Information Security for a Web-Based Content Management System

Alexandra Raymond, raymond6@tcnj.edu, Undergraduate
Dr. Monisha Pulimood

Problem

Web-based database systems are vulnerable to a variety of security issues, including SQL injection attacks and other types of malicious input, as well as integrity and privacy problems. Such vulnerabilities can result in security threats that are dangerous not only to the system but to its users as well, since they can expose users' personal information to attackers. With web-based database systems becoming ubiquitous, system and information security has become even more important.

This project seeks to develop efficient and effective security measures for the content management system of Unbound, The College of New Jersey's online magazine. Contributors should be able to safely upload articles and other media for validation. In this type of system, the integrity of content is also an important concern: contributors must have appropriately restricted access privileges so that the editing process cannot be misused. Protection methods will be researched in order to design and implement better security.

Background

A web-based application like Unbound is prone to an array of security issues, including malicious input that can compromise system integrity and information privacy. One type of vulnerability is SQL injection: a command injection attack on an interactive web-based application that uses a database. The attacker submits, through the ordinary user interface, input containing SQL fragments that cause the application to execute a query different from the one the developer intended. A system vulnerable to command injection attacks is insecure, potentially giving the user access to private information. Validating user input, which can be accomplished in a variety of ways, can prevent SQL injection.
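The following is an added example, not code from the proposal or from the Unbound system, showing the injection described above and the two defences the proposal names: verifying the input's data type before it reaches the database, and avoiding dynamic SQL by passing user values as query parameters. The table, article titles and the crafted search string are constructed for the example; the parameterized-query API is Python's standard sqlite3 module.

```python
import sqlite3

# Constructed sample data: three articles, one of them an unpublished draft
# that a public search must never return.
SAMPLE_ARTICLES = [
    ("Campus Life", 1),
    ("Sports Recap", 1),
    ("Draft: Unreleased Interview", 0),
]


def make_demo_db():
    """Build an in-memory SQLite database holding the constructed sample articles."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT NOT NULL, "
        "published INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO articles (title, published) VALUES (?, ?)", SAMPLE_ARTICLES)
    conn.commit()
    return conn


def search_published_vulnerable(conn, title):
    """Dynamic SQL: the caller's string is spliced into the query text.

    Whatever the string contains is interpreted as SQL, so a value holding a
    quote character can rewrite the WHERE clause the developer wrote."""
    sql = "SELECT title FROM articles WHERE published = 1 AND title = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]


def search_published_safe(conn, title):
    """Parameterized query: the driver passes the title as data, never as SQL text."""
    sql = "SELECT title FROM articles WHERE published = 1 AND title = ?"
    return [row[0] for row in conn.execute(sql, (title,))]


def get_article_by_id(conn, raw_id):
    """Verify the input's type before it reaches the database.

    An article id must be a string of decimal digits; anything else is
    rejected up front rather than handed to the database to interpret."""
    if not isinstance(raw_id, str) or not raw_id.isdigit():
        raise ValueError("article id must be a string of decimal digits")
    row = conn.execute("SELECT title FROM articles WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_demo_db()
    # Constructed regression input: a closing quote followed by an always-true clause.
    crafted = "x' OR '1'='1"
    print("dynamic SQL:  ", search_published_vulnerable(conn, crafted))  # includes the draft
    print("parameterized:", search_published_safe(conn, crafted))        # matches nothing
```

The crafted string turns the vulnerable query's condition into `(published = 1 AND title = 'x') OR '1'='1'`, which is true for every row, so the unpublished draft is returned; the parameterized version compares the whole string against the title column and finds nothing. The remaining measures from the proposal, running the application under a database account with the lowest privilege necessary and storing data securely, are applied at the database and deployment level rather than in this code.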
Other methods of preventing SQL injection are to avoid dynamic SQL statements, verify input data types, grant the lowest access privilege necessary, and store data securely [3].

Implementing levels of access control is an effective step toward a more secure system. Some types of access control are mandatory, discretionary, and nondiscretionary. In mandatory access control, all objects are assigned a label on a scale of classification, and only subjects with the same or a higher level of clearance can access them. Discretionary access control grants a subject access to objects depending on the subject's identity, while nondiscretionary access control depends on the role or task the subject has been assigned. One model of access control is the Biba model; this model is a type of state machine model that uses two properties for request evaluation and focuses on data integrity. The Bell-LaPadula model also uses two properties, but its focus is instead on data privacy [6].

Approach and Uniqueness

The problem will be approached through research on the types of attacks to which web systems like Unbound are vulnerable, as well as methods of preventing these attacks, including access control, authentication, least privilege practices, and secure encryption [6]. Research will also be conducted into maintaining content and system integrity while facilitating the interactivity of the online magazine's content management system. The research will provide the basis for the design and implementation of security measures for the Unbound content management system. Since the system itself is already largely implemented, the focus will be on improving and replacing the temporary and insufficient security measures already in place.

The system behind Unbound contributes to the uniqueness of this project.
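The Biba and Bell-LaPadula models described in the Background section, evaluated in code as an added example (not part of the original proposal or of the Unbound system). Each model is reduced to its two properties on a pair of ordered levels, and a small reference monitor records the accesses it grants so that a request only changes the system state when the model's properties hold. The three levels and their mapping to Unbound roles (reader below contributor below editor) are an assumption made for the example.

```python
from enum import IntEnum


class Level(IntEnum):
    """Ordered levels, constructed for the example. Read as classification
    levels under Bell-LaPadula and as integrity levels under Biba; the
    mapping to Unbound roles is an assumption."""
    READER = 0
    CONTRIBUTOR = 1
    EDITOR = 2


def bell_lapadula(action, subject, obj):
    """Bell-LaPadula (confidentiality).
    Simple security property: no read up    -> subject level >= object level.
    *-property:               no write down -> subject level <= object level."""
    if action == "read":
        return subject >= obj
    if action == "write":
        return subject <= obj
    raise ValueError(f"unknown action {action!r}")


def biba(action, subject, obj):
    """Biba (integrity), the dual of Bell-LaPadula.
    Simple integrity property: no read down -> subject level <= object level.
    Integrity *-property:      no write up  -> subject level >= object level."""
    if action == "read":
        return subject <= obj
    if action == "write":
        return subject >= obj
    raise ValueError(f"unknown action {action!r}")


MODELS = {"bell-lapadula": bell_lapadula, "biba": biba}


class ReferenceMonitor:
    """Minimal state machine: the state is the set of accesses currently held,
    and a request transitions the state only if the model's properties allow it."""

    def __init__(self, model):
        self.check = MODELS[model]
        self.granted = set()  # (subject_name, object_name, action)

    def request(self, subject_name, subject_level, object_name, object_level, action):
        allowed = self.check(action, subject_level, object_level)
        if allowed:
            self.granted.add((subject_name, object_name, action))
        return allowed


def demo():
    """Run the same constructed requests under both models; returns the decisions."""
    requests = [
        ("contributor", Level.CONTRIBUTOR, "draft",     Level.CONTRIBUTOR, "write"),
        ("contributor", Level.CONTRIBUTOR, "published", Level.EDITOR,      "write"),
        ("editor",      Level.EDITOR,      "draft",     Level.CONTRIBUTOR, "read"),
        ("reader",      Level.READER,      "published", Level.EDITOR,      "read"),
    ]
    decisions = {}
    for name in MODELS:
        monitor = ReferenceMonitor(name)
        decisions[name] = [monitor.request(*req) for req in requests]
    return decisions


if __name__ == "__main__":
    for model, outcome in demo().items():
        print(model, outcome)
```

The same four requests decide differently under the two models: Bell-LaPadula lets a contributor write into an editor-level object (writing up leaks nothing) but refuses a reader's read of it, while Biba refuses the contributor's write up (it would lower the integrity of editor-level content) and, in its strict form, also refuses the editor's read of a lower-integrity draft. That last refusal is why a content management system that wants editors to review drafts needs a variant of the integrity model or an explicit review step rather than strict Biba alone.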
Not only is Unbound's content entirely student contributed, but the content management system itself was developed by students last year, specifically to create an environment supportive of interactive journalism, where media can be contributed from anywhere in the world.

Results and Contribution

Security for systems like the Unbound content management system is an important and widespread issue. Developing security measures for Unbound will have applications far beyond the college's online magazine, contributing to system security for many types of web-based systems. In addition, the innovative system makes contributions to the field of online journalism by changing not only how articles and features are presented and accessed by users, but how the content flows behind the scenes, from writers and between editors, all across the web, before it ever reaches the reader.

References

[1] Andrews, M., and J.A. Whittaker. 2006. How to Break Web Software. Addison-Wesley, Upper Saddle River, NJ.
[2] Buehrer, G., B.W. Weide, and P.A.G. Sivilotti. 2005. Using parse tree validation to prevent SQL injection attacks. In Proceedings of the 5th International Workshop on Software Engineering and Middleware (SEM '05). ACM Press.
[3] Litwin, P. 2004. Stop SQL Injection Attacks Before They Stop You. MSDN Magazine, Volume 19, Issue 9. Microsoft Corporation.
[4] Solomon, M.G., and M. Chapple. 2005. Information Security Illuminated. Jones and Bartlett Publishers, Salisbury, MA.
[5] Su, Z., and G. Wassermann. 2006. The essence of command injection attacks in web applications. In Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL '06), Volume 41, Issue 1. ACM Press.