Defending Against Web Application Vulnerabilities
ABSTRACT
Web applications have become a critical part of business. They hold a treasure trove of
data behind their front ends. Nowadays attackers are well aware of the valuable
information accessible through web applications, so website security has become a major
problem. The number of vulnerabilities has multiplied in recent years.
Vulnerabilities like cross-site scripting (XSS), SQL injection and cross-site request forgery
(CSRF) have emerged as major threats to web applications. So, in order to protect web
applications from these modern threats, vulnerability assessment should first be carried
out from time to time, and preventive techniques should also be followed to stop
these threats. The motivation of this project is to promote the use of automated tools for
vulnerability assessment and to follow preventive techniques in order to make web
applications secure.
EXISTING SYSTEM:
Earlier, we saw how traditional network security solutions do not effectively protect against the
common vulnerabilities that exist within a Web application framework. However, the fact that these
tools do not adequately protect against Web application vulnerabilities does not mean that there is
no defense against these threats. On the contrary, a Web Application Firewall solution provides
protection that meets the compliance requirements set by one of the most stringent industry security
standards there is, the Payment Card Industry Data Security Standard (PCI DSS).
PROPOSED SYSTEM:
Although web application development has evolved over the years, modern web
threats are still a major challenge for web applications. Today web applications
are protected by traditional network security techniques, like firewalls and cryptography-
based mechanisms. The use of specific secure development techniques can help to
mitigate the problem; however, they are not always enough. So, in this section we present
prevention techniques that should be followed to make web applications even more
secure. We will discuss mainly the preventive techniques for SQL injection and cross-
site scripting (XSS).
MODULE DESCRIPTION:
Number of Modules
After careful analysis the system has been identified to have the following modules:
1. SQL Injection Module.
2. Cross Site Scripting (XSS) Module.
3. Detecting Vulnerabilities Module.
4. Detecting Attacks Module.
1. SQL Injection Module:
Injection attacks are the result of a Web application passing untrusted data to a back-end
server as part of a command. The most common case is malicious input being inserted into a
query string that is passed along to a SQL server for execution. This attack, known as SQL
injection, gives the attacker access to data that can then be stolen or manipulated.
2. Cross Site Scripting (XSS) Module:
Cross-Site Scripting, or XSS, is the most prevalent security flaw that Web applications
are vulnerable to. In an XSS attack, the attacker is able to insert malicious script code into a
Website. When this code is executed in a visitor's browser it can make the browser do
whatever the attacker wants. Typical attacks include installing malware, hijacking the user's
session, or redirecting the user to another site.
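The two preventive techniques the SQL injection and XSS modules describe, shown as an added example for the project's Java/MySQL stack (this is illustrative code, not the project's own): a query built by string concatenation beside its PreparedStatement replacement, and HTML output encoding. The users table, its columns and the WebAppDefense class name are assumptions; findEmailSafe needs a live JDBC Connection, so main only exercises the parts that run without one.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/** Added example (not from the project): a string-built query beside its
 *  parameterised fix, plus HTML output encoding against XSS. The users
 *  table and its columns are assumptions. */
public class WebAppDefense {
    // VULNERABLE: user input is pasted into the SQL text, so a quote in the
    // input changes the query's structure instead of being treated as data.
    static String buildQueryUnsafe(String username) {
        return "SELECT email FROM users WHERE username = '" + username + "'";
    }

    // FIXED: the SQL text is constant and the value is bound separately by
    // the JDBC driver, so it can never be parsed as SQL.
    static String findEmailSafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }

    // XSS defence: encode untrusted data before writing it into an HTML page
    // so the browser renders it as text rather than as markup.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // A legitimate name containing an apostrophe already breaks the
        // concatenated query; the prepared statement handles it as plain data.
        System.out.println(buildQueryUnsafe("O'Brien"));
        System.out.println(escapeHtml("<b>O'Brien & Co</b>"));
    }
}
```

The unsafe query printed for "O'Brien" is no longer valid SQL, which is the same defect an attacker exploits with crafted input; the bound parameter and the encoded output both keep user data strictly as data.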
3. Detecting Vulnerabilities Module:
1. White-box analysis.
2. Black-box testing.
3. Limitations of Vulnerability Detection.
1. White-box analysis:
- Analyzes the code without actually executing it, looking for potential vulnerabilities among other types of software defects.
- Requires access to the source code or bytecode.
- Automated tools provide an automatic way of highlighting possible coding errors.
- Ignores the runtime perspective.
2. Black-box testing:
- A specialization of robustness testing: analyzes the program's execution in the presence of malicious inputs, searching for vulnerabilities.
- Does NOT require access to the source code or bytecode.
- Automated tools provide an automatic way to search for vulnerabilities.
- Avoids a large number of manual tests.
- Ignores the internals of the application.
3. Limitations of Vulnerability Detection:
- Consists of identifying deviations from the correct behavior at runtime.
4. Detecting Attacks Module:
- Consists of identifying deviations from the correct behavior at runtime.
- Anomaly detection tools usually require a training phase with non-malicious requests.
- Signature-based tools look for patterns matching a predefined set of rules or signatures.
SOFTWARE REQUIREMENTS:
Operating System: Windows
Technology: Java and J2EE
Web Technologies: HTML, JavaScript, CSS
IDE: MyEclipse
Web Server: Tomcat
Tool kit: Android Phone
Database: MySQL
Java Version: J2SDK 1.5
HARDWARE REQUIREMENTS:
Hardware: Pentium
Speed: 1.1 GHz
RAM: 1 GB
Hard Disk: 20 GB
Floppy Drive: 1.44 MB
Keyboard: Standard Windows Keyboard
Mouse: Two or Three Button Mouse
Monitor: SVGA