Evaluation of Web Security--modified Document

8/18/2019 Evaluation of Web Security--modified Document

1/47

Evaluation of Web Security Mechanisms

Using Vulnerability & Attack Injection

Abstract:

Attack injection in web applications allows malicious users to obtain unrestricted access

to private and confidential information. SQL injection is ranked at the top in web application

attack mechanisms used by hackers to steal data from organizations. Hackers can take

advantages due to flawed design! improper coding practices! improper validations of user input!

configuration errors! or other weaknesses in the infrastructure. "his paper proposes a

methodology for the detection of e#ploitations of SQL injection attacks. $hen the user submitsthe SQL %uery at the runtime! the %uery has to be parsed by the independent service for the

correctness of the syntactic structure and user data. "his approach is to prevent all forms of SQL

injections! independent of the target system! independent to platform and &ackend '& server.

Eisting System:

$eb sites need protection in their database to assure security. An SQL injection attacks

interactive web applications that provide database services. "hese applications take user inputs

and use them to create an SQL %uery at run time. (n an SQL injection attack! an attacker might

insert a malicious SQL %uery as input to perform an unauthorized database operation. )sing SQL

injection attacks! an attacker can retrieve or modify confidential and sensitive information from

the database. "here are different types of attacks to attack the web application like !autologies"

#ogically Incorrect $ueries" Union $uery" Store% roce%ure" 'lin% injection Attacks"

!iming injection Attacks( (n e#isting also available several detection method. &ut this method

are not effective and efficient to detect the attacks.


2/47

)isa%vantages of eisting system:

• Attacker can steal confidential data of the web application with these attacks resulting

loss of market value of the web application

• (t cannot be detect the attacks efficiently.• (f it is a university web application the attacker will enter and affect or change the

university results and confidential information.

ro*ose% system:

(n proposed system will develop a university web application to detect the attacks *throw

s%l injection.+ and prevent the application using the prevent method *,(-/ for 'etecting SQL

(njection Attacks+. Here we prevent our web application from the tautology attack using the

vi*er method. (n this method will show the efficient detection mechanism and also prevent the

university web application from the attack injection.

A%vantages of *ro*ose% system:

• (t detect the attacks efficiently using viper method .

• 0ind the attacker in the university web application who *attacker+ will enter the

application and change the confidential information */esults! 1rade etc.!+ of university.

•

(t prevent the web application from all types of attacks.

System architecture:


3/47

)A!A+#,W )IA-.AM:


4/47

Staf Login

Upload Result and timetable

Send Request to CEO

View Request and approval -CEO

Student Login

View Result and Timetable

HO Login

Upload Event

!dmin login

View all details

!tta"#er ete"tion

$revent !tta"#er

USE/ASE )IA-.AM:


5/47

SE$UE0/E )IA-.AM:


6/47

/#ASS )IA-.AM:


7/47

A/!IVI!1 )IA-.AM:


8/47


9/47

Attacker !y*e:

!autologies:

"his type of attack represent to the SQL manipulation category in which attacker

can inject malicious code into %uery! it is based on the conditional statement. 0or e#ample a

%uery for login2

SL3" 4 0/56 )ser (nfo $H/ )sername78puspendra8 and -assword78 ( 9:;78>8. "he resulting %uery will be2

SL3" 4 0/56 )ser (nfo $H/ )sername 7 ? 5/ >78>8@ and -as sword78 ( 9:;


10/47

B5$A'ACS there is an increasing dependency on web applications! ranging from

individuals to large organizations. Almost everything is stored! available or traded on the web.

$eb applications can be personal websites! blogs! news! social networks! web mails! bank

agencies! forums! ecommerce applications! etc. "he omnipresence of web applications in our

way of life and in our economy is so important that it makes them a natural target for malicious

minds that want to e#ploit this new streak.

"he security motivation of web application developers and administrators should reflect

the magnitude and relevance of the assets they are supposed to protect. Although there is an

increasing concern about security *often being subject to regulations from governments and

corporations+! there are significant factors that make securing web applications a difficult task to

achieve2

>. "he web application market is growing fast! resulting in a huge proliferation of web

applications! based on different languages! frameworks! and protocols! largely fueled by

the *apparent+ simplicity one can develop and maintain such applications.

9. $eb applications are highly e#posed to attacks from anywhere in the world! which can be

conducted by using widely available and simple tools like a web browser.

:. (t is common to find web application developers! administrators and power users without

the re%uired knowledge or e#perience in the area of security.

;. $eb applications provide the means to access valuable enterprise assets. 6any times they

are the main interface to the information stored in backend databases! other times they are

the path to the inside of the enterprise network and computers.

Bot surprisingly! the overall situation of web application security is %uite favorable to

attacks. (n fact! estimations point to a very large number of web applications with security

vulnerabilities and! conse%uently! there are numerous reports of successful security breaches and

e#ploitations. 5rganized crime is naturally flourishing in this promising market! if we consider

the millions of dollars earned by such organizations in the underground economy of the web.

System re2uirements:

3ar%4are re2uirements:


11/47

• System 2 -entium (, 9.; 1Hz.

• Hard 'isk 2 ;D 1&.

• 0loppy 'rive 2 ;; 6b.

• 6onitor 2 >< ,1A 3olour.

• 6ouse 2

• /am 2 9 6b.

Soft4are re2uirements:

• 5perating system 2 $indows E-FG.

• 3oding Language 2 A,AF9

• (' 2 Betbeans G.;

• 'atabase 2 6CSQL

#A0-UA-E SE/I+I/A!I,0S:


12/47

5ava !echnology

ava technology is both a programming language and a platform.

