Using Security Patterns in Web-Application

Table of Contents

Chapter 1: Introduction
1.1 Problems
1.2 Aim and Objectives
Aim: The aim of this dissertation is to explore how security is incorporated by using security pattern in web-application.
1.3 Structure:

Chapter 2: Background on Web Application & Web Application Security
2.1 Background of Web- Application
2.2 Background on Web Application Security

Chapter 3: Attacks and Countermeasures of Web - Application
3.1 Eavesdropping
3.1.1 What is Eavesdropping?
3.1.2 How Eavesdropping happen?
3.1.3 Countermeasures for Eavesdropping
3.2 Exploiting Poor Authentication
3.2.1 What is Poor Authentication?
3.2.2 How the poor authentication can be exploited?
3.2.3 Countermeasures of poor authentication
3.3 Log Tampering
3.3.1 Overview of Log
3.3.2 What is log tampering?
3.3.3 Countermeasures for Log Tampering
3.4 SQL Injection
3.4.1 Overview of SQL injection
3.4.2 Countermeasures for SQL Injection
3.5 Cross-Site Scripting
3.5.1 What is Cross-Site Scripting?
3.5.2 Countermeasure of Cross-Site Scripting
3.6 HTTP Response Splitting
3.6.1 What is HTTP Response Splitting?
3.6.2 Countermeasure for HTTP Response Splitting
3.7 Reason of Attack on Web Application

Chapter 4: Introduction to Patterns
4.1. An introduction to pattern language
4.2. What is Design Pattern?
4.3 History of Design Pattern
4.4 Design Pattern Template

Chapter 5: An Introduction to Security Patterns
5.1 What is Security Pattern?
5.2 History of Security Pattern
5.3 Why Security Pattern?
5.4 Types of Security Pattern
5.5 Use and Misuse Case in Security Pattern.
5.6 Security Pattern Template

Chapter 6: Overview and Implementation of Security Patterns
6.1 Overview of Security Pattern used to address attack
6.1.1 Secure Pipe Pattern
6.1.2 Secure Proxy Pattern
6.1.3 Secure Logger Pattern
6.1.4 Intercepting Validator Pattern
6.2 Implementation of Security Pattern in Context to Attack
6.2.1 Mitigating Eavesdropping with Secure Pipe and its Related Pattern
6.2.2 Mitigating poor authentication exploit with Secure Proxy & its Related Pattern
6.2.3 Mitigating Log Tampering with Secure Logger & its Related Pattern
6.2.4 Mitigating SQL Injection, Cross- Site Scripting and HTTP Response Splitting with Intercepting Validator and its Related Pattern

Chapter 7: Analysis of Security Patterns
7.1 Analysis between main security pattern and related pattern
7.1.1 Secure Pipe Pattern versus Message Intercepting Gateway
7.1.2 Secure service proxy versus message interceptor gateway
7.1.3 Secure logger pattern versus secure pipe pattern
7.1.4 Intercepting Validator versus Intercepting Filters
7.2 Views

Conclusion

References

List of figures

Figure 1 the operation of Web Application [5]

Figure 2: Secure Pipe Pattern Diagram [39]

Figure 3: Sequence Diagram of the Secure Pipe Pattern [42]

Figure 4 Message Interceptor Gateway Pattern

Figure 5 Secure Service Proxy Pattern Diagram

Figure 6 the sequence diagram of secure proxy pattern

Figure 7 Secure Logger Pattern Structure

Figure 8 Secure logger pattern using secure pipe pattern diagram

Figure 9 Intercepting Validator pattern diagram

Figure 10 the sequence diagram of Intercepting Validator Pattern diagram

Chapter 1: Introduction

1.1 Problems

In these advance world where paper had changed its form to electronic version and office had moved itself to cloud making the entire world very small place to communicate. People have become more inclined towards the technology due to the advances in technologies as their work can be done conveniently and faster than the normal scenario.

