Upload
prateek
View
217
Download
0
Embed Size (px)
Citation preview
8/18/2019 Evaluation of Web Security--modified Document
1/47
Evaluation of Web Security Mechanisms
Using Vulnerability & Attack Injection
Abstract:
Attack injection in web applications allows malicious users to obtain unrestricted access
to private and confidential information. SQL injection is ranked at the top in web application
attack mechanisms used by hackers to steal data from organizations. Hackers can take
advantages due to flawed design! improper coding practices! improper validations of user input!
configuration errors! or other weaknesses in the infrastructure. "his paper proposes a
methodology for the detection of e#ploitations of SQL injection attacks. $hen the user submitsthe SQL %uery at the runtime! the %uery has to be parsed by the independent service for the
correctness of the syntactic structure and user data. "his approach is to prevent all forms of SQL
injections! independent of the target system! independent to platform and &ackend '& server.
Eisting System:
$eb sites need protection in their database to assure security. An SQL injection attacks
interactive web applications that provide database services. "hese applications take user inputs
and use them to create an SQL %uery at run time. (n an SQL injection attack! an attacker might
insert a malicious SQL %uery as input to perform an unauthorized database operation. )sing SQL
injection attacks! an attacker can retrieve or modify confidential and sensitive information from
the database. "here are different types of attacks to attack the web application like !autologies"
#ogically Incorrect $ueries" Union $uery" Store% roce%ure" 'lin% injection Attacks"
!iming injection Attacks( (n e#isting also available several detection method. &ut this method
are not effective and efficient to detect the attacks.
8/18/2019 Evaluation of Web Security--modified Document
2/47
)isa%vantages of eisting system:
• Attacker can steal confidential data of the web application with these attacks resulting
loss of market value of the web application
• (t cannot be detect the attacks efficiently.• (f it is a university web application the attacker will enter and affect or change the
university results and confidential information.
ro*ose% system:
(n proposed system will develop a university web application to detect the attacks *throw
s%l injection.+ and prevent the application using the prevent method *,(-/ for 'etecting SQL
(njection Attacks+. Here we prevent our web application from the tautology attack using the
vi*er method. (n this method will show the efficient detection mechanism and also prevent the
university web application from the attack injection.
A%vantages of *ro*ose% system:
• (t detect the attacks efficiently using viper method .
• 0ind the attacker in the university web application who *attacker+ will enter the
application and change the confidential information */esults! 1rade etc.!+ of university.
•
(t prevent the web application from all types of attacks.
System architecture:
8/18/2019 Evaluation of Web Security--modified Document
3/47
)A!A+#,W )IA-.AM:
8/18/2019 Evaluation of Web Security--modified Document
4/47
Staf Login
Upload Result and timetable
Send Request to CEO
View Request and approval -CEO
Student Login
View Result and Timetable
HO Login
Upload Event
!dmin login
View all details
!tta"#er ete"tion
$revent !tta"#er
USE/ASE )IA-.AM:
8/18/2019 Evaluation of Web Security--modified Document
5/47
SE$UE0/E )IA-.AM:
8/18/2019 Evaluation of Web Security--modified Document
6/47
/#ASS )IA-.AM:
8/18/2019 Evaluation of Web Security--modified Document
7/47
A/!IVI!1 )IA-.AM:
8/18/2019 Evaluation of Web Security--modified Document
8/47
8/18/2019 Evaluation of Web Security--modified Document
9/47
Attacker !y*e:
!autologies:
"his type of attack represent to the SQL manipulation category in which attacker
can inject malicious code into %uery! it is based on the conditional statement. 0or e#ample a
%uery for login2
SL3" 4 0/56 )ser (nfo $H/ )sername78puspendra8 and -assword78 ( 9:;78>8. "he resulting %uery will be2
SL3" 4 0/56 )ser (nfo $H/ )sername 7 ? 5/ >78>8@ and -as sword78 ( 9:;
8/18/2019 Evaluation of Web Security--modified Document
10/47
B5$A'ACS there is an increasing dependency on web applications! ranging from
individuals to large organizations. Almost everything is stored! available or traded on the web.
$eb applications can be personal websites! blogs! news! social networks! web mails! bank
agencies! forums! ecommerce applications! etc. "he omnipresence of web applications in our
way of life and in our economy is so important that it makes them a natural target for malicious
minds that want to e#ploit this new streak.
"he security motivation of web application developers and administrators should reflect
the magnitude and relevance of the assets they are supposed to protect. Although there is an
increasing concern about security *often being subject to regulations from governments and
corporations+! there are significant factors that make securing web applications a difficult task to
achieve2
>. "he web application market is growing fast! resulting in a huge proliferation of web
applications! based on different languages! frameworks! and protocols! largely fueled by
the *apparent+ simplicity one can develop and maintain such applications.
9. $eb applications are highly e#posed to attacks from anywhere in the world! which can be
conducted by using widely available and simple tools like a web browser.
:. (t is common to find web application developers! administrators and power users without
the re%uired knowledge or e#perience in the area of security.
;. $eb applications provide the means to access valuable enterprise assets. 6any times they
are the main interface to the information stored in backend databases! other times they are
the path to the inside of the enterprise network and computers.
Bot surprisingly! the overall situation of web application security is %uite favorable to
attacks. (n fact! estimations point to a very large number of web applications with security
vulnerabilities and! conse%uently! there are numerous reports of successful security breaches and
e#ploitations. 5rganized crime is naturally flourishing in this promising market! if we consider
the millions of dollars earned by such organizations in the underground economy of the web.
System re2uirements:
3ar%4are re2uirements:
8/18/2019 Evaluation of Web Security--modified Document
11/47
• System 2 -entium (, 9.; 1Hz.
• Hard 'isk 2 ;D 1&.
• 0loppy 'rive 2 ;; 6b.
• 6onitor 2 >< ,1A 3olour.
• 6ouse 2
• /am 2 9 6b.
Soft4are re2uirements:
• 5perating system 2 $indows E-FG.
• 3oding Language 2 A,AF9
• (' 2 Betbeans G.;
• 'atabase 2 6CSQL
#A0-UA-E SE/I+I/A!I,0S:
8/18/2019 Evaluation of Web Security--modified Document
12/47
5ava !echnology
ava technology is both a programming language and a platform.
