Running head: SERVER SOFTWARE VULNERABILITIES

Server software vulnerabilities
Manohar Reddy Konudula
Submitted to Dr. Blakemore Douglas
MISI-605 Intelligence Vulnerability
03/03/2015
Ferris State University


THESIS STATEMENT

This paper discusses web server vulnerabilities, database server vulnerabilities and server application vulnerabilities, the techniques used to exploit them, and the tools used to protect against those exploits.

INTRODUCTION

The software vulnerabilities of the components in a network or system determine its security level. Understanding the vulnerabilities in an application is a prerequisite for proposing any design strategy for defending against large-scale attacks; in particular, one has to understand how vulnerabilities are exploited and remediated and how information about them is distributed. HTTP is a generic, stateless application-level protocol that can be used for many tasks. Beyond hypertext, HTTP is also used for name servers and distributed object management systems through extensions of its request methods, error codes and headers (Singh, Singh & Joseph, 2008). Because HTTP is so widely deployed and offers such a rich set of features, it is an attractive target for motivated attackers, as the large number of vulnerabilities and exploits in web servers, browsers and applications demonstrates.

BODY

WEB SERVER

According to Graves, web servers and web applications have a very high potential to be compromised. The primary reason is that the systems running web server software must be publicly reachable on the Internet. A web server cannot be completely isolated and to some degree must be available to legitimate users. Once a web server has been compromised, the system can provide hackers with another door into the network. Not only the web server software but also the applications that run on it are open to attack and can be exploited. Because of their function, web servers are more accessible than other systems and less protected, so they are easier to exploit.

WEB SERVER VULNERABILITIES

Web servers, like other systems, can be compromised by a hacker.
The following vulnerabilities are the ones most commonly exploited in web servers:

Misconfiguration of the Web Server Software. A common issue with Microsoft's Internet Information Server (IIS) is the use of the default website. The permissions on the default website are open, meaning the default settings leave the site exposed to attack. For example, all members of the Everyone group have Full Control over every file in the default website directory, and the default anonymous web user, IUSR_COMPUTERNAME, is itself a member of the Everyone group (Graves, 2010). Consequently, anyone who reaches the default website can access every file in the default website folder with dangerous permissions such as Execute and Full Control. It is critical to edit and restrict these permissions as soon as IIS is installed.

Operating System or Application Bugs, or Flaws in Programming Code. All programs, including the OS and web server applications, should be patched or updated regularly. For Windows systems this includes security patches, hotfixes and Windows Updates. These patches can be applied automatically or manually once they have been tested (Graves, 2010).
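The misconfiguration item above is something a practitioner checks rather than reads about. The following is an added example, not part of the paper and not Microsoft's tooling: it parses the kind of output `icacls` prints for a web root and flags any "broad" principal (Everyone, Users, the anonymous IUSR account and similar) that holds a write-class right there. The sample ACL text, the host name WEBSRV01 and its legacy IUSR_WEBSRV01 account are constructed for the example. Read-and-execute (RX) is what the anonymous account legitimately needs to serve static content; what must never appear is a right that lets an anonymous visitor change content, because that is how a web shell gets dropped.

```python
import re

# Constructed icacls-style output for an IIS web root (not from the paper).
# WEBSRV01 is a hypothetical host; IUSR_WEBSRV01 is its legacy anonymous web account.
SAMPLE_ICACLS = r"""
C:\inetpub\wwwroot Everyone:(OI)(CI)(F)
                   WEBSRV01\IUSR_WEBSRV01:(OI)(CI)(RX)
                   BUILTIN\Users:(OI)(CI)(RX)
                   BUILTIN\Administrators:(OI)(CI)(F)
                   NT AUTHORITY\SYSTEM:(OI)(CI)(F)
C:\inetpub\wwwroot\uploads Everyone:(OI)(CI)(RX,WD,AD)
                   BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 2 files; Failed processing 0 files
"""

# One ACE per line: an optional path, the principal, then inheritance and
# rights flags in parentheses. Continuation lines for the same path omit the path.
ACE_RE = re.compile(
    r"^(?:(?P<path>[A-Za-z]:\\\S*)\s+)?(?P<who>[^:]+?):(?P<flags>(?:\([^)]*\))+)\s*$"
)

# Principals that every visitor of the site effectively is.
BROAD_PRINCIPALS = {"everyone", "users", "authenticated users", "guests",
                    "anonymous logon", "iis_iusrs"}

# icacls rights that allow changing content: full/modify/write plus the granular
# write and delete flags. RX (read and execute) is what static content needs.
WRITE_CLASS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO", "GA", "GW"}


def is_broad(principal: str) -> bool:
    """True for Everyone/Users-style groups and any IUSR* anonymous web account."""
    name = principal.split("\\")[-1].lower()
    return name in BROAD_PRINCIPALS or name.startswith("iusr")


def parse_icacls(text: str):
    """Return a list of (path, principal, set_of_flags), one entry per ACE line."""
    aces, path = [], None
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue                      # summary line, blank line, etc.
        if m["path"]:
            path = m["path"]              # continuation lines reuse the last path
        if path is None:
            continue
        flags = {f for grp in re.findall(r"\(([^)]*)\)", m["flags"]) for f in grp.split(",")}
        aces.append((path, m["who"].strip(), flags))
    return aces


def audit_web_root(text: str = SAMPLE_ICACLS):
    """Return (path, principal, offending_rights) for broad principals that can write."""
    findings = []
    for path, who, flags in parse_icacls(text):
        bad = sorted(flags & WRITE_CLASS)
        if is_broad(who) and bad:
            findings.append((path, who, bad))
    return findings


if __name__ == "__main__":
    for path, who, bad in audit_web_root():
        print(f"{path}: {who} holds {','.join(bad)}")
```

On a real host the input comes from `icacls C:\inetpub\wwwroot /T`, and the remediation for a finding is to remove the grant (for example `icacls C:\inetpub\wwwroot /remove:g Everyone`) and re-run the audit. The list of write-class flags is an assumption made for the example; extend it if your environment uses rights not listed here.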

Vulnerable Default Installation. Operating system and web server software settings should not be left at their defaults after installation and should be reviewed and updated continuously (Graves, 2010).

Hackers exploit these vulnerabilities to gain access to the web server. Because web servers are usually placed in a demilitarized zone (DMZ), a publicly accessible area between two packet-filtering devices that is easily reached both from the Internet and from the organization's client systems, exploiting a web server gives a hacker easier access to internal systems or databases.

List of Web Server Hacks:

Anthem Web Server Hack

The data breach at Anthem, the second-biggest health insurer in the U.S., which exposed the personally identifiable information of millions of people, was presumably not a smash-and-grab attack but rather a managed, low-key siphoning of data over a period of months (Paganini, 2015). The intrusion was designed to stay below the radar of the organization's IT and security teams, using a bot infection to carry information out of the company. According to Anthem, the first sign of the attack came the previous week, when an IT administrator noticed that a database query was being run under his identifier when he had not initiated it (Paganini, 2015). The organization concluded that an attack had occurred, informed the FBI and hired an external security firm to investigate. Security researchers reported that customized malware was used to penetrate Anthem's systems and take control of data. The exact malware was not disclosed but is reported to be a variant of a known family of hacking tools. The researchers' findings suggest the attack may have started up to three months earlier: the consultancy said it had noticed botnet-type activity at Anthem affiliate companies back in November 2014. This would not be surprising, as long-term bot activity is common in organizations.
Check Point's 2014 Security Report, based on monitored events from more than 10,000 organizations worldwide, found that at least one bot was detected in 73% of organizations, up from 63% the prior year; 77% of bots were active for more than four weeks, and they typically communicated with their command-and-control servers every three minutes (Paganini, 2015). Bots are able to evade detection because their developers use obfuscation tools that let them bypass conventional signature-based anti-malware. Threat emulation, also known as sandboxing, should therefore be used as an additional layer of protection to stop bots before they can infect systems (Paganini, 2015). Anti-bot solutions should also be deployed to help discover bots and prevent further breaches by blocking their communications. It is also critical that organizations segment their networks, separating each segment with layers of security so that bot infections cannot spread freely. Segmentation can contain an infection in one part of the network, reducing the risk of it reaching and exfiltrating sensitive data in other segments (Paganini, 2015). With these three preventive measures, organizations can significantly reduce their exposure to the kind of slow, stealthy bot attack that appears to have struck Anthem and avoid becoming the victim of such a large-scale breach.
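The three-minute check-in figure above is the detail a defender can act on: a bot that phones home on a fixed schedule produces connection intervals far more regular than any human browsing. The following is an added example, not from the paper or from Check Point, that runs that test over a constructed set of outbound-connection log lines (the log format, the hosts 10.20.5.17 and 10.20.5.31, and the two destinations are all invented for the example). A source/destination pair is flagged when it has enough connections and the coefficient of variation of the gaps between them is small.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of outbound-connection log lines (not from the paper).
# Format assumed: "<ISO-8601 UTC time> <src ip> -> <dst ip>:<port> bytes=<n>".
# 10.20.5.17 checks in with 203.0.113.45 roughly every 180 s; 10.20.5.31 browses.
SAMPLE_LOG = """\
2014-11-03T09:00:00Z 10.20.5.17 -> 203.0.113.45:443 bytes=612
2014-11-03T09:00:09Z 10.20.5.31 -> 198.51.100.7:443 bytes=48211
2014-11-03T09:00:21Z 10.20.5.31 -> 198.51.100.7:443 bytes=9034
2014-11-03T09:03:01Z 10.20.5.17 -> 203.0.113.45:443 bytes=598
2014-11-03T09:05:21Z 10.20.5.31 -> 198.51.100.7:443 bytes=77120
2014-11-03T09:05:59Z 10.20.5.17 -> 203.0.113.45:443 bytes=603
2014-11-03T09:06:08Z 10.20.5.31 -> 198.51.100.7:443 bytes=1290
2014-11-03T09:09:01Z 10.20.5.17 -> 203.0.113.45:443 bytes=611
2014-11-03T09:12:00Z 10.20.5.17 -> 203.0.113.45:443 bytes=590
2014-11-03T09:14:59Z 10.20.5.17 -> 203.0.113.45:443 bytes=607
2014-11-03T09:31:08Z 10.20.5.31 -> 198.51.100.7:443 bytes=51877
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) bytes=(?P<bytes>\d+)$")


def parse_log(text: str):
    """Group connection timestamps (epoch seconds) by (src, dst) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events[(m["src"], m["dst"])].append(t.timestamp())
    return events


def find_beacons(events, min_events: int = 5, max_cv: float = 0.15):
    """Return {(src, dst): mean_period_seconds} for pairs whose connection gaps are
    regular enough to look like scheduled C2 check-ins. The thresholds are
    assumptions for the example, not values from the paper."""
    hits = {}
    for pair, times in events.items():
        if len(times) < min_events:
            continue
        times = sorted(times)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean   # relative jitter of the schedule
        if cv <= max_cv:
            hits[pair] = round(mean, 1)
    return hits


def scan(text: str = SAMPLE_LOG):
    return find_beacons(parse_log(text))


if __name__ == "__main__":
    for (src, dst), period in scan().items():
        print(f"possible beacon: {src} -> {dst} every ~{period}s")
```

Real implants add deliberate jitter and sometimes sleep for hours, so in practice the coefficient-of-variation threshold is tuned per environment and the check is combined with destination reputation and byte-count uniformity (beacons also tend to send nearly identical payload sizes, as the sample does).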

JP Morgan Web Server Hack

The computer breach at JPMorgan Chase in 2014, the biggest intrusion of an American bank to date, might have been thwarted if the bank had installed a simple security fix on a neglected server in its vast network (Julie, 2014). Giant corporations like JPMorgan spend millions on security every year to defend against increasingly sophisticated attacks. JPMorgan Chase paid for this kind of protection, and the organization is now focused on an internal investigation to determine whether other servers were left unprotected. The attack compromised the email addresses, home addresses and telephone numbers of more than 83 million households and businesses. Hackers stole the login credentials of one of the bank's employees and used them to reach most of that data (Julie, 2014). As the seriousness of the intrusion, which began in June but was not discovered until July, became clearer, bank officials scrambled for the second time in three months to contain the fallout and to reassure anxious customers that no money had been taken and that their financial data remained secure. JPMorgan Chase's security team had missed upgrading one of its servers to two-factor authentication. Two-factor authentication requires users to provide two means of identification, such as a physical token and a security code; security experts believe that this process could considerably reduce the incidence of identity theft, phishing and online fraud (Julie, 2014). The hackers penetrated deep into the bank's network, reaching more than 90 servers, according to people with knowledge of the investigation. As they examine the shape of the breach, law enforcement investigators remain puzzled, mostly because there is no evidence that the attackers stole any money from customer accounts.
The hackers appear to have obtained a list of the applications and programs that run on JPMorgan's computers, a roadmap of sorts, which they could cross-check against known vulnerabilities in each program and web application, looking for an entry point back into the bank's networks (Julie, 2014). Operating overseas, the hackers gained access to the names, addresses, phone numbers and email addresses of JPMorgan account holders. In its regulatory filing, JPMorgan said there was no evidence that account data, including passwords or Social Security numbers, had been taken, and no evidence of fraud involving the use of customer data. By the time the bank's security team discovered the breach in late July, the hackers had already obtained the highest level of administrative privilege on many of the bank's computer servers, according to the people with knowledge of the investigation. It is still unclear how the hackers managed to gain such deep access.

Target Web Server Hack

The late-2013 Target hack exposed up to 40 million credit and debit cards and the personal information of up to 70 million customers. Security analysts revealed that a piece of malware "nearly identical" to a 207 KB malicious program sold on the black market, with prices starting at $1,800, may have been responsible for the massive card data breach (Smith, 2014). The malware, called BlackPOS, "is a specialized piece of malware designed to be installed on point-of-sale (POS) devices and record all data from credit and debit cards swiped through the infected system." A more advanced version of BlackPOS offers encryption of the stolen data and retails for $2,300.
Although the author of BlackPOS is not known, security researchers tried to track the individual, known online as Antikiller, finding that the programmer may be based in Russia or Ukraine and have ties to other cybercrime activities, including distributed denial-of-service (DDoS) attacks and protests linked to the Anonymous collective (Smith, 2014). The malware used in the Target hack had apparently been installed on POS machines at some point before November 27, with more than 40 commercial antivirus tools unable to detect it (Smith, 2014). Interestingly, a variant referred to as "Reedum" by the security firm Symantec may have been used in earlier attacks dating back to June 2013, and was identified by the FBI as a POS malware strain, according to Google's VirusTotal malware-scanning service. Sources familiar with the investigation said the software tools used in the attack were specifically designed to avoid detection. While it is not clear how the hackers managed to load the malicious code onto the POS machines, it is known that the attackers compromised a server inside Target's network, which was then used to store the data taken from the POS devices. The hackers were logging in remotely to that control server, and evidently had persistent access to it, because they had to keep going back in and manually collecting the dumps. As for the software running on the POS devices, it is believed that Target, like other U.S. retailers, has "largely used a home-grown software called Domain Center of Excellence, which is housed on Windows XP Embedded and Windows Embedded for Point of Service (WEPOS)" (Smith, 2014).
Once installed on POS devices, such malicious programs are able to capture the magnetic-stripe data of credit and debit cards while it sits in the system's memory immediately after a card has been swiped at the POS.

Home Depot Web Server Hack

Home Depot Inc. said hackers got into its systems the previous April by stealing a password from a vendor, opening a small gap that grew into the biggest retail credit card breach on record. The company reported that the breach was worse than previously thought: in addition to the 56 million payment card accounts that were compromised, Home Depot now says around 53 million customer email addresses were stolen as well. Those addresses are by nature semi-public, but they can be used by hackers hoping to trick individuals into giving out more sensitive information, and Home Depot cautioned its customers to be wary (Banjo, 2014). The findings, which come after more than two months of investigation by the company, law-enforcement agents and several security firms, show that the home-improvement retailer fell victim to the same kind of intrusion techniques as Target Corp., where hackers gained access the year before through a Pennsylvania-based refrigeration contractor's electronic billing account. Microsoft issued a patch after the breach started, and Home Depot installed it, but the fix came too late. With such access, the hackers were able to move throughout Home Depot's systems and over to the company's point-of-sale systems as though they were Home Depot employees with high-level permissions, the people said (Banjo, 2014). The hackers then focused on 7,500 of the company's self-checkout lanes because the registers' reference names in the computer system identified them as payment terminals.
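The memory-scraping step described above for Target, and repeated on Home Depot's self-checkout terminals, comes down to pattern matching: track 2 data from a swiped card sits in the POS process's memory as a `;PAN=YYMM...?` string, and the scraper searches for exactly that. The following is an added example, not code from the paper or from any real scraper: it runs the same search over a constructed buffer standing in for a memory dump (the bytes, process name and card numbers are invented; the card numbers are published test numbers, not real accounts). A Luhn check discards digit runs that merely look like card numbers, which is what keeps the search useful when a defender runs it over a real dump to confirm whether card data was exposed.

```python
import re

# Constructed chunk of "process memory" (not a real dump). Track 2 data is the
# ;PAN=YYMM... string a mag-stripe reader hands to the POS application.
SAMPLE_MEMORY = (
    b"\x00\x00pos.exe\x00GET /status HTTP/1.1\r\n"
    b";4111111111111111=15121011000012345678?\x00\x00"
    b"order_id=1234567890123456\x00"                      # 16 digits, not a card, no track framing
    b";4012888888881881=1705201000000000000?"
    b"\xff\xfe junk ;1234567890123456=2001? more junk"    # track framing but PAN fails Luhn
)

# PAN of 13-19 digits, then '=', then expiry YYMM, service code and discretionary
# data, terminated by '?'. This is the shape every track 2 scraper looks for.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Standard Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_track2(buf: bytes):
    """Return [{'pan', 'exp', 'offset'}, ...] for every Luhn-valid track 2 hit in buf."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        hits.append({
            "pan": pan,
            "exp": f"{m.group(3).decode()}/{m.group(2).decode()}",   # MM/YY
            "offset": m.start(),
        })
    return hits


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, as a report or log line should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for hit in scrape_track2(SAMPLE_MEMORY):
        print(f"offset {hit['offset']}: {mask_pan(hit['pan'])} exp {hit['exp']}")
```

Two practical notes. The data is only in memory for the moment between the swipe and encryption or transmission, which is why real scrapers target a specific process and poll it constantly; and any tool that reproduces this search for incident response must mask what it finds, as `mask_pan` does, or the investigation itself becomes a second exposure of card data.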
The hackers evaded detection partly because they moved around Home Depot's systems during regular daytime business hours and designed the malware to collect data, take steps to transmit it to an outside system and delete its traces. The malicious software installed on the self-checkout terminals lurked undetected for five months (Banjo, 2014). Indeed, the hack might have gone unnoticed for longer if the hackers had not put batches of stolen card numbers up for sale while several Home Depot executives were away for the Labor Day holiday. Home Depot's security investigators found evidence that malware had been erased from a store PC. The company was able to confirm a breach, but it could not be sure its critical business data was out of danger. At one point, a security specialist identified a PC at a store in Watertown, Mass., that he thought could be "patient zero," the malware's entry point. The team took the company plane to recover the PC, strapping it into a seat as though it were a passenger and extracting data on the flight back to Atlanta, but the PC turned out to be a red herring (Banjo, 2014). Instead, patient zero turned out to be a server at a store south of Miami. The attack caught a company that had only recently been through several years of upgrades to computer systems that were out of date.

DATABASE

Databases are a key target for cyber criminals because of the often highly sensitive nature of the data locked away inside them. Whether the data is financial or consists of intellectual property and corporate trade secrets, hackers worldwide can profit from breaching an organization's servers and looting its databases.

DATABASE VULNERABILITY

According to Osborne, a vulnerability database is a platform for collecting, maintaining and disseminating information about discovered vulnerabilities in real computer systems.
Today many vulnerability databases are widely used to gather information from diverse sources on software vulnerabilities (e.g., bugs). This information typically includes a description of the vulnerability, its exploitability, its potential impact and the workaround to be applied to the vulnerable system. Examples of public vulnerability databases are the National Vulnerability Database and the Open Source Vulnerability Database. Several security vendors also offer commercial vulnerability databases, employing full-time researchers to investigate and publish vulnerability information. The researchers say the top ten vulnerabilities most frequently found in database-driven systems, whether during the development stage, through the integration of applications, or when upgrading and patching, are:

Deployment Failures. The most common cause of database vulnerabilities is a lack of due care at the moment they are deployed. Although a database is tested for functionality, to verify it does what it is intended to do, very few checks are made to confirm that it is not doing things it should not be doing (Osborne, 2013).

Broken Databases. The SQL Slammer worm of 2003 infected more than 90 percent of vulnerable computers within 10 minutes of its release, taking down thousands of databases in minutes. The worm exploited a bug in Microsoft's SQL Server database software that had been found the previous year, but few system administrators had installed the fix, leaving computers vulnerable (Osborne, 2013). Because it exploited a buffer-overflow vulnerability, the worm's success demonstrates how critical it is to install security patches and fixes. Yet, whether for lack of time or resources, not enough organizations keep their systems regularly patched, leaving databases vulnerable.

Data Leaks. Databases may be viewed as a "back end" part of the office, secure from Internet-based threats (so the data does not need to be encrypted), but this is not the case. Databases also have a network interface, and hackers are able to capture that traffic and exploit it (Osborne, 2013). To avoid this pitfall, administrators should use SSL- or TLS-encrypted communication between applications and the database.

Stolen Database Backups. External attackers who penetrate systems to steal data are one threat, but what about those inside the organization? The report suggests that insiders are also likely to steal files, including database backups, whether for money, profit or revenge (Osborne, 2013). This is a common problem for the modern enterprise, and organizations should consider encrypting such files to mitigate the insider risk.

The Abuse of Database Features. The researchers say that over recent years every database exploit they have seen has been based on the misuse of a standard database feature. For instance, a hacker can gain access through legitimate credentials before forcing the service to run arbitrary code.
Although sophisticated, in many cases this access was gained through simple flaws that allow such features to be taken advantage of or bypassed completely (Osborne, 2013). Future misuse can be limited by removing unnecessary tools: this does not eliminate the possibility of zero-day exploits, but it at least shrinks the attack surface hackers can study to launch an attack.

A Lack of Segregation. Separating administrator and user privileges, as well as separating duties, can make fraud or theft by internal staff more difficult. Likewise, limiting the power of user accounts may make it harder for a hacker to take complete control of a database (Osborne, 2013).

Hopscotch. Rather than exploiting a buffer overflow and gaining complete access to a database in the first stage, cybercriminals often play a game of hopscotch: finding a weakness within the infrastructure that can be used as leverage for more serious attacks until they reach the back-end database system (Osborne, 2013). For example, a hacker may worm their way through the accounts department before hitting the credit card processing environment. Unless every department has the same standard of control, creating separate administrator accounts and segregating systems can help mitigate the risk.

SQL Injection. A popular technique for attackers, SQL injection remains a critical problem in the protection of enterprise databases. Applications are attacked by injection, and the database administrator is left to clean up the mess caused by unsanitized variables and malicious code embedded in strings that are later passed to an instance of SQL Server for parsing and execution (Osborne, 2013). The best ways to protect against this threat are to shield web-facing databases with firewalls and to test input variables for SQL injection during development.
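The SQL injection item above is easiest to understand with the two query styles side by side. The following is an added example, not from the paper or from Osborne's source report: a login lookup written the vulnerable way (string concatenation) and the safe way (a parameterized query), plus the kind of development-time probe the paper recommends, which tries a few canonical payloads in each field and reports which ones log in without a valid password. The table, users and hashes are constructed, and SQLite stands in for SQL Server; the injection mechanism is the same, only the dialect differs.

```python
import sqlite3

# Constructed in-memory users table (not from the paper). Password hashes are
# placeholder strings so the example stays focused on query construction.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash-of-alice-pw", "admin"),
                      ("bob", "hash-of-bob-pw", "user")])
    return conn


def login_vulnerable(conn, username: str, password_hash: str):
    """Builds the query by string formatting: the input is parsed as SQL."""
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username: str, password_hash: str):
    """Parameterized query: the driver binds the values, they are never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()


# Canonical payloads to run against every login-style query during development.
INJECTION_PROBES = ["alice' --", "' OR 1=1 --", "' OR '1'='1"]
DUMMY_USER, DUMMY_HASH = "nobody", "not-the-real-hash"


def probe_login(conn, login_fn):
    """Return [(field, payload), ...] for probes that log in without valid credentials.
    Each payload is tried in the username field and in the password field, because
    whether a payload works depends on where in the WHERE clause it lands."""
    bypassed = []
    for payload in INJECTION_PROBES:
        for field, args in (("username", (payload, DUMMY_HASH)),
                            ("password", (DUMMY_USER, payload))):
            try:
                row = login_fn(conn, *args)
            except sqlite3.Error:
                row = None          # a syntax error is noise, not a bypass
            if row is not None:
                bypassed.append((field, payload))
    return bypassed


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe_login(db, login_vulnerable))
    print("safe:      ", probe_login(db, login_safe))
```

Note how `' OR '1'='1` only works in the password field and `alice' --` only in the username field, because `AND` binds tighter than `OR` and the comment removes whatever follows it; a probe set that tries each position is what catches both. Parameterization makes every row of the probe output empty regardless of position, which is the property to assert in a test suite rather than relying on input filtering.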
Sub-standard Key Management. Key management systems are designed to keep keys safe, but the research team regularly found encryption keys stored on company disk drives. Database administrators sometimes wrongly believe these keys must be left on disk to cope with database failures, but this is not true, and leaving keys in an unprotected state can leave systems open to attack (Osborne, 2013).

Database Inconsistencies. Finally, the researchers found that the common thread tying these vulnerabilities together is a lack of consistency, which is an administrative rather than a database technology problem. System administrators and database developers need to establish a consistent practice in caring for their databases, staying aware of threats and making sure vulnerabilities are dealt with (Osborne, 2013). This is not a simple task, but documentation and automation to track and roll out changes can ensure that the data in enterprise systems is kept secure.

Database Hacks:

eBay Database Hack

eBay acknowledged that attackers compromised a database containing encrypted passwords and other non-financial data. The database included names, email addresses, home addresses, phone numbers and dates of birth (Brodkin, 2014). While there is "no evidence of the compromise resulting in unauthorized activity for eBay users," the company is recommending that users change their passwords. The attackers were able to log into eBay employee accounts. "Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network," the eBay announcement said (Brodkin, 2014). "Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers."
eBay discovered the unauthorized employee logins two weeks earlier, and "extensive forensics subsequently identified the compromised eBay database, resulting in the company's announcement today." Financial and credit card data was apparently not affected, as it is "stored separately in encrypted formats." PayPal data is also stored separately. eBay notified customers of the issue and asked them to change their passwords. The company did not say what technique it uses to protect stored passwords. eBay customers should be wary of anyone contacting them claiming to be eBay or any other organization, and should expect an increase in phishing messages (Brodkin, 2014). That means they should avoid clicking links in email or discussing anything sensitive over the phone, and customers who reuse their eBay password on other sites or services should change it immediately.

Adobe Database Hack

The recent data breach at Adobe that exposed user account data and prompted a flurry of password reset emails affected at least 38 million users, the company now says. It also appears that the already massive source code leak at Adobe is growing to include the company's Photoshop family of graphical design products (Krebs, 2013). Adobe said hackers had stolen nearly 3 million encrypted customer credit card records, and login data for an undetermined number of Adobe user accounts. At the time, a huge trove of stolen Adobe account data seen by security researchers indicated that, in addition to the credit card records, tens of millions of user accounts across various Adobe online properties may have been compromised in the break-in (Krebs, 2013).
It was difficult to fully examine many of the records on the hackers' server that housed the stolen source code, because many of the directories were password protected, and Adobe was reluctant to speculate on the number of users potentially affected. Adobe said its investigation had confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid) encrypted passwords for approximately 38 million active users, and that it had completed email notification of those users. Adobe also reset the passwords for all Adobe IDs with valid, encrypted passwords believed to be involved in the incident, regardless of whether those users were active or not (Krebs, 2013). Adobe believes the attackers also obtained access to many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data, and said it was still investigating the number of inactive, invalid and test accounts involved in the incident. The major part of the Adobe breach involved the theft of source code for Adobe Acrobat and Reader and for its ColdFusion web application platform. Among the cache was a 2.56 GB file called ph1.tar.gz; AnonNews.org posted a file of the same name and size that was not password protected and appeared to be source code for Adobe Photoshop (Krebs, 2013). Asked about the similarity of the AnonNews posting to the leaked source code troves found by this publication in late September, Adobe's management said it indeed appears that the intruders obtained at least part of the Photoshop source code. In both cases, Adobe said it contacted the sites hosting the data linked from the AnonNews postings and had the data taken down (Krebs, 2013).
Adobe's investigation to date indicates that a portion of the Photoshop source code was accessed by the attackers as part of the incident Adobe publicly disclosed on Oct. 3, 2013.

Snapchat Database Hack

Snapchat is a mobile messaging service that promises users the ability to send private messages and media to other users that are quickly deleted from the users' phones and from Snapchat's database after viewing. The October data breach publicly challenged the company's promise of privacy and raised important questions about the responsibility of both the company and the end users of the application to secure data and provide adequate security. SnapSaved was one of many "unauthorized" third-party applications that reverse-engineered Snapchat's application programming interface (API) to let SnapSaved users permanently store pictures and media sent through Snapchat on SnapSaved's website and database (Bortnick, 2014). In a post on its Facebook page, SnapSaved's developer explained the hack, stating that it resulted from a misconfiguration of its Apache server. According to Bortnick, this post came in response to rumors and allegations that SnapSaved had been deliberately created by hackers to obtain stored Snapchat media and that SnapSaved had allowed hackers access to its database. The SnapSaved site now offers users the ability to query whether any of their "snaps" were leaked. While the leak may be relatively small in isolation (Snapchat users send more than 350 million "snaps" every day), the company's response to the breach is significant.
In the days following the hack, Snapchat blamed its users' use of third-party applications for the leak, citing provisions of its Terms of Use agreement that prohibit the use of third-party applications in conjunction with Snapchat (Bortnick, 2014). However, this is not the first time Snapchat, a company that markets "user privacy" as its primary product, has faced cyber security problems. On December 31, 2013, hackers posted 4.6 million Snapchat users' telephone numbers and usernames on a website that has since been taken down (Bortnick, 2014). At the time, the hackers stated that their motivation was to raise public awareness of Snapchat's security flaws. Snapchat faced an investigation by the FTC for deceiving consumers about how the application actually worked and how much user data Snapchat stored. The FTC complaint also highlighted Snapchat's security flaws and the exact exploit involved with SnapSaved, voicing concern over the ease of reverse engineering by third-party application developers. The FTC complaint was filed and settled well before the October leak (Bortnick, 2014). As far as liability is concerned, Snapchat's response relied on its Terms of Use agreement with users, but the provision relied upon is buried in the fine print of the TOU with no explanation or warning to users of why such third-party applications are prohibited. This raises questions about the enforceability of that provision in a court of law (Bortnick, 2014). Snapchat has also suffered reputational damage from the event.
Snapchat's relationship with its users and with third-party developers raises important questions about the obligations of content providers for data security, especially those that promise data security as a cornerstone of their product, such as social media networks.

AOL Database Hack

AOL admitted on its website that the thieves lifted AOL users' email addresses, postal addresses, address book contact data, encrypted passwords and encrypted answers to the security questions it asks when a user resets his or her password, as well as certain employee data (Info Security, 2014). AOL's investigation began after a significant increase in the amount of spam appearing as "spoofed emails" from AOL Mail addresses. AOL believes that spammers have used this contact data to send spoofed messages that appeared to originate from around 2% of its email accounts. Spoofing is a technique spammers use to make a message appear to be from an email user known to the recipient, in order to trick the recipient into opening it. These messages do not originate from the sender's email account or email service provider; the addresses are simply altered to make them appear that way. Spamming and spoofing aside, the more critical data appears to be safe. AOL noted that it has no evidence that the encryption on the passwords or on the answers to security questions was broken, and that at this point in the investigation there is no indication that the incident resulted in disclosure of users' financial information, including debit and credit cards, which is also fully encrypted (Info Security, 2014). Nonetheless, as a precautionary measure, users and employees should reset the passwords used for any AOL service and change their security question and answer.
AOL is notifying possibly affected users, and "is working closely with federal authorities to pursue this investigation to its resolution," it said. "Our security team has put enhanced countermeasures in place and we urge our users to take proactive steps to help ensure the security of their accounts" (Info Security, 2014). As always, users should not reply to or click on any links or attachments in a suspicious email, and if in doubt about the legitimacy of a message, they should contact the sender to confirm that he or she actually sent it (Info Security, 2014). "AOL will never ask you for your password or any other sensitive personal information over email," the company said. "If you believe you are a victim of spoofing, consider telling your friends that your emails may have been spoofed and to avoid clicking the links in suspicious messages."

Server Application

The World Wide Web has evolved into a critical delivery pipeline for organizations to interact with customers, partners and employees. Via browsers, people use web sites to send and receive information via Hypertext Markup Language (HTML) messages to web applications housed on web servers. This information, expected to consist of legitimate messages, can be used illegitimately in unauthorized ways to exploit security vulnerabilities. In spite of institutional perimeter security solutions, web application vulnerabilities provide the potential for an unauthorized party to gain access to critical and proprietary information, use resources inappropriately, interrupt business or commit fraud.

Server Application Vulnerabilities

According to Kennedy, web application vulnerabilities can come from exposures in the server's operating system, server administration practices or flaws in the web application's programming. The following are common web application risks and associated best practices to help attain a more secure web application environment:

Authentication - One of the biggest web application weaknesses is the failure to provide a means of strong authentication to verify that the end user is who he/she claims to be. Prior to accessing a web application, a server may require the end user to authenticate him/herself to identify the user or determine the user's access privileges (Kennedy, 2005). Without such authentication employed, attackers could access another user's account, view sensitive information or perform unauthorized functions.

To lessen these risks: Employ strong authentication, such as HTTPS, with encrypted credentials. Require re-authentication at specified time intervals or on movement between web pages. Enforce what authenticated users are allowed to do. Regularly test authentication and all potential ways to circumvent it. Implement authorization (access control) (Kennedy, 2005).

Session security and session IDs - When end users log into an application, the web server issues the end user an identifier known as a session ID that can, and should, be random and set to expire at the completion of the session. The server uses the session identifier to associate data with each successive request. Session tokens often are not properly protected, allowing attackers to compromise passwords, keys, session cookies or other tokens that can defeat authentication restrictions and assume other users' identities (Kennedy, 2005). For example, the user's session ID may be displayed in the URL. Even if authentication is required, it may be possible for a user to authenticate using legitimate credentials, but then change the session ID in the URL line to access another user's data without being required to re-authenticate.

To lessen these risks: Assign random, non-sequential session IDs and re-authenticate when accessing additional records. Protect account credentials and session tokens. Require all cookies to have an expiration date so they are valid for only a predetermined period after the user's last request. Change session tokens when the user moves from an SSL-protected resource to a non-SSL-protected resource. Invalidate the session token at the server side when the user logs out.
Confirm that the session token is non-persistent and is never written to the browser's history or cache (Kennedy, 2005).

SQL injection - Many web applications do not properly strip user input of unnecessary special characters or validate the information contained in a web request before using that input directly in SQL queries. SQL injection is an attack technique that takes advantage of the web application to extract or alter information in the database (Kennedy, 2005). Hackers enter SQL queries or characters into the web application to execute an unexpected action that can then act in a malicious way. Such queries can result in access to unauthorized data, bypassing of authentication or the shutting down of a database, regardless of whether the database resides on the web server or on a separate server.

To lessen these risks: Validate user input. Strip user input of special characters, and validate them, before using that input directly in SQL queries. Check input for appropriate/expected length. Ensure the application will not process SQL commands from the user. Design and program web applications so that client-supplied values are never treated as SQL syntax. Apply default error handling. Implement logical security at the database level; specify users, roles and permissions at the database layer. Conduct regular testing and identification of potential SQL injection vulnerabilities (Kennedy, 2005).

Buffer overflows - Web applications may be vulnerable to buffer overflows, which occur when a program attempts to store more data in a static buffer than it is designed to hold. The additional data overwrites and corrupts memory, allowing an attacker to insert arbitrary instructions on the web server or crash the system. Applications may not adequately prevent the introduction of arbitrary code into the system that could be executed with the administrator privileges of the operating system.
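The session ID and SQL injection items above can be seen together in one small piece of code. The following is an added example written for this paper, not code from Kennedy's article or from any product discussed here. It assumes an in-memory SQLite table, a hypothetical users schema with two constructed rows, and an assumed 15-minute idle timeout. It shows random, non-sequential session tokens that expire on the server side and are invalidated on logout, a Set-Cookie value that keeps the token non-persistent, and the same user lookup written first with the input pasted into SQL syntax (the anti-pattern) and then with a length check and a bound parameter.

```python
"""Added example (not from the paper or Kennedy's article): session handling and
database access illustrating the session ID and SQL injection mitigations.
The users table, its rows and the timeout policy are constructed for the demo."""
import secrets
import sqlite3
import time

SESSION_TTL_SECONDS = 15 * 60  # assumed idle timeout measured from the last request
MAX_NAME_LEN = 32              # assumed maximum length of a username field

# --- session handling ------------------------------------------------------

_sessions = {}  # token -> {"user": str, "last_seen": float}; server-side state


def create_session(username, now=None):
    """Issue a random, non-sequential session token bound to one user."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never a counter
    _sessions[token] = {"user": username, "last_seen": now}
    return token


def lookup_session(token, now=None):
    """Return the user for a live token, or None if the token is unknown or expired."""
    now = time.time() if now is None else now
    entry = _sessions.get(token)
    if entry is None:
        return None
    if now - entry["last_seen"] > SESSION_TTL_SECONDS:
        del _sessions[token]  # expiry enforced on the server, not only by the cookie
        return None
    entry["last_seen"] = now  # the validity window restarts at each request
    return entry["user"]


def logout(token):
    """Invalidate the token on the server so that a replayed cookie is useless."""
    return _sessions.pop(token, None) is not None


def session_cookie_header(token):
    """Set-Cookie value: no Expires/Max-Age (session cookie, not persistent),
    HttpOnly (not readable by script), Secure (TLS only), SameSite=Strict."""
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Strict"


# --- database access -------------------------------------------------------

def build_db():
    """Constructed in-memory table standing in for the application's user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db


def find_email_unsafe(db, name):
    """The anti-pattern Kennedy warns about: user input pasted into SQL syntax.
    A quote character in `name` changes the meaning of the WHERE clause."""
    query = f"SELECT email FROM users WHERE name = '{name}' ORDER BY name"
    return [row[0] for row in db.execute(query)]


def find_email_safe(db, name):
    """Length check plus a bound parameter: the value is data, never SQL syntax."""
    if not isinstance(name, str) or not (0 < len(name) <= MAX_NAME_LEN):
        raise ValueError("invalid username")
    rows = db.execute("SELECT email FROM users WHERE name = ? ORDER BY name", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"  # the classic demonstration input
    print("unsafe:", find_email_unsafe(db, probe))   # returns every row
    print("safe:  ", find_email_safe(db, probe))     # returns no row
    tok = create_session("alice")
    print(session_cookie_header(tok))
```

Run as a script, the unsafe lookup returns both constructed rows for the demonstration input while the parameterized version returns none, which is the difference between "treated as SQL syntax" and "treated as a value" that Kennedy's last mitigation describes. The session functions take an optional `now` argument only so the timeout can be exercised without waiting.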
As an example of such code insertion, a hacker may enter a command line executable statement, such as , into a legitimate web site form under the guise of an HTTP request to gain access to the web server (Kennedy, 2005). If the security configuration allows, the hacker will receive the /etc/passwd file and have access to files and, ultimately, the usernames and passwords stored on the web server.

To lessen these risks: Identify buffer overflows by entering large values into form inputs, header and cookie fields. Prevent code insertion by unauthenticated sources. Validate the input field length (Kennedy, 2005).

Cross-site scripting (XSS) - A web application can be used as a mechanism to deliver an attack to an end user's browser, by way of the browsers of other web users who are viewing the page. A hacker can create a web site that takes advantage of a cross-site scripting flaw. An unknowing user can visit this hacker's web site (for example, by clicking on a link within an e-mail from a friend) and the hacker's malicious code can then be executed on the unknowing user's system (Kennedy, 2005). A successful attack can disclose the end user's session token, attack the local machine or spoof content to fool the user.

To lessen these risks: Filter input so end-user data cannot be interpreted as scripted content (i.e.,