The advances in the technologies and the widespread of internet had come up with lots of advantages and disadvantages. On one hand internet had made the task very simple for a human being and one great examples is the discovery of email for sending letter to your friend, relatives etc is just a matter of seconds to anywhere in the world, as compared to olden days where if you want to send letter to someone living in abroad you have to wait fifteen days for the letter to be delivered. There are many such examples about the advantages these technologies had brought to us and the list is never ending.

On the other hand due to the widespread of internet and the huge acceptance of technologies in business community had developed a series of problem in the world. Also with the introduction of e-commerce in business further worsen the issues as business houses started doing business on the internet through readymade web-application developed by big brand such as Microsoft or Java Software or in-house web-application development.

These web-applications and business software’s had become one of the major targets for attacker because of the fact that many critical information can be derived such as credit card information, login credentials etc, from such attack and which can later be used for some financials benefits. Attack such as eavesdropping, exploiting poor authentication system, tampering the system log, cross-site scripting, SQL injection attack and HTTP Response Splitting are some of the most common attacks and very large in numbers.

One of the main reasons behind all this attack and which are already been proved by the industry experts and researcher is poor coding and design flaws of the web-application or software system. The developer who does the development of the web-application usually is not aware of the security and their main point of concentration is the functionality part of the application rather than its security implications.

Therefore, a solution should come up which will bridge up this gap between the development and security community. Additionally, the solution should also serves as the remedies for the attack which are identified above and helps in developing secure software and web-application.

In my thesis I have spoken about this solution in more detail so that the subject can easily be understood.

1.2 Aim and Objectives
Aim: The aim of this paper is to explore how security is incorporated by using security pattern in web-application.

Objectives: The Preliminary objective of this dissertation is as follows:

a. Introduce web-application and web-application security
b. Introduce design pattern and Security Pattern

The Main objective is to:

a. Identify a set of security patterns which can be used to address the issues in web-application
b. How effective these security patterns are in addressing the problems?
c. What are the benefits and liabilities of implementing this pattern in web-application?
d. Justify that security pattern actually improves the security of the web-application with proper example.

1.3 Structure:

The structure of paper is divided in four phase where each phase also includes chapters.

Phase 1 – This phase consists of two chapters where it provides introduction to web-application and web-application security along with attack and countermeasures to attack.

Phase 2 – This phase consists of two chapters where it provides introduction to design pattern and security pattern.

Phase 3 - This phase consists of two chapters where the security patterns are identified and also the implementation of the security pattern had been discussed in details along with their benefits and liabilities after implementation. This phase consist all of the work

Phase 4 - This phase consist of conclusion drawn from this thesis.

Chapter 2: Background on Web Application & Web Application Security

2.1 Background of Web- Application

Over the past 20 years, web had benefitted millions of businesses and served as the channel for the customer to communicate with the businesses for exchanging information. According to the survey more than 1 billion user uses internet today [Source - Computer Industry Almanac, 2006] and in the U.S alone the U.S e-commerce spending accounted for $102.1 billion in 2006[Source- comScore Networks, 2007]

Before explaining Web Application I would like to say the fundamental part of web application which is the word “application”. As said by Bob Baxley the word application means “a computer program designed for a specific task or use” [1]

In his document he also said that “The Fundamental purpose of all web applications is to facilitate the completion of one or more tasks” [2].

To start with the conversation I will categorize website into two forms: [3]

a. Content - Based Website.
b. Website Based for Service.

Content based website is the website which we can see in day to day life such as BBC News, ISBN Sports, Times of India etc. This kind of website is basically used for information where you can visit and read necessary information whereas the later which is service-oriented website are used for some specific task to be performed by the visitor of the website.Users who visit this kind of site have some objective to visit the website. This service –oriented based website is support by the application servers and a database servers in background which used web browser to interact with end user or client and is also known as web-application. One of the best examples of web-application is email where company like Google and Rediffmail is providing the web-based mailing client.

