
A Survey on Web Application Security

2020, International Journal of Scientific Research in Computer Science, Engineering and Information Technology

https://doi.org/10.32628/CSEIT206543

Web application security has become a real concern due to the increase in attacks and data breaches. As applications become more critical, complex and connected, the difficulty of achieving application security increases exponentially. There are tools and techniques to detect the attacks, threats and vulnerabilities that exist in an application, with which developers can prevent and mitigate the associated risk. This paper evaluates various web application attack detection mechanisms and how resistant they are to various attacking techniques. Such an evaluation is important not only for measuring the available defenses against web application attacks, but also for identifying gaps in order to build effective solutions for the different defense techniques on web applications, and for use in further study. Based on this research, the limitations of these application attack detection techniques are identified and remedies are proposed for improving the current state of attack detection on web applications.

International Journal of Scientific Research in Computer Science, Engineering and Information Technology, ISSN : 2456-3307 (www.ijsrcseit.com), doi : https://doi.org/10.32628/CSEIT206543

Danish Mairaj Inamdar, Prof. Shyam Gupta
Savitribai Phule Pune University, Pune, Maharashtra, India

Article Info
Volume 6, Issue 5, Page Number: 223-228
Publication Issue : September-October-2020
Article History : Accepted : 05 Sep 2020; Published : 15 Oct 2020
Keywords : Input Validation; Open Web Application Security (OWASP); Vulnerability Assessment

I. INTRODUCTION

Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure. The rapid pace of modern software development processes makes risks even more critical to discover quickly and accurately. Flaws in an application are then exploited, leading to attacks on the application. Web application security risks are evaluated against recommendations from leading practices, adopted as an application security standard, that cover around 80-90% of all common attacks and threats. To prevent attacks, the Open Web Application Security (OWASP) Top Ten list is considered the standard for vulnerability assessment. It includes vulnerabilities such as Injection, Authorization bypass, Authentication, Cross-site Scripting and XML External Entities. The paper is organized as follows: the first section introduces the different vulnerabilities in web applications; the second section covers ways to mitigate the various vulnerabilities; the third section compares the available attack detection mechanisms against common security flaws.

Copyright: © the author(s), publisher and licensee Technoscience Academy. This is an open-access article distributed under the terms of the Creative Commons Attribution Non-Commercial License, which permits unrestricted noncommercial use, distribution, and reproduction in any medium, provided the original work is properly cited.

Danish Mairaj Inamdar et al Int J Sci Res CSE & IT, September-October-2020; 6 (5) : 223-228

II. LITERATURE SURVEY

A. Vulnerabilities of Modern Web Application

Existing work in web application security focuses especially on general security flaws: injection, cross-site scripting, sensitive data leakage, user authorization and user authentication [1]. It includes a comparison of pen-testing tools and ways to mitigate the flaws found in a use-case application.

B. Web Application Security Approach

Existing research on securing web applications showcases different approaches such as Web Application Firewalls, vulnerability assessment and penetration testing [2]. The current state of web application security has shortcomings, as preventive mechanisms are not implemented at run-time. Attackers are also becoming smarter, finding new and clever ways to craft malicious inputs that bypass the firewall's input filters. Passive approaches such as Vulnerability Assessment and Penetration Testing are effective in threat and attack detection, but they are time-consuming processes.

III. PROPOSED METHODOLOGY

As long as code and data cannot be distinguished by machines, injection attacks will prevail. The proposed methodology helps to mitigate this. Run-time Application Self Protection (RASP) is a technology that executes on a server and kicks in when an application is in the running state. It is designed to detect attacks on an application in real time. When an application begins to run, RASP can protect it from untrusted input or behavior by analyzing both the application's behavior and the context of that behavior. By using this technology in the application to continuously monitor its own behavior, attacks can be identified and mitigated immediately without human intervention.

It incorporates security into the running application wherever it resides on a server. It intercepts all calls from the application to the system, making sure they are secure, and validates data requests directly inside the application. Both web and non-web applications can be protected by using it. The technology does not affect application design, because its detection and protection features operate on the server the application is running on. This methodology helps the application to differentiate between the code and the data present in the web application, in order to detect attacks and mitigate the vulnerabilities.

A. Block-Diagram

The Run-time Application Self Protection technology injects security at runtime and prevents the application core layer from direct interaction with user-level requests and responses, through a security-layer protection as shown in Fig. 1.

Fig. 1. Block-Diagram: RASP security layer

B. Working Principle

Run-time Application Self Protection by Application Programming Interface instrumentation and dynamic white-listing is achieved through three methods: lexical analysis, context determination and monkey patching.

Lexical Analysis and Token Generation

RASP uses a lexical analysis approach to scan the input program and convert it into a sequence of tokens. Generally, tokenization takes a sequence of characters that can be treated as a unit in the grammar of the programming language and divides the program into valid tokens.

Example of tokens: type tokens (id, number, real, ...); punctuation tokens (IF, void, return, ...); alphabetic tokens (keywords).
Example of non-tokens: comments, pre-processor directives, macros, blanks, tabs, newlines etc.

Fig. 2. Lexical Analysis for sample code

Context Determination helps to determine the context of code by parsing the test code into a Document Object Model (DOM) tree view to understand the syntax, as shown in Fig. 3.

Fig. 3. DOM Tree

Monkey patching, also known as run-time hooking, is a way for a program to extend or modify supporting system software locally. It helps to patch functions and methods.

Based on the above methods, different flaws can be protected against, such as SQL query injection, Operating System command injection and Cross-site Scripting. It involves hooking the Application Programming Interface, modifying the behavior and flow of calls for untrusted input based on context matching. The next step involves learning the normal behavior of requests and creating a white-list based on the rules formed. Finally, Run-time Application Self Protection blocks malicious requests into the system by detecting attacks at run-time.
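The code-versus-data distinction that lexical analysis gives a RASP hook, as an added worked example (my illustration, not the paper's code): a small SQL tokenizer following the paper's token and non-token classes compares the token structure of the query the application is about to run with that of its template, so user data that contributes keywords, operators or extra literals is flagged. The query template, the `{}` slot convention and the sample values are constructed for the demonstration.

```python
import re

# Added illustration (not the paper's code): a RASP hook that has intercepted the SQL
# text an application is about to execute tokenizes it and compares the token structure
# with the developer's template. User data may only ever be one literal token.
TOKEN_RE = re.compile(
    r"(?P<SKIP>\s+|--[^\n]*|/\*.*?\*/)"   # non-tokens: blanks and comments
    r"|(?P<STRING>'(?:[^']|'')*')"       # quoted literal; '' is an escaped quote
    r"|(?P<NUMBER>\d+(?:\.\d+)?)"
    r"|(?P<IDENT>[A-Za-z_][A-Za-z_0-9]*)"
    r"|(?P<OP><=|>=|<>|!=|[=<>+\-*/%])"
    r"|(?P<PUNCT>[(),;.])"
    r"|(?P<OTHER>.)",                     # anything else, e.g. a stray quote
    re.DOTALL,
)
KEYWORDS = {"select", "from", "where", "and", "or", "not", "union", "insert",
            "update", "delete", "drop", "into", "values", "like", "null"}


def tokenize(sql):
    """Split SQL text into (kind, text) pairs, discarding blanks and comments."""
    tokens = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "SKIP":
            continue
        if kind == "IDENT" and text.lower() in KEYWORDS:
            kind = "KEYWORD"
        tokens.append((kind, text))
    return tokens


def structure(sql):
    """Token shape: code tokens keep their text, data tokens are reduced to their kind."""
    return [(k, t.upper() if k in ("KEYWORD", "OP", "PUNCT") else "")
            for k, t in tokenize(sql)]


def is_injection(template, user_value):
    """True if pasting user_value into the template changes the query's token structure.

    The template marks the slot with '{}' inside quotes, as a vulnerable string-building
    application would; the expected structure is the template with an empty literal.
    A properly escaped quote ("O''Brien") stays one literal, an unescaped one does not.
    """
    expected = structure(template.format(""))
    actual = structure(template.format(user_value))
    return expected != actual
```

The real fix remains parameterized queries; this check is what a hook can do when it only sees the already-built string.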
C. Algorithm Steps (Work-flow)

The RASP technique can be applied to various vulnerabilities. For path traversal:

Step 1 : Hook the File Input/Output Application Programming Interface, e.g. io.open("/directory/filename","permissions")
Step 2 : Learn about directories and file extensions
Step 3 : Block any unknown file directories and extensions

IV. RESULT AND DISCUSSIONS

Before examining the results of our research, we provide a definition of Web Application Firewalls and their shortcomings, and justify the usage of Run-time Application Self Protection. A Web Application Firewall intercepts requests to a potentially vulnerable web application, applying rules to evaluate whether a request contains input that might exploit the application. This process requires complex configuration, and it may fail open under high load, leaving web applications vulnerable. For a firewall to function at its peak, one needs to know what the vulnerable inputs to the web application are, so that the appropriate protections can be applied to those input fields. In contrast, Run-time Application Self Protection integrates with the underlying code libraries and protects the vulnerable areas of the application at the source code level. When a user makes a function call containing parameters that might cause harm to the web application, it intercepts the call at run-time, logging or blocking the call depending on the configuration. This method of protecting a web application differs fundamentally from a firewall. The key features that differentiate Run-time Application Self Protection are detection of attacks and vulnerabilities, no hardware requirements, zero code modification and easy integration. It also eliminates false positives, as it can differentiate between application data and user data.

Table 1. Comparison of Run-time Application Self Protection and Web Application Firewall

Parameter   | Run-time Application Self Protection                                                      | Web Application Firewall
Accuracy    | Monitors inbound and outbound data based on pattern matching and logic flaws               | Detection without considering the input passed into the application
Reliability | Will not fail under high load, regardless of server load                                   | Single point of failure under high load on the server
Platforms   | Any instrumented application                                                               | Only web applications
Visibility  | May provide detailed feedback to developers to show how to remediate code vulnerabilities  | Offers detailed insight into the application
Maintenance | Automatically understands changes to the application                                       | Can gain application context through training only

This technology originated as a solution not only to simplify testing for application security risks, but also to mitigate real-time threats to production applications. It has also evolved to provide powerful capabilities for database monitoring and application attack visibility, leading to faster remediation. It ensures that the application is protected with no impact on operations and performance. Early implementations of the technology could cause as much as a 10 percent increase in response times within the application tier, but performance is constantly improving.

V. CONCLUSION

Run-time Application Self Protection stands above any traditional Web Application Firewall by protecting web applications out of the box with minimal (if any) configuration needed. This feature could substantially reduce risk by enabling application protection immediately upon deployment. Its capability to instrument at the Application Programming Interface layer allows it to detect attacks precisely. It reports fewer false positives because of its ability to perform context-sensitive matching. There is also a need to deal with the challenges of building an ideal Run-time Application Self Protection solution and of adapting other security techniques in combination with it.

VI. REFERENCES

[1]. F. Holik, S. Neradova, "Vulnerabilities of Modern Web Applications," MIPRO 2017, May 22-26, 2017, Opatija, Croatia.
[2]. Ashikali M Hasan, "Perusal of Web Application Security Approach," 2017 International Conference on Intelligent Communication and Computational Techniques (ICCT), Manipal University Jaipur, Dec 22-23, 2017.
[3]. M. Alenezi, Y. Javed, "Open source web application security: A static analysis approach," in: 2016 International Conference on Engineering MIS (ICEMIS), pp. 1–5 (Sept 2016).
[4]. S. Rafique, M. Humayun, B. Hamid, A. Abbas, Akhtar, K. Iqbal, "Web application security vulnerabilities detection approaches: A systematic mapping study," in: 2015 IEEE/ACIS
[5]. M. Cova, V. Felmetsger, and G. Vigna, "Vulnerability Analysis of Web Applications," in Testing and Analysis of Web Services, L. Baresi and E. Dinitto, Eds. Springer, 2007.
[6]. J. Sohn, J. Ryoo, "Securing web applications with better patches: An architectural approach for systematic input validation with security patterns," in: 2015 10th International Conference on Availability, Reliability and Security, pp. 486–492 (Aug 2015).
[7]. Marcelo Invert Palma Salas, Paulo Lício de Geus, Eliane Martins, "Security Testing Methodology for Evaluation of Web Services Robustness - Case: XML Injection," Institute of Computing, UNICAMP, Campinas, Brazil, 2015.
[8]. Z. Mao, N. Li, and I. Molloy, "Defeating cross-site request forgery attacks with browser-enforced authenticity protection," in FC'09: 13th International Conference on Financial Cryptography and Data Security, 2009, pp. 238–255.
[9]. L. Zhou, J. Ping, H. Xiao, Z. Wang, Geguang Pu, and Z. Ding, "Automatically Testing Web Services Choreography with Assertions," in Proceedings of the 12th International Conference on Formal Engineering Methods and Software Engineering (ICFEM'10), Springer-Verlag, Berlin, Heidelberg, 2010.
[10]. H. Hakim, A. Sellami, H.B. Abdallah, "Evaluating security in web application design using functional and structural size measurements," in: 2016 Joint Conference of the International Workshop on Software Measurement and the International Conference on Software Process and Product Measurement (IWSM-MENSURA), pp. 182–190 (Oct 2016).
[11]. Daniel Nations, "Improve Your Understanding of Web Applications," lifewire.com, 17 October 2016.
[12]. OWASP Secure Coding Practices, "OWASP Secure Coding Practices - Quick Reference Guide," 11 May 2017.
[13]. WHITEHAT SECURITY, INC., "Web Applications Security Statistics Report 2016," WHITEHAT SECURITY, INC., 2016.
[14]. Danny Allan, strategic research analyst, IBM Software Group, "Web application security: automated scanning versus manual penetration testing," IBM Software Group, January 2008.

Cite this article as : Danish Mairaj Inamdar, Prof. Shyam Gupta, "A Survey on Web Application Security", International Journal of Scientific Research in Computer Science, Engineering and Information Technology (IJSRCSEIT), ISSN : 2456-3307, Volume 6 Issue 5, pp. 223-228, September-October 2020. Available at doi : https://doi.org/10.32628/CSEIT206543
Journal URL : http://ijsrcseit.com/CSEIT206543
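The three-step path-traversal work-flow of Section III.C (hook the file I/O API, learn directories and extensions, block the unknown), as an added example in Python (my illustration, not the paper's code): the file API is hooked by monkey patching builtins.open, which in CPython is the same object as io.open; a learning phase records the directories and extensions the application normally touches, and enforcement then blocks and logs anything else, judging a path only after resolving any ".." segments. The class and function names and the sample paths are constructed for the demonstration.

```python
import builtins
import os
from pathlib import Path

# Added example of the Section III.C work-flow (not the paper's code): hook the file
# I/O API by monkey patching, learn which directories and extensions the application
# normally uses, then block anything outside that white-list.
_ORIGINAL_OPEN = builtins.open     # in CPython, io.open is this same object


class FileAccessGuard:
    def __init__(self):
        self.learning = True       # Step 2 while True; Step 3 applies once False
        self.allowed_dirs = set()
        self.allowed_exts = set()
        self.blocked = []          # audit log of blocked paths, for alerting

    @staticmethod
    def classify(path):
        # Resolve ".." and symlinks first, so the decision is made on the real
        # directory rather than on the string the caller supplied.
        p = Path(path).resolve()
        return str(p.parent), p.suffix.lower()

    def check(self, path):
        directory, ext = self.classify(path)
        if self.learning:
            self.allowed_dirs.add(directory)
            self.allowed_exts.add(ext)
            return True
        allowed = directory in self.allowed_dirs and ext in self.allowed_exts
        if not allowed:
            self.blocked.append(str(path))
        return allowed


GUARD = FileAccessGuard()


def guarded_open(file, *args, **kwargs):
    # Step 1: the replacement for open(); integer file descriptors pass through.
    if isinstance(file, (str, os.PathLike)) and not GUARD.check(file):
        raise PermissionError(f"RASP: blocked file access to {file!r}")
    return _ORIGINAL_OPEN(file, *args, **kwargs)


def install_hook():
    builtins.open = guarded_open   # monkey patching, i.e. run-time hooking
```

Run the application's normal test traffic with GUARD.learning left True, then set it to False before exposing the service; the blocked list is what a detection pipeline would forward as alerts.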