A Prototype System to Scrutinize PHP Code Injection Attacks

INTRODUCTION The web environment is growing rapidly, and the number of crimes committed on the web is growing with it. Web applications are spreading day by day into banking, business, healthcare, education and other critical infrastructure, but because of the ad hoc nature of web application development and the design complexity of web applications, foolproof web security is difficult to attain. The Open Web Application Security Project (OWASP) [1] was formed in 2001 to provide an authoritative awareness document for web application security. OWASP is an open community and non-profit organization dedicated to finding and fighting the causes of insecure software. Its mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. The OWASP Top 10 list of the most common web application security vulnerabilities is revised every three years. Code injection is a common class of web application vulnerability that arises from improper handling of user input; its common forms are SQL injection, cross-site scripting and PHP injection. In previous years well-known sites such as Twitter, Facebook, MySpace and Orkut have been affected by code injection attacks [1]. These attacks are currently among the most commonly reported security vulnerabilities, with some researchers claiming that as many as 68% of websites are likely to be prone to them. To conduct an SQL injection attack [2], the attacker injects a malicious text string, most often a fragment of a database query, into an available web form; the string is eventually executed by the database. The injected query may impair the database by retrieving unauthorized data, altering sensitive data or erasing data. Injection (with SQL injection as its leading example) was rated first in the OWASP Top 10 web application vulnerabilities in 2010.
To conduct a cross-site scripting (XSS) attack, an attacker inserts script code into an available web form; when the stored page is rendered for another user, the script may read and display (or send to the attacker) the current cookie values, or redirect the user to another web page. XSS was ranked first in the OWASP Top 10 web application vulnerabilities in 2007. PHP code injection refers to the class of code injection attacks in which the attacker supplies code that the server-side scripting engine executes. When the injected input reaches the operating system shell through functions such as system(), the attack is also referred to as shell (command) injection.

PHP CODE INJECTION ATTACK ON VULNERABLE WEB APPLICATION A. Overview A PHP code injection attack exploits an application that uses user input to build commands which are then executed by the operating system. Through this attack an attacker may be able to execute system commands if the PHP interpreter allows system() or similar functions (exec(), shell_exec(), passthru(), popen() and the backtick operator). The severity of the attack depends on the privileges of the account under which the process executing the command runs: a command run by the web server account reaches everything that account can read, write or execute. Modern web applications commonly use operating system features and external programs, for example to create folders dynamically for storing multimedia data such as the photograph and signature of an end user. PHP injection attacks occur when input is incorporated into a string that is then interpreted by the shell. A common example is online registration, in which the web application creates a folder named after the candidate's login name to store the scanned photograph and signature; if the login name is spliced into the command line unchecked, shell metacharacters in it (such as ;, |, && or backticks) terminate the intended mkdir command and start the attacker's own.
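The registration scenario above, written out in PHP as a vulnerable handler beside a hardened one. This is an added example and not code from the paper's prototype; the login-name payloads, the upload base path and the function names are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not the paper's code. The login names, the base path
// and all function names are constructed for this example.

const UPLOAD_BASE = '/var/www/uploads';   // assumed location of the per-user folders

// VULNERABLE: the login name is spliced into a shell command line and, in the
// real handler, passed to system(). The shell parses the string, so a ';' in
// the name ends the mkdir command and whatever follows runs as the web server
// account.
function buildMkdirCommandVulnerable(string $login): string
{
    return 'mkdir -p ' . UPLOAD_BASE . '/' . $login;   // e.g. system(buildMkdirCommandVulnerable($_POST['login']))
}

// The same defect with the scripting engine itself as the interpreter (PHP
// code injection in the narrow sense): a handler that builds PHP source from
// the input and hands it to eval(). A login of  x"; system("id"); $z = "
// closes the string literal and inserts a statement of the attacker's choosing.
function buildEvalSourceVulnerable(string $login): string
{
    return '$folder = "' . $login . '";';
}

// HARDENED, step 1: allow-list the input before it reaches any command, path
// or code. An allow-list also stops path traversal ("../"), which quoting for
// the shell alone would not.
function isValidLogin(string $login): bool
{
    return preg_match('/^[a-z0-9_]{3,32}$/', $login) === 1;
}

// HARDENED, step 2: do not involve a shell (or eval) at all. PHP's own mkdir()
// creates the directory without interpreting metacharacters.
function createUserFolder(string $login, string $base = UPLOAD_BASE): string
{
    if (!isValidLogin($login)) {
        throw new InvalidArgumentException('invalid login name');
    }
    $path = $base . '/' . $login;
    if (!is_dir($path) && !mkdir($path, 0750, true)) {
        throw new RuntimeException('cannot create ' . $path);
    }
    return $path;
}

// If a shell really is unavoidable (an external program must be run), quote
// the argument with escapeshellarg() in addition to validating it; never rely
// on quoting alone.
function buildMkdirCommandEscaped(string $login): string
{
    if (!isValidLogin($login)) {
        throw new InvalidArgumentException('invalid login name');
    }
    return 'mkdir -p ' . escapeshellarg(UPLOAD_BASE . '/' . $login);
}

// Demo with a constructed attacker input. Only strings are built here; nothing
// is passed to system() or eval().
$attack = 'alice; id';
echo "vulnerable command : ", buildMkdirCommandVulnerable($attack), "\n";
echo "vulnerable source  : ", buildEvalSourceVulnerable('x"; system("id"); $z = "'), "\n";
echo "valid login?       : ", var_export(isValidLogin($attack), true), "\n";
echo "escaped command    : ", buildMkdirCommandEscaped('alice'), "\n";
echo "created folder     : ", createUserFolder('alice', sys_get_temp_dir() . '/demo_uploads'), "\n";
```

The vulnerable builder turns the login "alice; id" into two shell commands, the first creating the folder and the second running as the web server account. The hardened path rejects that input outright and, for valid names, never hands a string to a shell; escapeshellarg() is shown only for the case where an external program must be invoked.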

B. Attack Scenario An attack scenario is an effective means of specifying and describing the ways in which an attacker might exploit vulnerabilities. Matt Bishop [3] supplies the underlying definition: "an attack is an action that might cause a potential violation of security in the system". An attack can also be classified on the basis of its victim, i.e. the person or software attacked; the person who executes such an action is called an attacker. A scenario is a synthetic description of an event or series of actions and events: an outline of entrances, actions and exits. An attack scenario has been defined in [4] as an attack situation describing the actors of an information system and their secure capabilities, as well as possible attackers and their goals. A typical web attack scenario comprises the possible attacks on a web application, a possible attacker, the web resources that are attacked, and the actors of the system related to the attack together with their secure capabilities. The attacker is represented as an actor who aims to break the security of the system; the attacker's intentions are modeled as goals and tasks. For the registration scenario described above, the attacker's goal is command execution on the web server, the attacked resource is the handler that creates the candidate's folder, and the attacking action is the submission of a login name containing shell metacharacters.

WEB FORENSICS ANALYSIS OF PHP CODE INJECTION ATTACK Web forensics is the use of science and technology to investigate and establish facts that support decisive action in cyberspace. Its objective is to discover and analyze digital evidence that proves the occurrence of a criminal incident in cyberspace. In the web environment, system logs are an important resource for evidence gathering. However, logs were originally created for troubleshooting and are not purposely designed for digital forensics. A standard web server access log may not show whether an attack succeeded or failed, nor the extent of the damage done. Standard logs are also incapable of recording the code or data that a user injected into web forms: an access log records the request line (and therefore the query string), status and size, but never the body of a POST request. That submitted data is an important source of evidence in the investigation of a code injection attack. Therefore a tool was designed and developed to capture the code/data fired by the user/attacker. Web forensic analysis of a PHP code injection attack takes place in two principal phases: an evidence gathering phase, which collects evidence through the developed logging system, and an analysis phase, which tags the gathered evidence using a domain dictionary. A. Evidence Gathering for PHP Code Injection Attack Code can be injected into a web application through three entry points: a normal web form used for entering information, the query string passed in the URL, and a modified User-Agent HTTP header sent by the browser (any other request header the application reads or logs, such as Referer, is equally usable). The developed log captures evidence of code injection from all three modes.
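One way to capture all three entry points as a JSON-lines evidence log, one record per request. This is an added example rather than the paper's logging system; the log path, the record layout, the length caps and the hook through PHP's auto_prepend_file directive are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not the paper's logging system. The log path, the record
// layout and the sample request are constructed for this example.

const EVIDENCE_LOG = '/var/log/webforensics/http_evidence.log';   // assumed path

// Build one evidence record from the request superglobals. Values are kept raw
// (only length-capped), because the injected string itself is the evidence;
// JSON encoding keeps embedded newlines and quotes from breaking the
// one-line-per-request format that the analysis step parses.
function buildEvidenceRecord(array $server, array $get, array $post, array $cookie = []): array
{
    $cap = static function (array $pairs, int $limit = 4096): array {
        $out = [];
        foreach ($pairs as $name => $value) {
            $out[(string) $name] = is_string($value) ? substr($value, 0, $limit) : $value;
        }
        return $out;
    };
    return [
        'ts'         => gmdate('Y-m-d\TH:i:s\Z'),
        'client_ip'  => $server['REMOTE_ADDR']    ?? '',
        'method'     => $server['REQUEST_METHOD'] ?? '',
        'uri'        => substr($server['REQUEST_URI'] ?? '', 0, 4096),     // entry point 2: query string in the URL, still encoded
        'user_agent' => substr($server['HTTP_USER_AGENT'] ?? '', 0, 1024), // entry point 3: modified User-Agent header
        'referer'    => substr($server['HTTP_REFERER'] ?? '', 0, 1024),    // another header attackers poison
        'query'      => $cap($get),     // entry point 2, already URL-decoded by PHP
        'form'       => $cap($post),    // entry point 1: web form fields (absent from a normal access log)
        'cookie'     => $cap($cookie),
    ];
}

// Append the record as one JSON line. LOCK_EX stops concurrent requests from
// interleaving their lines; JSON_INVALID_UTF8_SUBSTITUTE keeps json_encode()
// from failing on binary payloads, which attackers do send.
function writeEvidenceRecord(array $record, string $logFile = EVIDENCE_LOG): bool
{
    $line = json_encode($record, JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE);
    if ($line === false) {
        return false;
    }
    return file_put_contents($logFile, $line . "\n", FILE_APPEND | LOCK_EX) !== false;
}

// Hooking it in: list this file in php.ini's auto_prepend_file so it runs
// before every script, and call
//     writeEvidenceRecord(buildEvidenceRecord($_SERVER, $_GET, $_POST, $_COOKIE));
// Demo with a constructed request instead of the real superglobals:
$demoServer = [
    'REMOTE_ADDR'     => '203.0.113.7',
    'REQUEST_METHOD'  => 'POST',
    'REQUEST_URI'     => '/register.php?ref=alice%3Bid',
    'HTTP_USER_AGENT' => 'Mozilla/5.0 `whoami`',
];
$record = buildEvidenceRecord(
    $demoServer,
    ['ref'   => 'alice;id'],
    ['login' => 'bob; cat /etc/passwd', 'city' => 'Pune'],
    ['PHPSESSID' => 'abc123']
);
$demoLog = sys_get_temp_dir() . '/http_evidence_demo.log';
writeEvidenceRecord($record, $demoLog);
echo file_get_contents($demoLog);
```

The log file must be writable only by the web server account and readable only by the investigator, since it now holds every form field users submit (the privacy concern raised in the conclusion); the length caps keep a single oversized request from filling the disk.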

B. Evidence Analysis for PHP Code Injection Attack The end user activity captured in the developed HTTP log is classified into two categories: legitimate activity, which does not belong to an attacker, and suspicious activity attributable to an attacker. Manual tagging of this information is tedious and time consuming because of the enormous amount of information generated in the log file whenever users submit requests to a web server. Hence an automated system is needed that effectively scrutinizes the captured strings/code for injected content. In a normal logging system the type and nature of an activity is not clear from the captured log, so evidence tagging through a domain dictionary was developed to identify and segregate code injection attacks from the rest. In this work a rule-based strategy is applied to tag the suspicious activity of the attacker in the captured logs. One advantage of a rule-based system is that it yields very few false positives, because the rules look for specific, well-known attack strings; the corresponding limitation is that payloads the dictionary does not describe, including obfuscated or novel injections, produce false negatives, so the dictionary must be maintained. To support the investigation a domain dictionary is constructed that contains regular expressions [5] describing vulnerable code. The implemented module extracts each entry from the developed HTTP log and tags the end user evidence. To tag a particular type of code injection attack in the HTTP log, a regular expression based search is implemented that matches the injected malicious code recorded as evidence against the symptoms of vulnerable code stored in the domain dictionary. Because injected strings are commonly URL-encoded, sometimes twice, the evidence should be decoded before it is matched.
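The domain-dictionary tagging step, as an added example rather than the paper's module. The dictionary entries, the JSON-lines record layout assumed for the evidence log, and the sample log lines are all constructed for the illustration; a production dictionary would be much larger.

```php
<?php
declare(strict_types=1);

// Added illustration, not the paper's module. The dictionary entries, the
// JSON-lines record layout and the sample log lines are constructed for this
// example; a production dictionary would be far larger and maintained over time.

// Domain dictionary: tag => PCRE pattern describing a symptom of injected code.
const DOMAIN_DICTIONARY = [
    'php_code_injection' => '/<\?php|\b(eval|assert)\s*\(|\$_(GET|POST|REQUEST|COOKIE)\b/i',
    'php_system_funcs'   => '/\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(/i',
    'shell_injection'    => '/(;|\|{1,2}|&{1,2}|`|\$\()\s*(id|whoami|cat|ls|wget|curl|nc|rm|sh|bash)\b/i',
    'sql_injection'      => '/(\'|")\s*(or|and)\s+\d+\s*=\s*\d+|\bunion\s+(all\s+)?select\b|--\s*$/i',
    'xss'                => '/<\s*script\b|javascript\s*:|\bon(load|error|click|mouseover)\s*=/i',
];

// Every string in a record that a user could have influenced.
function collectEvidenceStrings(array $record): array
{
    $strings = [(string) ($record['uri'] ?? ''), (string) ($record['user_agent'] ?? '')];
    foreach (['query', 'form', 'cookie'] as $section) {
        foreach ((array) ($record[$section] ?? []) as $value) {
            $strings[] = is_scalar($value) ? (string) $value : (string) json_encode($value);
        }
    }
    return $strings;
}

// Attackers URL-encode payloads (sometimes twice) so that naive matching on the
// raw log misses them; decode up to two rounds before matching.
function normalise(string $s): string
{
    for ($i = 0; $i < 2; $i++) {
        $decoded = rawurldecode($s);
        if ($decoded === $s) {
            break;
        }
        $s = $decoded;
    }
    return $s;
}

// Returns tag => matching string; an empty array means no rule fired (legitimate).
function tagRecord(array $record, array $dictionary = DOMAIN_DICTIONARY): array
{
    $tags = [];
    foreach (collectEvidenceStrings($record) as $s) {
        $s = normalise($s);
        foreach ($dictionary as $tag => $pattern) {
            if (!isset($tags[$tag]) && preg_match($pattern, $s) === 1) {
                $tags[$tag] = $s;   // keep the string itself as the evidence
            }
        }
    }
    return $tags;
}

// Walk a JSON-lines log and tag every record. Lines that do not parse are
// tagged rather than dropped: a broken line may itself be an attack artefact.
function tagLogLines(array $lines, array $dictionary = DOMAIN_DICTIONARY): array
{
    $results = [];
    foreach ($lines as $index => $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        $record = json_decode($line, true);
        if (!is_array($record)) {
            $results[] = ['line' => $index + 1, 'client_ip' => '', 'tags' => ['malformed_record' => $line]];
            continue;
        }
        $results[] = [
            'line'      => $index + 1,
            'client_ip' => (string) ($record['client_ip'] ?? ''),
            'tags'      => tagRecord($record, $dictionary),
        ];
    }
    return $results;
}

// Constructed sample log: one legitimate registration, a shell injection in a
// form field, a URL-encoded SQL injection in the query string, and PHP code in
// the User-Agent header.
$sampleLog = <<<'LOG'
{"ts":"2012-03-01T10:00:01Z","client_ip":"198.51.100.5","method":"POST","uri":"/register.php","user_agent":"Mozilla/5.0","query":[],"form":{"login":"alice","city":"Pune"}}
{"ts":"2012-03-01T10:00:02Z","client_ip":"203.0.113.7","method":"POST","uri":"/register.php","user_agent":"Mozilla/5.0","query":[],"form":{"login":"alice; cat /etc/passwd"}}
{"ts":"2012-03-01T10:00:03Z","client_ip":"203.0.113.7","method":"GET","uri":"/page.php?id=1%27%20or%201%3D1--","user_agent":"Mozilla/5.0","query":{"id":"1' or 1=1--"},"form":[]}
{"ts":"2012-03-01T10:00:04Z","client_ip":"203.0.113.9","method":"GET","uri":"/index.php","user_agent":"<?php system('id'); ?>","query":[],"form":[]}
LOG;

foreach (tagLogLines(explode("\n", $sampleLog)) as $r) {
    $label = $r['tags'] === [] ? 'legitimate' : 'suspicious: ' . implode(', ', array_keys($r['tags']));
    printf("line %d  %-13s %s\n", $r['line'], $r['client_ip'], $label);
}
```

On the sample log the first record carries no tag, the second is tagged shell_injection, the third sql_injection (found both in the decoded URI and in the query field), and the fourth php_code_injection and php_system_funcs. The low false-positive rate the text claims holds only as long as the rules stay this specific: a free-text comment field containing "; ls" would trip the shell rule, so each tag should be reviewed with the matched string beside it rather than acted on blindly.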

CONCLUSION AND FUTURE WORK This paper has explored contemporary PHP code injection attacks and developed a prototype system to scrutinize such attacks. The work identified the problems of evidence gathering and analysis in the context of code injection attacks, and a prototype system was developed that gathers and analyzes the evidence of a code injection attack. A few improvements to the current work may be addressed in the future. Firstly, the investigation system may be operated on-line in real time. Secondly, the privacy of end user data is an important issue in investigating code injection attacks: the captured data also contains valuable personal information of legitimate end users that must be protected and not shared. Hence a comprehensive strategy should be developed to preserve end user privacy by enforcing an encoding/decoding mechanism (in practice, encryption with the decryption key held only by the investigator, since reversible encoding alone does not protect the data) for the captured log data.