Security vulnerabilities related to web-based data

In this digital era, organizations and industries are moving towards replacing websites with web applications for many obvious reasons. With this transition towards web-based applications, organizations and industries find themselves surrounded by several threats and vulnerabilities. One of the largest concerns is keeping their infrastructure safe from attacks and misuse. Web security entails applying a set of procedures and practices, by applying several security principles at various layers to protect web servers, web users


Introduction
Nowadays, every organization supplies an enormous amount of information to clients, employees, and the general public online via the web. While printed information is static, web-based content is dynamic and updated promptly. However, websites and web servers are exposed to various security threats. Any server connected to an online network will not only suffer from internal threats caused by employees as a result of misuse of network resources, but are also vulnerable to a range of outside threats [1,2]. Web security is extremely important in order to protect sensitive data (stored online) from unauthorized access, alteration, or destruction. Such security is accomplished by applying strict policy measures to safeguard such valuable assets. Security threats can negatively impact organization's business or reputation if attackers manage to gain access to that organization's data.

Fundemantels of Web Security
Several cornerstones must be assured to describe a system secure. The most common fundamentals are: a. Authentication Authentication is the process of successfully verifying the identity of the users for a certain application [3]. b. Authorization Authorization means giving a user a specific permission to do certain operations on specific resources [4]. Resources may include files, databases, tables, and rows. c. Auditing Auditing is important to determine if any attack or intrusion took place. In addition to effective auditing, logging is important to assure non-repudiation. Non-repudiation means that the sender of a message should not be able to prove that he has not sent that message. It should always be feasible to find out the sender of a message [5]. Confidentiality is the process of keeping the data private, and making sure that only authenticated user can view that specific data. One way to implement confidentiality is by using data encryption. e. Availability In our context, availability means that a system is always available only for legitimate users. Attackers succeed to compromise a system's availability by overloading the network so that other users cannot successfully gain access to that system [6].

Technical Vulnerabilities 3.1. SQL Injection Attack
SQL injection is a malicious attack where an attacker injects SQL commands into an SQL statement, via web page input to compromise a database. An SQL injection is capable of destroying a database [7]. Typically, on a web form for user authentication, when a user enters personal information such as username and password or other login credentials, these values are inserted into a SELECT query. If these credentials are found in the database, access is granted. Otherwise, the access is denied.
Unfortunately, most of these web forms have no mechanisms in place to block input other than names and passwords. Hence, an attacker might be able to use the input boxes to send malicious requests to the database. Consequently, these attempts could allow the attacker to interact with the database or even download it entirely [8]. There are several threats that may affect online applications. In this paper, we will highlight four of them. Namely: SQL injection attack, cookie poisoning, cross-site scripting, and buffer overflow. For the SQL code below [9]:

String SQLQuery = "SELECT Username, Password FROM users WHERE Username=' " + Username + " ' AND Password=' " + Password +" ' "; Statement stmt = connection.createStatement(); ResultSet rs = stmt.executeQuery(SQLQuery); While (rs.next()) {…}
Since user input is needed in order to run the above query. The interpreter will execute the command based on the provided input for the username and password fields [9]. Hence, if an attacker inserts 'or 0=0' as both the username and password, then the query will be constructed as: String SQLQuery ="SELECT Username, Password FROM users WHERE Username=" or 0=0" AND Password=" or 0=0"; By running the above query, the attacker managed to compromise the entire database. This is due to the fact that zero will always be equal to zero. Thus, the query will return all records in the database [9]. SQL injection attack is considered a common threat that targets database-driven applications and exposes their vulnerabilities [10]. Generally, there are two ways to carry SQL injection attacks. The first way is known as SQL Manipulation. In SQL Manipulation the attacker alters the SQL statement with the aid of built-in operation or built-in function such as UNION. The other method is known as Code Injection where an attacker manages to insert vulnerable SQL statement.
Defensive coding is one of the proposed solutions to prevent SQL injection attack. However, defensive coding is considered a challenging task. On one hand developers continuously keep adding controls in their source code. On the other hand, attackers never stop finding ways to overcome these added controls [11]. Thus, it is difficult for developers to keep up in this race. Additionally, implementing the best defensive coding techniques is very challenging and needs special set of skills. Table 1 explains some of the possible SQL injection attacks [12].
Nonetheless, SQL injection can still be prevented in several ways. Enforcing the faultlessness of the user's input value at the programming level can prevent SQL injection attacks. This means enforcing the user to provide correct information and prevent irregular values. This technique blocks unsafe values, which could be harmful to the database server. Such approach can be implemented on either database side (the client's or the server's) [12]. The following are some of the techniques for preventing SQL injection attacks: a. Static Query Statement To achieve this prevention method, the database uses parameterized statements where the server encodes the parameters as needed. b. Least Privilege The least privilege techinque may restrict users access by eliminating database connection with root access for all users, restricting the privileges (such as read and write) on the database's tables and views, rejecting access to stored procedures and special system utilities, or by utilizing stored procedures with fine-grained control. Fine-grain control will set control over the users granted roles. For example, a better alternative for granting the user access to an entire table is that a stored procedure returns only one row of data [13]. c. Web Application Gateway Web Application Gateway (WAG) works as a secure reverse web proxy. WAG can interpret more information in the HTTP protocol, and HTML content compared to a web proxy. WAG can check whether form inputs are within expectations and verifies whether hidden fields and cookies were modified. Additionally, WAG verifies whether URL flow follows the original design or not. Hence, it provides protection against other threats as well [13]. d. SQL driver proxy A SQL driver proxy functions in a similar way to web application gateway. Unlike the web application gateway, it intercepts API calls and monitors database function calls rather than intercepting network connections and monitoring HTTP requests [14]. Additionally, the proxy sanitizes error message sent from database server back to the client application [14]. This is an essential step since such messages usually reveal information about the database schema. In this type of attacks, SQL queries will be manipulate using alternate encoding, Hexadecimal, ACSII and Unicode.

