2014 IEEE International Conference on Computer, Communication, and Control Technology (I4CT 2014), September 2-4, 2014, Langkawi, Kedah, Malaysia

SQL Injections Attack and Session Hijacking on E-Learning Systems

Sum Keng Chung (1), Ow Chee Yee (2), Manmeet Mahinderjit Singh (3), Rohail Hassan (4)
(1, 2, 3) School of Computer Sciences, Universiti Sains Malaysia, 11800, Penang, Malaysia
(4) Universiti Teknologi Petronas, Bandar Seri Iskandar, Malaysia
(1, 2) {skchung.ucom10, ocyee.ucom10}@student.usm.my, (3) [email protected], (4) [email protected]

978-1-4799-4555-9/14/$31.00 ©2014 IEEE

Abstract—E-learning enables the acquisition of knowledge and information through technologies such as computers, smartphones, tablets and wide area networks. E-learning contributes to the field of education, for example in universities, because it improves education quality and makes the distribution and sharing of teaching material efficient. However, because e-learning tools reside on open networks, they are prone to various security attacks. In this paper, we classify security attacks on e-learning technology into active and passive attacks. Next, two major attacks, the SQL injection attack and session hijacking, are explored in depth. A case study for each attack, investigating the vulnerabilities in e-learning systems, and solution mechanisms to tackle these attacks are also presented. An evaluation of the proposed solutions against the X.800 security architecture is done at the end of the study.

Index Terms—E-learning, Security, SQL injection, Session Hijacking, X.800 security architecture

I. INTRODUCTION

In the recent era, the term e-learning is frequently used to describe a method of learning that uses electronic technology. It enables the acquisition of knowledge and information through technologies such as computers, smartphones, tablets and wide area networks. Through the use of e-learning, many universities have improved their learning and teaching processes. Since e-learning systems depend on the network, they are vulnerable to security attacks. Users often use e-learning services without realizing the security and privacy concerns involved.

In this paper, we investigate the types of attacks that can be launched against e-learning systems. The objectives of this paper are i) to classify security attacks according to the method of their propagation; ii) to investigate in depth two important attacks, the SQL injection attack and session hijacking, and present some existing defense mechanisms; and iii) to apply the X.800 security architecture to evaluate the solutions to these attacks. The outline of the paper is as follows. Section II presents the background of e-learning systems and classifies security attacks according to their propagation mechanism. In Section III, we focus on the SQL injection attack and session hijacking in depth, with a case study for each attack that investigates the vulnerabilities in e-learning systems. Section IV proposes a solution for each attack, and Section V evaluates the proposed solutions against the X.800 security architecture.

II. RELATED WORK

In this section, an overview of e-learning and a classification of security attacks are presented.

A. E-learning Systems Overview

An e-learning system transmits information for training or education by utilizing technology. This concept of teaching and instructing is spreading widely and has been adopted on most learning platforms, as it enables interaction between instructors and learners, or among learners, regardless of time and space. Learning materials and training are distributed through the system with the help of the internet and electronic devices.

Many attacks have been made on e-learning systems to exploit the information stored in them. E-learning systems are susceptible to attacks such as identity theft, impersonation and exploitation of inadequate authentication, all aimed at obtaining the information held in the system. As e-learning develops, more complex functionalities and features are added, but their security may be overlooked by the developers or may not be strong enough. This in turn attracts attackers who invade the system to test their hacking skills or for other malicious purposes. According to a security survey, the top three types of security attacks are insider abuse of network access, viruses and laptop/mobile device theft [1]. The attacks focus on the components of the e-learning system such as web services, server computer systems, client computer systems and database systems.

E-learning systems have become a very popular learning method for schools, universities and businesses alike. Many open-source as well as commercial e-learning software packages are available on the market. Examples of e-learning software are WebCT [2], [3, 4, 5]. Moodle [3] is one of the most widely used e-learning systems; as open-source software it stands out from its competitors because of its usability and user-friendliness. Instructors are able to produce high-quality online learning materials with ease, and the system improves learner satisfaction with online learning.



B. Security Attacks Classification

Next, some of the possible security attacks that can be launched on an e-learning system are discussed. These attacks can be classified into active attacks and passive attacks. An active attack modifies the information or data of the target: the attacker tries to break into the target system and input data, which changes the system's data and information. A passive attack does not break into the system and requires no human intervention. Instead of modifying the data or information of the system, a passive attack is more like listening to the communication of the targeted system. Table 1 shows the classification of security attacks into active and passive attacks.

TABLE 1: CLASSIFICATION OF ACTIVE ATTACKS AND PASSIVE ATTACKS ON E-LEARNING

Active Attacks                        Passive Attacks
----------------------------------    ------------------------------
Integrity Attacks                     Blocking attack
Malicious Code Attacks                Session Eavesdropping Attacks
Traffic Modification Attacks
Traffic Deletion Attacks
Forgery (counterfeit) Attacks
Authentication Attacks
Man-in-the-Middle Attacks (MITM)
Node Attacks
Replay Attacks
SQL Injection
Insider / Distributed DoS attacks
Key Management Attacks

Below are the possible attacks that can be conducted against a current e-learning system.

• Traffic Modification Attacks
These attacks are most common during data or packet transfer. The attacker intercepts packets while they are being transferred and then rearranges or modifies selected bits of the packet data [8].

• Traffic Deletion Attacks
The principle is the same as in the traffic modification attack. Instead of modifying bits of the packet data, the attacker randomly deletes some of the data present on the communication channel [8].

• Forgery (counterfeit) Attacks
The attacker creates a fake or false representation of data that does not exist in the e-learning system and directs users to another address. The attacker can also use this attack to conduct a session hijack, by interrupting and intercepting a communication and continuing the communication with the targeted end user [8].

• Authentication Attacks
The attacker tries to masquerade as a legitimate user. There are many ways to do so; one of the easiest is to steal a password or other credential from a legitimate user.

• Man-in-the-Middle Attacks (MITM)
The attacker acts as a middle man and intercepts messages or data between users and the e-learning servers. When this attack is conducted, neither the users nor the e-learning system may know that their communication session has been compromised by a third party.

• Blocking attack
A blocking attack blocks users from accessing the e-learning site. Commonly, the information or data of the targeted e-learning system is attacked and the attackers obtain permission to access the targeted system.

• Insider DoS Attacks
In an insider DoS attack, a legitimate user known as an insider attacks by flooding traffic to all other members, so that the e-learning website becomes jammed or subverted by many unnecessary send and receive processes.

• Distributed denial-of-service attacks
The attack mechanism is similar to the insider DoS attack. Instead of being launched by a member of the e-learning system, the attack is conducted by an outsider who directs multiple end-user computers to launch it.

• Node Attacks
A node here means the session communication that involves senders and receivers in the e-learning system. The attacker attacks through a vulnerability of a legitimate user's node [19].

• Session Eavesdropping Attacks
The attacker observes the traffic sent and received between learners' processes in the e-learning system. This attack does not modify the content of the e-learning system; the attacker only observes the traffic transferred between users and the system.

• Key Management Attacks
The attacker conducts a key management attack to gain access to the e-learning system. The attacker takes advantage of a vulnerability in the key management scheme and uses information gained from a legitimate user to bypass the encryption scheme and access the private content of the e-learning system.

• Replay Attacks
The attacker intercepts a communication channel between users and the e-learning system and records the encrypted message. Afterwards, the attacker can masquerade as a legitimate user by presenting the recorded encrypted message.

• Integrity Attacks
Integrity attacks are very common in e-learning, as attackers can change the information or data of the e-learning system to obtain the result or objective they want. The attacker tries to modify or destroy information located on the e-learning site without any permission or authorization.

• Malicious Code Attacks
Malicious code attacks can be considered integrity attacks, although an integrity attack might be non-malicious in origin. Like an integrity attack, a malicious code attack attempts to change or modify the data of the e-learning site, and it may be more destructive than an integrity attack. Malicious code can take different forms such as a Trojan horse, worm or virus. In addition, one dangerous cyber-attack is the use of a peer-to-peer botnet to propagate viruses and worms across the network. For instance, an e-learning tool infected by malicious code could act as a host and propagate and distribute the malicious code to the client machines accessing the tool. Solutions to trace and eliminate this type of botnet attack have been proposed in [10, 11]. Shang et al. [10] propose the use of L-hop distance, in terms of shortest paths between nodes in unweighted graphs, to tackle botnet attacks. This method derives from [11], which focuses on optimal control theory. The author evaluates the botnet herder's rate of infection under given levels of entrance and defense and designs policies that evolve over time, ultimately solving the botnet defense problem.

III. CASE STUDIES: SQL INJECTION & SESSION HIJACKING

In this section, we investigate two active attacks, SQL injection and session hijacking, and present a case study of each.

A. SQL Injection Attack

SQL injection is an active attack that poses a threat to web applications that use a database, by injecting SQL queries through data-plane input. This type of attack exploits the system by changing the intended effect of an SQL query through the insertion of new keywords or operators into the query. It enables the attacker to gain unlimited access to the web application's database and the sensitive information in it. Obtaining the sensitive information contained in the database can further lead to identity theft, loss of confidential information or even fraud. This attack is classed as one of the most serious threats to web applications [12, 13].

In the current era, e-learning software is frequently used by educational institutes to conduct online learning for learners or students. Violettas et al. [9] recently studied the vulnerabilities of popular e-learning software. Their findings show that the e-learning software is not fully capable of defending itself against attackers. In their study, they selected four e-learning packages: ATutor, CommSy, eFront and Moodle. All of these are user-friendly open-source applications and can be obtained easily without costing the organization much. They used two vulnerability scanners, Netsparker and N-Stalker, to identify the loopholes in these four open-source e-learning packages. The two scanners confirmed that SQL injection can be launched against CommSy, while the other three e-learning packages are not vulnerable to the injection. In another study, Mohamed [6] uses a web vulnerability scanner named Acunetix that can check for a wide range of web application vulnerabilities. His study focuses on educational web applications at Kuwait University and concludes that the university's educational web applications are susceptible to SQL injection as well as other types of attacks.

B. Session Hijacking Attack

Session hijacking is also known as cookie hijacking. It is often used by an attacker to gain unauthorized access to a particular system in order to obtain the information and services they want. To conduct this attack, the attacker usually focuses on the victim's IP packets, so that commands or scripts can be inserted into an active communication to obtain relevant information, such as the victim's session ID [14]. Besides that, the attacker also tries to locate the victim's cookie, because the user's session ID is often stored in a cookie.

The real case discussed here is the BLACKBOARD LEARN system, known as one of the most popular e-learning systems in higher education worldwide. However, this system is considered insecure. The main reason for attackers to target Blackboard is that it is the repository of assignments, exam grades and exam papers. Version 8 of BLACKBOARD LEARN does not prevent attackers from inserting executable code into the system or from sending email with viruses from the system. Thus, attackers can use this vulnerability to perform a session hijacking attack by inserting cross-site scripting code into an assignment and submitting it to an educator. Once the educator opens and checks the submitted assignment, the code is executed in the background of the educator's browser.
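The mechanism described in Section III.A, as an added example that is not part of the paper: a login check built by string concatenation beside its parameterized form, both run against a constructed SQLite user table (the table, the accounts and the test input are all made up for this example).

```python
import sqlite3

# Constructed sample data standing in for an e-learning user table. Passwords are stored
# in clear here only to keep the example short; a real system stores salted hashes.
USERS = [("alice", "s3cret-pw", "instructor"), ("bob", "hunter2", "learner")]

def make_db() -> sqlite3.Connection:
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn

def login_vulnerable(conn, username: str, password: str):
    """Builds the query by string concatenation, so data-plane input becomes part of the
    SQL control plane: quotes and operators in the input change the query's meaning."""
    query = ("SELECT role FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_hardened(conn, username: str, password: str):
    """Binds the input as parameters; the query text is fixed before any user data is seen,
    so no input, whatever characters it contains, can alter the WHERE clause."""
    query = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None

def demo() -> dict:
    """Runs a legitimate login and a tautology-injected login against both versions."""
    conn = make_db()
    # Test vector: a quote closes the password literal and an OR operator makes the
    # WHERE clause always true, so the vulnerable query returns the first row.
    injected = "' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "bob", "hunter2"),
        "legit_hardened": login_hardened(conn, "bob", "hunter2"),
        "injected_vulnerable": login_vulnerable(conn, "nobody", injected),
        "injected_hardened": login_hardened(conn, "nobody", injected),
    }
```

The vulnerable version hands out the instructor role to a caller who knows no password at all, while the parameterized version treats the same input as an ordinary, non-matching string.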

IV. PROPOSED SOLUTIONS FOR SQL INJECTIONS & SESSION HIJACKING

In this section, the proposed solutions for SQL injection and session hijacking are presented.

A. Encryption Algorithm with RSA and Blowfish

A proposed solution is to incorporate the RSA and Blowfish encryption algorithms into the e-learning web server system. This solution was introduced by Ahuja et al. in [7]. These cryptographic algorithms introduce another level of authentication in addition to the authentication mechanism provided by the database. Since the database's authentication mechanism can be bypassed through SQL injection attacks, another secure authentication method has to be introduced. The proposed mechanism provides two-layer authentication, with the first layer provided by RSA and Blowfish. As in any normal web application, the login and registration processes remain the same; the difference in the proposed solution is that an additional key is generated by the server, namely the hexadecimal value of the user's password. There are two stages in processing a user's access: the access request process and the access grant process.

• Access Request process
Access to the database is provided by the server after verifying the user's authentication. The login step is as usual: the user enters a username and password. The system then converts the password into a hexadecimal value, which acts as the key to encrypt the username and password using Blowfish. An SQL query is then generated for the user's request containing the username, password, encrypted username and encrypted password. This query is encrypted with RSA using a public key, and the encrypted query is sent to the server.

• Access Grant process
When the server receives the encrypted query, it uses its private key to decrypt it. Once decrypted, the server obtains the username and password and fetches the key of the user generated by the server, which is essentially the hexadecimal value of the user's password. The fetched key is then used to decrypt the encrypted username and encrypted password sent along with the query. Only if the decrypted username and password match an entry in the authorized users table is access to the database granted; if there is no match, the query is rejected. The proposed solution provides a more secure authentication method and also efficient SQL query generation. Encryption on the client side and decryption on the server side strengthen the security of the system and make it difficult for an attacker to intrude into the system database. The SQL query and the login credentials are both encrypted, and the database only executes the query once the login credentials are verified.

B. One-Time Cookies

Cookies are often the target of session hijacking attacks. Since HTTP is a stateless protocol that is less secure than HTTPS, HTTP cookies are often targeted by session hijacking. Although this can be prevented by using HTTPS, which protects the user's password at login, HTTP is better in terms of performance, and since users are more concerned about performance than security, HTTP is widely used.

To protect cookies from session hijacking, One-Time Cookies (OTC) have been selected to prevent the session hijacking. OTC provides a more secure way to authenticate cookies that does not require state in the web application. A static token is generated to authenticate each request based on the session key; the token is unique and cannot be used for any other purpose or request. Borrowing the concept of a ticket from Kerberos, OTC can store the state information required to validate the token. Each web application can only access its own server to retrieve the information stored in the encrypted ticket, by sharing a long-term key among the web application's servers; the user, however, does not need to access the contents of the ticket. The value stored in the browser is defined as the credential, while the value attached to each request is defined as the token. With this definition, the OTC credential stored in the browser is used to create OTC tokens. A token consists of the credential's ID, the token's expiration time, the session nonce, a hash-based message authentication code and the corresponding session ticket. Each of these items is used to validate the request received by the web application.

V. EVALUATION

We use the recommendations of the X.800 security architecture to measure the effectiveness of the proposed solutions.

A. Encryption Algorithm with RSA and Blowfish

The proposed solution works by securing the authentication process and only enabling access to the database once the user is verified. It adds the authentication exchange mechanism of the X.800 standard to the e-learning system. It uses the Blowfish encryption algorithm to encrypt the password on the client side; this encrypted password is then decrypted and verified on the server side. If the user is not authorized, access is not granted. The proposed solution also matches the encipherment mechanism of the standard by employing RSA for the encryption and decryption of the SQL query, using a public key for encryption at the client side and a private key unique to the server for decryption.

A proper and secure e-learning system should comply with the X.800 security services, which are authentication, access control, data integrity, data confidentiality and non-repudiation. A generic e-learning system complies with authentication and access control by requiring user login, with each user having different rights depending on their role and the courses undertaken. Data integrity and confidentiality are achieved by only providing access based on the role of the user: learners have their set of controls while instructors have theirs, and data are only visible to those authorized to access them. A security mechanism such as notarization in the X.800 security architecture is also present in a typical e-learning system, where the system records the necessary information whenever an activity is performed. The main trade-off of applying Blowfish and RSA based encryption is the reduction in transmission performance due to the size of the keys.
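To make the OTC token structure of Section IV.B concrete, an added example that is not from the paper or from the OTC authors: a server issues a credential and session ticket after login, the browser derives a per-request token (credential ID, expiry, nonce, HMAC, ticket), and the server validates it, rejecting replayed, retargeted and expired tokens. The session-key derivation, the integrity-only (not encrypted) ticket, the `|` and `.` encodings and all key and request values are assumptions of this example, not the paper's design.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed sample of the long-term key the page says the application's servers share.
LONG_TERM_KEY = b"constructed-long-term-key-shared-by-the-app-servers"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def _session_key(cid: str) -> bytes:
    # Assumption of this example: the session key is derived from the long-term key and the
    # credential ID, so the ticket can stay stateless without carrying the key itself.
    return hmac.new(LONG_TERM_KEY, b"otc-session|" + cid.encode(), hashlib.sha256).digest()

def issue_credential(user: str, role: str, now: int, lifetime: int = 3600) -> dict:
    """Server side, after login: the OTC credential the browser stores. The session
    ticket holds the validation state; here it is integrity-protected with the
    long-term key rather than encrypted (a simplification of the page's design)."""
    cid = _b64(os.urandom(9))
    state = json.dumps({"cid": cid, "user": user, "role": role, "exp": now + lifetime},
                       sort_keys=True).encode()
    mac = hmac.new(LONG_TERM_KEY, state, hashlib.sha256).digest()
    return {"cid": cid, "key": _session_key(cid), "ticket": _b64(state) + "." + _b64(mac)}

def make_token(cred: dict, method: str, url: str, form: str, now: int, ttl: int = 60) -> str:
    """Browser side: a fresh token per request, made of the credential ID, expiry,
    nonce, HMAC over expiry/method/URL/form data, and the session ticket."""
    exp = now + ttl
    nonce = _b64(os.urandom(12))
    msg = json.dumps([cred["cid"], exp, nonce, method, url, form]).encode()
    mac = hmac.new(cred["key"], msg, hashlib.sha256).hexdigest()
    return "|".join([cred["cid"], str(exp), nonce, mac, cred["ticket"]])

class OtcVerifier:
    def __init__(self):
        self.seen = set()  # (cid, nonce) pairs already accepted, to reject replays

    def verify(self, token: str, method: str, url: str, form: str, now: int):
        """Server side: returns the authenticated username, or None if the token is rejected."""
        try:
            cid, exp, nonce, mac, ticket = token.split("|", 4)
            exp = int(exp)
            state, ticket_mac = (base64.urlsafe_b64decode(p) for p in ticket.split("."))
        except ValueError:  # malformed token (binascii.Error is a ValueError subclass)
            return None
        # 1. Only a server holding the long-term key can have minted the ticket.
        if not hmac.compare_digest(hmac.new(LONG_TERM_KEY, state, hashlib.sha256).digest(), ticket_mac):
            return None
        st = json.loads(state)
        # 2. The token must belong to this ticket, and neither may have expired.
        if st["cid"] != cid or now >= exp or now >= st["exp"]:
            return None
        # 3. The HMAC binds the token to exactly this request (method, URL, form data).
        msg = json.dumps([cid, exp, nonce, method, url, form]).encode()
        if not hmac.compare_digest(hmac.new(_session_key(cid), msg, hashlib.sha256).hexdigest(), mac):
            return None
        # 4. A token captured from the wire cannot be presented a second time.
        if (cid, nonce) in self.seen:
            return None
        self.seen.add((cid, nonce))
        return st["user"]

def demo() -> dict:
    """Constructed exchange: a graded assignment, then replay, retargeting and expiry."""
    cred = issue_credential("educator1", "instructor", now=1000)
    server = OtcVerifier()
    form = "assignment=7&mark=A"
    tok = make_token(cred, "POST", "/grade", form, now=1000)
    return {
        "first_use": server.verify(tok, "POST", "/grade", form, now=1001),
        "replayed": server.verify(tok, "POST", "/grade", form, now=1002),
        "retargeted": server.verify(tok, "POST", "/admin/users", form, now=1003),
        "expired": server.verify(make_token(cred, "GET", "/a", "", now=1000, ttl=10),
                                 "GET", "/a", "", now=1011),
    }
```

Because the HMAC covers the request itself and the nonce is remembered, a token copied from one request is worthless for any other request, which is the property the cookie-based session ID of Section III.B lacks.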

B. One-Time Cookies

The X.800 security architecture has been used to evaluate OTC, to determine whether OTC fulfils the X.800 security criteria. From the evaluation, it can be concluded that four of the X.800 criteria are achieved:




• Authentication
OTC provides a more secure way to authenticate cookies that does not require state in the web application. To achieve this, OTC generates a unique token, which cannot be used by any other web application, to authenticate each request with reference to the session key. Using the ticket concept from Kerberos, the token is validated against the state information stored in OTC.

• Access control
OTC also restricts access control in the web application. As mentioned above, OTC validates the token to ensure that each web application can only access its particular server. A web application is only allowed to access its own server to retrieve information, while other web applications that do not belong to the website have no right to access it.

• Data confidentiality
OTC also ensures data confidentiality. An OTC credential is created once the user has successfully logged in to generate a new session. The credential consists of the HMAC and the session ticket, which is used to validate the HMAC and the web request. It is therefore important to handle this sensitive data carefully.

• Encipherment
Encipherment is also used by OTC. The HMAC (hash-based message authentication code) covers the token's expiration time, web form information and the request's URL; this information is computed and stored inside the HMAC.

VI. CONCLUSION AND FUTURE WORKS

E-learning systems are a very important entity in the educational field, where they act as a medium for the teaching and learning process across the internet. Further work would be to expand the investigation of attacks on e-learning systems and to propose a more secure e-learning architecture. A more secure and effective e-learning system should be developed as open source, to enable the learning and teaching process to proceed smoothly without worrying about security and privacy.

ACKNOWLEDGEMENT

This research paper is supported by Universiti Sains Malaysia (USM) Short Term Grant 304/PKOMP/6312145.

REFERENCES

[1] R. Bojanc and B. J. Blazic, "An economic modelling approach to information security risk management," International Journal of Information Management, vol. 28, no. 5, pp. 413–422, 2008.
[2] E. W. T. Ngai, J. K. L. Poon, and Y. H. C. Chan, "Empirical examination of the adoption of WebCT using TAM," Computers & Education, Elsevier, vol. 48, pp. 250–267, 2007.
[3] M. Machado and E. Tao, "Blackboard vs. Moodle: Comparing User Experience of Learning Management Systems," 37th ASEE/IEEE Frontiers in Education Conference, October 10–13, 2007.
[4] S. Kumar and K. Dutta, "Investigation on Security in LMS Moodle," International Journal of Information Technology and Knowledge Management, vol. 4, no. 1, pp. 233–238, January–June 2011.
[5] A. Al-Ajlan and H. Zedan, "Why Moodle," 12th IEEE International Workshop on Future Trends of Distributed Computing Systems, IEEE Computer Society, 2008.
[6] M. Al-Ibrahim, "Are our Educational Technology Systems Secured?," International Journal for e-Learning Security (IJeLS), vol. 1, issues 3/4, September/December 2011.
[7] A. Ahuja, P. Arora, S. Singh, S. Srivastava, and S. Kandasamy, "Preventing SQL injection attacks using Blowfish and RSA," Computer Science and Engineering, Elixir Comp. Sci. & Engg., vol. 53, 2012.
[8] M. Nickolova and E. Nickolov, "Threat Model for User Security in E-Learning Systems," International Journal "Information Technologies and Knowledge," vol. 1, 2007.
[9] G. E. Violettas, T. L. Theodorou, and G. C. Stephanides, "E-Learning Software Security: Tested for Security Vulnerabilities & Issues," 2013 Fourth International Conference on e-Learning "Best Practices in Management, Design and Development of e-Courses: Standards of Excellence and Creativity," IEEE, 2013.
[10] Y. Shang, W. Luo, and S. Xu, "L-hop percolation on networks with arbitrary degree distributions and its applications," Physical Review E, vol. 84, no. 3, 031113, 2011.
[11] Y. Shang, "Optimal attack strategies in a dynamic botnet defense model," Applied Mathematics and Information Sciences, vol. 6, no. 1, pp. 29–33, 2012.
[12] D. Aucsmith, "Creating and Maintaining Software that Resists Malicious Attack," Distinguished Lecture Series, September 2004. http://www.gtisc.gatech.edu/bio aucsmith.html
[13] The OWASP Foundation, "Top Ten Most Critical Web Application Vulnerabilities," 2005. http://www.owasp.org/documentation/topten.html
[14] "Session Hijacking," Webopedia. [Online]. Available: http://www.webopedia.com/TERM/S/session_hijacking.html [Accessed May 2014].
