Common web application vulnerabilities and attacks, and recommended mitigation strategies

The World Wide Web has evolved into a critical delivery pipeline for institutions to interact with customers, partners and employees.
Via browsers, people use web sites to send and receive information via Hypertext Markup Language (HTML) messages to web applications housed on web servers. This information, expected to consist of legitimate messages, can be used in unauthorized ways to exploit security vulnerabilities.
- Authentication - One of the biggest web application weaknesses is the failure to provide a means of strong authentication to verify that the end user is who he or she claims to be. Before granting access to a web application, a server may require the end user to authenticate, either to identify the user or to determine the user's access privileges. To mitigate these risks: employ strong authentication, such as HTTPS, with encrypted credentials; require authentication at specified time intervals or on movement between web pages; regularly test authentication; and implement authorization.
- SQL injection - Many web applications do not properly strip user input of unnecessary special characters or validate information contained in a web request before using that input directly in SQL queries. SQL injection is an attack technique that takes advantage of the web application to extract or alter information from the database. Hackers enter SQL queries or characters into the web application to make it execute an unexpected, malicious action. Such queries can result in access to unauthorized data, bypassing of authentication or the shutting down of a database, regardless of whether the database resides on the web server or a separate server. To mitigate these risks: ensure the application will not process SQL commands from the user; design and program web applications so that client-supplied values are never treated as SQL syntax; and apply default error handling.
- Denial of service - Many web applications are vulnerable to denial-of-service (DoS) attacks that can consume increasing amounts of network bandwidth, causing loss of performance or a total shutdown of the affected network. DoS attacks may be as simple as repeated requests for a single URL from a single source, or can be more complex, with a coordinated effort from multiple machines barraging the URL. To mitigate these risks: ensure that the application functions properly when presented with large volumes of transactions, requests or traffic; block repeated requests from a single URL; and prevent application overload by performing content filtering with the firewall.
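
The SQL injection mitigations listed above, shown as an added example that is not part of the original essay: a login check that pastes client-supplied values into the SQL text, next to one that binds them as parameters and applies default error handling. The table, account, function names and sample input are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory database holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'constructed-hash-1')")
    return db

def login_vulnerable(db, name, pw_hash):
    # Client-supplied values are pasted into the SQL text, so a quote
    # character in the input becomes part of the statement's syntax.
    sql = ("SELECT name FROM users WHERE name = '%s' AND pw_hash = '%s'"
           % (name, pw_hash))
    return db.execute(sql).fetchone() is not None

def login_hardened(db, name, pw_hash):
    # Placeholders keep the values out of the SQL grammar: the driver
    # binds them as data, whatever characters they contain.
    sql = "SELECT name FROM users WHERE name = ? AND pw_hash = ?"
    try:
        return db.execute(sql, (name, pw_hash)).fetchone() is not None
    except sqlite3.Error:
        # Default error handling: fail closed and return nothing about
        # the database or the failed statement to the client.
        return False

# Constructed input containing quote characters and SQL keywords.
QUOTE_INPUT = "' OR '1'='1"

def compare(db):
    """Return (vulnerable_result, hardened_result) for the constructed input."""
    return (login_vulnerable(db, "alice", QUOTE_INPUT),
            login_hardened(db, "alice", QUOTE_INPUT))
```

With the constructed input the concatenating version reports a successful login without the stored value, while the parameterized version compares the input as a literal string and refuses it.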
A set of firewalls should be used to separate the interior net (and probably a demilitarized zone) from the Internet. Intrusion Detection Systems should be used to notify the system administrators of unusual activities. The firewall rules should include some sanity checks for source and destination addresses. Packets arriving from the Internet must not have a source address originating from the interior net, and vice versa. By rejecting packets from the interior net with a non-local source address, packet spoofing becomes impossible.
This technique is known as ingress and egress filtering. Even if a host is invaded by a hacker, these rules make it impossible to use that host as a platform for further attacks requiring spoofed packets. In contrast to attacks focusing on implementation or protocol errors, it is rather difficult to defend against DoS or DDoS attacks which overload the system's network connection or local resources. These attacks usually put a heavy load on the target by making regular requests very rapidly. It is hard to distinguish whether a web server is being stormed by thousands of clients or whether there is a DoS attack in progress.
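
The ingress and egress sanity checks described above can be modelled in a few lines. This is an added example, not part of the original essay; the address plan (10.0.0.0/8 as the interior net, 192.0.2.0/24 as the demilitarized zone) and the function names are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Assumed address plan, constructed for this example.
INTERIOR = ip_network("10.0.0.0/8")    # interior net
DMZ = ip_network("192.0.2.0/24")       # demilitarized zone
LOCAL_NETS = (INTERIOR, DMZ)

def is_local(addr):
    """True if addr belongs to one of the site's own networks."""
    return any(addr in net for net in LOCAL_NETS)

def check_packet(arrived_from, src, dst):
    """Return (verdict, reason) for a packet at the border firewall.

    arrived_from is "internet" or "interior": the side it came in on.
    """
    try:
        src_ip, dst_ip = ip_address(src), ip_address(dst)
    except ValueError:
        return ("drop", "malformed address")
    if arrived_from == "internet":
        # Ingress: an outside packet claiming an inside source is spoofed.
        if is_local(src_ip):
            return ("drop", "ingress: local source arriving from outside")
        if not is_local(dst_ip):
            return ("drop", "ingress: destination is not on this site")
    elif arrived_from == "interior":
        # Egress: inside hosts may only send with a local source address.
        if not is_local(src_ip):
            return ("drop", "egress: non-local source leaving the site")
    else:
        return ("drop", "unknown interface")
    return ("accept", "passes address sanity checks")

# Constructed sample traffic: (side, source, destination).
SAMPLE = [
    ("internet", "198.51.100.7", "192.0.2.10"),   # normal inbound request
    ("internet", "10.1.2.3", "192.0.2.10"),       # spoofed interior source
    ("interior", "10.1.2.3", "203.0.113.5"),      # normal outbound request
    ("interior", "198.51.100.7", "203.0.113.5"),  # spoofed from a local host
]

def verdicts():
    return [check_packet(*pkt)[0] for pkt in SAMPLE]
```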
A simple way to cope with the problem of heavy load is to use a server farm together with a load balancer. This will help against small attacks, but not against a DDoS started from several hundred hosts. Furthermore, increasing the number of servers is rather expensive.

Attack on the Justice Department’s Web site

An apparent denial of service attack, which overloads a site’s servers with requests for access, crippled portions of www.Justice.gov.
Its site was experiencing “a significant increase in activity, resulting in degradation in service,” and officials said they would treat the situation “as a malicious act until we can fully identify the root cause of the disruption.” A loosely affiliated group of hackers known as Anonymous said the attack was in response to DOJ’s decision to shut down Megaupload.com on charges that the popular Web site illegally shared movies, television shows and e-books. Members of the Anonymous faction released a video regarding the attack, along with a brief statement, neither of which details the motivation for this latest attack on the DoJ or the contents of the data the attack exposed. Anonymous members launched a series of distributed denial of service (DDoS)

The statement from the group is as follows:

“Greetings world, we are Anonymous. Today we are releasing 1.7GB of data that used to belong to the United States Bureau of Justice, until now. Within the booty you may find lots of shiny things such as internal emails, and the entire database dump. We lulled as they took the website down after being owned; clearly showing they were scared of what inevitably happened. We do not stand for any government or parties; we stand for freedom of people, freedom of speech and freedom of information. We are releasing data to spread information, to allow the people to be heard and to know the corruption in their government. We are releasing it to end the corruption that exists, and truly make those who are being oppressed free. The price we pay very often is our own freedom. The price governments pay is the exposure of their corruption and the truth being revealed, for the truth will set us free in the end. So once more we call on you. Hackers, activists, and freedom fighters; join us in our struggle against these corporate hypocrites” (Anonymous).
Although DDoS attacks cannot be prevented outright, organizations are not defenseless. By working with their Internet service providers and deploying specialized DDoS defense technologies and services, government and political organizations can mitigate the effects of DDoS attacks to ensure that election-based information, voting details, and general political services remain available over the Internet. There are several steps that government agencies and political campaigns can implement to reduce their risk. These four best practices can help organizations mitigate the effects of DDoS attacks.
- Create a DDoS response plan far in advance of election season - A DDoS response plan lists and describes the steps that these organizations should take if or when their IT infrastructure is attacked. The plan includes steps for contacting Internet service providers (often these are also other local, state, or federal government agencies), characterizing the attack, taking mitigation steps, and possibly invoking disaster recovery measures.
As with many plans, the true value is in the planning process before an attack happens. Waiting until an attack occurs is the wrong time to find out that there are no resources available to mitigate the attack and restore voter services.
- Adopt a layered approach to DDoS defense - Generally speaking, there are two classes of DDoS attacks: high-bandwidth network layer floods and lower-volume application layer DDoS attacks. Election-oriented organizations should adopt multiple layers of DDoS defense.
Even if your Internet provider already supplies a DDoS attack mitigation service to help defend against network flood DDoS attacks, organizations also need an on-premise DDoS defense solution to fight increasingly frequent application-layer DDoS attacks.
- Secure Web applications and servers that contain election-related information - The operating systems and Web server software must be continually checked to ensure that the latest patches are applied. Custom applications should be reviewed and verified for security before deployment. Best practices for password policies and other authentication should be used.
Finally, comprehensive network security technologies, including firewall, intrusion prevention, and DDoS defense, should be key parts of the infrastructure in which the Web application server is deployed.
- Protect DNS infrastructure - The Internet domain name system (DNS) is a distributed naming system that enables us to access the Internet by using names such as www.state.gov rather than more complicated IP addresses (e.
1) on which network infrastructure relies to route messages from one computer to another. Because it is distributed, many organizations use and maintain their own DNS servers to make their systems visible on the Internet.

- Hall, J. (2012). Mcgladrey risk advisory. Retrieved October 17, 2012 from http://mcgladrey.com/Risk-Advisory-Services/The-UltraSecure-Network-Architecture
- Headlines. (2012, 0522). Anonymous claims department of justice hack, data dump. Retrieved from http://anonnews.org/press/item/1521/
- Information Security: Recent Attacks on Federal Web Sites Underscore Need for Stronger Information Security Management: T-AIMD-99-223. (1999). GAO Reports, 1.
- Kennedy, S. (2005). Common web application vulnerabilities. Retrieved October 17, 2012 from http://www.isaca.org/Journal/Past-Issues/2005/Volume-4/Pages/Common-Web-Application-Vulnerabilities1.aspx
- Tian, Z. (2006). Defending against distributed denial-of-service attacks. Web Intelligence & Agent Systems, Sep 2006, Vol. 4 Issue 3, p341-351, 11p, 3 Diagrams, 1 Chart, 4 Graphs.