Application Layer Attack

  • 7/29/2019 Application Layer Attack

    1/9

    Survey on Attacks targeting Web based System through Application Layer

    Author: Amit Kumar Pandey

    email: [email protected], homepage: http://www.cs.kent.edu/~apandey/

    Prepared for Prof. Javed I. Khan

    Department of Computer Science, Kent State University

    Date: June 2006

    Abstract: With the advent of Business-to-Business (B2B) and Business-to-Consumer (B2C) interaction, it has become a necessity that information be exchanged in a secure and accurate way. Most web applications contain security vulnerabilities which enable an attacker to exploit them and launch an attack. As a result of an attack, the confidentiality, integrity and availability of information are lost. These attacks, which are at the application level, cannot be prevented using a packet inspection firewall, which analyses individual IP packets for signatures or allows specific ports. What is needed is a mechanism which analyses the whole message stream. In addition, each specific application level attack requires a specific mechanism. Attacks like content spoofing cannot be stopped unless the user is made aware. In this survey, I discuss the different types of attack on web applications at the application level and ways to prevent them.

    Table of Contents:

    Introduction

    Web application Architecture

    Different attacks

    Fig. 1 Types of attack

    Client side

    Web browser

    Content Spoofing

    Cross site Scripting

    Session fixation

    Untitled Document http://medianet.kent.edu/surveys/DR05S-applicationattack-amitpandey/index.html

    1 of 9 9/3/2013 10:26 PM

    What can be done

    Educating users to type the URL of the bank directly, rather than clicking on links in email, and not to respond to email with embedded HTML forms.

    Making them aware of HTTPS in the address bar, the SSL padlock icon and the SSL certificate, which are used to establish authenticity.

    Using antivirus software to filter spam.

    Disabling the HTML functionality of email.

    Cross site scripting

    In cross-site scripting (XSS), malicious code, usually written in VBScript, ActiveX, Java etc., is executed in the user's browser. The code is echoed by the web site to the user's browser. The code is placed on the web site by the attacker using message boards, bulletins etc. When these pages are viewed by a user, the script present in the messages is executed at the user's end. These scripts may read, modify or transmit data accessible to the client's browser.

    Example

    Consider a website which redirects user Alice after login to www.abc.com/default.asp?name=alice, where a server-side script generates a welcome page that says "Welcome Back Alice!". The user information is stored in a database, and the web site places a cookie on your computer containing a key to that database. The cookie is retrieved any time the site is visited. An attack can be launched as follows:

    1. The hacker sends you an e-mail that claims you've just won a vacation getaway and all you have to do is "click here" to claim your prize. The URL for the hypertext link is www.adatum.com/default.asp?name=evilScript(). The user clicks on the link.

    2. The server generates HTML; the script is treated as the parameter which contains the name of the user.

    3. The malicious script is sent to the user's browser.

    4. The script is executed by the browser.

    5. The sensitive information is sent to the hacker.

    Fig. 4 Cross site scripting

    Dangers involved

    Sensitive information like cookies can be stolen from the user's system.

    Web sites can be made unreadable by making the web page unpleasant to use (e.g., via annoying banners and offensive material).

    By embedding malicious FORM tags at the right place, an intruder may even be able to trick users into revealing sensitive information.

    What can be done

    Using HTTP-only cookies eliminates the possibility that sensitive information contained in the cookie can be sent to a hacker's computer or web site by a script.

    Filtering inputs for special characters like <, which denotes the beginning of a tag.

    Disabling scripting when it isn't required.
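    The welcome page from the example above, rendered first the vulnerable way and then with output encoding, plus the HttpOnly cookie the survey recommends. This is an added illustration, not code from the survey; the function names and the sample payload are assumptions.

```javascript
// Added example (not from the survey): the "Welcome Back <name>!" page from the
// XSS example, built with the name parameter pasted in raw, then with output
// encoding, plus a Set-Cookie header for the database key with HttpOnly set.
// Function names and the sample payload below are illustrative assumptions.

// Encode the five characters that let a value break out of HTML text or an
// attribute. The survey suggests filtering '<' on input; encoding on output
// also covers the other break-out characters and keeps legitimate input intact.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the query parameter is reflected verbatim, so a value containing
// markup becomes live markup in the victim's browser (step 2 of the example).
function renderWelcomeUnsafe(name) {
  return `<html><body><h1>Welcome Back ${name}!</h1></body></html>`;
}

// Hardened: the same page, with the parameter encoded before insertion.
function renderWelcomeSafe(name) {
  return `<html><body><h1>Welcome Back ${escapeHtml(name)}!</h1></body></html>`;
}

// Defender's check over rendered output: did a reflected value survive as a
// live <script> tag? The template itself contains none.
function hasInlineScript(html) {
  return /<script\b/i.test(html);
}

// Set-Cookie header for the database key the example stores in a cookie.
// HttpOnly keeps page scripts from reading it via document.cookie; Secure
// restricts it to HTTPS; SameSite=Lax limits cross-site sending.
function sessionCookieHeader(cookieName, value) {
  return `${cookieName}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample input standing in for the "evilScript()" link parameter.
const constructedPayload = '<script>alert(1)</script>';

// Prints true for the unsafe page and false for the encoded one.
console.log(hasInlineScript(renderWelcomeUnsafe(constructedPayload)));
console.log(hasInlineScript(renderWelcomeSafe(constructedPayload)));
```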

    Session fixation
