09-09-2016, 12:16 PM
INVESTIGATION ON DETECTION AND PREVENTION MECHANISM OF APPLICATION LAYER ATTACKS IN WEB SERVICE ENVIRONMENT
ABSTRACT
Security becomes more important with the broad adoption of web services. As a result, special importance has been given to the development of high-level security standards and protocols, but in many cases the simplest application-level attacks have been neglected. This paper explores the low-level vulnerabilities present in web services. It covers attacks such as cross-site scripting, DDoS, SQL injection, and phishing in web services, and finally provides prevention and detection mechanisms for these attacks.
INTRODUCTION
Web services are self-contained, self-describing, modular applications that can be published, located, and invoked across the web. Enterprises and businesses utilize Web services to perform complex transactions with minimal programming effort. Web service security is considered a critical problem, as service evolution is exponential and competition among service providers and service consumers is high. Web services provide the SOAP protocol, which is an XML-based messaging protocol for exchanging information among computers. REST is the newcomer on the block; it seeks to fix the problems of injection, XSS attack and phishing.
Web services are often wrapped around backend systems that have traditionally been protected by multiple layers. Security is often handled by these layers. If one layer is removed, the module is left exposed to the web and vulnerable to various attacks on the application layer. SOAP can provide a truly simple method of accessing Web services, while enterprises are competing to enjoy the great benefits of Web services. They have also started realizing the vulnerability of these services due to attacks like DDoS attack, SQL
attacks happen through vulnerabilities present in the client side (Service Consumer), web service application logic, the Web service on the web server, web service components and so on.
Key Issues:
Attacks occur in between HTTP to SOAP handshake (SOAP Web Service)
Attacks occur in between HTTP to HTTPS handshake (Restful Service)
Major scope for attack detection is required between HTTP to SOAP and HTTP to HTTPS.
MOTIVATION
Enterprises are competing to enjoy the great benefits of Web services, so web services are vulnerable to many attacks like DDoS attack, SQL injection, XSS attack and phishing. The key issue of web service in this paper is to detect attacks that occur between HTTP and SOAP and between HTTP and HTTPS. So far, detection mechanisms have been provided to detect those attacks present in web applications only. There is a need for a Security Defense System in both the SOAP Web Service and the REST Web Service environment. So the detection mechanism is applied to web services, and its effectiveness against those attacks in web services is evaluated.
RELATED WORKS
1) XSS vulnerability is one of the top web application vulnerabilities according to recent surveys. This vulnerability occurs when a web application uses inputs received from users in web pages without properly checking them. This allows an attacker to inject malicious scripts into web pages via such inputs, such that the scripts perform malicious actions when a client visits the exploited web pages. Such an attack may cause serious security violations such as account hijacking and cookie theft. Current approaches to mitigate this problem mainly focus on effective detection of XSS vulnerabilities in programs or prevention of real-time XSS attacks. As more sophisticated attack vectors are being discovered, vulnerabilities, if not removed, could be exploited at any time. To address this issue, an approach for removing XSS vulnerabilities in web applications based on static analysis and pattern matching techniques was presented. This approach identifies potential XSS vulnerabilities in program source code and secures them with appropriate escaping mechanisms, which prevent input values from causing any script execution.
2) Web applications have brought with them new classes of computer security vulnerabilities, such as SQL injection. It is a class of input validation based vulnerabilities. Typical uses of SQL injection leak confidential information from a database, bypass authentication logic, or add unauthorized accounts to a database. This security prevents unauthorized access to your database and also prevents your data from being altered or deleted by users without the appropriate permissions. Malicious Text Detector, Constraint Validation, Query Length Validation and Text Based Key Generator are the four types of filtration technique used to detect and prevent SQL injection attacks from accessing the database.
3) Phishing is a treacherous attempt to embezzle personal information such as bank account details, credit card information, social security number, employment details, online shopping account passwords and so on from internet users. Phishing, or stealing of sensitive information on the web, has dealt a major blow to Internet security in recent times. The phishing detection and prevention approach combines URL-based and webpage similarity based detection to identify phishing. URL-based phishing detection involves extraction of the actual URL (to which the website is actually directed) and the visual URL (which is visible to the user). The Link Guard Algorithm is used to analyze the two URLs, and depending on the result produced by the algorithm the procedure proceeds to the next phase. If phishing is not detected or phishing possibility is predicted in URL-based detection, the algorithm proceeds to the visual similarity based detection.
ATTACKS
1. DDoS attack
DDoS attack detection and malicious traffic filtering techniques have long been important but difficult problems to be addressed in web service. The DDoS detection and prevention mechanism has been provided to detect those attacks present in web applications only. In web service this is mapped as oversized XML attack and SOAP parameter DDoS.
a. Oversized XML attack
In a regular SOAP message, components within an XML tag usually have a length of a few characters. Namespace declarations can get as long as a few hundred characters, but that usually doesn't pose a problem to any XML parser. However, when used in a malicious way, the components within an XML tag can be used to mount denial of service attacks. For example, by using overly long attribute names, a parser might crash because of memory exhaustion. The attack is possible because the XML standard [1] doesn't limit the size of components in an XML tag.
b. SOAP parameter DDoS
Usually each SOAP request contains some sort of parameter that is passed to the application logic. If the application logic doesn't check what type of parameters are passed, a classical buffer overflow within the application logic can easily occur if the parameters are out of bounds. A simple example is a string value whose range of values is exceeded.
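A size guard for both cases above (oversized XML components and out-of-range SOAP parameters), as an added example that is not part of the original paper. The limit values, the `check_soap_limits` name and the sample message are assumptions made for illustration.

```python
import xml.parsers.expat

# Limits are assumptions for illustration; derive real ones from the service contract.
MAX_DOC_BYTES = 64 * 1024
MAX_NAME_LEN = 256         # element and attribute names
MAX_ATTR_VALUE_LEN = 2048  # leaves room for long namespace declarations
MAX_TEXT_LEN = 4096        # a single SOAP parameter value

class SoapLimitError(ValueError):
    """Raised when a message exceeds a size limit or is malformed."""

def check_soap_limits(data: bytes, chunk: int = 4096) -> int:
    """Stream-parse a SOAP message, stop at the first violation, return element count."""
    if len(data) > MAX_DOC_BYTES:  # in a server, enforce this while reading the body
        raise SoapLimitError("document too large")
    state = {"elements": 0, "text_len": 0}

    def on_start(name, attrs):
        state["elements"] += 1
        state["text_len"] = 0
        if len(name) > MAX_NAME_LEN:
            raise SoapLimitError("element name too long")
        for key, value in attrs.items():
            if len(key) > MAX_NAME_LEN:
                raise SoapLimitError("attribute name too long")
            if len(value) > MAX_ATTR_VALUE_LEN:
                raise SoapLimitError("attribute value too long")

    def on_text(text):  # may fire several times per text node, so accumulate
        state["text_len"] += len(text)
        if state["text_len"] > MAX_TEXT_LEN:
            raise SoapLimitError("parameter value too long")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda name: state.update(text_len=0)
    parser.CharacterDataHandler = on_text
    try:
        for i in range(0, len(data), chunk):
            parser.Parse(data[i:i + chunk], False)
        parser.Parse(b"", True)
    except xml.parsers.expat.ExpatError as exc:
        raise SoapLimitError(f"malformed XML: {exc}") from exc
    return state["elements"]

def build_message(attr: str = "id", user: str = "alice") -> bytes:  # constructed sample
    return ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<soapenv:Body><login {attr}="1"><user>{user}</user></login></soapenv:Body>'
            '</soapenv:Envelope>').encode()
```

Run the check before the message reaches the SOAP stack, so an oversized message is rejected by a parser that keeps no document tree in memory.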
2. XSS attack
Cross-site scripting is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. XSS attack is mapped as XML signature key retrieval XSA in terms of web service.
a. XML signature key retrieval XSA
With XML Signature in a SOAP message, a public key is always needed by the receiving party in order to verify the signature. In many cases the receiving party already owns the public key of the sender. However, in some scenarios the public key has to be retrieved first in order to verify the signature. How key retrieval is done is described in the SOAP security header within the <KeyInfo> element. Different methods for key retrieval are possible. One method is the use of URIs to reference a key. Internal references usually pose no problem. However, external references can be problematic, especially when the data referenced is given back to the attacker initiating the request.
3. Phishing attack
Phishing is an online deceitful activity wherein the objective of an attacker is to steal a victim’s sensitive information, such as online banking account details or social security number, thus deceiving people into financial loss. In web service, phishing attack is mapped as WS-Addressing spoofing and Reference Redirect.
a. WS-Addressing spoofing
An attacker sends a SOAP message, containing WS-Addressing information, to a web service server. The <ReplyTo> element doesn't contain the address of the attacker but instead that of the web service client whom the attacker has chosen to receive the message. This results in unwanted traffic/SOAP messages for the receiving web service client. Depending on the amount of traffic, DoS scenarios are possible.
b. Reference Redirect
With XML Signature or XML Encryption in a SOAP message, the user is given a great amount of flexibility in what data is signed or encrypted. It is even possible to sign or encrypt data outside of the original SOAP message. This property can be used to mount a denial of service attack.
4. SQL injection
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. In terms of web service it is mapped as XPath injection, XML injection and XQuery injection.
a. X-path injection
XPath is a language used to query certain parts of an XML document. It can be compared to the SQL language used to query databases. In some cases the parameters within the SOAP Body are directly used as input for an XPath query. If this user input is not validated properly, an attacker can modify the XPath query as he wishes. In the worst case scenario the attacker is able to read out the entire XML document that is queried.
b. XML injection
In an "XML Injection" an attacker tries to inject various XML tags into the SOAP message, aiming at modifying the XML structure. Usually a successful XML injection results in the execution of a restricted operation. Depending on the executed operation, various security objectives might get violated.
c. X-query injection
XQuery Injection is a variant of the classic SQL injection attack against the XML XQuery Language. XQuery Injection uses improperly validated data that is passed to XQuery commands. This in turn will execute commands on behalf of the attacker that the XQuery routines have access to.
MODULES
Module 1: DDOS attack
DDoS attack detection and malicious traffic filtering techniques have long been important but difficult problems to be addressed in web service. The DDoS detection and prevention mechanism has been provided to detect those attacks present in web applications only. Here, in order to process the traffic in real time, we create a real-time frequency vector (RFV = ⟨f_avg1, f_avg2, ..., f_avgm⟩), wherein m is the number of resources in the website, such as web pages and images. Each item in RFV denotes the average frequency of one resource being visited. Three modules are included to detect DDoS attacks: the Abnormal Traffic Detection Module, the DDoS Attack Detection Module and the Filter module. The abnormal traffic detection module observes abrupt changes in the traffic of HTTP ‘get’ requests. Once an anomalous feature is observed, a specific signal of ‘attention’ is sent to the DDoS attack detection module for further analysis. When the attention signal is passed to the DDoS Attack Detection Module, it detects the DDoS attack using RFV. After the DDoS attack has been found, it is filtered using the Filter module. In this paper the DDoS attack is mapped as oversized XML attack and SOAP parameter DDoS. The same mechanism is applied for the attack present in web service, and investigation is done to evaluate how effective it is in the case of web service.
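The three modules wired together, as an added example that is not the paper's code. It goes beyond the text in one respect: the paper does not say how a window is compared with the RFV, so the two threshold factors, the per-client comparison and the sample traffic are assumptions.

```python
from collections import Counter, defaultdict

# Both factors are assumptions; the page does not give thresholds.
ABRUPT_FACTOR = 3.0  # window is abnormal if total GETs exceed 3x the baseline
CLIENT_FACTOR = 5.0  # client is flagged if it exceeds 5x a resource's average

def build_rfv(normal_windows):
    """RFV as {resource: average GETs per window} over normal traffic.
    Each window is a list of (client, resource) pairs."""
    totals = Counter(res for window in normal_windows for _, res in window)
    return {res: n / len(normal_windows) for res, n in totals.items()}

def abnormal_traffic(rfv, window) -> bool:
    """Abnormal Traffic Detection Module: raise the 'attention' signal."""
    return len(window) > ABRUPT_FACTOR * sum(rfv.values())

def detect_ddos(rfv, window) -> set:
    """DDoS Attack Detection Module: clients far above the RFV on any resource."""
    per_client = defaultdict(Counter)
    for client, res in window:
        per_client[client][res] += 1
    return {client for client, hits in per_client.items()
            if any(n > CLIENT_FACTOR * max(rfv.get(res, 0.0), 1.0)
                   for res, n in hits.items())}

def process_window(rfv, window):
    """Run the three modules; return (requests let through, flagged clients)."""
    if not abnormal_traffic(rfv, window):
        return list(window), set()
    attackers = detect_ddos(rfv, window)
    return [r for r in window if r[0] not in attackers], attackers  # Filter module

# Constructed sample traffic using documentation address ranges.
NORMAL = [[(f"192.0.2.{i}", "/index.html") for i in range(1, 5)]
          + [("192.0.2.1", "/logo.png")] for _ in range(3)]
FLOOD = NORMAL[0] + [("203.0.113.9", "/index.html")] * 40
```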
Module 2: SQL INJECTION
SQL injection is an injection attack where an attacker can execute malicious SQL statements. Here an ASCII-based string matching technique is used to detect and prevent SQLIAs. The following figure shows that the user input data enters in the login phase from the web browser, and the application server acts as a middleware to filter the SQLI. In the first level phase, when the user input enters the login mode, the malicious text detector is used to detect the susceptibility character which is appended to the user’s data; it throws an exception marking the user as a malicious attack and prevents access to the web application. In the second level phase, the login phase is set with constraints, such as the user id being allowed only ten characters and the password only four characters. The user input is compared with these constraints; if this level is satisfied, the data is converted into an SQL query with the database engine and compared at the third level. In the third level phase, the length of the number of possible queries is stored in array format in a statically generated method. Each character is parsed, and the number of static queries is counted and stored in a static model; then the input data is also calculated with the existing static value and compared. If it matches, it moves to the last phase; otherwise it is rejected as an SQLIA.
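The three filtering levels described above, as an added example that is not the paper's implementation. The suspicious-character set, the login query in `TEMPLATE`, and the reading of the third level as a token-count comparison against a static query are assumptions; the ten- and four-character limits come from the text.

```python
import re

# Phase 1: characters treated as suspicious. This set is an assumption; the
# page does not list the characters its malicious text detector looks for.
SUSPICIOUS = re.compile(r"""['";#\\]|--|/\*""")
MAX_USER_LEN = 10  # from the page: user id limited to ten characters
MAX_PASS_LEN = 4   # from the page: password limited to four characters

# Hypothetical login query; it is built only to be measured, never executed here.
TEMPLATE = "SELECT id FROM users WHERE name = '{user}' AND pass = '{pw}'"
# A token is a quoted string, a word, or a single punctuation character.
TOKEN = re.compile(r"'(?:[^']|'')*'|\w+|[^\s\w]")

def token_count(sql: str) -> int:
    return len(TOKEN.findall(sql))

# Phase 3 reference value: size of the query when the input is harmless.
STATIC_COUNT = token_count(TEMPLATE.format(user="x", pw="x"))

def phase1_malicious_text(value: str) -> bool:
    return SUSPICIOUS.search(value) is None

def phase2_constraints(user: str, pw: str) -> bool:
    return 0 < len(user) <= MAX_USER_LEN and 0 < len(pw) <= MAX_PASS_LEN

def phase3_query_length(user: str, pw: str) -> bool:
    # Injected SQL adds tokens, so the built query no longer matches the static count.
    return token_count(TEMPLATE.format(user=user, pw=pw)) == STATIC_COUNT

def check_login(user: str, pw: str) -> str:
    """Return 'ok' or the first phase that rejects the input."""
    if not (phase1_malicious_text(user) and phase1_malicious_text(pw)):
        return "phase 1: malicious text"
    if not phase2_constraints(user, pw):
        return "phase 2: constraint violation"
    if not phase3_query_length(user, pw):
        return "phase 3: query length mismatch"
    return "ok"
```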
Module 3: Cross site scripting attack
Cross-site scripting is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. Here an automated approach is used that statically removes XSSVs from program source code. Based on static analysis and pattern matching techniques, our approach identifies potential XSS vulnerabilities in program source code and secures them with appropriate escaping mechanisms, which prevent input values from causing any script execution [3]. In this paper XSS is mapped as XML signature key retrieval XSA. The same mechanism is applied for the attack present in web service, and investigation is done to evaluate how effective it is in the case of web service.
Module 4: Phishing attack
Phishing is an online deceitful activity wherein the objective of an attacker is to steal a victim’s sensitive information, such as online banking account details or social security number, thus deceiving people into financial loss. Here the link guard algorithm and a pattern matching technique are used. They contain a seed set and a black list for pattern matching. DNS names that are manually input by the user when the user surfs the Internet are proactively collected and stored in a seed set; since these names are input by the user by hand, we assume that these names are trustworthy. Unwanted and untrusted sites are stored in the black list. Pattern matching is designed to handle unknown attacks: it checks whether a name is quite similar (but not identical) to one or more names in the seed set by invoking the Similarity procedure. Similarity checks the maximum likelihood of the actual DNS and the DNS names in the seed set. The similarity index between two strings is determined by calculating the minimal number of changes
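The seed set, black list and Similarity procedure described above, together with the actual-versus-visual URL comparison from the related work, as an added example that is not the Link Guard authors' code. The sample names, the `THRESHOLD` value and the order of the checks are assumptions; the similarity index uses edit distance as the "minimal number of changes".

```python
from urllib.parse import urlsplit

# Constructed sample data (not from the page).
SEED_SET = {"www.mybank.example", "mail.example"}  # names the user typed by hand
BLACKLIST = {"evil.example"}                       # known untrusted names
THRESHOLD = 0.8  # assumed cut-off for "quite similar"; the page gives no value

def edit_distance(a: str, b: str) -> int:
    """Minimal number of single-character insertions, deletions, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a: str, b: str) -> float:
    return 1.0 - edit_distance(a, b) / max(len(a), len(b), 1)

def dns_name(text: str) -> str:
    """Host part of a URL or bare host name; '' when text is not URL-like."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    if "//" not in text:
        text = "//" + text
    return urlsplit(text).hostname or ""

def classify_link(visual_text: str, actual_href: str) -> str:
    actual, visual = dns_name(actual_href), dns_name(visual_text)
    if actual in BLACKLIST:
        return "blacklisted"
    if visual and visual != actual:
        return "mismatch"      # link text shows one DNS name, href goes to another
    if actual in SEED_SET:
        return "trusted"
    if any(similarity(actual, seed) >= THRESHOLD for seed in SEED_SET):
        return "lookalike"     # close to, but not identical with, a trusted name
    return "unknown"
```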
Evaluation parameter
• Accuracy
Accuracy is the statistical measure of how well a security testing methodology detects the vulnerabilities correctly and excludes certain non-vulnerabilities. It can be calculated by knowing the false positive rate and the false negative rate. In general, positive means detected and negative means rejected or not detected. Therefore true positive is correctly detected, true negative is correctly not detected, false positive is wrongly detected and false negative is wrongly not detected.
Accuracy (ACC) = ∑ {(T.P+T.N)/(P+N)}
False positive rate (F.P.R) = ∑ {F.P/(F.P+T.N)}
False negative rate (F.N.R) = ∑ {F.N/(F.N+T.N)}
Investigation is done on the detection and prevention mechanisms of application layer attacks in the web service environment; the accuracy metrics evaluate the effectiveness of the detection mechanism used in the web service environment.