2014 International Conference on Circuits, Systems, Communication and Information Technology Applications (CSCITA)
Rational Unified Treatment for Web Application Vulnerability Assessment
Priya R. L. and Lifna C. S., Department of Information Technology, VESIT, University of Mumbai
Dhanamma Jagli, Master of Computer Applications Dept., VESIT, University of Mumbai
Anooja Joy, Department of Computer Engineering, VESIT, University of Mumbai
Abstract: Web applications are increasingly used to offer e-services such as online banking, online shopping and social networking over the web. As web applications have grown in importance in the information society, so has the security of web application software, and attacks on web applications have multiplied alongside them. The root causes of these vulnerabilities are a lack of security awareness, design flaws and implementation bugs. Detecting and fixing vulnerabilities is the most effective way to improve web security. Many vulnerability analysis techniques for web-based applications detect and report different classes of vulnerability, but no single technique provides a generic, technology-independent handling of web-based vulnerabilities. In this paper a new approach to Web application Vulnerability Assessment (WVA) based on the Rational Unified Process (RUP) framework, hereafter referred to as the Rational Unified WVA, is proposed and implemented, and its results are analysed.

Keywords: Rational Unified Process, Web application Vulnerability Assessment, The Open Web Application Security Project.

I. INTRODUCTION
A web application vulnerability assessment [1,12] is the way to identify the mistakes in web application logic, configuration, implementation and deployment that jeopardize the security of data. Web-based attacks can lead to loss of revenue, the theft of customers' personally identifiable financial and other sensitive information, and loss of regulatory compliance with a multitude of government and industry mandates. The only way to minimize the risk posed by existing web vulnerabilities is to run a vulnerability assessment on the web applications. Mitigating the threats associated with web application vulnerabilities, and the attack methods that exploit them, need not be beyond the reach of any organization: many organizations build security into their Software Development Life Cycle (SDLC) by implementing a process to scan for web application vulnerabilities. This paper presents the treatment of web application vulnerability assessment through an iterative and incremental software development process framework that is especially well known for web development, the Rational Unified Process (RUP).

II. LITERATURE REVIEW
The Rational Unified Process [4] is a software engineering process for assigning tasks and responsibilities within a software development organization so as to ensure the production of high-quality software. RUP takes an evolutionary approach which has been shown in practice to be far more effective than the traditional serial "waterfall" approach that is still prevalent in many organizations.

A. The Rational Unified Process
IBM defines the Rational Unified Process [5] as a web-enabled system development process framework. It is based on sound software engineering principles, namely an iterative, requirements-driven and architecture-centric approach to web application development. RUP has four phases [2,5], shown in Fig. 1:
(1) Inception: requirements capture and analysis
(2) Elaboration: system- and class-level design
(3) Construction: implementation and testing
(4) Transition: deployment

Fig. 1. The Rational Unified Process Phases

B. The Open Web Application Security Project (OWASP)
The primary aim of OWASP [7] is to educate the stakeholders of a web development team about the consequences of the most important web application vulnerabilities. The OWASP Top 10 gives basic techniques for protecting against each high-risk problem area, together with guidance on that area. The OWASP Top 10 web application security risks released in 2013 begin with:
1) Injection
2) Broken Authentication and Session Management
3) Cross Site Scripting (XSS)
4) Insecure Direct Object References
978-1-4799-2494-3/14/$31.00 ©2014 IEEE

The Rational Unified Treatment for WVA was performed against the web application from BackTrack over the intranet. BackTrack gives users easy access to a large collection of security tools ranging from port scanners to security audit suites. Among these, w3af, an open source web application security scanner, was selected to discover, audit and exploit web application vulnerabilities.

Fig. 4. Environmental Setup

Fig. 5. w3af Environment

The w3af environment in Fig. 5 lists all scan configuration profiles and their associated plugins. Of the nine scan profiles, the OWASP profile was selected to perform Audit, Authentication, Discovery and Exploitation against the hosted website. w3af also delivers the results of its vulnerability assessment and exploitation tasks in several output forms, such as console, emailReport, gtkoutput and htmlFile.

VI. RESULTS
The four phases of the Rational Unified treatment for WVA are performed in sequence: first discovering the IT assets, then auditing the risks, threats and vulnerabilities associated with them, then exploiting the identified vulnerabilities, and finally listing the mitigation steps the organization must take to safeguard its IT assets.

Fig. 6 shows the progress of the Discovery phase in the w3af environment. Logs are generated by the selected plugins (fingerprint_os, serverStatus and so on) alongside the gtkoutput screen.

Fig. 6. Discovery Phase in w3af

Fig. 7 shows the progress of the Audit phase: the w3af console lists the XSS and XSRF vulnerabilities found, and the second half of the figure presents the same result graphically.

Fig. 7. List of XSS & XSRF vulnerabilities in w3af Audit

The KB Browser in the Results tab of w3af lists all information gathered from the web server. In Fig. 8, the Apache version is recovered from the error page that the web server returned for request id 89.

Fig. 8. KB Browser listing information gathered from Web Server
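The Discovery and Audit findings above (the Apache version recovered from an error page in Fig. 8, the XSS and XSRF entries in Fig. 7) can be reproduced in miniature over raw HTTP responses. The Python below is an added illustration written for this page; it is not code from the paper and not w3af's own plugin logic, which the paper does not describe. The two HTTP responses, the probe marker `<w3afxss>`, the regular expressions and the list of token-like field names are all constructed assumptions.

```python
import re
from html.parser import HTMLParser

# ---- Constructed sample responses (not captured from the paper's target) ----
SAMPLE_HEADERS = ("HTTP/1.1 404 Not Found\r\n"
                  "Server: Apache/2.2.22 (Ubuntu)\r\n"
                  "Content-Type: text/html\r\n")
SAMPLE_404 = """<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1><p>The requested URL /w3afxss was not found on this server.</p>
<hr><address>Apache/2.2.22 (Ubuntu) Server at 192.168.1.10 Port 80</address>
</body></html>"""
SAMPLE_SEARCH = """<html><body>
<p>Results for: <w3afxss></p>
<form method="post" action="/transfer">
  <input type="text" name="amount"><input type="submit" value="Send">
</form>
<form method="post" action="/login">
  <input type="hidden" name="csrf_token" value="9f8e2a51c0d4">
  <input type="text" name="user"><input type="submit" value="Login">
</form>
</body></html>"""

# ---- 1. Discovery: server version disclosure (cf. Fig. 8) ------------------
SERVER_HEADER = re.compile(r"^Server:\s*(.+)$", re.IGNORECASE | re.MULTILINE)
# Apache's default error page ends with "Apache/x.y.z (Distro) Server at host Port n"
APACHE_FOOTER = re.compile(r"Apache/[\d.]+(?: \([^)]*\))?")

def server_versions(headers, body):
    """Distinct version strings leaked by the Server header or by an Apache
    error-page footer, in the order they were found."""
    found = [m.group(1).strip() for m in SERVER_HEADER.finditer(headers)]
    found += [m.group(0) for m in APACHE_FOOTER.finditer(body)]
    return list(dict.fromkeys(found))

# ---- 2. Audit: reflected XSS (cf. Fig. 7) ----------------------------------
XSS_MARKER = "w3afxss"   # assumed probe name; it is sent as the value "<w3afxss>"

def xss_reflected(body, marker=XSS_MARKER):
    """True only if the probe comes back with its angle brackets intact.
    An HTML-encoded reflection (&lt;w3afxss&gt;) is harmless and not reported."""
    return ("<%s>" % marker) in body

# ---- 3. Audit: XSRF, a state-changing form without a token (cf. Fig. 7) ----
TOKEN_LIKE = re.compile(r"csrf|xsrf|token|nonce|authenticity", re.IGNORECASE)

class FormCollector(HTMLParser):
    """Record the method, action and hidden-field names of every <form>."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"method": (a.get("method") or "get").lower(),
                         "action": a.get("action") or "", "hidden": []}
        elif (tag == "input" and self._cur is not None
              and (a.get("type") or "text").lower() == "hidden"):
            self._cur["hidden"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None

def xsrf_candidates(body):
    """Actions of POST forms with no hidden field whose *name* looks like an
    anti-CSRF token. Name-based heuristic only: an unusually named token is
    missed and a constant-valued 'token' field passes, so review the output."""
    collector = FormCollector()
    collector.feed(body)
    return [f["action"] for f in collector.forms
            if f["method"] == "post"
            and not any(TOKEN_LIKE.search(n) for n in f["hidden"])]

def audit(headers, body):
    """Run the three checks on one response and return the findings."""
    return {"server_version": server_versions(headers, body),
            "xss": xss_reflected(body),
            "xsrf": xsrf_candidates(body)}

if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS, SAMPLE_404))     # version leak only
    print(audit(SAMPLE_HEADERS, SAMPLE_SEARCH))  # XSS reflected, /transfer lacks a token
```

The version string from the first check is fingerprinting evidence, not a vulnerability on its own; as in the paper's workflow it feeds the Audit and Exploit phases, which have to confirm each candidate. The XSRF check is deliberately name-based, so its output is a list of forms to confirm by hand rather than a list of confirmed findings.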
Fig. 9. Exploit tab listing all the vulnerabilities to be exploited

In Fig. 9 the Exploit tab lists all vulnerabilities gathered from the web server. Double-clicking an entry in the list exploits the selected vulnerability, as shown in Fig. 10.

Fig. 10. Exploitation of XPATH injection vulnerabilities

The fourth phase, Evasion, is carried out on the basis of the reports generated by the first three phases, shown in the figures above. The Discovery report (Fig. 6) lists the IT assets and resources of the target machine. In the Audit phase (Fig. 7 and Fig. 8) the vulnerabilities are identified and forwarded to the KB Browser. The Exploit phase (Fig. 9) lists every vulnerability that can be exploited from the attacker's machine; once specific vulnerabilities have been selected in that window, the status of their exploitation is shown in Fig. 10. These reports are then produced in several formats, such as e-mail attachment, HTML file, XML file and plain text (Fig. 5). Using these reports as a benchmark, the top-level management of an enterprise can apply security measures, formulated with regard to its business rules, to protect the IT assets and resources of the target machine.

VII. CONCLUSION
In this paper we integrated the Rational Unified Process framework into Web application Vulnerability Assessment. The framework identifies the IT assets of an organization, helps to locate the vulnerabilities present on the target machine, and generates reports on the identified threats in several formats. The vulnerabilities are then exploited as a determined intruder or attacker would exploit them. The reports generated in the first three phases of the RUP model form the basis on which appropriate countermeasures are proposed to the senior management of an enterprise in order to secure the web application. Such an iterative approach helps to reduce the vulnerabilities in web resources and to protect web application and network assets from hackers and attackers.

ACKNOWLEDGMENT
We are grateful to Dr. (Mrs.) Nupur Giri (HOD, Computer Engineering) and Dr. (Mrs.) M. Vijayalakshmi (HOD, Information Technology) for giving the time and resources for the successful completion of our work.
REFERENCES
[1] M. Gregg and D. Kim, "Inside Network Security Assessment: Guarding Your IT Infrastructure".
[2] J. Dhanamma and T. Rohini, "The Unified Approach for Organizational Network Vulnerability Assessment", IJSEA, Vol. 4, No. 5, September 2013.
[3] A. Riancho, "w3af User Guide", Document Version 2.1, August 2012.
[4] I. Jacobson, G. Booch and J. Rumbaugh, "Rational Unified Process – Best Practices for Software Development Teams", Rational Software Corp., White Paper TP026B, Rev. 11/01.
[5] P. Kruchten, "The Rational Unified Process: An Introduction", 3rd ed. Reading, MA: Addison-Wesley Longman, Inc., 2004.
[6] W. Royce, "Software Project Management: A Unified Framework". Reading, MA: Addison-Wesley Longman, Inc., 1998.
[7] https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
[8] K. Sharma and N. Kumar, "SWART: Secure Web Application Response Tool", ICCCCM, 2013.
[9] H. Tian, X. Jing, L. Kunmei and Z. Ying, "Research on strong-association rule based web application vulnerability detection", ICCSIT, 2009.
[10] H. T. Le, "Evaluating AVDL descriptions for web application vulnerability analysis", ISI, 2008.
[11] "Understanding web application security challenges", IBM White Paper, Web Application Security Management, January 2008.
[12] S. Splaine, "Testing Web Security: Assessing the Security of Web Sites and Applications", Wiley.