!he 5ava rogramming #anguage

"he ava programming language is a highlevel language that can be characterized by all of the

following buzzwords2

Simple

Architecture neutral

5bject oriented

-ortable

'istributed

High performance

(nterpreted

6ultithreaded

/obust

'ynamic

Secure

$ith most programming languages! you either compile or interpret a program so that you

can run it on your computer. "he ava programming language is unusual in that a program is

both compiled and interpreted. $ith the compiler! first you translate a program into an

intermediate language called Java byte codes Ithe platformindependent codes interpreted by

the interpreter on the ava platform. "he interpreter parses and runs each ava byte code

instruction on the computer. 3ompilation happens just once@ interpretation occurs each time the

program is e#ecuted.


13/47

"he following figure illustrates how this works.

Cou can think of ava bytecodes as the machine code instructions for the Java Virtual Machine

*ava ,6+. very ava interpreter! whether its a development tool or a $eb browser that can run applets!

is an implementation of the ava ,6. ava bytecodes help make Jwrite once! run anywhereK possible.

Cou can compile your program into bytecodes on any platform that has a ava compiler. "he bytecodes

can then be run on any implementation of the ava ,6. "hat means that as long as a computer has a ava

,6! the same program written in the ava programming language can run on $indows 9DDD! a Solaris

workstation! or on an i6ac.


14/47

!he 5ava latform

A platform is the hardware or software environment in which a program runs. $eve

already mentioned some of the most popular platforms like $indows 9DDD! Linu#! Solaris! and

6ac5S. 6ost platforms can be described as a combination of the operating system and hardware.

"he ava platform differs from most other platforms in that its a softwareonly platform that runs

on top of other hardwarebased platforms.

"he ava platform has two components2

• "he Java Virtual Machine *ava ,6+

• "he Java Application Programming Interface *ava A-(+

Couve already been introduced to the ava ,6. (ts the base for the ava platform and is

ported onto various hardwarebased platforms.

"he ava A-( is a large collection of readymade software components that provide

many useful capabilities! such as graphical user interface *1)(+ widgets. "he ava A-( is

grouped into libraries of related classes and interfaces@ these libraries are known as

packages. "he ne#t section! $hat 3an ava "echnology 'o! highlights what

functionality some of the packages in the ava A-( provide.

"he following figure depicts a program thats running on the ava platform. As the

figure shows! the ava A-( and the virtual machine insulate the program from the

hardware.

Bative code is code that after you compile it! the compiled code runs on a specific

hardware platform. As a platformindependent environment! the ava platform can be a bit

slower than native code. However! smart compilers! welltuned interpreters! and justintime


15/47

bytecode compilers can bring performance close to that of native code without threatening

portability.

What Can Java Technology Do?

"he most common types of programs written in the ava programming language are applets and

applications. (f youve surfed the $eb! youre probably already familiar with applets. An applet

is a program that adheres to certain conventions that allow it to run within a avaenabled

browser.

However! the ava programming language is not just for writing cute! entertaining applets

for the $eb. "he generalpurpose! highlevel ava programming language is also a

powerful software platform. )sing the generous A-(! you can write many types of

programs.

An application is a standalone program that runs directly on the ava platform. A special

kind of application known as a server serves and supports clients on a network. #amples

of servers are $eb servers! pro#y servers! mail servers! and print servers. Another specialized program is a servlet . A servlet can almost be thought of as an applet that runs

on the server side. ava Servlets are a popular choice for building interactive web

applications! replacing the use of 31( scripts. Servlets are similar to applets in that they

are runtime e#tensions of applications. (nstead of working in browsers! though! servlets

run within ava $eb servers! configuring or tailoring the server.

How does the A-( support all these kinds of programs (t does so with packages of

software components that provide a wide range of functionality. very full

implementation of the ava platform gives you the following features2

• !he essentials2 5bjects! strings! threads! numbers! input and output! data structures!

system properties! date and time! and so on.

• A**lets2 "he set of conventions used by applets.


16/47

• 0et4orking2 )/Ls! "3- *"ransmission 3ontrol -rotocol+! )'- *)ser 'ata gram

-rotocol+ sockets! and (- *(nternet -rotocol+ addresses.

• Internationali6ation2 Help for writing programs that can be localized for users

worldwide. -rograms can automatically adapt to specific locales and be displayed in the

appropriate language.

• Security2 &oth low level and high level! including electronic signatures! public and

private key management! access control! and certificates.

• Soft4are com*onents2 Mnown as ava&eans"6! can plug into e#isting component

architectures.

• ,bject seriali6ation2 Allows lightweight persistence and communication via /emote

6ethod (nvocation */6(+.

• 5ava )atabase /onnectivity 75)'/!M82 -rovides uniform access to a wide range of

relational databases.

"he ava platform also has A-(s for 9' and :' graphics! accessibility! servers! collaboration!

telephony! speech! animation! and more. "he following figure depicts what is included in the ava

9 S'M.


17/47

How Will Java Technology Change My Life?

$e cant promise you fame! fortune! or even a job if you learn the ava programminglanguage. Still! it is likely to make your programs better and re%uires less effort than other

languages. $e believe that ava technology will help you do the following2

• -et starte% 2uickly2 Although the ava programming language is a powerful object

oriented language! its easy to learn! especially for programmers already familiar with 3

or 3NN.

• Write less co%e2 3omparisons of program metrics *class counts! method counts! and so

on+ suggest that a program written in the ava programming language can be four timessmaller than the same program in 3NN.

• Write better co%e2 "he ava programming language encourages good coding practices!

and its garbage collection helps you avoid memory leaks. (ts object orientation! its

ava&eans component architecture! and its wideranging! easily e#tendible A-( let you

reuse other peoples tested code and introduce fewer bugs.

• )evelo* *rograms more 2uickly2 Cour development time may be as much as twice as

fast versus writing the same program in 3NN. $hy Cou write fewer lines of code and it

is a simpler programming language than 3NN.• Avoi% *latform %e*en%encies 4ith 9; ure 5ava2 Cou can keep your program

portable by avoiding the use of libraries written in other languages. "he >DDO -ure ava

"6 -roduct 3ertification -rogram has a repository of historical process manuals! white

papers! brochures! and similar materials online.

