Computer Science: Security Issues, Vulnerabilities, and Defense Mechanisms in Multimedia Applications
Multimedia generally refers to the field that deals with the integration of graphics, text, audio, and video, among many other forms of computer-controlled media. All types of information are typically stored, represented, and communicated digitally. Multimedia is undoubtedly a notable form of assorted media in fine art, and in the broader scope it is the term used to describe the combination of several media formats. Accordingly, multimedia applications are the various platforms that manipulate the collection of the already-mentioned media sources; they are the interface through which humans interact with multimedia data. These applications include any type of information system, remote representation, and the large field of entertainment. As a result, there is no universally agreed approach to classifying the countless applications. Their existence has been enabled in the contemporary era of the multifaceted World Wide Web (WWW), whose advancement to incorporate varied components and technologies has affected the consistent development of web applications. This paper discusses the diverse security issues, vulnerabilities, and defense mechanisms associated with multimedia applications. It presents a comprehensive survey of evolving and emerging web application vulnerabilities and describes the attack, evasion, and detection pattern mechanisms for all crucial web threats.
In the contemporary era of the Internet of Things (IoT), online facilities can be accessed easily by individuals in real time across the globe. IoT possesses self-configuring abilities grounded on basic and interconnected communication protocols, allowing physical and virtual objects to be identifiable via virtual representation. In spite of wide-ranging geographical locations, social networking sites continuously thrive alongside countless online shopping sites and internet banking, among other global modern web applications. The principal concept behind IoT is to connect embedded miniature objects to everyday things, transforming them into smart objects. Primary characteristics encompass wireless connectivity, mobility, and embedded sensors, among other technological uses, and support for innumerable devices.
IoT constitutes the adoption of the most advanced technologies, which altogether generate positive aspects such as increased effectiveness and enhanced efficiency. Unfortunately, most web applications are hastily designed and developed within short periods, which does not support the adoption of a robust security architecture. Often, web developers lack the expertise to detect and arrest web vulnerabilities. Subsequently, the frequent occurrence of this scenario establishes the biggest security threat against multimedia applications with regard to privacy invasion, denial of service, and unauthenticated access, to mention a few. In addition, inconsistencies among tools developed upon the WWW generate challenges in delivering viable defensive security methods for the safe development of multimedia applications. It is vital to comprehend the security threats as well as the possible defense mechanisms allied to these multimedia applications. Moreover, in the world today, contemporary web applications are developed under advanced technologies, which have significantly altered their complexity.
Several vulnerabilities have affected numerous web applications in nearly all fields. With the passing of time, the internet becomes more unpredictable and dynamic. These web applications are directly connected to the central server, which stores the database and records vital information regarding the applications. Originally, websites did not embrace user authentication; thus, attackers could easily access information and manipulate it. However, the information was not very beneficial, given that it was accessible by the public.
Figure 1. Multimedia Applications and Central Server Architecture.
Today, web applications have become crucial elements of various fields such as blogs, information gathering, shopping, social networking, and electronic mail. These applications encompass vital facilities such as logins, financial transactions, registration, and access to web content, which necessitate protection against impending threats and attacks.
Some of the most frequent security breaches are related to data confidentiality, data integrity, secure access control, and secure user authentication. Other security threats concern non-repudiation and availability, as discussed below.
The confidentiality of digital applications is allied to the protection of the user's identity alongside freedom from privacy intrusion. Threats to confidentiality involve the unauthorized ability to access and disclose confidential and sensitive data. All devices and multimedia applications constantly face the risk of a confidentiality breach. Poor encryption frameworks and backdoor access loopholes increase the chances of its occurrence.
Data integrity predominantly involves safeguarding meaningful information against access by cybercriminals. It also means protection from errors during transmission and reception, to ascertain the delivery of credible and accurate data. A breach of integrity occurs when malicious users alter the information in the communication medium. Information can also be compromised by significant errors caused by channel imperfections, instrumental weaknesses, and electromagnetic disturbances. Thus, multimedia applications can only be protected against integrity breaches by establishing a secure interface through the adoption of a secure medium.
Authenticity is significantly associated with guaranteeing network access to legitimate users only. Authentication threats include meddling with sensing and control information to gain unauthorized access to crucial data. Malicious users not only obtain the data but also have the ability to modify it or erase it altogether. Multimedia applications face this threat mainly due to the absence of appropriate techniques that prevent spoofing, tag cloning, and eavesdropping and that enforce authentication. Furthermore, the occurrence of this breach at the administrative level can interfere with the whole network by making it inaccessible to legitimate users. It also enables flooding of the network and theft of confidential data.
The availability of information refers to the pursuit of safeguarding immediate access to resources for authorized users. A chief objective of web services is to deliver data whenever it is required, in either normal or critical scenarios. Multimedia applications access very large amounts of data; therefore, ensuring data availability remains a priority, through the avoidance of denial of service attacks and bottleneck scenarios that potentially block the information flow, denying data to legitimate users.
Non-repudiation closely relates to the authentication of an authorized party to obtain access to a promised service. The relationship between them is a crucial characteristic of web services, which guarantees trustworthy communication. This potential breach is allied to certain aspects of the IoT, namely ubiquity, pervasiveness, and autonomy. This form of attack leads to the subsequent loss of connection, waste of resources, and the existence of resource constraints.
Cyber-attacks against multimedia applications can generally be categorized into two classes: active attacks and passive attacks. Active attacks involve attackers who access and modify the data stream within packets in the network. Active attackers, therefore, add faulty information, impersonate, or modify packets. On the other hand, passive attacks entail unauthorized access to and eavesdropping on the packet exchange. As a result, passive attackers collect information they have monitored and eavesdropped from the communication network. The most common cyber-attacks on multimedia applications on the web are listed in Table 1 and discussed comprehensively below.
Active attacks:
· Denial of Service
· Altered routing information
· Selective forwarding
· Sybil attack
· Wormhole attack
· Sinkhole attack
· Hello flood attack
· Black hole attack
· Acknowledgment spoofing
· Internet smurf attack

Passive attacks (attacks against privacy):
· Traffic analysis
· Monitoring and eavesdropping
· Camouflage adversaries

Table 1. Forms of Security Attacks.
The sinkhole attack is an active form of network layer attack that takes place during transmission when data is routed. During the attack, data is diverted to a compromised node in the network, reducing the original traffic flow. The phenomenon fools the network and the senders into believing that the compromised packet has been delivered to the intended destination. The sinkhole attack can be further manipulated to result in denial of service when attackers create traffic and disrupt the routing path.
DoS attacks take place at both the network and application layers, flooding the network with unwanted data to exhaust network resources. As a result, the network is made inaccessible to authentic users. Sensitive information is breached, potentially causing the entire network to shut down.
The Sybil attack typically targets the network layer by manipulating nodes and creating multiple identities for a single node. The endeavor compromises the entire system, resulting in false information and redundancy. Fake identities are established to generate wrong reports, invade privacy, and increase the traffic load with spam.
The hello flood attack manipulates the common assumption adopted by numerous protocols that, when they receive HELLO packets, the node is within radio range and is therefore perceived as a neighbor. Attackers who conduct this mischief use a high-powered transmitter to trick the nodes of the network. Attackers cause nodes to perceive malicious nodes as parent nodes, resulting in the loss of substantial data.
The wormhole attack is a severe form of active attack that can affect even encrypted traffic. This form of attack compromises location detection and causes routing failures by interfering with the network. Attackers construct a tunnel between two attacker nodes and cause all traffic to be transmitted through it. In the pursuit, attackers usually manipulate packet relays and packet encapsulation.
The selective forwarding attack is a version of the black hole attack, where a single node or multiple nodes are captured by attackers. A captured node performs selective forwarding by dropping selected packets while other nodes cover its tracks. The attack causes undetectable interference leading to packet losses. Subsequently, the integrity of the transferred information is compromised because it may be incomplete or completely unavailable.
Emerging web application vulnerabilities include ten major classifications, as outlined below (Table 2).
4.1. Injection
Description: Takes place when user-supplied data is passed to an interpreter as part of a command or query.
Impact: Attackers can force the interpreter to execute queries that access crucial information without consent.
Detection: Validate the use of command interpreters; examine the source code to confirm that interpreters are used securely.
Prevention: Maintain a white list that defines input validation.

4.2. Broken Authentication and Session Management
Description: Arises from improper implementation of application functions such as authentication and session management.
Impact: Enables attackers to access passwords, keys, session IDs, and credit card numbers.
Detection: Penetration testing and source code analysis; regularly review session management mechanisms.
Prevention: Define a proper website policy for checking user credentials; build a set of validation and robust controls for session management.

4.3. Cross-Site Scripting (XSS)
Description: Attacks against web applications that result from improper sanitization and validation of user-supplied input.
Impact: Attackers run malicious scripts, hijack user sessions, and steal cookies.
Detection: Identify the parts of the web application that accept input; verify the first condition; locate similar strings.
Prevention: Sanitize user-injected input; maintain a white list and a black list of websites; enforce strong input validation; adopt automated scanners.

4.4. Security Misconfiguration (SMC)
Description: Web applications and web servers are predisposed to insecure configuration.
Impact: Proper security hardening of portions of the web application stack is omitted.
Detection: Applications not updated with the latest patches; excessive application software features installed; silently enabled and unaltered user accounts and passwords.
Prevention: Development and production environments with different protected passwords; robust, protected isolation between components; occasional reviews.

4.5. Insecure Direct Object References (IDOR)
Description: Occurs due to exposed references to internal implementation objects such as files and database keys.
Impact: Attackers gain control over the references and steal vital data regardless of the existence of protection mechanisms.
Detection: Validate that all references to insecure objects have defense mechanisms.
Prevention: Shield all accessible objects.

4.6. Unvalidated Redirects and Forwards (URF)
Description: Multimedia applications often redirect users to other websites and use untrusted data to identify the target pages.
Impact: Attackers redirect web requests to phishing sites.
Detection: Test the source code for all uses of redirects and forwards; for each use, determine whether the destination URL is included in any value of the target parameter; crawl the website and check which HTTP response codes it produces.
Prevention: Avoid the use of redirects and forwards; where they are used, never include user-injected input in computing the target; validate the user-supplied value when the target destination cannot be avoided.

4.7. Sensitive Data Exposure (SDE)
Description: Passwords and cookies are exposed.
Impact: Attackers steal extremely crucial data, exploit session hijacking, and engage in credit card fraud.
Detection: Use of weak or expired cryptographic algorithms; check whether transferred information is kept in plain text for extended periods; check whether browser-related security directives are absent.
Prevention: Encrypt sensitive data; avoid accumulating security-sensitive information; store passwords according to a set of rules; follow strict procedures and use strong keys.

4.8. Missing Function Level Access Control (MFLAC)
Description: Improper validation of access rights.
Impact: Attackers craft counterfeit requests.
Detection: Verify whether the GUI displays navigation to unauthorized operations; confirm whether authorization and authentication checks are missing on the web server side; confirm proper execution of web server-side verifications.
Prevention: Manage rights so that users can be reviewed without problems; enforcement mechanisms must deny access by default; verify that the corresponding assertions are in an appropriate state.

4.9. Using Known Vulnerable Components (UKVC)
Description: Web applications integrate components such as libraries and numerous modules, which weakens their defensive measures.
Impact: Attackers exploit vulnerable components; loss of private data.
Detection: Locate the component repositories and keep the project mailing lists side by side to spot any perceivable weaknesses.
Prevention: Do not use components that cannot be updated; discover the latest versions of all components and their dependencies; establish security policies such as acceptable licenses and safety checks; install multiple security bindings around the boundary of components.

4.10. Cross-Site Request Forgery (CSRF)
Description: Attacks that enable attackers to run malicious actions on behalf of legitimate users.
Impact: Compromised data and corresponding functions.
Detection: Observe whether any web link or form lacks random token values; verify multi-step transactions.
Prevention: Insert a random token in every web request; tokens must be unique per session of the authorized user.
Table 2. Emerging Web Application Vulnerabilities.
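The URF prevention row above says to validate the user-supplied value when a redirect target cannot be avoided. The following is an added example, not code from the paper or any project it cites, showing why a prefix check is not enough and what an allowlist check based on the resolved URL looks like. The host names, the site base and the sample inputs are constructed for illustration.

```python
# Added example (not from the paper): validating a user-supplied redirect
# target, as the URF row in Table 2 recommends, against an allowlist.
# The naive check and the sample URLs below are constructed for illustration.
from urllib.parse import urlparse, urljoin

# Hosts this (hypothetical) application is allowed to redirect to.
ALLOWED_HOSTS = {"media.example.com", "login.example.com"}
SITE_BASE = "https://media.example.com/"


def naive_is_safe(target: str) -> bool:
    """The weak check: accepts anything that looks like a local path."""
    return target.startswith("/")


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Resolve `target` against the site base and return it only if the
    resulting absolute URL uses https and an allowlisted host; otherwise
    return `fallback`. Resolving first is what catches scheme-relative
    targets such as '//other.example' that a prefix check lets through."""
    # Reject control characters and backslashes before parsing; browsers
    # normalise '\' to '/', so '/\host' can be interpreted as '//host'.
    if any(ord(c) < 0x20 or c == "\\" for c in target):
        return fallback
    resolved = urljoin(SITE_BASE, target)
    parts = urlparse(resolved)
    if parts.scheme != "https" or parts.netloc not in ALLOWED_HOSTS:
        return fallback
    if parts.username or parts.password:   # user@host forms are not allowed
        return fallback
    return resolved


# Constructed sample inputs a redirect parameter might carry.
SAMPLES = [
    "/account/settings",                         # legitimate local path
    "https://login.example.com/sso",             # legitimate allowlisted host
    "//evil.example/phish",                      # scheme-relative; naive check passes
    "/\\evil.example",                           # backslash variant
    "https://evil.example/phish",                # plain external site
    "https://media.example.com@evil.example/",   # userinfo form
]


def compare_checks(targets=SAMPLES):
    """Return (naive_verdict, hardened_target) for each sample input."""
    return [(naive_is_safe(t), safe_redirect_target(t)) for t in targets]


if __name__ == "__main__":
    for t, (naive, hardened) in zip(SAMPLES, compare_checks()):
        print(f"{t!r}: naive={naive} hardened -> {hardened}")
```

The hardened check returns the fallback path for every external or malformed sample while the naive check accepts the scheme-relative and backslash forms.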
Web multimedia applications can be accessed via numerous domains due to their adopted nature of having multiple user regimes. As such, these applications require robust security frameworks that allow users to be confident in the services and data provided. Moreover, it is vital for security frameworks to differentiate between machines and human users. Any multimedia company embracing IoT applies defense mechanisms in the fields of encryption algorithms, trust controls, access controls, lightweight public key management, and resource constraints. The security of multimedia applications is essential, particularly because they are heavily used in humans' daily lives, whether in the business, health, or education sectors. As a result, most multimedia applications have adopted a security system categorized into three inter-related stages: the authentication phase, the session management stage, and finally the data access-control phase.
This stage acts as the first line of defense against malicious access. It is typically the login page that verifies a user's account. At this point, the user must authenticate by entering the password for the particular web application, as shown below. The inclusion of this phase ensures the application compares the details entered by the user with the information initially registered by the user. Applications then allow access when the information is correct; if the data entered is wrong, the user will not access the account. Nevertheless, in the practical world, the authentication phase constitutes the weakest link because it enables attackers to gain unauthorized access. Some of the flaws associated with this phase include the use of weak passwords, which can easily be cracked, brute-force logins, and insecure storage of records.
Figure 2. Authentication Phase.
Weak passwords can be prevented, first, by including a system that rejects obvious passwords derived from the basic data entered in the personal information fields. The second provision by multimedia applications against weak passwords is a system that specifies a minimum password length and indicates the degree of strength depending on the types of characters chosen. On the other hand, to combat brute-force logins, multimedia applications are designed to allow three login attempts. Finally, to guarantee secure storage of records, web applications are designed with highly effective encryption techniques that are changed periodically.
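The three authentication-phase defenses just described (rejecting passwords derived from profile data, a minimum length with a character-class strength rating, and a three-attempt limit), as an added example that is not code from the paper. The length, the rating thresholds, the PBKDF2 storage scheme and the sample profile are assumptions chosen for illustration.

```python
# Added example (not from the paper): authentication-phase policy checks.
# Limits, rating scale and the sample profile are assumptions.
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12      # assumed minimum password length
MAX_ATTEMPTS = 3     # three login attempts, as the paper describes


def derived_from_profile(password: str, profile: dict) -> bool:
    """True if the password contains any profile fragment (name part,
    e-mail part, birth year) of four or more characters, case-insensitively."""
    pw = password.lower()
    for value in profile.values():
        for piece in re.split(r"[@.\s_-]+", str(value).lower()):
            if len(piece) >= 4 and piece in pw:
                return True
    return False


def strength(password: str) -> str:
    """Rate by the number of character classes present: weak/medium/strong."""
    classes = sum(bool(re.search(p, password)) for p in
                  (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return {3: "medium", 4: "strong"}.get(classes, "weak")


def validate_new_password(password: str, profile: dict) -> list:
    """Return the list of policy violations (empty means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if derived_from_profile(password, profile):
        problems.append("derived from personal information")
    if strength(password) == "weak":
        problems.append("uses too few character classes")
    return problems


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-SHA256: the stored record never holds the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class LoginGuard:
    """Counts failed attempts per user and locks the account after MAX_ATTEMPTS."""

    def __init__(self, records: dict):
        self.records = records          # user -> (salt, digest)
        self.failures = {}

    def login(self, user: str, password: str) -> str:
        if self.failures.get(user, 0) >= MAX_ATTEMPTS:
            return "locked"
        salt, digest = self.records.get(user, (b"", b""))
        ok = bool(salt) and hmac.compare_digest(hash_password(password, salt)[1], digest)
        if ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"


# Constructed sample profile used by the checks above.
PROFILE = {"name": "Alice Mwangi", "email": "alice.m@example.com", "born": "1990"}
```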
The session management stage defines the technique particularly utilized by web designers and developers. This phase ensures that users do not have to enter their login information again. It identifies a user across different requests and gathers all the information concerning the state of a user's interaction with the multimedia application. The data is stored on the web server in the form of tokens, where each session bears a distinct session identifier (ID). This phase holds essential information such as the password and user name, among other account details. A major flaw observed in this phase is defective token generation as a consequence of weak encryption techniques.
To overcome the defect in token generation, multimedia applications apply a two-phase solution. In the first phase, the web application modifies specific token values, such as the submitted session token identifier, and checks them for validation. This phase detects any session management flaw of the web application, identifying any weak tokens. The second phase applies after the user has successfully accessed the account via the token ID. The token is split into smaller sub-tokens, from which information is filtered out. If the information revealed is essential, the larger set of tokens is inserted between the original token ID. A random code generation procedure is then performed on the token value, which is then encrypted via robust cryptographic mechanisms.
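One concrete reading of the two-phase token handling above, as an added example that is not the paper's code: phase 1 inspects a submitted session identifier and flags weak ones (too short, digits only, low estimated entropy); phase 2 builds a token from random sub-tokens and an HMAC tag so that a guessed or tampered token fails verification. The token format, the thresholds and the server key are assumptions.

```python
# Added example (not from the paper): two-phase session token handling.
# Token layout, thresholds and SERVER_KEY are assumptions for illustration.
import hashlib
import hmac
import math
import secrets
from collections import Counter

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (assumed)
MIN_ENTROPY_BITS = 64                  # assumed acceptance threshold


def shannon_entropy_bits(token: str) -> float:
    """Estimate the token's entropy from its character distribution."""
    counts = Counter(token)
    n = len(token)
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_char * n


def phase1_weak_token(token: str) -> list:
    """Phase 1: reasons a submitted session ID is considered weak ([] if none)."""
    reasons = []
    if len(token) < 16:
        reasons.append("too short")
    if token.isdigit():
        reasons.append("numeric only (looks like a counter or timestamp)")
    if shannon_entropy_bits(token) < MIN_ENTROPY_BITS:
        reasons.append("low estimated entropy")
    return reasons


def phase2_issue_token(user_id: str) -> str:
    """Phase 2: join two random sub-tokens with the user id and sign them.
    Assumed format: <user_id>.<sub1>.<sub2>.<hmac-sha256 hex>"""
    sub1, sub2 = secrets.token_hex(16), secrets.token_hex(16)
    body = f"{user_id}.{sub1}.{sub2}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def phase2_verify_token(token: str):
    """Return the user id if the tag verifies, else None. The constant-time
    comparison avoids leaking how many tag bytes matched."""
    try:
        user_id, sub1, sub2, tag = token.rsplit(".", 3)
    except ValueError:
        return None
    body = f"{user_id}.{sub1}.{sub2}"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    print(phase1_weak_token("1000042"))          # a counter-style session ID
    tok = phase2_issue_token("alice")
    print(phase1_weak_token(tok), phase2_verify_token(tok))
```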
This stage basically hosts two major activities. The first involves access control of different users, while the second involves data storage accessibility. Both work in unison to confirm the user's identity and verify the specific user rights that allow the user to access information from the multimedia application. A flaw associated with this stage particularly encompasses the occurrence of SQL injection.
The defense mechanism employed to counter SQL injection is intended to eliminate the problem through a CSQL and SSQL analyzer. The security provisions of applications are interrelated with each other. Originally, verification of session management and authentication ensures that the security of data access control is maintained. This can reduce the chances of SQL attacks on web applications. To avoid an imminent attack, it is recommended to have a query analyzer on both the client and server sides, represented as CSQL and SSQL respectively. The former verifies the entered record and forwards it to the latter, which will be more efficient. SSQL first verifies the user's input fields, after which the user can log in to the account. Following the successful login, the SSQL analyzer checks the origin and consequences of the requested data to estimate the repercussions on the multimedia application. If the probability suggests more negative effects, that account is blocked.
Figure 3. User Login Procedure.
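An added example, not the paper's code, of the client-side (CSQL) and server-side (SSQL) checks in the spirit of the design described above: CSQL rejects input outside the username alphabet, and SSQL validates again and then binds the value as a query parameter, so the database engine never parses it as SQL. The concatenating lookup is included only to contrast it with the parameterized one; the analyzer names, the username rules and the SQLite rows are assumptions.

```python
# Added example (not from the paper): CSQL/SSQL-style login lookup.
# Username alphabet, table layout and sample rows are constructed.
import re
import sqlite3

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


def csql_validate(username: str) -> bool:
    """CSQL (client side): cheap format check before the request is sent.
    Anything outside the username alphabet, e.g. quotes or comment
    sequences, is rejected here; the server re-checks regardless."""
    return bool(USERNAME_RE.fullmatch(username))


def make_db():
    """Constructed sample table of user accounts in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, blocked INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "h1", 0), ("bob", "h2", 0), ("mallory", "h3", 1)])
    return conn


def lookup_vulnerable(conn, username: str):
    """Builds the query by string concatenation: any quote in the input
    becomes part of the SQL grammar instead of data (a name such as
    o'brien already breaks the statement)."""
    sql = "SELECT name, blocked FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchone()


def ssql_lookup(conn, username: str):
    """SSQL (server side): validate again, then bind the value as a
    parameter so the database engine treats it purely as data."""
    if not csql_validate(username):
        return None
    return conn.execute(
        "SELECT name, blocked FROM users WHERE name = ?", (username,)
    ).fetchone()


def ssql_login_decision(conn, username: str) -> str:
    """Full SSQL decision: 'rejected' (bad input), 'unknown', 'blocked' or 'ok'.
    'blocked' mirrors the paper's step of refusing an account judged harmful."""
    if not csql_validate(username):
        return "rejected"
    row = ssql_lookup(conn, username)
    if row is None:
        return "unknown"
    return "blocked" if row[1] else "ok"


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "mallory", "nobody", "bob' --"):
        print(f"{name!r}: {ssql_login_decision(db, name)}")
```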
The IoT provides the explicit opportunity to connect billions of devices via the development of multimedia web applications, irrespective of time and place on the WWW. These applications continually redefine physical-world communication among humans, necessitating proper privacy and security mechanisms in all networks. Web application attacks demand consideration of different factors and the use of different defense mechanisms. Security attacks are classified depending on the network layers on which they occur. Loopholes in security are often leveraged by attackers and hackers who conduct malicious activities such as leaking confidential information, engaging in financial fraud, circulating false data, and locking administrators out of the system. Whereas some security attacks are more predominant at particular protocol layers, the required defense mechanisms may not always be the same.
The explicit vulnerabilities disclosed by this paper cover a considerably wide range, but there exist several further potential threats that a web application user must take into account and monitor for particular platforms. Indeed, the absence of appropriate and effective defense mechanisms imminently impacts the usability of web applications on a considerable scale. Additionally, data forms a vital asset in the contemporary era; thus, security threats and attacks cause violations of information integrity, which consequently result in economic losses. Nevertheless, a multimedia application developer and web user must explore beyond the weaknesses and threats described in this paper. Besides, the factors that can generally affect the ultimate safety of web applications are unlimited.
- Pavithra A, Aathilingam M, Prakash SM. Multimedia and its applications. International Journal for Research & Development in Technology. 2018; 5:271-6.
- Steinmetz R, Nahrstedt K. Multimedia applications. In: Multimedia Applications. Springer, Berlin, Heidelberg; 2004. pp. 197-214.
- Gupta S, Gupta BB. Detection, avoidance, and attack pattern mechanisms in modern web application vulnerabilities: present and future challenges. International Journal of Cloud Applications and Computing (IJCAC). 2017 Jul 1; 7(3):1-43.
- Ahanger TA, Aljumah A. Internet of Things: A comprehensive study of security issues and defense mechanisms. IEEE Access. 2018 Nov 1; 7:11020-8.
- S, Adhikari S. A survey of security attacks, defenses and security mechanisms in wireless sensor network. International Journal of Computer Applications. 2015; 131(17):28-35.
- Phithakkitnukoon S, Dantu R, Baatarjav EA. VoIP Security: Attacks and Solutions. Information Security Journal: A Global Perspective. 2008; 17(3):114-123. DOI: 10.1080/19393550802308618
- Yousaf K, Iftikhar A, Javed A, Tahir A. Explore and Exploit Security Flaws in Web Applications for Implementing Efficient Security Provision Techniques. International Journal of Information and Education Technology. 2012 Apr 1; 2(2):143.