1 Introduction

In 2018 it was reported that the “Coinhive” mining software had been planted in the YouTube video platform [1]. The malicious software hijacked users’ CPUs to mine cryptocurrency, an attack known as “cryptojacking”; it is a well-known kind of network attack. The Global Risks Report 2018, released by the World Economic Forum in Davos on January 23, 2018, showed that global leaders were more worried about the threat of large-scale network attacks than about terrorism [2]. Large-scale network attacks were ranked the third most likely major risk.

It is very important to be prepared for future attacks. To improve the defense skills of network security administrators, we implement a forum with several common web vulnerabilities built in. On the forum, network attacks are simulated and the corresponding defense means are given, so it provides a realistic attack and defense environment for users. It is useful for teaching and learning web application security.

The rest of this paper is organized as follows. In Sect. 2 we discuss related work on network attacks. In Sect. 3 we describe the principles of common web vulnerabilities. The implementation of the forum system is detailed in Sect. 4. The simulation of the attack and defense process is shown in Sect. 5. We give the conclusion in Sect. 6.

2 Related Work

Abroad, the mainstream vulnerability simulation environments are released by open-source organizations, for example WebGoat, DVWA and Metasploitable. The most important one is WebGoat [3], a teaching environment released by OWASP and based on the OWASP Top 10. WebGoat contains common web vulnerabilities such as SQL injection and cross-site scripting. Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is deliberately vulnerable [4]. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to aid teachers and students in teaching and learning web application security in a classroom environment. Metasploitable is an intentionally vulnerable Linux virtual machine [5]. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques.

The main contributions of this paper are as follows:

  • We develop a forum with the common functions, for example registering, logging in, starting new topics and replying to topics.

  • The forum has built-in vulnerabilities that can be enabled or disabled by hand, so that users can understand the harm done by each vulnerability.

  • It can simulate the process of a network attack. Users launch the attack themselves according to the type of vulnerability, and in the process understand network attacks and web vulnerabilities more deeply.

  • It provides defensive measures for each network attack. Users can learn how to defend against various network attacks and how to avoid web vulnerabilities.

3 Common Web Vulnerabilities Principle

Our forum application introduces some common web vulnerabilities: brute force, SQL injection, XSS and file upload vulnerabilities [6,7,8].

Brute force uses exhaustive methods to recover passwords, verification codes and so on. It tries candidate passwords one by one until it finds the real one. Generally, the attacker does not know the scope or format of the password in advance.

SQL injection means that an attacker inserts SQL code into the query string of a URL or into the parameters of a page request [9]. The server is thus deceived into executing the malicious SQL. In other words, if the application has such a vulnerability, the database server does not execute the SQL the developer intended but the SQL the attacker supplied.

XSS, cross-site scripting, is a type of vulnerability in web applications [10,11,12]. It lets attackers inject JavaScript code into vulnerable web pages. When a user opens the URL of a page carrying the malicious code in a web browser, the malicious script is executed.

Most websites and applications have a file upload function. On some websites the upload function does not strictly restrict the suffix and type of the uploaded file, so it can be attacked by uploading malicious files, for example PHP files, to the server. When the server interprets such a PHP file, a Trojan horse, virus, malicious script or WebShell is executed on the server.

The file upload vulnerability is extremely harmful, and a WebShell expands its impact. When a file upload vulnerability can be exploited, attackers usually leave a WebShell behind in order to access the system later.

4 Implementation of Forum System

In order to provide a secure and legitimate website for web attack tests, we implement a forum system. Besides the general forum functions, various vulnerabilities are built in.

4.1 The Functions of Forum System

The forum has the common functions and some web vulnerabilities built in. The forum system is designed with ThinkPHP and the MVC pattern. It has three main functions: “community management”, “user management” and “post management”. Each function is subdivided into sub-functions. The function module diagram of the forum system is shown in Fig. 1.

Fig. 1. The function module diagram of the forum system.

In addition, we have created a database with four tables: “bbs_category”, “bbs_user”, “bbs_closeip” and “bbs_details”. They store the topic categories, the users, the IP addresses and the topics respectively. For example, the details of “bbs_details” are shown in Table 1.

Table 1. The table of bbs_details.

4.2 Reserved Web Vulnerabilities

In the forum, some web vulnerabilities are reserved in order to simulate attacks. The XSS vulnerability is built into the registration module. The module should check the user data posted by the form, but it skips this check. The key code is shown in Table 2.

Table 2. The process of building in XSS vulnerability.

In the login module, the forum does not check or filter the user’s data, so an SQL injection vulnerability is built in. At the same time, the system does not limit the number of login requests a user may make, leaving the potential threat of brute force.

The file upload vulnerability is built into the module for modifying the user’s avatar. In that module a user can upload an avatar file, but neither its size nor its type is limited. Thus a user can upload files which may be malicious. The code is shown in Table 3.

Table 3. The process of building in file upload vulnerability.

In addition, some vulnerabilities are built into the modules for forum community modification, user permission modification, posting new topics, replying to topics, deleting topics and so on.

5 Attack and Defense

On the forum we can simulate web attacks and defenses, which helps web developers better understand the processes and means of securing web applications.

5.1 Simulate Attacks

In the login module, the forum system does not check the form data or filter SQL keywords; the vulnerabilities are built in. To find out whether there is an SQL injection vulnerability, we submit three SQL queries, as follows:

  (1) select * from bbs_user where username='username' and password='password'

  (2) select * from bbs_user where username='username' and password='password' and '1'='1'

  (3) select * from bbs_user where username='username' and password='password' and '1'='2'

Here (1) is a normal login with a valid account, while in (2) and (3) the text ' and '1'='1 or ' and '1'='2 is appended to the password field. If (2) still succeeds exactly like (1) while (3) fails, the appended text was interpreted as SQL rather than as part of the password, so the system has an SQL injection vulnerability. Thus, we can try to log in as an administrator using the following SQL:

  • select * from bbs_user where username='admin' and password='XXX' or '1'

This SQL string is produced by entering XXX' or '1 as the password. Because AND binds tighter than OR, the condition reads (username='admin' and password='XXX') or '1', which is true for every row, so the query succeeds without any password verification and the forum logs the attacker in as the administrator. Then the information of the forum is revealed.

The forum system does not filter JavaScript code in the controller layer and stores the data from the web form into the database directly, so we can simulate an XSS attack. On the register page we input the following string as the username:

[Figure a: the script string entered as the username]

Once registration succeeds, the malicious JavaScript code is executed whenever the username is displayed. It can of course cause more harm: when the following code is written into the database, the information of every user who opens a page carrying the malicious code is sent to the attacker’s website. The code is as follows:

[Figure b: the script that sends user information to the attacker’s website]

To simulate a file upload attack, we use an attack tool to test the vulnerability. In the avatar modification module we upload a malicious PHP file through the website. The malicious file can then modify data or execute shell commands to mount a more serious attack.

5.2 Defense Means

To secure web applications, there are corresponding defense means against each network attack. This paper gives some of them.

To prevent brute force attacks, we can restrict the number of login requests a user may make. We can also increase the difficulty and cost of brute force by encrypting (hashing) the passwords before they are stored, so that the stored value cannot be used directly. An example is shown in Table 4.

Table 4. The example of encrypting.
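As an added example (not the forum’s code and not the content of Table 4), the following Python puts both measures of this paragraph together: a per-username failure counter with a lockout window, and salted PBKDF2 password hashing with a constant-time comparison. The attempt limit, lockout window and iteration count are assumed values, and the clock is injectable so the lockout can be exercised without waiting.

```python
"""Login throttling and salted password hashing against brute force.

Added example; not the forum's code or the content of Table 4. The
attempt limit, lockout window and PBKDF2 parameters are assumed values.
"""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5              # assumed policy: five consecutive failures ...
LOCKOUT_SECONDS = 300         # ... lock the account for five minutes
PBKDF2_ITERATIONS = 100_000   # assumed work factor; raise as hardware allows


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing string: algorithm$iterations$salt$digest.
    A fresh random salt means equal passwords get different digests, so a
    table precomputed for one user is useless against another."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Hash verified for unknown usernames so that a missing account takes as long
# to reject as a wrong password (no username enumeration by timing).
DUMMY_HASH = hash_password("not-a-real-password")


class LoginThrottle:
    """Counts consecutive failures per key (here the username) and refuses
    further attempts once the limit is reached, until the window expires."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}   # key -> (count, time of last failure)

    def is_locked(self, key):
        count, last = self._failures.get(key, (0, 0.0))
        if count < self.max_failures:
            return False
        if self.clock() - last >= self.lockout_seconds:
            del self._failures[key]   # window expired: start counting afresh
            return False
        return True

    def record_failure(self, key):
        count, _ = self._failures.get(key, (0, 0.0))
        self._failures[key] = (count + 1, self.clock())

    def reset(self, key):
        self._failures.pop(key, None)


def attempt_login(users, throttle, username, password):
    """users maps username -> stored hash. Returns 'locked', 'denied' or 'ok'.
    The lock is checked before any hashing, so a locked account costs the
    server nothing and the attacker's guesses are simply not evaluated."""
    if throttle.is_locked(username):
        return "locked"
    stored = users.get(username, DUMMY_HASH)
    if verify_password(password, stored) and username in users:
        throttle.reset(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"


def simulate_attack(max_failures=3, lockout_seconds=60):
    """Three wrong guesses, then the right password while locked, then the
    right password after the window. Returns the sequence of results."""
    now = [0.0]
    throttle = LoginThrottle(max_failures, lockout_seconds, clock=lambda: now[0])
    users = {"alice": hash_password("correct horse battery staple")}   # constructed account
    results = [attempt_login(users, throttle, "alice", "guess%d" % i) for i in range(3)]
    results.append(attempt_login(users, throttle, "alice", "correct horse battery staple"))
    now[0] = lockout_seconds + 1.0
    results.append(attempt_login(users, throttle, "alice", "correct horse battery staple"))
    return results


if __name__ == "__main__":
    print(simulate_attack())
```

The counter is keyed on the username here; keying it on the client IP as well (the forum already keeps a “bbs_closeip” table) is the same mechanism with a different key.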

It is strictly forbidden to connect to the database directly in the controller layer. The database is accessed only through the model layer, which greatly reduces the risk of SQL injection provided that the model layer binds user input as query parameters instead of concatenating it into SQL strings. Filtering the user input from the form is also a common means of prevention.
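The following Python is an added example (not the forum’s ThinkPHP code) covering both the three-query injection test and the administrator bypass of Sect. 5.1 and the parameter-binding rule of this paragraph. It uses an in-memory SQLite table with the bbs_user column names from the paper; the role column and the sample rows are constructed for the demonstration, and the same test is run against a concatenating login and a parameterised one.

```python
"""SQL injection test and bypass from Sect. 5.1, beside a parameterised login.

Added example; not the forum's own ThinkPHP code. It uses an in-memory SQLite
table with the bbs_user column names from the paper; the role column and the
sample rows are constructed for this demonstration.
"""
import sqlite3

# Constructed sample users (the first row is the administrator).
SAMPLE_USERS = [
    ("admin", "S3cret!", "admin"),
    ("alice", "alicepw", "user"),
]


def make_db():
    """Create bbs_user in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table bbs_user(username text, password text, role text)")
    conn.executemany("insert into bbs_user values (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_sql(username, password):
    """Build the login query by string concatenation, as the forum's unfiltered
    login module does. The user's input becomes part of the SQL text."""
    return ("select username, role from bbs_user where username='%s' and password='%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    """Run the concatenated query; returns the first matching row or None."""
    return conn.execute(vulnerable_sql(username, password)).fetchone()


def login_safe(conn, username, password):
    """Bind the inputs as parameters: whatever they contain is compared as a
    value and never parsed as SQL. This is the property the model-layer rule
    in Sect. 5.2 relies on."""
    sql = "select username, role from bbs_user where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchone()


def is_injectable(login, conn, username, password):
    """The three-query test of Sect. 5.1 with a valid account: (1) the plain
    login, (2) the password with ' and '1'='1 appended, (3) the password with
    ' and '1'='2 appended. If (2) succeeds exactly like (1) while (3) fails,
    the appended text was executed as SQL."""
    plain = login(conn, username, password)
    tautology = login(conn, username, password + "' and '1'='1")
    contradiction = login(conn, username, password + "' and '1'='2")
    return plain is not None and tautology == plain and contradiction is None


def admin_bypass(login, conn):
    """The paper's bypass: password XXX' or '1 yields the clause
    username='admin' and password='XXX' or '1'. AND binds tighter than OR,
    so the condition is true for every row and no password is checked."""
    return login(conn, "admin", "XXX' or '1")


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_sql("admin", "XXX' or '1"))
    print("concatenated login injectable:", is_injectable(login_vulnerable, db, "alice", "alicepw"))
    print("parameterised login injectable:", is_injectable(login_safe, db, "alice", "alicepw"))
    print("bypass against concatenated login:", admin_bypass(login_vulnerable, db))
    print("bypass against parameterised login:", admin_bypass(login_safe, db))
```

Note that the bypass returns every row of bbs_user; the attacker is logged in as whichever row comes first, which here is the administrator. A model layer that still builds SQL by concatenation gives none of this protection, so the check to make on the forum is how the model layer constructs its queries, not merely which layer issues them.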

Checking user input is the most effective and practical means of defending against XSS attacks. An example is shown in Table 5. In addition, limiting the length and type of each field in the database defends against many malicious inputs, although a length limit alone does not stop a short script payload, so stored values should also be encoded when they are written into a page.

Table 5. The example of XSS attack.
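The following Python is an added example (not the forum’s code and not the content of Table 5) for the stored XSS of Sect. 5.1 and the input check of this paragraph. The two payload strings are constructed for the demonstration (the paper’s own payloads are in figures a and b) and the username policy is an assumption. It also shows why a blocklist that only removes script tags is insufficient and why the page must escape stored values on output.

```python
"""Stored XSS through the registration form, and the input check plus
output encoding that stop it.

Added example; not the forum's code or the content of Table 5. The username
policy is assumed and the payload strings are constructed for this
demonstration (the paper's own payloads are in figures a and b).
"""
import html
import re

# Constructed payloads of the kind entered as a username in Sect. 5.1.
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
# Same effect without a <script> tag: an event handler on an image.
HANDLER_PAYLOAD = '<img src=x onerror="alert(document.cookie)">'

# Assumed policy: letters, digits and underscore, 3 to 20 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")


def validate_username(username):
    """Input check at registration (controller layer): an allowlist of
    characters plus a length bound. A length limit on its own, as a database
    column type gives, does not help: both payloads above fit in 50 chars."""
    return USERNAME_RE.fullmatch(username) is not None


def render_post_vulnerable(username, body):
    """What the forum does: values go from the form into the database unchanged
    and from the database into the page unchanged."""
    return "<div class=\"post\"><b>%s</b>: %s</div>" % (username, body)


def strip_script_tags(text):
    """A blocklist filter for script tags, shown only to demonstrate why it is
    insufficient: the onerror payload passes through untouched."""
    return re.sub(r"(?is)<\s*script[^>]*>.*?<\s*/\s*script\s*>", "", text)


def render_post_safe(username, body):
    """Output encoding: every stored value is HTML-escaped at the point where
    it is written into markup, so '<' can never open a tag."""
    return "<div class=\"post\"><b>%s</b>: %s</div>" % (
        html.escape(username, quote=True), html.escape(body, quote=True))


def has_active_markup(page):
    """Crude detector for the demonstration: a script tag or an on*= event
    handler attribute inside a tag means the browser would run code."""
    return re.search(r"(?is)<\s*script|<\s*\w+[^>]*\bon\w+\s*=", page) is not None


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, HANDLER_PAYLOAD):
        print("accepted as username:", validate_username(payload))
        print("unfiltered page runs code:", has_active_markup(render_post_vulnerable(payload, "hi")))
        print("after strip_script_tags:  ", has_active_markup(render_post_vulnerable(strip_script_tags(payload), "hi")))
        print("after output encoding:    ", has_active_markup(render_post_safe(payload, "hi")))
```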

Defending against file upload attacks means strictly prohibiting all suspicious files from being uploaded to the server. In the forum system, code is added to check the size and type of uploaded files. The details are shown in Table 6.

Table 6. Filtering JavaScript code.
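The following Python is an added example (not the forum’s code and not the content of Table 6) of the size and type check for the avatar upload of Sect. 5.1. The size limit and the set of allowed image formats are assumed values, and the sample file contents are constructed. It checks the last extension against an allowlist, checks the first bytes of the file against that format’s signature, and stores the file under a random server-chosen name.

```python
"""Avatar upload check: size, extension allowlist, content signature and a
server-chosen file name.

Added example; not the forum's code or the content of Table 6. The size limit
and the set of allowed image types are assumed values; the sample file
contents are constructed for the demonstration.
"""
import os
import secrets

MAX_AVATAR_BYTES = 512 * 1024   # assumed limit

# Allowed extensions and the leading bytes (magic numbers) each format starts with.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Constructed samples: a PNG header followed by filler (not a valid image, but
# enough for the signature check) and a PHP file of the kind Sect. 5.1 uploads.
PNG_SAMPLE = IMAGE_SIGNATURES["png"] + b"\x00" * 64
PHP_SAMPLE = b"<?php phpinfo(); ?>\n"


def check_avatar(filename, data):
    """Return (accepted, reason, extension). Every check is on what was
    actually received, never on the Content-Type the client claimed."""
    if not data:
        return False, "empty file", None
    if len(data) > MAX_AVATAR_BYTES:
        return False, "file too large", None
    base = os.path.basename(filename.replace("\\", "/"))   # drop directories
    if "." not in base:
        return False, "no extension", None
    ext = base.rsplit(".", 1)[1].lower()   # only the LAST extension counts
    if ext not in IMAGE_SIGNATURES:
        return False, "extension not allowed", None
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return False, "content does not match extension", None
    return True, "ok", ext


def stored_name(ext):
    """The client's file name never reaches the disk: a random name with the
    validated extension defeats tricks such as shell.php.png or null bytes."""
    return "%s.%s" % (secrets.token_hex(16), ext)


def save_avatar(upload_dir, filename, data):
    """Validate, then write under a server-chosen name. upload_dir should be
    outside the web root or configured so the web server never executes files
    in it: a real PNG with PHP code appended still passes the signature check,
    and only the server configuration stops such a file from being run."""
    accepted, reason, ext = check_avatar(filename, data)
    if not accepted:
        raise ValueError("upload rejected: " + reason)
    name = stored_name(ext)
    with open(os.path.join(upload_dir, name), "wb") as fh:
        fh.write(data)
    return name


if __name__ == "__main__":
    import tempfile
    for fname, data in [("me.png", PNG_SAMPLE), ("shell.php", PHP_SAMPLE),
                        ("shell.php.png", PHP_SAMPLE), ("shell.png.php", PNG_SAMPLE),
                        ("../../shell.png", PNG_SAMPLE)]:
        print(fname, "->", check_avatar(fname, data))
    print("saved as", save_avatar(tempfile.mkdtemp(), "me.png", PNG_SAMPLE))
```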

6 Conclusion

In this paper we implement a forum with some web vulnerabilities built in, which can help users learn web application security. It can be provided to network administrators to learn how to defend against web attacks, and at the same time it gives advice to web application developers on avoiding web vulnerabilities. It presents defensive measures for the brute force, SQL injection, XSS and file upload vulnerabilities, but that is not enough. We will pay attention to other network vulnerabilities in future work.