!he 5ava rogramming #anguage
"he ava programming language is a highlevel language that can be characterized by all of the
following buzzwords2
Simple
Architecture neutral
5bject oriented
-ortable
'istributed
High performance
(nterpreted
6ultithreaded
/obust
'ynamic
Secure
$ith most programming languages! you either compile or interpret a program so that you
can run it on your computer. "he ava programming language is unusual in that a program is
both compiled and interpreted. $ith the compiler! first you translate a program into an
intermediate language called Java byte codes Ithe platformindependent codes interpreted by
the interpreter on the ava platform. "he interpreter parses and runs each ava byte code
instruction on the computer. 3ompilation happens just once@ interpretation occurs each time the
program is e#ecuted.
8/18/2019 Evaluation of Web Security--modified Document
13/47
"he following figure illustrates how this works.
Cou can think of ava bytecodes as the machine code instructions for the Java Virtual Machine
*ava ,6+. very ava interpreter! whether its a development tool or a $eb browser that can run applets!
is an implementation of the ava ,6. ava bytecodes help make Jwrite once! run anywhereK possible.
Cou can compile your program into bytecodes on any platform that has a ava compiler. "he bytecodes
can then be run on any implementation of the ava ,6. "hat means that as long as a computer has a ava
,6! the same program written in the ava programming language can run on $indows 9DDD! a Solaris
workstation! or on an i6ac.
8/18/2019 Evaluation of Web Security--modified Document
14/47
!he 5ava latform
A platform is the hardware or software environment in which a program runs. $eve
already mentioned some of the most popular platforms like $indows 9DDD! Linu#! Solaris! and
6ac5S. 6ost platforms can be described as a combination of the operating system and hardware.
"he ava platform differs from most other platforms in that its a softwareonly platform that runs
on top of other hardwarebased platforms.
"he ava platform has two components2
• "he Java Virtual Machine *ava ,6+
• "he Java Application Programming Interface *ava A-(+
Couve already been introduced to the ava ,6. (ts the base for the ava platform and is
ported onto various hardwarebased platforms.
"he ava A-( is a large collection of readymade software components that provide
many useful capabilities! such as graphical user interface *1)(+ widgets. "he ava A-( is
grouped into libraries of related classes and interfaces@ these libraries are known as
packages. "he ne#t section! $hat 3an ava "echnology 'o! highlights what
functionality some of the packages in the ava A-( provide.
"he following figure depicts a program thats running on the ava platform. As the
figure shows! the ava A-( and the virtual machine insulate the program from the
hardware.
Bative code is code that after you compile it! the compiled code runs on a specific
hardware platform. As a platformindependent environment! the ava platform can be a bit
slower than native code. However! smart compilers! welltuned interpreters! and justintime
8/18/2019 Evaluation of Web Security--modified Document
15/47
bytecode compilers can bring performance close to that of native code without threatening
portability.
What Can Java Technology Do?
"he most common types of programs written in the ava programming language are applets and
applications. (f youve surfed the $eb! youre probably already familiar with applets. An applet
is a program that adheres to certain conventions that allow it to run within a avaenabled
browser.
However! the ava programming language is not just for writing cute! entertaining applets
for the $eb. "he generalpurpose! highlevel ava programming language is also a
powerful software platform. )sing the generous A-(! you can write many types of
programs.
An application is a standalone program that runs directly on the ava platform. A special
kind of application known as a server serves and supports clients on a network. #amples
of servers are $eb servers! pro#y servers! mail servers! and print servers. Another specialized program is a servlet . A servlet can almost be thought of as an applet that runs
on the server side. ava Servlets are a popular choice for building interactive web
applications! replacing the use of 31( scripts. Servlets are similar to applets in that they
are runtime e#tensions of applications. (nstead of working in browsers! though! servlets
run within ava $eb servers! configuring or tailoring the server.
How does the A-( support all these kinds of programs (t does so with packages of
software components that provide a wide range of functionality. very full
implementation of the ava platform gives you the following features2
• !he essentials2 5bjects! strings! threads! numbers! input and output! data structures!
system properties! date and time! and so on.
• A**lets2 "he set of conventions used by applets.
8/18/2019 Evaluation of Web Security--modified Document
16/47
• 0et4orking2 )/Ls! "3- *"ransmission 3ontrol -rotocol+! )'- *)ser 'ata gram
-rotocol+ sockets! and (- *(nternet -rotocol+ addresses.
• Internationali6ation2 Help for writing programs that can be localized for users
worldwide. -rograms can automatically adapt to specific locales and be displayed in the
appropriate language.
• Security2 &oth low level and high level! including electronic signatures! public and
private key management! access control! and certificates.
• Soft4are com*onents2 Mnown as ava&eans"6! can plug into e#isting component
architectures.
• ,bject seriali6ation2 Allows lightweight persistence and communication via /emote
6ethod (nvocation */6(+.
• 5ava )atabase /onnectivity 75)'/!M82 -rovides uniform access to a wide range of
relational databases.
"he ava platform also has A-(s for 9' and :' graphics! accessibility! servers! collaboration!
telephony! speech! animation! and more. "he following figure depicts what is included in the ava
9 S'M.
8/18/2019 Evaluation of Web Security--modified Document
17/47
How Will Java Technology Change My Life?
$e cant promise you fame! fortune! or even a job if you learn the ava programminglanguage. Still! it is likely to make your programs better and re%uires less effort than other
languages. $e believe that ava technology will help you do the following2
• -et starte% 2uickly2 Although the ava programming language is a powerful object
oriented language! its easy to learn! especially for programmers already familiar with 3
or 3NN.
• Write less co%e2 3omparisons of program metrics *class counts! method counts! and so
on+ suggest that a program written in the ava programming language can be four timessmaller than the same program in 3NN.
• Write better co%e2 "he ava programming language encourages good coding practices!
and its garbage collection helps you avoid memory leaks. (ts object orientation! its
ava&eans component architecture! and its wideranging! easily e#tendible A-( let you
reuse other peoples tested code and introduce fewer bugs.
