Web Security M.Tech Synopsis


An M.Tech Synopsis on Web Security Techniques

Web Vulnerability Detection and Security Mechanisms (ME CSE 2010)

WEB VULNERABILITY DETECTION AND SECURITY MECHANISMS

A Project Synopsis submitted to the

Solapur University, Solapur

For the Degree of

Master of Engineering

In

Computer Science & Engineering

By

Ms. Anjali Sunil Katkar

Under the guidance of

Prof. R. B. Kulkarni

Department of Computer Science & Engineering

Walchand Institute of Technology, Solapur

Year 2010-2011

CERTIFICATE

This is to certify that Synopsis Report on

WEB VULNERABILITY DETECTION AND SECURITY MECHANISMS

Submitted By

Ms. Anjali Sunil Katkar

is hereby approved in partial fulfillment of the degree of Master of Engineering in Computer Science and Engineering.

Prof. R. B. Kulkarni, Guide, Computer Science & Engg. Dept.

Prof. Rajesh Argiddi, ME-CSE Coordinator, Computer Science & Engg. Dept.

Prof. Dr. Mrs. S. S. Apte, H.O.D., Computer Science & Engg. Dept.

Prof. Dr. S. A. Halkude, Principal


Table of contents

1. Abstract (page 4)
2. Introduction (page 5)
3. Expected Analytical Work (page 6)
4. Requirement (page 9)
5. Expected expenses (page 10)
6. Expected date of schedule (page 10)
7. Expected date of completion (page 10)
8. Conclusion (page 11)
References

Abstract:

We analyze the most common security problems of Web applications. Web application or website security is a new concept with many facets. Website security is top of mind for customers conducting business on websites. Website vulnerability detection relies on the relative predictability of websites to identify security issues. Using a browser and a few simple tricks, hackers can penetrate a website, access the credit card database, and make off with critical data, customer databases or even intranet information, and use it for illegal purposes. Our aim is to provide web security that can be used as a secure tool to define access control and security policies for URLs and cookies, and additionally to analyze web vulnerabilities such as Unvalidated Input, Broken Access Control, Broken Authentication and Session Management, Cross Site Scripting (XSS), Buffer Overflows, Denial of Service (DoS) Attacks, SQL Injection, Insecure Configuration Management, Improper Error Handling, parameter modification, cookie modification, directory traversal and unauthorized access. The results show the evaluation of security mechanisms against these attacks and vulnerabilities. Securing websites against these vulnerabilities is a very difficult and challenging task, as new attack techniques are invented day by day, so the study of the various types of vulnerabilities and attacks, their detection and their solutions is an essential part of the Internet world. The methodology is based on the idea that vulnerabilities in a web application can be attacked automatically, so that we can assess the existing security mechanisms. The security solution can be provided to an existing website application, or to a targeted website while it is being developed. To provide true-to-life results, this methodology relies on field studies of a large number of vulnerabilities in web applications.

Introduction:

Nowadays there is an increasing dependency on web applications, ranging from individuals to large organizations. Almost everything is available on the web. Web applications can be personal web sites, blogs, news, social networks, web mail, bank agencies, forums, e-commerce applications, etc. The global use of web applications makes them a target for malicious minds. As web applications are popularly used for information sharing, web application software security is essentially important. Just providing a firewall alone is not capable of providing security for a web application. Security is the main problem of a website because all types of users visit the site and can place applications there that are harmful to the website. So different types of securing techniques are used to save the website from the insecure medium, and that is referred to as website security. We therefore need security mechanisms for the various vulnerabilities and attacks, and also access control policies and security policies for URLs and cookies. The request processors parse and analyze a request from the client and carry out the policies for that request. However, it is very difficult, even impossible, to require all code of all web applications to be written in a secure way, considering the cost of program development, code mistakes, and the security knowledge of programmers. Security must additionally be provided to existing websites. The framework has to sit between the web server and the user to protect from various types of vulnerabilities and malicious attacks; websites should also be protected from parameter modification and other types of attacks. These website vulnerabilities may have familiar names like SQL Injection and Cross-Site Scripting, or less common monikers like Insufficient Authorization or Predictable Resource Location.

The solution cannot resolve all web security problems but, at least at the present time, it can effectively resolve the most practical and common web-application-level security problems. When securing our networks, we are conditioned to immediately think of firewalls, SSL, Intrusion Detection, and Anti-Virus as components of a complete solution. While they improve certain aspects of security, their impact on protecting the website is marginal. New vulnerabilities require new solutions. Contrary to popular belief, deploying a network firewall will not prevent a hacker from penetrating a gaping hole in your website. To improve the security of the Web, we must dispel this and other widely held misconceptions, including:

A website that uses SSL is secure.

A firewall protects the website, so it's safe from hackers.

The vulnerability scanner did not report any website security issues, so it's secure.

Website security is a developer problem.

We conduct annual security assessments on our website, so it's secure.

We examine the fundamental components of a website, entry points of Web attacks, attack methodologies, and suggested preventive measures for effective website vulnerability management.

Expected Analytical Work:

The Protection phase recognizes two different ways to manage website vulnerabilities:

1. It is best to employ generic countermeasure concepts first, to help ensure that you choose the technology best suited to your needs rather than one that claims to counter the latest hacking technique. The experiment on our target web site, which is protected from known vulnerabilities such as XSS and SQL injection while the website is being developed, shows that the website does not allow these vulnerabilities to be used to attack it.

As shown in the figure above, the website consists of the web application, an application server that provides services, a database that stores data, and a web proxy that protects the web server. Nowadays Rich Internet Application (RIA) technologies such as applets, ActiveX, Ajax, Flash and Silverlight are delivered to the web browser. In the overview of the system, the firewall is placed between the user and the web server; it protects sensitive data and guards against concurrency problems, parameter manipulation and session hijacking. The application in the web server provides security configuration, handling of unvalidated input and error handling mechanisms. The application server provides security by auditing and logging users, authorizing users and protecting sensitive data in the database.

2. It is very difficult to require all code of all web applications to be written in a secure way, considering the cost of program development, code mistakes, and the security knowledge of programmers. So protecting existing web sites from the various types of vulnerabilities and attacks is a challenging task, given the advanced technologies available and skillful attackers.

Our proposal is to have security mechanism software placed between the internal and external firewall to protect our web application; it protects against the various types of vulnerabilities and blocks malicious attacks by enforcing security and access policies.

The following vulnerabilities are frequently used by a hacker to attack web applications; we study these and implement protection against some of them:

Unvalidated Input: Information that arrives from the web browser is not validated by the web application. A third party can alter the web request and pass incorrect or harmful information through it.

Broken Access Control: Access control, sometimes called authorization, is how a web application grants access to content and functions to some users and not others. An attacker may gain a higher level of authority than intended.

Broken Authentication and Session Management: When a user logs in to a web application, a unique session is created. If the session details are not protected correctly, an attacker can steal the session and misuse it.

Cross Site Scripting (XSS): A vulnerability in web applications through which an attacker can steal users' information.

Buffer Overflows: For web applications, an attacker may send a chunk of data that crashes the web application and takes control of some of its processes.

SQL Injection: A code injection technique that exploits a security vulnerability occurring in the database layer of an application.

Improper Error Handling: Error conditions that are expected when operating under normal conditions are not handled properly.

Denial of Service (DoS) Attacks: One form of attack that has been in use since the inception of the Internet and the World Wide Web. In this method, the attacker consumes the system resources of the web server until other legitimate users cannot use the system. This can eventually cause the web application to crash.

Insecure Configuration Management: Each and every server that hosts web applications should be configured securely, as servers are not fully configured for security before the web application is exposed to the public.

Parameter Modification: An invalid or prohibited parameter in a URL request is transferred to the web server, which causes a security problem.

Cookie Modification: Cookies are created to identify, establish, and maintain a valid connection to a unique client or user. Unauthorized users can easily establish a connection with the server by modifying the contents of an authorized user's cookies.

Directory Traversal: Some information or files that are not meant to be exposed to users or clients can be obtained easily just by traversing directories in the address bar of the Internet browser.

Unauthorized Access to Confidential Data or Files: A hacker may break into back-end databases or intercept data packets in transmission that contain confidential data.
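The request processors described in the introduction, which parse a request and apply the URL and cookie policies, can be sketched as follows. This is an added example, not the synopsis's own software; the policy tables, the cookie format and the choice of Python (the synopsis plans Java) are assumptions made here. It covers four of the items above: directory traversal, cookie modification, broken access control, and unvalidated input / parameter modification.

```python
import hashlib
import hmac
import re
from urllib.parse import unquote

SECRET = b"constructed-demo-key"  # placeholder; a deployment would load a real secret
# URL access-control policy: which roles may reach which path prefix
URL_POLICY = {
    "/admin": {"admin"},
    "/account": {"admin", "user"},
    "/": {"admin", "user", "guest"},
}
# Parameter-validation policy: the pattern each accepted parameter must match
PARAM_POLICY = {"id": re.compile(r"^\d{1,9}$"), "q": re.compile(r"^[\w ]{0,64}$")}

def sign_cookie(value: str) -> str:
    """Issue a cookie with an HMAC tag so later modification can be detected."""
    tag = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"

def verify_cookie(cookie: str):
    """Return the cookie's value if its tag is intact, otherwise None."""
    value, _, tag = cookie.rpartition(".")
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag.encode(), expected.encode()) else None

def check_request(path: str, params: dict, cookies: dict) -> list:
    """Apply the policies to one request; an empty list means the request passes."""
    violations = []
    decoded = unquote(path)  # normalise %2e%2e style encodings before checking
    # directory traversal: any '..' segment tries to leave the web root
    if ".." in decoded.split("/"):
        violations.append("directory traversal")
    # cookie modification: the role is trusted only when its HMAC tag verifies
    role = "guest"
    if "role" in cookies:
        role = verify_cookie(cookies["role"])
        if role is None:
            violations.append("cookie modification")
            role = "guest"
    # broken access control: the longest policy prefix that matches decides
    matches = [p for p in URL_POLICY if decoded == p or decoded.startswith(p.rstrip("/") + "/")]
    if role not in URL_POLICY[max(matches, key=len)]:
        violations.append(f"access denied for role {role}")
    # unvalidated input / parameter modification: unknown or malformed values
    for name, value in params.items():
        rule = PARAM_POLICY.get(name)
        if rule is None or not rule.match(value):
            violations.append(f"invalid parameter {name}")
    return violations
```

A real deployment would reject the request (or log and alert) whenever the returned list is non-empty, which is the blocking behaviour the proposal assigns to the software between the firewalls.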

Requirement:

Hardware requirements:

PC with Minimum 1 GB free space.

1 to 2 GB RAM.

Software requirements:

Java 1.7.0, Java Virtual Machine (open source software)

Operating system support:

Windows XP/Vista/7 will be supported.

Expected Expenses:

No hardware requirement other than a PC, and no software expenses, as open source software is used. Working on coding for 3 months (90 days), 3 hrs a day, 1 hr cost: 10$

2 X 90 = 270 hrs

270 X 100 = 27000 Rs.

Expected Schedule:

Time Period: Work to be completed

Dissertation Phase I: Analysis & Design of Project

Dissertation Phase II: Implementation & Result Analysis

Time Period: Work to be Completed

15 days (till Aug 20): Requirement Analysis

15 days (till Sept 10): Data Gathering

15 days (till Sept 20 end): Data Analysis

2 Months (till Nov 20 end): Designing

4 Months (till Apr 21 end): Coding & Implementation

1 Month (till May 28 end): Testing & Debugging

Expected Date Of Completion:

The date of completion may vary depending upon the various features and testing, but the work is expected to be completed around April/May 2011.

Conclusion:

The Internet and the web are becoming vulnerable as advances in technology and skills are put to wrong use, and hacker attacks are becoming much more advanced and complex. So solutions have to be provided for the various types of vulnerabilities. We focus on testing in web vulnerability detection and present a solution to make the detection more efficient. Our proposal is to provide security to existing websites; additionally, we develop a target web site that provides security against known vulnerabilities such as Unvalidated Input, Broken Access Control, Broken Authentication and Session Management, Cross Site Scripting (XSS), Buffer Overflows, Denial of Service (DoS) Attacks, SQL Injection, Insecure Configuration Management, Improper Error Handling, parameter modification, cookie modification, directory traversal and unauthorized access. The result shows that it can detect almost all the pages that may contain vulnerabilities in the target web site and provide a solution for those web sites. Although our solution cannot resolve all web security problems, at least at the present time it can effectively resolve the most practical and common web-application-level security problems.

Implementation Details:

The objective is to build a real-time website with the following fundamentals:

1) At the time of registration, a user must provide a valid email ID. Upon registration, an automated mail will be sent to the user. Only after clicking the link in the mail should the account be activated.

2) Only one instance of an email ID can be used for registration. This eliminates the spam attack.

3) A user needs to change his password after every specific period of time for secure transactions.

4) The user's password should not be saved; rather, a hash must be generated and the database must contain only the hash of the password.

5) At the time of registration, the user must answer a predefined captcha question; if unable, the user will be marked as spam.

6) The user profile should be encrypted with AES encryption.

7) The site must specify roles: Admin, Authenticated User and Guest. Sessions should have different permissions accordingly.

8) The site will be provided with a firewall system to block specific IP addresses.

9) The site should provide on-the-fly content management, i.e. a user can create content and edit it, and other users may comment on it.

10) The website should have cookie management and should filter cookies based on priority.

11) The site should have rules so that a user with specific points can access specific parts of the site.

The site must be developed with Drupal 7.x, a content management system with PHP as the front end and MySQL as the backend.
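As an added illustration of items 1 to 4 (not code from the synopsis or from Drupal), the registration flow below shows one-use activation tokens, one account per email ID, salted password hashing so that only the hash is stored, and a password-age check. It is written in Python rather than the PHP/Java stack the synopsis names; the 90-day rotation period and the one-day token lifetime are assumed values.

```python
import hashlib
import os
import secrets
import time

PBKDF2_ROUNDS = 100_000            # work factor for PBKDF2-HMAC-SHA256
PASSWORD_MAX_AGE = 90 * 24 * 3600  # item 3: rotation period, assumed to be 90 days
TOKEN_TTL = 24 * 3600              # activation link lifetime, assumed to be one day

def hash_password(password: str, salt: bytes = None) -> tuple:
    """Item 4: derive a salted hash; only the salt and hash are ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

class Registry:
    def __init__(self, now=time.time):
        self.now = now      # injectable clock so expiry can be tested
        self.users = {}     # email -> record; stands in for the MySQL table
        self.pending = {}   # activation token -> (email, expiry)

    def register(self, email: str, password: str) -> str:
        """Items 1 and 2: one account per email, inactive until the link is used."""
        email = email.strip().lower()
        if email in self.users:
            raise ValueError("email already registered")
        salt, digest = hash_password(password)
        self.users[email] = {"salt": salt, "hash": digest, "active": False,
                             "pw_set": self.now()}
        token = secrets.token_urlsafe(32)
        self.pending[token] = (email, self.now() + TOKEN_TTL)
        return token  # would go into the activation mail; returned here instead

    def activate(self, token: str) -> bool:
        """Item 1: a token works once and only before it expires."""
        entry = self.pending.pop(token, None)
        if entry is None or entry[1] < self.now():
            return False
        self.users[entry[0]]["active"] = True
        return True

    def login(self, email: str, password: str) -> str:
        """Return 'ok', 'rotate' when the password is older than allowed, or 'denied'."""
        user = self.users.get(email.strip().lower())
        if user is None or not user["active"]:
            return "denied"
        _, digest = hash_password(password, user["salt"])
        if not secrets.compare_digest(digest, user["hash"]):
            return "denied"
        return "rotate" if self.now() - user["pw_set"] > PASSWORD_MAX_AGE else "ok"
```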
