**2. Advanced security threats**

### **2.1 Web security threats**

#### **2.1.1 AJAX security**

As Web applications become increasingly complex, the performance demanded of Web services also increases. AJAX (Asynchronous JavaScript and XML) (Garrett, 2005) is the mainstream technology of Web 2.0; it enables the browser to give users a more natural browsing experience. With asynchronous communication the user is freed from the submit, wait and refresh cycle, and parts of a page can be updated dynamically, so users get a smooth experience similar to that of desktop applications.

However, the variety of Web applications that has brought us countless conveniences has also produced a series of security problems. The introduction of AJAX does not solve these problems: the traditional Web security problems still exist, and the elements that make up AJAX, together with the way its features are structured, lead to new security threats.

Web and Database Security 3

In recent years, adding AJAX elements to sites has become a very popular trend, and most websites are now typical AJAX-based applications. Since most website builders simply enjoy the conveniences of AJAX technology and know little about its security threats, most AJAX application sites carry security risks of varying degrees. Here we summarize and analyse the AJAX security threats.

**1. Security Threats of AJAX Technology**

**a. The Deficit of JavaScript Language**

JavaScript is a widely used client-side scripting language, originally designed and implemented by Netscape, and it is widely employed to reduce the burden on the server. The features of the JavaScript language determine the security risks it carries:

- JavaScript is an interpreted language. In the interpretation process every error is a run-time error, and a run-time error can only be found during execution. If the programmer has left a bug somewhere in the code but the logic at run time never reaches that area, the bug will not be found, which leaves significant risks in the application. Detecting and locating errors in an interpreted language is quite difficult. JavaScript is also a weakly typed language: weakly typed languages do not require the programmer to declare a variable's type when the variable is declared. This flexibility easily leads to many problems.
- JavaScript code is dynamic in nature. Code can be generated dynamically and executed with the eval function, and existing functions can be modified directly. Once an attacker gains control of the JavaScript code, he can overwrite other user-defined methods and even the browser's built-in methods, causing many kinds of serious malicious behaviour.

**b. Problems of Asynchronous**

Asynchronous communication is the highlight and core idea of AJAX technology, but asynchrony also introduces a series of race (competition) problems.

**2. Issues of AJAX Framework**

**a. Exposure of Client-Side Logic**

Programming client-side logic in JavaScript makes that logic public: users can easily see the client code through the browser's View Source feature.

**b. Incomplete Server**

Most AJAX programmers validate user input on the client side; although this reduces the burden on the server, it leaves room for security risks.

**3. Traditional Web Security Threats of AJAX**

The AJAX framework gives users an experience close to that of a desktop application: users no longer wait a long time for the server to respond and refresh the page. However, this feature also poses a problem: the user does not know what the current request sent, or even that a request was sent at all. This allows many traditional Web attacks to be carried out in a more covert manner. The main traditional Web security threats are (Razvan & Maria, 2010):

- cross-site scripting attacks (XSS) against the AJAX framework;
- cross-site request forgery attacks (CSRF) against the AJAX framework;
- SQL injection against the AJAX framework;
- XPath injection against the AJAX framework;
- denial of service attacks (DoS) against the AJAX framework.

**4. Security Threats Introduced by AJAX**

AJAX was introduced initially to solve the problem that, when a user submits a request in the browser, he has to wait a long time for the server's response and the entire page is refreshed before the next step. But while AJAX technology brings convenience, it also introduces some security threats.

**a. JSON Injection and JSON Hijacking**

JSON (JavaScript Object Notation) (Crockford, 2006) is a lightweight data transmission and exchange format widely used in AJAX. JSON is based on a subset of JavaScript and was developed from the JavaScript Array and Object, and the text format it adopts is completely language-independent, so JSON data can be transmitted across platforms. JSON Injection and JSON Hijacking are currently the two aspects of its security threats.

**b. Trust Crisis of AJAX Proxy**

For security reasons JavaScript code is limited to running in a sandbox, and JavaScript is prohibited from accessing third-party domains. But sometimes AJAX needs to call third-party services, for example the components of a Mashup. The solution is to build an AJAX proxy: the Web server creates a Web service that only forwards calls to the third-party Web service. The AJAX proxy allows the client to call the third-party Web service, but it also creates a crisis of confidence between the AJAX proxy server and the third-party server. First, the attacker can gain direct access through the AJAX proxy to many resources that were previously unavailable. Meanwhile, an attacker who attacks the third-party Web server via the AJAX proxy can hide the source of the attack, making it appear as if the attack came from the AJAX proxy (Anley, 2002).

**c. Disclosure of User Data**

AJAX technology gives users a better browsing experience, but some AJAX-based applications inadvertently disclose user data. AJAX is widely used in situations such as this: a user registering a mailbox enters the account name he wants to use, and when he moves to the next input field the browser prompts beside the user name box that the account he is applying for has already been taken and he should choose another. This design follows a good user-centred design rule: the user is told that the account is taken before he has filled in and submitted all the information. But in this way user data is leaked without anyone noticing. A malicious attacker can enter any combination of letters and numbers as the account name and immediately learn whether that mailbox has been registered. Knowing that a mailbox exists, he may send spam to it, or e-mail containing malicious XSS code. By simple repeated enumeration the attacker can even learn the names of all existing accounts on the mail server, which undoubtedly poses great threats.
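The "trust crisis" of the AJAX proxy described under b. above comes from a proxy that forwards whatever URL the browser supplies. The following is an added example, not code from the chapter: a forwarding check that only lets the proxy reach an explicit allowlist of third-party services (the hosts and paths here are hypothetical), and refuses IP literals, userinfo tricks, foreign ports and paths outside the permitted prefixes.

```python
# Added example (not from the chapter): the allowlist check an AJAX proxy should
# apply before forwarding a client-supplied URL to a third-party service.
import ipaddress
import posixpath
from typing import Tuple
from urllib.parse import urlsplit

# Hypothetical third-party services this Mashup may call: host -> allowed path prefixes.
ALLOWED_SERVICES = {
    "api.weather.example": ("/v1/forecast",),
    "maps.example": ("/geocode", "/tiles"),
}
ALLOWED_SCHEMES = ("https",)


def _is_ip_literal(host: str) -> bool:
    """IP literals bypass the name allowlist (and can point at internal hosts)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _path_allowed(path: str, prefixes) -> bool:
    # Normalise first so "/tiles/../admin" is judged as "/admin", not as "/tiles/...".
    clean = posixpath.normpath(path or "/")
    return any(clean == p or clean.startswith(p + "/") for p in prefixes)


def proxy_target_allowed(url: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a URL the browser asks the proxy to fetch.

    Every component is taken from the parsed URL, never from substring matching,
    so "https://maps.example@evil.example/" (userinfo) and
    "maps.example.evil.example" (matching prefix) are both rejected.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = parts.hostname or ""          # urlsplit lower-cases the host for us
    if not host or _is_ip_literal(host):
        return False, "host missing or IP literal"
    prefixes = ALLOWED_SERVICES.get(host)
    if prefixes is None:
        return False, "host not in allowlist"
    try:
        port = parts.port                # raises ValueError on a malformed port
    except ValueError:
        return False, "port not allowed"
    if port not in (None, 443):
        return False, "port not allowed"
    if not _path_allowed(parts.path, prefixes):
        return False, "path not allowed"
    return True, "ok"


def forward(url: str, fetch=None) -> str:
    """The proxy endpoint: check first, then fetch. `fetch` is injectable so the
    example runs offline; a real proxy would use an HTTP client here."""
    allowed, reason = proxy_target_allowed(url)
    if not allowed:
        return "403 Forbidden: " + reason
    return fetch(url) if fetch else "200 OK (would fetch " + url + ")"
```

Logging the rejected URLs with their reason gives the operator a useful signal that someone is probing the proxy.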

#### **2.1.2 Cross site scripting**

Cross-site scripting (also known as XSS or CSS) occurs when dynamically generated Web pages display input that has not been properly validated. In XSS, malicious attackers acting as normal visitors upload malicious script, such as JavaScript code, to the Web server by exploiting bugs in the utility programs or code on the Web server. Attackers also send URL links containing malicious script to target users. When Web users visit pages containing the malicious script, or open the received URL links to the Web site, their browsers automatically load and execute the malicious script. This attack procedure shows that XSS is actually a simple attack technique. In most cases malicious attackers attack users indirectly through the Web server; direct attacks occur rarely.

XSS is a passive attack. First, by exploiting XSS bugs in the Web application, malicious attackers construct a trap page in which the malicious script is stored in the page content or in the URL. The URL of this page is then announced on a BBS, embedded in e-mails, or disguised with an attractive title. If a user visits the URL, the JavaScript is executed by the user's browser. The procedure of an XSS attack is shown in Fig. 1.

Fig. 1. The Process of Cross Site Scripting Attack (diagram: attackers fabricate malicious trap pages on the Web server; entice victim users to click the trap pages; victim users request the trap pages; the malicious script is sent to the users' browser; the browser sends private information to the attackers)
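The trap page in Fig. 1 works only because the server echoes attacker-controlled input into the page unchanged. The following added example (not from the chapter) shows such a reflected page rendered the vulnerable way and then with output encoding chosen per context; the inputs are constructed, and the link check shows the caveat that HTML escaping alone does not neutralise a `javascript:` URL placed in an href.

```python
# Added example (not from the chapter): a page that reflects two URL parameters
# (a display name and a link), vulnerable version beside the hardened version.
import html
from urllib.parse import urlsplit


def render_vulnerable(name: str, link: str) -> str:
    """Vulnerable: parameters are pasted straight into the HTML, so a trap URL
    carrying <script>...</script> or javascript:... becomes part of the page."""
    return f'<p>Welcome {name}</p><a href="{link}">your page</a>'


def safe_url(link: str) -> str:
    """For an href, escaping is not enough: a javascript: scheme would still run.
    Allow only http(s) URLs, then escape so quotes cannot break the attribute."""
    if urlsplit(link.strip()).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(link, quote=True)


def render_hardened(name: str, link: str) -> str:
    """Hardened: HTML-text context gets html.escape, attribute context gets the
    scheme check plus quote-aware escaping."""
    return (f"<p>Welcome {html.escape(name)}</p>"
            f'<a href="{safe_url(link)}">your page</a>')


def contains_active_script(page: str) -> bool:
    """Crude detector for the demonstration: does a raw <script tag or a
    javascript: href survive in the rendered output?"""
    low = page.lower()
    return "<script" in low or 'href="javascript:' in low
```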

#### **2.2 Database security threats**

Database security concerns two parts: data access and data recovery. The first part is realised by suitable authorisation, ensuring that legitimate users can obtain the data they are entitled to while all access beyond their authority is rejected. The latter part means that the database can recover data securely and completely.

Recently, databases have faced security holes such as privilege elevation, SQL injection, XSS, data leakage and improper error handling.

#### **2.2.1 SQL injection**

4 Security Enhanced Applications for Information Systems


**1. SQL Injection Principle**

SQL injection means that attackers deceive the database server into executing unauthorised, arbitrary queries and illegal operations by appending extra SQL statement elements to the end of the predefined query statements in application programs. The essence of SQL injection is to exploit the bugs left by programmers who did not check, or only incompletely checked, database query requests: the attacker submits a malicious SQL statement and tricks the server into executing the malicious query. In the end the attackers can obtain sensitive data or control the whole website.

The main reason SQL injection attacks succeed is that, when dynamically generating SQL statements, websites directly use the data entered by subscribers without any verification.

**2. Process and Methods of SQL Attack**

In the SQL attack process the attackers first probe for SQL injection bugs in application programs by means of designed inputs. Executable SQL statements are then injected to control the program's behaviour. After obtaining the database information, the attackers acquire administrative authority over the server system.

**a. Discovery of SQL Injection Bugs**

Discovering SQL injection bugs provides the information needed for further attack. Before an SQL attack, the attackers need to identify the target database platform and decide which SQL attack statements or methods to use (Halfond et al., 2006). The common methods for finding SQL injection bugs are as follows:

- Append a single quote or similar characters to the end of the submitted query. Attackers then judge whether an injection bug exists, and estimate the database type, from the prompt (error) message returned by the server.
- Append `and 1=1` and `and 1=2` to the end of the submitted query. A bug exists when the page stays normal with `and 1=1` but goes wrong with `and 1=2`; illegal queries and other malicious behaviour can then follow. It means that illegal query statements can be appended after the database's query function.

A regular method for finding bugs is to judge the database type by its built-in variables and the exploitable bugs that exist for it.

**b. SQL Injection Bug Utilisation**

After finding the bugs, attacks such as illegal database queries, obtaining secret information and user data, and controlling the database and server system follow.

- Guessing table names and field names. Attackers use SQL statements such as `and (select count(*) from TestDB.dbo.tablename)>0;` to guess a table name. If the table name exists, the webpage returns normally.
- Obtaining field values. After getting the table name and column name, the field value is recovered by ASCII-based character-by-character decoding. After these two steps the attackers can obtain data, user names, passwords and other information in the database.
- Further attack. From the definition and principle of SQL injection, we know that attackers are interested in administrator privileges rather than in account numbers. Administrator privileges enable further attack and let attackers acquire higher privileges, for example to add Trojans to webpages.
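The `and 1=1` / `and 1=2` probe above only works when the "subscriber's inputted data" is pasted into the statement text. The following added example (not from the chapter) shows that vulnerable query beside the hardened form that validates the input and binds it as a parameter, and turns the chapter's discovery heuristic into a regression check a defender can run against both. It uses an in-memory SQLite database with constructed sample rows.

```python
# Added example (not from the chapter): string-built query vs. validated and
# parameterised query, checked with the chapter's boolean probe.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, user_id: str):
    """Vulnerable: the input is concatenated into the SQL text, so anything
    appended to it (e.g. ' and 1=2') becomes part of the WHERE clause."""
    sql = "SELECT name FROM users WHERE id = " + user_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def find_user_hardened(conn: sqlite3.Connection, user_id: str):
    """Hardened: verify the input is what the application expects (a positive
    integer) and pass it as a bound parameter, so it can never alter the statement."""
    if not user_id.isdigit():
        raise ValueError("user id must be a positive integer")
    row = conn.execute("SELECT name FROM users WHERE id = ?", (int(user_id),)).fetchone()
    return row[0] if row else None


def probe_shows_injection(lookup, conn: sqlite3.Connection, base: str = "1") -> bool:
    """The chapter's discovery heuristic as a defender's regression test: an
    endpoint is injectable when 'and 1=1' behaves like the plain input while
    'and 1=2' changes the result. A rejected input means no injection."""
    try:
        plain = lookup(conn, base)
        true_case = lookup(conn, base + " and 1=1")
        false_case = lookup(conn, base + " and 1=2")
    except (ValueError, sqlite3.Error):
        return False
    return plain == true_case and true_case != false_case
```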

Methods such as installing a firewall, setting up an isolation region for protected resources, encrypting sensitive information in storage and in transit, providing identity authentication and establishing a secure channel, and providing digital signatures for auditing and tracking software that carries no security guarantee are adopted to ensure Web service security.

**1. Install Fire Wall**

The most popular security method is to provide an isolation region for a LAN or website. A LAN firewall is a function module inside a computer or network equipment placed between the inner network and the Internet. Its purpose is to provide security protection for an inner network or host and to control who may access it, so it is also called access control technology. There are two operating mechanisms for firewalls: packet filtering and agency (proxying). Packet filtering targets the services provided by hosts at specific IP addresses. Its basic principle is to intercept and capture IP packets at the IP layer during network transmission, then extract the source address and destination address and the source port and destination port of the IP packet. Whether to transmit the IP packet is decided according to fixed filtering rules.

The agent (proxy) is realised in the application layer. Its basic principle is to construct an independent agent program for each Web service; the client program and the server can only exchange information through their own agent programs rather than interacting directly with each other.

**2. Encryption for Confidential Information**

This method is particularly effective for protecting confidential information, since it can prevent wiretapping and hacking. Transmission encryption in Web services is generally achieved in the application layer. When the WWW server sends confidential information, it first selects keys to encrypt the information based on the receiver's IP address or other identification; after the browser receives the encrypted data, it decrypts it according to the source address or other identification of the information in the IP packet to obtain the required data. In addition, transmission, encryption and decryption of information at the IP layer can also be achieved by encrypting and decrypting the whole message, to ensure information security at the network layer.

**3. Provide Identity Authentication for the Client / Server Communication and Establish A Secure Channel**

Currently some network security protocols, e.g. SSL and PCT, have appeared that are built on the existing network protocols. These two protocols are mainly used not only to protect confidential information but also to prevent other unauthorised users from invading one's own host.

The SSL protocol provides private communication and includes authentication, signature and encryption technology for the server; it can provide not only authentication of the server but also authentication of the client, depending on the options of the server.

**8. Multiple-protection Principle**

Perfect security protection methods hardly exist, so a multiple-protection system is constructed to protect each layer. When one layer is broken, the other layers can still protect the information.
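The packet-filtering mechanism under "1. Install Fire Wall" decides, from the source and destination address and port of each IP packet, whether to forward it under a fixed rule list. The following added example (not from the chapter) implements such a first-match filter for a constructed inner network with one public Web server; it also includes the anti-spoofing rule a practitioner would want, since a rule that trusts inner addresses is otherwise satisfied by an Internet packet that merely claims an inner source.

```python
# Added example (not from the chapter): a first-match, default-deny packet
# filter keyed on arrival interface, addresses, protocol and destination port.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "outer" (Internet) or "inner"
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    iface: Optional[str] = None    # None matches any interface
    src: str = "0.0.0.0/0"         # network the source address must fall in
    dst: str = "0.0.0.0/0"         # network the destination address must fall in
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Constructed policy: inner network 192.0.2.0/24 with a Web server at 192.0.2.10.
INNER_NET = "192.0.2.0/24"
WEB_SERVER = "192.0.2.10/32"

RULES: List[Rule] = [
    # Anti-spoofing: a packet from the Internet must not claim an inner source.
    Rule("deny", iface="outer", src=INNER_NET),
    # The Internet may reach only HTTP and HTTPS on the Web server.
    Rule("allow", iface="outer", dst=WEB_SERVER, proto="tcp", dport=80),
    Rule("allow", iface="outer", dst=WEB_SERVER, proto="tcp", dport=443),
    # Inner hosts may initiate anything outbound.
    Rule("allow", iface="inner", src=INNER_NET),
    # Default deny.
    Rule("deny"),
]


def decide(p: Packet, rules: List[Rule] = RULES) -> str:
    """Return the action of the first matching rule; rule order is the policy.
    With no matching rule the packet is dropped rather than forwarded."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"
```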