• )evelo* *rograms more 2uickly2 Cour development time may be as much as twice as
fast versus writing the same program in 3NN. $hy Cou write fewer lines of code and it
is a simpler programming language than 3NN.• Avoi% *latform %e*en%encies 4ith 9; ure 5ava2 Cou can keep your program
portable by avoiding the use of libraries written in other languages. "he >DDO -ure ava
"6 -roduct 3ertification -rogram has a repository of historical process manuals! white
papers! brochures! and similar materials online.
• Write once" run any4here2 &ecause >DDO -ure ava programs are compiled into
machineindependent byte codes! they run consistently on any ava platform.
• )istribute soft4are more easily2 Cou can upgrade applets easily from a central server.
Applets take advantage of the feature of allowing new classes to be loaded Jon the fly!Kwithout recompiling the entire program.
8/18/2019 Evaluation of Web Security--modified Document
18/47
,)'/
6icrosoft 5pen 'atabase 3onnectivity *5'&3+ is a standard programming interface for
application developers and database systems providers. &efore 5'&3 became a de facto
standard for $indows programs to interface with database systems! programmers had to use
proprietary languages for each database they wanted to connect to. Bow! 5'&3 has made the
choice of the database system almost irrelevant from a coding perspective! which is as it should
be. Application developers have much more important things to worry about than the synta# that
is needed to port their program from one database to another when business needs suddenly
change.
"hrough the 5'&3 Administrator in 3ontrol -anel! you can specify the particular
database that is associated with a data source that an 5'&3 application program is written to
use. "hink of an 5'&3 data source as a door with a name on it. ach door will lead you to a
particular database. 0or e#ample! the data source named Sales 0igures might be a SQL Server
database! whereas the Accounts -ayable data source could refer to an Access database. "he
physical database referred to by a data source can reside anywhere on the LAB.
"he 5'&3 system files are not installed on your system by $indows P=bit and a :9bit version of this program and each maintains a separate list of 5'&3 data
Sources.
0rom a programming perspective! the beauty of 5'&3 is that the application can be
written to use the same set of function calls to interface with any data source! regardless of the
database vendor. "he source code of the application doesnt change whether it talks to 5racle or
SQL Server. $e only mention these two as an e#ample. "here are 5'&3 drivers available for
several dozen popular database systems. ven #cel spreadsheets and plain te#t files can be
8/18/2019 Evaluation of Web Security--modified Document
19/47
turned into data sources. "he operating system uses the /egistry information written by 5'&3
Administrator to determine which lowlevel 5'&3 drivers are needed to talk to the data source
*such as the interface to 5racle or SQL Server+. "he loading of the 5'&3 drivers is transparent
to the 5'&3 application program. (n a clientFserver environment! the 5'&3 A-( even handles
many of the network issues for the application programmer.
"he advantages of this scheme are so numerous that you are probably thinking there must
be some catch. "he only disadvantage of 5'&3 is that it isnt as efficient as talking directly to
the native database interface. 5'&3 has had many detractors make the charge that it is too slow.
6icrosoft has always claimed that the critical factor in performance is the %uality of the driver
software that is used. (n our humble opinion! this is true. "he availability of good 5'&3 drivers
has improved a great deal recently. And anyway! the criticism about performance is somewhatanalogous to those who said that compilers would never match the speed of pure assembly
language. 6aybe not! but the compiler *or 5'&3+ gives you the opportunity to write cleaner
programs! which means you finish sooner. 6eanwhile! computers get faster every year.
5)'/
(n an effort to set an independent database standard A-( for ava! Sun 6icrosystems
developed ava 'atabase 3onnectivity! or '&3. '&3 offers a generic SQL database access
mechanism that provides a consistent interface to a variety of /'&6S. "his consistent interface
is achieved through the use of JpluginK database connectivity modules! or drivers. (f a database
vendor wishes to have '&3 support! he or she must provide the driver for each platform that the
database and ava run on.
"o gain a wider acceptance of '&3! Sun based '&3s framework on 5'&3. As you
discovered earlier in this chapter! 5'&3 has widespread support on a variety of platforms.
&asing '&3 on 5'&3 will allow vendors to bring '&3 drivers to market much faster than
developing a completely new connectivity solution.
8/18/2019 Evaluation of Web Security--modified Document
20/47
'&3 was announced in 6arch of >PP=. (t was released for a PD day public review that
ended une ! >PP=. &ecause of user input! the final '&3 v>.D specification was released soon
after.
"he remainder of this section will cover enough information about '&3 for you to know what it
is about and how to use it effectively. "his is by no means a complete overview of '&3. "hat
would fill an entire book.
5)'/ -oals
0ew software packages are designed without goals in mind. '&3 is one that! because of
its many goals! drove the development of the A-(. "hese goals! in conjunction with early
reviewer feedback! have finalized the '&3 class library into a solid framework for building
database applications in ava.
"he goals that were set for '&3 are important. "hey will give you some insight as to why
certain classes and functionalities behave the way they do.
"he design goals for '&3 are as follows2
8/18/2019 Evaluation of Web Security--modified Document
21/47
>. SQL Level API
"he designers felt that their main goal was to define a SQL interface for ava. Although
not the lowest database interface level possible! it is at a low enough level for higherlevel
tools and A-(s to be created. 3onversely! it is at a high enough level for application
programmers to use it confidently. Attaining this goal allows for future tool vendors to
JgenerateK '&3 code and to hide many of '&3s comple#ities from the end user .
9. SQL Conformance
SQL synta# varies as you move from database vendor to database vendor. (n an
effort to support a wide variety of vendors! '&3 will allow any %uery statement to be
passed through it to the underlying database driver. "his allows the connectivity module to
handle nonstandard functionality in a manner that is suitable for its users.
:. JDC m!"t #e im$lemental on to$ of common %ata#a"e interface"
"he '&3 SQL A-( must JsitK on top of other common SQL level A-(s. "his goal allows
'&3 to use e#isting 5'&3 level drivers by the use of a software interface. "his interface
would translate '&3 calls to 5'&3 and vice versa.
;. Provi%e a Java interface that i" con"i"tent with the re"t of the Java "y"tem
&ecause of avas acceptance in the user community thus far! the designers feel that they
should not stray from the current design of the core ava system.
8/18/2019 Evaluation of Web Security--modified Document
22/47
Java Program
Compilers
Interpreter
My Program
&ecause more often than not! the usual SQL calls used by the programmer are simple
SL3"s! (BS/"s! 'L"s and )-'A"s! these %ueries should be simple to perform with
'&3. However! more comple# SQL statements should also be possible.