Blind Attacks
In this type of attacks anonymous user can theft useful information from database asking true and false a question through SQL statement.

Cookie Poisoning
Cookies are personal information stored on a user's machine. Modifying cookies by an attacker to gain unauthorized information about the user for malicious purposes is known as Cookie Poisoning. The attacker may use the hacked identity information to open new accounts or to obtain access to the user's existing accounts [15]. If security methods are not used, an attacker can observe a cookie to know its purpose and make some changes to it to allow the attacker accessing user information from the website that sent the cookie.
Many web applications store tracking information within cookies saved in the user computer. The tracking information usually include user IDs and time stamps. When a user logs into a website, a login web script validates his username and password and sets a cookie with his numerical identifier [16]. In many cases, cookies can be modified by attackers as they are cryptographically insecure, thus, the application is fooled and the hacker gains full access to a system. Encrypting cookie contents is a useful prevention method against cookie poisoning. Additionally, avoiding storing session ID on the server is another helpful technique.

Cross-site Scripting
Cross-site Scripting (XSS) refers to client-side code injection attack, wherein an attacker can execute malicious scripts (also commonly known as a malicious payload) into a legitimate website or web application [17]. XSS is amongst the most rampant of web application vulnerabilities and occurs when a web application makes use of not validated or not encoded user input within the output it generates [18]. For example, the script below is not harmful but will open a thousand windows: <script> for (i = 0; i < 1000; i++) window open ("http://goingzoo.com "); </script> A solution to this could be to disable script language capability in web browsers. However, some trusted websites also use a script to provide a lot of functionalities. Hence, disabling script language could prevent users from accessing those features. Another solution would be using an anti-XSS HTML parser like safeHTML. For example, a hacker could upload the following message:

"Hello message board. This is a message. <SCRIPT>malicious code</SCRIPT> This is the end of my message."
If the victim's script is enabled in their browser, the malicious code will execute unexpectedly. Some of the scripting tags that can be embedded in a similar fashion include <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>. When a server mediates client-to-client communications, site developers clearly conclude that data input is untrustworthy when it is presented to other users. Such an input will be considered unacceptable and will be filtered by the server before being sent to other readers [19].
To carry a cross-site script attack, the attacker will need to find a web page with unchecked input and embed a "poisoned link" within that web page. Once the victim clicks on the poisoned link, the script executes whatever the purpose behind it is. Note that the victim does not have to click the link; it is possible for the scripts to execute upon loading the page. Cross-site script attack can be prevented if the input data on the web server was sanitized and the cookie data encrypted. Additionally, users should turn off client-side scripting.

Buffer Overflow
Buffer Overflow occurs when an attacker attempts to send more data purposely than a program or process can handle. This kind of attack can force a system to crash [20]. The code below is an example of buffer overflow attack.
void Function( char *Input ) { char Buffer [17]; // Input is copied straight into the buffer // when no type checking is performed strcpy(Buffer, Input);} Some of the solutions to prevent buffer overflow attack is bounds checking, use of safe libraries, and running static code analysis. Developers use HTML and JavaScript to limit the number of characters to be submitted as input. Nevertheless, the HTML can still be changed by the hacker, the JavaScript can be turned off as well and then a buffer overflow attack can be submitted. To ensure ultimately safeguarding the application from this attack, all input from the client has to be carefully checked on the server. Also, a firewall or security gateway application could be installed to scan out requests with unusual length.

Conclusion
Over the past decade, web applications have evolved significantly. Such an upraise introduced new and serious security-related challenges. On one hand security researchers are putting substantial efforts to eliminate these threats, and on the other hand, attackers are still finding ways to attack and invade victims' security and privacy. This paper presented some of the fundamentals of web security, in addition to several kinds of web attacks, and discussed some prevention methods.