This report examines the security threats that web applications face today. It focuses on data tampering, also called data manipulation, in web applications: what the threat is, how it works, the forms it takes, the level of risk it carries, and the measures available to prevent and counter it.
Tampering is one of the most serious security threats faced by web applications. It consists of changing or editing the files and data held by a web application, and such applications are relied on by businesses of every size, including multinational corporations. Tampering has its roots in the late 1980s, as a way of sabotaging data or planting a malicious program that deleted it, and it has developed steadily since then. By the year 2000 attackers were fabricating and falsifying data in order to deceive the users of web applications. Since then tampering has only become easier, because every year brings new, easy-to-use tools and programs that simplify data manipulation in computer systems. Tampering carries risks for both the attacker and the victim. It is a computer crime, and an attacker caught tampering with a government or corporate system faces large fines or a long prison sentence; the risks to the users and operators of the application are discussed later in this report. The various ways of performing data tampering, and the countermeasures that prevent it, are explained in the Background study.
TYPE OF THREAT: TAMPERING
Tampering means changing or deleting a resource without authorization. A web application is an application that is accessed through a web browser over the Internet. Data tampering in a web application is therefore any way in which an attacker or malicious user gets into a web site and changes, deletes or gains unauthorized access to its files and data. An attacker can also tamper indirectly through a script exploit: the script is disguised as ordinary user input to a page, or as a web link, so that the application ends up executing it.
Data tampering, or data manipulation, is usually carried out through one of the following channels: cookies, HTML form fields, URL query strings, HTTP headers and password cracking.
COOKIE TAMPERING
Cookies are a mechanism for storing user details, preferences and other data, including session tokens, in the browser. Whether a cookie is persistent or non-persistent (a session cookie), and whether or not it carries the Secure flag, it is held on the client and sent back to the server with each HTTP request, so the user can edit its contents before they are sent. An attacker who finds authorization data in a cookie (a user id, a role, a price) can simply change it to gain access to files or functions that are not theirs. The Secure and HttpOnly flags protect a cookie in transit and from scripts; they do not protect it from the user who holds it. Only a check on the server, or a signature that the server verifies, makes the content of a cookie trustworthy.
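The following Python example is added to this report to illustrate the point above; it is not code from the cited sources. It assumes a hypothetical application that issues a cookie of the form uid=...;role=... and holds a server-side secret key, and it contrasts a handler that reads the role straight out of the cookie with one that first verifies an HMAC tag the server appended when the cookie was issued.

```python
# Added example: a role claim carried in a cookie, read naively versus
# verified with an HMAC before it is trusted.  Cookie layout and secret key
# are hypothetical.
import hashlib
import hmac
from typing import Optional

# Hypothetical server-side secret; in practice load it from configuration and
# never send it to the client.
SERVER_KEY = b"example-server-key-do-not-reuse"


def parse_cookie(cookie: str) -> dict:
    """Split 'k=v;k2=v2' into a dict (constructed cookie layout)."""
    fields = {}
    for part in cookie.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def insecure_role(cookie: str) -> str:
    """Trust whatever role the client sent, as a naive application would."""
    return parse_cookie(cookie).get("role", "anonymous")


def sign_cookie(body: str, key: bytes = SERVER_KEY) -> str:
    """Server issues body.tag, where tag = HMAC-SHA256(key, body)."""
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the body if the tag matches, None if it was altered or forged."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so timing differences cannot help
    # an attacker guess a valid tag byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    return body


def secure_role(cookie: str) -> str:
    """Only use the role if the server's own signature checks out."""
    body = verify_cookie(cookie)
    return insecure_role(body) if body is not None else "anonymous"


def demo() -> dict:
    """Constructed scenario: a normal user edits role=user to role=admin."""
    issued = "uid=1042;role=user"
    tampered = issued.replace("role=user", "role=admin")
    signed = sign_cookie(issued)
    # The tag still covers the old body, so the edit is detected.
    signed_tampered = signed.replace("role=user", "role=admin")
    return {
        "insecure_original": insecure_role(issued),
        "insecure_tampered": insecure_role(tampered),
        "secure_original": secure_role(signed),
        "secure_tampered": secure_role(signed_tampered),
    }


if __name__ == "__main__":
    for name, role in demo().items():
        print(f"{name}: {role}")
```

Signing detects modification but does not hide the content and does not stop a captured cookie from being reused; the safer design keeps the role on the server and puts only an opaque session identifier in the cookie.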
HTML FORM FIELDS TAMPERING
When a user makes selections or changes on an HTML page, those selections are stored as form field values and delivered to the application in an HTTP request. Values that the page needs to carry from one request to the next are often stored in hidden fields, which are not displayed on the user's screen but are submitted as parameters along with the visible ones. Whether a field is hidden, pre-selected (a drop-down or radio button) or free-form, it lives in the client's copy of the page, so an attacker can edit it and submit whatever value he or she chooses.
URL QUERY STRINGS TAMPERING
URL tampering carries all the problems of hidden form fields. An HTML form submits its results by one of two methods, POST or GET. GET is commonly used, and with GET every form element name and value appears in the query string of the next URL, where the user, and hence the attacker, can read it. Attackers find query strings even easier to tamper with than hidden form fields: the values are visible in the browser's address bar and can be edited there directly.
For example, a web page lets an authenticated user select one of his or her own accounts from a drop-down box and debit it by a fixed unit amount; the choice is recorded by pressing the submit button. The page stores the entries as form field values and submits them with a form submit command, which sends the following HTTP request: http://www.victim.com/example?accountnumber=12345&debitamount=1. All the attacker has to do is construct a request with a different account number and different parameters, for instance: http://www.victim.com/example?accountnumber=67891&creditamount=999999999. (Curphey M, Smith T et al. (The Open Web Application Security Project), 2002) The attack succeeds only if the server acts on the submitted values without checking that the account belongs to the logged-in user and that the parameters are the ones the form actually offered.
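The following Python example is added to this report to show the server side of the account example above, and it covers hidden form fields as well as query strings, since both deliver client-controlled parameters that the server must not trust. It is not code from OWASP or from the cited sources; the account table, the session user and the handler names are constructed for the example.

```python
# Added example: server-side handling of the account-debit request shown
# above, first trusting every parameter and then authorising and validating.
# The account table and session user are constructed stand-ins for a
# database and an authenticated session.
from urllib.parse import parse_qs, urlsplit

FIXED_DEBIT = 1  # the page in the example only ever debits one unit


def make_accounts() -> dict:
    """Constructed account records: number -> owner and balance."""
    return {
        "12345": {"owner": "alice", "balance": 100},
        "67891": {"owner": "bob", "balance": 100},
    }


def params_of(url: str) -> dict:
    """Query string -> {name: first value}, as a framework would expose it.
    A POSTed form body would be parsed the same way."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def insecure_handle(url: str, session_user: str, accounts: dict) -> str:
    """Honours whatever the client sent, including a parameter the form never
    offered (creditamount) and an account that is not the user's."""
    p = params_of(url)
    record = accounts[p["accountnumber"]]
    if "creditamount" in p:
        record["balance"] += int(p["creditamount"])
    else:
        record["balance"] -= int(p["debitamount"])
    return "ok"


def secure_handle(url: str, session_user: str, accounts: dict) -> str:
    """Checks every client-supplied value against server-side state."""
    p = params_of(url)
    # 1. Accept only the parameters this endpoint defines; an unexpected
    #    'creditamount' is rejected instead of silently honoured.
    if set(p) != {"accountnumber", "debitamount"}:
        return "rejected: unexpected parameters"
    # 2. Ownership comes from the server's records and the authenticated
    #    session, never from the request.
    record = accounts.get(p["accountnumber"])
    if record is None or record["owner"] != session_user:
        return "rejected: not your account"
    # 3. The amount is fixed by the application, so any other value means the
    #    hidden field or query string was edited.
    if p["debitamount"] != str(FIXED_DEBIT):
        return "rejected: invalid amount"
    if record["balance"] < FIXED_DEBIT:
        return "rejected: insufficient funds"
    record["balance"] -= FIXED_DEBIT
    return "ok"


if __name__ == "__main__":
    legit = "http://www.victim.com/example?accountnumber=12345&debitamount=1"
    forged = "http://www.victim.com/example?accountnumber=67891&creditamount=999999999"
    accts = make_accounts()
    print(insecure_handle(forged, "alice", accts), accts["67891"]["balance"])
    accts = make_accounts()
    print(secure_handle(legit, "alice", accts), accts["12345"]["balance"])
    print(secure_handle(forged, "alice", accts))
```

The three checks in the hardened handler are the general rule for any client-supplied parameter: accept only what the endpoint defines, derive identity and ownership from server-side state, and validate the value against what the application itself allows.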
PASSWORD CRACKING TAMPERING
A password cracker is a program that helps an attacker discover an unknown password for a computer or network resource in order to gain unauthorized access to it. The attacker tries to obtain valid credentials from the authentication system by making large numbers of repeated authentication attempts with different passwords; the same searches are also run offline against a stolen list of password hashes, where no login attempt is needed at all. Password crackers use two primary search methods, brute force and dictionary search. In a brute-force search the program runs through every combination of characters up to a predetermined length until it finds the one the system accepts. In a dictionary search it tries each word in a wordlist in turn.
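The following Python example is added to this report to show the shape of the two searches described above; it is not code from the cited sources. The target hashes and the wordlist are constructed for the example, and plain SHA-256 is used only because it runs offline with the standard library; a real cracker uses optimised tools, and a real system should not be storing plain fast hashes at all.

```python
# Added example: the two search strategies described above, run against
# constructed SHA-256 password hashes.  A real cracker uses optimised tools;
# this only shows the shape of each search and the size of the keyspace.
import hashlib
import itertools
import string
from typing import Iterable, Optional


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed targets: what an attacker would hold after stealing a hash list
# (or, for online guessing, the server-side check they are trying to satisfy).
TARGETS = {
    "alice": sha256_hex("letmein"),        # weak: in every wordlist
    "bob": sha256_hex("ab1"),              # weak: three characters
    "carol": sha256_hex("T7q#mZ9vLw2R"),   # twelve mixed characters
}

# Constructed wordlist standing in for a real dictionary file.
WORDLIST = ["password", "123456", "qwerty", "letmein", "welcome"]


def dictionary_attack(target: str, wordlist: Iterable[str]) -> Optional[str]:
    """One hash per candidate word; cost is the size of the wordlist."""
    for word in wordlist:
        if sha256_hex(word) == target:
            return word
    return None


def brute_force(target: str, alphabet: str, max_len: int) -> Optional[str]:
    """Exhaustive search over every string up to max_len from alphabet."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if sha256_hex(candidate) == target:
                return candidate
    return None


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidates an exhaustive search must cover in the worst case."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


LOWER_DIGITS = string.ascii_lowercase + string.digits                   # 36 symbols
PRINTABLE = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


if __name__ == "__main__":
    print("alice:", dictionary_attack(TARGETS["alice"], WORDLIST))
    print("bob:", brute_force(TARGETS["bob"], LOWER_DIGITS, 3))
    # carol's password is neither in the list nor reachable by a short search
    print("carol:", dictionary_attack(TARGETS["carol"], WORDLIST),
          brute_force(TARGETS["carol"], LOWER_DIGITS, 3))
    print("candidates for up to 3 chars of [a-z0-9]:", keyspace(36, 3))
    print("candidates for up to 12 printable chars:", keyspace(94, 12))
```

The keyspace figures make the defensive point: a twelve-character password drawn from the printable set is out of reach of exhaustive search, while any password that appears in a wordlist falls in a handful of hashes regardless of length. On the server side the same searches are slowed down by a deliberately slow, salted hash (bcrypt, scrypt or PBKDF2) and, for online guessing, by the lockout measures described later in this report.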
HTTP HEADER TAMPERING
HTTP headers are exchanged between the browser and the web server software, and most web applications never examine them directly. Some developers do inspect incoming headers (for example Referer, Host or X-Forwarded-For), and it is important to remember that request headers originate on the client side and can be set to any value by an attacker. A normal browser does not let the user edit headers, so the attacker either writes a program that issues the HTTP request directly or uses one of the freely available intercepting proxies, which allow any part of the request sent to the web application to be modified.
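The following Python example is added to this report to show both sides of header tampering; it is not code from the cited sources. It builds a raw request the way an attacker's own program would, then contrasts an application that restricts an admin page to an internal network by reading X-Forwarded-For with one that relies on the TCP peer address. The network ranges, the proxy address and the requests are constructed for the example, and the hardened version assumes a single reverse proxy that appends the address it saw to the end of the header.

```python
# Added example: an application that restricts an admin page to an internal
# network, deciding first from the X-Forwarded-For header and then from the
# TCP peer address.  Network ranges, proxy address and requests are
# constructed for the example.
import ipaddress
from typing import Dict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# The only host allowed to set X-Forwarded-For: our own reverse proxy.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def build_request(path: str, headers: Dict[str, str]) -> bytes:
    """Assemble a raw HTTP/1.1 request.  This is all 'writing his own
    program' amounts to: every header is just a line the client chooses."""
    lines = [f"GET {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Header names are case-insensitive, so normalise them to lower case."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def insecure_is_internal(raw: bytes, peer_ip: str) -> bool:
    """Believes X-Forwarded-For from anyone, so any client can claim an
    internal address simply by adding the header."""
    headers = parse_headers(raw)
    claimed = headers.get("x-forwarded-for", peer_ip).split(",")[0].strip()
    try:
        return ipaddress.ip_address(claimed) in INTERNAL_NET
    except ValueError:
        return False


def secure_is_internal(raw: bytes, peer_ip: str) -> bool:
    """Uses the address the TCP connection actually came from.  Only when that
    peer is our own proxy is the header consulted, and then only the entry the
    proxy appended (assumed here to be the last one)."""
    peer = ipaddress.ip_address(peer_ip)
    headers = parse_headers(raw)
    if peer in TRUSTED_PROXIES and "x-forwarded-for" in headers:
        client = headers["x-forwarded-for"].split(",")[-1].strip()
        try:
            return ipaddress.ip_address(client) in INTERNAL_NET
        except ValueError:
            return False
    return peer in INTERNAL_NET


if __name__ == "__main__":
    # Constructed attacker request: external peer, forged header.
    forged = build_request("/admin", {"Host": "www.victim.com",
                                      "X-Forwarded-For": "10.0.0.1"})
    print("insecure:", insecure_is_internal(forged, "203.0.113.7"))  # True
    print("secure:  ", secure_is_internal(forged, "203.0.113.7"))    # False
```

The same rule applies to any header an application reads: Referer, Host, Cookie and custom headers all arrive from the client, so they may be used as hints but never as the sole basis for an authorization decision.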
AMOUNT OF RISKS INVOLVED
- An attacker can eavesdrop on important conversations.
- The browser cache may contain the contents of private messages.
- Inadequate data validation may allow SQL injection: the attacker inserts SQL syntax into strings that are later passed to the database server for parsing and execution, so the database runs the attacker's statements rather than the ones the application intended.
- Attackers may be able to read, change or alter other users' messages.
- Authorization may fail, allowing unauthorized access and the deletion of important files.
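The following Python example is added to this report to illustrate the SQL injection risk listed above; it is not code from the cited sources. It uses an in-memory SQLite database with a constructed message table so that it runs offline, and shows a read and an update built by string concatenation beside the same operations written with bound parameters. The second pair shows that injection is a tampering risk, not only a disclosure risk: the attacker rewrites another user's message by removing the ownership check from the WHERE clause.

```python
# Added example: a message store queried with string concatenation and then
# with bound parameters.  The table and rows are constructed for the example;
# sqlite3 is used so it runs offline, but the point applies to any SQL server.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO messages (owner, body) VALUES (?, ?)",
        [("alice", "alice private note"), ("bob", "bob private note")],
    )
    conn.commit()
    return conn


def insecure_read(conn: sqlite3.Connection, owner: str) -> list:
    """The owner value becomes part of the SQL text, so it can change the
    WHERE clause: owner = "x' OR '1'='1" returns everyone's messages."""
    sql = f"SELECT body FROM messages WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def secure_read(conn: sqlite3.Connection, owner: str) -> list:
    """A bound parameter is always data, never SQL syntax."""
    sql = "SELECT body FROM messages WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def insecure_update(conn: sqlite3.Connection, msg_id: str, owner: str, new_body: str) -> int:
    """Tampering, not just disclosure: msg_id = "2 OR 1=1 --" comments out
    the ownership check and rewrites every row.  Returns rows changed."""
    sql = (f"UPDATE messages SET body = '{new_body}' "
           f"WHERE id = {msg_id} AND owner = '{owner}'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def secure_update(conn: sqlite3.Connection, msg_id: str, owner: str, new_body: str) -> int:
    """Validate the type, then bind; the ownership check cannot be removed."""
    try:
        msg_id_int = int(msg_id)
    except ValueError:
        return 0
    cur = conn.execute(
        "UPDATE messages SET body = ? WHERE id = ? AND owner = ?",
        (new_body, msg_id_int, owner),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    conn = make_db()
    print(insecure_read(conn, "x' OR '1'='1"))          # both users' notes
    print(secure_read(conn, "x' OR '1'='1"))            # []
    print(insecure_update(conn, "2 OR 1=1 --", "alice", "defaced"))  # 2 rows
    print(secure_update(make_db(), "2 OR 1=1 --", "alice", "defaced"))  # 0 rows
```

Bound parameters are the fix; escaping quotes by hand is fragile and does nothing for the numeric id case shown here, where no quotes are involved at all. Validating the type of each input before binding it adds a second line of defence and gives clearer errors.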
Data tampering is often carried out for business motives: rival companies attack each other to obtain confidential information, such as sales files or the designs of prototype products, for their own benefit. In the worst case the victim's archive of important files, on which its day-to-day operations depend, is deleted and the company is unable to keep trading.
PREVENTION AND COUNTER-MEASURES
A primary defense against data tampering is to use a firewall and the operating system's access controls (Windows security on a Windows host) to lock down important files, directories and other resources. The web application should also run with the minimum privileges it needs, so that a compromised application cannot modify what it has no reason to touch. Guard against script exploits by trusting no information that comes from a user, or even from a database, and by taking appropriate steps when handling information from untrusted sources to make sure it contains no malicious executable code; for data that will be rendered in a page, that means encoding it for HTML before it is output.
Countermeasures against data tampering include: hashing and signing data (a plain hash stored beside the data can simply be recomputed by whoever alters it, so the hash must be keyed, as an HMAC, or signed), using digital signatures, using strong authorization, using tamper-resistant protocols across communication links, using secure communication links with protocols that provide message integrity, using strong firewalls, requiring long passwords made up of alphanumeric characters, and blocking an IP address for a period of time after repeated failed login attempts from it.
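The following Python example is added to this report to show the last countermeasure listed above, temporary blocking of an address after repeated failed logins; it is not code from the cited sources. The thresholds, the credential store and the clock are constructed for the example, and the clock is injected so the block period can be exercised without waiting.

```python
# Added example: temporary blocking of an address after repeated failed
# logins.  Thresholds, the credential store and the clock are constructed for
# the example.
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict

MAX_FAILURES = 5        # failures allowed inside the window
WINDOW_SECONDS = 300    # failures older than this are forgotten
BLOCK_SECONDS = 900     # how long an address stays blocked


class LoginThrottle:
    """Per-address failure counter with a sliding window and a block period."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked_until: Dict[str, float] = {}

    def is_blocked(self, ip: str) -> bool:
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:          # block has expired
            del self.blocked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str) -> None:
        now = self.clock()
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.blocked_until[ip] = now + BLOCK_SECONDS

    def record_success(self, ip: str) -> None:
        self.failures.pop(ip, None)


# Constructed credential store; a real one holds salted, slow hashes.
USERS = {"alice": "correct horse battery staple"}


def check_password(username: str, password: str) -> bool:
    return USERS.get(username) == password


def attempt_login(throttle: LoginThrottle, ip: str, username: str, password: str) -> str:
    """Returns 'blocked', 'denied' or 'ok'.  A blocked address is refused
    before the password is checked, so the attacker learns nothing and the
    server spends no time hashing on its behalf."""
    if throttle.is_blocked(ip):
        return "blocked"
    if check_password(username, password):
        throttle.record_success(ip)
        return "ok"
    throttle.record_failure(ip)
    return "denied"


class FakeClock:
    """Deterministic clock so the block period can be tested without waiting."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    for i in range(6):
        print(attempt_login(throttle, "203.0.113.7", "alice", f"guess{i}"))
    clock.now = 901.0
    print(attempt_login(throttle, "203.0.113.7", "alice", "correct horse battery staple"))
```

Blocking by address alone has two limits a practitioner should keep in mind: an attacker can spread attempts across many addresses, and legitimate users behind one shared address (a NAT gateway or corporate proxy) are locked out together. It is therefore combined with a per-account counter, a slow password hash and the long-password rule above rather than used on its own.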
Access controls on persistent stores should also be used, so that only authorized users can read and modify the data, together with role-based security that defines which users may view data and which may modify it.
CONCLUSION
Data tampering, or data manipulation, is the way in which an attacker or malicious user gets into a web site and changes, deletes or gains unauthorized access to its files. Attackers can also tamper indirectly, using a script exploit disguised as user input to a page. Data tampering can be carried out through: cookie tampering, modifying cookies to gain access to files and documents; HTML form field tampering, in which the attacker changes the values in HTML forms; URL query string tampering, changing the form values that appear in the user's address bar; password cracking, in which the attacker uses a tool to discover an unknown password and gain unauthorized access to a system; and HTTP header tampering, in which the attacker modifies request headers through a proxy or a custom program.
Data tampering brings risks such as the exposure of important information, the deletion of files, eavesdropping on private conversations, and the alteration of important messages. It can be countered by hashing and signing data, digital signatures, strong authorization, tamper-resistant protocols across communication links, strong firewalls and long alphanumeric passwords.
REFERENCES
- Bagal R. (2009). Threats and countermeasures: S.T.R.I.D.E. [online]. Available from http://www.24x7code.com/main/threats.aspx [accessed 19 January 2009].
- Casteele S.V. (2004). Threat Modeling for Web Applications Using the STRIDE Model [eBook]. Royal Holloway, University of London. Available from http://www.securityworld.be/security/threat modeling for web application using the STRIDE model.pdf [accessed 18 January 2009].
- Curphey M, Scambray J, Olson E. (2003). Internetworking Improving Web Application Security: Threats and Countermeasures. Microsoft Corporation.
- Curphey M, Smith T et al. (2002). Parameter Manipulation, OWASP [online]. Available from http://www.cgisecurity.com/owasp/html/ch11s04.html [accessed 19 January 2009].