0inally we decided to proceed the implementation using ava Betworking.And for
dynamically updating the cache table we go for 6S Access database.
ava is also unusual in that each java program is both compiled and
interpreted. with a compile you translate a java program into an intermediate language
called java byte codes the platformindependent code instruction is passed and run on
the computer.compilation happens just once@ interpretation occurs each time the
program is e#ecuted. the figure illustrates how this works.
you can think of java byte codes as the machine code instructions for the java
virtual machine *java vm+. every java interpreter! whether its a java development tool
or a web browser that can run java applets! is an implementation of the java vm. the
java vm can also be implemented in hardware.ava byte codes help make Jwrite once!
run anywhereK possible. you can compile your java program into byte codes on my
platform that has a java compiler. the byte codes can then be run any implementation
of the java vm. for e#ample! the same java program can run windows nt! solaris! and
macintosh.
0etbeans:
8/18/2019 Evaluation of Web Security--modified Document
23/47
Bet&eans is an integrated development environment *('+ for developing primarily with
ava! but also with other languages! in particular -H-! 3F3NN! and H"6L
8/18/2019 Evaluation of Web Security--modified Document
24/47
"here is no need to write a main method for your application because the Bet&eans
-latform already contains one. Also! support is provided for persisting user settings across restart
of the application! such as! by default! the size and positions of the windows in the application.
luggability" Service Infrastructure" an% +ile System:
nd users of the application benefit from pluggable applications because these enable
them to install modules into their running applications. Bet&eans modules can be installed!
uninstalled! activated! and deactivated at runtime! thanks to the runtime container. "he Bet&eans
-latform provides an infrastructure for registering and retrieving service implementations!
enabling you to minimize direct dependencies between individual modules and enabling a
loosely coupled architecture *high cohesion and low coupling+.
"he Bet&eans -latform provides a virtual file system! which is a hierarhical registry for
storing user settings! comparable to the $indows /egistry on 6icrosoft $indows systems. (t
also includes a unified A-( providing streamoriented access to flat and hierarchical structures!
such as diskbased files on local or remote servers! memorybased files! and even E6L
documents.
Win%o4 System" Stan%ar%i6e% UI !oolkit" an% A%vance% )ata
8/18/2019 Evaluation of Web Security--modified Document
25/47
provides a generic model for presenting your data. "he Bet&eans #plorer T -roperty Sheet A-(
provides several advanced Swing components for displaying nodes. (n addition to a window
system! the Bet&eans -latform provides many other )(related components! such as a property
sheet! a palette! comple# Swing components for presenting data! a -lugin 6anager! and an
5utput window.
Miscellaneous +eatures" )ocumentation" an% !ooling Su**ort:
"he Bet&eans ('! which is the software development kit *S'M+ of the Bewt&eans
-latform! provides many templates and tools! such as the award winning 6atisse 1)( &uilder
that enables you to very easily design your application8s layout. "he Bet&eans -latform e#poses
a rich set of A-(s! which are tried! tested! and continually being improved. "he community is
helpful and diverse! while a vast library of blogs! books! tutorials! and training materials are
continually being developed and updated in multiple languages by many different people around
the world.
8/18/2019 Evaluation of Web Security--modified Document
26/47
A*ache !omcat:
Apache "omcat *or simply "omcat! formerly also akarta "omcat+ is an open source web
server and servlet container developed by the Apache Software 0oundation *AS0+. "omcat
implements the ava Servlet and the avaServer -ages *S-+ specifications from 5racle
3orporation! and provides a ?pure ava? H""- web server environment for ava code to run.
/om*onent taonomy2
"omcat8s architecture follows the construction of a 6atrushka doll from /ussia. (n other
words! it is all about containment where one entity contains another! and that entity in turn
contains yet another. (n "omcat! a 8container8 is a generic term that refers to any component that
can contain another! such as a Server! Service! ngine! Host! or 3onte#t. 5f these! the Server and
Service components are special containers! designated as "op Level lements as they represent
aspects of the running "omcat instance. All the other "omcat components are subordinate to
these top level elements. "he ngine! Host! and 3onte#t components are officially termed
3ontainers! and refer to components that process incoming re%uests and generate an appropriate
outgoing response.
Bested 3omponents can be thought of as subelements that can be nested inside either
"op Level lements or other 3ontainers to configure how they function. #amples of nestedcomponents include the ,alve! which represents a reusable unit of work@ the -ipeline! which
represents a chain of ,alves strung together@ and a /ealm which helps set up containermanaged
security for a particular container. 5ther nested components include the Loader which is used to
enforce the specification8s guidelines for servlet class loading@ the 6anager that supports session
management for each web application@ the /esources component that represents the web
application8s static resources and a mechanism to access these resources@ and the Listener that
allows you to insert custom processing at important points in a container8s life cycle! such as
when a component is being started or stopped. Bot all nested components can be nested within
every container. A final major component! which falls into its own category! is the 3onnector. (t
represents the connection end point that an e#ternal client *such as a web browser+ can use to
connect to the "omcat container.
8/18/2019 Evaluation of Web Security--modified Document
27/47
Architectural benefits:
"his architecture has a couple of useful features. (t not only makes it easy to manage
component life cycles *each component manages the life cycle notifications for its children+! but
also to dynamically assemble a running "omcat server instance that is based on the information
that has been read from configuration files at startup. (n particular! the server.#ml file is parsed at
startup! and its contents are used to instantiate and configure the defined elements! which are
then assembled into a running "omcat instance. "he server.#ml file is read only once! and edits to
it will not be picked up until "omcat is restarted. "his architecture also eases the configuration
burden by allowing child containers to inherit the configuration of their parent containers. 0or
instance! a /ealm defines a data store that can be used for authentication and authorization of
users who are attempting to access protected resources within a web application. 0or ease of
configuration! a realm that is defined for an engine applies to all its children hosts and conte#ts.
8/18/2019 Evaluation of Web Security--modified Document
28/47
At the same time! a particular child! such as a given conte#t! may override its inherited realm by
specifying its own realm to be used in place of its parent8s realm.
!o* #evel /om*onents:
"he Server and Service container components e#ist largely as structural conveniences. A
Server represents the running instance of "omcat and contains one or more Service children!
each of which represents a collection of re%uest processing components.
