Network Application Protocols
Introduction
A number of application protocols aids communication across the internet. According to Dowd and McDonald (2006), some of the network protocols used include Hypertext Transfer Protocol (HTTP), which is used for web browsing, File Transfer Protocol (FTP), which is used for transferring files and Simple Mail Transfer Protocol (SMTP), which is used for sending and receiving e-mail. The list of application protocols used across the internet is long, and only a few are going to be discussed here.
Auditing Application Protocols
Auditing is essential to ensure that the protocols used do not present avenues for attacks (Jackson, 2010). Certain procedures are followed when auditing an application protocol. One of the very first steps is to make sure that the documentation is fully understood. According to Dowd and McDonald (2006), reading the documentation makes the auditor to be aware of the areas where problems may arise and how to deal with them. Secondly, it becomes important to know the elements of unknown protocols. This can be done using several approaches such as packet sniffers, reinitiating the connection several times, replaying messages, and reverse engineering the application (Dowd and McDonald, 2006).
Hypertext Transfer Protocol
Hypertext transfer protocol is the main protocol behind the World Wide Web (Wong, 2009). HTTP becomes useful since it provides a standardized way for computers to communicate with each other. According to Dowd and McDonald (2006), is utilized to serve both the dynamic and static content from servers to clients. That is mainly the web browsers. Since it uses the text-based protocol, it has much security vulnerability associated with C/C++ HTTP implementations. Certain aspects of HTTP protocol expose it to vulnerabilities. Folded headers present certain vulnerabilities in HTTP protocols. If a HTTP server supports this type of header, there could be problems in making assumptions about the maximum size of the header. Additionally, some additional features in HTTP servers may present security problems. According to Dowd and McDonald (2006), developers may sometimes fail to provide security for the additional features. The HTTP protocol has many utility functions that can also have some security implications. Having multiple layers of functions take variable arguments makes codes susceptible to a format string attack, which appears in logging utility functions.
Internet Security Association and Key Management Protocol (ISAKMP)
This type of protocol is developed to allow parties authenticate each other and securely derive an encryption key, which can be used for future subsequent encrypted communications. This type of protocol has been developed due to the need of having secure lines of communications between different parties.
Abstract Syntax Notation
The abstract notation syntax is a notational format that is used in a machine independent format. According to Dowd and McDonald (2006), the abstract syntax notation is used as a building block in most major protocols, which include certificate and key encoding used in SSL and ISAKMP. Additionally, it is used in other protocols such as the Simple Network Management Protocol (SNMP) and the Lightweight Directory Access Protocol (LDAP).
Domain Name System
This is a form of naming scheme used to identify the computers on the Internet. This system allows domain names to be matched to IP addresses and used to key data used in interpretation email addresses.
Web Application
Web application use web browsers as clients. According to Dowd and McDonald (2006), web applications have increased use of HTTP as a communications protocol. However, despite the increase in use of HTTP protocol in web applications, the number of security concerns has increased.
Web Technology Overview
General principles in web technology include an understanding of World Wide Web, Hypertext Markup Language, and Hypertext Transport Protocol. Static content is another aspect used in web technology. Static content is a process that involves a web server retrieving a file and sending it to a network as the HTTP response (Dowd and McDonald, 2006). A common Gateway Interface (CGI) is a mechanism that is used to make web content. Developers customize server’s behavior using API’s.
HTTP
HTTP protocol is the most common protocol used in the communication across networks among computers. It is normally used as a response and a request protocol, which are performed over TCP connections
Architecture
Web applications architecture consists of multiple tiers. These tiers include client tier, web tier, business tier and data tier.
Problem Areas
A common problem area is client visibility. Users can have total visibility into the client side of the web application. Thus, attackers can easily launch attacks.
Common Vulnerabilities
SQL Injection
This is one of the vulnerabilities that affects web applications. In this attack, the attacker inputs a SQL query-using user input, which make them capable of inserting their own SQL commands.
OSL and File System Interaction
Interactions between the operating system and file system increase security vulnerabilities. During execution of programs, developers may make security mistakes in calling a separate program. If using user-supplied input in constructing a pathname, the constructed path can be vulnerable to a path traversal attack.
XML Injection
According to Dowd and McDonald (2006), XML injection involves the insertion of XML metacharacters into XML data with the goal of manipulating the XML document.
XPath Injection
XPath injection is caused by the very large XML configuration file that has instructions for page transitions.
Cross-Site Scripting
Cross-site scripting involves researchers flooding mailing lists that present low risk attacks. This is made possible since web-based applications allow users to provide HTML. Thus, attackers can be able to launch attacks indirectly against another client of the website.
References
Dowd, M., & McDonald, J. (2006). The art of software security assessment: Identifying and preventing software vulnerabilities. Harlow: Addison-Wesley.
Jackson, C. (2010). Network Security Auditing. Indianapolis: Cisco Press.
Wong, C. (2009). HTTP Pocket Reference: Hypertext Transfer Protocol. Sebastopol, Calif.: O'Reilly Media, Inc.