
Rational Unified Treatment for Web Application Vulnerability Assessment

Priya R. L.1, Lifna C. S.2
Department of Information Technology, VESIT, University of Mumbai
[email protected]1, [email protected]2

Dhanamma Jagli3
Master of Computer Applications Dept., VESIT, University of Mumbai
[email protected]3

Anooja Joy4
Department of Computer Engineering, VESIT, University of Mumbai
[email protected]4

Abstract—Web applications are increasingly used to offer e-services such as online banking, online searching and social networking over the web. As web applications spread through the information society, web application software security becomes more and more important, and attacks against web applications have multiplied along with them. The root causes of these vulnerabilities are a lack of security awareness, design flaws and implementation bugs. Detecting and fixing vulnerabilities is the effective way to improve web security. Many vulnerability analysis techniques for web-based applications detect and report different types of vulnerabilities; even so, no single technique provides a generic, technology-independent handling of web-based vulnerabilities. In this paper a new approach to Web application Vulnerability Assessment (WVA) based on the Rational Unified Process (RUP) framework, hereafter referred to as the Rational Unified WVA, is proposed and implemented, and its results are analysed.

Keywords: Rational Unified Process, Web application Vulnerability Assessment, The Open Web Application Security Project.

I. INTRODUCTION

A web application vulnerability assessment [1,12] is the way to identify the mistakes in web application logic, configuration, implementation and deployment that jeopardize the security properties of data. Web-based attacks can lead to loss of revenue, theft of customers' personally identifiable, financial and other sensitive information, and loss of regulatory compliance with a multitude of government and industry mandates. Minimizing the risk due to existing web vulnerabilities starts with running a vulnerability assessment on the web applications. Mitigating the threats associated with web application vulnerabilities and the attack methods that exploit them need not be beyond the reach of any organization.

Many organizations build security measures into their Software Development Life Cycle (SDLC) by implementing a process to scan for web application vulnerabilities. This paper presents a treatment of web application vulnerability assessment through an iterative and incremental software development process framework that is widely used for web development programs, the Rational Unified Process (RUP).

II. LITERATURE REVIEW

The Rational Unified Process [4] is a software engineering process for assigning tasks and responsibilities within a software development organization so as to ensure the production of high-quality software. The RUP takes an evolutionary approach which, according to [4], has been shown in practice to be far more effective than the traditional serial "waterfall" approach that is prevalent in many organizations.

A. The Rational Unified Process

IBM has defined the Rational Unified Process [5] as a web-enabled system development process framework. It is based on sound software engineering principles, following an iterative, requirements-driven and architecture-centric approach to web application development. The Rational Unified Process has four phases [2,5], as shown in Fig. 1.

(1) Inception: Requirements capture and analysis

(2) Elaboration: System and class-level design

(3) Construction: Implementation and testing

(4) Transition: Deployment

Fig. 1. The Rational Unified Process Phases

B. The Open Web Application Security Project (OWASP)

The primary aim of OWASP [7] is to educate the stakeholders of the web development team about the consequences of the most important web application vulnerabilities. The OWASP Top 10 provides basic techniques to protect against various high-risk problem areas and guidance on each problem area. The following are the OWASP Top 10 web application security risks, as released in 2013.

1) Injection
2) Broken Authentication and Session Management
3) Cross Site Scripting (XSS)
4) Insecure Direct Object References

2014 International Conference on Circuits, Systems, Communication and Information Technology Applications (CSCITA)

978-1-4799-2494-3/14/$31.00 ©2014 IEEE 336


Fig. 4. Environmental Setup

The Rational Unified treatment for WVA was performed against the web application from a BackTrack machine over the intranet. BackTrack gives users easy access to a comprehensive collection of security-related tools, ranging from port scanners to security audit tools. Among these, w3af, an open source web application security scanner, was selected to discover, audit and exploit web application vulnerabilities.

Fig. 5. w3af Environment

The w3af environment in Fig. 5 lists all scan configuration profiles and their associated plugins. Among the nine scan configuration profiles, the OWASP profile is selected to perform audit, authentication, discovery and exploitation against the hosted website. The w3af environment also generates output for the vulnerability assessment and exploitation tasks in several forms, such as console, emailReport, gtkOutput and htmlFile.

VI. RESULTS

The four phases of the Rational Unified treatment for WVA are performed in sequence: discovering the IT assets; auditing the risks, threats and vulnerabilities associated with them; exploiting the identified vulnerabilities; and listing the mitigation steps the organization should take to safeguard its IT assets.

Fig. 6 depicts the progress of the Discovery phase in the w3af environment. Logs are generated by the selected plugins (fingerprint_os, serverStatus and so on) and shown on the gtkOutput screen.

Fig. 6. Discovery Phase in w3af

Fig. 7 depicts the progress of the Audit phase: the XSS and XSRF vulnerabilities found are listed in the w3af console, and the second half of the figure shows the same findings in the graphical interface.

Fig. 7. List of XSS & XSRF vulnerabilities in w3af Audit
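To make concrete what an audit plugin is doing when it reports the XSS and XSRF findings of Fig. 7, the following Python is an added example written for this page; it is not w3af code and not from the paper. It runs a minimal reflected-XSS probe and a CSRF-token check against two constructed in-memory page handlers, vulnerable_app and hardened_app (hypothetical names and markup), so it runs offline without a target.

```python
import html
import re
import secrets
from typing import Callable, Dict, List

# A target is modelled as a function from request parameters to the HTML it
# returns, which is all the two checks below need to see.
App = Callable[[Dict[str, str]], str]


# Constructed target (not the paper's hosted site): a search page that also
# carries a state-changing POST form. The vulnerable variant reflects the
# query unescaped and ships the form without an anti-CSRF token.
def vulnerable_app(params: Dict[str, str]) -> str:
    q = params.get("q", "")
    return (
        "<html><body>"
        f"<p>Results for: {q}</p>"
        "<form method=\"POST\" action=\"/transfer\">"
        "<input name=\"to\"><input name=\"amount\">"
        "<input type=\"submit\" value=\"Send\"></form>"
        "</body></html>"
    )


# Hardened variant: HTML-escape the reflected value and add a hidden token.
def hardened_app(params: Dict[str, str]) -> str:
    q = html.escape(params.get("q", ""), quote=True)
    # A real application generates the token once per session, stores it
    # server-side and compares it on every state-changing request; a fresh
    # random value per render is enough to show what the auditor looks for.
    token = secrets.token_urlsafe(16)
    return (
        "<html><body>"
        f"<p>Results for: {q}</p>"
        "<form method=\"POST\" action=\"/transfer\">"
        f"<input type=\"hidden\" name=\"csrf_token\" value=\"{token}\">"
        "<input name=\"to\"><input name=\"amount\">"
        "<input type=\"submit\" value=\"Send\"></form>"
        "</body></html>"
    )


FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.IGNORECASE | re.DOTALL)
TOKEN_RE = re.compile(
    r"name=[\"']?(?:csrf|xsrf|_token|csrf_token|authenticity_token)", re.IGNORECASE
)


def audit_reflected_xss(app: App, param_names: List[str]) -> List[dict]:
    """Send a unique canary wrapped in a tag through each parameter and check
    whether '<' and '>' come back unescaped. A canary rather than a script
    payload keeps the probe harmless and makes reflection unambiguous."""
    findings = []
    for name in param_names:
        canary = "w3af" + secrets.token_hex(4)
        probe = f"<{canary}>"
        body = app({name: probe})
        if probe in body:
            findings.append({"type": "xss", "param": name, "evidence": probe})
    return findings


def audit_csrf(app: App) -> List[dict]:
    """Flag POST forms that carry no token-like field. This is the static
    half of the check; a full check replays the request without the token
    (or from a foreign origin) and sees whether the server still accepts it."""
    findings = []
    for attrs, inner in FORM_RE.findall(app({})):
        method = re.search(r"method=[\"']?(\w+)", attrs, re.IGNORECASE)
        if method and method.group(1).lower() == "post" and not TOKEN_RE.search(inner):
            action = re.search(r"action=[\"']?([^\s\"'>]+)", attrs, re.IGNORECASE)
            findings.append({"type": "csrf", "form": action.group(1) if action else "?"})
    return findings


if __name__ == "__main__":
    for label, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        print(label, audit_reflected_xss(app, ["q"]) + audit_csrf(app))
```

Run stand-alone, the vulnerable handler yields one xss finding on q and one csrf finding on /transfer, and the hardened one yields none. The escape-then-check pattern is also why a scanner reports reflection context: the same canary inside an attribute or a script block needs a different probe than the tag probe used here.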

The Results tab of w3af displays the KB Browser, which lists all the information gathered from the web server. In Fig. 8, the Apache version has been retrieved from the error page that the web server returned for request id 89. A version string in an error page is a configuration exposure rather than a bug: Apache's ServerSignature directive controls the footer of server-generated error pages and ServerTokens controls how much the Server header reveals, so both belong in the mitigation for this finding.

Fig. 8. KB Browser listing information gathered from Web Server
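The KB entry in Fig. 8 comes from a server-generated error page. The following Python is an added example, not code from the paper or from w3af: it shows the extraction over a constructed Apache 404 response and over a hardened variant (ServerTokens Prod, ServerSignature Off), so it is clear what the KB Browser would and would not learn in each case. The sample responses, the host address 192.0.2.10 and the probed path are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample responses (not captures from the paper's target). The
# first is what an Apache httpd with the default ServerTokens/ServerSignature
# settings returns for a missing page; the second is the same server with
# "ServerTokens Prod" and "ServerSignature Off".
SAMPLE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Tue, 11 Feb 2014 10:22:41 GMT\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n"
    "<html><head><title>404 Not Found</title></head><body>\n"
    "<h1>Not Found</h1>\n"
    "<p>The requested URL /w3af-probe-89 was not found on this server.</p>\n"
    "<hr>\n"
    "<address>Apache/2.2.22 (Ubuntu) Server at 192.0.2.10 Port 80</address>\n"
    "</body></html>\n"
)

SAMPLE_404_HARDENED = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Tue, 11 Feb 2014 10:22:41 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>404 Not Found</title></head><body>\n"
    "<h1>Not Found</h1>\n"
    "<p>The requested URL /w3af-probe-89 was not found on this server.</p>\n"
    "</body></html>\n"
)

VERSION_RE = re.compile(r"Apache/(\d+(?:\.\d+)+)")
SIGNATURE_RE = re.compile(r"<address>(.*?)</address>", re.IGNORECASE | re.DOTALL)


def parse_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP response into status line, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def fingerprint(raw: str) -> Dict[str, Optional[str]]:
    """Collect what the error page and the Server header reveal about httpd."""
    status_line, headers, body = parse_response(raw)
    sig = SIGNATURE_RE.search(body)
    info: Dict[str, Optional[str]] = {
        "status": status_line,
        "server_header": headers.get("server"),
        "signature": sig.group(1).strip() if sig else None,
        "version": None,
        "version_source": None,
    }
    # Prefer the in-body signature: httpd writes it itself, whereas the Server
    # header may have been rewritten by a reverse proxy or load balancer.
    for source, text in (("error-page signature", info["signature"]),
                         ("Server header", info["server_header"])):
        match = VERSION_RE.search(text or "")
        if match:
            info["version"] = match.group(1)
            info["version_source"] = source
            break
    return info


if __name__ == "__main__":
    for label, raw in (("default", SAMPLE_404), ("hardened", SAMPLE_404_HARDENED)):
        print(label, fingerprint(raw))
```

Against the default response the function reports version 2.2.22 taken from the error-page signature; against the hardened one it reports only the bare product name from the Server header and no version, which is exactly the difference those two directives make to what a scanner's knowledge base ends up holding.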


Fig. 9. Exploit tab listing all the vulnerabilities to be exploited

In Fig. 9, the Exploit tab lists all the vulnerabilities gathered from the web server. Double-clicking an entry in the list exploits the selected vulnerability, as shown in Fig. 10.

Fig. 10. Exploitation of XPATH injection vulnerabilities

The fourth phase, Evasion (the mitigation step of the treatment; the name is the paper's and should not be confused with w3af's evasion plugins, which rewrite outgoing requests to get past IDS or WAF filtering), is performed on the basis of the reports generated by the first three phases, as shown in the figures above. The Discovery report (Fig. 6) lists the IT assets and resources associated with the target machine. In the Audit phase (Fig. 7 and 8) the vulnerabilities are identified and forwarded to the KB Browser. The Exploit phase (Fig. 9) lists all vulnerabilities that can be exploited from the attacker's machine; after specific vulnerabilities are selected in that window, the status of the exploitation is shown in Fig. 10. These reports are then produced in multiple formats, such as e-mail attachment, HTML file, XML file and text (Fig. 5). Using these reports as a benchmark, the top-level management of an enterprise can put in place security measures, aligned with its business rules, to protect the IT assets and resources of the target machine.

VII. CONCLUSION

In this paper we have integrated the Rational Unified Process framework into Web application Vulnerability Assessment. The framework identifies the IT assets of an organization and helps to locate the vulnerabilities that exist in the target machine; it also generates reports on the identified threats in different formats. These vulnerabilities are then exploited as a determined intruder or attacker would. The reports generated from the first three phases of the RUP model form the basis for appropriate countermeasures to be put before the high-level management of an enterprise in order to secure the web application. Such an iterative approach will help to reduce the vulnerabilities in web resources and protect web applications and network assets from attackers.

ACKNOWLEDGMENT

We are grateful to Dr. (Mrs.) Nupur Giri (HOD, Computer Engineering) and Dr. (Mrs.) M. Vijayalakshmi (HOD, Information Technology) for giving time and resources for the successful completion of our work.

REFERENCES

[1]. M. Gregg and D. Kim, Inside Network Security Assessment: Guarding Your IT Infrastructure.

[2]. J. Dhanamma and T. Rohini, "The Unified Approach for Organizational Network Vulnerability Assessment", IJSEA, vol. 4, no. 5, September 2013.

[3]. A. Riancho, "w3af User Guide", document version 2.1, August 2012.

[4]. I. Jacobson, G. Booch and J. Rumbaugh, "Rational Unified Process: Best Practices for Software Development Teams", Rational Software Corp., white paper TP026B, rev. 11/01.

[5]. P. Kruchten, The Rational Unified Process: An Introduction, 3rd ed. Reading, MA: Addison-Wesley Longman, 2004.

[6]. W. Royce, Software Project Management: A Unified Framework. Reading, MA: Addison-Wesley Longman, 1998.

[7]. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

[8]. K. Sharma and N. Kumar, "SWART: Secure Web Application Response Tool", ICCCCM, 2013.

[9]. H. Tian, X. Jing, L. Kunmei and Z. Ying, "Research on strong-association rule based web application vulnerability detection", ICCSIT, 2009.

[10]. H. T. Le, "Evaluating AVDL descriptions for web application vulnerability analysis", ISI, 2008.

[11]. "Understanding web application security challenges", IBM white paper, Web Application Security Management, January 2008.

[12]. S. Splaine, Testing Web Security: Assessing the Security of Web Sites and Applications, Wiley.