• Write once" run any4here2 &ecause >DDO -ure ava programs are compiled into

machineindependent byte codes! they run consistently on any ava platform.

• )istribute soft4are more easily2 Cou can upgrade applets easily from a central server.

Applets take advantage of the feature of allowing new classes to be loaded Jon the fly!Kwithout recompiling the entire program.


18/47

,)'/

6icrosoft 5pen 'atabase 3onnectivity *5'&3+ is a standard programming interface for

application developers and database systems providers. &efore 5'&3 became a de facto

standard for $indows programs to interface with database systems! programmers had to use

proprietary languages for each database they wanted to connect to. Bow! 5'&3 has made the

choice of the database system almost irrelevant from a coding perspective! which is as it should

be. Application developers have much more important things to worry about than the synta# that

is needed to port their program from one database to another when business needs suddenly

change.

"hrough the 5'&3 Administrator in 3ontrol -anel! you can specify the particular

database that is associated with a data source that an 5'&3 application program is written to

use. "hink of an 5'&3 data source as a door with a name on it. ach door will lead you to a

particular database. 0or e#ample! the data source named Sales 0igures might be a SQL Server

database! whereas the Accounts -ayable data source could refer to an Access database. "he

physical database referred to by a data source can reside anywhere on the LAB.

"he 5'&3 system files are not installed on your system by $indows P=bit and a :9bit version of this program and each maintains a separate list of 5'&3 data

Sources.

0rom a programming perspective! the beauty of 5'&3 is that the application can be

written to use the same set of function calls to interface with any data source! regardless of the

database vendor. "he source code of the application doesnt change whether it talks to 5racle or

SQL Server. $e only mention these two as an e#ample. "here are 5'&3 drivers available for

several dozen popular database systems. ven #cel spreadsheets and plain te#t files can be


19/47

turned into data sources. "he operating system uses the /egistry information written by 5'&3

Administrator to determine which lowlevel 5'&3 drivers are needed to talk to the data source

*such as the interface to 5racle or SQL Server+. "he loading of the 5'&3 drivers is transparent

to the 5'&3 application program. (n a clientFserver environment! the 5'&3 A-( even handles

many of the network issues for the application programmer.

"he advantages of this scheme are so numerous that you are probably thinking there must

be some catch. "he only disadvantage of 5'&3 is that it isnt as efficient as talking directly to

the native database interface. 5'&3 has had many detractors make the charge that it is too slow.

6icrosoft has always claimed that the critical factor in performance is the %uality of the driver

software that is used. (n our humble opinion! this is true. "he availability of good 5'&3 drivers

has improved a great deal recently. And anyway! the criticism about performance is somewhatanalogous to those who said that compilers would never match the speed of pure assembly

language. 6aybe not! but the compiler *or 5'&3+ gives you the opportunity to write cleaner

programs! which means you finish sooner. 6eanwhile! computers get faster every year.

5)'/

(n an effort to set an independent database standard A-( for ava! Sun 6icrosystems

developed ava 'atabase 3onnectivity! or '&3. '&3 offers a generic SQL database access

mechanism that provides a consistent interface to a variety of /'&6S. "his consistent interface

is achieved through the use of JpluginK database connectivity modules! or drivers. (f a database

vendor wishes to have '&3 support! he or she must provide the driver for each platform that the

database and ava run on.

"o gain a wider acceptance of '&3! Sun based '&3s framework on 5'&3. As you

discovered earlier in this chapter! 5'&3 has widespread support on a variety of platforms.

&asing '&3 on 5'&3 will allow vendors to bring '&3 drivers to market much faster than

developing a completely new connectivity solution.


20/47

'&3 was announced in 6arch of >PP=. (t was released for a PD day public review that

ended une ! >PP=. &ecause of user input! the final '&3 v>.D specification was released soon

after.

"he remainder of this section will cover enough information about '&3 for you to know what it

is about and how to use it effectively. "his is by no means a complete overview of '&3. "hat

would fill an entire book.

5)'/ -oals

0ew software packages are designed without goals in mind. '&3 is one that! because of

its many goals! drove the development of the A-(. "hese goals! in conjunction with early

reviewer feedback! have finalized the '&3 class library into a solid framework for building

database applications in ava.

"he goals that were set for '&3 are important. "hey will give you some insight as to why

certain classes and functionalities behave the way they do.

"he design goals for '&3 are as follows2


21/47

>. SQL Level API

"he designers felt that their main goal was to define a SQL interface for ava. Although

not the lowest database interface level possible! it is at a low enough level for higherlevel

tools and A-(s to be created. 3onversely! it is at a high enough level for application

programmers to use it confidently. Attaining this goal allows for future tool vendors to

JgenerateK '&3 code and to hide many of '&3s comple#ities from the end user .

9. SQL Conformance

SQL synta# varies as you move from database vendor to database vendor. (n an

effort to support a wide variety of vendors! '&3 will allow any %uery statement to be

passed through it to the underlying database driver. "his allows the connectivity module to

handle nonstandard functionality in a manner that is suitable for its users.

:. JDC m!"t #e im$lemental on to$ of common %ata#a"e interface"

"he '&3 SQL A-( must JsitK on top of other common SQL level A-(s. "his goal allows

'&3 to use e#isting 5'&3 level drivers by the use of a software interface. "his interface

would translate '&3 calls to 5'&3 and vice versa.

;. Provi%e a Java interface that i" con"i"tent with the re"t of the Java "y"tem

&ecause of avas acceptance in the user community thus far! the designers feel that they

should not stray from the current design of the core ava system.


22/47

Java Program

Compilers

Interpreter

My Program

&ecause more often than not! the usual SQL calls used by the programmer are simple

SL3"s! (BS/"s! 'L"s and )-'A"s! these %ueries should be simple to perform with

'&3. However! more comple# SQL statements should also be possible.