Server: A Server represents the entire "omcat instance and is a singleton within a ava ,irtual
6achine! and is responsible for managing the life cycle of its contained services. "he following
image depicts the key aspects of the Server component. As shown! a Server instance is
configured using the server.#ml configuration file. "he root element of this file is UServerV and
represents the "omcat instance. (ts default implementation is provided using
org.apache.catalina.core.StandardServer! but you can specify your own custom implementation
through the class Bame attribute of the UServerV element.
A key aspect of the Server is that it opens a server socket on port DD< *the default+ to
listen a shutdown command *by default! this command is the te#t string SH)"'5$B+. $hen
this shutdown command is received! the server gracefully shuts itself down. 0or security reasons!
the connection re%uesting the shutdown must be initiated from the same machine that is running
this instance of "omcat. A Server also provides an implementation of the ava Baming and
8/18/2019 Evaluation of Web Security--modified Document
29/47
'irectory (nterface *B'(+ service! allowing you to register arbitrary objects *such as data
sources+ or environment variables! by name. At runtime! individual components *such as
servlets+ can retrieve this information by looking up the desired object name in the server8s B'(
bindings. $hile a B'( implementation is not integral to the functioning of a servlet container! it
is part of the ava specification and is a service that servlets have a right to e#pect from their
application servers or servlet containers. (mplementing this service makes for easy portability of
web applications across containers. $hile there is always just one server instance within a ,6!
it is entirely possible to have multiple server instances running on a single physical machine!
each encased in its own ,6. 'oing so insulates web applications that are running on one ,6
from errors in applications that are running on others! and simplifies maintenance by allowing a
,6 to be restarted independently of the others. "his is one of the mechanisms used in a shared
hosting environment *the other is virtual hosting! which we will see shortly+ where you need
isolation from other web applications that are running on the same physical server.
Service:
$hile the Server represents the "omcat instance itself! a Service represents the set of
re%uest processing components within "omcat. A Server can contain more than one Service!
where each service associates a group of 3onnector components with a single ngine. /e%uests
from clients are received on a connector! which in turn funnels them through into the engine!
which is the key re%uest processing component within "omcat. "he image shows connectors for
H""-! H""-S! and the Apache Serv -rotocol *A-+. "here is very little reason to modify this
element! and the default Service instance is usually sufficient.
8/18/2019 Evaluation of Web Security--modified Document
30/47
A hint as to when you might need more than one Service instance can be found in the above
image. As shown! a service aggregates connectors! each of which monitors a given (- address
and port! and responds in a given protocol. An e#ample use case for having multiple services!
therefore! is when you want to partition your services *and their contained engines! hosts! and
web applications+ by (- address andFor port number.
0or instance! you might configure your firewall to e#pose the connectors for one service
to an e#ternal audience! while restricting your other service to hosting intranet applications thatare visible only to internal users. "his would ensure that an e#ternal user could never access your
(ntranet application! as that access would be blocked by the firewall. "he Service! therefore! is
nothing more than a grouping construct. (t does not currently add any other value to the
proceedings.
8/18/2019 Evaluation of Web Security--modified Document
31/47
/onnectors:
A 3onnector is a service endpoint on which a client connects to the "omcat container. (t
serves to insulate the engine from the various communication protocols that are used by clients!
such as H""-! H""-S! or the Apache Serv -rotocol *A-+. "omcat can be configured to work
in two modesIStandalone or in 3onjunction with a separate web server. (n standalone mode!
"omcat is configured with H""- and H""-S connectors! which make it act like a fullfledged
web server by serving up static content when re%uested! as well as by delegating to the 3atalina
engine for dynamic content. 5ut of the bo#! "omcat provides three possible implementations of
the H""-F>.> and H""-S connectors for this mode of operation. "he most common are the
standard connectors! known as 3oyote which are implemented using standard ava (F5
mechanisms. Cou may also make use of a couple of newer implementations! one which uses the
nonblocking B(5 features of ava >.;! and the other which takes advantage of native code that is
optimized for a particular operating system through the Apache -ortable /untime *A-/+. Bote
that both the 3onnector and the ngine run in the same ,6.
(n fact! they run within the same Server instance. (n conjunction mode! "omcat plays a
supporting role to a web server! such as Apache httpd or 6icrosoft8s ((S. "he client here is the
web server! communicating with "omcat either through an Apache module or an (SA-( 'LL.
$hen this module determines that a re%uest must be routed to "omcat for processing! it will
communicate this re%uest to "omcat using A-! a binary protocol that is designed to be more
efficient than the te#t based H""- when communicating between a web server and "omcat. 5n
8/18/2019 Evaluation of Web Security--modified Document
32/47
the "omcat side! an A- connector accepts this communication and translates it into a form that
the 3atalina engine can process.
(n this mode! "omcat is running in its own ,6 as a separate process from the web
server. (n either mode! the primary attributes of a 3onnector are the (- address and port on which
it will listen for incoming re%uests! and the protocol that it supports. Another key attribute is the
ma#imum number of re%uest processing threads that can be created to concurrently handle
incoming re%uests. 5nce all these threads are busy! any incoming re%uest will be ignored until a
thread becomes available. &y default! a connector listens on all the (- addresses for the given
physical machine *its address attribute defaults to D.D.D.D+. However! a connector can be
configured to listen on just one of the (- addresses for a machine. "his will constrain it to accept
connections from only that specified (- address. Any re%uest that is received by any one of a
service8s connectors is passed on to the service8s single engine. "his engine! known as 3atalina! is
responsible for the processing of the re%uest! and the generation of the response. "he engine
returns the response to the connector! which then transmits it back to the client using the
appropriate communication protocol.
8/18/2019 Evaluation of Web Security--modified Document
33/47
S$# Server =>
6icrosoft SQL Server is a relational database management system developed by
6icrosoft. As a database! it is a software product whose primary function is to store and retrieve
data as re%uested by other software applications! be it those on the same computer or those
running on another computer across a network *including the (nternet+. "here are at least a dozen
different editions of 6icrosoft SQL Server aimed at different audiences and for different
workloads *ranging from small applications that store and retrieve data on the same computer! to
millions of users and computers that access huge amounts of data from the (nternet at the same
time+. "rue to its name! 6icrosoft SQL Server8s primary %uery languages are "SQL and ABS(
SQL.
