NTA Final
Table of Contents
Abstract 3
Problem Statement 4
Identification 4
Solutions 5
Conclusion 6
References 7
Abstract
Computer networks have grown at a fast rate recently and have become synonymous with organizations that thrive on excellence. Computer networks provide such basis for interactivity, and connectivity with a lot of people and businesses around the world. Due to the fact that people can access information from around the world security concerns have also risen. Mail and Web Application Vulnerabilities are easily exploited by users and clients. These vulnerabilities are prone to interfere with programs and processes at runtime. There are several vulnerabilities in the web environment namely, password cracking, phishing, worms but we are mainly going to discuss SQL injection and its prevention measures.
NTA Final
Problem Statement
Network vulnerability is anything that that poses a potential for breach against the network system. Web applications and services use http protocol which is vulnerable and inappropriate for insistent applications. Statistics show that at most 70% of web applications are prone to security faults. Web applications are public repository making access to the public very easy, exposing it to more vulnerability. There are many risks in the web environment these include hacking, password cracking, phishing, viruses and worms but the most common in a web environment is SQL injection.
SQL injection is hacking method that allows an unauthorized attacker to access a database server therefore gaining access to resources and can modify the contents of the database (Clarke, 2012; Cumming and Russell, 2007; Stamp, 2005). SQL injection vulnerability is facilitated by applications that accept data from untrusted sources and executes queries without validating the data.
Identification
Malicious SQL statements can be introduced into a vulnerable application using many different input mechanisms, the methods include:-Injection through user input whereby the attackers inject SQL commands by providing user input. user input comes from form submissions sent to the Web application via HTTP GET or POST requests, web applications will be able to access the user input contained in these requests; Injection through manipulation of cookies, the cookies contain information generated by Web applications and stored on the client machine they restore the client’s state information; Injection through server variables (Raavi, 2009). Variables contain HTTP, network headers, and environmental variables. The variables are used for logging statistics and browsing trends (Berg, 2007).
Solutions
There are many solutions that can be considered to attain a secure application against SQL injection and other web application vulnerabilities. When it comes to SQL injection, web developers can reduce database connection privileges, protect the system account, end the use of dynamic SQL and embrace parameterized SQL (Brody, et al, 2007). Using a limited access account to connect to the database instead of admin-level can prevent vulnerabilities. SQL statements should be in stored procedures and kept on database server. In order to execute the stored procedures safe interfaces should be used such as JDBC’s Callable Statement or ADO’s Command Object (Berg, 2007).
To prevent password cracking one should ensure that a password does not have less than eight characters, should have a combination of, lower, upper cases, numbers and special characters (Basta and Halton, 2008; Edward, 2008). One should also not use personal information that can easily be detected to come up with passwords.
Phishing can be prevented by the use of anti-phishing software. This software detects phishing in the website and then displays the real website domain being used by a client (Swartz, 2003; Butler, 2007). Examples of this software are Phish Tank Site Checker, GFI Mail Essentials, Spoof Guard and Nercraft. These are just but a few of the solutions employed to curb web application vulnerabilities.
With all the web and mail vulnerabilities existing there are two ways in which to check for security vulnerabilities:-white box approach where the code is reviewed on a step to step basis. The second approach is the black box approach where you inject all possibly fault-inducing inputs in the web app and look for hints that something strange has happened.
Conclusion
The web allows users to communicate vastly with people across the world by use of social networks e.g. e-mail. Communication is one of the key elements of development in the world and that is why when there are vulnerabilities in the web environment, web developers have to come up with varied solutions to stop attacks on the web.
This paper discusses different types of vulnerabilities that can lead to secure information landing in the wrong hands. These vulnerabilities could be committed on purpose or accidentally. All computer systems and applications that are developed are prone to hacking and security faults and so the best we can do is to develop ways to make it harder to breach the security of these applications.
References
Basta, A and Halton, W. (2008).Computer Security and Penetration Testing. New York: Thompson.
Berg, R. (2007). The path to a secure application: A source code security review checklist. Waltham, MA: Ounce Labs, Inc.
Clarke, J., (2012).SQL Injection Attacks and Defense. Massachusetts: Elsevier.
Cumming, A. and Russell, G., (2007).SQL Hacks. California: O’Reilly Media, Inc.
Edward, R. (2008). High Performance Password Cracking by Implementing Rainbow Tables on NVidia Graphics Cards (IseCrack). IOWA: ProQuest.
N. Swartz, (2003). “Identity theft victims skyrocket, victims say,” Information Management Journal, vol. 39, pp. 16.
R. Butler, (2007). “A framework of anti-phishing measures aimed at protecting the online consumer’s identity,” The Electronic Library, vol. 25, pp. 517-533.
R. G. Brody, E. Mulig, and V. Kimball, (2007).”Phishing, pharming and identity theft,” Academy of Accounting and Financial Studies Journal, vol. 11, pp. 43-56, 2007.
Raavi, B. (2009). SQL Injection Vulnerability Detection Technique Software During Development. California: California State University, Long Beach.
Stamp, M., (2005).Information Security: Principles and Practice. New Jersey: John Wiley & Sons.
