SOLUTION: Artificial Intelligence Security in Hack and Defense Research Paper


Artificial Intelligence Security in Hack and Defence
Student Name
Department
Course
Instructor Name
Date
Artificial Intelligence Security in Hack and Defence
Artificial intelligence is described as computers performing intelligent tasks without human intervention. AI security, accordingly, means using AI to detect and stop cyberattacks with less human participation than traditional security approaches typically require. AI security techniques are frequently used to distinguish good from bad entities by comparing their behavior in one environment with their behavior in another, which allows the system to analyze and flag changes automatically. This strategy, also known as unsupervised learning, produces many false positives and false negatives. More advanced implementations of AI security go beyond merely recognizing good or bad behavior: by analyzing massive volumes of data, they help piece together linked activity that could signal suspicious behavior. In this sense, AI security behaves almost identically to the most basic and capable human analyst. According to a Capgemini Research Institute report, 69% of businesses believe AI is critical in responding to cyberattacks (Bonfanti, 2022).
One application of AI security is the use of AI in antivirus products. Antivirus software with AI detects network or system irregularities by recognizing programs that behave strangely. AI antivirus also uses machine learning techniques to learn how genuine programs interact with an operating system. The next application is automated network and system analysis. Automated analysis of system and network data guarantees continuous supervision and intrusion detection; the huge volume of user-behavior data makes manual analysis nearly unfeasible, and cybercriminals use command methods to avoid detection and breach network defenses.
Another application is email scanning. Because phishing attempts are the major distribution method for dangerous links and attachments, cybercriminals prefer email communication. Anti-phishing systems that use AI and machine learning to detect phishing emails are quite effective. Anti-phishing systems also imitate clicks on the links that have been sent in order to detect phishing indicators (Hoadley & Lucas, 2018).
The objectives are as indicated below:
• AI can be utilized in multi-factor authentication settings to allow access to users while also protecting cyber security corporations and their clients.
• Before a full-fledged attack, AI can be employed early on to detect threats and other potentially dangerous behavior.
• Routine security chores can be automated with AI.
• AI may aid human analysis in various ways, from detecting malicious attacks to ensuring endpoint security.
Artificial intelligence can be trained to recognize even the tiniest ransomware and malware attack behaviors before they enter the system. AI-powered web-based firewalls and filtering software are examples of this kind of technology. When installed on a user's device, such as a computer, it protects consumers while still allowing them to browse websites that raise security and suspicion concerns. Artificial intelligence uses machine learning to learn new patterns of fraud over time and new ways to defend its consumers from advanced cyber threats. The results obtained from this research will enable us to determine how effective AI is at protecting against attacks, what the user should watch out for, and which areas need future improvement.
References
Bonfanti, M. E. (2022). Artificial Intelligence and the Offence-Defence Balance in Cyber Security. In Cyber Security: Socio-Technological Uncertainty and Political Fragmentation (pp. 64-79). London: Routledge.
Hoadley, D. S., & Lucas, N. J. (2018). Artificial intelligence and national security.
Remote Authentication Dial-In User Service
Abstract
This paper provides an overview of RADIUS deployment in networks. It also introduces the protocols used to implement this service, such as EAP, and the protocols that provide the authentication mechanism: PAP, CHAP, MS-CHAP, EAP-TLS, EAP-TTLS, EAP-LEAP and EAP-FAST. These protocols are not discussed in detail but only far enough to present the workflow of how RADIUS works in conjunction with them. The role of RADIUS in point-to-point and VPN connections is outlined. The 802.1x framework and RADIUS are also described briefly. The various AAA protocols are discussed briefly, along with DIAMETER, an enhanced version of the RADIUS protocol.
1. Overview
With growing numbers of remote users such as telecommuters, wireless laptops and PDAs trying to access the network, RADIUS is widely used. RADIUS provides centralized management of user access control and security. RADIUS manages and secures WLAN, remote (VPN) and wired access. It is available as a standalone service such as an IAS server or ACS server, and it may also be embedded in network devices such as routers and switches.
2. Details
RADIUS, as defined by the IETF's RFC 2865 (RADIUS authentication and authorization) and RFC 2866 (RADIUS accounting), is based on a client and server model, and message exchange takes place over UDP. It was originally created by Livingston Enterprises, which was acquired by Lucent [1]. The NAS acts as the RADIUS client and passes the user's request on to the RADIUS server; other RADIUS clients may be wireless access points, routers and switches. The RADIUS server performs authentication, authorization and accounting for users after it receives requests from the client. The communication between the client and the server is encrypted using the shared secret, which is never sent over the network. Both the client and the server are configured with this secret before communication can take place, and communication fails if the secret does not match at both ends.
The RADIUS server supports various methods of authentication and can be integrated with a variety of databases, such as SQL or LDAP databases, in which case the RADIUS server matches the authentication/authorization request against information in these databases. RADIUS also has its own local database where users may be configured if an external database is not deemed necessary; such users are called native users.
A RADIUS server may also act as a proxy server, forwarding requests from a RADIUS client to another, remote RADIUS server, receiving the reply from that server and forwarding it back to the client. This feature is commonly used to implement roaming and is used extensively by ISPs, as it permits two ISPs to allow each other's users to dial in to either network for service.
A RADIUS server may service only authentication and authorization requests or only accounting requests. The RADIUS server can also operate with other backend authenticators such as RSA SecurID. The RADIUS standard initially used UDP ports 1645 and 1646 for RADIUS authentication and accounting packets. The RADIUS standards group later changed the port assignments to 1812 and 1813, but many organizations still use the old 1645/1646 port numbers for RADIUS [2].
RADIUS allows a variety of authentication mechanisms. It is an extensible protocol, as the list of attributes can be extended with new attributes without affecting existing implementations, and vendors can specify their own attributes if necessary. RADIUS supports EAP, which allows it to support more authentication protocols. RADIUS's use with EAP has extended its role from remote access to widespread deployment in wireless LANs. IPv6 support is also available.
Figure 1 below summarizes how RADIUS can be implemented in a network to provide centralized management of distributed services.
Figure 1: Deployment of RADIUS in the enterprise.
3. Implementations
Figure 2: FreeRADIUS Deployment
FreeRADIUS is free open source software created by a team who call themselves the FreeRADIUS project. The project was started in 1999 by Alan DeKok and Smoorenburg under the General Public License. The software package includes a RADIUS server, a licensed client library, a Pluggable Authentication Module library, and an Apache module. It is a very complicated piece of software that requires a lot of configuration; there is plenty of "how to" documentation and there are forums, but they are incomplete. Currently there are over 50,000 deployments and 100 million users. It is supported on UNIX operating systems but available on many other platforms. OpenSSL is used for its cryptographic functions. Previous versions have already suffered several security attacks such as buffer overflows, denial of service and SQL injection. The project even offers a survey that you can take to let them know what improvements or updates are needed. Department of Defense regulations prohibit the use of open source code [3][4][5].
Cisco Secure Access Control Server is another available option to control access to your network. It authenticates, authorizes and provides audit trails. It is available in three different packages, ACS 4.2 (soon 5.0), ACS View and ACS Express, depending on the size of your network. It provides remote access, wireless and network administration controls. It supports many protocols, including Extensible Authentication Protocol and non-EAP protocols that provide the required authentication. It is set up and configured for centralized control [6][7][8].
Internet Authentication Service (IAS), the Windows RADIUS server, supports multiple domain setups. It works seamlessly with RRAS (Routing and Remote Access), used by small businesses. It offers centralized AAA and stores its information in Active Directory. It can forward authentication and accounting messages to other RADIUS servers. It supports many protocols: PPP, PAP, CHAP, MS-CHAP and MS-CHAP v2. It has been replaced in Windows Server 2008 by NPS (Network Policy Server), which can also handle VPN and 802.1x wireless access [9][10].
OpenRADIUS modules are pre-spawned and reused for better management and simpler scripts. It is free to use, just like FreeRADIUS. It has a unique user interface and can talk to other RADIUS servers and to multiple databases in many languages; you can also add new interfaces to talk to different databases. Its flexible behavior allows not only restricting users but also controlling the amount of information it gives the user. It includes a powerful, extensive dictionary [11].
SBR-RADIUS prices range from $4,995 per server for the Enterprise Edition up to $22,000 per server for the Service Provider Edition. The package is offered in Windows, Solaris and appliance versions. It was developed by Funk Software but is now part of Juniper Networks following the acquisition of Funk Software. Since then, support for standalone SBR RADIUS has been dropped, and it is now integrated into a network access control solution called UAC (Unified Access Control), which can be placed anywhere in the network to control access to protected resources. It provides the same AAA functionality as the other implementations mentioned above and has an HTML/XML admin interface.
4. Backend Databases and Authentication Servers
Databases used in conjunction with RADIUS include MySQL, OpenLDAP, Active Directory, PostgreSQL, eDirectory and Oracle.
When RADIUS is set up with Active Directory, it allows viewing the profiles and type of access from server to computer for every user and administrator. See Figure 3.
RADIUS servers can also operate with other authentication servers such as an RSA SecurID server, a TACACS+ server, Active Directory or Unix password files.
Figure 3: RADIUS as integrated with Active Directory [12]
5. Authentication, Authorization, Accounting
Authentication involves determining the identity of the user and whether the user has appropriate permissions for what it is requesting access to. This is accomplished by matching credentials such as a username and password, digital certificates or one-time tokens against a profile.
Authorization involves determining whether adequate information was provided to connect, and granting services to the user once the user is connected. This step involves user- or session-specific configuration. Examples of such services are the type of address the user is assigned, the duration for which the connection to the network is allowed, QoS/differentiated service, etc.
Accounting involves tracking usage during the lifetime of the connection. Typically the identity of the user, the services provided to the user and the duration of service are tracked. This assists management, billing and planning.
RADIUS is one of the most popular protocols providing centralized management of the distributed AAA services. The other remote authentication protocols are TACACS (Terminal Access Controller Access Control System) and TACACS+.
TACACS uses TCP for transport and runs on port 49. It is commonly used in Unix environments by the NAS to communicate with the authentication server to perform authentication.
TACACS+ is a protocol that provides access control to NAS devices, routers and other devices by using more than one centralized server. This protocol also uses TCP for transport and runs on port 49. Like RADIUS, it provides authentication, authorization and accounting, and it handles each of them separately.
DIAMETER is an enhanced version of RADIUS that is not backward compatible. It uses the reliable transport protocol TCP instead of UDP. It has a larger space for attribute-value pairs, better roaming support and error notification. It is defined in RFC 3588 [13].
6. RADIUS Packet, Attributes, Authentication Protocols
PACKET
The operation of the RADIUS protocol involves the exchange of six types of packets between client and server. The RADIUS packet shown in Figure 4 has the fields described below.
The Code is 1 byte (1 octet) long and identifies the type of the packet. Code value 1 identifies an Access-Request packet, 2 an Access-Accept, 3 an Access-Reject, 11 an Access-Challenge, 4 an Accounting-Request and 5 an Accounting-Response. Codes 12 and 13 are reserved for future use.
The Identifier is 1 byte long and is used to match requests to their responses.
The Length is two bytes long and indicates the length of the packet including the Code, Identifier, Length, Authenticator and Attributes fields. The minimum is 20 and the maximum is 4096.
The Authenticator is 16 bytes long; it is used by the RADIUS client to verify the validity of the RADIUS server's response and by the RADIUS server for password hiding.
The Attributes contain authentication, authorization or configuration information in TLV (Type Length Value) format.
Figure 4: RADIUS packet
MESSAGES
The operation of the RADIUS protocol involves six types of packets.
Access-Request is sent by the client to the RADIUS server and contains the information needed to determine whether the user is allowed access to the specific NAS and the requested services. The Code field is set to 1, and the packet must contain a User-Name attribute, a NAS-IP-Address or NAS-Identifier attribute, User-Password or CHAP-Password or State, and NAS-Port or NAS-Port-Type. If User-Password is included, it is encrypted using the RSA Message Digest Algorithm MD5. The Authenticator field is called the Request Authenticator in an Access-Request packet and is used for security functions.
Access-Accept is sent by the RADIUS server to the client along with the information necessary to begin delivery of the requested service. The Code field is set to 2, and the Identifier field is a copy of the Identifier field of the Access-Request to which this is a response. The Authenticator field is called the Response Authenticator for all packets sent by the server, and it is calculated by the server using the MD5 algorithm.
Access-Reject is sent by the RADIUS server to the client if the value of any attribute is not acceptable. The Code field is set to 3, and the Identifier field is a copy of that of the Access-Request for which the reject is generated.
Access-Challenge is sent by the RADIUS server to the user, through the NAS, as a challenge requiring a response. The Code field is set to 11, and the challenge is relayed to the user by the NAS. The user responds with the required information, which is conveyed to the server in another Access-Request message.
Accounting-Request is sent by the NAS/client to a RADIUS server that also performs accounting. The server adds an accounting record to its log and acknowledges the request, while the NAS activates the user's session. The Code field is set to 4 for this packet. Any attribute that can be used in an Access-Request or Access-Accept can be included.
Accounting-Response is sent by the RADIUS server with the Code field set to 5; attributes are not required for this packet. The Response Authenticator is calculated in the same way as for Access-Accept and the other packets.
Status-Server (experimental), with Code 12, is reserved for future use.
Status-Client (experimental), with Code 13, is reserved for future use.
ATTRIBUTES
Attributes carry information between client and server. For accounting, attributes may carry statistical information about the user, e.g. account type, connection type, etc. There are two types of attributes:
Standard attributes are fixed and specified by the RFC.
Vendor-Specific attributes are flexible and are defined by the vendor, e.g. Cisco, 3Com, etc.
Attributes are in TLV (Type Length Value) format. The Type and Length are 1 byte each, whereas the Value may be 0 or more bytes. See Figure 5.
The Type field is assigned a number by the IETF.
Length indicates the length of this attribute including the Type, Length and Value fields.
The Value field may be of type text, string, address, integer or time.
Figure 5: RADIUS Attribute Format
Some standard attributes are as follows:
User-Name indicates the name of the user to be authenticated; its type is 1, its length is greater than or equal to 3, and its value is of string type.
User-Password indicates the password of the user to be authenticated and is used only in Access-Request packets; its type is 2 and it is encrypted.
CHAP-Password is used only in Access-Request packets and indicates the response value provided by PPP CHAP. Type 3 is used.
NAS-IP-Address is assigned type 4 and has length 6; it contains the IP address of the NAS that is requesting user authentication. Either this attribute or NAS-Identifier must be included in an Access-Request. Its value is an address in four octets.
NAS-Port is assigned type 5 and has length 6; it contains the physical port of the NAS that is authenticating the user. It can be used only in Access-Request.
Service-Type is assigned type 6 and can be included in Access-Request or Access-Accept packets. The length is 6 and the value is 4 octets: 1 for Login, 2 for Framed, 7 for NAS Prompt, 8 for Authenticate Only, and so on.
Vendor-Specific is assigned type 26 and allows vendors to specify their own attributes to be used in the packets.
EAP-Message, assigned type 79, encapsulates EAP information to be exchanged between client and RADIUS server. This is the attribute that allows the EAP protocol to be used with RADIUS.
Message-Authenticator's role is to ensure message integrity by encrypting the EAP messages with the RADIUS shared key. It is assigned IETF number 80 [14].
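The Python below is an added example, not code from this paper or from any of the RADIUS implementations it lists. It ties together the PACKET, MESSAGES and ATTRIBUTES sections: the 20-byte header (Code, Identifier, Length, Authenticator), TLV attribute encoding, the User-Password hiding step from RFC 2865 section 5.2 (the paper calls it encryption; it is a reversible MD5-based transform keyed by the shared secret), and the Response Authenticator that a client recomputes to check that an Access-Accept really came from a server holding the secret. All function names are mine; the shared secret, user name, password, Identifier 7 and NAS address 192.0.2.1 are constructed sample values. It deliberately omits Message-Authenticator (attribute 80), retransmission and sockets.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

# Packet codes and attribute type numbers from RFC 2865, as listed in the paper.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator: 20 bytes

def encode_attributes(attrs: list) -> bytes:
    """TLV encoding: 1-byte Type, 1-byte Length (covering Type+Length+Value), then Value."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for one AVP")
        out += bytes([atype, len(value) + 2]) + value
    return out

def decode_attributes(data: bytes) -> list:
    """Walk the TLV list, refusing malformed lengths rather than looping on them."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    output block), seeded with the Request Authenticator. Keyed obfuscation, not AES-grade."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: inverse of hide_password, then strip the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_request(ident: int, request_auth: bytes, attrs: list) -> bytes:
    body = encode_attributes(attrs)
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(body), request_auth) + body

def parse_packet(raw: bytes) -> Dict:
    """Validate the fixed header (20 <= Length <= 4096) before touching attributes."""
    if len(raw) < HEADER.size:
        raise ValueError("packet shorter than 20 bytes")
    code, ident, length, auth = HEADER.unpack_from(raw)
    if length < HEADER.size or length > 4096 or length > len(raw):
        raise ValueError("invalid Length field")
    return {"code": code, "id": ident, "length": length, "authenticator": auth,
            "attrs": decode_attributes(raw[HEADER.size:length])}

def response_authenticator(code, ident, body, request_auth, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    head = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()

def build_response(code: int, request: Dict, attrs: list, secret: bytes) -> bytes:
    body = encode_attributes(attrs)
    auth = response_authenticator(code, request["id"], body, request["authenticator"], secret)
    return HEADER.pack(code, request["id"], HEADER.size + len(body), auth) + body

def verify_response(raw: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if its Response Authenticator matches."""
    pkt = parse_packet(raw)
    body = raw[HEADER.size:pkt["length"]]
    expected = response_authenticator(pkt["code"], pkt["id"], body, request_auth, secret)
    return hmac.compare_digest(expected, pkt["authenticator"])

def demo_exchange(secret: bytes = b"constructed-shared-secret") -> Tuple[bytes, bool, bool]:
    """Constructed NAS <-> server round trip: recovered password, genuine reply ok, forged reply rejected."""
    request_auth = os.urandom(16)  # fresh per request, as RFC 2865 requires
    raw_request = build_request(7, request_auth, [
        (USER_NAME, b"alice"),
        (USER_PASSWORD, hide_password(b"s3cret", secret, request_auth)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),  # constructed documentation address
        (NAS_PORT, struct.pack("!I", 3)),
    ])
    request = parse_packet(raw_request)
    recovered = unhide_password(dict(request["attrs"])[USER_PASSWORD], secret, request["authenticator"])
    accept = [(SERVICE_TYPE, struct.pack("!I", 2))]  # Service-Type 2 = Framed
    genuine = build_response(ACCESS_ACCEPT, request, accept, secret)
    forged = build_response(ACCESS_ACCEPT, request, accept, b"wrong-secret")
    return recovered, verify_response(genuine, request_auth, secret), verify_response(forged, request_auth, secret)
```

Two design points matter for a server that will face hostile UDP datagrams: `parse_packet` checks the Length field against both the 20..4096 bound and the actual datagram size before any attribute is touched, and `decode_attributes` refuses a Length below 2 rather than spinning on it. Those are the kinds of checks whose absence produced the buffer overflow and denial-of-service issues the paper mentions for earlier FreeRADIUS versions. The constant-time comparison in `verify_response` keeps the authenticator check from leaking timing information.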
AUTHENTICATION PROTOCOLS
Various types of protocols are used. The few listed below are used with the Point-to-Point Protocol, while other protocols are used with EAP in the 802.1x framework, commonly used in WLANs.
PAP
The Password Authentication Protocol is used when hosts and routers connect to a PPP network through dial-up or other dedicated lines. The peer establishes its identity with a 2-way handshake: after link establishment, the ID and password are sent repeatedly to the authenticator until they are acknowledged or the connection is terminated. It is not a strong authentication method, as the password is sent in clear text [15].
CHAP
The Challenge-Handshake Authentication Protocol is another widely supported protocol used on PPP links. In contrast to PAP, where the password itself is sent, a representation of the password is sent during the authentication process. The authentication process involves a 3-way handshake. After link establishment the authenticator sends a challenge to the peer; the peer responds by sending a value calculated with a hash function, namely an MD5 hash computed from the password and the challenge. The authenticator, using the peer's password, computes the hash result with the same hash function and compares it. If it matches, authentication is considered successful. As the hash algorithm is one-way encryption, it is easy to crack [16].
MS-CHAP (v1/v2)
The Microsoft Challenge-Handshake Authentication Protocol is Microsoft's version of CHAP. Versions 1 and 2 are available; version 1 is deprecated. It uses the MD4 and DES encryption algorithms and is used in Microsoft networks.
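The CHAP 3-way handshake described above, as an added Python example (not code from the paper or from [16]). The peer computes MD5(Identifier || secret || Challenge) as RFC 1994 specifies; the authenticator recomputes it from the secret it stores and compares. The class and function names and the user database are mine and constructed. Two details the paper's description leaves implicit are made explicit: each challenge is random and single-use, so a recorded response cannot be replayed, and the comparison is constant-time. The paper's remark that the scheme is easy to crack follows from what the code makes visible: the challenge and the response both cross the link in clear, and CHAP requires the authenticator to hold the plaintext secret, which is why the EAP methods in section 7 wrap such exchanges in a TLS tunnel.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side of the handshake (RFC 1994): the value sent back is
    MD5(Identifier || secret || Challenge), never the secret itself."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Authenticator side: issues challenges, remembers only unanswered ones,
    and recomputes the expected response from the stored secret."""

    def __init__(self, user_db: Dict[str, bytes]):
        self.user_db = user_db            # name -> secret; CHAP needs the plaintext secret
        self.ident = 0
        self.pending: Dict[int, bytes] = {}

    def challenge(self) -> Tuple[int, bytes]:
        self.ident = (self.ident + 1) % 256   # 1-byte Identifier field
        value = os.urandom(16)                # fresh and unpredictable each time
        self.pending[self.ident] = value
        return self.ident, value

    def check(self, ident: int, name: str, response: bytes) -> bool:
        # pop() makes each challenge single-use, so a captured response cannot be replayed
        value = self.pending.pop(ident, None)
        secret = self.user_db.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(ident, secret, value)
        return hmac.compare_digest(expected, response)


def run_handshake(auth: Authenticator, name: str, peer_secret: bytes) -> bool:
    """Drive the three messages: Challenge -> Response -> Success/Failure."""
    ident, value = auth.challenge()                       # 1. authenticator -> peer
    response = chap_response(ident, peer_secret, value)   # 2. peer -> authenticator
    return auth.check(ident, name, response)              # 3. authenticator decides


if __name__ == "__main__":
    server = Authenticator({"alice": b"constructed-secret"})   # constructed user database
    print("correct secret:", run_handshake(server, "alice", b"constructed-secret"))
    print("wrong secret:  ", run_handshake(server, "alice", b"guess"))
```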
7. Extensible Authentication Protocol (EAP)
EAP is an Internet standard described in RFC 3748 that provides a framework for network access clients and authentication servers which can be extended with specific authentication mechanisms. EAP only defines how messages are to be exchanged between client, authenticator and authentication server. EAP does not require the IP protocol to communicate, as it uses the link layer.
It was originally developed for use with PPP but is now used with IEEE 802.1x for wired and wireless access. In this framework the client may be a remote user trying to access a network, the authenticator may be a wireless access point or an 802.1x wired switch, and a RADIUS server may be used as the backend authentication server.
In order to allow the exchange of EAP messages, two additional attributes have been defined in the RADIUS specification as per RFC 3579.
The commonly supported EAP protocols are as follows:
EAP-MD5 (Message-Digest 5), as specified in RFC 1194, uses username and password as authentication credentials. This is a simple protocol. The RADIUS server authenticates a connection request by verifying an MD5 hash of the user's password: the server sends the client a random challenge, to which the client responds by hashing the challenge and its password with MD5. It does not provide server authentication and is therefore open to attacks, making it more suited to wired networks.
EAP-TLS (Transport Layer Security), as specified in RFC 2716, provides strong security by requiring both client and server to be validated and authenticated using PKI certificates. The EAP message interaction between client and server is protected against eavesdropping by the TLS tunnel. The disadvantage of this protocol is the use of certificates at both ends, which makes it tedious to maintain, as certificates have to be installed and maintained in both places.
EAP-TTLS (Tunneled TLS) is based on an Internet draft proposed by Funk and Certicom. It is an extension of TLS that provides the benefits of strong encryption without requiring certificates on both client and server. It only requires the authentication server to be validated to the client with a certificate, and the client can use a username and password to authenticate to the server. A TLS tunnel can be used to protect the EAP messages.
PEAP (Protected EAP) is a draft similar to EAP-TTLS in terms of mutual authentication functionality, proposed by RSA Security, Cisco and Microsoft as an alternative to EAP-TTLS. EAP's weaknesses are handled by protecting user credentials, securing EAP negotiation, standardizing key exchange, supporting fragmentation and reassembly, and supporting fast reconnects.
Cisco LEAP (Lightweight EAP) was developed to address the security issues of wireless networks. LEAP is a form of EAP that requires mutual authentication between client and authenticator; if authentication is successful, the network connection opens. LEAP is based on username and password instead of certificates. It is proprietary to Cisco and has not been adopted by other networking vendors.
EAP Flexible Authentication via Secure Tunneling (EAP-FAST) is a protocol created by Cisco and submitted to the IETF. EAP-FAST operates just like PEAP and has two phases: phase one sets up a secure encrypted tunnel, and phase two is an MS-CHAPv2 session that verifies the client to the authentication server. The encrypted tunnel established in phase one provides a safe environment for the MS-CHAPv2 session and protects it against dictionary attacks. The difference is that EAP-FAST uses a PAC (Protected Access Credential) shared secret to set up the tunnel, whereas PEAP uses the server-side digital certificate to set up a TLS tunnel. A unique user-specific PAC file is generated from a single EAP-FAST master key on the authentication server for each and every user. The PAC may be automatically provisioned by the ACS server; this step is also identified as Phase 0 [17].
With the authentication protocols listed above, security issues like dictionary attacks and man-in-the-middle attacks are resolved.
Dictionary Attack: During the password authentication session the attacker attempts to crack the password using brute force. 802.1X counters this type of attack by using the TLS tunnel between the client and authenticator, thus protecting the username and password exchange.
Man-in-the-Middle Attack: The attacker intercepts the packets between the client and authenticator after obtaining the necessary information by inserting their host between the two, thus becoming the man in the middle. Use of PKI certificates provides protection against such attacks [18].
8. RADIUS Operation (Dial-In/VPN/802.1x)
Dial-in user using RADIUS client and server:
Figure 6: Dial-in User Authentication
The diagram above shows the interaction between a dial-in user and the RADIUS client and server. The user initiates Point-to-Point Protocol authentication to the Network Access Server, which prompts for a username and password. The user replies with the information. The RADIUS client sends the username and encrypted password to the RADIUS server, which responds with accept, reject or challenge. Finally the RADIUS client acts on the services bundled with the accept or reject. The RADIUS server can support a variety of methods to authenticate a user: PPP, PAP or CHAP, UNIX login and others [19].
Windows 2000 RADIUS server authenticating a Cisco VPN client
Figure 7: VPN User Authentication
In the diagram above, a Windows 2000 RADIUS server is used to authenticate a VPN client user. Here the VPN concentrator receives a request from the VPN client with a username and password. Before the VPN concentrator sends the information to the Windows 2000 server, it hashes it using the HMAC/MD5 algorithm. It then sends the authentication packet to the RADIUS server so that the information is sent securely [20].
Wireless authentication using a RADIUS server:
Figure 8: 802.1x WLAN Authentication
Wireless provides port-based authentication, which involves communication between a supplicant (a client), an authenticator (a wired Ethernet or wireless access point) and an authentication server (RADIUS database). The wireless access point acts as a guard to protect the network. The client or user does not get past the authenticator until the supplicant's identity is authorized. With 802.1x port-based authentication, the supplicant provides credentials, such as a username/password or a digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server's database), the supplicant (client device) is allowed to access resources located on the protected side of the network [21].
9. Glossary
TLS (Transport Layer Security) – cryptographic protocols that provide security and data integrity
NTLM (NT LAN Manager) – Microsoft authentication protocol
Samba – named after Server Message Block; free software that provides file and print services
PAM (Pluggable Authentication Module) library – low-level authentication schemes integrated into a high-level interface
PHP – a scripting language used to make dynamic web pages
PKI – Public Key Infrastructure
Apache module – sharing files over the internet
OpenSSL – open source implementation of functions such as the SSL and TLS protocols
10. References
[1] RADIUS, Answers.com. Retrieved from http://www.answers.com/topic/radius-1 on May 2, 2009.
[2] RADIUS Overview. Retrieved from https://www.juniper.net/techpubs/software/aaa_802/sbrc/sbrc70/sw-sbrcadmin/html/Concepts2.html on May 2, 2009.
[3] The FreeRADIUS Project. Retrieved from http://freeradius.org/ on April 30, 2009.
[4] BSD License Definition. Retrieved from http://www.linfo.org/bsdlicense.html on April 30, 2009.
[5] RADIUS Protocol and Implementation and Weakness. Retrieved from http://www.security.nnov.ru/news1563.html on April 30, 2009.
[6] Cisco Secure Access Control Server for Windows. Retrieved from http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html on May 1, 2009.
[7] BSDRadius. Retrieved from http://en.wikipedia.org/wiki/BSDRadius on May 1, 2009.
[8] Powerful RADIUS Server Performance. Retrieved from http://www.interlinknetworks.com/performance.htm on May 2, 2009.
[9] Internet Authentication Service. Retrieved from http://technet.microsoft.com/enus/network/bb643123.aspx on May 2, 2009.
[10] Internet Authentication Service. Retrieved from http://en.wikipedia.org/wiki/Internet_Authentication_Service on May 2, 2009.
[11] OpenRADIUS. Retrieved from http://www.xs4all.nl/~evbergen/openradius/ on May 2, 2009.
[12] FreeRADIUS Active Directory Integration. Retrieved from http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration on May 3, 2009.
[13] Diameter. Retrieved from http://en.wikipedia.org/wiki/Diameter_(protocol) on May 5, 2009.
[14] Remote Authentication Dial-In User Service (RADIUS). Retrieved from http://tools.ietf.org/html/rfc2865 on May 3, 2009.
[15] PPP Authentication Protocols. Retrieved from http://www.networksorcery.com/enp/rfc/rfc1334.txt on May 3, 2009.
[16] Challenge Handshake Authentication Protocol (CHAP). Retrieved from http://technet.microsoft.com/en-us/library/cc775567.aspx on May 3, 2009.
[17] EAP Authentication Protocols for WLANs. Retrieved from http://www.ciscopress.com/articles/article.asp?p=369223&seqNum=5 on May 4, 2009.
[18] White Paper: 802.1X Authentication & Extensible Authentication Protocol (EAP). Retrieved from www.scribd.com/doc/7434181/8021X-AUTHENTICATIONEXTENSIBLE-AUTHENTICATION-PROTOCOL-EAP on May 5, 2009.
[19] How Does RADIUS Work? Retrieved from http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800945cc.shtml on May 5, 2009.
[20] Windows 2000 RADIUS Server Authentication Using VPN Client. Retrieved from http://supportwiki.cisco.com/ViewWiki/index.php/Using_RADIUS_Servers_with_VPN_3000_Products on May 5, 2009.
[21] Wireless Authentication Using RADIUS Server. Retrieved from http://en.wikipedia.org/wiki/802.1x on May 5, 2009.
Page 1 of 14
1. Executive Summary
Nowadays web application usage has become very popular, and software vulnerabilities affecting web applications are becoming more and more prevalent and devastating. The most common vulnerability for web applications is to accept a filesystem path as a request parameter and then perform some action on the specified path: for example, retrieving a file and returning it to the user, or perhaps even writing or deleting a file. This can allow attackers to access files that they should not be able to access, such as source code, configuration and critical system files. Between 2016 and 2017, the number of vulnerabilities published to the National Vulnerability Database (NVD) increased by 127 percent, with web application vulnerabilities making up 51 percent of all disclosed vulnerabilities for 2017.
This paper presents:
• An introduction to the basic concepts of a directory traversal or path traversal attack.
• What an attacker can do if your website is vulnerable.
• Understanding the directory traversal or path traversal attack with examples.
• How to identify if you are vulnerable.
• Preventing directory traversal attacks.
Keywords: vulnerability, security, web, application, directory, path, traversal
Table of Contents
1. Executive Summary (page 2)
2. Introduction (page 4)
3. Directory Traversal Attack (page 6)
4. How to identify if you are vulnerable (page 7)
5. How does a Directory Traversal work? (page 8)
6. Path Traversal Vulnerable Functionality and Example Source Code (page 10)
   6.1 Dynamic template inclusion (page 10)
   6.2 File Upload (page 11)
   6.3 Filesystem management (page 11)
   6.4 Serving files from the filesystem (page 12)
   6.5 Storing content on the filesystem (page 12)
7. Preventing Directory Traversal attacks (page 13)
8. Conclusion (page 14)
9. References (page 14)
2. Introduction
Directory traversal (also called path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application, and to reach other locations in the server's filesystem that should not be accessible to a regular user, even one who is logged in. Such files may include application source code, configuration files and critical system files. In some cases an attacker may also be able to write to arbitrary files on the server, allowing them to modify application data or behaviour and ultimately take full control of the server.
Figure: An example of path traversal attack.
According to the August 2019 AppSec Intelligence Report from Contrast Security [4], path traversal is one of the most common attacks on web applications today, alongside SQL injection and cross-site scripting. Path traversal accounted for 17 percent of all attacks observed and targeted 69 percent of the monitored web applications. Path traversal also appears in the 2019 CWE Top 25 Most Dangerous Software Errors published by MITRE [5], a ranking derived from about 25,000 CVEs from the preceding two years.
Figure: Likelihood of Custom Code Attacks by Vector
Figure: Change in Percent of Applications Targeted July to August
Figure: Attacks Per Application
3. Directory traversal attack
Using a directory traversal attack, an attacker exploits this vulnerability to access files and directories stored outside the web root folder by manipulating variables that reference files with "dot-dot-slash" (../) sequences and their variations, or by supplying absolute file paths.
Assume the web directory structure shown below. A relative link can be used from index.html to any folder under the root directory. To link from hobbies.html back to index.html, the link must tell the browser to move up one level, from documents to home_html, to find the file. The relative link is written as: <a href="../index.html">. The same ../ notation, applied to a filesystem path instead of a URL, is exactly what a traversal attack abuses.
Figure: Simplified example of a web directory structure.
4. How to identify if you are vulnerable?
Directory traversal vulnerabilities can be identified during development when security is a deliberate part of design and code review. Path traversal risk arises wherever an application uses user-controlled data to access files or directories on the application server or on another backend filesystem. A quick way to check whether a website or web application is exposed is to run a web vulnerability scanner: it crawls the pages, tries traversal payloads against the parameters it finds, and reports each finding together with remediation advice. A scanner only exercises the parameters it can reach, however, so it should be complemented by a review of every place in the code where user input flows into a filesystem API.
The following steps are also important for identifying whether your websites are vulnerable:
➢ Be fully aware of the operating system of your server and of how the underlying operating system will process the filenames handed to it (for example, whether backslashes are treated as separators and how symbolic links are resolved).
➢ Avoid storing sensitive configuration files inside the web root.
➢ If you are working on IIS servers, the web root should not be on the system disk, to prevent traversal back into system directories.
5. How does a Directory Traversal work?
Directory traversal attacks are easy to execute when there are vulnerabilities in the web application code or in the web server configuration.
The following is an example of a directory traversal attack that targets a vulnerability in application code. Applications often read data from the filesystem, and the paths to those files or directories are taken from the user. If the user's input is not handled carefully, a user can read files anywhere in the server's filesystem. Consider the following examples.
Example 1 of vulnerable code:
The source code in this example is susceptible to directory traversal. If the user supplies a filename such as ../../../../etc/passwd, the application resolves it relative to its own base directory, and the user may be able to read the /etc/passwd file, depending on how deep the application's base directory sits in the filesystem.
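As an added illustration (this is not the paper's own listing, which was an image, but example code written for this edition), the following Python program reproduces Example 1 inside a temporary directory. The sandbox layout, the file contents and the function name read_file_vulnerable are all constructed for the example: the web root is <root>/var/www/files and <root>/etc/passwd stands in for the real /etc/passwd, so nothing on the real system is touched.

```python
import os
import tempfile


def build_sandbox():
    """Constructed sandbox standing in for a server. The application serves
    files from <root>/var/www/files; <root>/etc/passwd plays the role of the
    real /etc/passwd, three directory levels above the web root."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "var", "www", "files")
    os.makedirs(base)
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(base, "report.txt"), "w") as f:
        f.write("quarterly report (public)")
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash")  # constructed sample line
    return root, base


def read_file_vulnerable(base_dir, filename):
    """The pattern the paper describes: base directory + user-supplied name,
    no validation. os.path.join() keeps the ".." segments, and if filename
    is absolute it discards base_dir entirely."""
    path = os.path.join(base_dir, filename)
    with open(path) as f:
        return f.read()


def demo():
    """Return what the vulnerable function hands back for three requests."""
    root, base = build_sandbox()
    results = {}
    # Intended use: a file inside the web root.
    results["legit"] = read_file_vulnerable(base, "report.txt")
    # Dot-dot-slash traversal: three "../" climb from files to <root>,
    # then etc/passwd is read. On a real server the count only has to be
    # at least the depth of the web root; extra "../" at "/" are ignored.
    results["dotdot"] = read_file_vulnerable(base, "../../../etc/passwd")
    # Absolute path: os.path.join(base, "/x") returns "/x", so base is ignored.
    results["absolute"] = read_file_vulnerable(
        base, os.path.join(root, "etc", "passwd"))
    return results


if __name__ == "__main__":
    for request, content in demo().items():
        print(request, "->", content)
```

Both the ../ sequence and the absolute path escape the web root; the second case is easy to overlook, because os.path.join silently drops every component before an absolute argument.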
Example 2 of vulnerable code:
Figure: Simplified example of a Directory Traversal attack.
6. Path Traversal Vulnerable Functionality and Example Source Code
The following kinds of functionality are the most dangerous places for a path traversal to appear, because the results are so damaging:
➢ Dynamic template inclusion
➢ File upload
➢ Filesystem management
➢ Serving files from the filesystem
➢ Storing content on the filesystem
6.1. Dynamic Template Inclusion
Here the attacker has control of the full path through a request parameter (display). The code reads the request, takes the value of that parameter and includes a template file with that name; the attack string shows the kind of value an attacker could supply to include an arbitrary file instead of the intended template.
6.2. File Upload
In line 18 the input is concatenated with fixed strings to form the destination path, so the attacker can write to the filesystem in a dangerous way: the uploaded file lands wherever the supplied name points.
6.3. File management
Many web applications use and manage files as part of their normal operation. Generic functions that copy or delete resources without any validation are very dangerous: developers who never wrote the underlying functionality end up building features on top of it that are vulnerable.
6.4. Serving files
Web servers are designed to serve files from disk, and they do so with careful path handling. Writing your own functionality to do the same thing can be dangerous. In both examples the input is concatenated with a string before being used to read from the filesystem.
6.5. Storing files on disk
Storing user content on the filesystem may not lead to disclosure of filesystem contents, but it can allow an attacker to create or overwrite files on disk, including application code and configuration.
7. Preventing Directory Traversal attacks
There are many ways to prevent directory traversal attacks and the vulnerabilities behind them.
➢ To prevent directory traversal through user input, web applications should filter and validate all inputs.
➢ Escape sequences and directory path characters should be filtered out so that only safe inputs are passed to the web server.
➢ To mitigate the vulnerability on the web server side, use the latest web server software, keep the server well maintained and apply patches promptly.
➢ Give directories and files appropriate (minimal) permissions, so that a traversal that does get through can read or write as little as possible.
➢ Avoid composing file paths by concatenating untrusted data. Be very careful whenever you see string + variable + string + variable in application code.
➢ Avoid passing user-supplied input to filesystem APIs altogether.
➢ Use indexes rather than actual portions of file names when selecting templates or language files.
➢ Ensure the user cannot control every part of the path; surround the user-supplied part with your own path code.
➢ If user-supplied input must be passed to filesystem APIs, use two layers of defence together:
o Validate the user input received from the browser. Ideally the validation compares against a whitelist of permitted values. If that is not possible for the required functionality, the validation should verify that the input contains only permitted content, such as purely alphanumeric characters.
o After validating the supplied input, append it to the base directory and use a platform filesystem API to canonicalize the resulting path. Then verify that the canonicalized path starts with the expected base directory. Below is an example of Java code that validates the canonical path of a file derived from user input. The base directory is canonicalized as well, and the comparison includes the trailing separator so that a sibling directory sharing the same prefix (for example /var/www/files_private next to /var/www/files) is not accepted:
File base = new File(BASE_DIRECTORY).getCanonicalFile();
File file = new File(base, userInput).getCanonicalFile();
// getCanonicalFile() resolves "..", "." and symbolic links, so the check
// below sees the real target of the path rather than its textual form
if (file.getPath().startsWith(base.getPath() + File.separator)) {
// process file
}
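As an added example of the two-layer defence just described (example code written for this edition, not the paper's), the following Python resolver applies an allowlist to the decoded parameter and then canonicalises the joined path and checks it against the canonical base. It goes slightly beyond the paper's Java snippet: it also handles URL-encoded and double-encoded input, backslashes, NUL bytes and a symbolic link inside the base directory that points outside it. The attack inputs, the sandbox layout and the names resolve_under, decode_param and classify_all are all constructed for the example.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Layer 1 allowlist: a leading letter or digit, then letters, digits, dot,
# underscore or hyphen. No separators, and nothing starting with "." (which
# rules out "." and ".." as well as dotfiles).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


class TraversalAttempt(ValueError):
    pass


def decode_param(raw):
    """Percent-decode twice (a proxy or the server may already have decoded
    once) and reject NUL bytes, which truncate paths in C-level APIs."""
    value = unquote(unquote(raw))
    if "\0" in value:
        raise TraversalAttempt("NUL byte in parameter")
    return value


def resolve_under(base_dir, raw_param):
    """Layer 1: allowlist validation of the decoded name. Layer 2: join it to
    the base, canonicalise with realpath() (resolves ".." and symlinks) and
    require the result to lie inside the canonical base. Backslashes are
    normalised to "/" first because Windows treats them as separators."""
    name = decode_param(raw_param).replace("\\", "/")
    if not SAFE_NAME.fullmatch(name):
        raise TraversalAttempt("rejected by allowlist: %r" % name)
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, path]) != base:
        raise TraversalAttempt("resolves outside base: %r" % path)
    return path


# Constructed attack inputs covering the variations mentioned in the paper.
ATTACK_INPUTS = [
    "report.txt",                     # legitimate
    "../../../etc/passwd",            # plain dot-dot-slash
    "..%2F..%2Fetc%2Fpasswd",         # URL-encoded slashes
    "%252e%252e%252fetc%252fpasswd",  # double-encoded
    "..\\..\\windows\\win.ini",       # backslash separators
    "/etc/passwd",                    # absolute path
    "report.txt%00.png",              # NUL byte truncation
    "....//....//etc/passwd",         # survives a naive removal of "../"
    "leak",                           # symlink inside base pointing outside
]


def classify_all():
    """Build a sandbox (base dir with one real file and one symlink that
    points outside it) and report which inputs the resolver accepts."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "files")
    os.mkdir(base)
    open(os.path.join(base, "report.txt"), "w").close()
    open(os.path.join(root, "secret.txt"), "w").close()
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "leak"))
    verdicts = {}
    for raw in ATTACK_INPUTS:
        try:
            resolve_under(base, raw)
            verdicts[raw] = "ok"
        except TraversalAttempt:
            verdicts[raw] = "rejected"
    return verdicts


if __name__ == "__main__":
    for raw, verdict in classify_all().items():
        print("%-34r %s" % (raw, verdict))
```

The "leak" case is the reason the second layer exists: the name passes the allowlist, and only canonicalisation reveals that it points at a file outside the base. The check uses os.path.commonpath rather than a plain string prefix for the same reason the Java example above appends File.separator.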
8. Conclusion
In this article we have looked at how to prevent path traversal vulnerabilities. Directory traversal attacks occur when user-controlled input reaches the construction of a path name and tricks the code into accessing a file it was never meant to touch. Although path traversal is among the simpler attacks in a skilled attacker's toolkit, it can have a disastrous impact on a business, especially if personal or financial records are disclosed. It is important to check for vulnerabilities regularly: every system needs to be patched from time to time to stay ahead of even basic attacks, and before an application goes public its security should be checked both with the tools available in the market and with a review of the code paths that touch the filesystem.
9. References
[1] Micro Focus Fortify Software Security Research Team, "2018 Application Security Research Update," 2019. [Online]. Available: https://www.microfocus.com/media/report/application security research update report.pdf
[2] N. Jovanovic, C. Kruegel, and E. Kirda, "Pixy: A static analysis tool for detecting web application vulnerabilities," in 2006 IEEE Symposium on Security and Privacy (S&P'06), May 2006, pp. 258–263.
[3] X. Fu, X. Lu, B. Peltsverger, S. Chen, K. Qian, and L. Tao, "A static analysis framework for detecting SQL injection vulnerabilities," in 31st Annual International Computer Software and Applications Conference (COMPSAC 2007), vol. 1, July 2007, pp. 87–96.
[4] Contrast Security, "August 2019 AppSec Intelligence Report." [Online]. Available: https://www.contrastsecurity.com/security-influencers/august-2019-appsec-intelligence-report
[5] MITRE, "2019 CWE Top 25 Most Dangerous Software Errors." [Online]. Available: https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html
[6] CSO Online, "Directory traversal explained: Definition, examples and prevention." [Online]. Available: https://www.csoonline.com/article/3442942/directory-traversal-explained-definition-examples-and-prevention.html
[7] Wikipedia, "Directory traversal attack." [Online]. Available: https://en.wikipedia.org/wiki/Directory_traversal_attack
[8] Web Application Security Consortium, "Path Traversal." [Online]. Available: http://projects.webappsec.org/w/page/13246952/Path%20Traversal
[9] OWASP, "Path Traversal." [Online]. Available: https://www.owasp.org/index.php/Path_Traversal
1
Different Computer security attacks and prevention methods
Table of Contents
Abstract ..... 3
Introduction about security attacks ..... 4
Project scope ..... 4
Security attack targets ..... 4
Research about security attacks ..... 5
Types of passive security attacks ..... 5
Types of active security attacks ..... 6
Different computer security attacks ..... 7
Prevention methods ..... 11
Development ..... 13
Results ..... 14
Conclusion ..... 16
References ..... 17
Abstract
Almost every application handles sensitive or confidential data, and many web users and organizational customers have lost personal information because of security problems. Hacking is the main threat to computer applications. An attacker first selects a target system or target user and then applies one or more security attacks. In a typical attack the attacker's program runs against the target, the target account is taken over or the target system loses control, the attacker gains access, and the damage is that the user or system loses confidential information. The most common cyber security attacks are malware attacks, distributed denial-of-service attacks, phishing attacks, SQL injection attacks, cross-site scripting attacks and botnet-related attacks. Attackers have devised many more, and use them to steal and misuse data. For each of these attacks, researchers and security regulations have identified mitigation methods. This project explains the security attacks and their mitigation techniques in detail. Finally, a web application was built that presents the recommended mitigation techniques for a selected attack, to improve users' knowledge.
Introduction about security attacks
A cyber attack is created and launched by cyber criminals, using a computer system, against one or many other computer systems. The damage caused by a cyber attack can include disabling the functionality of the target computer. Cyber criminals launch attacks through several methods, such as malware or phishing, to exploit the target system. Cyber attacks fall into two categories: active and passive. A passive attack does not affect the target system's resources and does not disturb its functionality; it only observes. An active attack alters the system's operations. Cyber attacks can originate inside the organization's network or outside it. An insider with access inside the security perimeter who illegally reads the network server's data and misuses it is an example of an inside attack; a denial-of-service attack is an example of an outside attack (Will Morris, 2019).
Project scope
This project is useful for all categories of users: people who use web applications, network systems, any internet application, or a computer in general. It aims to improve their technical knowledge and awareness of information security, computer security attacks and prevention methods.
Security attack targets
The most common infrastructure targets of cyber attacks are control systems. Physical infrastructure relies on control devices to manage the functionality of a system or a device; when attackers apply a security attack to a control system, the device loses control and sometimes the physical equipment is damaged. Another target is energy: power plants, electrical grids, households and natural gas lines are examples. Other major targets are financial systems and telecommunication systems. Through computer security attacks, financial institutions and banks have lost customers' account information and financial data, and attacks on telecommunication systems reduce the capacity of communication channels. Water infrastructure and transportation are further targets: attacks can disrupt accessibility and transport scheduling, and an attacker who controls the right computer can manipulate the functionality of water infrastructure equipment.
Research about security attacks
This section surveys the many types of computer security attacks in the two categories introduced above: passive security attacks and active security attacks.
Types of passive security attacks
In a computer surveillance attack, the attacker targets a surveillance system, illegally reads the information on the surveillance devices and stores it on a device of their own. In network surveillance, the attacker continuously monitors network traffic and tries to read the information shared between the server and client systems on the network. Wiretapping is the interception of particular people's telephone conversations; the wired-network equivalent captures data from the network without disturbing the connection. Port scanning uses automated probes to discover which ports are open and which services the network exposes (Will Morris, 2019). In keylogging, the attacker records everything the user types on the keyboard into a hidden file, so every keystroke the user enters, including passwords, is captured and collected by the attacker. Data scraping uses a malicious program to extract sensitive information from human-readable data files. In what this paper calls a vulnerability attack, the attacker exploits a weakness in the target system to gain unauthorized access and read sensitive data. Eavesdropping is the interception of a conversation between a sender and a receiver on a communication system. Finally, an authentication system is common in any web application to check users' login details; a backdoor allows the attacker to bypass that authentication. Strictly speaking, keylogging and backdoors require the attacker's code to run on the victim's system and are often classed as active rather than passive attacks; they are listed here because their goal is silent observation.
Types of active security attacks
Exploiting unpatched software is one active attack: the attacker uses a known but unpatched vulnerability in a software system to compromise it and read its information. Another is the SQL injection attack. SQL is the structured query language; in this attack the attacker sends crafted input parameters so that malicious SQL is embedded in the query the application executes, giving unauthorized access to the data or deleting data from the database. Computer viruses and worms are examples of malicious code, which is used to harm the target computer system; this is the malicious code attack. Tampering attacks, unauthorized privilege escalation attacks and computer virus attacks are further examples of active security attacks. Ransomware attacks are also active: the attacker encrypts or withholds the data until a ransom is paid, and ransomware is most often delivered through phishing emails. Overflow attacks such as buffer overflows, stack overflows and heap overflows are active attacks as well. In a brute force attack the attacker guesses a particular user's password by trying many candidates, then misuses the password to log into the system illegally.
In a cross-site scripting attack, malicious script is included in a web page, bypassing the web user's access controls, and the data the user enters on that page is stolen. The denial-of-service attack is another active attack: a flood of requests is sent to the web server, the server cannot process the huge number of requests, and its functions shut down or its data is damaged.
Different computer security attacks
Among the many computer security attacks, the most famous is the malware attack. Exploits of vulnerabilities and computer virus infections are examples. Malware is injected into a system in many ways, and once it is in place the attacker can stop critical components of the network from working, so that requests to components such as network servers are denied. The attacker can illegally read critical or sensitive network information from the network hardware, which amounts to stealing network data. The network is disturbed or hangs under the malware, and the servers stop providing services to customers. Government websites hanging under a large number of requests, data breaches and data theft are all examples of the effects of malware security attacks (Will Morris, 2019).
Malware attacks come in several types. A computer virus replicates itself and damages the system. The main ways a virus spreads from one machine to another are the execution of infected executable files and the copying of data through USB devices; when an infected executable runs, the virus is activated and affects the system's components and files. Backdoor attacks typically arrive as trojan horse malware, which hides inside apparently legitimate content and is not always identified by general anti-virus tools. Spyware is another example of malware: once installed on the target system, it runs as a background process, collects the system's information and forwards it to the attacker over a remote connection.
Nowadays the most common and popular security attack is phishing. Email is used in every organization, educational system, health-care system and other field, and phishing attacks target users' email in order to steal the users' or the organization's sensitive information. Web and email users receive many messages from unknown senders, such as lucky-draw or special-offer emails. Not all of these emails are reliable: attackers send fake emails to users to steal their personal information.
To extract people's personal or financial data, attackers send phishing emails that carry malware in the message body or in an attachment. Once the user responds to the email, or opens or downloads the attachment the attacker sent, the malware in the attachment is installed on the user's system and the attacker gains access to the user's personal data. Phishing emails lead to fraudulent transactions; many people have lost personal financial information, and organizations have lost their customers' critical information. The types of phishing attack are spear phishing, whaling and pharming. Spear phishing targets a specific company or individual in order to steal their personal data. Whaling targets a company's top-level management, such as the CEO or other senior managers, and its stakeholders, in order to obtain those users' personal data or the organization's sensitive information. Pharming creates a fake login web page and captures the login data entered into it.
In network systems and network communication, a common attack is the man-in-the-middle attack. The attacker inserts themselves between two communicating parties and impersonates a legitimate participant, interrupting the network traffic, stealing data from the sender or receiver and also making unauthorized modifications to it. This attack causes serious data integrity problems in network systems.
A common attack on web applications and network systems is the denial-of-service attack. A continuous flood of requests overloads the server and exhausts its bandwidth; the web server can no longer render and send responses to the customer's browser, and it hangs or loses data. In an SQL injection attack the main target is the database system. Applications commonly build SQL queries from parameters rather than from fixed data when inserting or updating records in the database. When a parameter carries attacker-controlled SQL, executing the query is dangerous for the stored data: the database suffers unwanted changes to its storage, and sometimes it crashes, is damaged or loses all of its data. In any web application, a weak authentication system leads to password attacks. In password hacking, the attacker uses tools that guess the password algorithmically, cracks it and misuses the user's accounts; the brute force attack is one example of a password attack (Will Morris, 2019).
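As an added example of the SQL injection described above (example code written for this edition, not part of the project), the following Python program uses an in-memory SQLite database to show how a query built by string concatenation lets a parameter change the statement, both to bypass a login and to delete every row, and how the same query with bound parameters treats the payload as plain data. The table, the user rows, the payload and the function names are all constructed for the illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse battery", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """Query assembled by string concatenation, the pattern the paper warns
    about: the parameter's content becomes part of the SQL itself."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the driver passes the values
    separately from the statement, so quotes inside them are just data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def delete_user_vulnerable(conn, username):
    """Concatenated DELETE; returns how many rows survive."""
    conn.execute("DELETE FROM users WHERE username = '" + username + "'")
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def delete_user_parameterized(conn, username):
    """Parameterized DELETE; returns how many rows survive."""
    conn.execute("DELETE FROM users WHERE username = ?", (username,))
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def demo():
    """Run the same constructed payload through both versions of each query."""
    # Closes the quoted string and appends a condition that is always true:
    #   ... AND password = '' OR '1'='1'
    payload = "' OR '1'='1"
    conn = make_db()
    results = {
        "vulnerable_normal": login_vulnerable(conn, "bob", "hunter2"),
        "vulnerable_injected": sorted(login_vulnerable(conn, "anyone", payload)),
        "parameterized_injected": login_parameterized(conn, "anyone", payload),
    }
    # Fresh tables for the destructive case, so each DELETE starts with 2 rows.
    results["rows_after_injected_delete"] = delete_user_vulnerable(make_db(), "x" + payload)
    results["rows_after_parameterized_delete"] = delete_user_parameterized(make_db(), "x" + payload)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With the concatenated query the injected login returns every user, including the admin row, without a valid password, and the injected DELETE empties the table; the parameterized versions return nothing and delete nothing, because the payload is compared literally against the username column.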
In a cross-site scripting attack, a trusted website is made to send malicious script content that is embedded in the page delivered to the browser. If the user enters personal information on a page carrying the cross-site scripting payload, the attacker can easily obtain it. Payment pages and social network login pages, for example, have faced this cross-site scripting problem.
In some cases attackers inject malicious code into a software tool, and installing the tool installs a rootkit on the system. After the rootkit is installed on the victim's system, the victim loses control of it: the attacker gains control and acts as administrator in place of the victim, and the victim's data is lost in the rootkit attack.
Internet of Things (IoT) devices are now widely used. The main benefit of IoT is automated alerts and functions, and many automated home appliances are IoT devices: CCTV camera systems, automated sensor systems, automated alarm systems and automated fire alarm systems are examples. These devices interact with other sources and devices and share information over internet communication channels, and sharing data over the internet automatically increases the security issues that come with IoT devices.
Access control attacks are unauthorized access attacks. Some systems require minimum privileges before use: for database server operations, for example, the database user must hold the appropriate minimum privileges. Where access control is lacking, attackers gain control of important systems and steal their confidential data. In account hijacking, the attacker spoofs the identity details of the target user, applies identity theft and takes over the target user's account. In the cloud computing domain, many cloud users have lost their account information and the data stored on the cloud server in this way.
Prevention methods
The available methods for preventing computer security attacks start with training: training employees in an organization, and web users in general, in the secure use of internet and online applications. Organizations need to run more security training programs for their employees. Training sessions should give recommendations for secure use of websites and improve awareness of spam and phishing emails, and should give employees and users detailed information about malware and about recognizing untrusted sites. A lack of awareness is the main reason computer security attacks keep growing, so users and employees must double-check the links they click and verify whether a link is legitimate or a fake created by an attacker. Before sending sensitive information to a recipient, a company should confirm the request with the recipient, for example by phone, asking whether that person really needs the sensitive information and confirming the details of the request; only once the request has been verified as reliable and valid should the sensitive or critical information be sent (Alex Tyler, 2018).
Computer users must always keep their systems up to date with the latest software patches and avoid legacy applications and outdated software. Updated software improves the security of the system, up-to-date anti-virus tools can detect malware that has got onto the system, and many common security problems are resolved by software updates.
Endpoint protection is essential in business operations, because the safety of end users' personal data matters to the organization. For endpoint protection, organizations deploy and maintain endpoint security techniques and tools across the organizational network and its communications.
Another mitigation method is installing firewalls on computer systems and network systems. A firewall is a set of rules according to which network traffic is filtered automatically; malicious packets or requests in the traffic are detected by the firewall, and intruder actions on the network are blocked. Both hardware and software firewalls are available on the market. Organizations select a suitable firewall for their requirements, install it on the computer or network, and keep it maintained to keep the system's data safe from computer security attacks (Alex Tyler, 2018).
Data backup is also very important. Organizations use backup tools to back up their data automatically on a fixed schedule; the schedule should match how much data the organization can afford to lose, which for most systems means daily or more often rather than only every three or six months. Backups reduce the impact of data loss or data theft, and if data is lost it can be recovered from the backup site using data recovery tools and techniques. Restores should be tested regularly so that the backup is known to work when it is needed.
Efficient access control is essential for any computer or network system. Organizations implement authentication measures such as multi-factor authentication, verify the user's identity through multiple levels of verification, check the user's authority through a privileged access system, and allow only the right users into the computer or network. This prevents illegal access to resources, data and systems. In cloud computing, an access control system makes it possible to manage access to resources and cloud users' data and so prevents illegal data access on cloud platforms and applications.
Before using any Wi-Fi or wireless network, public or private, users must think before they connect. Many public Wi-Fi networks have no protection, so attackers can easily capture the information of users connected to them, and those users lose personal data. Password security is important for every user. If a password is weak, a stranger can guess it with password-guessing tools and misuse the account's data. To prevent password attacks, users should create a strong password of at least 12 characters that mixes letters, numbers and symbols with both upper- and lower-case letters. Changing the password regularly improves the security of the password and the account; note, however, that current guidance such as NIST SP 800-63B favours changing a password when there is evidence it has been compromised, together with screening new passwords against lists of known breached passwords, over forced monthly rotation, which tends to push users toward weaker, predictable passwords.
Development
This project researched the different computer security attacks and explained them in detail in the sections above. To raise awareness, a website was implemented that provides the gathered information about computer security attacks and prevention methods. A computer user who wants to learn about security attacks and prevention techniques can search for the information on Google, but no single website provides full and clear information about computer security attacks. This project therefore gathers the collected information on one website. Web users can access the page without registration or login: they simply go to the search page and search for a security attack, or select a particular attack from the drop-down box. When they click Search, they receive the full information about the selected attack together with its prevention methods. The tool is useful for raising computer and web users' awareness of security.
Figure 1: System Development
In the developed system shown in the diagram above, the web user opens the web page and enters a
query in the search box; after clicking the button, the user receives a detailed report about the
selected security attack and recommendations for preventing it.
Results
The user interface screens of the web pages are shown below.
The home page with the search button:
Figure 1: Search Page
After the user clicks the search button on the screen above, the user receives the response. For
example, a user searches for the denial-of-service attack. The results screen is:
Figure 2: Search Result Page
By clicking the Back button, the user returns to the home search page and can search for another
security attack. The numbers 1 and 2 are page numbers; by clicking them, the user can continue reading
the search result and learn about the particular security attack and its preventive methods.
Conclusion
This project provides clear information about different computer security attacks and gives an
overview of active and passive cyber security attacks. Each security attack is clearly explained, and
preventive solutions are provided for each attack. This project is very useful for any computer user
and for the safety of the user's sensitive data.
Path Traversal Attack and Prevention
Course: CS572AH2 Computer Security
Semester: Spring 2021
Instructor: Dr. Michael A. Filippov
Prepared by: Nang Bo Lar
Date: 05/02/2021
1. Executive summary
Web application usage has become very popular, and software vulnerabilities affecting web
applications are becoming more prevalent and more devastating. The most common vulnerability for web
applications is to accept a filesystem path as a request parameter and then perform some action on the
specified path, for example retrieving a file and returning it to the user, or even writing or deleting
a file. This can allow attackers to access files that they should not be able to access, such as source
code, configuration files and critical system files. Between 2016 and 2017, the number of vulnerabilities
published to the National Vulnerability Database (NVD) increased by 127 percent, with web application
vulnerabilities making up 51 percent of all disclosed vulnerabilities for 2017.
This paper presents:
➢ An introduction to the basic concepts of a directory traversal or path traversal attack.
➢ What an attacker can do if your website is vulnerable.
➢ An explanation of the directory traversal or path traversal attack with examples.
➢ How to identify whether you are vulnerable.
➢ Preventing directory traversal attacks.
Keywords: vulnerability, security, web, application, directory, path, traversal
Table of Contents
1. Executive Summary
2. Introduction
3. Directory Traversal Attack
4. How to identify if you are vulnerable
5. How does a Directory Traversal work?
6. Path Traversal Vulnerable Functionality and Example Source Code
6.1 Dynamic template inclusion
6.2 File Upload
6.3 Filesystem management
6.4 Serving files from the filesystem
6.5 Storing content on the filesystem
7. Preventing Directory Traversal attacks
8. Conclusion
9. References
2. Introduction
Directory traversal, or path traversal, is a web security vulnerability that allows an attacker to
read arbitrary files on the server that is running an application and to access other locations in the
server's file system that should not be accessible to a regular user, even one who is logged in. In
some cases, an attacker might be able to write to arbitrary files on the server, allowing them to
modify application data or behavior and ultimately take full control of the server. The exposed files
might include application source code, configuration files and critical system files.
Figure: An example of path traversal attack.
According to a study done by Contrast Security (August 2019), the directory traversal vulnerability
is one of the most common attacks today. The most common attacks are SQL injection, cross-site
scripting and path traversal. Path traversal accounted for 17 percent of all attacks, targeting 69
percent of web applications. Path traversal was also one of the top ten most dangerous software errors,
according to a report published by MITRE last month, based on about 25,000 CVEs from the past two
years.
Figure: Likelihood of Custom Code Attacks by Vector
Figure: Change in Percent of Applications Targeted July to August
Figure: Attacks Per Application
3. Directory traversal attack
Using the directory traversal attack method, an attacker can exploit this vulnerability to access
files and directories that are stored outside the web root folder, by manipulating variables that
reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file
paths.
Assume that the web directory structure is as shown below. A relative link can be used from
index.html to any folder in the root directory. To link from hobbies.html to index.html, you must send
a request that tells the browser to move up one level, from documents to home_html, to find the file.
The relative link is written as: a href = "../index.html".
Figure: Simplified example of a web directory structure.
4. How to identify if you are vulnerable?
Directory traversal vulnerabilities can be identified early in the software development process by
placing a strong emphasis on security. Path traversal risk arises when applications use
user-controlled data to access files and directories on an application server or on another secure
backup file system. The best way to check whether your website or web application is at risk of path
traversal attacks is to use a web vulnerability scanner. It scans your web pages to detect security
risks and logical flaws, and it reports the vulnerability and how to fix it.
The following steps are also important to identify whether your websites are vulnerable:
➢ Be fully aware of the operating system of your device and how the underlying operating system
processes filenames handed off to it.
➢ Avoid storing sensitive configuration files inside the web root.
➢ If you are working on IIS servers, the web root should not be on the system disk, to prevent
recursive traversal back to system directories.
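A scanner finds the flaw before attackers do; the access log tells you whether anyone is already probing for it, and the "variations" of dot-dot-slash mentioned in section 3 (URL encoding, double encoding, backslashes) are exactly what a naive grep misses. The following Python is an added example, not from the paper or any scanner product: it normalizes each request target and flags traversal sequences. The log lines are constructed for the example and the function names are assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format; the IP addresses are
# documentation ranges and nothing here comes from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:12:00:01 +0000] "GET /docs/index.html HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2021:12:00:02 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 4096
198.51.100.7 - - [10/Mar/2021:12:00:03 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 1024
198.51.100.7 - - [10/Mar/2021:12:00:04 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0
198.51.100.7 - - [10/Mar/2021:12:00:05 +0000] "GET /download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0
198.51.100.7 - - [10/Mar/2021:12:00:06 +0000] "GET /download?file=..\\..\\windows\\win.ini HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)$'
)
# A ".." segment bounded by a path or query delimiter, checked after normalisation.
DOTDOT_RE = re.compile(r'(?:^|[/=?&])\.\.(?:/|&|$)')


def normalize(target: str) -> str:
    """Undo the common evasions: repeated percent-decoding and backslash separators."""
    decoded = target
    for _ in range(3):                 # %252e -> %2e -> . (double encoding)
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded.replace("\\", "/")  # Windows-style ..\ becomes ../


def is_traversal(target: str) -> bool:
    return DOTDOT_RE.search(normalize(target)) is not None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per request whose target contains a traversal sequence."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        if is_traversal(m["target"]):
            hits.append({"ip": m["ip"], "status": m["status"],
                         "target": m["target"], "decoded": normalize(m["target"])})
    return hits


def successful_hits(text: str) -> List[Dict[str, str]]:
    """Traversal attempts answered with 200: the ones to triage first."""
    return [h for h in scan_log(text) if h["status"] == "200"]


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ip"], h["status"], h["decoded"])
```

The decode loop is bounded rather than open-ended so that a hostile request cannot make the detector spin, and the status code is kept on each hit because a 200 response to a traversal request is the case that needs an incident ticket, while 404s are reconnaissance worth blocking at the source.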
5. How does a Directory Traversal work?
Directory traversal attacks can be executed easily if there are vulnerabilities in the web
application code or in the web server configuration.
The following is an example of a directory traversal attack that targets vulnerabilities in
application code. Applications often read data from the file system, and the paths to these files or
directories are taken from the user. If the user's input is not handled carefully, users can read data
from the root directory of the server's file system. Let's look at the following examples:
Example 1 of vulnerable code:
The source code above is susceptible to directory traversal attacks. If the user provides a filename
such as ../../../../etc/passwd, the user may be able to access the /etc/passwd file, depending on the
application's root directory path.
Example 2 of vulnerable code:
Figure: Simplified example of a Directory Traversal attack.
6. Path Traversal Vulnerable Functionality and Example Source Code
The following kinds of functionality are the most dangerous when they are vulnerable to path
traversal, because the results can be damaging:
➢ Dynamic template inclusion
➢ File upload
➢ Filesystem management
➢ Serving files from the filesystem
➢ Storing content on the filesystem
6.1. Dynamic Template Inclusion
An attacker could gain control of the full path via a request parameter, display. In the following
code, the attack string shows what could be used to read the request, get the value from the
parameter, and embed a template file with that name.
6.2. File Upload
On line 18, the input is concatenated with strings, so an attacker can access the file system in a
dangerous way.
6.3. File management
Many web applications use and manage files as part of their daily operation. Generic functions that
copy or delete resources without any validating controls are very dangerous: they let developers who
did not even write the underlying functionality build features that are vulnerable.
6.4. Serving files
Web servers are designed to serve files from disk. Writing your own functionality to do the same
thing can be dangerous. In both examples the input is concatenated with a string before being used
to read from the filesystem.
6.5. Storing files on disk
Storing user content on the filesystem may not lead to the disclosure of filesystem contents, but it
could allow the attacker to edit files on disk.
7. Preventing Directory Traversal attacks
There are many different ways to prevent directory traversal attacks and vulnerabilities.
➢ To prevent directory traversal attacks through user input, web applications should filter and
validate all inputs.
➢ Escape codes and directory paths should be filtered out to ensure that only safe inputs are
passed to the web server.
➢ To mitigate the vulnerability on the web server side, use the latest web server software, keep
the server well maintained and apply patches.
➢ Give appropriate permissions to directories and files.
➢ Avoid composing file paths by concatenating untrusted data. Be very careful whenever you see
string + variable + string + variable in application code.
➢ Avoid passing user-supplied input to filesystem APIs altogether.
➢ Use indexes rather than actual portions of file names when templating or using language
files.
➢ Ensure the user cannot control all parts of the path: surround the user-supplied part with your
own path code.
➢ If user-supplied input must be passed to filesystem APIs, two layers of defense should be used
together to prevent attacks:
o Programmers should be trained to validate user input from browsers. Ideally, the
validation should compare against a whitelist of permitted values. If that isn't
possible for the required functionality, the validation should verify that the
input contains only permitted content, such as purely alphanumeric characters.
o After validating the supplied input, the application should append the input to the
base directory and use a platform filesystem API to canonicalize the path. It
should verify that the canonicalized path starts with the expected base directory.
Below is an example of Java code that validates the canonical path of a file based on
user input:
File file = new File(BASE_DIRECTORY, userInput);
// getCanonicalPath() resolves "..", symbolic links and mixed separators; BASE_DIRECTORY must itself be canonical
String canonical = file.getCanonicalPath();
// Compare against the base plus a separator, so that "/srv/app-private" is not accepted as inside "/srv/app"
if (canonical.startsWith(BASE_DIRECTORY + File.separator)) {
// process file
}
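To show the two layers working together, and why the canonical check needs the trailing separator, the following is an added example written in Python rather than the paper's Java; it is not code from the paper. It puts the vulnerable concatenation pattern from section 5 beside a hardened version of the file-serving routine. The directory layout, the file names, the ALLOWED_CHARS set and the function names are constructed for the demonstration.

```python
import os
import tempfile
from typing import Any, Dict

# Characters a file name may contain under the allow-list validation layer
# (assumption for this example: plain ASCII names, no separators, no '%').
ALLOWED_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")


def serve_file_vulnerable(base_dir: str, user_input: str) -> bytes:
    """The anti-pattern the paper warns about: string + variable, no validation at all."""
    path = base_dir + "/" + user_input
    with open(path, "rb") as fh:
        return fh.read()


def is_within(base_dir: str, path: str) -> bool:
    """Layer 2: canonicalize both sides (realpath resolves '..' and symlinks) and require
    the base *plus a separator*, so that /srv/app-private is not treated as inside /srv/app."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(path)
    return candidate.startswith(base + os.sep)


def serve_file_safe(base_dir: str, user_input: str) -> bytes:
    # Layer 1: allow-list validation. Rejects separators, '%' (so encoded sequences
    # never reach a decoder) and names starting with '.' (which covers '..').
    if not user_input or not set(user_input) <= ALLOWED_CHARS or user_input.startswith("."):
        raise PermissionError("rejected by input validation")
    candidate = os.path.join(base_dir, user_input)
    if not is_within(base_dir, candidate):
        raise PermissionError("outside base directory")
    with open(candidate, "rb") as fh:
        return fh.read()


def build_demo_tree() -> str:
    """Constructed layout: <root>/public is the web root, <root>/secret.txt sits outside
    it, and <root>/public-private shares the web root's name as a prefix."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "public"))
    os.makedirs(os.path.join(root, "public-private"))
    for rel, data in (("public/hello.txt", b"hello"),
                      ("secret.txt", b"top secret"),
                      ("public-private/key.txt", b"key")):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


def run_demo() -> Dict[str, Any]:
    root = build_demo_tree()
    public = os.path.join(root, "public")
    results: Dict[str, Any] = {}
    results["vuln_normal"] = serve_file_vulnerable(public, "hello.txt")
    results["vuln_traversal"] = serve_file_vulnerable(public, "../secret.txt")  # escapes the web root
    results["safe_normal"] = serve_file_safe(public, "hello.txt")
    for label, payload in (("traversal", "../secret.txt"),
                           ("encoded", "..%2Fsecret.txt"),
                           ("absolute", "/etc/passwd")):
        try:
            serve_file_safe(public, payload)
            results["safe_" + label] = "served"
        except PermissionError as exc:
            results["safe_" + label] = str(exc)
    # Why the separator matters: a bare prefix test accepts the sibling directory.
    sibling = os.path.realpath(os.path.join(root, "public-private", "key.txt"))
    results["naive_prefix_sibling"] = sibling.startswith(os.path.realpath(public))
    results["is_within_sibling"] = is_within(public, sibling)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:22} {value!r}")
```

The allow-list layer stops every payload in the demo on its own; the canonical check is still kept because validation rules drift over time, and it is the layer that catches what a relaxed rule lets through. Note that os.path.join discards the base when the second argument is absolute, which is one more reason the separator character must never pass layer 1.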
8. Conclusion
In this article, we learned how to prevent the path traversal vulnerability. Directory traversal
attacks occur when attacker-controlled input reaches the construction of a path name and tricks the
code into accessing an unexpected file. Although path traversal attacks are among the simpler attacks
carried out by skilled hackers, they can have a disastrous impact on your business, especially if
personal and financial data records are divulged. It is very important to check for vulnerabilities in
a timely manner; every system needs to be updated from time to time to prevent even a basic attack.
Before making a system public, we need to check its security using the tools available on the market.
9. References
[1] Micro Focus Fortify Software Security Research Team. (2019) 2018 application security
research update. [Online]. Available: https://www.microfocus.com/media/report/application security research update report.pdf
[2] N. Jovanovic, C. Kruegel, and E. Kirda, "Pixy: a static analysis tool for detecting web
application vulnerabilities," in 2006 IEEE Symposium on Security and Privacy (S&P'06), May
2006, pp. 6 pp.–263.
[3] X. Fu, X. Lu, B. Peltsverger, S. Chen, K. Qian, and L. Tao, "A static analysis framework for
detecting SQL injection vulnerabilities," in 31st Annual International Computer Software and
Applications Conference (COMPSAC 2007), vol. 1, July 2007, pp. 87–96.
[4] Contrast Security, August 2019 AppSec Intelligence Report. [Online]. Available: https://www.contrastsecurity.com/security-influencers/august-2019-appsec-intelligencereport
[5] MITRE, 2019 CWE Top 25 Most Dangerous Software Errors. [Online]. Available: https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html
[6] CSO Online, Directory traversal explained: definition, examples and prevention. [Online]. Available: https://www.csoonline.com/article/3442942/directory-traversal-explained-definitionexamples-and-prevention.html
[7] Wikipedia, Directory traversal attack. [Online]. Available: https://en.wikipedia.org/wiki/Directory_traversal_attack
[8] WASC Threat Classification, Path Traversal. [Online]. Available: http://projects.webappsec.org/w/page/13246952/Path%20Traversal
[9] OWASP, Path Traversal. [Online]. Available: https://www.owasp.org/index.php/Path_Traversal
COURSE RESEARCH PROJECT
Students are required to produce a term project, building upon and complementing the material covered in
class. Projects must culminate with the submission of a final report.
A set of sample projects from previous years is included on Canvas. You should devise your own
comparable project. All projects must be approved by the instructor. Students must submit a proposal of one
to three pages in length. The proposal should clearly describe the project to be undertaken, including the
topic to be covered, any investigation, development, or experimentation to be conducted, and the expected
results. Proposals will be reviewed and must be approved by the instructor.
REPORT GUIDELINES
Each project will result in a detailed 10-15-page written report. The project report should be neat, readable,
and self-contained. Also, it should be written with the readers in mind. Any class member should be able to
understand your report, and benefit from the results you obtain. Therefore, you should include adequate
references and/or background materials and you should use tables, diagrams, graphs, figures, and portions
of printouts to enhance readers’ comprehension of your project.
The following format is suggested. You don’t have to follow it exactly. Some sections may not be
needed, or additional sections may be necessary. In all cases, please type and paginate your report!
1. Abstract. It comes first in your report, but you write it last.
2. Summary. Gives succinct information on the purpose, methods, results and conclusions reported.
3. Introduction. Include background material and discuss the scope and limitations of your project.
4. Discussion. The body of your report. This includes the methodology used. Be sure to fully describe
any figures, tables or diagrams you include.
5. Results.
6. Conclusions.
7. Recommendations, especially for future work and unsolved problems.
8. References must always be included, annotated if possible.
9. Appendices, including supporting material as needed.
Do not submit complete computer outputs. Relevant excerpts from program listings or output should be
included, but reduced to the size of the rest of the report and contained either as figures or tables in
the text or as an appendix.
GENERAL GUIDELINES
The format for written reports and copies of presentation slides is 8.5 x 11″ white paper, stapled in the upper
left corner. Submit a copy of a report or set of presentation slides. In addition, attach an electronic copy of
your report to an e-mail sent to your instructor. The file will be uploaded to Canvas.
Grading of written reports and presentations will be based upon substantive content, appropriate
organization and use of allotted size, and effectiveness of the presentation or report. Multiple errors in
grammar and spelling are unprofessional and detract from the clarity of your report or presentation and will
be graded accordingly, so use a spell checker!
Plagiarism is stealing or passing off the ideas or words of another as one’s own — using material
without crediting the source. This is prohibited behavior and will not be tolerated. Take the time to properly
cite material written by someone else — include references, put verbatim quotes in quotation marks, and do
not paraphrase excessively. If you have questions about this, ask your instructor.
