Security Evaluation of Online Shopping Cart Software Design Using Neural Network
Abstract
The alarming rate at which security breaches occur in many software applications today calls for
software to be developed more securely. As most security flaws have been attributed to design errors in
software applications, security needs to be integrated into software applications during the software
development lifecycle (SDLC). However, integrating security into software applications is an on-going
challenge for developers who, among other constraints, are hard pressed with limited time and budget
and often consider security as an afterthought. To avoid costly and difficult late changes to software
applications during SDLC, we have proposed a neural network tool that matches design scenarios to
attack patterns which show possible attacks in the scenarios, so that developers can integrate proper
security capability in their design. To illustrate how the tool can be used to evaluate a real design, a
case study on an online shopping cart in which the tool is used to evaluate different design scenarios is
presented in this paper. The result of the performance of the neural network tool in the case study
shows that developers can make informed decisions on mitigating the risks in their software designs
with the aid of this tool.
Keywords: Neural Network, Software Security, Attack Pattern
1. Introduction
In the last decade, system applications and their data have been targets of cyber-attacks. Attackers are
becoming more skilled in probing mission-critical systems for security flaws with the aid of sophisticated
tools (Colins et.al, 2011) (Allen, 2008). Many successful attacks, such as the attacks on Heartland Payment
Systems, Sony's PlayStation Network and Google, reveal that millions of credit card details were
stolen, intellectual property data were stolen, and personal records of customers or employees were
exposed (Armerding 2012) (Imperva 2011). Apart from this, victims of these attacks lose millions of
dollars and face legal actions as a result of their security breach. Furthermore, the confidence of the
millions of customers and businesses directly affected by the attacks in the affected organization
becomes eroded. This is confirmed in a survey of 1000 people conducted by Entersekt, in which 53% said
they have either been directly affected by credit card fraud or knew someone who had. Also, 41%
went further to say that they are convinced their accounts will be breached in the future (Entersekt,
2012).
Over the years the attack surface of software applications has increased significantly. Many software
applications which were not designed to work online are now connected to the internet. Therefore,
anybody anywhere in the world with the right capability can connect to any system and interact with it.
To secure these applications, network security solutions such as perimeter security, firewalls, encryption,
anti-virus, intrusion detection systems (IDS) and operating system level protection have been used.
However, as most attacks are aimed at software applications directly, these forms of protection are no
longer adequate (Goertzel, et.al 2007) (Crist, 2007). In view of this, John Pescatore, vice president of
Gartner group, argues that 70% of all successful attacks have exploited application vulnerability
(Desmond, 2004).
Therefore, to secure software applications, security needs to be specified within their own architecture
beyond the level of the system and network architecture. It needs to be integrated as an emergent
property of the software product and not some sort of feature or function to be bolted on after the
software has been developed. Security practitioners supporting this view also argue that the way in
which the application is designed and built is significant in terms of reducing the likelihood and number
of vulnerabilities the application will contain (Goertzel, 2007). However, with limited time and budget,
security often takes the back seat during SDLC as developers try to release their software products into
the market early. Apart from this, many software developers lack the required knowledge on security
and are sometimes frustrated with the added burden of security, which is not their only or primary
concern (Kienzle and Elder, 2003).
To assist in integrating security into software applications early during SDLC when it is easier and
cheaper to fix security flaws, we proposed a neural network based tool in a previous paper which will
enable software developers to evaluate their software design for security flaws (Adebiyi et.al, 2012).
With the aid of this tool, developers who lack knowledge of security can match attack patterns to their
software design. Based on this analysis, developers can identify possible threats to their software
product and apply appropriate security measure to mitigate the threats. Using the design of an online
shopping cart in a case study, we illustrate how attack patterns can be matched to design scenarios
using the tool in this paper.
The remainder of this paper is organized as follows. Section two gives a brief overview of the neural
network tool. Section three describes how the neural network tool is applied to an online shopping cart
in a case study. In section four, discussion on future work of this research is presented and in section
five, a conclusion to this paper is presented.
2. The Neural Network Tool
Our proposed Neural Network tool is based on the abstract and match technique through which
software flaws in a software design can be identified when an attack pattern is matched to the design.
Using well known approaches such as DFD and sequence diagrams, software developers are able to
abstract information about their software designs needed by the neural network tool for matching
possible attack patterns. When potential attack patterns are matched against the design, software
developers are able to take necessary steps in mitigating the security flaw identified. This approach
builds on the method proposed by Williams and Gegick (2006). The authors argue that by performing
security analysis for existing threats (SAFE-T) developers can match symbols of regularly expressed
attack patterns they have created to their software design in order to identify security flaws in the
design. The regularly expressed attack patterns consist of software components which show sequential
events that occur during an attack and are used for identifying vulnerabilities in a software design. With
this in mind, information on the components forming the attack patterns was abstracted and used as
attributes of the attack patterns. Using these attributes our proposed neural network tool was trained
to match design scenarios to the regularly expressed attack patterns. The attributes consist of the
following:
1. The Attacker
2. Source of attack
3. Target of the attack
4. Attack vector
5. Attack type
6. Input Validation
7. Dependencies
8. Output encoding to external applications/services
9. Authentication
10. Access Control
11. HTTP Security
12. Error handling and logging
[Figure 1: diagram with the labels "Software Design" and "Attack Patterns"]
Figure 1 is an overview on the process of matching attack patterns to software design by the neural
network tool. From a software design, different design scenarios can be modeled and analyzed. For
instance, from the sequence diagram of a software design, information on components and events
involved in the design can be abstracted. This will include the actors, the resources and the actions the
actors performed in the design scenario. From a list of attack components that has been generated
using this approach, components capturing the information in the design scenario are used to model the
design scenario. Using the attack attributes above, information on the modelled design scenario is then
abstracted and analysed by the neural network tool. Based on this information, the neural network
produces an output which indicates the possible attack pattern for the design scenario that has been
analysed.
3. Case Study: Online Shopping Cart Design
The design for the online shopping portal by Mohan et.al (2009) is adopted in this paper to illustrate
how the proposed neural network tool can be used to evaluate software design for security flaws. In the
design scenario, a customer visits the portal to either view or buy products. The customer searches for
the product by selecting the appropriate category and brand. To purchase the product, the customer
adds the product to the shopping cart, which he can also edit by deleting already added products and
adding new products. Once the customer has completed his shopping, he checks out and is prompted
to sign in if he is an existing customer or to register if he is not. After signing in, the customer is
directed to the secure payment section where he confirms the delivery address and also provides his
payment details. At the last stage of the order, a confirmation page is displayed to confirm the shipment
ID and delivery of the product within 15 days. From the design, three scenarios were evaluated. The
attack patterns identified for each scenario by the neural network tool are presented below. Figure 2 is
the class diagram for the design of the online shopping portal.
Figure 2
3.1 Design Scenario 1: Product Selection
In this design scenario, the customer visiting the portal searches the portal by selecting the product
category and then the brand to view from different products. Product selected by the customer is
described as the cart item when it is added to the cart in the class diagram in Figure 2. The system
returns a cart id for each cart item added to the cart. Figure 3 is the sequence diagram for this scenario.
In Figure 4 the data for the cart id is stored in a backend database. Using the attack attributes above, the
data capturing the design scenario in Table 1 is generated.
Table 1: Attack attributes for scenario 1

| S/N | Attributes | Observable | Value |
|-----|------------|------------|-------|
| 1 | Attacker | No access | 0 |
| 2 | Source of Attack | External | 1 |
| 3 | Target of Attack | Information | 54 |
| 4 | Attack Vector | Query String | 77 |
| 5 | Attack Type | Confidentiality | 9 |
| 6 | Input validation | No Validation | 3 |
| 7 | Dependencies | Input validation and access control | 6 |
| 8 | Output encoding | | 3 |
| 9 | Authentication | | 0 |
| 10 | Access Control | | 4 |
| 11 | HTTP Security | | 3 |
| 12 | Error handling and Logging | | 0 |

Systems vulnerable to this kind of attack could be exploited by attackers to find out information on
products, suppliers, administrator, and customer accounts stored in backend databases. This
information can be used to stage further attacks on the system. In the CVE Details online database,
ShopCartCGI version 2.3 is reported to be vulnerable to this attack under CVE-2004-0293 (CVE Details,
2004). The attacker is able to retrieve any file on the webserver using the privileges of the webserver.
The main cause of the security flaw in this attack is insufficient sanitization of user
supplied input in the URL. Therefore, to mitigate the security flaw in this design scenario, it would be
necessary to implement security measures that will validate every user supplied input before it is used
by the system.
3.2 Design Scenario 2: Cart Submission
In this scenario, the customer checks out after adding products he decides to buy to the shopping cart.
The cart checks out each cart item by requesting the cart item class to calculate the cost. Following this,
data on the cart is stored on the database which generates a cart id for the cart. Figure 4 shows the
sequence diagram of this scenario. The data capturing the design scenario using the attack attributes is
shown in Table 2.
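
| S/N | Attributes | Observable | Value |
|-----|------------|------------|-------|
| 1 | Attacker | No Access | 0 |
| 2 | Source of Attack | External | 1 |
| 3 | Target of Attack | Data | 20 |
| 4 | Attack Vector | SQL Input | 90 |
| 5 | Attack Type | Confidentiality | 9 |
| 6 | Input validation | No validation | 3 |
| 7 | Dependencies | Validation and access Control | 6 |
| 8 | Output encoding | None | 0 |
| 9 | Authentication | None | 0 |
| 10 | Access Control | Service access | 3 |
| 11 | HTTP Security | Input Validation | 3 |
| 12 | Error handling and Logging | None | 0 |
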
For this design scenario, attack components capturing the information in the scenario are selected from
the list of attack components. In a similar way to design scenario 1, the attacker is performing the role of
the customer in the sequence diagram in Figure 4. Also, the attacker has no administrative access and
the source of attack is external. The target of the attack is the data stored in the backend database. SQL
Input is chosen as the attack vector as this is also a common method of attack on online systems,
especially for querying backend databases maliciously. Since the success of this attack will lead to
disclosure of sensitive information, this attack is against the confidentiality of the system. From the
system diagram in Figure 4, there is no evidence of validation of user supplied input or sanitization of
data passed to backend systems. No authentication has been made against the customer (attacker) and no
information has been given on how errors will be handled or logged.
The neural network tool produced an output of 8.9988 when the values of the attributes in Table 2 were
used as its input. This corresponds to regularly expressed attack pattern 9, in which the attacker injects
SQL into the URL in order to query backend databases. This attack pattern is represented as:
(User)(SQLInput)(Server)(WebApplication)(Database)(Data)
With respect to design scenario 2, the user (or attacker) could maliciously retrieve data from the
database by injecting SQL input into the URL in order to corrupt the data stored about his shopping cart
or view data on customer and administrative accounts stored in the database. The vulnerability
represented in this attack pattern was reported in the CVE database under CVE-2004-0300 about
Ecommerce Corporation Online Store Kit 3.0 releases (CVE Details, 2004). Through this vulnerability the
attacker is reported to be able to stage cross site scripting and SQL injection attacks. Under the
discussion of this vulnerability in the Security Focus vulnerability database, it was revealed that attackers
could view or modify sensitive information in the database and disclose the administrator password by
exploiting the vulnerability (Security Focus, 2004). The cause of this security flaw is failure to properly
sanitize user supplied input in the URL. An example of this attack as listed in the Bugtraq vulnerability
database is stated below (Bugtraq, 2004).
http://address/directory/shop.php?cat=[query]
In order to mitigate the risk in this design scenario, a security measure needs to be implemented in the
design that will sanitize user supplied input before it is used by the application in any way.
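The mitigation described for design scenario 2, shown as an added example (it is not code from the paper or from the products it cites): the same category lookup written with the URL value concatenated into the SQL text, and then with validation followed by a bound parameter. It uses Python with an in-memory SQLite database; the table, the function names, the category policy and the sample value are all constructed for illustration.

```python
import re
import sqlite3

# Constructed sample value: a tautology placed where the advisory shows [query].
HOSTILE_CAT = "x' OR '1'='1"

# Assumed policy for category names: short, lowercase letters, digits, _ and -.
CAT_RE = re.compile(r"[a-z0-9_-]{1,32}")


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, cat TEXT, name TEXT);
        INSERT INTO products (cat, name) VALUES
            ('books', 'Secure Coding'),
            ('books', 'Threat Modeling'),
            ('toys',  'Robot Kit');
        """
    )
    return db


def products_unsafe(db, cat):
    """Design as evaluated: the URL value is concatenated into the SQL text."""
    sql = "SELECT name FROM products WHERE cat = '" + cat + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def query_bound(db, cat):
    """Parameter binding: the value is always data, never part of the statement."""
    sql = "SELECT name FROM products WHERE cat = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (cat,))]


def products_safe(db, cat):
    """Validate first (allow-list and length bound), then use a bound parameter."""
    if not isinstance(cat, str) or not CAT_RE.fullmatch(cat):
        raise ValueError("rejected category value")
    return query_bound(db, cat)


if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal :", products_unsafe(db, "books"))
    print("unsafe, hostile:", products_unsafe(db, HOSTILE_CAT))
    print("bound,  hostile:", query_bound(db, HOSTILE_CAT))
    try:
        products_safe(db, HOSTILE_CAT)
    except ValueError as exc:
        print("safe,   hostile:", exc)
    print("safe,   normal :", products_safe(db, "books"))
```

With concatenation the constructed value changes the WHERE clause and every row comes back; with binding alone it is compared as a literal and matches nothing, and the validation step rejects it before the database is reached.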
3.3 Design Scenario 3: Log in
In the log in design scenario, the customer is prompted to log into his account by supplying his login
credentials. The login credentials are then validated by checking the details of the user on the database. If
the credentials supplied by the user are valid, the user is granted access to his account. Figure 5 shows
the sequence diagram for this scenario. The data capturing the design scenario using the attack
attributes is shown in Table 3.
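
| S/N | Attributes | Observable | Value |
|-----|------------|------------|-------|
| 1 | Attacker | No access | 0 |
| 2 | Source of Attack | External | 1 |
| 3 | Target of Attack | Authentication Routine | 5 |
| 4 | Attack Vector | Username Entry | 101 |
| 5 | Attack Type | Confidentiality | 9 |
| 6 | Input validation | No Validation | 3 |
| 7 | Dependencies | Validation | 3 |
| 8 | Output encoding | None | 0 |
| 9 | Authentication | Hash password | 25 |
| 10 | Access Control | Service access | 3 |
| 11 | HTTP Security | Input Validation | 3 |
| 12 | Error handling and Logging | None | 0 |
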
Similar to design scenarios 1 and 2, the attacker in Table 3 performing the role of the customer has no
prior access to the system and the source of attack is external. The target of the
attack is the authentication routine of the system, through which users are authenticated
before being allowed to view sensitive information or carry out authorized actions in the system. The
username entry functionality provided in the username field of the login page of the system is chosen as
the attack vector as this is also a common method used to circumvent authentication in online systems.
As the point of interest for an attacker in this particular design scenario could be gaining access into
various accounts in the shopping portal, the success of the attack will lead to disclosure of sensitive
information. Therefore, this attack is against the confidentiality of the system. From the sequence
diagram, it can be seen that although the system attempts to validate user login details, what the user
enters in the login screen is not sanitized before it is passed on to be validated. This shows that no
input validation was done and neither was the outgoing data sanitized before it is passed to backend
systems. For the authentication attack attribute, hash password was used based on the assumption
that this is what is implemented in the design scenario. Also, there is no information given in the
sequence diagram to show whether failed or successful login is logged in the system.
Using the values in Table 3 as input for the neural network tool, the network produced an output of
7.9786, which corresponds to regularly expressed attack pattern 8. In this attack, the attacker submits
a long string of characters for the username. This causes a buffer overflow that enables the attacker to
escalate his privileges. The attack pattern is represented as:
(User)(UserNameEntry)(AuthenticationServer*)(PasswordEntry) (AuthenticationRoutine)
In essence, the attacker in design scenario 3 could enter a long string of characters in the username field
of the login page of the system when logging in. Without validating the user supplied input, the system
allows its buffer to overflow. With this vulnerability, the attacker could bypass authentication, escalate
his privilege, run arbitrary code on the system or access unauthorized information from the backend
database. The CVE Details online vulnerability database records this vulnerability under CVE-2004-0286
about Robot FTP server 1.0 and server 2.0 beta (CVE Details 2004). It was reported that this vulnerability
could also be exploited to cause total compromise of the system's integrity and total denial of service to
legitimate users. The exploitation of this vulnerability was demonstrated in Bugtraq by using a username
of over 47 characters for logging into the application. This resulted in a denial of service (Bugtraq,
2004). The main cause of this vulnerability is reported to be failure due to insufficient boundary
checking (Security Focus, 2004). In a similar way to design scenarios 1 and 2, security measures need to
be integrated in this design scenario that will validate user supplied input and check boundary
conditions in order to mitigate this vulnerability.
4. Future work
Various security tools have been developed to aid software developers in integrating security into
software applications during SDLC. However, most of these tools are used in the late phase of SDLC. As
the focus of this research work is integrating security during the early phase of SDLC especially during
the design phase, it is our intention to carry out a comparative study in which the neural network tool
would be compared to security tools currently used in integrating security during the design phase of
SDLC. Result of this comparative analysis should include how effective it is in identifying security flaws
and its performance based on security background of the user using the tools. Furthermore, to improve
the performance of the neural network tool, information from attack patterns which capture security
flaws in software designs from other authors and from CAPEC (Common Attack Pattern Enumeration
Classification) would be used in training the neural network. Also, it is desirable that the neural network
suggest possible security measures that can mitigate the vulnerability in the attack pattern that has
been matched to the software design. This could be in form of security patterns or other security
solutions which could be applied to the software design being evaluated to make it secure. There is also
need for further testing of the neural network tool before it can gain acceptance as a tool for matching
attack pattern to software designs.
5. Conclusion
As the environment in which software applications are running continues to be hostile, with more
intelligent attackers and more sophisticated attack tools, software applications need to be developed
with security in mind so that they can continue to function reliably in the presence of attacks. In this
paper, a neural network tool that can be used to match attack patterns to software design has been
presented. Information from the regularly expressed attack patterns by Williams and Gegick has been used
for training the neural network. With the aid of the neural network tool, software developers who have no
experience in security can evaluate their software design for security flaws and build more secure
software applications. Based on the information on attack patterns matched to design scenarios,
developers are able to make informed decisions on what security capability to implement in their
software design in order to mitigate the risk that has been identified. To illustrate how the tool can be
used, a case study was carried out on an online shopping cart design. From this design, three design
scenarios were analysed by the neural network tool. Using our attack attributes, information from the
design scenarios was abstracted and analysed by the neural network tool. The design scenarios were
matched to attack patterns which show possible attacks that could be carried out in the scenarios
because of inherent security vulnerabilities that can be exploited by attackers. As most security flaws
have been attributed to software design flaws, one of the benefits of this approach is that developers
are able to resolve the flaws early during SDLC before coding begins. This helps in avoiding costly
redesign later during SDLC or costly maintenance work after the software has been deployed.
References
[1] Adebiyi A., et.al., (2012), Applicability of Neural Network to Software Security, In proceedings of the UKSim 14th International Conference on Computer Modelling and Simulation, Cambridge, United Kingdom, pp19-24
[2] Allen, J.T. (2008), Tackling software security: An increasing threat, CIO, Available at: http://www.cio.com/article/440106/Tackling_Software_Security_An_Increasing_Threat (Last accessed November 2012)
[3] Armerding, T. (2012) The 15 worst data breaches of the 21st century, CSO, Available at: http://www.csoonline.com/article/700263/the-15-worst-data-security-breaches-of-the-21st-century (Last accessed November 2012)
[4] Bugtraq (2004) ZH2004-07SA (security advisory): Multiple Sql injection, Available at: http://marc.info/?l=bugtraq&m=107712117913185&w=2 (Last accessed November 2012)
[5] Bugtraq (2004) Buffer overflow in Robot FTP Server, Available at: http://marc.info/?l=bugtraq&m=107696194306878&w=2 (Last accessed November 2012)
[6] Colins, W., Coates, M., Melton, J. and Groves, D. (2011) Creating attack aware software applications with real time defenses, Crosstalk, The Journal of Defense Software Engineering, Vol.24(5), p14-18
[7] Crist, J., (2007) Web Based Attacks, SANS Institute Reading room, Available at: http://www.sans.org/reading_room/whitepapers/application/web-based-attacks_2053 (Last accessed November 2012)
[8] CVE Details (2004) CVE-2004-0286, CVE, Available at: http://www.cvedetails.com/cve/CVE-2004-0286 (Last accessed November 2012)
[9] CVE Details (2004) CVE-2004-0293, CVE, Available at: http://www.cvedetails.com/cvedetails.php?cve_id=CVE-2004-0293 (Last accessed November 2012)
[10] CVE Details (2004) CVE-2004-0300, CVE, Available at: http://www.cvedetails.com/cvedetails.php?cve_id=CVE-2004-0300 (Last accessed November 2012)
[11] Desmond, P. (2004) All-out blitz against web attacks, Network World, Available at: http://www.networkworld.com/techinsider/2004/0517techinsidermain.html (Last accessed November 2012)
[12] Entersekt, (2012) 41% of people believe online banking and shopping is akin to playing Russian Roulette, Entersekt, Available at: http://www.entersekt.com/russian-roulette.php (Last accessed November 2012)
[13] Goertzel, K.M. (2007) Software security Assurance, Cyber Security & Information Assurance (CSIA), Available at: http://iac.dtic.mil/csiac/download/security.pdf (Last accessed November 2012)
[14] Mohan, A. et.al, (2009) Online shopping portal, Symbiosis Centre for Information Technology Pune, Available at: http://www.scribd.com/doc/20467513/CaseStudy-Online-Shopping-Cart (Last accessed November 2012)
[15] Imperva, (2011) Security Trend 2012, Imperva, Available at: http://www.imperva.com/docs/HI_Security_Trends_2012.pdf (Last accessed November 2012)
[16] Kienzle, M. D and Elder, M.C. (2002) Final Technical Report: Security Patterns for Web Application Development, Defense Advanced Research Project Agency (DARPA), Available at: http://www.scrypt.net/~celer/securitypatterns/final%20report.pdf (Last accessed October 2012)
[17] Security Focus (2004) Ecommerce Corporation Online Store Kit Multiple SQL Injection Vulnerabilities, Available at: www.securityfocus.com/bid/9687/discuss (Last accessed November 2012)
[18] Security Focus (2004) RobotFTP Server Username Buffer Overflow Vulnerability, Available at: http://www.securityfocus.com/bid/9672/info (Last accessed October 2012)
[19] Williams, L. and Gegick, M. (2006) On the design of more secure software-intensive systems by use of attack patterns, Information and Software Technology, Vol. 49, pp381-397