1. Background
The Hypertext Transfer Protocol (HTTP) is one of the most common and fundamental web services of the Internet. As its popularity grows, the risks grow with it. According to Cyberlytic[1], web application attacks accounted for over 70% of all cyber attacks in 2017. Because of the increasing number of threats, it is crucial to maintain a high level of security to ensure the confidentiality, integrity, and availability of information transfer.
This report lists the four most common cyber attacks in the web application area and their countermeasures. They are:
- SQL Injection
- XSS Attack
- DDoS Attack
- Man-in-the-middle Attack
Although other reports such as the OWASP Top 10[1] list the ten most critical web application security risks, the four vulnerabilities above have been the most typical in recent years. I will give a short introduction to each attack together with a simple scenario. Some recent cybersecurity news from industry will also be included. Furthermore, countermeasures against each specific attack will be presented at the end of each chapter.
2. SQL Injection
2.1 Introduction
Injection was ranked as the number one vulnerability in web applications in the yearly report released by The Open Web Application Security Project (OWASP) in 2017[1]. SQL Injection (Fig. 1) is the most famous type of injection in web services. As Wikipedia describes it, “SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution”[2]. In other words, attackers submit untrusted commands or queries through a web page to trick the SQL interpreter, with the goal of stealing or modifying sensitive data in the database.
Imagine a scenario in which you were unhappy about your final grade in a graduate course. You wanted an A+, but unfortunately a D was given instead. You felt it was unfair, and an evil idea came into your mind: changing the score secretly. You tried to log in to the course space with the instructor’s account (username: “John’ or 1=1”, password: “123456” in Fig. 2). If the website had a SQL injection vulnerability, the interpreter would skip checking the password because “1=1” is always true, so you could access your instructor’s course space without even knowing his real password.
SQL injection has been well understood for many years and the defenses are simple and mature, but surprisingly, some big companies still fail to prevent this attack. One of the most typical examples was TalkTalk[3], a well-known telecom company in the UK. The hacker accessed the sensitive information of 156,959 customers through SQL injection and obtained their names, addresses, dates of birth, phone numbers and email addresses. The company was fined £400,000 over the attack.
2.2 Countermeasures
Compared to other cyber attacks, preventing SQL injection is simple and technically straightforward. There are four common methods[2]:
- Parameterized queries: the query inputs are passed as parameters rather than being concatenated into the SQL statement. Restrictive rules can also be set on the input side so that only the expected value types (e.g. letters, digits and underscores) are accepted.
- Escaping: the server escapes characters that have special meaning in SQL.
- Pattern check: the input string is checked against a specific safe pattern and rejected if it does not match.
- Database permissions: limit the web application’s privileges and expose only the database content it needs.
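The following Python example is added here to illustrate both the login scenario of section 2.1 and the four countermeasures listed above; it is not code from the report. It uses an in-memory SQLite table that I constructed, with made-up users and passwords. The injected username is the report's “John' or 1=1” followed by a SQL comment marker, so that the rest of the clause is discarded and the statement stays syntactically valid. Database permissions are approximated with SQLite's query_only pragma, which is my stand-in for a least-privilege database account.

```python
import re
import sqlite3

# Constructed in-memory course database for this demonstration only.
# (A real system would store password hashes, not plain-text passwords.)
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("John", "instructor-pw", "instructor"), ("alice", "alice-pw", "student")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """'Before' form: user input is pasted straight into the SQL text.
    An input such as  John' OR 1=1 --  turns the WHERE clause into
    username = 'John' OR 1=1 followed by a comment, so every row matches
    and the password is never really checked."""
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Countermeasure 1, parameterized query: the driver binds the values,
    so the input is compared as data and never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def escape_sql_literal(value):
    """Countermeasure 2, escaping: inside a SQL string literal a quote is
    written as two quotes, so an embedded quote can no longer end the literal.
    Parameterization is still preferable; this only shows the idea."""
    return value.replace("'", "''")


def login_escaped(conn, username, password):
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{escape_sql_literal(username)}' "
           f"AND password = '{escape_sql_literal(password)}'")
    return conn.execute(sql).fetchone()


USERNAME_PATTERN = re.compile(r"[A-Za-z0-9_]{1,32}")

def username_matches_pattern(username):
    """Countermeasure 3, pattern check: accept only letters, digits and
    underscores, rejecting quotes, spaces and comment markers before any query."""
    return USERNAME_PATTERN.fullmatch(username) is not None


def restrict_to_read_only(conn):
    """Countermeasure 4, database permissions, approximated with SQLite's
    query_only pragma: the login code path may read but never write, so even
    a successful injection cannot change a grade."""
    conn.execute("PRAGMA query_only = 1")
    return conn


def try_change_role(conn):
    """Attempt a write through the restricted connection; False means blocked."""
    try:
        conn.execute("UPDATE users SET role = 'instructor' WHERE username = 'alice'")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_db()
    attack = "John' OR 1=1 --"
    print("vulnerable    :", login_vulnerable(db, attack, "123456"))
    print("parameterized :", login_parameterized(db, attack, "123456"))
    print("escaped       :", login_escaped(db, attack, "123456"))
    print("pattern check :", username_matches_pattern(attack))
    print("write blocked :", not try_change_role(restrict_to_read_only(db)))
```

Running it shows the vulnerable login returning the instructor's row for a wrong password, while the parameterized and escaped versions return nothing, the pattern check rejects the input outright, and the read-only connection refuses the grade change. The four measures are complementary: parameterization fixes the query, the pattern check stops bad input early, and the permission limit bounds the damage if the other two are ever bypassed.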
3. XSS Attack
3.1 Introduction
XSS (cross-site scripting) is the second most prevalent issue and is found in around two-thirds of all applications, according to OWASP 2017 [1].
Before we talk about XSS attacks, let us introduce a basic web concept called the same origin policy. It means that scripts in a web page can access another web page as long as the two pages have the same URI scheme, hostname, and port number. For example (Fig 3), http://attacker.com/a and http://attacker.com/b come from the same origin, while http://attacker.com/a and http://wikipedia.org do not because they have different domains. The same origin policy reduces repetitive and unnecessary authentication when the user opens another page of the same website: the new page can still access the cookies of the old page. At the same time, the policy separates different web pages and prevents malicious scripts on an unknown page from accessing sensitive data on a protected page.[4]
The same origin policy protects our websites, but an XSS vulnerability can easily bypass that protection. The attacker may inject malicious scripts into a website and steal sensitive data such as the user’s authenticated session ID. The attacker then impersonates the user with the stolen session ID when communicating with the server, and the server treats the attacker as an authenticated user because of that session ID. This may cause great loss if the vulnerable website belongs to a bank.
Fig. 4 is a typical example of an XSS attack. The attacker finds a vulnerable website and sends a script-injected link to victims by email. When a victim clicks the malicious link and requests the legitimate website, his browser loads the trusted website and also executes the malicious script, which sends the victim’s private data to the attacker. In the end, the hacker begins his crime with the private data he receives.
Internet companies always try to fix XSS flaws in their products as soon as possible because the vulnerability may bring serious damage. On Nov 5, 2018, the online note-taking company Evernote patched an XSS issue in the rendering of attachment filenames (Fig. 5). The flaw allowed an attacker to embed a link to his malicious JS code in the file name; when other Evernote users clicked the share link of the file, the malicious JS code would run. The flaw was discovered by a Chinese researcher on September 27. Instead of exploiting it, he recorded a demo[5] and promptly informed Evernote.
3.2 Countermeasures
Preventing XSS attacks can be hard, depending on the complexity of the application. The key point is to always strictly check user-controllable data: add a validating filter before processing the user’s input wherever possible. Even if the attacker bypasses the input check and successfully submits his script, there is still a way to prevent the malicious code from running: encode the user-supplied content in the HTTP response so that it cannot be interpreted as active content. This stops insecure code from running in other users’ browsers. In addition, the HTTP headers Content-Type and X-Content-Type-Options can be used to forbid a response from being treated as HTML or JavaScript.
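As an added example (not code from the report or from Evernote), the Python below applies the three measures of this section to the attachment-filename case described in 3.1: an input filter, output encoding for the HTML and URL contexts, and download headers that keep the browser from sniffing the body as HTML. The filename, the `/files/` path and the header set are my own constructed values; the script tag in the sample name is an inert marker used only to compare the two renderings.

```python
import html
import re
from urllib.parse import quote

# Constructed attachment name modelled on the filename scenario; the script
# tag is an inert test marker for checking the rendering, not a real payload.
UNTRUSTED_FILENAME = 'notes.txt<script>alert(1)</script>'

FILENAME_PATTERN = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,254}")

def filename_is_allowed(filename):
    """Input filter: accept only a conservative allow-list of characters,
    so a name carrying markup is rejected before it is ever stored."""
    return FILENAME_PATTERN.fullmatch(filename) is not None


def render_attachment_unsafe(filename):
    """'Before' form: the stored filename is interpolated raw into the HTML,
    so markup inside it becomes active content in every viewer's browser."""
    return f'<li><a href="/files/{filename}">{filename}</a></li>'


def render_attachment_safe(filename):
    """Output encoding: escape for the HTML text context and percent-encode
    for the URL path context, so the browser shows the name as plain text."""
    text = html.escape(filename, quote=True)
    path = quote(filename, safe="")
    return f'<li><a href="/files/{path}">{text}</a></li>'


def download_headers(filename):
    """Headers for serving the attachment bytes: a non-HTML content type plus
    nosniff stops the browser from interpreting the body as HTML or script,
    and only a sanitized name goes into Content-Disposition."""
    safe_name = re.sub(r"[^A-Za-z0-9 ._-]", "_", filename)
    return {
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


def contains_script_tag(markup):
    """Simple check used to compare the two renderings."""
    return re.search(r"<script", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("allowed by filter :", filename_is_allowed(UNTRUSTED_FILENAME))
    print("unsafe rendering  :", render_attachment_unsafe(UNTRUSTED_FILENAME))
    print("safe rendering    :", render_attachment_safe(UNTRUSTED_FILENAME))
    print("download headers  :", download_headers(UNTRUSTED_FILENAME))
```

Note that the encoding is chosen per context: `html.escape` is right for text between tags and for quoted attribute values, but a value placed in a URL path needs percent-encoding instead, which is why the two occurrences of the filename are treated differently. The input filter alone is not enough, because a name that was stored before the filter existed would still reach the renderer.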
4. DDoS
4.1 Introduction
DDoS stands for distributed denial-of-service, one of the most well-known attacks in the cybersecurity field. “It is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled”[6], and at the same time “the incoming traffic flooding the victim originates from many different sources”, which makes a DDoS attack very hard to stop. The idea is easy to understand. Imagine going to buy a printer on Black Friday (Fig 6): you go to Walmart or Costco only to find a crowd jammed at the entrance, congesting it and preventing you from entering the shop. In some sense this resembles a DDoS attack.
Black Friday comes only once a year, but DDoS attacks happen almost all the time all over the world. In November 2018, Internet users in Columbia reported difficulties accessing online services for a whole week because of a large-scale DDoS attack launched against the country’s ISPs (Internet Service Providers) [7]. On August 28, 2018, the website of Spain’s central bank was intermittently offline due to a DDoS attack, but luckily the disruption had no effect on the bank’s regular operations[8].
According to a report [9] released by Verisign, a DDoS defense provider, the number of DDoS attacks increased 35% in Q2 2018 compared with Q1 2018, and the three most targeted industries were financial services, IT services/cloud/SaaS and telecom, accounting for 57%, 26% and 17% respectively (Fig. 7). The largest attack in Q3 had a volume of 42 Gbps and a rate of 4.7 Mpps, and 26% of the DDoS attacks exceeded 5 Gbps. UDP (User Datagram Protocol) flood attacks were the most popular attack type, accounting for 56% of all attacks (Fig. 8). DDoS attacks are so popular mainly because of their extremely low cost: for instance, a 300-second attack at 125 Gbps costs only $7.5.
In web services, HTTP floods at the application layer and SYN floods at the transport layer are two of the most common DDoS attacks.
4.1.1 HTTP flood attack
An HTTP flood attack (Fig. 9) uses standard, valid GET/POST requests to overwhelm the target server. Once the server’s capacity is saturated, denial of service occurs.
4.1.2 SYN flood attack
In a SYN flood attack, the attacker sends a succession of “SYN” requests to the targeted server but never responds with an “ACK” after receiving the server’s “SYN-ACK”, keeping the server waiting and making it unavailable to other legitimate users. A SYN flood happens at the transport layer, but since HTTP communication runs over TCP, it is a common way to launch a DDoS attack against the application layer. Fig. 10 shows a normal TCP connection, and Fig. 11 shows the details of a SYN flood attack.
4.2 Countermeasures
It can be hard to distinguish DDoS attack traffic from normal web requests since it comes from distributed sources, but there are still ways to detect whether a client is a bot. One method is the CAPTCHA test: the server can deny a user access to a web service if he or she fails to enter the correct characters. CAPTCHA tests are commonly used by websites such as Google and Amazon.
Another way to stop DDoS attacks is a Web Application Firewall (WAF, Fig 12). A WAF applies a set of rules to filter out malicious traffic and protect the web application. During a DDoS attack, rate limiting can be implemented quickly by modifying the WAF rules. Cloud companies such as Amazon, Microsoft and Cloudflare also maintain IP reputation databases to track and block malicious traffic. In this respect, one effective way for a small website operator to defend against DDoS is to migrate its service to a cloud such as AWS or Azure and keep the site protected by a stronger WAF.
In addition, a back-end server with low capacity leaves its website vulnerable to DDoS attacks. A good load balancer can increase capacity by spreading traffic across multiple servers, and it can also relieve the pressure of high traffic when the website is under a DDoS attack.
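The rate-limiting rule mentioned for the WAF is the one countermeasure here that is easy to show in code. The Python below is an added example, not code from the report or any WAF product: it replays constructed web-server log lines (in Common Log Format, with addresses from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) through a per-client sliding-window limiter, so an HTTP flood from one source is cut off after its allowance while a normal client is untouched. The limit of 20 requests per 10 seconds is an assumed value for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format line, e.g.
#   203.0.113.7 - - [10/Dec/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, request) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window` seconds.
    Timestamps older than the window are discarded, so a client that slows
    down regains its allowance without a manual reset."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = timedelta(seconds=window_seconds)
        self.recent = defaultdict(deque)

    def allow(self, ip, ts):
        q = self.recent[ip]
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def apply_limiter(lines, limit=20, window_seconds=10):
    """Replay log lines in time order; return {ip: (allowed, dropped)}."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    events.sort(key=lambda e: e[1])
    limiter = SlidingWindowLimiter(limit, window_seconds)
    counts = defaultdict(lambda: [0, 0])
    for ip, ts, _req in events:
        idx = 0 if limiter.allow(ip, ts) else 1
        counts[ip][idx] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


def sample_log():
    """Constructed traffic: one source (203.0.113.7) sends 30 GETs in 5
    seconds, while a normal client (198.51.100.4) sends 3 in the same period."""
    base = datetime(2018, 12, 10, 10, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i // 6)).strftime(fmt)
        lines.append(f'203.0.113.7 - - [{ts}] "GET / HTTP/1.1" 200 512')
    for sec in (0, 2, 4):
        ts = (base + timedelta(seconds=sec)).strftime(fmt)
        lines.append(f'198.51.100.4 - - [{ts}] "GET /index.html HTTP/1.1" 200 2048')
    return lines


if __name__ == "__main__":
    for ip, (ok, dropped) in apply_limiter(sample_log()).items():
        print(f"{ip:14} allowed={ok:3} dropped={dropped:3}")
```

A per-address limit like this handles a single noisy source or a small botnet, which is the HTTP-flood case; it does nothing against a flood spread thinly over thousands of addresses, which is where the IP reputation data and the extra capacity of a cloud provider or load balancer described above come in.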
5. Man-in-the-middle Attack
5.1 Introduction
As Wikipedia puts it, “in cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other”[10]. This means a MITM attacker can read and modify the messages of the communication (Fig. 13).
Imagine you are on a phone call with your girlfriend who lives abroad, and at the same time there is a creepy man in the middle of your phone channel who hears every sentence you say. When you say “I love you”, he alters your heart-warming message into a heart-breaking one like “I want to break up with you”. Your girlfriend then receives the malicious message, and she may decide to end the relationship.
In web services, a MITM attacker can sniff and modify the content exchanged between users and web applications. Among the MITM attacks of the last decade, a notable instance involved Nokia and its Xpress Browser in 2013[11]. The browser deliberately decrypted users’ HTTPS sessions on Nokia’s proxy servers, giving the company access to users’ private data such as credit card numbers and passwords. Web traffic over HTTPS is believed to be more secure than HTTP because the content is encrypted before it is exposed to the Internet, but Nokia’s browser was the one that encrypted the data, so it was also able to decrypt it. What the company did was a MITM attack, even though it removed this “feature” in a later version of the browser.
Another MITM example involved Sennheiser’s HeadSetup software in Nov. 2018 [12]. The software is a client application that runs in the background on the headset user’s PC, but it was found to install a root certificate into the Trusted Root CA Certificates store. This could enable MITM attacks because a hacker could install his own malicious certificate in the same way, and clients would believe the hacker’s website is secure because it carries a certificate.
Some MITM attacks are hard to avoid because they are introduced by trusted manufacturers such as Nokia and Sennheiser. But there are still two ways to prevent and detect MITM attacks launched by real hackers: authentication and tamper detection. Authentication tells whether a given message came from a trusted source, while tamper detection merely shows evidence that a message may have been altered.
5.2 Countermeasures
5.2.1 Authentication
HTTP (HyperText Transfer Protocol) is considered insecure because it transports the user’s content in plain text, which means anybody on the Internet can sniff sensitive information in the content, and receivers cannot tell whether the content has been changed. In other words, HTTP is vulnerable to MITM attacks.
HTTPS refers to HTTP over TLS (Transport Layer Security) and is considered the secure version of HTTP. Indeed, “the principal motivation for HTTPS is authentication of the accessed website and protection of the privacy and integrity of the exchanged data while in transit”, and “it protects against man-in-the-middle attacks.” [13]
In the HTTPS structure, a trusted third party called a Certificate Authority (CA) issues certificates to clients and servers (in most cases only the server needs to be authenticated). The certificate contains information about its owner and its issuer; the most important item is the public key. The client encrypts its web request with this public key, and only the true owner of the certificate, who holds the private key, can decrypt the message. A trusted certificate for the Wikipedia website is shown in Fig 16. If a MITM attacker is trying to hijack the conversation, the client’s browser will pop up an alert reminding the user that the certificate is not trusted (Fig 17).
But since certificate errors arise from many kinds of problems, for example an expired certificate, most users still ignore the warning and “proceed anyway”, which leaves the conversation vulnerable to MITM attacks. If you need to enter any confidential information such as a credit card number, it is wise to think twice before proceeding.
5.2.2 Tamper detection
Because of the complexity of HTTPS encryption and decryption, establishing a connection between the client and the server takes a considerable amount of time, and this time can double when a MITM attack is present, because the attacker has to decrypt the conversation and encrypt it again after altering the content. One way to detect a potential MITM attack is therefore latency examination: by checking for discrepancies in response times compared with regular data, we might find an abnormal conversation that may be a potential MITM attack. Furthermore, machine learning methods such as decision trees or hidden Markov models are also used to detect the attack.
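The latency examination just described can be carried out with a simple baseline comparison. The Python below is an added example and not code from the report: it takes a constructed baseline of response times measured under normal conditions, scores each new session by how many standard deviations it sits above the baseline mean, and flags the outliers. The millisecond values, the session ids and the threshold of three standard deviations are all my assumptions for the demonstration.

```python
import statistics

# Constructed baseline of handshake-plus-first-response times in milliseconds,
# assumed to have been measured under normal conditions for one server.
BASELINE_MS = [118, 121, 119, 123, 117, 120, 122, 118, 121, 119]

def latency_zscore(baseline, observed_ms):
    """How many baseline standard deviations `observed_ms` lies above the mean."""
    mean = statistics.mean(baseline)
    stdev = statistics.stdev(baseline)
    if stdev == 0:
        stdev = 1e-9  # avoid division by zero for a perfectly flat baseline
    return (observed_ms - mean) / stdev


def classify_session(baseline, observed_ms, z_threshold=3.0):
    """'suspect' when the response time is far above the baseline, as it
    would be if an extra decrypt-and-re-encrypt hop sat in the path;
    otherwise 'normal'. Returns (label, rounded z-score)."""
    z = latency_zscore(baseline, observed_ms)
    return ("suspect" if z > z_threshold else "normal"), round(z, 2)


def flag_sessions(baseline, sessions, z_threshold=3.0):
    """Examine a batch of {session_id: observed_ms} and return the suspect ids."""
    return sorted(
        sid for sid, ms in sessions.items()
        if classify_session(baseline, ms, z_threshold)[0] == "suspect"
    )


# Constructed observations: most resemble the baseline, while one takes
# roughly twice as long, the pattern the text associates with an interposed relay.
SESSIONS = {"s1": 120, "s2": 124, "s3": 245, "s4": 117}

if __name__ == "__main__":
    for sid, ms in SESSIONS.items():
        label, z = classify_session(BASELINE_MS, ms)
        print(f"{sid}: {ms} ms  z={z:6.2f}  {label}")
    print("suspect sessions:", flag_sessions(BASELINE_MS, SESSIONS))
```

The baseline must be collected per server and network route, since a mobile client and a wired one will never share one distribution, and a single slow reading is a reason to investigate the connection's certificate chain rather than proof of an attack; latency is a supporting signal next to the certificate authentication of 5.2.1, not a replacement for it.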
Conclusion
Cyber attacks have led to disastrous and grievous consequences for web applications. This report has introduced the four most common cyber attacks: SQL Injection, XSS Attack, DDoS Attack and Man-in-the-middle Attack, together with their countermeasures in web applications. For each attack, a short introduction and a simple scenario were given, and some recent cybersecurity news from industry was included as well. At the end of each chapter, countermeasures against the specific attack were listed.
References
[1] GitHub. (2018). OWASP/Top10. [online] Available at: https://github.com/OWASP/Top10 [Accessed 8 Dec. 2018].
[2] En.wikipedia.org. (2018). SQL injection. [online] Available at: https://en.wikipedia.org/wiki/SQL_injection [Accessed 8 Dec. 2018].
[3] Ico.org.uk. (2018). TalkTalk gets record £400,000 fine for failing to prevent October 2015 attack. [online] Available at: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-attack/ [Accessed 8 Dec. 2018].
[4] En.wikipedia.org. (2018). Same-origin policy. [online] Available at: https://en.wikipedia.org/wiki/Same-origin_policy [Accessed 8 Dec. 2018].
[5] Osborne, C. (2018). Evernote for Windows patch resolves stored XSS vulnerability | ZDNet. [online] ZDNet. Available at: https://www.zdnet.com/article/evernote-for-windows-patch-resolves-stored-xss-vulnerability/ [Accessed 8 Dec. 2018].
[6] En.wikipedia.org. (2018). Denial-of-service attack. [online] Available at: https://en.wikipedia.org/wiki/Denial-of-service_attack [Accessed 8 Dec. 2018].
[7] Cimpanu, C. (2018). Cambodia’s ISPs hit by some of the biggest DDoS attacks in the country’s history | ZDNet. [online] ZDNet. Available at: https://www.zdnet.com/article/cambodias-isps-hit-by-some-of-the-biggest-ddos-attacks-in-the-countrys-history/ [Accessed 8 Dec. 2018].
[8] Bankinfosecurity.com. (2018). Bank of Spain Hit by DDoS Attack. [online] Available at: https://www.bankinfosecurity.com/bank-spain-hit-by-ddos-attack-a-11430 [Accessed 8 Dec. 2018].
[9] Verisign.com. (2018). Protect Your Business with Verisign’s Security Services – Verisign. [online] Available at: https://www.verisign.com/assets/report-ddos-trends-Q22018.pdf [Accessed 8 Dec. 2018].
[10] En.wikipedia.org. (2018). Man-in-the-middle attack. [online] Available at: https://en.wikipedia.org/wiki/Man-in-the-middle_attack [Accessed 8 Dec. 2018].
[11] Gigaom.com. (2013). [online] Available at: https://gigaom.com/2013/01/10/nokia-yes-we-decrypt-your-https-data-but-dont-worry-about-it
[12] TheINQUIRER. (2018). Sennheiser’s HeadSetup software is vulnerable to MITM attacks. [online] Available at: https://www.theinquirer.net/inquirer/news/3067212/sennheisers-headsetup-software-vulnerable-to-man-in-the-middle-attacks [Accessed 8 Dec. 2018].
[13] En.wikipedia.org. (2018). HTTPS. [online] Available at: https://en.wikipedia.org/wiki/HTTPS [Accessed 8 Dec. 2018].