Security Vulnerabilities and Mitigation Techniques of Web Applications
Hossain Shahriar, Department of Computer Science, Kennesaw State University, Kennesaw, GA 30144, USA
[email protected]

ABSTRACT
Web applications contain vulnerabilities that may lead to serious security breaches such as the theft of confidential information. To protect against such breaches, it is necessary to understand the detailed steps of attacks and the pros and cons of existing defense mechanisms. This tutorial provides an overview of four web application security vulnerabilities: SQL injection, Cross-Site Scripting, Cross-Site Request Forgery, and clickjacking. It then discusses two popular mitigation approaches: security testing and monitoring. The tutorial is intended to enable practitioners to choose the right technique to defend against web application security vulnerabilities.

Categories and Subject Descriptors
C.2.0 [COMPUTER-COMMUNICATION NETWORKS]: General, Security and protection. H.2.7 [DATABASE ADMINISTRATION]: Security, Integrity, and Protection.

General Terms
Security, Languages, Verification.

Keywords
Web security, SQL Injection, XSS, CSRF, Clickjacking, Security testing, monitoring.

1. INTRODUCTION
Web applications are implemented in different languages, and many of them contain security vulnerabilities at the code level (e.g., insufficient input sanitization). Some vulnerabilities can instead be attributed to runtime features (e.g., browsers automatically attach cookies to outgoing requests). These vulnerabilities open the door for attackers to perform malicious activities with or without the knowledge of victims. A recent survey by Grossman [1] indicates that web applications from various domains (e.g., banking, healthcare, IT, education, social networking) are still commonly found to be vulnerable, and fixing reported vulnerabilities may easily take more than a month. Another report [2] indicates that SQL Injection (SQLI) and Cross-Site Scripting (XSS) are still the two top-ranked vulnerabilities discovered in web applications, followed by session management vulnerabilities. These vulnerabilities can result in security breaches such as the theft of confidential information and session hijacking. It is therefore necessary to increase awareness of common web security vulnerabilities, their impact on end users, and the available mitigation techniques.

In this tutorial, we discuss four types of web application vulnerabilities: SQLI [3], XSS [4], Cross-Site Request Forgery (CSRF) [5], and clickjacking [6], and we show examples of how each is exploited. We then discuss two well-known mitigation approaches: security testing and monitoring (e.g., [7-10]). For security testing, we compare existing approaches on common features such as test case generation, source of test cases, test case granularity, and vulnerability coverage [11]. For monitoring, we examine existing techniques based on their monitoring objectives, such as code execution flow and code structure integrity. The tutorial is intended to highlight the context and applicability of each mitigation approach so that practitioners can choose the mitigation techniques suited to their needs.

2. REFERENCES
[1] J. Grossman, How does your website security stack up against peers? WhiteHat Report, Summer 2012. Accessed from https://www.whitehatsec.com/assets/WPstats_summer12_12th.pdf
[2] Application Vulnerability Trend Report, Cenzic White Paper, 2013. Accessed from http://info.cenzic.com/rs/cenzic/images/CenzicApplication-Vulnerability-Trends-Report-2013.pdf
[3] SQL Injection, https://www.owasp.org/index.php/SQL_Injection
[4] XSS, https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
[5] Cross-Site Request Forgery, https://www.owasp.org/index.php/CrossSite_Request_Forgery_(CSRF)
[6] Clickjacking, https://www.owasp.org/index.php/Clickjacking
[7] H. Shahriar, S. North, and W. Chen, "Early Detection of SQL Injection Attacks," International Journal of Network Security & Its Applications (IJNSA), Vol. 5, No. 4, July 2013, pp. 53-65.
[8] H. Shahriar, V. Devendran, and H. Haddad, "ProClick: A Framework for Testing Clickjacking Attacks in Web Applications," Proc. of the 6th ACM/SIGSAC International Conference on Security of Information and Networks (SIN 2013), Aksaray, Turkey, November 2013, 8 pp. (to appear).
[9] H. Shahriar and M. Zulkernine, "S2XS2: A Server Side Approach to Automatically Detect XSS Attacks," Proc. of the 9th IEEE International Conference on Dependable, Autonomic and Secure Computing (DASC), Sydney, Australia, December 2011, pp. 7-14.
[10] H. Shahriar and M. Zulkernine, "Client-Side Detection of Cross-Site Request Forgery Attacks," Proc. of the 21st IEEE International Symposium on Software Reliability Engineering (ISSRE), San Jose, USA, November 2010, pp. 358-367.
[11] H. Shahriar and M. Zulkernine, "Mitigation of Program Security Vulnerabilities: Approaches and Challenges," ACM Computing Surveys, Vol. 44, No. 3, Article 11, pp. 1-46, May 2012.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SIN’13, November 26-28, 2013, Aksaray, Turkey. Copyright © 2013 ACM 978-1-4503-2498-4/00/10... $15.00
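The introduction names monitoring of code structure integrity as one mitigation objective. The following Python sketch is an added illustration of that idea for SQLI, not code from this tutorial or from the detector in [7]; the simplified token classes in `TOKEN_RE`, the constructed vulnerable builder `build_query`, and the check `is_structure_intact` are my own assumptions. The monitor compares the token-class structure of the query the developer intended (built with a benign placeholder) against the query built from the real input: a benign value keeps the structure, while input that smuggles in keywords, operators, comments or unbalanced quotes changes it.

```python
import re

# Simplified SQL token classes (assumption: this is not a full SQL lexer).
KEYWORDS = {"select", "from", "where", "and", "or", "union",
            "insert", "update", "delete", "drop"}
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<str>'(?:[^']|'')*')
  | (?P<num>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op>[=<>!]+|[(),;*])
""", re.VERBOSE | re.DOTALL)


def structure(sql):
    """Token-class signature of a statement: literal values are reduced to their
    class ('str', 'num'), so different benign inputs give the same signature,
    while input that adds keywords, operators or comments changes it."""
    sig, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if not m:                      # stray character, e.g. an unmatched quote
            sig.append("other")
            pos += 1
            continue
        kind = m.lastgroup
        if kind == "ident":
            word = m.group().lower()
            sig.append("kw:" + word if word in KEYWORDS else "ident")
        elif kind == "op":
            sig.append("op:" + m.group())
        elif kind != "ws":
            sig.append(kind)
        pos = m.end()
    return tuple(sig)


def build_query(user):
    # Constructed vulnerable pattern: the query is assembled by string concatenation.
    return "SELECT id FROM users WHERE name = '" + user + "'"


def is_structure_intact(template_fn, value):
    """Monitor check: the query built from the real input must have the same
    structure as the developer-intended query built with a benign placeholder."""
    return structure(template_fn("x")) == structure(template_fn(value))
```

A properly escaped value such as `O''Brien` passes the check, whereas the same name with an unescaped quote fails it, which is the behaviour a structure monitor should exhibit.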