The most significant benefit of web-application that its need a web-browser as a client to interact with back end server. Web application follows the architecture of client-server environment. Client –Server environment can be explained as an environment where multiple computers have access and share the information such as entering private date into the database. [4]

The designer who develop the web-application does not have to worry to develop the client end for accessing the application for a specific computer or operating system as it uses the web browser as client that can run on any platform be it Mac, Windows or Linux. However some of the web-application only supports browser like Windows Explorer and Firefox and they are browser specific.

The technology commonly used in developing the web –application is the combination of server –side scripting such as ASP, PHP, JSP and client- side scripting known as HTML, DHTML, and JavaScript etc. The client –side deals with the overall presentation of the website and server-side takes care of the more vital part of the web-application such as storing or retrieving data from the database.

Another significant benefit of the web-application is that it can easily be implemented without much installation requirement and can also be easily deployed anywhere at no cost.

One of the vital aspects of web –application is how this web-application works? To explain the understanding of web –application operation, I will take a support of the Figure 1.1 to illustrate the operation of web –application:

illustration not visible in this excerpt

Figure 1 the operation of Web Application [5]

In the Figure above shows that the visitor had visit the company website and the initial request had been triggered by the visitor via browser to the web-server which is then forwarded to the web-application. The web-application in response to the request had accessed the database and performs the task requested such as modifying or retrieving the content of the database. After the process had been completed, the web-application then represents the information to the user via browser.

However, the future of web-application is going towards a new generation of web-application where the web-application will not need any backend server to store or retrieve data. It will be similar to the way you save your word document on your computer and it does not need server to the save that document on to the desktop.

2.2 Background on Web Application Security

The vulnerabilities in software had increased at an unexpected rate and in the year 2006, National Institute of Standards and Technology [NIST] National Vulnerability Database had recorded the informed vulnerability to something over 6,600 vulnerabilities. Due to these vulnerabilities a new trend had been emerged and the software community started including the security in their design and development phase which has resulted into overall improvement to operating system security.

As the operating system had become more secure there had been a shift in the hacker community. They started targeting the application layer vulnerabilities instead of operating system vulnerabilities. [6]

The changing business environment together with the advances in web-technologies has leaded the organization to adopt the web-application by default. Today any organization whether is it public, private or government sector depends solely on web-application to interact with customer or client.

Although the adoption of web-application in business community gives greater efficiency and convenience, it’s give rise to the new threat in security, which can be of significant risk to an organization if the I.T. Infrastructure of the organization had not been handled carefully.

As the web-application can be easily deployed, its growth is beyond expectation and due to this trend in web-application, I.T. Infrastructure became more complex and distributed which are harder to maintain from the security perspective. From almost a decade if you see then most of the organization had been dependent on the firewall for their security in order to protect their I.T Infrastructure. However now trends had been changed, hacker community is no longer targeting network perimeter such as firewall to gain access to the organization resources instead they are targeting more on the security flaws of the web-application design such as injection flaws, improper input validation etc. Therefore deploying of network perimeter will not be enough for the safeguard of web-application, a more robust security implementation is required to safeguard application from such threats.

The threats are generated in different way such as dishonest user, session-less protocols, insecure network and complex web technologies. In web-application the client end are not basically controlled by the owner of the application. Hence the input by a client cannot be fully trusted and processed directly. An attacker can masquerade as a legitimate user and thus create false message and cookies. In addition to this, HTTP is a session-less protocol and it is subjected to attack such as replay and injection attack.The HTTP Message can be easily tampered which will result in modified message and due widespread of spoofing software it can easily be spoofed or sniffed. [7]

According to the “2002 Computer Crime and Security Survey” conducted by Computer Security Institute & San Francisco FBI Computer Intrusion Squad.

“Web application incidents cost companies more than $320,000,000 in 2001.”

44% respondent to the 2002 Computer Crime and Security Survey were willing and able to quantify their financial losses .These respondents reported $455,848,000 in financial losses. [8]

Therefore the organization should understand the risk and threats properly in order to implement appropriate countermeasures or safeguard. Additionally both the technical and administrative security control must be reinforced for the security of the critical I.T. Infrastructure in response to the web-application deployment.