S$# Server Architecture )iagram:
SQL Server 9DD< *formerly codenamed ?Cukon?+ was released in 5ctober 9DD
8/18/2019 Evaluation of Web Security--modified Document
34/47
0or this purpose! it defined an #ml data type that could be used either as a data type in database
columns or as literals in %ueries.
E6L columns can be associated with ES' schemas@ E6L data being stored is verified
against the schema. E6L is converted to an internal binary data type before being stored in the
database. Specialized inde#ing methods were made available for E6L data. E6L data is %ueried
using EQuery@ SQL Server 9DD< added some e#tensions to the "SQL language to allow
embedding EQuery %ueries in "SQL. (n addition! it also defines a new e#tension to EQuery!
called E6L '6L! that allows %uerybased modifications to E6L data. SQL Server 9DD< also
allows a database server to be e#posed over web services using "abular 'ata Stream *"'S+
packets encapsulated within S5A- *protocol+ re%uests. $hen the data is accessed over web
services! results are returned as E6L.
3ommon Language /untime *3L/+ integration was introduced with this version!
enabling one to write SQL code as 6anaged 3ode by the 3L/. 0or relational data! "SQL has
been augmented with error handling features *tryFcatch+ and support for recursive %ueries with
3"s *3ommon "able #pressions+. SQL Server 9DD< has also been enhanced with new
inde#ing algorithms! synta# and better error recovery systems. 'ata pages are checksummed for
better error resiliency! and optimistic concurrency support has been added for better
performance. -ermissions and access control have been made more granular and the %uery
processor handles concurrent e#ecution of %ueries in a more efficient way. -artitions on tables
and inde#es are supported natively! so scaling out a database onto a cluster is easier.
SQL 3L/ was introduced with SQL Server 9DD< to let it integrate with the .B"
0ramework. SQL Server 9DD< introduced ?6A/S? *6ultiple Active /esults Sets+! a method of
allowing usage of database connections for multiple purposes. SQL Server 9DD< introduced
'6,s *'ynamic 6anagement ,iews+! which are specialized views and functions that return
server state information that can be used to monitor the health of a server instance! diagnose problems! and tune performance. Service -ack > *S->+ of SQL Server 9DD< introduced 'atabase
6irroring!a high availability option that provides redundancy and failover capabilities at the
database level. 0ailover can be performed manually or can be configured for automatic failover.
8/18/2019 Evaluation of Web Security--modified Document
35/47
S1S!EM S!U)1
+EASI'I#I!1 S!U)1
"he feasibility of the project is analyzed in this phase and business proposal is put
forth with a very general plan for the project and some cost estimates. 'uring system analysis the
feasibility study of the proposed system is to be carried out. "his is to ensure that the proposed
system is not a burden to the company. 0or feasibility analysis! some understanding of the major
re%uirements for the system is essential.
"hree key considerations involved in the feasibility analysis are
♦ 35B56(3AL 0AS(&(L("C
♦ "3HB(3AL 0AS(&(L("C
♦ S53(AL 0AS(&(L("C
E/,0,MI/A# +EASI'I#I!1
"his study is carried out to check the economic impact that the system will have on the
organization. "he amount of fund that the company can pour into the research and development
of the system is limited. "he e#penditures must be justified. "hus the developed system as well
within the budget and this was achieved because most of the technologies used are freely
available. 5nly the customized products had to be purchased.
!E/30I/A# +EASI'I#I!1
"his study is carried out to check the technical feasibility! that is! the technical
re%uirements of the system. Any system developed must not have a high demand on the available
technical resources. "his will lead to high demands on the available technical resources. "his
will lead to high demands being placed on the client. "he developed system must have a modestre%uirement! as only minimal or null changes are re%uired for implementing this system.
8/18/2019 Evaluation of Web Security--modified Document
36/47
S,/IA# +EASI'I#I!1
"he aspect of study is to check the level of acceptance of the system by the user. "his
includes the process of training the user to use the system efficiently. "he user must not feel
threatened by the system! instead must accept it as a necessity. "he level of acceptance by the
users solely depends on the methods that are employed to educate the user about the system and
to make him familiar with it. His level of confidence must be raised so that he is also able to
make some constructive criticism! which is welcomed! as he is the final user of the system.
8/18/2019 Evaluation of Web Security--modified Document
37/47
8/18/2019 Evaluation of Web Security--modified Document
38/47
"he procedure level testing is made first. &y giving improper inputs! the errors occurred are
noted and eliminated. "his is the final step in system life cycle. Here we implement the tested
errorfree system into reallife environment and make necessary changes! which runs in an online
fashion. Here system maintenance is done every months or year based on company policies! and
is checked for errors like runtime errors! long run errors and other maintenances like table
verification and reports.
U0I! !ES!I0-
)nit testing verification efforts on the smallest unit of software design! module. "his is
known as J6odule "estingK. "he modules are tested separately. "his testing is carried out during
programming stage itself. (n these testing steps! each module is found to be working
satisfactorily as regard to the e#pected output from the module.
I0!E-.A!I,0 !ES!I0-
(ntegration testing is a systematic techni%ue for constructing tests to uncover error
associated within the interface. (n the project! all the modules are combined and then the entire
programmer is tested as a whole. (n the integrationtesting step! all the error uncovered is
corrected for the ne#t testing steps.
8/18/2019 Evaluation of Web Security--modified Document
39/47
#iterature Survey
!itle: -recise Alias Analysis for Static 'etection of $eb Application ,ulnerabilities
Author: B. ovanovic ! 3. Mruegel and . Mirda
)escri*tion: "he number and the importance of web applications have increased rapidly over the
last years. At the same time! the %uantity and impact of security vulnerabilities in such
applications have grown as well. Since manual code reviews are timeconsuming! errorprone
and costly! the need for automated solutions has become evident. (n this paper! we address the
problem of vulnerable web applications by means of static source code analysis. "o this end! we
present a novel! precise alias analysis targeted at the uni%ue reference semantics commonly
found in scripting languages. 6oreover! we enhance the %uality and %uantity of the generated
vulnerability reports by employing a novel! iterative twophase algorithm for fast and precise
resolution of file inclusions.$e integrated the presented concepts into
-i#yWXciteYjovanovicD=2pi#yZshort[! a highprecision static analysis tool aimed at detecting
crosssite scripting vulnerabilities in -H- scripts. "o demonstrate the effectiveness of our
techni%ues! we analyzed three web applications and discovered >D= vulnerabilities. &oth the high
analysis speed as well as the low number of generated false positives show that our techni%ues
can be used for conducting effective security audits.
