7/29/2019 Application Layer Attack
1/9
Survey on Attacks targeting Web based System through Application Layer
Author: Amit Kumar Pandey
email: [email protected], homepage: http://www.cs.kent.edu/~apandey/
Prepared for Prof. Javed I. Khan
Department of Computer Science, Kent State University
Date: June 2006
Abstract: With the advent of Business-to-Business (B2B) and Business-to-Consumer (B2C) interaction, it has become a necessity that information be exchanged in a secure and accurate way. Most web applications contain security vulnerabilities that enable an attacker to exploit them and launch an attack. As a result of such an attack, the confidentiality, integrity and availability of information are lost. These attacks, which operate at the application level, cannot be prevented by a packet inspection firewall, which analyses individual IP packets for signatures or allows specific ports. What is needed is a mechanism that analyses the whole message stream. In addition, each specific application level attack requires a specific countermeasure. Attacks like content spoofing cannot be stopped unless the user is made aware of them. In this survey, I discuss the different types of attack on web applications at the application level and ways to prevent them.
Table of Contents:
Introduction
Web application Architecture
Different attacks
Fig.1 Types of attack
Client side
Web browser
Content Spoofing
Cross site Scripting
Session fixation
Untitled Document http://medianet.kent.edu/surveys/DR05S-applicationattack-amitpandey/index.html
1 of 9 9/3/2013 10:26 PM
What can be done
Educating users to type the URL of the bank directly, rather than clicking on links in email, and not to respond to email with embedded HTML forms.
Making them aware of HTTPS in the address bar, the SSL padlock icon and the SSL certificate, which are used to verify authenticity.
Using antivirus software to filter spam.
Disabling HTML functionality in email.
Cross site scripting
In cross-site scripting (XSS), malicious code is executed in the user's browser; such code is usually written in VBScript, ActiveX, Java etc. The code is echoed by the web site to the user's browser. The attacker places the code on the web site using message boards, bulletins etc. When these pages are viewed by a user, the script present in the messages is executed at the user's end. These scripts may read, modify or transmit data accessible by the client's browser.
Example
Consider a website which redirects user Alice after login to www.abc.com/default.asp?name=alice, where a server-side script generates a welcome page that says "Welcome Back Alice!". The user information is stored in a database, and the web site places a cookie on your computer containing a key to that database. The cookie is retrieved any time the site is visited. An attack can be launched as follows:
1. The hacker sends you an e-mail that claims you've just won a vacation getaway and all you have to do is "click here" to claim your prize. The URL for the hypertext link is www.adatum.com/default.asp?name=evilScript(). The user clicks on the link.
2. The server generates HTML; the script is treated as the parameter which contains the name of the user.
3. The malicious script is sent to the user's browser.
4. The script is executed by the browser.
5. The sensitive information is sent to the hacker.
Fig. 4 Cross site scripting
Dangers involved
Sensitive information like cookies can be stolen from the user's system.
Web sites can be made unreadable by making the web page unpleasant to use (e.g., via annoying banners and offensive material).
By embedding malicious FORM tags at the right place, an intruder may even be able to trick users into revealing sensitive information.
What can be done
Using HTTP-only cookies eliminates the possibility that sensitive information contained in the cookie can be sent to a hacker's computer or web site by a script.
Filtering inputs for special characters like <, which denotes the beginning of a tag.
Disabling scripting when it isn't required.
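As an added example (not code from the survey), the welcome page from the example above rendered first the way the survey describes (the name parameter echoed verbatim) and then with HTML escaping, together with the tag-character input check and the HTTP-only cookie header recommended in the list; the function names, the cookie name and the sample inputs are constructed for this illustration.

```python
import html
from http.cookies import SimpleCookie


def render_welcome_vulnerable(name: str) -> str:
    # Echoes the query-string value into the page unchanged: whatever the
    # link carried in ?name= becomes part of the HTML the browser parses.
    return f"<html><body><h1>Welcome Back {name}!</h1></body></html>"


def render_welcome_hardened(name: str) -> str:
    # HTML-escapes the value, so '<', '>', '&' and quotes reach the browser
    # as text to display rather than as markup to execute.
    return f"<html><body><h1>Welcome Back {html.escape(name, quote=True)}!</h1></body></html>"


def contains_markup(value: str) -> bool:
    # The input filter the survey suggests: flag any value carrying tag delimiters.
    return "<" in value or ">" in value


def session_cookie_header(db_key: str) -> str:
    # Set-Cookie header for the database key the site stores in the browser.
    # HttpOnly keeps page scripts from reading it; Secure restricts it to HTTPS.
    cookie = SimpleCookie()
    cookie["sessionkey"] = db_key
    cookie["sessionkey"]["httponly"] = True
    cookie["sessionkey"]["secure"] = True
    cookie["sessionkey"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    # Constructed sample inputs: a normal name and one carrying a script tag.
    for sample in ("alice", "<script>evilScript()</script>"):
        print("input    :", sample, "| markup? ", contains_markup(sample))
        print("unsafe   :", render_welcome_vulnerable(sample))
        print("hardened :", render_welcome_hardened(sample))
    print(session_cookie_header("constructed-db-key-123"))
```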
Session fixation