0inally we decided to proceed the implementation using ava Betworking.And for

dynamically updating the cache table we go for 6S Access database.

ava is also unusual in that each java program is both compiled and

interpreted. with a compile you translate a java program into an intermediate language

called java byte codes the platformindependent code instruction is passed and run on

the computer.compilation happens just once@ interpretation occurs each time the

program is e#ecuted. the figure illustrates how this works.

you can think of java byte codes as the machine code instructions for the java

virtual machine *java vm+. every java interpreter! whether its a java development tool

or a web browser that can run java applets! is an implementation of the java vm. the

java vm can also be implemented in hardware.ava byte codes help make Jwrite once!

run anywhereK possible. you can compile your java program into byte codes on my

platform that has a java compiler. the byte codes can then be run any implementation

of the java vm. for e#ample! the same java program can run windows nt! solaris! and

macintosh.

0etbeans:


23/47

Bet&eans is an integrated development environment *('+ for developing primarily with

ava! but also with other languages! in particular -H-! 3F3NN! and H"6L


24/47

"here is no need to write a main method for your application because the Bet&eans

-latform already contains one. Also! support is provided for persisting user settings across restart

of the application! such as! by default! the size and positions of the windows in the application.

luggability" Service Infrastructure" an% +ile System:

nd users of the application benefit from pluggable applications because these enable

them to install modules into their running applications. Bet&eans modules can be installed!

uninstalled! activated! and deactivated at runtime! thanks to the runtime container. "he Bet&eans

-latform provides an infrastructure for registering and retrieving service implementations!

enabling you to minimize direct dependencies between individual modules and enabling a

loosely coupled architecture *high cohesion and low coupling+.

"he Bet&eans -latform provides a virtual file system! which is a hierarhical registry for

storing user settings! comparable to the $indows /egistry on 6icrosoft $indows systems. (t

also includes a unified A-( providing streamoriented access to flat and hierarchical structures!

such as diskbased files on local or remote servers! memorybased files! and even E6L

documents.

Win%o4 System" Stan%ar%i6e% UI !oolkit" an% A%vance% )ata


25/47

provides a generic model for presenting your data. "he Bet&eans #plorer T -roperty Sheet A-(

provides several advanced Swing components for displaying nodes. (n addition to a window

system! the Bet&eans -latform provides many other )(related components! such as a property

sheet! a palette! comple# Swing components for presenting data! a -lugin 6anager! and an

5utput window.

Miscellaneous +eatures" )ocumentation" an% !ooling Su**ort:

"he Bet&eans ('! which is the software development kit *S'M+ of the Bewt&eans

-latform! provides many templates and tools! such as the award winning 6atisse 1)( &uilder

that enables you to very easily design your application8s layout. "he Bet&eans -latform e#poses

a rich set of A-(s! which are tried! tested! and continually being improved. "he community is

helpful and diverse! while a vast library of blogs! books! tutorials! and training materials are

continually being developed and updated in multiple languages by many different people around

the world.


26/47

A*ache !omcat:

Apache "omcat *or simply "omcat! formerly also akarta "omcat+ is an open source web

server and servlet container developed by the Apache Software 0oundation *AS0+. "omcat

implements the ava Servlet and the avaServer -ages *S-+ specifications from 5racle

3orporation! and provides a ?pure ava? H""- web server environment for ava code to run.

/om*onent taonomy2

"omcat8s architecture follows the construction of a 6atrushka doll from /ussia. (n other

words! it is all about containment where one entity contains another! and that entity in turn

contains yet another. (n "omcat! a 8container8 is a generic term that refers to any component that

can contain another! such as a Server! Service! ngine! Host! or 3onte#t. 5f these! the Server and

Service components are special containers! designated as "op Level lements as they represent

aspects of the running "omcat instance. All the other "omcat components are subordinate to

these top level elements. "he ngine! Host! and 3onte#t components are officially termed

3ontainers! and refer to components that process incoming re%uests and generate an appropriate

outgoing response.

Bested 3omponents can be thought of as subelements that can be nested inside either

"op Level lements or other 3ontainers to configure how they function. #amples of nestedcomponents include the ,alve! which represents a reusable unit of work@ the -ipeline! which

represents a chain of ,alves strung together@ and a /ealm which helps set up containermanaged

security for a particular container. 5ther nested components include the Loader which is used to

enforce the specification8s guidelines for servlet class loading@ the 6anager that supports session

management for each web application@ the /esources component that represents the web

application8s static resources and a mechanism to access these resources@ and the Listener that

allows you to insert custom processing at important points in a container8s life cycle! such as

when a component is being started or stopped. Bot all nested components can be nested within

every container. A final major component! which falls into its own category! is the 3onnector. (t

represents the connection end point that an e#ternal client *such as a web browser+ can use to

connect to the "omcat container.


27/47

Architectural benefits:

"his architecture has a couple of useful features. (t not only makes it easy to manage

component life cycles *each component manages the life cycle notifications for its children+! but

also to dynamically assemble a running "omcat server instance that is based on the information

that has been read from configuration files at startup. (n particular! the server.#ml file is parsed at

startup! and its contents are used to instantiate and configure the defined elements! which are

then assembled into a running "omcat instance. "he server.#ml file is read only once! and edits to

it will not be picked up until "omcat is restarted. "his architecture also eases the configuration

burden by allowing child containers to inherit the configuration of their parent containers. 0or

instance! a /ealm defines a data store that can be used for authentication and authorization of

users who are attempting to access protected resources within a web application. 0or ease of

configuration! a realm that is defined for an engine applies to all its children hosts and conte#ts.


28/47

At the same time! a particular child! such as a given conte#t! may override its inherited realm by

specifying its own realm to be used in place of its parent8s realm.

!o* #evel /om*onents:

"he Server and Service container components e#ist largely as structural conveniences. A

Server represents the running instance of "omcat and contains one or more Service children!

each of which represents a collection of re%uest processing components.