8/18/2019 Evaluation of Web Security--modified Document
40/47
!itle:
Fault Injection for Formal Testing of Fault Tolerance
Author: D. Avresky , J. Arlat , J.C. Laprie and . Crou!et
)escri*tion:
"his study addresses the use of fault injection for e#plicitly removing
designFimplementation faults in comple# faulttolerance algorithms and mechanisms *0"A6+!
viz! faulttolerance deficiency faults. A formalism is introduced to represent the 0"A6 by a set
of assertions. "his formalism enables an e#ecution tree to be generated! where each path from the
root to a leaf of the tree is a welldefined formula. "he set of welldefined formulas constitutes a
useful framework that fully characterizes the test se%uence. "he input patterns of the test
se%uence *fault and activation domains+ then are determined to fewer specific structural criteria
over the e#ecution tree *activation of proper sets of paths+. "his provides a framework for
generating a functional deterministic test for programs that implement comple# 0"A6. "his
methodology has been used to e#tend a debugging tool aimed at testing fault tolerance protocols
developed by &)LL 0rance. (t has been applied successfully to the injection of faults in the
interreplica protocol that supports the applicationlevel faulttolerance features of the
architecture of the S-/("funded 'elta; project. "he results of these e#periments are analyzed
in detail. (n particular! even though the target protocol had been independently verified formally!the application of the proposed testing strategy revealed two faulttolerance deficiency faults
8/18/2019 Evaluation of Web Security--modified Document
41/47
!itle:
1eneration of an rror Set that mulates Software 0aults
Author:
. 3hristmansson and /. 3hillarege
)escri*tion:
A significant issue in fault injection e#periments is that the injected faults are
representative of software faults observed in the field. Another important issue is the time used!
as we want e#periments to be conducted without e#cessive time spent waiting for the
conse%uences of a fault. An approach to accelerate the failure process would be to inject errors
instead of faults! but this would re%uire a mapping between representative software faults and
injectable errors. 0urthermore! it must be assured that the injected errors emulate software faults
and not hardware faults. "hese issues were addressed in a study of software faults encountered in
one release of a large (&6 operating system product. "he key results are2 A general procedure
that uses field data to generate a set of injectable errors! in which each error is defined by2 error
type! error location and injection condition. "he procedure assures that the injected errors
emulate software faults and not hardware faults. "he faults are uniformly distributed *>.:G fault
per module+ over the affected modules. "he distribution of error categories in the (&6 operating
system and the distribution of errors in the "andem 1uardianPD operating system reported
previously were compared and found to be similar. "his result adds a flavor of generality to the
field data presented in the current paper
8/18/2019 Evaluation of Web Security--modified Document
42/47
!itle:
"esting and 3omparing $eb ,ulnerability Scanning "ools for SQLi and ESS Attacks
Author:
J. Fonseca , ". #ieira and $. "adeira
)escri*tion:
$eb applications are typically developed with hard time constraints and are often
deployed with security vulnerabilities. Automatic web vulnerability scanners can help to locate
these vulnerabilities and are popular tools among developers of web applications. "heir purpose
is to stress the application from the attacker8s point of view by issuing a huge amount of
interaction within it. "wo of the most widely spread and dangerous vulnerabilities in web
applications are SQL injection and cross site scripting *ESS+! because of the damage they may
cause to the victim business. "rusting the results of web vulnerability scanning tools is of utmost
importance. $ithout a clear idea on the coverage and false positive rate of these tools! it is
difficult to judge the relevance of the results they provide. 0urthermore! it is difficult! if not
impossible! to compare key figures of merit of web vulnerability scanners. (n this paper we
propose a method to evaluate and benchmark automatic web vulnerability scanners using
software fault injection techni%ues. "he most common types of software faults are injected in the
web application code which is then checked by the scanners. "he results are compared by
analyzing coverage of vulnerability detection and false positives. "hree leading commercial
scanning tools are evaluated and the results show that in general the coverage is low and the
percentage of false positives is very high
8/18/2019 Evaluation of Web Security--modified Document
43/47
!itle:
Eception2 Software 0ault (njection and 6onitoring in -rocessor 0unctional )nits
Author:
. 3arreira ! H. 6adeira and .1. Silva
)escri*tion:"his paper presents Eception! a software fault injection and monitoring environment. Eception
uses the advanced debugging and performance monitoring features e#isting in most of the
modern processors to inject more realistic faults by software! and to monitor the activation of the
faults and their impact on the target system behaviour in detail. 0aults are injected with minimum
interference with the target application. "he target application is not modified! no software traps
are inserted! and it is not necessary to e#ecute it in special trace mode *the application is
e#ecuted at full speed+. Eception provides a comprehensive set of fault triggers! including spatial
and temporal fault triggers! and triggers related to the manipulation of data in memory. 0aults
injected by Eception can affect any process running on the target system including the operating
system. Sets of faults can be defined by the user according to several criteria! including the
emulation of faults in specific target processor functional units. -resently! Eception has been
implemented on a parallel machine build around the -ower-3 =D> processor running the -A/(Eoperating system. #periment results are presented showing the impact of faults on several
parallel applications running on a commercial parallel system. (t is shown that up to G:O of the
faults! depending on the processor functional unit affected! can cause the application to produce
wrong results. "he results show that the impact of faults heavily depends on the application and
the specific processor functional unit affected by the fault.
8/18/2019 Evaluation of Web Security--modified Document
44/47
References
>. ?Sarbanes5#ley Act?! 9DD9
9. Payment ard Industry !PI" #ata $ecurity $tandard ! 9D>D
:. S. 3hristey and /. 6artin Vulnerability %ype #istributions in V& ! 9DDG
'. S. \anero ! L. 3arettoni and 6. \anchetta ?Automatic 'etection of $eb ApplicationSecurity 0laws?! 9DD<
>
P. ?"he -rivacy /ights 3learinghousewww.privacyrights.orgFdatabreach! Accessed > 6ay
9D>:?! 9D>9
>D. 6. 0ossi ?Symantec (nternet Security "hreat /eport2 "rends for 9D>D?! 9D>>
>>. 6. 0ossi ?Symantec /eport on the )nderground conomy! Symantec Security /esponse?!
