Security Against Network Attacks on Web Application System

. With the development of Internet, web applications are more and more. Network attacks have become increasingly serious problem. How to make network security administrators quickly discover vulnerabilities and protect networks against attacks has become an important part of network security protection. In this paper, it introduces the principle of web vulnerabilities and implements a forum system built in some web vulnerabilities. Then it simulates the process of web attacks according to various types of vulnerabilities and gives the defensive means separately. This system can be used to conduct security training, test security tools, and practice common penetration testing techniques for network administrators and web developers.


Introduction
It was reported that "Coinhive" mining software intruded into Youtube video platform in 2018 [1]. The malicious software tried to hijack the users' CPU and excavated the encrypted currency, which is called "cryptojacking". It is a famous network attack. The 2018 global risk report released by the Davos world economic forum, showed that global leaders were worried that the threat of large-scale network attacks ware more than terrorism in January 23, 2018 [2]. The large-scale network attacks have been the third of the most likely major risks.
It is very important to be prepared for future attacks. In order to improve the network security administrators' defense skills, we implement a forum built in some common web vulnerabilities. On the forum, network attacks are simulated, and given defense means. Thus, it can provide a real attack and defense environment for users. It is very useful to users teach or learn web application security.
The rest of this paper is organized as follows. In Sect. 2, we discuss the related work in network attack. In Sect. 3 we describe common web vulnerabilities principle. Implementation of forum system is detailed in Sect. 4. Simulation of attack and defense process is shown in Sect. 5. We give the conclusion in Sect. 6.

Related Work
In foreign countries, the mainstream of vulnerability simulation environment is released by open source agencies. For example, Webgoat, dvwa, Metasploitable and so on. The most important one is Webgoat [3], which is a teaching environment released by OWASP based on OWASP TOP 10. Webgoat has common web vulnerabilities, such as SQL injection and cross site scripting. Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable [4]. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment. Metasploitable is an Linux virtual machine [5]. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques.
The main contributions of this paper are as follows: • We develop a forum which has common functions, for example, registering, logging in, starting new topics, replying topics and so on.

Common Web Vulnerabilities Principle
In our forum application, it introduces some common web vulnerabilities, for example, brute force vulnerability, SQL injection vulnerability, XSS vulnerability, file upload vulnerability [6][7][8].
Brue force uses exhaustive methods to decipher passwords, verification codes, etc. It can calculate the password one by one until it finds the real one. Generally, it doesn't know the scope and specification of the password.
SQL injection means that it can insert some SQL codes into query strings of domain name or page request [9]. Thus, the server is deceived to execute malicious SQL codes. In another words, SQL injection makes the database server doesn't execute the correct SQL codes, but to execute the malicious codes if it has some vulnerabilities.
XSS is known as a cross station script attack, which is a type of vulnerability on web application [10][11][12]. It makes attackers inject JavaScript codes into some web pages which have some vulnerabilities. Then the users open the URL whose pages have malicious codes on the web browser, and the malicious script is executed.
Most websites and applications have file upload function. File upload function doesn't restrict the uploaded file suffix and file type on some websites strictly, which can be attacked by uploading various malicious files into Server, for example, PHP files. When PHP files are interpreted, Trojan horse, virus, malicious script, or WebShell will be executed on the server.
File upload vulnerability is a huge harmful one, WebShell has expanded the impact of harm. Most file upload vulnerabilities can be attacked, attackers will leave WebShell in order to access to the system later.

Implementation of Forum System
In order to provide a secure and legitimate website for web attack tests, we implement a forum system. Except general forum functions, it is also built in various vulnerabilities.

The Functions of Forum System
The forum has some common functions and been built in some web vulnerabilities. The forum system is designed by thinkPHP and MVC. It has three main function, "community management", "users management" and "post management". Each function is subdivided into sub functions. The function module diagram of the forum system is shown in Fig. 1.
In addition to, we have created a database with four tables. They are "bbs_category", "bbs_user", "bbs_closeip" and "bbs_details". The information of topic category, users, IP and topics is stored in them separately. For example, the details of "bbs_details" are shown in Table 1.

Reserved Web Vulnerabilities
In the forum, it is reserved some web vulnerabilities, in order to simulate the attack. XSS vulnerability is built in registration module. In the module, it should check the users' data posted by form, but it ignores the process. The key codes are shown in Table 2.   In login module, the forum doesn't check and filter user's data. It is built in SQL injection vulnerability. At the same time, the system doesn't limit the times of login requests by users, leaving a potential threat of brute force.
For file upload vulnerability, the forum is built in the module of modifying user's avatar. In the module, user can upload an avatar file, but it doesn't be limited the size and type. Thus, user upload the files which may be malicious ones. The codes are shown in Table 3.
In addition to, some vulnerabilities are built in the module of forum community modification, user permission modification and posting new topic, replying topic, deleting topic and so on.

Attack and Defense
On the forum, we can simulate web attack and defense which help web developers better understand the processes and means of securing web applications.

Simulate Attacks
In login module, the forum system doesn't check the data of form and filter the key SQL codes. It is built in vulnerabilities. To know if there is a SQL vulnerability, we write three SQL codes, as follows: (1) select * from bbs_user where username='username' and password= 'password' (2) select * from bbs_user where username='username' and password='password' and '1'='1' (3) select * from bbs_user where username='username' and password='password' and '1'='2'  (1) and (3) are executed abnormally, and (2) is executed normally, the system has SQL vulnerability. Thus, we can try to log in as an administrator using the following SQL code: select * from bbs_user where username='admin' and password='XXX' or '1' The SQL string implements to log in the forum as an administrator without password verification. Then, the information of the forum will be revealed.
In forum system, it doesn't filter "JavaScript" codes in controller layer and put the data from web form into database directly. Thus, we simulate XSS attack. On register page, we input the following string as username: Once it is registered successfully, the malicious JavaScript code will be executed. Of course, it will cause more harm. When the followed codes are written into database, the users' information will be transferred to hacker website who open the pages built in malicious codes. The codes are as follows: To simulate file upload attack, we use hacker software to test the vulnerability. In the module of avatar modification, we upload malicious php file from the website. Then the malicious file can modify the data or execute shell script to make more serious attack.

Defense Means
To secure web applications, there will be relative defense means against network attack. In this paper, it will give some means.
In order to prevent brute force attacks, we can take restrictions on the times of requests from users. It can also increase the difficulty and cost of brute force by encrypting passwords again. The example of encrypting is shown in Table 4. It is strictly forbidden to connect directly to the database in the controller layer. The database can be accessed through the model layer, which greatly reduces the risk of SQL injection attack. Filtering user input data on form is also a common means to prevent it.
Checking user input data is the most effective and practical means to defense XSS attack. The example is shown in Table 5. In addition to, the field is limited by length and type in database which can defense many malicious attacks.
Defensing file upload attack can be implemented by prohibiting all suspicious files uploaded to the server strictly. In forum system, it adds some codes to check the size and type of files. The details are shown in Table 6.

Conclusion
In this paper, it implements a forum built in some web vulnerabilities which can aid users to learn web application security. It can be provided to network administrators to learn how to defense web attacks. At the same time, it can give some advice to web application developers who can avoid web vulnerabilities. It presents defensive measure of brute force vulnerability, SQL injection vulnerability, XSS vulnerability and file upload vulnerability, but that's not enough. We will pay more attention to other network vulnerabilities later.