Chapter 3: Attacks and Countermeasures of Web - Application

With the increase in adoptability of the web-application by different organization comprises of private, public and government sector had given birth to different kind of attack on web-application.

The Open Web Application Security Project had become the industry de-facto guidelines for developing secure web-application software. The OWASP is free accessible worldwide and serves as the standard for secure development, However it is not regarded as standard officially and it’s just states a set of guidelines which are to be followed during web-application development.

The OWASP had listed the top ten vulnerabilities such as Cross-Site Scripting, Injection Flaws, and Malicious File Extension etc. The total list of the TOP TEN vulnerabilities of web application can be found on www.owasp.org

In this section of the project I will be discussing some of the most fundamental attack from the developer perspective in regard to web-application such as Eavesdropping, Poor Authentication Mechanism, Log Tempering, SQL Injection and Cross-Site Scripting and its countermeasures. However If the developer develop code by keeping in mind the security implication of the web-application then this kind of attack can be avoided. The details are discussed later on this thesis.

3.1 Eavesdropping

3.1.1 What is Eavesdropping?

Intercepting real-time private communication traffic in an unauthorized way is known as Eavesdropping. Some of the examples are insecure data transmission between computers, VOIP calls etc. The term eavesdrop had been derived from the word eaves which mean standing under the eaves of the house and listening the private conversation without the knowledge of the other. [9]

3.1.2 How Eavesdropping happen?

In my example of explanation I will be taking the scenario of the normal LAN network where all computers into the network are using the common shared media such as HUB to communicate with each other. Eavesdropping attack can be implemented in this kind of network.

In a normal network, the network interface card is usually set to a non-promiscuous mode by default and the network card is only bothered about the traffic intended to his address and leaves the other traffic. Eavesdropping attack is conducted by an attacker by setting the network interface card to promiscuous mode. Once this mode is activated the network interface card capture all traffic irrespective of its destination address ,thus an attacker can read all the traffic and can derived the password or other valuable information from the traffic if the traffic is not encrypted or secure.[10]

There are several tools available in the marketplace for eavesdropping such as ‘tcpdump’ [11] and ethereal [12].

3.1.3 Countermeasures for Eavesdropping

In this section I would be explaining the countermeasures from the perspective of web-application. As stated above that the attack happen on the network layer then how its effect the working of web-application. Following the attack, suppose an user entered his credit card detail in an website which has to processed for his payment online and during the transmission of this data, an attacker had intercepted it ,thus an attacker has a credit card information of the customer which he can used it later.

Therefore the most effective countermeasures suggested for this attack are as follows:

Proper segmentation of the network should be done and a strong security physical security should be placed. We have to first locally secure the traffic such as inside organization building or office.

The traffic should be fully encrypted during the transmission from one node to another node or one LAN to another LAN.A proper implementation of SSL and IPSEC should be done in order to provide a secure communication between nodes. [13]

3.2 Exploiting Poor Authentication

3.2.1 What is Poor Authentication?

In my example of explaining poor authentication I will take the most conventional authentication method of username and password which is widely used across every domain. Also most of the web-application used this conventional method to authenticate the client. One of the most significant weaknesses of this authentication method is that client usually uses weak password which are easy to guess and also sometime this client uses the same password across other domain for authentication.

Therefore an attacker can easily derive the password and used it for unauthorized access to the client resources.

3.2.2 How the poor authentication can be exploited?

As stated above that the client usually choose easy password which can be easily guessed. Following this scenario an attacker would deploy a dictionary attack which contain the list of most commonly used password. The dictionary attack will try the entire commonly used password on to the system for access till it successfully logged in and thus an attacker have a password which he can use and masquerade as a legitimate client to web-application and perform the task which he is not authorized to do.

3.2.3 Countermeasures of poor authentication

Several countermeasures had been suggested in the literature but among them the most common countermeasures are as follows:

[...]