Web Security
Isidro Beltrán Luna
Ismael Velasco Miguel
Instituto Tecnológico de Tuxtepec
February 2014
ABSTRACT
As in many other areas of security, the World Wide Web presents two very different kinds of
problems with different solutions. On one hand, most of us use a web browser regularly and
want to prevent our web clients from executing code in an attack that would let someone take
control of our machine. On the other hand, there are web servers, which we do not want to see
compromised by constant attacks. So what is the answer? There is no single answer. We need
to follow a series of steps to protect both clients and servers. As a server administrator you
cannot force your clients to be secure, but you can protect your own server and web
applications against attacks. Protecting the server also prevents compromised clients, or users
who have visited hostile sites, from damaging the accounts or data hosted on your site or
sabotaging it; for example, a cross-site scripting attack that acts within the user's session to
change the password of that user's account on your site.
Keywords
World Wide Web
Scripting
servers
INTRODUCTION
Absolute security cannot be proven. Maintaining a secure system means guaranteeing three
fundamental properties: confidentiality, where our system resources are accessible only to
authorized agents; integrity, where our system resources can be modified only by authorized
agents; and availability, where our system resources are available to authorized agents when
they are needed.
Today security is a very important aspect of any company or organization that handles
information of great importance. For this reason we decided to conduct our research in this
field, because every day more people are engaged in stealing information, either to leak it or
to sell it to the competition.
With our research we aim to help each and every reader prevent certain attacks that harm the
integrity of personal or company data and lead to the loss of useful information.
METHODOLOGY
The methodology we used was essentially an extensive search for information in books,
magazines and various websites, from which we obtained material of great importance for our
work.
CHAPTER 1. WEB SECURITY
1.1. WHAT IS WEB SECURITY?
The Internet and its associated elements are agile mechanisms that provide a wide range of
possibilities for communication, interaction and entertainment, such as multimedia content,
forums, chat, mail, communities, virtual libraries and others that can be accessed by all
audiences. However, these elements should include mechanisms that protect against, and
reduce, the security risks that are hosted on, distributed through and amplified by the same
Internet service.
Security must set standards that minimize the risks to the information or infrastructure of any
organization. These standards include hours of operation, restrictions on certain locations,
user profiles, authorizations, denials, contingency planning, protocols and everything a good
level of security requires, while minimizing the impact on the performance of employees and
of the organization in general, and serving as a main input to the programs written by
developers.
Security is designed to protect the assets, which include the following:
• Computing infrastructure: a fundamental part of the storage and management of
information, and of the very operation of the organization. The function of computer
security in this area is to ensure that the equipment works properly and to plan for
failures, theft, fire, sabotage, natural disasters, power supply failures and any other
factor that threatens the infrastructure.
• Users: the people who use the technological infrastructure, the communications area
and the managed information. The system must be protected so that its use by them
cannot compromise the security of the information, and so that the information
handled or stored is not left vulnerable.
• Information: the main asset. It uses and resides in the computing infrastructure and is
used by the users.
Usually security deals mainly with guaranteeing the rights of access to data and resources
using control tools and identification mechanisms. These mechanisms make it possible to
verify that operators have only the permissions they were granted.
Illustration 1: the security and filtering service lets organizations protect themselves from
threats.
1.2 GENERAL SECURITY CONCEPTS.
• Privacy: the information can be known only by authorized individuals.
• Integrity: the assurance that the information has not been altered, deleted, reordered,
copied, etc., during transmission or on the originating computer itself.
• Availability: the information can be recovered, or is available, at the moment it is
needed.
• Information security: the actions aimed at establishing guidelines to achieve
confidentiality, integrity and availability of information, and continuity of operations
after an event that interrupts them.
• Asset: a resource that the company owns and that has value; it can be tangible
(server, desktop, communications equipment) or intangible (information, policies,
standards, procedures).
• Vulnerability: exposure to risk; a bug or security hole found in a program or computer
system.
• Threat: any possible situation or event with the potential to cause damage, which may
arise in a system.
• Risk: a potential event which, should it occur, can negatively impact the security, cost,
schedule or scope of a business process or project.
• E-mail: a network service that allows users to send and receive messages including
text, images, video, audio, programs, etc. through electronic communication systems.
Illustration 2: it is important to note that attacks exist against different types of browsers.
1.3. TECHNIQUES TO SECURE THE SYSTEM.
The most important asset you have is the information, and therefore there must be techniques
that secure it beyond the physical security applied to the equipment on which it is stored.
These techniques provide logical security, which involves applying barriers and procedures
that protect access to the data and allow only authorized persons to access it.
Each type of attack and each system requires one or more means of protection (in most
cases a combination of several of them).
The following is a series of measures considered basic for securing a typical system, while
extraordinary measures are required for specific needs and greater depth:
• Use development techniques that meet security criteria for all software deployed on
the systems, starting from standards and with personnel sufficiently trained in and
aware of security.
• Implement physical security measures: fire-suppression systems, surveillance of data
processing centers, protection against flooding, electrical protection against power
outages and surges, access control, etc.
• Encrypt information: cryptology, cryptography and cryptoscience. This should be done
on every path over which the information to be protected circulates, not only on the
most vulnerable ones. For example, if highly confidential data is protected by two
levels of firewall, everything is encrypted between clients and servers and between the
servers themselves, and certificates are used, but print jobs are sent unencrypted to
the network printer, there is still a point of vulnerability.
• Passwords that are hard to guess: for example, they should not be deducible from the
person's personal data or by comparison with a dictionary, and they should be
changed with sufficient frequency. Passwords must also be complex enough that an
attacker cannot recover them with software. The use of digital certificates improves
security over the simple use of passwords.
• Network monitoring. Networks carry the information, so in addition to being the
attacker's usual means of access, they are also good places to obtain information
without having to reach its sources. Not only file data circulates on the network; it
also carries email, phone conversations (VoIP), instant messaging, web browsing,
database reads and writes, etc. Protecting the network is therefore one of the main
tasks in preventing data theft. Measures range from the physical security of the entry
points to control of the connected equipment, for example with 802.1X. In the case of
wireless networks, breaching security is easier and additional measures must be taken.
• Network perimeter security, or DMZ, which allows strong access rules between users,
non-public servers and the published equipment. In this way the weaker rules only
allow access to certain machines and never to the data, which sits behind two levels
of security.
• Protective technologies: firewall, intrusion detection system, anti-spyware, antivirus,
software protection keys, etc.
• Keep information systems updated with the patches that most affect security.
• Backup copies, and even a remote backup system that keeps the information in two
locations asynchronously.
• Control access to information through centralized and maintained permissions (such
as Active Directory, LDAP, access control lists, etc.). The means to achieve this are:
  • Restrict access (by people inside and outside the organization) to programs and
  files.
  • Ensure that operators can work but cannot modify programs or files that do not
  belong to them (without supervision).
  • Ensure that the correct data, files and programs are used in, and by, the chosen
  procedure.
  • Ensure that the transmitted information is the same one the recipient receives, that
  it reaches the intended recipient and no one else, and that alternative emergency
  transmission systems exist between the different points.
  • Organize each employee by hierarchy, with different credentials and well-established
  permissions, in each and every system or application used.
  • Change passwords for access to computer systems regularly, as indicated above,
  even using a program that helps users manage the large number of passwords they
  have to handle in today's environments, commonly known as an identity manager.
• Redundancy and decentralization.
Illustration 3: to secure the system there are different techniques, such as those mentioned
above.
1.4. SECURITY TIPS.
• Child pornography: avoid hosting, publishing or transmitting information, messages,
graphics, drawings, sound files, images, photographs, recordings or software that
directly or indirectly involve sexual activities with minors, in accordance with
international or national legislation, such as Act 679 of 2001 and Decree 1524 of 2002,
any law that clarifies, modifies or extends them, and all laws that prohibit it.
• Control of viruses and malicious code: always have an updated antivirus on your
computer(s) and run it periodically; likewise, have a pop-up blocker and anti-spyware
on your computer.
• Avoid visiting untrusted sites or installing software of dubious origin.
• Most peer-to-peer applications contain spyware that is installed without you noticing.
Make sure that operating system and web browser updates are applied regularly.
• If your programs or the work you do on your computer do not require Java, ActiveX,
multimedia autoplay or auto-running programs, disable them. If they are required,
obtain and configure a personal firewall; this will reduce the risk of exposure.
Email:
• Do not post your email account on untrusted sites.
• Do not lend your email account to others, since any action taken with it is your
responsibility.
• Do not send confidential or personal information by email.
• If you receive a message with a warning about your bank account, do not answer it.
• Never respond to an HTML email with embedded forms.
• If you entered your password on an untrusted site, change it immediately, for your
safety and in compliance with the duty of care you have as its owner.
Spam control:
• Never click on links inside an email, even if they seem legitimate. Type the site's URL
directly into a new browser window.
• For sites that claim to be secure, check their SSL certificate.
• Do not forward chain emails; this prevents congestion in networks and mail systems,
as well as the theft of the addresses contained in the headers.
Control of social engineering:
• Do not disclose confidential information about yourself or about the people around
you.
• Do not talk to strangers about work or personal matters that could compromise
information.
• Use the proper communication channels to distribute information.
Control of phishing:
• If you receive an email, call or text message with a warning about your bank account,
do not answer it.
• For sites that claim to be secure, check their SSL certificate.
• Verify with the entity that provides you the service whether the message received by
mail is genuine.
Password theft:
• Change your passwords frequently, at least every 30 days.
• Use strong passwords: easy to remember and hard to guess.
• Avoid very short passwords; a length of at least 10 characters, combining letters with
numbers and special characters, is recommended.
• Do not send passwords by email or any other unencrypted means.
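The password rules above, and the ones in section 1.3 (not deducible from personal data, not in a dictionary, long and mixed), can be turned into a check that runs before a password is accepted. The following is an added example, not code from the original paper; the tiny COMMON_PASSWORDS set stands in for a real wordlist, and the rule names and the 10-character minimum are taken from the text.

```python
import re

# Constructed mini dictionary for the example; a real check would load a
# full wordlist of the kind used by password crackers.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

MIN_LENGTH = 10  # the minimum recommended in the text


def password_problems(password: str, personal_data: tuple = ()) -> list:
    """Return the list of rules the password violates (empty means acceptable).

    Rules, as stated in the paper: minimum length, letters plus digits plus
    special characters, not a dictionary word, and not derived from the
    person's own data (name, birth year, ...), which is passed in
    personal_data.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"\d", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")

    lowered = password.lower()
    # Strip digits and symbols so that "Password123!" is still caught as the
    # dictionary word "password" with decorations, a very common pattern.
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("dictionary word")

    for item in personal_data:
        item = str(item).lower()
        # Short fragments (1-2 characters) would match almost anything.
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal data ({item})")
    return problems


if __name__ == "__main__":
    for pw, data in [("Password123!", ()), ("short1!", ()),
                     ("carlos1985#x", ("Carlos", 1985)),
                     ("Tr0ub4dor&3xample", ())]:
        print(repr(pw), "->", password_problems(pw, data) or "ok")
```

The check is a gatekeeper, not a strength meter: a password that passes every rule can still be weak if it follows a pattern the attacker's wordlist knows, which is why the text also recommends digital certificates over passwords alone.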
Illustration 4: to keep our information safe, avoid insecure pages.
CHAPTER 2. ATTACKS AND VULNERABILITIES.
2.1 COMPUTER ATTACK
A computer attack is a method by which an individual, using a computer system, tries to take
control of, destabilize or damage another computer system (a computer, a private network,
etc.). There are various types of computer attacks. Some are:
• Denial of service attack, also called DoS attack (Denial of Service), is an attack on a
computer system or network that makes a service or resource inaccessible to
legitimate users, normally causing loss of network connectivity by consuming the
victim's network bandwidth or overloading the victim system's resources.
• Man in the middle, sometimes abbreviated MitM, is a situation in which an attacker
monitors (usually with a sniffer) a communication between two parties and falsifies
the exchanges in order to impersonate one of them.
• Replay attack is a form of network attack in which a valid data transmission is
maliciously or fraudulently repeated or delayed. It is carried out by the originator or by
an adversary who intercepts the information and retransmits it, possibly as part of a
masquerade attack.
• Zero-day attack is an attack against a computer that exploits certain vulnerabilities or
security holes in one or more programs before they are known, or, once the existence
of the vulnerability has been published, before the patch that fixes it is released.
• Brute force attack. It is not necessarily a procedure that must be performed by a
computer, although doing so saves time, energy and effort. A brute force attack tries
to recover a key by testing all possible combinations until it finds the one it is looking
for, which grants access to the system, program or file under study.
2.2. SOCIAL ENGINEERING.
Social engineering is the practice of obtaining confidential information through the
manipulation of legitimate users. It is a technique that can be used by certain people, such as
private investigators, criminals or rogue computer users, to obtain information, access or
privileges in information systems that allow them to perform some act that harms or exposes
the person or organization to risk or abuse.
The principle underpinning social engineering is that in any system "users are the weak link".
In practice, a social engineer will commonly use the phone or the Internet to mislead people,
pretending to be, for example, an employee of a bank or any other company, a co-worker, a
technician or a client. Over the Internet or the web, fake requests to renew website access
permissions or fake memos seeking replies are also used, and even the famous chain letters,
leading people to reveal sensitive information or to violate typical security policies. With this
method, social engineers take advantage of people's natural tendency to react predictably in
certain situations, for example providing financial details to an apparent bank official, rather
than having to find security holes in computer systems.
Perhaps the simplest, yet very effective, attack is to mislead a user into thinking that a system
administrator is requesting a password for some legitimate purpose. Internet users frequently
receive messages requesting passwords or credit card information in order to "create an
account", "reset the configuration" or some other benign reason; this kind of attack is called
phishing (pronounced like "fishing"). Users of these systems should be warned early and often
not to disclose passwords or other sensitive information to people who claim to be
administrators. In fact, system administrators rarely, if ever, need to know users' passwords to
carry out their tasks. However, even this type of attack may not be necessary: in a survey
carried out by the company Boixnet, 90% of the office workers at London's Waterloo Station
revealed their passwords in exchange for a cheap pen.
Another contemporary example of a social engineering attack is the use of email attachments
offering, for example, "intimate" photos of some celebrity or a "free" program (often
apparently sent by some well-known person) that actually run malicious code (for example, to
use the victim's machine to send massive amounts of spam). Now that the first malicious
emails led software vendors to disable the automatic execution of attachments, users must
open these files explicitly for the malicious action to occur. Many users, however, open almost
blindly any attachment they receive, thus making the attack possible.
Social engineering also applies to face-to-face manipulation to gain access to computer
systems. Another example is using knowledge about the victim: trying typical, logical, common
passwords, or drawing on the victim's past and present, answering the question: what
password would I choose if I were the victim?
The main defense against social engineering is to educate and train users in the use of
security policies and to ensure that they are followed.
One of the most famous social engineers of recent times is Kevin Mitnick. In his opinion,
social engineering is based on these four principles:
1. We all want to help.
2. The first move is always to trust the other person.
3. We do not like to say no.
4. We all like to be praised.
2.3. SQL INJECTION
SQL injection is a code-infiltration method that exploits a vulnerability in the input validation
of an application that queries a database.
The origin of the vulnerability lies in the incorrect checking or filtering of the variables used in
a program that contains, or generates, SQL code. It is in fact an instance of a more general
class of vulnerabilities that can occur in any programming or scripting language that is
embedded inside another.
The term SQL injection is used, without distinction, for the type of vulnerability, the
infiltration method, the act of embedding the SQL exploit code, and the embedded code
fragment itself.
A SQL injection is said to exist, or to have occurred, when somehow "invasive" SQL code is
inserted, or "injected", into the programmed SQL code, altering the normal operation of the
program and causing the embedded "invasive" fragment to be executed in the database.
This kind of intrusion is usually harmful or malicious; it is therefore a computer security
problem, and the application programmer should take it into account in order to prevent it. A
program written with carelessness, indifference or ignorance of the problem may prove to be
vulnerable, and the security of the system (the database) can eventually be compromised.
The intrusion occurs during the execution of the vulnerable program, whether on desktop
computers or on websites, in the latter case obviously running on the server that hosts them.
The vulnerability can arise when a program "carelessly assembles" a SQL statement at run
time, or during the development phase, when the programmer writes the SQL statement to be
executed in an unprotected form. In either case, whenever the programmer needs to use
parameters entered by the user in order to query a database, it is precisely within those
parameters that the intruder's SQL code can be introduced.
When the query is executed on the database, the injected SQL code will also run and could do
a number of things, such as insert records, modify or delete data, authorize access and even
run other types of malicious code on the computer.
For example, assume that the following code resides in a web application and that there is a
parameter "username" containing the name of the user to look up; a SQL injection could then
occur as follows.
The original, and most vulnerable, SQL code is:
Query := "SELECT * FROM MyTable WHERE name = '" + username + "';"
Illustration 5: the SQL injection process.
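To show the injection the text describes actually happening, the following is an added example (not the paper's own code) that runs the vulnerable concatenated query from above against a small SQLite database constructed for the purpose, beside the parameterized query that fixes it. The table name MyTable and the "username" parameter are the page's; the rows and the INJECTED payload are assumptions made for the example.

```python
import sqlite3


# Constructed sample database (not from the original page): the MyTable of
# the paper's query, with two users.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyTable (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO MyTable VALUES (?, ?, ?)",
        [("alice", "s3cr3t", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The page's pattern: the statement is assembled by string concatenation,
    so whatever the user typed becomes part of the SQL itself."""
    query = "SELECT * FROM MyTable WHERE name = '" + username + "';"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: a parameterized query. The driver sends the value
    separately from the statement text, so quotes in it are only data."""
    return conn.execute(
        "SELECT * FROM MyTable WHERE name = ?;", (username,)
    ).fetchall()


# Classic injected input: it closes the string literal and appends an
# always-true condition, so the WHERE clause becomes
#     WHERE name = '' OR '1'='1'
# and the query returns every row instead of one user.
INJECTED = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, honest input  :", lookup_vulnerable(db, "alice"))
    print("vulnerable, injected input:", lookup_vulnerable(db, INJECTED))
    print("safe, injected input      :", lookup_safe(db, INJECTED))
```

One caveat when reproducing this with the sqlite3 module: its execute() refuses to run more than one statement at a time, so a stacked payload such as `'; DROP TABLE MyTable; --` raises an error here instead of dropping the table. Other drivers and database servers do allow stacked statements, so that limitation is not a defense; the parameterized query is.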
2.4 SPOOFING.
Spoofing, in network security terms, refers to the use of impersonation techniques, usually for
malicious purposes or for research.
Spoofing attacks can be classified according to the technology used. Among them are IP
spoofing (perhaps the best known), ARP spoofing, DNS spoofing, web spoofing and email
spoofing, although in general spoofing can be applied within any network technology
susceptible to identity impersonation.
Illustration 6: through the IP address we can attack our victim.
IP Spoofing
IP spoofing basically consists of replacing the source IP address of a TCP/IP packet with
another IP address, the one you want to impersonate. This is usually achieved through
programs designed for the purpose and can be used with any protocol within TCP/IP, such as
ICMP, UDP or TCP. It must be taken into account that the replies of the host that receives the
altered packets will be directed to the fake IP. For example, if we send a spoofed ping (an
"echo request" packet), the reply will be received by the host that legitimately owns the IP.
This type of spoofing, combined with ICMP requests sent to the broadcast addresses of
different networks, is used in a type of flood attack known as the Smurf attack. To carry out IP
spoofing in TCP sessions, one must take into account the behavior of that protocol with the
exchange of SYN and ACK packets and their specific sequence numbers, bearing in mind that
the real owner of the IP could (unless prevented somehow) cut the connection at any moment
on receiving packets it never requested. It must also be considered that many current routers
filter source addresses and do not forward packets whose source IP does not belong to one
of the networks they serve (where such filtering is in place, spoofed packets will not get past
the router).
ARP Spoofing
Impersonation by forging ARP frames: the construction of modified ARP request and reply
frames in order to corrupt a victim's ARP table (its IP-to-MAC list) and force it to send
packets to the attacker's host rather than to their legitimate destination.
The Ethernet protocol works with MAC addresses, not IP addresses. ARP is the protocol
responsible for translating IP addresses into MAC addresses so that communication can be
established; when a host wants to communicate with an IP address, it sends an ARP request
frame to the broadcast address, asking for the MAC of the host that holds the IP it wants to
talk to. The machine with the requested IP responds with an ARP reply indicating its MAC.
Routers and hosts keep a local table of IP-MAC pairs, called the ARP table. The ARP table can
be corrupted by an attacking machine that sends ARP reply frames containing its own MAC as
the valid destination for a specific IP, for example that of a router; in this way the traffic
addressed to the router passes through the attacker's machine, which can inspect it and
forward it on if it wishes. The ARP protocol works at the data link layer of the OSI model, so
this technique can only be used on LANs, or in any case on the part of the network before the
first router. One way to protect against this technique is to use static ARP tables (provided
the network's IP addresses are fixed), which can be difficult on large networks.
Other forms of protection include using programs that detect changes in ARP tables (such as
Arpwatch) and using port security on switches to prevent changes in MAC addresses.
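The Arpwatch-style detection mentioned above can be demonstrated on captured ARP replies. The following is an added example, not code from the paper or from Arpwatch: it parses a few constructed lines written in tcpdump's ARP output style (not a real capture), remembers the first MAC seen for each IP, and raises an alert when a later reply binds that IP to a different MAC. A second check flags one MAC answering for several IPs, the signature of an attacker who is impersonating both the gateway and the victim to sit in the middle of the conversation.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's ARP output style (not a real capture).
# The gateway 192.168.1.1 and the host 192.168.1.10 are both later claimed
# by a second MAC, de:ad:be:ef:00:01, which is what a poisoning attack
# against both ends of a conversation looks like on the wire.
SAMPLE_LINES = """\
10:00:01.000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
10:00:01.001 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
10:00:02.000 ARP, Reply 192.168.1.10 is-at aa:bb:cc:dd:ee:10, length 28
10:00:03.000 IP 192.168.1.10.51234 > 192.168.1.1.443: Flags [S], length 0
10:00:04.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
10:00:05.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
10:00:05.001 ARP, Reply 192.168.1.10 is-at de:ad:be:ef:00:01, length 28
10:00:06.000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:20, length 28
"""

# Only ARP replies carry an IP-to-MAC binding that a host will cache.
ARP_REPLY = re.compile(
    r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
)


def parse_arp_replies(text: str) -> list:
    """Return [(ip, mac), ...] for every ARP reply line; other lines are ignored."""
    replies = []
    for line in text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            replies.append((m.group(1), m.group(2).lower()))
    return replies


def detect_arp_changes(replies: list) -> list:
    """Arpwatch-style check: remember the first MAC seen for each IP and
    report every later reply that binds that IP to a different MAC.
    Returns [(ip, previous_mac, new_mac), ...] in the order observed."""
    table = {}
    alerts = []
    for ip, mac in replies:
        known = table.get(ip)
        if known is None:
            table[ip] = mac
        elif known != mac:
            alerts.append((ip, known, mac))
            table[ip] = mac  # track the new binding so a flip back is also reported
    return alerts


def macs_claiming_many_ips(replies: list) -> dict:
    """One MAC answering for several IPs is the signature of a full-duplex
    man in the middle. Returns {mac: set_of_ips} for MACs with more than one IP."""
    claims = defaultdict(set)
    for ip, mac in replies:
        claims[mac].add(ip)
    return {mac: ips for mac, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    seen = parse_arp_replies(SAMPLE_LINES)
    for ip, old, new in detect_arp_changes(seen):
        print(f"ALERT: {ip} changed from {old} to {new}")
    for mac, ips in macs_claiming_many_ips(seen).items():
        print(f"ALERT: {mac} claims {sorted(ips)}")
```

Both checks produce false positives on networks where bindings legitimately change (DHCP reassignments, a router with a virtual IP shared between two devices, a replaced network card), so alerts are a prompt to look, not proof of an attack. The switch-side protection the text mentions, port security together with DHCP snooping and dynamic ARP inspection, stops the forged replies before any host caches them.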
DNS Spoofing
Impersonation by domain name. It is the corruption of a "domain name to IP" relationship in
response to a name resolution query, i.e., resolving a false IP address for a certain DNS name,
or vice versa. This can be achieved by falsifying entries in the domain-to-IP mapping of a DNS
server, through some vulnerability in the server itself or through its trust in unreliable servers.
Falsified entries in one DNS server can then infect (poison) the DNS cache of a different
server (DNS poisoning).
Web Spoofing
Impersonation of a real web page (not to be confused with phishing). It routes the victim's
connection through a fake page to other websites in order to gather information from the
victim (websites visited, form data, passwords, etc.). The fake web page acts as a proxy,
requesting the information the victim asks for from each original server and even bypassing
SSL protection. The attacker can modify any information going from or to any server the
victim visits. The victim can be led to the false website through any kind of deception, even
by opening a simple link. Web spoofing is hard to detect; perhaps the best measure is a
browser plugin that shows the IP of the visited server at all times: if the IP never changes as
you visit different web pages, we are probably suffering this type of attack. This attack is
carried out by implanting code that steals our information; ghost pages into which this code is
injected are usually created to obtain information from the victims.
E-mail Spoofing
Email spoofing is the impersonation of the email address of other persons or entities. This
technique is regularly used to send hoax messages, as the perfect complement to phishing
and spam; it is as simple as using an SMTP server configured for this purpose. To protect
yourself, check the IP of the sender (to find out whether that IP actually belongs to the
organization named in the message) and the address of the SMTP server used.
GPS Spoofing
A GPS spoofing attack attempts to deceive a GPS receiver by transmitting a signal slightly
more powerful than the one received from the GPS satellites, structured to resemble a normal
set of GPS signals. However, these signals are modified in such a way that they cause the
receiver to compute a position different from the real one, specifically a position chosen by
the attacker's signal. Because the GPS system works by measuring the time it takes a signal
to travel between the satellite and the receiver, a successful spoofing requires the attacker to
know precisely where the target is, so that the false signal can be structured with the
appropriate delay.
A GPS spoofing attack begins with the transmission of a slightly more powerful signal that
delivers the correct position, and then drifts slowly towards the position desired by the
attacker, since if this is done too quickly the attacked receiver will lose its lock on the signal,
at which point the spoofing attack would only work as a jamming attack.
RESULTS
At the conclusion of our investigation, we gathered the information and knowledge needed for
anyone who browses the web to be aware of the dangers that exist online. In the same way we
have provided a set of instructions so that your personal information is not used for profit,
together with guidance for surfing the web.
A network security policy group project unit 4 (1) july 2015
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
 
Information Security Awareness And Training Business Case For Web Based Solut...
Information Security Awareness And Training Business Case For Web Based Solut...Information Security Awareness And Training Business Case For Web Based Solut...
Information Security Awareness And Training Business Case For Web Based Solut...
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
Best Practices for Security Awareness and Training
Best Practices for Security Awareness and TrainingBest Practices for Security Awareness and Training
Best Practices for Security Awareness and Training
 
12 security policies
12 security policies12 security policies
12 security policies
 
Security and management
Security and managementSecurity and management
Security and management
 

Destacado

Destacado (8)

Programacion logica y funcional ejer1
Programacion logica y funcional ejer1Programacion logica y funcional ejer1
Programacion logica y funcional ejer1
 
Seguridad web -articulo completo-español
Seguridad web -articulo completo-españolSeguridad web -articulo completo-español
Seguridad web -articulo completo-español
 
Preguntas ejer1
Preguntas ejer1Preguntas ejer1
Preguntas ejer1
 
Glosario
GlosarioGlosario
Glosario
 
Portada del equipo
Portada del equipoPortada del equipo
Portada del equipo
 
Ingeniería de requisitos
Ingeniería de requisitosIngeniería de requisitos
Ingeniería de requisitos
 
Ingeniería de requisitos(ir)
Ingeniería de requisitos(ir)Ingeniería de requisitos(ir)
Ingeniería de requisitos(ir)
 
Ingeniería De Requisitos
Ingeniería De RequisitosIngeniería De Requisitos
Ingeniería De Requisitos
 

Similar a Web Security in 40 Characters

Cyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptxCyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptxTikdiPatel
 
Cybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdfCybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdfJazmine Brown
 
information security (network security methods)
information security (network security methods)information security (network security methods)
information security (network security methods)Zara Nawaz
 
what is cybersecurity.pdf
what is cybersecurity.pdfwhat is cybersecurity.pdf
what is cybersecurity.pdfpublicchats
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
Security and Ethical Challenges Contributors Kim Wanders.docx
Security and Ethical Challenges  Contributors Kim Wanders.docxSecurity and Ethical Challenges  Contributors Kim Wanders.docx
Security and Ethical Challenges Contributors Kim Wanders.docxedgar6wallace88877
 
Security and Ethical Challenges Contributors Kim Wanders.docx
Security and Ethical Challenges  Contributors Kim Wanders.docxSecurity and Ethical Challenges  Contributors Kim Wanders.docx
Security and Ethical Challenges Contributors Kim Wanders.docxfathwaitewalter
 
Securityandethicalchallengesofinfornationtechnology 090902132631-phpapp02
Securityandethicalchallengesofinfornationtechnology 090902132631-phpapp02Securityandethicalchallengesofinfornationtechnology 090902132631-phpapp02
Securityandethicalchallengesofinfornationtechnology 090902132631-phpapp02anjalee990
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security madunix
 
Different Types Of Network Security Devices And Tools.docx
Different Types Of Network Security Devices And Tools.docxDifferent Types Of Network Security Devices And Tools.docx
Different Types Of Network Security Devices And Tools.docxSameerShaik43
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxcuddietheresa
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxsalmonpybus
 
network security.001.pptx................
network security.001.pptx................network security.001.pptx................
network security.001.pptx................MuhammadKhalil858111
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)IJERD Editor
 

Similar a Web Security in 40 Characters (20)

Cyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptxCyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptx
 
Cybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdfCybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdf
 
WK8.pptx
WK8.pptxWK8.pptx
WK8.pptx
 
information security (network security methods)
information security (network security methods)information security (network security methods)
information security (network security methods)
 
what is cybersecurity.pdf
what is cybersecurity.pdfwhat is cybersecurity.pdf
what is cybersecurity.pdf
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
 
network security.pdf
network security.pdfnetwork security.pdf
network security.pdf
 
Security and Ethical Challenges Contributors Kim Wanders.docx
Security and Ethical Challenges  Contributors Kim Wanders.docxSecurity and Ethical Challenges  Contributors Kim Wanders.docx
Security and Ethical Challenges Contributors Kim Wanders.docx
 
Security and Ethical Challenges Contributors Kim Wanders.docx
Security and Ethical Challenges  Contributors Kim Wanders.docxSecurity and Ethical Challenges  Contributors Kim Wanders.docx
Security and Ethical Challenges Contributors Kim Wanders.docx
 
Securityandethicalchallengesofinfornationtechnology 090902132631-phpapp02
Securityandethicalchallengesofinfornationtechnology 090902132631-phpapp02Securityandethicalchallengesofinfornationtechnology 090902132631-phpapp02
Securityandethicalchallengesofinfornationtechnology 090902132631-phpapp02
 
Wireless Security on Context (disponible en español)
Wireless Security on Context (disponible en español)Wireless Security on Context (disponible en español)
Wireless Security on Context (disponible en español)
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
 
Network security
Network securityNetwork security
Network security
 
Different Types Of Network Security Devices And Tools.docx
Different Types Of Network Security Devices And Tools.docxDifferent Types Of Network Security Devices And Tools.docx
Different Types Of Network Security Devices And Tools.docx
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docx
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docx
 
network security.001.pptx................
network security.001.pptx................network security.001.pptx................
network security.001.pptx................
 
Module 3.pdf
Module 3.pdfModule 3.pdf
Module 3.pdf
 
Module 3.Infrastructure and Network Security:
Module 3.Infrastructure and Network Security:Module 3.Infrastructure and Network Security:
Module 3.Infrastructure and Network Security:
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
 

Más de isidro luna beltran (20)

Ensayo ingenieria de requisitos
Ensayo ingenieria de requisitosEnsayo ingenieria de requisitos
Ensayo ingenieria de requisitos
 
Ensayo de isidrotelecomunicconess
Ensayo de isidrotelecomunicconessEnsayo de isidrotelecomunicconess
Ensayo de isidrotelecomunicconess
 
Taxonomia de las herramientas case
Taxonomia de las herramientas caseTaxonomia de las herramientas case
Taxonomia de las herramientas case
 
Herramientas case
Herramientas caseHerramientas case
Herramientas case
 
Función derivada y derivadas sucesivas
Función derivada y derivadas sucesivasFunción derivada y derivadas sucesivas
Función derivada y derivadas sucesivas
 
Expo..tema...3.1 expoo
Expo..tema...3.1 expooExpo..tema...3.1 expoo
Expo..tema...3.1 expoo
 
Expo..tema...3.1 expoo
Expo..tema...3.1 expooExpo..tema...3.1 expoo
Expo..tema...3.1 expoo
 
Protocolo
ProtocoloProtocolo
Protocolo
 
Protocolo
ProtocoloProtocolo
Protocolo
 
Reseñas+c..
Reseñas+c..Reseñas+c..
Reseñas+c..
 
Los seis sombreros para pensar
Los seis sombreros para pensarLos seis sombreros para pensar
Los seis sombreros para pensar
 
Los seis sombreros para pensar
Los seis sombreros para pensarLos seis sombreros para pensar
Los seis sombreros para pensar
 
éTica para amador resumen
éTica para amador resumenéTica para amador resumen
éTica para amador resumen
 
Autobiografia
AutobiografiaAutobiografia
Autobiografia
 
Autobiografia
AutobiografiaAutobiografia
Autobiografia
 
Calaveritas
CalaveritasCalaveritas
Calaveritas
 
Calaveritas
CalaveritasCalaveritas
Calaveritas
 
Calaveritas
CalaveritasCalaveritas
Calaveritas
 
Calaveritas
CalaveritasCalaveritas
Calaveritas
 
Calaveritas
CalaveritasCalaveritas
Calaveritas
 

Último

What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfErwinPantujan2
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSJoshuaGantuangco2
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfphamnguyenenglishnb
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYKayeClaireEstoconing
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxAshokKarra1
 

Último (20)

LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptx
 

Web Security in 40 Characters

Web Security
Isidro Beltrán Luna
Ismael Velasco Miguel
Instituto Tecnológico de Tuxtepec
February 2014
ABSTRACT

Like many other areas of security, the World Wide Web presents two very different kinds of problem with different solutions. On one hand, most of us use a web browser regularly and want to prevent our web clients from executing code in an attack that lets someone take control of our machine. On the other hand there are web servers, which we do not want to see compromised by constant attacks. So what is the answer? There is no single answer; we need to follow a series of steps to protect both clients and servers. As a server administrator you cannot force your clients to be secure, but you can protect your own server and web applications against attacks. Protecting the server also prevents compromised clients, or users who have visited hostile sites, from carrying out actions that could damage the accounts or data hosted on your site and sabotage it; for example, a cross-site scripting attack that interacts with the user's account to change the password of that account on your site.
Keywords: World Wide Web, scripting, servers
INTRODUCTION

Absolute security cannot be proven; maintaining a secure system means ensuring three fundamental properties: confidentiality, where our system's resources are accessible only to authorized agents; integrity, where our system's resources may be modified only by our authorized agents; and availability, where the resources of our systems are available to our authorized agents when needed.

Today security is a very important aspect of any company or organization that handles information of the utmost importance. For this reason we decided to conduct our research in this field, because more and more people are engaged in stealing information, either to leak it or to sell it to the competition.

With our research we aim to help each and every reader prevent certain attacks that impair integrity, whether personal or of their own company, with the loss of useful information.
METHODOLOGY

The methodology we used was essentially an extensive search for information in books, magazines and various websites, from which we obtained information of great importance for our work.

CHAPTER 1. WEB SECURITY

1.1. WHAT IS WEB SECURITY?

The Internet and its associated elements are agile mechanisms that provide a wide range of possibilities for communication, interaction and entertainment, such as multimedia elements, forums, chat, mail, communities, virtual libraries and others that can be accessed by all audiences. However, these elements should include mechanisms that protect against and reduce the security risks that are hosted on, distributed by and amplified through the same Internet service.

Security must set standards that minimize the risks to the information or infrastructure of any organization. These standards include hours of operation, restrictions on certain places, user profiles, authorizations, refusals, emergency planning, protocols and everything needed for a good level of security while minimizing the impact on the performance of employees and the organization in general, and as a main input to the programs written by programmers.

Security is designed to protect assets, which include the following:

• Computing infrastructure: a fundamental part of storing and managing information, as well as of the very functioning of the organization. The function of computer security in this area is to ensure that the equipment works properly and to anticipate failures, theft, fire, sabotage, natural disasters, power supply failures and any other factor that threatens the infrastructure.

• Users: the people who use the technological structure, the communications area and who manage information. The system must be protected in general so that its use cannot call into question the security of the information, nor leave the information handled or stored vulnerable.
• Information: the main asset. It uses and resides in the computing infrastructure and is used by the users. Security usually deals exclusively with ensuring access rights to data and resources through control tools and identification mechanisms. These mechanisms make it possible to know that operators have only the permissions they were given.

Illustration 1: the security and filtering service allows organizations to protect themselves from threats.

1.2. GENERAL SECURITY CONCEPTS

• Privacy: the information can be known only by authorized individuals.
• Integrity: the assurance that the information has not been altered, deleted, reformatted, copied, etc. during transmission or on the originating computer itself.
• Availability: the information can be recovered or is available at the time it is needed.
• Information Security: the actions aimed at establishing guidelines to achieve confidentiality, integrity and availability of information, and continuity of operations in the face of an event that interrupts them.
• Asset: a resource the company has and that has value; it may be tangible (server, desktop, communications equipment) or intangible (information, policies, standards, procedures).
• Vulnerability: exposure to risk; a bug or security hole detected in a program or computer system.
• Threat: any possible situation or event with the potential for damage that may arise in a system.
• Risk: a potential event which, should it occur, can negatively impact the security, cost, schedule or scope of a business process or project.
• E-mail: a network service that allows users to send and receive messages including text, images, video, audio, programs, etc. through electronic communication systems.

Illustration 2: it is important to note that attacks exist against different types of browsers.

1.3. TECHNIQUES TO SECURE THE SYSTEM

The most important asset you have is information and, therefore, there should be techniques that secure it beyond the physical security applied to the equipment on which it is stored. These techniques give it logical security, which involves applying barriers and procedures that protect access to the data and allow only authorized persons to access it. Each type of attack and each system requires one or more means of protection (in most cases a combination of several). The following is a series of measures considered basic to secure a typical system, while extraordinary measures are required for specific needs and greater depth:

• Use development techniques that meet security criteria for all software deployed on the systems, starting from standards and with personnel who are sufficiently trained and aware of security.
• Implement physical security measures: fire systems, surveillance of data processing centers, protection against flooding, electrical protection against power outages and surges, access control, etc.
• Encrypt information: cryptology, cryptography and cryptoscience. This should be done on every path the information to be protected travels, not only on the most vulnerable ones. For example, if highly confidential data is protected with two levels of firewall, encrypted all the way between clients and servers and between the servers themselves, and certificates are used, but print jobs sent to the network printer are left unencrypted, there would be a point of vulnerability.
• Passwords that are hard to discover: for example, not deducible from the individual's personal data or by comparison with a dictionary, and changed with sufficient frequency. Passwords must also be complex enough that an attacker cannot deduce them using computer programs. Using digital certificates improves security over the simple use of passwords.
• Network surveillance. Networks carry the information, so besides being the usual means of access for attackers, they are also good places to obtain information without having to access the sources themselves. Not only information in computer files circulates on the network; it also carries email, phone conversations (VoIP), instant messaging, Internet browsing, database reads and writes, etc. Therefore, protecting the network is one of the main tasks in preventing data theft. Measures range from the physical security of entry points to control of connected equipment, for example 802.1X. In the case of wireless networks the exposure to security breaches increases and additional measures should be taken.
• Network perimeter security, or a DMZ, can enforce strong access rules between users, non-public servers and the published equipment. In this way, the weaker rules only allow access to certain machines and never to the data, which sits behind two levels of security.
• Repellent or protective technologies: firewalls, intrusion detection systems, anti-spyware, antivirus, software protection keys, etc.
• Keep information systems up to date with the updates that most affect security.
• Backup copies, and even a remote backup system that keeps the information in two locations asynchronously.
• Control access to information through centralized and maintained permissions (Active Directory, LDAP, access control lists, etc.). The means to achieve this are:
• Restrict access (for people inside the organization and outside it) to programs and files.
• Ensure that operators can work but cannot modify programs or files that do not belong to them (without supervision).
• Ensure that the correct data, files and programs are used in, and by, the chosen procedure.
• Ensure that the transmitted information is the same that is received by the intended recipient and that it does not reach others, and that alternative emergency transmission systems and steps exist between different points.
• Organize each employee in a computing hierarchy, with different keys and well-established permissions in each and every system or application used.
• Constantly update the passwords for access to computer systems, as indicated above, even using a program that helps users manage the large number of passwords they have to handle in today's environments, commonly known as identity managers.
• Redundancy and decentralization.
Illustration 3: to secure the system there are different techniques, such as those mentioned above.
1.4. SAFETY TIPS.
• Child pornography: avoid hosting, publishing or transmitting information, messages, graphics, drawings, sound files, images, photographs, recordings or software that directly or indirectly involve sexual activities with minors, in accordance with international or national legislation, such as Act 679 of 2001 and Decree 1524 of 2002, or those that clarify, modify or add to them, or any law prohibiting it.
• Control of viruses and malicious code: always have an updated antivirus on your computer(s) and run it periodically; likewise, have pop-up window blockers and anti-spyware on your computer.
• Avoid visiting untrusted sites or installing software of dubious origin.
• Most peer-to-peer applications contain spyware that is installed without you realizing it. Make sure that updates are applied to operating systems and web browsers on a regular basis.
• If your programs or the work you perform on your computer do not require Java, ActiveX, multimedia autoplay or auto-running programs, disable them. If they are required, obtain and configure a personal firewall; this will reduce the risk of exposure.
Email:
• Do not post your email account on untrusted sites.
• Do not lend your email account to anyone, since any action taken with it will be your responsibility.
• Do not send confidential or personal information through email.
• If you receive a message with a warning about your bank account, do not answer it.
• Never respond to an HTML email with embedded forms.
• If you have entered your password on an untrusted site, make sure to change it immediately, for your safety and in compliance with the duty of care that falls on you as its holder.
Spam control:
• Never click on links inside an email even if they seem legitimate. Enter the site's URL directly in a new browser window.
• For sites that claim to be secure, check their SSL certificate.
• Do not forward email chains; this prevents congestion of networks and mail, as well as the theft of the information contained in the headers.
Control of social engineering:
• Do not disclose confidential information about yourself or about the people around you.
• Do not talk to strangers about work or personal matters that could compromise information.
• Use the right communication channels to disseminate information.
Control of phishing:
• If you receive an email, call or text message with a warning about your bank account, do not answer it.
• For sites that claim to be secure, check their SSL certificate.
• Validate with the entity with which you have a service whether the message received by mail is genuine.
Theft of passwords:
• Change your passwords frequently, at least every 30 days.
• Use strong passwords: easy to remember and hard to guess.
• Avoid very short passwords; a length of at least 10 characters is recommended, combined with numbers and special characters.
• Do not send passwords through email or any other means that is not encrypted.
Illustration 4: so that our information is not threatened, avoid insecure pages.
CHAPTER 2. ATTACKS AND VULNERABILITIES.
2.1 COMPUTER ATTACK
A computer attack is a method by which an individual, using a computer system, tries to take control of, destabilize or damage another computer system (a computer, a private network, etc.). There are various types of cyber-attacks. Some are:
• Denial of service attack, also called DoS attack (Denial of Service), is an attack on a computer system or network that causes a service or resource to become inaccessible to legitimate users, normally causing loss of network connectivity by consuming the bandwidth of the victim's network or by overloading the resources of the victim's computer system.
• Man in the middle, sometimes abbreviated MitM, is a situation where an attacker monitors (usually by means of a port sniffer) a communication between two parties and falsifies the exchanges to impersonate one of them.
• Replay attack, a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. It is carried out by the originator or by an adversary who intercepts the information and retransmits it, possibly as part of a masquerade attack.
• Zero-day attack, an attack against a computer that exploits certain vulnerabilities or security holes in a program or programs before they are known, or, once the existence of the vulnerability has been published, an attack carried out before the patch that fixes it is released.
• Brute force attack. It is not necessarily a procedure that has to be performed by computer processes, although such a system saves time, energy and effort. A brute force attack system tries to recover a key by trying all possible combinations until it finds the one it is looking for, which allows access to the system, program or file under study.
2.2. SOCIAL ENGINEERING.
Social engineering is the practice of obtaining confidential information through the manipulation of legitimate users. It is a technique that certain people, such as private investigators, criminals or rogue computer users, can use to obtain information, access or privileges in information systems that allow them to perform some act that harms the compromised person or organization or exposes them to risk or abuse. The principle underlying social engineering is that in any system "users are the weak link".
In practice, a social engineer will commonly use the telephone or the Internet to mislead people, pretending to be, for example, an employee of a bank or some other company, a co-worker, a technician or a client. Via the Internet or the web, fake requests to renew access permissions to websites, or fake memos seeking answers, and even the famous chain letters are also used, thus leading people to reveal sensitive information or to violate the usual security policies. With this method, social engineers take advantage of the natural tendency of people to react predictably in certain situations, for example giving financial details to an apparent bank official, rather than having to find security holes in computer systems.
Perhaps the simplest, yet very effective, attack is to mislead a user into thinking that a system administrator is requesting a password for some legitimate purpose. Users of Internet systems frequently receive messages requesting passwords or credit card information on the pretext of "creating an account", "resetting the configuration" or some other benign operation; attacks of this kind are called phishing (pronounced like "fishing"). Users of these systems should be warned early and often not to disclose passwords or other sensitive information to people who claim to be administrators.
In fact, computer system administrators rarely (if ever) need to know users' passwords to carry out their tasks. However, even this type of attack may not be necessary: in a survey carried out by the company Boixnet, 90% of the employees at the Waterloo Station office in London revealed their passwords in exchange for a cheap pen.
Another contemporary example of a social engineering attack is the use of attachments in e-mails, offering, for example, "intimate" photos of some famous person or a "free" program (often apparently coming from some well-known person) but running malicious code (for example, to use the victim's machine to send massive amounts of spam). Now that the first malicious e-mails have led software providers to disable the automatic execution of attachments, users must open these files explicitly for the malicious action to occur. Many users, however, open almost blindly any attachment they receive, thus making the attack possible.
Social engineering also applies to the act of face-to-face manipulation to gain access to computer systems. Another example is using knowledge about the victim, by trying typical, logical, common passwords or knowing their past and present; answering the question: what password would I choose if I were the victim?
The main defense against social engineering is to educate and train users in the use of security policies and to ensure that they are followed.
One of the most famous social engineers of recent times is Kevin Mitnick. In his opinion, social engineering is based on these four principles:
1. We all want to help.
2. The first move is always to trust the other person.
3. We do not like to say no.
4. We all like to be praised.
2.3. SQL INJECTION
SQL injection is a method of infiltrating intrusive code that takes advantage of a computer vulnerability present in an application at the level of input validation when querying a database.
The origin of the vulnerability lies in the incorrect checking or filtering of the variables used in a program that contains, or generates, SQL code. It is, in fact, an error belonging to a more general class of vulnerabilities that can occur in any programming or scripting language that is embedded inside another.
"SQL injection" refers, without distinction, to the type of vulnerability, to the method of infiltration, to the act of embedding the intrusive SQL code and to the embedded code portion itself.
It is said that there is (or was) a SQL injection when, in some way, invasive SQL code is inserted, or "injected", within the program's own SQL code in order to alter the normal operation of the program and get the embedded "invasive" portion of code executed in the database.
This kind of intrusion is usually harmful, malicious or spying; it is therefore a computer security problem and should be taken into account by the application programmer in order to prevent it. A program written with carelessness, indifference or ignorance of the problem may prove to be vulnerable, and the security of the system (the database) can eventually be compromised.
The intrusion occurs during the execution of the vulnerable program, whether on desktop computers or on websites; in the latter case it obviously runs on the server that hosts them.
The vulnerability can arise automatically when a program "assembles carelessly" a SQL statement at runtime, or during the development phase, when the programmer writes the SQL statement to execute in an unprotected form. In any case, it arises whenever the programmer needs and makes use of parameters entered by the user in order to query a database; it is precisely within those parameters that the intruder's SQL code can be incorporated.
When the query is executed on the database, the injected SQL code will also run and could do a number of things, such as insert records, modify or delete data, grant access and even run other kinds of malicious code on the computer.
For example, assume that the following code resides in a web application and there is a parameter "username" that contains the name of the user to look up; a SQL injection could take place as follows. The original, and most vulnerable, SQL code is:
Query := "SELECT * FROM MyTable WHERE name = '" + username + "';"
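The following is an added example, not code from the original paper: it puts the concatenated query above side by side with a parameterized query against a small SQLite table (the table, its rows and the name "MyTable" are constructed for the example). The point it shows is that with concatenation the content of "username" becomes part of the SQL text, so even a harmless name with an apostrophe breaks the statement and a crafted one changes which rows come back, while the parameterized form passes the value separately from the statement and returns only an exact match.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the page's "MyTable"."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyTable (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO MyTable (name, role) VALUES (?, ?)",
        [("alice", "user"), ("bob", "admin"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string concatenation, as in the page's example.
    Whatever the caller puts in `username` is parsed as SQL by the database."""
    query = "SELECT name, role FROM MyTable WHERE name = '" + username + "';"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the value travels separately from the statement, so the
    driver never treats its content as SQL and it cannot change the query's shape."""
    query = "SELECT name, role FROM MyTable WHERE name = ?;"
    return conn.execute(query, (username,)).fetchall()


def concat_query_breaks(conn, username):
    """True when the concatenated statement cannot even be parsed for this input."""
    try:
        lookup_vulnerable(conn, username)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    # A legitimate name with an apostrophe: the concatenated query fails, the
    # parameterized one simply finds no row.
    print("O'Brien breaks concatenation:", concat_query_breaks(db, "O'Brien"))
    print("O'Brien parameterized:", lookup_parameterized(db, "O'Brien"))
    # The textbook tautology: concatenation returns every row, the parameterized
    # query looks for a user literally named "' OR '1'='1" and finds none.
    crafted = "' OR '1'='1"
    print("crafted vulnerable:", lookup_vulnerable(db, crafted))
    print("crafted parameterized:", lookup_parameterized(db, crafted))
```

The defensive rule the example illustrates is the one the paragraph above states: user-supplied parameters must never be spliced into the SQL text, and the database driver's placeholder mechanism is the standard way to keep them out of it.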
Illustration 5: the SQL injection process.
2.4 SPOOFING.
Spoofing, in terms of network security, refers to the use of identity impersonation techniques, usually for malicious purposes or for research. Spoofing attacks can be classified according to the technology used. Among them are IP spoofing (perhaps the best known), ARP spoofing, DNS spoofing, web spoofing and email spoofing, although in general any network technology susceptible to identity theft can be the subject of spoofing.
Illustration 6: through the IP address we can attack our victim.
IP Spoofing
IP spoofing basically consists of replacing the source IP address of a TCP/IP packet with another IP address that one wants to impersonate. This is usually achieved with programs designed for the purpose and can be used with any protocol within TCP/IP, such as ICMP, UDP or TCP. It must be taken into account that the responses of the host that receives the altered packets will be directed to the spoofed IP. For example, if we send a spoofed ping ("echo request" packet), the reply will be received by the host to which the IP legitimately belongs. This kind of spoofing, combined with the use of ICMP broadcast requests to different networks, is used in a type of flood attack known as the Smurf attack. To carry out IP spoofing in TCP sessions, one must take into account the behaviour of that protocol with the sending of SYN and ACK packets, each with its specific SYN, and that the real owner of the IP could (if not prevented in some way) cut the connection at any moment on receiving packets it has not requested. It must also be taken into account that current routers do not allow the sending of packets whose source IP does not belong to one of the networks they manage (the spoofed packets will not get past the router).
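The last sentence above describes the router-side defence against IP spoofing: a packet is only forwarded if its source address belongs to the network it arrived from. The following is an added example, not code from the original paper, of that ingress filter in Python. The interface names, prefixes (taken from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) and the packet list are all constructed for the example; besides the membership check the page describes, it also drops loopback, multicast and unspecified sources and packets whose source is a network or broadcast address, since none of those can be a legitimate unicast sender.

```python
import ipaddress
from collections import Counter

# Constructed topology: the source prefixes that are legitimate on each ingress interface.
INTERFACE_PREFIXES = {
    "lan0": [ipaddress.ip_network("192.0.2.0/24")],
    "lan1": [ipaddress.ip_network("198.51.100.0/25")],
}


def check_source(iface, src, prefixes=INTERFACE_PREFIXES):
    """Return None if `src` is a plausible source on `iface`, else the reason to drop it."""
    nets = prefixes.get(iface)
    if nets is None:
        return "unknown-interface"
    addr = ipaddress.ip_address(src)
    # Addresses that can never be a real sender, whatever the interface.
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        return "invalid-source"
    # The check the page describes: the source must belong to a network behind this interface.
    if not any(addr in net for net in nets):
        return "source-not-on-interface"
    # Network and broadcast addresses belong to the prefix but are not hosts.
    if any(addr in (net.network_address, net.broadcast_address) for net in nets):
        return "non-unicast-source"
    return None


def filter_packets(packets, prefixes=INTERFACE_PREFIXES):
    """packets: iterable of (iface, src, dst). Returns the forwarded packets and a
    Counter of drop reasons, which is what an operator would want to graph."""
    forwarded, reasons = [], Counter()
    for iface, src, dst in packets:
        reason = check_source(iface, src, prefixes)
        if reason is None:
            forwarded.append((iface, src, dst))
        else:
            reasons[reason] += 1
    return forwarded, reasons


# Constructed sample traffic: one honest packet and four that a filtering router drops.
SAMPLE_PACKETS = [
    ("lan0", "192.0.2.10", "203.0.113.5"),    # host on lan0 talking to the outside
    ("lan0", "203.0.113.77", "192.0.2.10"),   # outside address claimed from the inside
    ("lan1", "192.0.2.10", "203.0.113.5"),    # lan0 address arriving on lan1
    ("lan0", "192.0.2.255", "203.0.113.5"),   # broadcast address used as a source
    ("lan0", "127.0.0.1", "203.0.113.5"),     # loopback used as a source
]

if __name__ == "__main__":
    forwarded, reasons = filter_packets(SAMPLE_PACKETS)
    print("forwarded:", forwarded)
    print("dropped by reason:", dict(reasons))
```

Because the decision is taken per ingress interface rather than against one global list, a host cannot borrow an address from a neighbouring segment either, which is the case the third sample packet covers.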
ARP Spoofing
Impersonation by forging ARP frames. It is the construction of modified ARP request and ARP reply frames in order to corrupt the ARP table (the IP-MAC list) of a victim and force it to send packets to an attacker's host instead of to their legitimate destination. The Ethernet protocol works with MAC addresses, not IP addresses. ARP is the protocol in charge of translating IP addresses into MAC addresses so that communication can be established; so when a host wants to communicate with an IP, it broadcasts an ARP-Request frame to the broadcast address asking for the MAC of the host that holds the IP it wants to talk to. The computer with the requested IP responds with an ARP-Reply indicating its MAC. Routers and hosts keep a local table with the IP-MAC relationship, called the ARP table. The ARP table can be corrupted by an attacking computer that sends ARP-Reply frames giving its own MAC as the valid destination for a specific IP, for example that of a router; in this way the information directed to the router would pass through the attacker's computer, which can inspect that information and redirect it if it wishes. The ARP protocol works at the data link layer of the OSI model, so this technique can only be used on LANs, or in any case on the part of the network that lies before the first router. One way to protect oneself from this technique is to use static ARP tables (provided that the network's IP addresses are fixed), which can be difficult on large networks. Other forms of protection include using programs that detect ARP table changes (such as Arpwatch) and using port security on the switches to prevent changes in MAC addresses.
DNS Spoofing
Impersonation by domain name. It is the corruption of a "domain name-IP" relationship in response to a name resolution query, i.e., resolving a false IP address for a certain DNS name, or vice versa. This can be achieved by falsifying entries in the domain name-IP relation of a DNS server, through some vulnerability in the server itself or through its trust in unreliable servers. The falsified entries of a DNS server are liable to infect (poison) the DNS cache of a different server (DNS poisoning).
Web Spoofing
Impersonation of a real web page (not to be confused with phishing). It routes a victim's connection through a fake page to other websites in order to gather information from the victim (websites viewed, information entered in forms, passwords, etc.). The fake web page acts as a kind of proxy, requesting the information required by the victim from each original server and bypassing even SSL protection. The attacker can modify any information from and to any server the victim visits. The victim can be led to open the fake website by any kind of deception, even by opening a simple link. Web spoofing is hardly detectable; perhaps the best measure is a browser plugin that shows the IP of the visited server at all times: if the IP never changes when you visit different web pages, we are probably suffering from this type of attack. This attack is carried out by implanting code that will steal our information. Ghost pages in which this code is injected to obtain the victims' information are usually created.
E-mail Spoofing
Spoofing in email of the email address of other people or entities. This technique is regularly used for sending hoax e-mail messages as a perfect complement to phishing and spam; it is as simple as using an SMTP server configured for this purpose. To protect yourself you should check the sender's IP (to find out whether that IP actually belongs to the entity indicated in the message) and the address of the SMTP server used.
GPS Spoofing
A GPS spoofing attack attempts to mislead a GPS receiver by transmitting a signal slightly more powerful than the one received from the satellites of the GPS system, structured to resemble a normal set of GPS signals. However, these signals are modified in such a way as to cause the receiver to determine a position different from the real one, specifically some position determined by the attacking signal. Because the GPS system works by measuring the time it takes for a signal to travel between the satellite and the receiver, successful spoofing requires the attacker to know precisely where the target is, so that the false signal can be structured with the appropriate delay. A GPS spoofing attack begins with the transmission of a slightly more powerful signal that delivers the correct position and then begins to drift slowly towards the position desired by the attacker, since if this is done too quickly the attacked receiver will lose its lock on the signal, at which point the spoofing attack would only work as a jamming attack.
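The ARP spoofing section above names change-detection programs such as Arpwatch as one of the protections. The following is an added example, not code from the original paper or from Arpwatch itself, of the core of such a monitor in Python: it keeps the IP-to-MAC bindings seen on one segment and reports the same three situations Arpwatch reports, a new station, a changed MAC for a known IP, and a "flip flop" where an IP bounces back to a MAC seen earlier. It also lists MACs that currently answer for more than one IP, which is how a station placing itself between the gateway and a host looks in the table. The ArpReply records, addresses and the gateway IP are constructed for the example; a real deployment would feed this class from captured ARP-Reply frames.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """The two fields of an ARP-Reply this monitor needs (constructed, not parsed from the wire)."""
    sender_ip: str
    sender_mac: str


class ArpMonitor:
    """Tracks IP -> MAC bindings seen on one segment and reports changes."""

    def __init__(self, gateway_ip=None):
        self.table = {}                   # current binding for each IP
        self.history = defaultdict(set)   # every MAC ever seen for each IP
        self.alerts = []                  # (ip, old_mac, new_mac, event, severity)
        self.gateway_ip = gateway_ip      # changes to the gateway's binding matter most

    def observe(self, reply):
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        prev = self.table.get(ip)
        if prev is None:
            event = "new-station"
        elif prev == mac:
            event = "unchanged"
        elif mac in self.history[ip]:
            # The IP went back to a MAC it had before: the pattern seen when the
            # legitimate owner and a poisoner keep overwriting each other.
            event = "flip-flop"
        else:
            event = "changed"
        if event in ("changed", "flip-flop"):
            severity = "high" if ip == self.gateway_ip else "medium"
            self.alerts.append((ip, prev, mac, event, severity))
        self.table[ip] = mac
        self.history[ip].add(mac)
        return event

    def shared_macs(self):
        """MACs currently bound to more than one IP, with those IPs sorted."""
        by_mac = defaultdict(list)
        for ip, mac in self.table.items():
            by_mac[mac].append(ip)
        return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}


def run(monitor, replies):
    """Feed a sequence of replies and return the event classified for each."""
    return [monitor.observe(r) for r in replies]


# Constructed ARP-Reply stream: a gateway, one host, then a third station
# answering for both, and finally the real gateway answering again.
SAMPLE_REPLIES = [
    ArpReply("192.0.2.1", "02:00:00:00:00:01"),
    ArpReply("192.0.2.10", "02:00:00:00:00:10"),
    ArpReply("192.0.2.10", "02:00:00:00:00:10"),
    ArpReply("192.0.2.1", "02:00:00:00:00:99"),
    ArpReply("192.0.2.10", "02:00:00:00:00:99"),
    ArpReply("192.0.2.1", "02:00:00:00:00:01"),
]

if __name__ == "__main__":
    mon = ArpMonitor(gateway_ip="192.0.2.1")
    for reply, event in zip(SAMPLE_REPLIES, run(mon, SAMPLE_REPLIES)):
        print(f"{reply.sender_ip:12} {reply.sender_mac}  {event}")
    print("alerts:", mon.alerts)
    print("MACs answering for several IPs:", mon.shared_macs())
```

A monitor like this complements the static-table and switch port-security measures the section mentions: static entries stop a host from accepting the forged replies, while the monitor makes the attempt visible on segments where static entries are impractical.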
RESULTS
At the conclusion of the research for our article, we obtained all the information and knowledge necessary for anyone who surfs the web to be aware of the dangers that exist in browsing. In the same way, we provided a set of instructions so that your personal information is not used for profit, together with guidance for surfing the web.