Web Server Application Attacks
Assignment # 1
Mariz Cebron
Common web application vulnerabilities and attacks, and recommended mitigation strategies

The World Wide Web has evolved into a critical delivery pipeline for institutions to interact with customers, partners and employees. Through browsers, people use web sites to send and receive information as Hypertext Transfer Protocol (HTTP) requests and responses, typically carrying Hypertext Markup Language (HTML), to web applications hosted on web servers. Because the server processes this input as though it were legitimate, an attacker can craft it to exploit weaknesses in the application and compromise its security.

a.) Authentication - one of the biggest web application weaknesses is the failure to provide strong authentication that verifies the end user is who he or she claims to be. Before granting access to a web application, a server may require the end user to authenticate in order to identify the user or determine the user's access privileges. To mitigate these risks: employ strong authentication and transmit credentials only over HTTPS so that they are encrypted in transit (HTTPS protects the credentials on the wire; it does not by itself verify who the user is), require re-authentication after a set time interval or when moving between sensitive pages, regularly test the authentication mechanism, and implement authorization checks so that an authenticated user can reach only the resources he or she is entitled to.

b.) SQL injection - Many web applications do not properly validate user input or escape special characters in it before using that input directly in SQL queries. SQL injection is an attack technique that takes advantage of this weakness to extract or alter information in the database. Attackers enter SQL syntax or special characters (for example a single quote) into the web application's input fields so that the application executes an unexpected query that acts on their behalf. Such queries can result in access to unauthorized data, bypass of authentication, or the shutting down of a database, regardless of whether the database resides on the web server or on a separate server. To mitigate these risks: Ensure
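The authentication bypass described under b.), as an added example that is not part of the original assignment: a login check that builds its SQL by string concatenation, beside the same check written with bound parameters. The in-memory SQLite table, the user "alice", her password and the two injection payloads are all constructed here for illustration and are assumptions, not data from the paper.

```python
import sqlite3


def make_db():
    # Constructed sample data: one user in an in-memory SQLite database.
    # A real application would store a salted password hash, not the
    # password itself; plaintext is used only to keep the injection visible.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def vulnerable_query(username, password):
    # The user-supplied strings are pasted straight into the SQL text, so a
    # quote or comment marker in the input changes the structure of the query.
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    # Returns True if any row matches: with injected input that can happen
    # without the attacker knowing a valid password.
    return conn.execute(vulnerable_query(username, password)).fetchone() is not None


def login_parameterized(conn, username, password):
    # The query text is fixed; the inputs are bound as values, so the database
    # never interprets them as SQL syntax.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo():
    # Runs both implementations against legitimate input and two classic
    # payloads (assumed here for illustration) and returns the outcomes.
    conn = make_db()
    good_user, good_pw = "alice", "correct horse battery staple"
    comment_payload = "alice' --"        # comments out the password check
    tautology_payload = "' OR '1'='1"    # makes the WHERE clause always true
    return {
        "vuln_legit": login_vulnerable(conn, good_user, good_pw),
        "vuln_wrong_password": login_vulnerable(conn, good_user, "wrong"),
        "vuln_comment_bypass": login_vulnerable(conn, comment_payload, "anything"),
        "vuln_tautology_bypass": login_vulnerable(conn, "nobody", tautology_payload),
        "param_legit": login_parameterized(conn, good_user, good_pw),
        "param_wrong_password": login_parameterized(conn, good_user, "wrong"),
        "param_comment_bypass": login_parameterized(conn, comment_payload, "anything"),
        "param_tautology_bypass": login_parameterized(conn, "nobody", tautology_payload),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", "logged in" if outcome else "rejected")
```

With the concatenated query, both payloads log in without a valid password; with bound parameters the same strings are compared literally against the stored values and rejected. Parameterized queries (prepared statements) are the primary defence, with input validation as a second layer rather than a replacement.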