In: Computer Science
200 words or more, please.
Web application and Role of IIS:
A web application is an application that runs in a web browser and uses a web server. It can be accessed anywhere and at any time around the world over the Internet. For this, IIS is needed. IIS stands for Internet Information Services. It plays a very important role in the functioning of the web application. IIS is an adaptable web server from Microsoft that runs on Windows operating systems in order to serve the requested HTML pages or files. It accepts the request of a remote client and returns the response accordingly. This provides the basic functionality of sharing and delivering information across a Local Area Network (LAN) and a Wide Area Network (WAN). IIS supports various protocols such as HTTP, HTTPS, SMTP and FTP. It works with a variety of standard languages such as HTML (HyperText Markup Language).
So, basically, IIS uses these protocols to fetch the HTML pages and other files that the user requests.
Difference between Web application and OS based Application:
1. OS based applications can only be accessed from the system on which they are installed, whereas a web application can be accessed from anywhere using the Internet.
2. OS based applications run directly on the system on which they are installed, whereas a web application needs an IIS server in order to run.
3. OS based applications are bit-specific, i.e. if the application is designed for a 32-bit OS it will not work on a 64-bit OS, whereas a web application does not depend on the system type.
4. Examples of OS applications: MS Word, MS Excel, Adobe Photoshop.
Examples of web applications: Chrome, Firefox, Internet Explorer.
Vulnerabilities of utilizing web applications on a web server.
1. SQL Injection
It is an application security weakness that allows attackers to control an application's database: they can access or delete data, change the application's data-driven behavior, and do other undesirable things by tricking the application into sending unexpected SQL commands. It happens when an application fails to sanitize untrusted data, such as the data entered in web form fields.
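The following is an added example, not part of the original answer, showing the weakness described above in a small Python program against an in-memory SQLite table (the table, its rows and the crafted input are constructed for the demonstration). The first lookup splices the untrusted value into the SQL text, so a quote in the input ends the string literal and the rest is executed as SQL; the second binds the value as a parameter, which is the fix.

```python
import sqlite3


def make_db():
    # Constructed in-memory database for the demonstration (not a real schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Untrusted input is concatenated straight into the statement text.
    # A quote character in the input terminates the literal, so the query the
    # application actually sends is no longer the one the developer wrote.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    # Placeholder binding: the driver sends the statement and the value
    # separately, so the value can only ever be compared as data.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Constructed input: no user of this name exists, but the quote and the
# OR clause change the structure of the concatenated query.
CRAFTED = "nobody' OR 'a'='a"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, CRAFTED))     # every user name is returned
    print(lookup_parameterized(db, CRAFTED))  # []
    print(lookup_parameterized(db, "alice"))  # ['alice']
```

The same input gives two different results because only the concatenated version lets data become part of the SQL grammar; input "sanitizing" is a weaker defense than binding, which is why parameterized queries are the standard remediation.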
Classes of SQL injection:
2. Cross Site Scripting (XSS)
This attack is a type of injection in which malicious scripts are injected into otherwise trusted websites. It generally occurs when an attacker uses a web application to send malicious code, in the form of a browser-side script, to a different end user. The attacker aims to execute malicious scripts in the victim's web browser by including malicious code in a legitimate web page or web application. The actual attack occurs when the victim visits the web page or web application that executes the malicious code.
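As an added illustration (not code from the original answer), the Python snippet below renders a constructed comment into a constructed page template two ways. The first inserts the untrusted text unchanged, so a script tag submitted by one user is delivered to every later visitor; the second applies HTML output encoding with the standard library's html.escape, so the browser displays the text instead of parsing it.

```python
import html

# Constructed page template; only the user name and comment body are untrusted.
PAGE = '<p>Comment from {user}:</p><div class="comment">{body}</div>'


def render_vulnerable(user, body):
    # Untrusted text is dropped into the HTML as-is: any markup it contains
    # becomes part of the page and runs in the browser of whoever loads it.
    return PAGE.format(user=user, body=body)


def render_escaped(user, body):
    # Output encoding for the HTML-body context: <, >, &, " and ' are replaced
    # by entities, so the untrusted text cannot open a tag or an attribute.
    return PAGE.format(
        user=html.escape(user, quote=True),
        body=html.escape(body, quote=True),
    )


# Constructed attacker-style comment used only to show the difference.
SCRIPT_COMMENT = "<script>alert(1)</script>"

if __name__ == "__main__":
    print(render_vulnerable("mallory", SCRIPT_COMMENT))  # raw <script> tag in page
    print(render_escaped("mallory", SCRIPT_COMMENT))     # &lt;script&gt; text only
    print(render_escaped("bob", "nice post"))            # ordinary text unchanged
```

Encoding has to match the context the data lands in (HTML body here); text placed inside a JavaScript block or a URL needs a different encoder, which is why template engines that escape by default are preferred over hand-written string formatting.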
Categories of XSS attacks
3. Format String
Format strings are used quite often in functions such as printf and scanf. A format string exploit occurs when the submitted data of an input string is evaluated as a command by the application. In this way, the attacker could execute code, read the stack, or cause a segmentation fault in the running application, causing new behaviors that could compromise the security or the stability of the system. It alters the flow of an application. Such attacks use string-formatting library features to access other memory space. The vulnerability occurs when user-supplied data is used directly as the formatting string input for certain C/C++ functions (e.g., fprintf, printf, sprintf, setproctitle, syslog, ...).
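The paragraph above describes the C printf family, where the consequences are memory disclosure and corruption. The added example below (not from the original answer) shows the same root cause, an untrusted string used as the format template rather than as an argument, in Python's str.format, where the template's directives can walk object attributes the developer never intended to expose. The AppConfig class and its placeholder secret are constructed for the demonstration.

```python
class AppConfig:
    # Constructed object standing in for application state held in memory.
    def __init__(self):
        self.app_name = "demo"
        self.db_password = "placeholder-secret"  # constructed value, not a real credential


def greet_vulnerable(user_template, cfg):
    # The untrusted string IS the format template, so any directive in it is
    # interpreted. "{cfg.db_password}" reads an attribute the greeting was
    # never meant to expose: the Python analogue of printf(user_input).
    return user_template.format(cfg=cfg)


def greet_safe(user_text, cfg):
    # The template is a fixed literal; the untrusted string is only an
    # argument, so its braces are copied through as ordinary characters.
    return "Welcome to {app}, {who}".format(app=cfg.app_name, who=user_text)


# Constructed input: a "name" that is really a format directive.
PROBE = "{cfg.db_password}"

if __name__ == "__main__":
    cfg = AppConfig()
    print(greet_vulnerable(PROBE, cfg))  # prints the secret
    print(greet_safe(PROBE, cfg))        # Welcome to demo, {cfg.db_password}
```

The defensive rule is identical in both languages: the format string is code chosen by the developer, and user data is only ever passed as a value for it to format. In C this is the difference between printf(buf) and printf("%s", buf), and compilers flag the former when warnings such as -Wformat-security are enabled.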