Arjun_CDS_Assignment_2 (docx)
School: Florida Atlantic University
Course: 5195
Subject: Information Systems
Date: Feb 20, 2024
Pages: 8
Assignment - 2
Arjun Ravichetti
Z23718642
1. a. Can you tell if the BST site is vulnerable to cross-site scripting based on the provided information? Why or why not?
Yes, the BST site is indeed vulnerable to cross-site scripting based on the information given. To log in and view reservations, users must follow the URL sent by the legitimate company. After reviewing the information, I have identified a few vulnerabilities.
They are: users access their account by using the URL provided by BST. When the user clicks on the URL, it leads to the website's welcome page, where they log in and can then browse their reservation information. The e-mail address is validated on the server, with no other proper validation on the user's side. The attacker could possibly have influenced the given URL, since there is only a single e-mail validation and no additional authentication. This makes it easier for attackers to insert malicious code into this page, enabling them to access user data without proper validation or any other security measure. Since only the e-mail address is validated on the server and there is no extra authentication, it is simpler for attackers to obtain user information, leading to cross-site scripting.[1]
The next vulnerability that I noticed is that the sign-in page welcomes the user and displays their e-mail id in the top corner of the screen. If the e-mail is invalid, a helpful message is displayed when the e-mail address is mistyped. This error message, displayed when the user enters a wrong e-mail address, provides too much information. It can be seen as a vulnerability because it discloses sensitive details that are likely to be used by attackers. They can split the attack into phases, i.e. phase one and phase two, until they locate an active or valid user account. Once they have a list of valid accounts, they may attempt to guess the password for these accounts. In the next phase, they can concentrate on guessing passwords as soon as they know that the accounts are valid.[2]
b. [1] Provide an example of the input that would execute a cross-site scripting attack. Explain how the input works.
Input that would execute a cross-site scripting attack:
<script>alert(LOGIN SUCCESSFUL)</script>
The above malicious script is embedded in the link
http://bestservicestravel.com/emailaddress/search?destination= <script>alert(LOGIN SUCCESSFUL)</script> “Miami”
When the user clicks the link, the request is sent to the server without proper validation of the destination value. This allows an attacker to embed malicious code in the URL. For example, using the script alert, a false prompt can appear on the web page after clicking the submit button, falsely indicating a successful login. Many other similar malicious scripts can be used to obtain sensitive information.
For example: <script>alert(document.cookie)</script>
The image shows the output of the above code to obtain user cookies.[3]
c. [1] What specific actions can BST take to defend against the attack?
To detect and prevent cross-site scripting (XSS) attacks, various straightforward and effective methods are available. One method involves sanitizing user input data. This technique passes the input through a sanitization function that removes unnecessary characters instead of rejecting invalid user data. Different escaping techniques are used depending on where in the HTML the data is placed.[4]
For the XSS attack in the previous question, one kind of solution is given below:
filter_var('http://bestservicestravel.com/emailaddress/search?destination=<script>alert(LOGIN SUCCESSFUL)</script>"Miami"', FILTER_SANITIZE_URL)
The above code removes tags from the URL and gives http://bestservicestravel.com/emailaddress/search?destination="Miami" as output.
1. filter_var('wes<script>123rd4', FILTER_SANITIZE_NUMBER_INT)
The above code removes the invalid characters and gives the integer 1234 as output.[4]
2. filter_var('name<script>@example.net', FILTER_SANITIZE_EMAIL)
The above code removes the invalid characters from the e-mail and gives name@example.net as output.[4]
3. filter_var('<h1>XSS-Attack</h1>', FILTER_SANITIZE_STRING)
The above code removes tags from the string and gives XSS-Attack as output.[4]
4. filter_var('https://exp.?example?.net', FILTER_SANITIZE_URL)
The above code removes the invalid characters from the URL and gives https://exp.example.net as output.[4]
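The following is an added example in Python, not the assignment's own PHP and not code from BST. It takes the destination value from part b and contrasts the two approaches named above: sanitizing (stripping tags) versus escaping for the context the value is written into (an HTML text node, or a URL query string). One caveat for anyone reusing the filter_var() call above: PHP's FILTER_SANITIZE_URL removes only characters that are not legal in a URL, and `<` and `>` are among the characters it keeps, so encoding the value at the point where it is written into the page is the step that actually renders the script inert. The host name is the one used in the assignment; the functions and the sample value are constructed for this example.

```python
import html
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed sample input: the destination value from the URL in part b,
# carrying the assignment's script payload. Test data only, not a real request.
RAW_DESTINATION = '<script>alert(LOGIN SUCCESSFUL)</script>"Miami"'


def strip_tags(value: str) -> str:
    """Sanitization: drop anything between '<' and '>'.

    Shown only for contrast. Stripping is lossy, leaves the script body behind
    as ordinary text, and malformed markup can slip past simple strippers.
    """
    out, depth = [], 0
    for ch in value:
        if ch == "<":
            depth += 1
        elif ch == ">" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def render_destination_html(value: str) -> str:
    """Escaping for an HTML text context: html.escape() encodes <, >, &, " and '
    so the browser displays the text and never parses it as a tag."""
    return "<p>Results for: {}</p>".format(html.escape(value, quote=True))


def build_search_url(value: str) -> str:
    """Escaping for a URL query context: percent-encode the value so characters
    that matter to a URL parser cannot change the URL's structure."""
    base = "http://bestservicestravel.com/emailaddress/search"  # host from the assignment
    return base + "?" + urlencode({"destination": value})


def destination_from_url(url: str) -> str:
    """Server side: read the raw parameter back. Decoding is fine; what matters
    is that the value is encoded again at every place it is written out."""
    return parse_qs(urlparse(url).query).get("destination", [""])[0]


if __name__ == "__main__":
    print(strip_tags(RAW_DESTINATION))
    print(render_destination_html(RAW_DESTINATION))
    print(build_search_url(RAW_DESTINATION))
```

Running the block shows the difference: strip_tags() leaves `alert(LOGIN SUCCESSFUL)"Miami"`, which is harmless here but only by luck, while render_destination_html() keeps the full value and emits it as `&lt;script&gt;...&lt;/script&gt;`, which no browser executes. The URL builder and parser round-trip the value unchanged, which is the point: the server can accept the raw string as long as every output path encodes it.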
d. [2] Can you tell if the BST site is vulnerable to injection attacks based on the provided information? Why or why not?
Certainly, based on the provided information, it is confirmed that the BST site is susceptible to injection attacks. This means that an attacker has the ability to insert harmful JavaScript code into the web application. This malicious code is triggered when a user tries to log in. Consequently,
it can lead to a situation where the user's input data is displayed on the webpage without undergoing the necessary checks for validity.
SQL injection is also possible in the given scenario: because the only way to log in is by providing an e-mail address, and the server doesn't properly check and clean this input, there is a risk. An attacker could exploit this weakness to get into the database without permission. They can do this by sneaking harmful SQL code into the conversation between the application and the database server using crafted input.[5][2]
e. [1] Provide an example of the input that would execute an injection attack. Explain how the input works.
Here is the link that a user uses to access their account: http://bestservicestravel.com/emailaddress.
Imagine that this URL is linked to a login form that is vulnerable and checks the input using SQL queries. In such a scenario, an attacker could try a SQL injection like the following modified URL:
http://bestservicestravel.com/emailaddress?password='123' OR '1'='1'
The injection takes place in the "password" input field, where the payload '123' OR '1'='1' is added to the "password" parameter. The injected payload changes the SQL query so that it always evaluates to true, which could allow unauthorized access to the application or its data.[5][2]
f. [1] What specific actions can BST take to defend against the attack?
Firstly, whitelisting, which means only allowing specific characters or patterns in input fields. For instance, in a username field, you might limit special characters to prevent harmful input. On the other hand, blacklisting blocks certain characters or words defined by the developer, such as the SQL keywords UNION, AND and OR, to stop attackers from manipulating queries.[5]
Second, parameterized queries are a strong defense against SQL injection. They use preset SQL templates with blank spaces for user input. The server checks and validates user input before it is sent to the database. This structure makes it tough for malicious SQL code to be executed directly in the database.[5]
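To make parts e and f concrete, here is an added Python example (not the assignment's own code and not BST's). It builds a throwaway SQLite table, runs the payload from part e against a login query that concatenates its inputs into the SQL text, then runs the same payload against the parameterized form, and finishes with an allowlist check for the one field BST's login takes, an e-mail address. The table contents, the user, and the e-mail pattern are all constructed for the example.

```python
import re
import sqlite3


# Constructed in-memory table standing in for BST's user store. Passwords are
# kept in clear here only to keep the example short; a real system stores a
# salted password hash and compares against that.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (email TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice@example.com', 'correct horse')")
    con.commit()
    return con


# The payload from part e, exactly as it would arrive in the password parameter.
INJECTED_PASSWORD = "'123' OR '1'='1'"


def login_concatenated(con: sqlite3.Connection, email: str, password: str):
    """The vulnerable form: user input is pasted into the SQL text, so the
    injected OR '1'='1' becomes part of the WHERE clause and every row matches."""
    sql = ("SELECT email FROM users WHERE email = '" + email
           + "' AND password = " + password)
    return con.execute(sql).fetchone()


def login_parameterized(con: sqlite3.Connection, email: str, password: str):
    """The fixed form: placeholders keep the SQL template fixed and the driver
    passes the values separately, so the same payload is compared as a literal
    string and matches nothing."""
    return con.execute(
        "SELECT email FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()


# Allowlist validation for the login field: accept only strings that look like
# an e-mail address. Constructed pattern for the example, not full RFC 5322.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_allowed_email(value: str) -> bool:
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", login_concatenated(db, "nobody@example.com", INJECTED_PASSWORD))
    print("parameterized:", login_parameterized(db, "nobody@example.com", INJECTED_PASSWORD))
    print("allowlist    :", is_allowed_email("alice@example.com"),
          is_allowed_email("alice@example.com' OR '1'='1"))
```

With an e-mail that does not exist, the concatenated query still returns alice's row because the OR clause makes the whole condition true; the parameterized query returns nothing. The allowlist check rejects the quote and space characters before the value ever reaches the database, which is the layered defense the answer describes.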
g. [2] Based on the provided information, what other vulnerabilities are present in the BST login mechanism? Be specific.
According to the information given, the BST website's login mechanism has a vulnerability due to the absence of multifactor authentication (MFA). This means that the system relies solely on a password for user authentication. In this situation, an attacker can exploit this weakness because only the e-mail is used for validating user input to access the website. This single-factor authentication setup is risky because it makes it easier for attackers to steal user credentials, potentially resulting in the loss of user account data.
I found another security issue related to error handling in the provided information. When someone enters an invalid e-mail during login, the system shows a complete and helpful error message. This might create a vulnerability because revealing specific information about why a login failed can lead to security problems. Attackers could use this to their advantage by repeatedly trying different e-mail addresses. When they see an error message change, they will know they have found a valid e-mail; this could lead to phishing attacks. They can then focus on guessing passwords for these valid accounts. Attackers might also send fake e-mails that look real and contain links to a fake login page, trying to steal passwords and other important information from users. Proper error handling should be taken care of at the server's end by giving generic error messages, for instance "INVALID LOGIN".[2]
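An added Python example (not part of the assignment and not BST code) showing the two halves of the fix suggested above: a login routine that returns the same generic "INVALID LOGIN" message whether the e-mail is unknown or the password is wrong while recording the real reason server-side, and a small detector that reads those server-side records and flags a client address whose failed logins span many distinct e-mails, the pattern of someone probing for valid accounts. The user table, the log format and the log lines are constructed for the example.

```python
from collections import defaultdict

# Constructed user store (hypothetical account, for the example only).
KNOWN_USERS = {"alice@example.com": "correct horse"}

# One message for every failure, as recommended above.
GENERIC_MESSAGE = "INVALID LOGIN"


def login(email: str, password: str, audit_log: list) -> tuple:
    """Return (ok, message). The message is identical whether the e-mail is
    unknown or the password is wrong; the precise reason goes to the server log."""
    stored = KNOWN_USERS.get(email)
    if stored is None:
        audit_log.append(f"event=login_failed reason=unknown_email email={email}")
        return False, GENERIC_MESSAGE
    if password != stored:
        audit_log.append(f"event=login_failed reason=bad_password email={email}")
        return False, GENERIC_MESSAGE
    audit_log.append(f"event=login_ok email={email}")
    return True, "OK"


# Constructed server-side log lines: one client cycling through six different
# e-mails, and one legitimate user who mistypes a password once.
SAMPLE_LOG = "\n".join(
    [f"2024-02-20T10:00:{i:02d}Z ip=203.0.113.7 event=login_failed "
     f"reason=unknown_email email=user{i}@example.com" for i in range(1, 7)]
    + ["2024-02-20T10:01:00Z ip=198.51.100.9 event=login_failed reason=bad_password email=alice@example.com",
       "2024-02-20T10:01:05Z ip=198.51.100.9 event=login_ok email=alice@example.com"]
)


def parse_line(line: str) -> dict:
    """Turn the key=value fields after the timestamp into a dict."""
    return dict(field.split("=", 1) for field in line.split()[1:])


def flag_enumeration(log_text: str, threshold: int = 5) -> list:
    """Flag client addresses whose failed logins cover at least `threshold`
    distinct e-mails. Returns a sorted list of (ip, distinct_email_count)."""
    emails_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("event") == "login_failed":
            emails_by_ip[rec["ip"]].add(rec["email"])
    return sorted((ip, len(emails)) for ip, emails in emails_by_ip.items()
                  if len(emails) >= threshold)


if __name__ == "__main__":
    audit = []
    print(login("nobody@example.com", "x", audit))
    print(login("alice@example.com", "x", audit))
    print(audit)
    print(flag_enumeration(SAMPLE_LOG))
```

The caller of login() cannot tell the two failure cases apart, which removes the oracle the answer warns about, while the operator still has the detail needed to spot and rate-limit the probing client (203.0.113.7 in the constructed log); the one legitimate user with a single bad password is not flagged.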
2. Review the latest list of top 25 weaknesses (http://cwe.mitre.org/top25/) alongside the previous ranking. Select one weakness that changed ranking in the latest list (either up, down, or new). All references to external sources (even those provided in the assignment or class) must be properly cited where used. Missing citations will result in no grade.
a. [1] Describe the weakness.
Improper input validation is a security weakness. It was ranked 4th in 2022 and is now ranked 6th in 2023 in the CWE Top 25 list. Improper input validation occurs when software doesn't check the information or input it gets from the user safely and correctly; this becomes a security risk or a vulnerability. This means that an attacker can insert malicious code into the software or application, and when it is running or being executed it can harm the software or application.[6][7][8]
b. [1] Discuss how the weakness can be detected.
There are a number of ways to detect improper input validation. Code review for vulnerability detection: people who review code can examine it closely for signs of bad input validation. They look for things like the use of unsafe functions or input that is not filtered properly.
Penetration testing: we can test the software by trying to sneak in harmful code. This helps find problems with how the software handles input validation.[6][7][8]
c. [1] Describe how the weakness can be mitigated.
The weakness can be mitigated by input filtering: the process of input filtering encompasses the elimination or sanitization of malicious characters from user input prior to its processing by the application.
Encoding/escaping: this makes sure that when data goes out from one part of a system to another, it doesn't get misunderstood or cause problems.[9]
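As an added illustration of mitigating CWE-20 (this is example code written for this page, not from CWE or the assignment), the block below validates a reservation-search request field by field against explicit rules: an exact-match allowlist for the destination, an integer range for the guest count, and a real calendar date for check-in. It rejects anything that does not fit instead of trying to clean it up, and collects every failure so the caller can report them together. The allowlist of destinations, the field names and the limits are constructed for the example.

```python
from datetime import date

# Hypothetical allowlist of destinations BST actually serves (constructed).
ALLOWED_DESTINATIONS = {"Miami", "Orlando", "Tampa"}
MAX_FIELD_LEN = 64


def validate_search(params: dict) -> tuple:
    """Validate a reservation-search request and reject, rather than sanitize,
    whatever does not fit. Returns (clean_values, errors); errors is empty on
    success and clean_values holds each field converted to its proper type."""
    clean, errors = {}, []

    # Type and length check first: the cheapest way to refuse oversized input
    # before any parsing happens.
    for name, value in params.items():
        if not isinstance(value, str) or len(value) > MAX_FIELD_LEN:
            errors.append(f"{name}: must be a string of at most {MAX_FIELD_LEN} characters")
            return clean, errors

    # destination: exact match against the allowlist, no partial or
    # case-insensitive matches, so markup or SQL fragments never pass.
    dest = params.get("destination", "")
    if dest in ALLOWED_DESTINATIONS:
        clean["destination"] = dest
    else:
        errors.append("destination: not a known destination")

    # guests: must parse as an integer and fall in a sensible range.
    try:
        guests = int(params.get("guests", ""))
        if 1 <= guests <= 10:
            clean["guests"] = guests
        else:
            errors.append("guests: must be between 1 and 10")
    except ValueError:
        errors.append("guests: must be an integer")

    # checkin: must be a real ISO-8601 calendar date; stored in canonical form.
    try:
        clean["checkin"] = date.fromisoformat(params.get("checkin", "")).isoformat()
    except ValueError:
        errors.append("checkin: must be a date in YYYY-MM-DD form")

    return clean, errors


if __name__ == "__main__":
    print(validate_search({"destination": "Miami", "guests": "2", "checkin": "2024-03-01"}))
    print(validate_search({"destination": "<script>alert(LOGIN SUCCESSFUL)</script>",
                           "guests": "abc", "checkin": "03/01/2024"}))
```

The script payload from question 1 fails the destination check simply because it is not one of the known values; no pattern matching against tags is needed. Downstream code then works only with the typed, validated values in clean_values, never with the raw request.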
d. [1] Why do you think it is/was considered a top vulnerability?
There are two main reasons for this. First, it is a common vulnerability found in many applications, and finding and using such vulnerabilities is quite straightforward for attackers. They can easily take control of a system, steal data, or disrupt an application. Second, many developers lack essential knowledge about software security, which creates openings for attackers to exploit vulnerabilities. There is also a lack of awareness among developers, and sometimes they ignore these security issues.[6]
e. [1] Why do you think it is new/removed/changed places compared to the earlier ranking?
I think there are a few reasons why improper input validation has moved from 4th to 6th place in the list of the 25 most dangerous software weaknesses for 2023. First, more people are learning about the issue and how to deal with it, so developers are getting better at fixing it[6]. Second, we have better tools now to find and stop improper input validation problems. These newer issues might be taking some attention away from improper input validation in the top 25 list. And I believe a lot of developers are aware of this vulnerability since it is a common vulnerability.
REFERENCES
[1] A. Mishra and S. Juneja, "Prevention of Website from Cross Site Scripting," 2023 International Conference on Computational Intelligence, Communication Technology and Networking (CICTN), Ghaziabad, India, 2023, pp. 471-473, doi: 10.1109/CICTN57981.2023.10140659.
[2] Class Presentation PPT
[3] T. Wang, D. Zhao and J. Qi, "Research on Cross-site Scripting Vulnerability of XSS Based on International Student Website," 2022 International Conference on Computer Network, Electronic and Automation (ICCNEA), Xi'an, China, 2022, pp. 154-158, doi: 10.1109/ICCNEA57056.2022.00043.
[4] PMD Nagarjun and Shaik Shakeel Ahamad, "Cross-site Scripting Research: A Review," International Journal of Advanced Computer Science and Applications (IJACSA), vol. 11, no. 4, 2020.
[5] A. Rai, M. M. I. Miraz, D. Das, H. Kaur and Swati, "SQL Injection: Classification and Prevention," 2021 2nd International Conference on Intelligent Engineering and Management (ICIEM), London, United Kingdom, 2021, pp. 367-372, doi: 10.1109/ICIEM51511.2021.9445347.
[6] L. Braz, E. Fregnan, G. Çalikli and A. Bacchelli, "Why Don't Developers Detect Improper Input Validation? '; DROP TABLE Papers; --," 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE), Madrid, ES, 2021, pp. 499-511, doi: 10.1109/ICSE43902.2021.00054.
[7] cwe.mitre.org/top25/
[8] portswigger.net/daily-swig/cwe-top-25-these-are-the-most-dangerous-software-weaknesses-of-2022
[9] https://cwe.mitre.org/data/definitions/20.html