icegov2012 proceedings
include but not limited to: payment of tax, record keeping (financial records, medical records, intellectual property information, trade secrets and other citizens' personal data) etc. Making some of these services available online offers a better and easier way to conduct the government-citizen relationship, especially in discharging obligations within and across the parties. The concern, however, is whether such platforms (websites) are designed with adequate technical capability and awareness of their susceptibility, and with due regard for avoiding the common programming errors that may jeopardize their successful operation. A website is said to be vulnerable when it has a propensity for infiltration, which may result from flaws within the code that makes up the website; these are referred to as application-level [4] or server-side attacks. Other issues of concern have to do with underlying technical measures that can prevent unforeseen circumstances that may befall the successful operation of the websites.
It has been reported in the literature that dynamic web applications contain a wide range of input validation vulnerabilities such as cross site scripting [5][6][7][8][9] and SQL injection [10][11][12][13][14]. Because of the popularity of the web among millions of Internet users, the Internet has become a prime target for attackers [15], and today they are motivated by financial gain rather than mere destructiveness (Symantec (2007), as cited in [1]). Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet, as shown in a report [16]. Also, the study carried out by [6] reported that 82% of the e-government websites around the globe were vulnerable to Cross Site Scripting (XSS) and Structured Query Language injection (SQLi). The study further found that 90% of European, 85% of Asian, 76% of North American and 49% of African government websites are vulnerable to common web application attacks [6]. Apart from the web application attacks mentioned above, denial of service (DoS), unauthorized access to networks, theft of employee or customer information, online financial fraud, etc. are also known prevalent attacks [1].
Furthermore, SQL injection and cross-site scripting may be used by attackers to alter back-end database tables and to launch phishing attacks from vulnerable servers. Most website owners fail to validate their applications for common flaws, and until now no study has provided empirical data on how vulnerable Nigerian government websites are. It is in this context that this research is necessitated, in order to create awareness among the government and its bodies of the vulnerability level of their websites and the need to take necessary action. It also presents some policy suggestions to safeguard against possible occurrences and measures to avert continued susceptibility.
2.0 WEB APPLICATION SECURITY
Web applications have become fertile ground for cyber attackers attempting to penetrate systems and misuse private data. Cenzic, a web security firm, reported that almost 90% of web-related flaws were caused by web application vulnerabilities, the three most common types being SQL injection, cross-site scripting and authentication vulnerabilities. The SANS Institute, a worldwide security organization, reported cross-site scripting, SQL injection and cross-site request forgery as major web vulnerabilities in 2007 [18]. It was further reported that XSS is the most dangerous and most easily found web application security issue; it can cause a variety of problems, including defacement of web sites, insertion of hostile content, phishing attacks, and allowing hackers to take over a user's browser. Details of these attacks are discussed in the following sections.
2.1 Cross site scripting (XSS)
Cross site scripting is a vulnerability that allows an attacker to bypass the client-side security mechanisms normally imposed on web content by browsers. By finding ways of injecting malicious scripts, usually in the form of JavaScript, VBScript, ActiveX, HTML or Flash, into a vulnerable application, an attacker may gain access to sensitive page content [19]. Because a browser cannot know whether the script should be trusted, it executes the script in the user's context and gives the attacker access to cookies or session tokens retained by the browser. Common attack vectors are search applications that reflect the search string, and parameters supplied in the URL.
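The reflected-search vector described above, as an added illustration that is not part of this paper: the same search page rendered without and with output encoding, followed by the check an assessor would run to learn whether a page echoes its `q` parameter unescaped. The function names, the page template and the probe string are constructed for the example; a harmless bold tag is used as the marker so that a positive result is visible without any script executing.

```python
# Added example (not from the paper): reflected search parameter, unsafe and
# safe rendering, plus an assessor's check for unescaped reflection.
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed page template; the real sites in the study are not reproduced here.
PAGE = "<html><body><h1>Results for: {q}</h1></body></html>"


def _search_param(url: str) -> str:
    """Extract the ?q= parameter the way a typical search page would."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_search_vulnerable(url: str) -> str:
    """The defect: the user-supplied string is written straight into the HTML."""
    return PAGE.format(q=_search_param(url))


def render_search_safe(url: str) -> str:
    """The fix: HTML-escape the string before reflecting it, so markup in the
    input is shown as text rather than interpreted by the browser."""
    return PAGE.format(q=html.escape(_search_param(url), quote=True))


# Constructed probe: inert markup.  If it comes back byte-for-byte, the page
# reflects input without encoding, which is the condition XSS depends on.
PROBE = "<b>xss-probe</b>"


def reflects_unescaped(render, probe: str = PROBE) -> bool:
    """True when the rendered page contains the probe markup verbatim."""
    body = render("https://example.invalid/search?q=" + quote(probe))
    return probe in body


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_search_vulnerable), ("safe", render_search_safe)):
        print(f"{name:10s} reflects unescaped input: {reflects_unescaped(fn)}")
```

Output encoding at the point where data is written into HTML is the control; stripping a fixed list of "dangerous" characters from the input is not, because the page may reflect the value in several different contexts.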
2.2 Structured query language injection (SQLi)
An SQL injection attack consists of the insertion or "injection" of SQL via the input data sent from the client to the application, without proper filtering of dangerous characters. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file on the DBMS file system and, in some cases, issue commands to the operating system [18][19].
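The mechanism in the paragraph above, as an added example that is not part of this paper: a login lookup built by string concatenation beside the same lookup written with bound parameters, run against an in-memory SQLite table. The table contents, user names and passwords are constructed for the demonstration; the point is that the parameterized version treats the whole input as data, so the quoting and boolean logic that the concatenated version lets the client rewrite never reach the SQL parser.

```python
# Added example (not from the paper): SQL injection in a login check,
# vulnerable string-building beside the parameterized fix, on SQLite.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; real systems store password hashes, not text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "correct-horse", "admin"), ("citizen", "battery-staple", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The defect: client input is spliced into the SQL text, so a quote in the
    input ends the string literal and the rest is parsed as SQL."""
    sql = (
        "SELECT role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """The fix: placeholders are bound by the driver; input is never parsed as SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Constructed test value: a quote followed by an always-true clause, the
    # classic input used to confirm that a login check is injectable.
    probe = "x' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "admin", probe))  # a role, not None
    print("safe:      ", login_safe(db, "admin", probe))        # None
```

The vulnerable function also returns a row when the password is wrong, which is the observable symptom an assessor looks for; the safe function returns a row only for the real credential pair.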
2.3 Cookie manipulation
A cookie is a small piece of information, usually created by the web server and stored in the web browser. Each time the user accesses the web server, this data is passed back to it. The cookie contains information used by web applications to persist and pass variables back and forth between the browser and the web application. Client-side cookies can be persistent, i.e. files stored on the client computer until an expiry date, or session cookies, i.e. kept in the memory of the client computer until the session ends. As a result of the cookie structure and its usage, all data stored in a client-side cookie can easily be read and manipulated.
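An added example of the manipulation risk just described and of the usual remedy; it is not code from the paper. A cookie that carries the user's role as plain text is contrasted with one whose value is authenticated by an HMAC computed with a server-side key, so that an edited value is rejected on return; the `Set-Cookie` header is then built with the `HttpOnly`, `Secure` and `SameSite` attributes. The key, the user id and the cookie name are constructed for the example.

```python
# Added example (not from the paper): plaintext cookie state beside an
# HMAC-authenticated cookie, and a hardened Set-Cookie header.
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

# Assumption: a secret held only on the server (constructed value for the demo).
SERVER_KEY = b"constructed-demo-key-replace-in-production"


def issue_plain_cookie(user_id: str, role: str) -> str:
    """The defect: role travels in the clear; the client can edit it at will."""
    return f"{user_id}:{role}"


def read_plain_cookie(value: str):
    user_id, role = value.split(":", 1)
    return user_id, role


def _mac(payload: bytes) -> str:
    digest = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def issue_signed_cookie(user_id: str, role: str) -> str:
    """Append an HMAC so any change to the payload is detectable."""
    payload = f"{user_id}:{role}"
    return f"{payload}.{_mac(payload.encode())}"


def read_signed_cookie(value: str):
    """Return (user_id, role) only if the MAC matches; None for tampered input."""
    payload, _, mac = value.rpartition(".")
    if not payload or not hmac.compare_digest(mac, _mac(payload.encode())):
        return None
    user_id, role = payload.split(":", 1)
    return user_id, role


def build_set_cookie(value: str) -> str:
    """Set-Cookie with the flags that keep the cookie off scripts and plain HTTP."""
    cookie = SimpleCookie()
    cookie["session"] = value
    cookie["session"]["httponly"] = True   # not readable via document.cookie
    cookie["session"]["secure"] = True     # sent over HTTPS only
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    plain = issue_plain_cookie("42", "user")
    print("plain cookie edited by client ->", read_plain_cookie(plain.replace("user", "admin")))
    signed = issue_signed_cookie("42", "user")
    edited = "42:admin." + signed.rpartition(".")[2]
    print("signed cookie edited by client ->", read_signed_cookie(edited))
    print(build_set_cookie(signed))
```

Authenticating the value stops silent modification but does not hide it from the user, and the key must stay on the server; storing only an opaque session identifier and keeping the role in server-side state avoids exposing the data at all.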
2.4 Unencrypted password
One of the security features employed in a web application is the password. Sensitive data such as credit card numbers and social security numbers sent to the server without an encrypted connection such as Secure Sockets Layer (SSL) can be intercepted by hackers. Encrypting the transmission of data makes it difficult to intercept sensitive information as it travels between the two parties.
3.0 METHODOLOGY
The research was carried out on 64 Nigerian e-government websites, randomly selected, to determine their common web security issues. An advanced Google search feature was employed to elicit websites with a sub-domain of '.gov.ng' and with a 'php & html' extension [6]. Google retrieved a number of results, but priority was given to the websites with the highest page rank; this