Defending Against Web Application Vulnerabilities

ABSTRACT

Web applications have become a critical part of business. They hold a treasure trove of data behind their front ends. Nowadays attackers are well aware of the valuable information accessible through web applications, so website security has become a major problem. The number of vulnerabilities has multiplied in recent years. Vulnerabilities like cross site scripting (XSS), SQL injection and cross site request forgery (CSRF) have emerged as major threats to web applications. So, in order to protect web applications from these modern threats, vulnerability assessment should first be carried out from time to time, and preventive techniques should also be followed to prevent these threats. The motivation of this project is to promote the use of automated tools for vulnerability assessment and to follow preventive techniques in order to make web applications secure.

EXISTING SYSTEM:

Earlier, we saw how traditional network security solutions do not effectively protect against the common vulnerabilities that exist within a web application framework. However, the fact that these tools do not adequately protect against web application vulnerabilities does not mean that there is no defense against these threats. On the contrary, a Web Application Firewall solution provides protection that meets the compliance regulations set by one of the most stringent industry security standards there is, the Payment Card Industry Data Security Standard.

PROPOSED SYSTEM:

Although web application development has evolved over the years, modern web threats are still seen as a major challenge in web applications. Today, web applications are protected by traditional network security techniques such as firewalls and cryptography-based mechanisms. The use of specific secure development techniques can help to mitigate the problem; however, they are not always enough.
So, in this section we present prevention techniques that should be followed to make web applications even more secure. We will mainly discuss the preventive techniques for SQL injection and cross site scripting (XSS).

MODULE DESCRIPTION:

Number of Modules

After careful analysis the system has been identified to have the following modules:
1. SQL Injection Module.
2. Cross Site Scripting (XSS) Module.
3. Detecting Vulnerabilities Module.
4. Detecting Attacks Module.

1. SQL Injection Module:
Injection attacks are the result of a web application sending untrusted data to the server. The most common attack occurs when malicious code is inserted into a string that is passed along to a SQL server for execution. This attack, known as SQL injection, allows the attacker access to data which can be stolen or manipulated.

2. Cross Site Scripting (XSS) Module:
Cross-Site Scripting, or XSS, is the most prevalent security flaw that web applications are vulnerable to. In an XSS attack, the attacker is able to insert malicious code into a website. When this code is executed in a visitor's browser it can manipulate the browser to do whatever the attacker wants. Typical attacks include installing malware, hijacking the user's session, or redirecting the user to another site.

3. Detecting Vulnerabilities Module:
1. White-box analysis.
2. Black-box testing.
3. Limitations of Vulnerability Detection.

1. White-box analysis: Analyzes the code without actually executing it, looking for potential vulnerabilities among other types of software defects. Requires access to the source code or bytecode. Automated tools provide an automatic way of highlighting possible coding errors. Ignores the runtime perspective.

2. Black-box testing: A specialization of robustness testing: analyzes the program execution in the presence of malicious inputs, searching for vulnerabilities. Does NOT require access to the source code or bytecode. Automated tools provide an automatic way to search for vulnerabilities.
Avoids a large number of manual tests. Ignores the internals of the application.

3. Limitations of Vulnerability Detection: Consists of identifying deviations from the correct behavior at runtime.

4. Detecting Attacks Module:
Consists of identifying deviations from the correct behavior at runtime. Anomaly detection tools usually require a training phase with non-malicious requests. Signature-based tools look for patterns from a predefined set of rules or signatures.

SOFTWARE REQUIREMENTS:
Operating System : Windows
Technology : Java and J2EE
Web Technologies : HTML, JavaScript, CSS
IDE : MyEclipse
Web Server : Tomcat
Tool kit : Android Phone
Database : MySQL
Java Version : J2SDK1.5

HARDWARE REQUIREMENTS:
Hardware : Pentium
Speed : 1.1 GHz
RAM : 1 GB
Hard Disk : 20 GB
Floppy Drive : 1.44 MB
Key Board : Standard Windows Keyboard
Mouse : Two or Three Button Mouse
Monitor : SVGA
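The SQL Injection and Cross Site Scripting modules describe the two flaws, and the proposed system promises prevention techniques for them. The following is an added example, not code from this project (whose stated stack is Java/J2EE with MySQL): it uses Python's built-in sqlite3 in-memory database and html.escape so that it runs stand-alone. The users table, its rows, the function names and the login flow are all constructed for the illustration. It places the vulnerable string-concatenated query beside its parameterised form, and unescaped HTML output beside escaped output, so the effect of each prevention technique can be checked directly.

```python
import html
import sqlite3


def build_db():
    """Constructed sample data: an in-memory table standing in for the
    project's MySQL backend (hypothetical schema, not from the project)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input is concatenated into the SQL text, which is exactly the
    flaw the SQL Injection Module describes: the input becomes part of the
    query grammar rather than staying a value."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: the SQL text is fixed and the values travel
    separately, so a quote in the input can never change the query."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def render_greeting_vulnerable(display_name):
    """Reflects untrusted input into HTML unescaped (reflected XSS)."""
    return "<p>Welcome, " + display_name + "</p>"


def render_greeting_safe(display_name):
    """Output encoding: html.escape turns <, >, &, " and ' into entities so the
    browser renders the input as text instead of executing it as markup."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    db = build_db()
    # A classic tautology input: both fields become ' OR '1'='1
    bad = "' OR '1'='1"
    print("vulnerable login rows:", login_vulnerable(db, bad, bad))  # every user
    print("parameterised login rows:", login_safe(db, bad, bad))      # []
    print(render_greeting_vulnerable("<script>x</script>"))
    print(render_greeting_safe("<script>x</script>"))
```

Run it and compare the two login results: the concatenated query returns every row, the parameterised one returns none, and the same tautology string is simply an unknown username. The same pattern applies to JDBC in the project's Java stack, where PreparedStatement with bound parameters plays the role of the ? placeholders here.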
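The Detecting Attacks Module contrasts signature-based tools, which match requests against a predefined rule set, with anomaly detection tools, which first need a training phase on non-malicious requests. The following added example (not part of this project) implements a minimal version of both over constructed request-log lines. The log format, the three signatures, the character-class profile and the length threshold are all assumptions made for the illustration; a production tool would use a much richer rule set and model.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines ("METHOD target"), not taken from any real system.
TRAINING_LOG = [
    "GET /search?q=shoes",
    "GET /search?q=red+shoes",
    "GET /item?id=42",
    "GET /item?id=107",
    "GET /login?user=alice",
]
TEST_LOG = [
    "GET /item?id=55",
    "GET /item?id=42'+OR+'1'='1",
    "GET /search?q=%3Cscript%3Ex%3C/script%3E",
    "GET /search?q=sneakers",
]

# Signature-based detection: a predefined set of rules (assumed, illustrative).
SIGNATURES = [
    ("xss-script-tag", re.compile(r"<\s*script", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    ("sqli-union", re.compile(r"\bunion\b.+\bselect\b", re.I)),
]


def parse_request(line):
    """Split a log line into (path, {param: decoded value})."""
    _method, _, target = line.partition(" ")
    parts = urlsplit(target)
    return parts.path, dict(parse_qsl(parts.query, keep_blank_values=True))


def signature_matches(line):
    """Return the sorted names of every signature that matches a parameter value."""
    _path, params = parse_request(line)
    hits = set()
    for value in params.values():
        for name, pattern in SIGNATURES:
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)


def char_classes(value):
    """Coarse character classes used as the anomaly-detection feature."""
    classes = set()
    for ch in value:
        if ch.isdigit():
            classes.add("digit")
        elif ch.isalpha():
            classes.add("alpha")
        elif ch == " ":
            classes.add("space")
        else:
            classes.add("other")
    return classes


def train_profile(lines):
    """Training phase on non-malicious requests only: for each (path, parameter)
    record the character classes seen and the longest value observed."""
    profile = {}
    for line in lines:
        path, params = parse_request(line)
        for name, value in params.items():
            entry = profile.setdefault((path, name), {"classes": set(), "max_len": 0})
            entry["classes"] |= char_classes(value)
            entry["max_len"] = max(entry["max_len"], len(value))
    return profile


def anomalies(profile, line):
    """Anomaly detection: report deviations from the trained profile."""
    path, params = parse_request(line)
    findings = []
    for name, value in params.items():
        entry = profile.get((path, name))
        if entry is None:
            findings.append(f"{name}: parameter never seen in training")
            continue
        unexpected = char_classes(value) - entry["classes"]
        if unexpected:
            findings.append(f"{name}: unexpected character classes {sorted(unexpected)}")
        if len(value) > 2 * entry["max_len"]:  # assumed threshold: twice the training maximum
            findings.append(f"{name}: length {len(value)} exceeds profile")
    return findings


def scan(lines, profile):
    """Run both detectors over each request; returns (line, signatures, anomalies)."""
    return [(line, signature_matches(line), anomalies(profile, line)) for line in lines]


if __name__ == "__main__":
    learned = train_profile(TRAINING_LOG)
    for line, sigs, anoms in scan(TEST_LOG, learned):
        print(line, "| signatures:", sigs, "| anomalies:", anoms)
```

The two detectors fail differently, which is why the text presents them as alternatives: the signature rules catch only the patterns someone wrote down, while the profile flags any value that looks unlike the training traffic, including benign requests the training set did not cover, so in practice both the rule set and the training data need ongoing maintenance.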