Server: A Server represents the entire "omcat instance and is a singleton within a ava ,irtual

6achine! and is responsible for managing the life cycle of its contained services. "he following

image depicts the key aspects of the Server component. As shown! a Server instance is

configured using the server.#ml configuration file. "he root element of this file is UServerV and

represents the "omcat instance. (ts default implementation is provided using

org.apache.catalina.core.StandardServer! but you can specify your own custom implementation

through the class Bame attribute of the UServerV element.

A key aspect of the Server is that it opens a server socket on port DD< *the default+ to

listen a shutdown command *by default! this command is the te#t string SH)"'5$B+. $hen

this shutdown command is received! the server gracefully shuts itself down. 0or security reasons!

the connection re%uesting the shutdown must be initiated from the same machine that is running

this instance of "omcat. A Server also provides an implementation of the ava Baming and


29/47

'irectory (nterface *B'(+ service! allowing you to register arbitrary objects *such as data

sources+ or environment variables! by name. At runtime! individual components *such as

servlets+ can retrieve this information by looking up the desired object name in the server8s B'(

bindings. $hile a B'( implementation is not integral to the functioning of a servlet container! it

is part of the ava specification and is a service that servlets have a right to e#pect from their

application servers or servlet containers. (mplementing this service makes for easy portability of

web applications across containers. $hile there is always just one server instance within a ,6!

it is entirely possible to have multiple server instances running on a single physical machine!

each encased in its own ,6. 'oing so insulates web applications that are running on one ,6

from errors in applications that are running on others! and simplifies maintenance by allowing a

,6 to be restarted independently of the others. "his is one of the mechanisms used in a shared

hosting environment *the other is virtual hosting! which we will see shortly+ where you need

isolation from other web applications that are running on the same physical server.

Service:

$hile the Server represents the "omcat instance itself! a Service represents the set of

re%uest processing components within "omcat. A Server can contain more than one Service!

where each service associates a group of 3onnector components with a single ngine. /e%uests

from clients are received on a connector! which in turn funnels them through into the engine!

which is the key re%uest processing component within "omcat. "he image shows connectors for

H""-! H""-S! and the Apache Serv -rotocol *A-+. "here is very little reason to modify this

element! and the default Service instance is usually sufficient.


30/47

A hint as to when you might need more than one Service instance can be found in the above

image. As shown! a service aggregates connectors! each of which monitors a given (- address

and port! and responds in a given protocol. An e#ample use case for having multiple services!

therefore! is when you want to partition your services *and their contained engines! hosts! and

web applications+ by (- address andFor port number.

0or instance! you might configure your firewall to e#pose the connectors for one service

to an e#ternal audience! while restricting your other service to hosting intranet applications thatare visible only to internal users. "his would ensure that an e#ternal user could never access your

(ntranet application! as that access would be blocked by the firewall. "he Service! therefore! is

nothing more than a grouping construct. (t does not currently add any other value to the

proceedings.


31/47

/onnectors:

A 3onnector is a service endpoint on which a client connects to the "omcat container. (t

serves to insulate the engine from the various communication protocols that are used by clients!

such as H""-! H""-S! or the Apache Serv -rotocol *A-+. "omcat can be configured to work

in two modesIStandalone or in 3onjunction with a separate web server. (n standalone mode!

"omcat is configured with H""- and H""-S connectors! which make it act like a fullfledged

web server by serving up static content when re%uested! as well as by delegating to the 3atalina

engine for dynamic content. 5ut of the bo#! "omcat provides three possible implementations of

the H""-F>.> and H""-S connectors for this mode of operation. "he most common are the

standard connectors! known as 3oyote which are implemented using standard ava (F5

mechanisms. Cou may also make use of a couple of newer implementations! one which uses the

nonblocking B(5 features of ava >.;! and the other which takes advantage of native code that is

optimized for a particular operating system through the Apache -ortable /untime *A-/+. Bote

that both the 3onnector and the ngine run in the same ,6.

(n fact! they run within the same Server instance. (n conjunction mode! "omcat plays a

supporting role to a web server! such as Apache httpd or 6icrosoft8s ((S. "he client here is the

web server! communicating with "omcat either through an Apache module or an (SA-( 'LL.

$hen this module determines that a re%uest must be routed to "omcat for processing! it will

communicate this re%uest to "omcat using A-! a binary protocol that is designed to be more

efficient than the te#t based H""- when communicating between a web server and "omcat. 5n


32/47

the "omcat side! an A- connector accepts this communication and translates it into a form that

the 3atalina engine can process.

(n this mode! "omcat is running in its own ,6 as a separate process from the web

server. (n either mode! the primary attributes of a 3onnector are the (- address and port on which

it will listen for incoming re%uests! and the protocol that it supports. Another key attribute is the

ma#imum number of re%uest processing threads that can be created to concurrently handle

incoming re%uests. 5nce all these threads are busy! any incoming re%uest will be ignored until a

thread becomes available. &y default! a connector listens on all the (- addresses for the given

physical machine *its address attribute defaults to D.D.D.D+. However! a connector can be

configured to listen on just one of the (- addresses for a machine. "his will constrain it to accept

connections from only that specified (- address. Any re%uest that is received by any one of a

service8s connectors is passed on to the service8s single engine. "his engine! known as 3atalina! is

responsible for the processing of the re%uest! and the generation of the response. "he engine

returns the response to the connector! which then transmits it back to the client using the

appropriate communication protocol.


33/47

S$# Server =>

6icrosoft SQL Server is a relational database management system developed by

6icrosoft. As a database! it is a software product whose primary function is to store and retrieve

data as re%uested by other software applications! be it those on the same computer or those

running on another computer across a network *including the (nternet+. "here are at least a dozen

different editions of 6icrosoft SQL Server aimed at different audiences and for different

workloads *ranging from small applications that store and retrieve data on the same computer! to

millions of users and computers that access huge amounts of data from the (nternet at the same

time+. "rue to its name! 6icrosoft SQL Server8s primary %uery languages are "SQL and ABS(

SQL.

