Assignment: Web Application Attack Scenario
Web Application Attacks
A secure web server provides a protected foundation for hosting applications. Web server configuration plays a serious role in web application security. Poorly configured virtual directories are a common mistake and can lead to unauthorized access: they can offer a convenient back door, while an unused open port can be an attacker's entry point. Neglected user accounts can also give an attacker access. Because attacks can be carried out remotely, a web server is a natural target. Understanding the threats to a web server and then identifying the appropriate countermeasures makes it possible to anticipate attacks.
The main threats to a web server are: unauthorized access, profiling, privileged access, malicious programs and code, and denial of service.
Unauthorized access happens when a user without the required permissions gains access to sensitive data or performs a restricted operation. The common vulnerabilities that lead to unauthorized access are weak NTFS permissions and excessive system privileges. The countermeasures against unauthorized access are secure web and NTFS permissions and URL authorization.
Profiling is the procedure an attacker uses to gather information about a web site; the attacker then uses that information to target known weak points. The common vulnerabilities that make a web server susceptible to profiling are open ports and unnecessary protocols that expose configuration details. The techniques used in profiling include NetBIOS and SMB enumeration.
Protecting against profiling involves blocking all unnecessary ports and Internet Control Message Protocol (ICMP) traffic, as well as disabling unnecessary protocols such as NetBIOS.
Input validation becomes a security problem when an attacker notices that an application makes assumptions about the attributes of its input data, such as type, range, length, or format. The attacker can then supply malicious data that damages the application.
Once the network- and host-level entry points are secured, the public interfaces exposed by the application are the only remaining source of attack. Application input is the surest way to probe the system and the means by which an attacker executes malicious code. An application without proper input validation may be vulnerable to SQL injection.
An SQL injection attack exploits weaknesses in input validation to execute SQL statements in the database. It can occur when an application uses input data to build the SQL statements that access the database. It can also happen when the application code passes that input to stored procedures. Using SQL injection, the attacker may run arbitrary commands in the database. The vulnerability is more dangerous when the web application connects to the database with a privileged account. In that case, the attacker can use the database server to retrieve, manipulate, and delete data, run operating system commands and, in doing so, possibly infect other servers.
A web application is vulnerable to SQL injection when it passes unvalidated user input into the database. Code that builds dynamic SQL statements from unfiltered user input is particularly vulnerable. An attacker injects SQL by terminating the intended SQL statement and then appending a malicious command.
The countermeasures that prevent SQL injection include the following. Perform thorough input validation: the web application should validate its input before making any request to the database. Use parameterized stored procedures to access the database; this ensures that input strings are not interpreted as executable statements. Use least-privileged accounts for database access.
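As an added illustration of the dynamic-SQL weakness and the validation and parameterization countermeasures described above (example code written for this page, not taken from the cited sources or any product), the following Python script runs against a constructed in-memory SQLite table; the users table, its columns, and the username format rule are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data: an in-memory users table with two rows (assumed schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

def lookup_unsafe(conn, username):
    # Dynamic SQL built from unfiltered input: the input becomes part of the
    # statement text, so a quote inside it terminates the intended string
    # literal and whatever follows is executed as SQL.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # Parameterized query: the driver sends the value separately from the
    # statement, so the value is compared as data and never parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Allow-list rule for the assumed username format: type, length and character set.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def is_valid_username(value):
    # Validate before the database is ever contacted.
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None

def lookup_validated(conn, username):
    # Defense in depth: reject malformed input, then use the parameterized query.
    if not is_valid_username(username):
        raise ValueError("rejected input")
    return lookup_parameterized(conn, username)

if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"                      # terminates the literal, appends a condition
    print(lookup_unsafe(conn, payload))          # every row leaks
    print(lookup_parameterized(conn, payload))   # []
    print(lookup_validated(conn, "alice"))       # [('alice', 'alice@example.test')]
```

Running the script shows the same input returning every row through the concatenated query and nothing through the parameterized one, which is the behaviour the countermeasures above rely on.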
People remain the weakest link in any security program. For example, a senior executive with privileged system credentials opens an email that appears legitimate but is in fact a well-disguised attack. Poor judgment, such as browsing a website with weak security, can likewise lead to identity theft or other malicious attacks.