
An Infrastructure Model to Detect and Prevent Web Attacks

With the widespread use of web applications, creating them has also become easier. Developers of web applications focus on what is expected from the application and may neglect its security. The growth in the use of web applications has brought an increase in the number and types of attacks against them. The importance of web security grows with the criticality of the work done and the data processed by the web application. Security systems are needed which detect attacks, prevent them and remove vulnerabilities before or during an attack. The large number of attack techniques and the constant emergence of new attacks are a problem for the security of web applications. In this study, the types of web attacks and the methods used to prevent them are examined first. The study also aims to create a web security infrastructure model which combines various techniques to reduce the effect of web attacks. The attacks reputed to be the most critical among web attack types are investigated, the techniques and methods that provide security are examined, and an infrastructure model that combines the techniques achieving maximum security is proposed.

Global Conference on Applied Computing in Science and Engineering, Rome (Italy), 27-29 July 2016. Proceedings edited by ScienceKNOW Conferences C.B., July 2016. ISBN: 978-84-944311-8-0.
An Infrastructure Model to Detect and Prevent Web Attacks

M. Sevri (1), N. Topaloğlu (2)
(1) Gazi University, Institute of Informatics, +903122023844
(2) Gazi University, Faculty of Technology

Keywords: web security, web application security, multi-layer security, web security infrastructure

1. Introduction

Individuals are the foremost users of online web applications, but governments, institutions and organizations also use web applications to ease, speed up and extend many of their activities. Web applications have many fields of use, such as financial services, social services, communication services, follow-up, stock tracking, electronic commerce operations and so on. Web applications can be used to perform very critical operations and to store data. As web applications become more indispensable in daily life, they turn into targets for hackers, and attacks are carried out by exploiting the vulnerabilities in web applications. Websites are a critical element in major attacks because they provide a way into the network and the sensitive data, and a way to reach customers and partners. Organizations need to consider their websites as part of an entire ecosystem which needs constant care and attention if they want to retain people's trust and confidence. According to Symantec's 2016 Internet Security Threat Report [1], over the past three years more than three quarters of the websites scanned contained unpatched vulnerabilities, one in seven (15 percent) of which were deemed critical in 2015. As seen in Image 1, the report shows that the percentage of scanned websites with vulnerabilities increased in 2015 and reached 78%.
Fifteen percent of the vulnerabilities detected in websites in 2015 were critical. A critical vulnerability is one which, if exploited, may allow malicious code to run without user interaction, potentially resulting in a data breach and further compromise of visitors to the affected websites. Image 2 shows the percentage of detected vulnerabilities that were critical in each year since 2013.

[Image 1. Scanned websites with vulnerabilities]

[Image 2. Percentage of vulnerabilities which were critical]

Image 3 shows the average number of web attacks blocked per day since 2013. An average of one million web attacks were blocked each day in 2015, an increase of 117 percent (more than double) compared to 2014 [1].

[Image 3. Number of web attacks blocked each day]

Today, organizations control incoming and outgoing traffic by placing a firewall between their local area network (LAN) and the wide area network (WAN) they connect to. A typical firewall generally operates up to OSI layer 4, using features such as source and destination IP addresses, port numbers, and connection state and protocol (TCP or UDP). Attacks which exploit vulnerabilities in web applications cannot be detected by such firewalls. To detect and block attacks against web applications, devices and applications called Web Application Firewalls (WAF) are used. WAFs are located in front of the servers hosting the web applications and can perform signature-based or anomaly-based intrusion detection. An anomaly-based intrusion detection system (IDS) uses artificial intelligence and machine learning methods to build a model from previous intrusive and normal web traffic, and raises an alarm when it detects that an incoming web request contains intrusion patterns.

To summarize, this paper introduces the following main contributions:
- Some of the up-to-date security flaws in web applications which are exploited by attackers are observed.
- The ten most critical web application security risks (Top 10), listed in the periodic report of the Open Web Application Security Project (OWASP), are selected for examination [2].
- The actions to be taken and the methods to be used for developing secure web applications and protecting them against attacks are analyzed.
- As a result, an infrastructure model is created which can be used by organizations. The model describes the actions, organized according to a multi-layer architecture, that organizations should take to secure their web applications.

2. Web application vulnerabilities

Attackers can potentially use many different paths through an application to harm a business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention. Sometimes these paths are trivial to find and exploit, and sometimes they are extremely difficult. Similarly, the harm caused may be of no consequence, or it may severely damage the business [2]. The OWASP Top 10 focuses on identifying the most serious risks for a broad array of organizations.

[Image 4. Different paths used by threat agents [2]]

The five most critical security flaws in web applications are listed below [2].

2.1 Injections

Injection flaws, such as SQL, OS and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization [2].

2.2 Broken authentication and session management

Application functions related to authentication and session management are often not implemented correctly, which allows attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users' identities [2].
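The injection flaw of 2.1, as an added example that is not code from the paper: a login query that concatenates untrusted input, beside its parameterized form, run against a constructed in-memory SQLite table. The user names, passwords and the hostile string are constructed sample values.

```python
import sqlite3


def make_db():
    """Constructed sample user table (not data from the paper)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    # Untrusted data is pasted into the command text, so the interpreter
    # cannot tell where the query ends and the caller's data begins.
    sql = (f"SELECT name, role FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, name, password):
    # Placeholders keep the command fixed; the values are bound as data and
    # never re-parsed as SQL, so the comparison is a plain string match.
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def demo():
    """Run both forms with the same hostile password (a constructed tautology)."""
    conn = make_db()
    hostile = "' OR '1'='1"
    return {
        # the concatenated query collapses to "... OR '1'='1'" and returns every row
        "vulnerable": login_vulnerable(conn, "alice", hostile),
        # the bound value is compared literally and matches nobody
        "parameterized": login_parameterized(conn, "alice", hostile),
        "legit": login_parameterized(conn, "alice", "s3cret"),
    }
```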
2.3 Cross site scripting (XSS)

Cross-site scripting (also known as XSS or CSS) occurs when dynamically generated web pages display input that is not properly validated. This allows an attacker to embed malicious JavaScript code into the generated page and execute the script on the machine of any user who views the site. Cross-site scripting could potentially affect any site that allows users to enter data [3].

2.4 Insecure direct object references

Insecure direct object references are a prevalent type of vulnerability that allows requests to be made to specific objects through pages or services without proper verification of the requester's right to the content. It is mostly found in web and mobile applications. A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data [2, 4].

2.5 Security misconfiguration

There are many reasons for misconfiguration vulnerabilities and their consequences in web applications. The first is that Apache, MySQL and PHP (AMP) is arguably the most widely used web application server environment, as these components are open source and offer ease of use, flexibility and portability across multiple platforms [5]. Secure settings should be defined, implemented and maintained, as defaults are often insecure.

3. An infrastructure model for web security

It is impossible to provide 100% security for a web application. The main goal of this study is to take precautions before attacks, to ensure that the web application and its users are affected as little as possible during an attack, and to recover the system as soon as possible after an attack. Various methods and techniques are used to provide security for web applications.
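One of those techniques is the request inspection that the introduction attributes to WAFs and that the model's detection layer (section 3.5) relies on: signature-based rules and an anomaly-based model learned from previous normal traffic. The following is an added example, not code from the paper, that runs both over constructed access-log lines carrying the injection (2.1) and XSS (2.3) patterns; the log lines, the signature set and the threshold rule are all constructed assumptions.

```python
import re
import statistics
from urllib.parse import unquote_plus

# Constructed access-log lines (Common Log Format style), not real traffic.
BASELINE = [  # previous benign requests used to learn what "normal" looks like
    '10.0.0.5 - - [12/Jul/2016:10:01:02 +0000] "GET /products?id=17 HTTP/1.1" 200 512',
    '10.0.0.6 - - [12/Jul/2016:10:01:09 +0000] "GET /search?q=laptop+bag HTTP/1.1" 200 2048',
    '10.0.0.7 - - [12/Jul/2016:10:02:14 +0000] "GET /products?id=42&page=2 HTTP/1.1" 200 611',
    '10.0.0.8 - - [12/Jul/2016:10:02:40 +0000] "GET /search?q=usb+cable HTTP/1.1" 200 1900',
]
INCOMING = [  # requests to inspect: one benign, one SQLi, one XSS, one merely odd
    '10.0.0.9 - - [12/Jul/2016:11:00:01 +0000] "GET /products?id=17 HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/Jul/2016:11:00:03 +0000] "GET /products?id=17%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096',
    '198.51.100.4 - - [12/Jul/2016:11:00:05 +0000] "GET /search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 2100',
    '198.51.100.9 - - [12/Jul/2016:11:00:07 +0000] "GET /search?q=%28%29%7B%3A%3B%7D%3B HTTP/1.1" 400 300',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Signature rules: fixed patterns for the injection (2.1) and XSS (2.3) flaws.
# A small illustrative set, not a production ruleset.
SIGNATURES = {
    "sqli": re.compile(r"(?i)('\s*or\s*'|\bunion\s+select\b|--\s*$)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|onerror\s*=)"),
}


def parse(line):
    """Split one log line into its fields; the query string is URL-decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    path, _, query = target.partition("?")
    return {"ip": ip, "method": method, "path": path,
            "query": unquote_plus(query), "status": int(status)}


def punctuation_ratio(text):
    """Anomaly feature: share of characters that are neither alphanumeric
    nor the separators (=, &, space) that ordinary query strings contain."""
    if not text:
        return 0.0
    odd = sum(1 for c in text if not (c.isalnum() or c in "=& "))
    return odd / len(text)


def train_baseline(lines):
    """Threshold learned from benign traffic: mean + 3 standard deviations,
    plus a small floor so a perfectly uniform baseline still has slack."""
    ratios = [punctuation_ratio(parse(line)["query"]) for line in lines]
    return statistics.mean(ratios) + 3 * statistics.pstdev(ratios) + 0.05


def classify(line, threshold):
    """Return the alerts raised for one request (empty list if benign)."""
    req = parse(line)
    if req is None:
        return ["unparseable"]
    alerts = [name for name, rx in SIGNATURES.items() if rx.search(req["query"])]
    if punctuation_ratio(req["query"]) > threshold:
        alerts.append("anomaly")  # raised even when no signature matches
    return alerts


def run(baseline=BASELINE, incoming=INCOMING):
    threshold = train_baseline(baseline)
    return [(parse(line)["ip"], classify(line, threshold)) for line in incoming]
```

The last incoming line carries no known signature but still trips the anomaly rule, which is the complementary strength the introduction claims for the anomaly-based approach.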
Image 5 shows the infrastructure model, consisting of 8 layers, which organizations can use to provide security for web applications.

[Image 5. Web security infrastructure model. Layers: Standardization; Awareness and Training; Assessment; Prevention; Detection; Response; Recovery; Management]

3.1 Standardization

To provide more effective security for web applications, standards, rules, usage and security policies must be defined and strictly followed [6]. The security rules to be obeyed when developing web applications must be defined, and security tests must be taken into consideration during the software development phases. Authorization levels must be designated at the beginning of web application development, and restrictions must be put in place to keep users and developers from accessing unauthorized areas. Policies must be established on the use of the web application, data and user privacy.

3.2 Security awareness and training

Training sessions must be organized to increase the security awareness of software developers and organization personnel. Software developers may benefit from OWASP's secure coding practices document [7]. Training material and lecture videos about web security can also be found on various web portals. Organization personnel must be trained in general web security, system awareness and secure internet usage.

3.3 Discovery and risk assessment

Discovery and risk assessment is the understanding of risks and vulnerabilities as well as the expected results of possible mitigations. This can be achieved by analysis, modelling and simulation [8]. Several definitions introduce and explain applicable security technology in terms of vulnerability testing and assessment, intrusion detection, security monitoring of web traffic, encryption, and hardening of network architecture, system hardware and operating systems [9].

3.4 Prevention

Prevention is the reduction of risk by predicting threat effects.
This can be achieved by means of deterrence and other "passive" countermeasures (e.g. security by design) [8]. Information security professionals must continuously mature their capabilities. It is easier to prevent than to detect and recover. Preventing an attack needs deep analysis and planning. Security measures must be taken to protect information from unauthorized modification, destruction or disclosure, whether accidental or intentional. At the end of the prevention phase, usage and security standards, controls and processes should be designed and implemented. Security policies, system awareness and web application usage procedures are all interrelated and should be developed early on. The information security policy is the most important element, on which all else is built [10].

3.5 Detection

Detection is the capability of real-time recognition of abnormal conditions or behaviours. This can be achieved by means of "active" sensors or technological tools [8]. The most important element of the detection phase is timely detection and notification of a web attack. An IDS is used for this purpose [10]. An IDS can work signature-based or anomaly-based.

3.6 Response

Response is the quick reaction to threats. This can be achieved by adopting early warning, situational awareness and decision support systems [8]. An important element of the response phase is creating a response plan before any attack happens. Organizations should create a response team for unwanted incidents. The response team, working with management, will quickly convene to investigate and consider specific incidents, then lay out a detailed response plan for each incident according to the type of attack and the threat to the organization and its stakeholders [11].

3.7 Recovery

First of all, access to the affected systems must be shut down to prevent the attacker from causing more harm. The vulnerabilities which enabled the attack must be identified and closed.
Vulnerability remediation and post-incident analysis must be performed. By building web security incident recovery services and a properly working backup system, the system must be restored to full operation, performing a recovery from backup if needed. If the incident affects users, the necessary warnings must be issued to guarantee the safety of personal information.

3.8 Management

Better web security primarily depends on a multi-layer security architecture. Monitoring and auditing are needed to ensure that the aforementioned security systems perform successfully. An administrative system must be established which guarantees the correct configuration of the infrastructure components, revises the configuration when needed, detects the components which hinder the system and works in synchrony with all the other systems.

4. Conclusions

Providing security for web applications has become a major problem. Web application administrators may be confused about which attacks can be inflicted on their applications and what can be done to prevent them. In this study, the attacks and their respective prevention methods are examined in general terms, and an infrastructure model is created which can be used by institutions. The model consists of 8 layers. It explains the necessary precautions before an attack, how to ensure the system is affected as little as possible during an attack, and the actions to be taken after an attack. A system is as strong as its weakest link. Thus, with the human factor foremost, the elements which endanger or threaten the web application's security must be identified and the necessary improvements made.

5. References

[1] Symantec, Internet Security Threat Report, 2016.
[2] OWASP, Top 10 – 2013: The Ten Most Critical Web Application Security Risks, The Open Web Application Security Project, 2013.
[3] Spett, K., Cross-site scripting, SPI Labs, 2005, 1: pp. 1-20.
[4] Hui, W., Preventing Insecure Direct Object References In App Development, 2014. Available from: http://www.cs.tufts.edu/comp/116/archive/fall2014/hwang.pdf
[5] Eshete, B., Villafiorita, A. and Weldemariam, K., Early detection of security misconfiguration vulnerabilities in web applications, in: Availability, Reliability and Security (ARES), 2011 Sixth International Conference on, IEEE, 2011.
[6] Karaarslan, E., Tuğlular, T. and Şengonca, H., Enterprise Wide Web Security Infrastructure, Akademik Bilişim Conferences, 2008, pp. 237-246.
[7] OWASP, OWASP Secure Coding Practices Quick Reference Guide, 2010. Available from: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
[8] Flammini, F., Critical infrastructure security: assessment, prevention, detection, response, WIT Press, 2012.
[9] Ralston, P.A., Graham, J.H. and Hieb, J.L., Cyber security risk assessment for SCADA and DCS networks, ISA Transactions, 2007, 46(4): pp. 583-594.
[10] LaPiedra, J., The Information Security Process: Prevention, Detection and Response, Global Information Assurance Certification Paper, 2002.
[11] Acunetix, IT Security Includes Cyber Attack Response, 2013. Available from: http://www.acunetix.com/blog/articles/security-includes-cyber-attack-response/