S$# Server Architecture )iagram:

SQL Server 9DD< *formerly codenamed ?Cukon?+ was released in 5ctober 9DD


34/47

0or this purpose! it defined an #ml data type that could be used either as a data type in database

columns or as literals in %ueries.

E6L columns can be associated with ES' schemas@ E6L data being stored is verified

against the schema. E6L is converted to an internal binary data type before being stored in the

database. Specialized inde#ing methods were made available for E6L data. E6L data is %ueried

using EQuery@ SQL Server 9DD< added some e#tensions to the "SQL language to allow

embedding EQuery %ueries in "SQL. (n addition! it also defines a new e#tension to EQuery!

called E6L '6L! that allows %uerybased modifications to E6L data. SQL Server 9DD< also

allows a database server to be e#posed over web services using "abular 'ata Stream *"'S+

packets encapsulated within S5A- *protocol+ re%uests. $hen the data is accessed over web

services! results are returned as E6L.

3ommon Language /untime *3L/+ integration was introduced with this version!

enabling one to write SQL code as 6anaged 3ode by the 3L/. 0or relational data! "SQL has

been augmented with error handling features *tryFcatch+ and support for recursive %ueries with

3"s *3ommon "able #pressions+. SQL Server 9DD< has also been enhanced with new

inde#ing algorithms! synta# and better error recovery systems. 'ata pages are checksummed for

better error resiliency! and optimistic concurrency support has been added for better

performance. -ermissions and access control have been made more granular and the %uery

processor handles concurrent e#ecution of %ueries in a more efficient way. -artitions on tables

and inde#es are supported natively! so scaling out a database onto a cluster is easier.

SQL 3L/ was introduced with SQL Server 9DD< to let it integrate with the .B"

0ramework. SQL Server 9DD< introduced ?6A/S? *6ultiple Active /esults Sets+! a method of

allowing usage of database connections for multiple purposes. SQL Server 9DD< introduced

'6,s *'ynamic 6anagement ,iews+! which are specialized views and functions that return

server state information that can be used to monitor the health of a server instance! diagnose problems! and tune performance. Service -ack > *S->+ of SQL Server 9DD< introduced 'atabase

6irroring!a high availability option that provides redundancy and failover capabilities at the

database level. 0ailover can be performed manually or can be configured for automatic failover.


35/47

S1S!EM S!U)1

+EASI'I#I!1 S!U)1

"he feasibility of the project is analyzed in this phase and business proposal is put

forth with a very general plan for the project and some cost estimates. 'uring system analysis the

feasibility study of the proposed system is to be carried out. "his is to ensure that the proposed

system is not a burden to the company. 0or feasibility analysis! some understanding of the major

re%uirements for the system is essential.

"hree key considerations involved in the feasibility analysis are

♦ 35B56(3AL 0AS(&(L("C

♦ "3HB(3AL 0AS(&(L("C

♦ S53(AL 0AS(&(L("C

E/,0,MI/A# +EASI'I#I!1

"his study is carried out to check the economic impact that the system will have on the

organization. "he amount of fund that the company can pour into the research and development

of the system is limited. "he e#penditures must be justified. "hus the developed system as well

within the budget and this was achieved because most of the technologies used are freely

available. 5nly the customized products had to be purchased.

!E/30I/A# +EASI'I#I!1

"his study is carried out to check the technical feasibility! that is! the technical

re%uirements of the system. Any system developed must not have a high demand on the available

technical resources. "his will lead to high demands on the available technical resources. "his

will lead to high demands being placed on the client. "he developed system must have a modestre%uirement! as only minimal or null changes are re%uired for implementing this system.


36/47

S,/IA# +EASI'I#I!1

"he aspect of study is to check the level of acceptance of the system by the user. "his

includes the process of training the user to use the system efficiently. "he user must not feel

threatened by the system! instead must accept it as a necessity. "he level of acceptance by the

users solely depends on the methods that are employed to educate the user about the system and

to make him familiar with it. His level of confidence must be raised so that he is also able to

make some constructive criticism! which is welcomed! as he is the final user of the system.


37/47


38/47

"he procedure level testing is made first. &y giving improper inputs! the errors occurred are

noted and eliminated. "his is the final step in system life cycle. Here we implement the tested

errorfree system into reallife environment and make necessary changes! which runs in an online

fashion. Here system maintenance is done every months or year based on company policies! and

is checked for errors like runtime errors! long run errors and other maintenances like table

verification and reports.

U0I! !ES!I0-

)nit testing verification efforts on the smallest unit of software design! module. "his is

known as J6odule "estingK. "he modules are tested separately. "his testing is carried out during

programming stage itself. (n these testing steps! each module is found to be working

satisfactorily as regard to the e#pected output from the module.

I0!E-.A!I,0 !ES!I0-

(ntegration testing is a systematic techni%ue for constructing tests to uncover error

associated within the interface. (n the project! all the modules are combined and then the entire

programmer is tested as a whole. (n the integrationtesting step! all the error uncovered is

corrected for the ne#t testing steps.


39/47

#iterature Survey

!itle: -recise Alias Analysis for Static 'etection of $eb Application ,ulnerabilities

Author: B. ovanovic ! 3. Mruegel and . Mirda

)escri*tion: "he number and the importance of web applications have increased rapidly over the

last years. At the same time! the %uantity and impact of security vulnerabilities in such

applications have grown as well. Since manual code reviews are timeconsuming! errorprone

and costly! the need for automated solutions has become evident. (n this paper! we address the

problem of vulnerable web applications by means of static source code analysis. "o this end! we

present a novel! precise alias analysis targeted at the uni%ue reference semantics commonly

found in scripting languages. 6oreover! we enhance the %uality and %uantity of the generated

vulnerability reports by employing a novel! iterative twophase algorithm for fast and precise

resolution of file inclusions.$e integrated the presented concepts into

-i#yWXciteYjovanovicD=2pi#yZshort[! a highprecision static analysis tool aimed at detecting

crosssite scripting vulnerabilities in -H- scripts. "o demonstrate the effectiveness of our

techni%ues! we analyzed three web applications and discovered >D= vulnerabilities. &oth the high

analysis speed as well as the low number of generated false positives show that our techni%ues

can be used for conducting effective security audits.