9DD
>9. /. /ichardson and S. -eters ?9D>DF9D>> 3S( 3omputer 3rime T Security Survey?! 9D>>
>:. '. Avresky ! . Arlat ! .3. Laprie and C. 3rouzet ?0ault (njection for 0ormal "esting of 0ault
"olerance?! I&&& %rans. -eliability! vol. ;PP=
Abstract ] 0ull "e#t2 -'0 *>9DDM&+
>;. '. -owell and /. Stroud ?3onceptual 6odel and Architecture of 6A0"(A?! 9DD:
>PP
>=. . 0onseca and 6. ,ieira ?6apping Software 0aults with $eb Security
,ulnerabilities?! Proc. I&&&/I0IP Int12l. onf. #ependable $ystems and (etorks! 9DD
Abstract ] 0ull "e#t2 -'0 *9D
8/18/2019 Evaluation of Web Security--modified Document
45/47
>G. . 0onseca ! 6. ,ieira and H. 6adeira ?"raining Security Assurance "eams using
,ulnerability (njection?! Proc. I&&& Pacific -im #ependable omputing onf.! 9DD
Abstract ] 0ull "e#t2 -'0 *9GDM&+ ] 0ull "e#t2 H"6L
>. . Arlat ! A. 3ostes ! C. 3rouzet ! .3. Laprie and '. -owell ?0ault (njection and'ependability valuation of 0ault"olerant Systems?! I&&& %rans. omputers! vol. ;9! no. !
pp.P>: P9: >PP:
Abstract ] 0ull "e#t2 -'0 *>>DDM&+
>P. /. (yer ?#perimental valuation?! Proc. I&&& $ymp. 0ault %olerant omputing ! pp.>><>:9 >PP<
9D. . 3arreira ! H. 6adeira and .1. Silva ?Eception2 Software 0ault (njection and 6onitoring
in -rocessor 0unctional )nits?! I&&& %rans. $oftare &ng.! vol. 9;! no. 9! >PP
9>. '.". Stott ! &. 0loering ! '. &urke ! \. Malbarczpk and /.M. (yer ?B0"A-2 A 0ramework
for Assessing 'ependability in 'istributed Systems with Lightweight 0ault (njectors?! Proc.omputer Performance and #ependability $ymp.! 9DDD
Abstract ] 0ull "e#t2 -'0 *>D;M&+
99. . 3hristmansson and /. 3hillarege ?1eneration of an rror Set that mulates Software
0aults?! Proc. I&&& 0ault %olerant omputing $ymp.! >PP=
Abstract ] 0ull "e#t2 -'0 *P9DM&+
9:. H 6adeira ! 6. ,ieira and '. 3osta ?5n the mulation of Software 0aults by Software 0ault
(njection?! Proc. I&&&/I0IP Int333l onf. #ependable $ystem and (etorks! 9DDD
Abstract ] 0ull "e#t2 -'0 *::9M&+
9;. . 'ur^^es and H. 6adeira ?mulation of Software 0aults2 A 0ield 'ata Study and a
-ractical Approach?! I&&& %rans. $oftare &ng.! vol. :9! no. >>! pp.;P =G 9DD=
Abstract ] 0ull "e#t2 -'0 *
8/18/2019 Evaluation of Web Security--modified Document
46/47
9=. . 0onseca ! 6. ,ieira and H. 6adeira ?"esting and 3omparing $eb ,ulnerability Scanning
"ools for SQLi and ESS Attacks?! Proc. I&&& Pacific -im Int12l $ymp. #ependable omputing !
9DDG
Abstract ] 0ull "e#t2 -'0 *;G9M&+ ] 0ull "e#t2 H"6L
9G. ?$eb ,ulnerability Scanners 3omparison?! 9DDP
9. 6. &uchler ! . 5udinet and A. -retschner ?SemiAutomatic Security "esting of $eb
Applications from a Secure 6odel?! Proc. Int12l onf. $oftare $ecurity and -eliability! 9D>9
Abstract ] 0ull "e#t2 -'0 *;! no. :! >PPG
Abstract ] 0ull "e#t2 -'0 *>9;M&+
:9. ?isc.sans.orgFdiary.htmlstoryid7:9:! accessed > 6ay 9D>:?! 9DD
::. ?www.ntamonitor.comFpostsF9D>>FD:FD>testsZshowZ
riseZinZnumberZofZvulnerabilitiesZaffectingZwebZapplicationsZ
withZs%lZinjectionZandZ#ssZmostZcommonZflaws.html?! 9D>>
:;. ?pt.php.net! accessed >^^6ay 9D>:?! 9DDG
:
8/18/2019 Evaluation of Web Security--modified Document
47/47
:P. (. lia ! . 0onseca and 6. ,ieira ?3omparing SQLi 'etection "ools )sing Attack (njection2
An #perimental Study?! Proc. I&&& Int12l $ymp. $oftare -eliability &ng.! 9D>D
Abstract ] 0ull "e#t2 -'0 *GG>M&+ ] 0ull "e#t2 H"6L
;D. A. /iancho ?6oth! &onsai(nformation Security?! 9DDP
;>. &. Livshits ?Stanford Securi&ench?! 9DD<
;9. . 1rossman ?SQLi! ye of the Storm?! %he $ecurity J.! vol. 9=! pp.G >D 9DDP
;:. &. 'amele ?S%lmap2 Automatic SQLi "ool?! 9DDP
;;. ?"iki$iki! tikiwiki.org! Accessed >^^6ay 9D>:?! 9DD
;^^6ay 9D>:?! 9DD
;=. ?avasource.net! 9DD! javasource.netFopensourceFcrawlers! Accessed >^^6ay 9D>:?!
;G. C.$. Huang ! S.M. Huang ! ".-. Lin and 3.H. "sai ?$eb Application Security Assessment by 0ault (njection and &ehavior 6onitoring?! Proc. Int12l onf. ,orld ,ide ,eb! pp.>; >