Agent-based Vulnerability Assessment of Government of Kenya Web Applications

Abstract

The growth of the internet in recent times has led to the spread of information crimes in renewed and changing ways. Today almost all organizations including the government of Kenya have improved their performance through allowing more information exchange within and without their organization using web support. Databases are central to the modern websites as they provide necessary data and store critical information such as user credentials etc. these websites have been continuously targeted by highly motivated malicious users to acquire their intentions. Structured Query Language (SQL) injection and Cross Site Scripting Attack (XSS) is perhaps one of the most common application layer attack techniques used by hackers to deface websites, manipulate and/or delete the database contents through inputting unwanted command strings and using session cookies. SQL injection and XSS attacks are ranked as the two top most vulnerability attacks by the Open Web Application Security Project (OWASP) top 10, 2013 vulnerability list and has resulted in massive attacks on a number of websites including the government of Kenya ones recently. Agent orientation is emerging as a dominant research area and also prevails as a new paradigm constructing solutions to problems. Agents provide developers and designers with a way of structuring applications around autonomous and communicative elements In this study, we present a system that uses multi-agents to detect both SQL injection and XSS attacks vulnerabilities on web applications. The system has been developed in Java programming language and using Prometheus methodology as an Agent Oriented Software (AOS). It will specifically target websites in development environment for testing the vulnerabilities before being hosted in the production environment. We have also incorporated the testing of already hosted websites for the two vulnerabilities. Tests against a set of SQL injection and XSS attacks show the effectiveness of the proposed system to be used by web developers and owners of websites.