40/47

!itle:

Fault Injection for Formal Testing of Fault Tolerance

Author: D. Avresky , J. Arlat , J.C. Laprie and . Crou!et

)escri*tion:

"his study addresses the use of fault injection for e#plicitly removing

designFimplementation faults in comple# faulttolerance algorithms and mechanisms *0"A6+!

viz! faulttolerance deficiency faults. A formalism is introduced to represent the 0"A6 by a set

of assertions. "his formalism enables an e#ecution tree to be generated! where each path from the

root to a leaf of the tree is a welldefined formula. "he set of welldefined formulas constitutes a

useful framework that fully characterizes the test se%uence. "he input patterns of the test

se%uence *fault and activation domains+ then are determined to fewer specific structural criteria

over the e#ecution tree *activation of proper sets of paths+. "his provides a framework for

generating a functional deterministic test for programs that implement comple# 0"A6. "his

methodology has been used to e#tend a debugging tool aimed at testing fault tolerance protocols

developed by &)LL 0rance. (t has been applied successfully to the injection of faults in the

interreplica protocol that supports the applicationlevel faulttolerance features of the

architecture of the S-/("funded 'elta; project. "he results of these e#periments are analyzed

in detail. (n particular! even though the target protocol had been independently verified formally!the application of the proposed testing strategy revealed two faulttolerance deficiency faults


41/47

!itle:

1eneration of an rror Set that mulates Software 0aults

Author:

. 3hristmansson and /. 3hillarege

)escri*tion:

A significant issue in fault injection e#periments is that the injected faults are

representative of software faults observed in the field. Another important issue is the time used!

as we want e#periments to be conducted without e#cessive time spent waiting for the

conse%uences of a fault. An approach to accelerate the failure process would be to inject errors

instead of faults! but this would re%uire a mapping between representative software faults and

injectable errors. 0urthermore! it must be assured that the injected errors emulate software faults

and not hardware faults. "hese issues were addressed in a study of software faults encountered in

one release of a large (&6 operating system product. "he key results are2 A general procedure

that uses field data to generate a set of injectable errors! in which each error is defined by2 error

type! error location and injection condition. "he procedure assures that the injected errors

emulate software faults and not hardware faults. "he faults are uniformly distributed *>.:G fault

per module+ over the affected modules. "he distribution of error categories in the (&6 operating

system and the distribution of errors in the "andem 1uardianPD operating system reported

previously were compared and found to be similar. "his result adds a flavor of generality to the

field data presented in the current paper


42/47

!itle:

"esting and 3omparing $eb ,ulnerability Scanning "ools for SQLi and ESS Attacks

Author:

J. Fonseca , ". #ieira and $. "adeira

)escri*tion:

$eb applications are typically developed with hard time constraints and are often

deployed with security vulnerabilities. Automatic web vulnerability scanners can help to locate

these vulnerabilities and are popular tools among developers of web applications. "heir purpose

is to stress the application from the attacker8s point of view by issuing a huge amount of

interaction within it. "wo of the most widely spread and dangerous vulnerabilities in web

applications are SQL injection and cross site scripting *ESS+! because of the damage they may

cause to the victim business. "rusting the results of web vulnerability scanning tools is of utmost

importance. $ithout a clear idea on the coverage and false positive rate of these tools! it is

difficult to judge the relevance of the results they provide. 0urthermore! it is difficult! if not

impossible! to compare key figures of merit of web vulnerability scanners. (n this paper we

propose a method to evaluate and benchmark automatic web vulnerability scanners using

software fault injection techni%ues. "he most common types of software faults are injected in the

web application code which is then checked by the scanners. "he results are compared by

analyzing coverage of vulnerability detection and false positives. "hree leading commercial

scanning tools are evaluated and the results show that in general the coverage is low and the

percentage of false positives is very high


43/47

!itle:

Eception2 Software 0ault (njection and 6onitoring in -rocessor 0unctional )nits

Author:

. 3arreira ! H. 6adeira and .1. Silva

)escri*tion:"his paper presents Eception! a software fault injection and monitoring environment. Eception

uses the advanced debugging and performance monitoring features e#isting in most of the

modern processors to inject more realistic faults by software! and to monitor the activation of the

faults and their impact on the target system behaviour in detail. 0aults are injected with minimum

interference with the target application. "he target application is not modified! no software traps

are inserted! and it is not necessary to e#ecute it in special trace mode *the application is

e#ecuted at full speed+. Eception provides a comprehensive set of fault triggers! including spatial

and temporal fault triggers! and triggers related to the manipulation of data in memory. 0aults

injected by Eception can affect any process running on the target system including the operating

system. Sets of faults can be defined by the user according to several criteria! including the

emulation of faults in specific target processor functional units. -resently! Eception has been

implemented on a parallel machine build around the -ower-3 =D> processor running the -A/(Eoperating system. #periment results are presented showing the impact of faults on several

parallel applications running on a commercial parallel system. (t is shown that up to G:O of the

faults! depending on the processor functional unit affected! can cause the application to produce

wrong results. "he results show that the impact of faults heavily depends on the application and

the specific processor functional unit affected by the fault.


44/47

References

>. ?Sarbanes5#ley Act?! 9DD9

9. Payment ard Industry !PI" #ata $ecurity $tandard ! 9D>D

:. S. 3hristey and /. 6artin Vulnerability %ype #istributions in V& ! 9DDG

'. S. \anero ! L. 3arettoni and 6. \anchetta ?Automatic 'etection of $eb ApplicationSecurity 0laws?! 9DD<

>

P. ?"he -rivacy /ights 3learinghousewww.privacyrights.orgFdatabreach! Accessed > 6ay

9D>:?! 9D>9

>D. 6. 0ossi ?Symantec (nternet Security "hreat /eport2 "rends for 9D>D?! 9D>>

>>. 6. 0ossi ?Symantec /eport on the )nderground conomy! Symantec Security /esponse?!

