Illustration 6: through the IP address we can attack our victim.

IP Spoofing

IP spoofing basically consists of replacing the source IP address of a TCP/IP packet with another IP address that the attacker wants to impersonate. This is usually achieved with programs designed for the purpose and can be used with any protocol within TCP/IP, such as ICMP, UDP or TCP. Bear in mind that the responses of the host that receives the altered packets will be directed to the forged IP. For example, if we send a spoofed ping (an "echo request" packet), the reply will be received by the host that legitimately owns that IP. This type of spoofing, combined with sending ICMP echo requests to the broadcast addresses of different networks, is used in a flooding attack known as the Smurf attack. To spoof an IP within a TCP session, the behaviour of the protocol must be taken into account, with its exchange of SYN and ACK packets and their specific sequence numbers, as must the fact that the real owner of the IP could (unless prevented somehow) tear down the connection at any moment on receiving packets it never requested. Note also that routers that apply ingress filtering (BCP 38) drop packets whose source IP does not belong to one of the networks behind them, so spoofed packets will not get past such a router.


ARP Spoofing

Impersonation by forging ARP frames: constructing modified ARP request and reply frames in order to corrupt the ARP table (the IP-to-MAC list) of a victim and force it to send packets to the attacker's host instead of their legitimate destination.

The Ethernet protocol works with MAC addresses, not IP addresses. ARP is the protocol responsible for translating IP addresses into MAC addresses so that communication can be established. When a host wants to communicate with an IP, it broadcasts an ARP request frame to the broadcast address asking for the MAC of the host that holds the IP it wants to reach. The computer with the requested IP responds with an ARP reply indicating its MAC. Routers and hosts keep a local table of IP-to-MAC mappings called the ARP table. An attacker can corrupt this table by sending ARP reply frames that associate its own MAC with a specific IP, for example that of a router; in this way the traffic intended for the router passes through the attacker's computer, which can inspect it and forward it on if it wishes. ARP operates at the data link layer of the OSI model, so this technique can only be used on a LAN or, in any case, on the part of the network before the first router. One way to protect against it is to use static ARP tables (provided the network's IPs are fixed), which can be difficult in large networks.

Other protections include programs that detect changes in the ARP table (such as Arpwatch) and using the switches' port security to prevent changes in MAC addresses.
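
The change detection mentioned above, as an added example that is neither part of the original article nor Arpwatch's own code: a constructed sequence of ARP replies from one LAN is replayed through a detector that raises the same kinds of event Arpwatch reports (new station, changed, flip flop) plus a check for one MAC answering for several IPs. The IPs, MACs and timings are made up.

```python
"""Added example (not part of the original article, and not Arpwatch's
own code): the ARP-table change detection the text describes, run over a
constructed sequence of ARP replies.  IPs, MACs and timings are made up."""
from collections import defaultdict

# Constructed capture: (seconds, sender IP, sender MAC) taken from ARP
# replies seen on one LAN.  10.0.0.1 is the gateway, aa:...:01 its real NIC.
ARP_REPLIES = [
    (0,  "10.0.0.1",  "aa:aa:aa:aa:aa:01"),
    (1,  "10.0.0.20", "bb:bb:bb:bb:bb:20"),
    (2,  "10.0.0.21", "bb:bb:bb:bb:bb:21"),
    (30, "10.0.0.1",  "aa:aa:aa:aa:aa:01"),
    (61, "10.0.0.1",  "cc:cc:cc:cc:cc:99"),  # attacker answers for the gateway
    (62, "10.0.0.20", "cc:cc:cc:cc:cc:99"),  # ...and for a victim: both directions
    (90, "10.0.0.1",  "aa:aa:aa:aa:aa:01"),  # real gateway answers: flip flop
]


def detect_arp_anomalies(replies):
    """Arpwatch-style events: 'new station' (first binding for an IP),
    'changed' (IP moves to a MAC never seen for it), 'flip flop' (IP
    returns to an earlier MAC) and 'multiple ips' (one MAC answering for
    several IPs, the signature of a host impersonating its neighbours)."""
    table = {}                     # ip -> current MAC (the learned ARP table)
    baseline = {}                  # ip -> first MAC ever seen for it
    ips_by_mac = defaultdict(set)  # mac -> IPs it has claimed
    alerts = []
    for t, ip, mac in replies:
        prev = table.get(ip)
        if prev is None:
            baseline[ip] = mac
            alerts.append((t, "new station", ip, mac))
        elif prev != mac:
            kind = "flip flop" if mac == baseline[ip] else "changed"
            alerts.append((t, kind, ip, f"{prev} -> {mac}"))
        table[ip] = mac
        ips_by_mac[mac].add(ip)
        # A router doing proxy ARP legitimately trips this; allowlist such MACs.
        if len(ips_by_mac[mac]) > 1:
            alerts.append((t, "multiple ips", mac, sorted(ips_by_mac[mac])))
    return alerts


def spoof_suspects(replies):
    """MACs that took over an IP bound to someone else, or that claim several
    IPs.  The MAC an IP flips back to is its original owner, not a suspect."""
    suspects = set()
    for _, kind, key, detail in detect_arp_anomalies(replies):
        if kind == "changed":
            suspects.add(detail.split(" -> ")[1])
        elif kind == "multiple ips":
            suspects.add(key)
    return suspects


if __name__ == "__main__":
    for alert in detect_arp_anomalies(ARP_REPLIES):
        print(alert)
    print("suspects:", spoof_suspects(ARP_REPLIES))
```

A legitimate NIC replacement produces a single "changed" event and then silence; the alternation between the real and the forged MAC (the "flip flop") is what distinguishes an active spoofer from a hardware swap, and the attacker's MAC is the only one that ends up claiming two IPs.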

DNS Spoofing

Impersonation by domain name: corrupting the "domain name to IP" relationship in response to a name resolution query, i.e., resolving a DNS name to a false IP address, or vice versa. This can be achieved by falsifying the entries in a DNS server's name-to-IP mapping, through some vulnerability in the server itself or through its trust in unreliable servers. Falsified entries in one DNS server can in turn infect (poison) the cache of another DNS server (DNS cache poisoning).

Web Spoofing

Impersonation of a real web page (not to be confused with phishing). It routes the victim's connection through a fake page on the way to other websites in order to gather information from the victim (pages viewed, form data, passwords, etc.). The fake web page acts as a proxy, requesting the information the victim asks for from each original server, and it gets around SSL protection, since the victim's encrypted session terminates at the attacker's proxy rather than at the real site. The attacker can modify any information travelling to or from any server the victim visits. The victim can reach the fake website through any kind of deception, even by opening a simple link. Web spoofing is hard to detect; perhaps the best measure is a browser plugin that shows the IP of the server being visited at all times: if the IP never changes as you visit different web pages, we are probably suffering this type of attack. The attack is carried out by implementing code that steals our information; "ghost" pages into which this code is injected are usually created to obtain the victims' information.

E-mail Spoofing

Forging the email address of another person or entity. This technique is regularly used to send hoax messages and as a perfect complement to phishing and spam; it is as simple as using an SMTP server configured for the purpose. To protect yourself, check the IP of the sender (to find out whether that IP actually belongs to the organization named in the message) and the address of the SMTP server used.
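
The sender check recommended above, as an added example that is not part of the original article: two constructed messages are parsed and the IP recorded by our own mail exchanger is compared against the addresses authorized to send for the domain in the From header. The domains, IPs and the authorized-sender table are made up; in practice that table is what a domain publishes in DNS as its SPF record.

```python
"""Added example (not part of the original article): the check the text
recommends, i.e. whether the SMTP server that handed us the message belongs
to the organization named in the From address, applied to two constructed
messages.  Domains, IPs and the authorized-sender table are made up; in
practice that table is what a domain publishes in DNS as its SPF record."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: IPs allowed to send mail on behalf of each domain.
AUTHORIZED_SENDERS = {
    "bank.example": {"203.0.113.5", "203.0.113.6"},
}

# Constructed messages.  Our own MX (mx.ourcompany.example) writes the
# topmost Received header, so it is the only one we can trust: it records
# the IP that actually connected to us.  Everything below it, including
# the HELO name and any earlier Received lines, was written by the sender.
LEGIT_MAIL = """\
Received: from mail.bank.example (mail.bank.example [203.0.113.5])
\tby mx.ourcompany.example with ESMTPS; Tue, 18 Feb 2014 10:00:00 +0000
From: "Customer Service" <service@bank.example>
To: victim@ourcompany.example
Subject: Your statement is ready

Your February statement is available.
"""

SPOOFED_MAIL = """\
Received: from mail.bank.example (unknown [198.51.100.77])
\tby mx.ourcompany.example with ESMTP; Tue, 18 Feb 2014 10:05:00 +0000
Received: from mail.bank.example ([203.0.113.5]) by mail.bank.example
From: "Customer Service" <service@bank.example>
To: victim@ourcompany.example
Subject: Urgent: verify your account

Click here to verify your account.
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_domain(msg) -> str:
    """Domain of the (attacker-controlled) From header."""
    _, addr = parseaddr(msg["From"])
    return addr.rsplit("@", 1)[-1].lower()


def connecting_ip(msg) -> str:
    """IP recorded by our MX in the topmost Received header."""
    top = msg.get_all("Received")[0]
    m = IP_IN_BRACKETS.search(top)
    return m.group(1) if m else ""


def check_sender(raw: str, authorized=AUTHORIZED_SENDERS) -> dict:
    """Pass only if the connecting IP is authorized for the From domain.
    The forged inner Received line in SPOOFED_MAIL carries the bank's real
    IP; a check that trusted anything but the topmost header would be fooled."""
    msg = message_from_string(raw)
    domain, ip = sender_domain(msg), connecting_ip(msg)
    verdict = "pass" if ip in authorized.get(domain, set()) else "fail"
    return {"domain": domain, "ip": ip, "verdict": verdict}


if __name__ == "__main__":
    print(check_sender(LEGIT_MAIL))
    print(check_sender(SPOOFED_MAIL))
```

The HELO name ("mail.bank.example" in both messages) and the From address cost the attacker nothing to forge; the connecting IP is the one fact the receiving server observed for itself, which is why the check keys on it.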

GPS Spoofing

A GPS spoofing attack attempts to deceive a GPS receiver by transmitting a signal slightly more powerful than the one received from the GPS satellites, structured to resemble a normal set of GPS signals. These signals are modified so that the receiver computes a position different from the real one, specifically the position chosen by the attacker's signal. Because GPS works by measuring the time a signal takes to travel from satellite to receiver, a successful spoof requires the attacker to know precisely where the target is, so that the false signal can be built with the appropriate delays.

A GPS spoofing attack begins by transmitting a slightly more powerful signal that reports the correct position, and then slowly drifts towards the position the attacker wants; if this is done too quickly the attacked receiver loses lock on the signal, at which point the spoofing attack would only work as a jamming attack.


RESULTS

At the conclusion of our research we gathered the information and knowledge needed for anyone who surfs the web to be aware of the dangers that exist online. We also provided a set of instructions so that your personal information is not used for profit, together with recommendations for surfing the web.
