INFA640 Software Vulnerability Exploitation PDF

Title INFA640 Software Vulnerability Exploitation
Author Yemmy Bello
Course Information Assurance Capstone
Institution University of Maryland Global Campus


Running head: SOFTWARE VULNERABILITY EXPLOITATION

AUTHOR INFA670 Software Vulnerability Exploitation March 29, 2020


SQL Injection

Description of Vulnerability

Information technology faces many issues, but security issues are the more dangerous ones and continue to develop over time. For example, the SQL injection vulnerability arises from limited security implementations in the database software. In an SQL injection attack, the attacker inserts malicious statements or code into an entry field of a web page or web application. These malicious statements then exploit the security vulnerability of the database. SQL databases face this vulnerability (Neil, 2016). Different database software products face it because they are not fully equipped with the latest security checks, and because security flaws remain unattended or undetected during development of the database (Neil, 2016).

The databases of web applications, websites, and desktop applications face SQL injection vulnerabilities equally. Web applications are the main target, however, because attackers can reach them quite easily. Attackers can send executable code and run commands through the online GUI of these web applications, and the vulnerabilities in the attached databases allow that code or those commands to execute. In this way attackers can easily exploit SQL injection vulnerabilities to access data (Penta Security, 2016).

When hackers exploit an SQL injection vulnerability, they can easily obtain all privileges and controls of the backend database of the particular web application. The vulnerability allows them to add new records to the database, update existing records, delete records, and access the security parameters of the database. Attackers can change any balance or record in the database, delete all of its data, and make the data unavailable to users. SQL injection allows attackers to take control of the database. The attackers can change privileges to become administrators of the database server (Neil, 2016).

SQL Injection Exploit Example

Attackers exploited an SQL injection vulnerability to target the database of Heartland Payment Systems. They used SQL injection to access users' financial records, card details, and other security information held in the database. To do this they used the victim's web application to execute malicious code and statements at its entry points, such as text boxes and text fields that were not properly validated. The hackers used these insecure text boxes to execute code, queries, and malicious statements. Finally, they gained access to all of the company's financial data, and a loss of approximately $300 million was reported as a result of this SQL injection attack.

Mitigation/Prevention Techniques

SQL injection can be avoided through secure and proper coding of the web application, because web applications are the entry point of this attack and vulnerable web applications allow hackers to reach the database (Neil, 2016). Proper validation techniques must therefore be used on all entry points of the web application, including all check boxes, text boxes, text areas, and text fields, and these entry points must block query execution. Text box filtering is a perfect solution to avoid this SQL injection vulnerability (Penta Security, 2016). Properly coded websites can block all attacks of this type, because standard coding practice lets developers protect every entry point.

The issue can also be avoided by using parameters in the SQL query. Parameterized database queries can help avoid this issue permanently, but the practice must be followed by all developers. Updated patches must be installed to make sure that the latest vulnerabilities are avoided or blocked. Appropriate privileges are also useful in avoiding SQL injection (Penta Security, 2016). Admin-privileged database accounts are more vulnerable to SQL injection, so database accounts with limited privileges must be used.

Cross-Site Scripting Vulnerability

Description of Vulnerability

Different vulnerabilities create security threats; some are based on client-side scripts and some on database coding. The cross-site scripting vulnerability is also known as 'XSS', and it targets web applications. Attackers can inject their own code and scripts into client-side scripts, and these client-side scripts are injected into the web pages of websites. Websites are therefore the main target of this vulnerability, and attackers use cross-site scripting to show their own content on web pages (Philipp, F, N, E, C, G. 2007). The vulnerability allows attackers to bypass access controls such as the same-origin policy.

Attacks related to cross-site scripting are increasing gradually, and approximately 85% of vulnerabilities are related to cross-site scripting (Wassermann & Su, 2008). The security threat from this vulnerability is considered very high, and it is still treated as a current threat vector. Secure websites also face this vulnerability, because they work with sensitive data and information. Cross-site scripting attackers target web applications, web servers, updates, and plug-in applications, because web applications depend on web servers and on plug-ins. These plug-ins contain many vulnerabilities: attackers can easily inject their code and scripts into the web page content when there is communication between two trusted parties. When the sensitive information arrives at the client web page, attackers can easily inject their code into this ongoing communication (Wassermann & Su, 2008).

This can help attackers gain control of the web page and of all sessions on it. By using this vulnerability attackers can also access the session cookies of a particular web page. Cross-site scripting allows hackers to obtain information from the user's web browser, such as information the browser has saved about a particular web page or website. Web browsers save users' login information for different websites, and hackers can access this information through a cross-site scripting vulnerability. There are persistent and non-persistent cross-site scripting attacks (Philipp, F, N, E, C, G. 2007).

Cross-Site Scripting Exploit Example

In a non-persistent attack, for example, users are directed to visit a link crafted by the attacker. When the user opens this crafted link, the crafted code in the URL is executed by the victim's browser, and in this way the hackers can obtain information about the user such as login details, cookie details, and search history. For example, there is a web page named "index.php", and the code of the web page is given below.

The attacker can craft a URL, which is then sent to the target user or victim. The crafted URL is given below.

When the victim clicks the crafted URL above, it loads in the victim's web browser and shows an alert box containing a message with the keyword "attacked". In this way, a cross-site scripting vulnerability can be exploited, with the cross-site scripts included in the URL.

Mitigation/Prevention Techniques

XSS can be avoided by escaping string input. Untrusted scripts must be blocked or avoided, and HTML documents must consist of trusted scripts. If untrusted code or strings have to be included in the HTML document, then HTML entity encoding must be applied (Philipp, F, N, E, C, G. 2007). CSS escaping and JavaScript escaping are also among the best techniques.

Validation of risky HTML input is another method of avoiding XSS. Web applications and web forms allow users to input HTML, and it is quite difficult to stop an XSS attack while accepting HTML input from users. Untrusted or dangerous HTML code must therefore be checked using an HTML sanitization engine, which makes sure that there is no XSS code in the HTML (Wassermann & Su, 2008).

Extra security parameters on the cookies used for user authentication are another mitigation technique. Websites use session cookies for authentication, and XSS can access these cookies, so secure websites tie these cookies to the IP address of the user (Philipp, F, N, E, C, G. 2007). In this way, cookies must be tied to the IP address of the original user, and only that IP address can access the saved cookies.

Disabling scripts is another technique for avoiding XSS attacks. Websites use scripts such as JavaScript to carry out their functions, but many web applications are developed without any script, so the end user is allowed to disable scripts in the web browser (Wassermann & Su, 2008). In this way, XSS attacks can be avoided.
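The escaping and entity-encoding mitigations above, as an added example that is not part of the original paper. It is written in Python rather than the PHP of "index.php"; the host `example.test`, the `name` query parameter, and all function names are assumptions, and the URL is constructed to carry the "attacked" alert the paper describes.

```python
import html
import json
from urllib.parse import parse_qs, urlsplit

# Constructed request URL: the host and the "name" parameter are assumptions.
CRAFTED_URL = ("http://example.test/index.php"
               "?name=%3Cscript%3Ealert(%22attacked%22)%3C/script%3E")


def query_value(url: str, key: str) -> str:
    """Return the first decoded value of a query parameter, or ''."""
    return parse_qs(urlsplit(url).query).get(key, [""])[0]


def render_reflected(url: str) -> str:
    """'Before' form: the decoded value is pasted into the markup unchanged."""
    return "<p>Hello " + query_value(url, "name") + "</p>"


def js_string(value: str) -> str:
    """Encode a value as a JavaScript string literal for use inside <script>."""
    literal = json.dumps(value)
    # json.dumps leaves <, > and & alone, so "</script>" would still end the block.
    for ch in "<>&":
        literal = literal.replace(ch, "\\u%04x" % ord(ch))
    return literal


def render_encoded(url: str) -> str:
    """'After' form: each output context gets its own encoding."""
    name = query_value(url, "name")
    text = html.escape(name, quote=True)  # HTML body and quoted attribute
    return ('<p title="%s">Hello %s</p>\n'
            "<script>var visitor = %s;</script>" % (text, text, js_string(name)))


if __name__ == "__main__":
    print(render_reflected(CRAFTED_URL))
    print(render_encoded(CRAFTED_URL))
```

The encoded page contains exactly one `<script>` element, the one the template itself wrote; the value from the URL is displayed as text and never parsed as markup.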
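Returning to the SQL injection mitigations described earlier (input validation and parameterized queries), the following added example, which is not part of the original paper, puts a string-built query beside its parameterized form using Python's sqlite3 module. The table, column names, sample rows, and crafted input are constructed for illustration.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 120), ("bob", 75), ("carol", 310)])
    conn.commit()
    return conn


def balance_concatenated(conn: sqlite3.Connection, owner: str) -> list:
    """'Before' form: the text-box value becomes part of the SQL text."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def balance_parameterized(conn: sqlite3.Connection, owner: str) -> list:
    """'After' form: the value is bound as data and never parsed as SQL."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


# Allow-list for the entry field (an assumed naming rule for this example).
OWNER_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def balance_validated(conn: sqlite3.Connection, owner: str) -> list:
    """Validation in front of the parameterized query, not instead of it."""
    if not OWNER_RE.fullmatch(owner):
        raise ValueError("owner contains characters outside the allow-list")
    return balance_parameterized(conn, owner)


# Constructed input that turns the WHERE clause into an always-true test.
CRAFTED_INPUT = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(balance_concatenated(db, CRAFTED_INPUT))   # every row in the table
    print(balance_parameterized(db, CRAFTED_INPUT))  # no row has that owner
```

A legitimate value containing an apostrophe, such as `o'brien`, makes the string-built query fail with a syntax error while the parameterized query simply finds no match, which is why binding values is the primary control and validation a second layer.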

References

Neil D. (2016). SQL Injection Cheat Sheet & Tutorial: Vulnerabilities & How to Prevent SQL Injection Attacks. Retrieved from http://www.veracode.com/security/sql-injection

Philipp, F, N, E, C, G. (2007). Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. Secure Systems Lab, Technical University Vienna. Retrieved from https://seclab.ccs.neu.edu/static/publications/ndss2007xss.pdf

Penta Security. (2016). "What is SQL injection and how can you prevent it from happening?" Penta Security Systems Inc. Retrieved from https://www.pentasecurity.com/blog/sqlinjection-web-vulnerabilities/

Wassermann, G., & Su, Z. (2008). Static detection of cross-site scripting vulnerabilities. 2008 ACM/IEEE 30th International Conference on Software Engineering, Leipzig, 2008, 171-180.