9DD

>9. /. /ichardson and S. -eters ?9D>DF9D>> 3S( 3omputer 3rime T Security Survey?! 9D>>

>:. '. Avresky ! . Arlat ! .3. Laprie and C. 3rouzet ?0ault (njection for 0ormal "esting of 0ault

"olerance?! I&&& %rans. -eliability! vol. ;PP=

Abstract ] 0ull "e#t2 -'0 *>9DDM&+

>;. '. -owell and /. Stroud ?3onceptual 6odel and Architecture of 6A0"(A?! 9DD:

>PP

>=. . 0onseca and 6. ,ieira ?6apping Software 0aults with $eb Security

,ulnerabilities?! Proc. I&&&/I0IP Int12l. onf. #ependable $ystems and (etorks! 9DD

Abstract ] 0ull "e#t2 -'0 *9D


45/47

>G. . 0onseca ! 6. ,ieira and H. 6adeira ?"raining Security Assurance "eams using

,ulnerability (njection?! Proc. I&&& Pacific -im #ependable omputing onf.! 9DD

Abstract ] 0ull "e#t2 -'0 *9GDM&+ ] 0ull "e#t2 H"6L

>. . Arlat ! A. 3ostes ! C. 3rouzet ! .3. Laprie and '. -owell ?0ault (njection and'ependability valuation of 0ault"olerant Systems?! I&&& %rans. omputers! vol. ;9! no. !

pp.P>: P9: >PP:

Abstract ] 0ull "e#t2 -'0 *>>DDM&+

>P. /. (yer ?#perimental valuation?! Proc. I&&& $ymp. 0ault %olerant omputing ! pp.>><>:9 >PP<

9D. . 3arreira ! H. 6adeira and .1. Silva ?Eception2 Software 0ault (njection and 6onitoring

in -rocessor 0unctional )nits?! I&&& %rans. $oftare &ng.! vol. 9;! no. 9! >PP

9>. '.". Stott ! &. 0loering ! '. &urke ! \. Malbarczpk and /.M. (yer ?B0"A-2 A 0ramework

for Assessing 'ependability in 'istributed Systems with Lightweight 0ault (njectors?! Proc.omputer Performance and #ependability $ymp.! 9DDD

Abstract ] 0ull "e#t2 -'0 *>D;M&+

99. . 3hristmansson and /. 3hillarege ?1eneration of an rror Set that mulates Software

0aults?! Proc. I&&& 0ault %olerant omputing $ymp.! >PP=

Abstract ] 0ull "e#t2 -'0 *P9DM&+

9:. H 6adeira ! 6. ,ieira and '. 3osta ?5n the mulation of Software 0aults by Software 0ault

(njection?! Proc. I&&&/I0IP Int333l onf. #ependable $ystem and (etorks! 9DDD

Abstract ] 0ull "e#t2 -'0 *::9M&+

9;. . 'ur^^es and H. 6adeira ?mulation of Software 0aults2 A 0ield 'ata Study and a

-ractical Approach?! I&&& %rans. $oftare &ng.! vol. :9! no. >>! pp.;P =G 9DD=

Abstract ] 0ull "e#t2 -'0 *


46/47

9=. . 0onseca ! 6. ,ieira and H. 6adeira ?"esting and 3omparing $eb ,ulnerability Scanning

"ools for SQLi and ESS Attacks?! Proc. I&&& Pacific -im Int12l $ymp. #ependable omputing !

9DDG

Abstract ] 0ull "e#t2 -'0 *;G9M&+ ] 0ull "e#t2 H"6L

9G. ?$eb ,ulnerability Scanners 3omparison?! 9DDP

9. 6. &uchler ! . 5udinet and A. -retschner ?SemiAutomatic Security "esting of $eb

Applications from a Secure 6odel?! Proc. Int12l onf. $oftare $ecurity and -eliability! 9D>9

Abstract ] 0ull "e#t2 -'0 *;! no. :! >PPG

Abstract ] 0ull "e#t2 -'0 *>9;M&+

:9. ?isc.sans.orgFdiary.htmlstoryid7:9:! accessed > 6ay 9D>:?! 9DD

::. ?www.ntamonitor.comFpostsF9D>>FD:FD>testsZshowZ

riseZinZnumberZofZvulnerabilitiesZaffectingZwebZapplicationsZ

withZs%lZinjectionZandZ#ssZmostZcommonZflaws.html?! 9D>>

:;. ?pt.php.net! accessed >^^6ay 9D>:?! 9DDG

:


47/47

:P. (. lia ! . 0onseca and 6. ,ieira ?3omparing SQLi 'etection "ools )sing Attack (njection2

An #perimental Study?! Proc. I&&& Int12l $ymp. $oftare -eliability &ng.! 9D>D

Abstract ] 0ull "e#t2 -'0 *GG>M&+ ] 0ull "e#t2 H"6L

;D. A. /iancho ?6oth! &onsai(nformation Security?! 9DDP

;>. &. Livshits ?Stanford Securi&ench?! 9DD<

;9. . 1rossman ?SQLi! ye of the Storm?! %he $ecurity J.! vol. 9=! pp.G >D 9DDP

;:. &. 'amele ?S%lmap2 Automatic SQLi "ool?! 9DDP

;;. ?"iki$iki! tikiwiki.org! Accessed >^^6ay 9D>:?! 9DD

;^^6ay 9D>:?! 9DD

;=. ?avasource.net! 9DD! javasource.netFopensourceFcrawlers! Accessed >^^6ay 9D>:?!

;G. C.$. Huang ! S.M. Huang ! ".-. Lin and 3.H. "sai ?$eb Application Security Assessment by 0ault (njection and &ehavior 6onitoring?! Proc. Int12l onf. ,orld ,ide ,eb! pp.>; >

Documents

Evaluation of Web Security--modified Document