Web Application Security - Term Paper Example

Summary
"Web Application Security" paper critically discusses the dangers of SQL injection in terms of website attacks that affect most individuals and organizations. Several forms of attack by SQL injection are used by most attackers to access the database of the targeted websites. …

Extract of sample "Web Application Security"

Web Application Security

Table of Contents

Introduction
Analysis
    Vulnerability and common scenarios
    How the intruder can exploit it
    Assessment of the vulnerability
    Severity levels
    Examples
Recommendations and steps to patch the vulnerability
Conclusion
References

Introduction

SQL injection is one of the techniques used to attack a website, rendering it ineffective for its users. This has many negative impacts on organizations, as it leads to loss of information. The attack not only harms the website but also renders the information stored in it useless. Unauthorized access to information is therefore a major concern for most organizations. SQL injection uses rogue commands to access the website of an organization (Kieyzun, 2009). The database information is usually distorted through the use of unauthorized code. The passwords or other security details required to access a website are usually distorted, enabling access by the intruder. This paper critically discusses the dangers of SQL injection in terms of website attacks that affect most individuals and organizations.

Analysis

Vulnerability and common scenarios

Attackers use several forms of SQL injection to access the database of the targeted websites. The attack vector is used for the purpose of attacking the targeted website. Incorrectly filtered escape characters are one of the weaknesses that render the websites of organizations vulnerable to attack. This is exploited when the attacker crafts the username in a specific, malicious way. Information about all the users of a particular website may be viewed through SQL injection. Incorrect type handling is another of the main weaknesses that expose websites. This happens when the user field is not checked for type constraints.

Blind SQL injection is another form of vulnerability to which websites may be exposed. It takes a different form, as it is difficult for the messages to be exposed to or viewed by the attacker. Conditional responses are also a common scenario experienced by individuals and organizations. A conditional response is the result of using code and queries when accessing the information in the website. It may take a long time before the attack is managed, inconveniencing the website's users (Hu et al., 2010).

How the intruder can exploit it

The vulnerability of the website is what exposes it to attack by the intruder. In most cases, the intruder is aware of the problems facing the website. Interference with the parent language is one of the main methods used by the intruder. This is achieved by changing the parent language and thus changing the response of the website. Incorrect type handling also gives the intruder an opportunity to exploit the website. It is done by manipulating the statements, eliminating the need for escape characters. The intruder is thus aware of the weaknesses that a website may have and takes advantage of them.

It is also possible to display the information of the website differently, and hence to attack. This applies to blind SQL injection. The attacker may also use the queries that are asked for the purpose of verification to cause an attack. The intruder changes or manipulates the query in order to gain access to a particular website. It is thus evident that the intruder usually takes advantage of the existing weaknesses within the website in order to cause an intrusion (Lam et al., 2008).

Assessment of the vulnerability

SQL injection is one of the most serious vulnerabilities and has led to the intrusion of many sites. Records show that it was rated the top web application vulnerability in 2007 and 2010 (Clarke, 2012). The attack vector can be grouped into various classes depending on the vulnerability and the technical aspects of the attack. Exposure to SQL injection depends on the measures that have been put in place to guard the website from the attack. SQL injection can be used to access information from highly secured websites. This is done by exploiting the weaknesses of the website. Most of the crucial information that has been obtained from government websites was obtained through SQL injection. The weaknesses of websites increase the chance of a SQL injection attack and hence the loss of valuable information. However, it is also evident that exposure to SQL injection can be reduced by putting in place several measures that guard a website against the attacks (Jain, 2011).

Severity levels

SQL injection can be used to attack any SQL database, leading to severe damage and loss of information. The severity levels are very high, and an attack may lead to the shutting down of the website. This is a common experience for most organizations whose websites have been attacked. Access to personal information is one of the main effects of SQL injection and has led to interference in the private lives of most people. It is reported that there are about 71 attempts every hour on most prominent websites. Some of the attempts are successful while others are not. Some attackers using SQL injection delete sensitive information regarding an organization. This has a negative impact on the organization, as some of the information is usually classified.

The integrity of the data is usually compromised by the attack, reducing the reliability of the information. This has the potential to mislead the clients or the organization as a whole. The attacks are quite severe, as the number of attempts keeps increasing. The situation is further worsened by the efficiency of this tool in attacking different types of websites. This is thus a big challenge to the information technology sector, as the attacks result in losses amounting to millions of dollars (Stavrou et al., 2009).

Examples

According to Lee et al. (2012), many organizations across the world have been affected by SQL injection attacks. In June 2007, a hacker defaced the Microsoft website in the United Kingdom using SQL injection. Microsoft acknowledged the problem, and it led to a lot of controversy. The attack indicates how serious the problem is, considering that Microsoft is a big organization in the information technology industry. In 2008, Kaspersky, one of the manufacturers of the best anti-virus software, was also attacked using SQL injection. This happened in Malaysia and caused the company some financial losses. This indicates that the attacks pose a serious challenge to the organizations affected by the problem.

Attacks using SQL injection have also caused a lot of harm to individuals. This was the case in 2010, when attackers used SQL injection in China and Japan to access the credit card information of online customers. This resulted in the customers losing money to the attackers. Government websites have also fallen victim to attacks using SQL injection, which shows how determined the attackers are. The Indian government tourist site was attacked using SQL injection in 2006, leading to access to crucial information regarding the government's operations in the sector. It is thus evident that the hacking problem is critical and has a lot of negative impacts on the organizations that fall victim to the attack (Clarke, 2012).

Recommendations and steps to patch the vulnerability

Although the problem is quite complex in nature and affects most organizations, it is possible to protect websites from the attacks. The use of parameterized statements is important in combating the problem. This is because the parameters are able to detect any attempts and so prevent the attack. Escaping the characters is also an important method of preventing the attacks from taking place. This is achieved through defining the SQL injection and thus enabling its prevention. The pattern check is also important when dealing with the problem, as it enables the prevention of the attack. The pattern check ensures that the flow of information is monitored, eliminating any unnecessary patterns that may lead to attacks on the website.

Database permission is also important for reducing attacks. This is achieved by ensuring that users have to log in in order to gain authorized access. This plays an important role in safeguarding the information found in the website of the company. It also minimizes the chances of attack to a great extent. Limiting the permissions for access to the website is thus important for an organization in dealing with SQL injection (Ezumalai et al., 2009).

Conclusion

In conclusion, SQL injection attacks have a lot of potential to damage the website of an organization. This is achieved through unauthorized access to the website. The loss of crucial information is one of the negative impacts of the attack. The vulnerability of the website plays an important role in enabling the attacks. It is thus evident that the security measures put in place by the company determine whether the attacks occur or not. It is also evident that the attackers always take advantage of the weaknesses in the websites of the company. The problem is quite severe and has a lot of negative impacts on an organization. The negative impacts have the potential to cause losses for an organization. It is also evident that some prominent organizations have suffered the attacks, leading to major losses. It is thus evident that no organization is safe from the attacks. However, various methods can be used to mitigate the attacks.

References

Clarke, J. (2012). SQL injection attacks and defense. Syngress Publishing.

Ezumalai, R. et al. (2009). Combinatorial Approach for Preventing SQL Injection Attacks. In Advance Computing Conference, 2009. IACC 2009. IEEE International (pp. 1212-1217). IEEE.

Hu, Y. et al. (2010). Method of defense SQL injection attacks based on sequence alignment. Jisuanji Yingyong Yanjiu, 27(9), 3525-3528.

Jain, K. (2011). An Authentication Mechanism against SQL Injection on Web Platform.

Kieyzun, A. (2009). Automatic creation of SQL injection and cross-site scripting attacks. In Software Engineering, 2009. ICSE 2009. IEEE 31st International Conference on (pp. 199-209). IEEE.

Lam, M. et al. (2008). Automatic generation of XSS and SQL injection attacks with goal-directed model checking. In Proceedings of the 17th conference on Security symposium (pp. 31-43). USENIX Association.

Lee, I. et al. (2012). A novel method for SQL injection attack detection based on removing SQL query attribute values. Mathematical and Computer Modelling, 55(1), 58-68.

Stavrou, A. et al. (2009). SQLProb: a proxy-based architecture towards preventing SQL injection attacks. In Proceedings of the 2009 ACM symposium on Applied Computing (pp. 2054-2061). ACM.
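
Added example, not part of the original paper: the "incorrectly filtered escape characters" and "incorrect type handling" cases from the vulnerability section, shown next to the parameterized statements, type check and pattern check named in the recommendations. The table, function names, allow-list pattern and inputs are constructed for illustration and use Python's built-in sqlite3 module.

```python
import re
import sqlite3

# Assumed allow-list used for the pattern check (illustrative, not from the paper).
USERNAME_PATTERN = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db():
    """Constructed in-memory table standing in for a site's user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db


def find_by_name_vulnerable(db, username):
    # Input is pasted into the SQL text, so a quote in it ends the string literal.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(sql)]


def find_by_id_vulnerable(db, user_id):
    # Numeric field with no type check: no quote is needed to alter the query.
    sql = "SELECT username FROM users WHERE id = " + user_id
    return [row[0] for row in db.execute(sql)]


def find_by_name_parameterized(db, username):
    # The value is bound as data and is never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]


def find_by_id_safe(db, user_id):
    # Enforce the type constraint; int() raises ValueError on non-numeric input.
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in db.execute(sql, (int(user_id),))]


def valid_username(username):
    # Pattern check: reject anything outside the expected character set.
    return USERNAME_PATTERN.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    crafted_name = "x' OR '1'='1"  # constructed test input
    crafted_id = "1 OR 1=1"        # constructed test input
    print(find_by_name_vulnerable(db, crafted_name))     # all three users
    print(find_by_id_vulnerable(db, crafted_id))         # all three users
    print(find_by_name_parameterized(db, crafted_name))  # []
    print(valid_username(crafted_name))                  # False
```

The pattern check narrows what reaches the query, but it is the bound parameter that keeps the input from being interpreted as SQL.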