TABLE OF CONTENTS CHAPTER NO. TITLE PAGE NO. LIST OF TABLES LIST OF FIGURES LIST OF SYMBOLS AND ABBREVIATIONS
Author:
Ashlyn Bradley
TABLE OF CONTENTS

CHAPTER NO.  TITLE ... PAGE NO.

ABSTRACT ... iii
LIST OF TABLES ... xiv
LIST OF FIGURES ... xvi
LIST OF SYMBOLS AND ABBREVIATIONS ... xx

1  INTRODUCTION ... 1
1.1  ENTERPRISE WEB APPLICATION PARADIGM ... 1
1.1.1  Web Application Architecture ... 1
1.1.2  Web Applications ... 3
1.1.3  Web Application Components ... 4
1.1.4  Web Functionality ... 4
1.1.4.1  Server-side functionality ... 5
1.1.4.2  Client-side functionality ... 6
1.1.4.3  State and sessions in web applications ... 7
1.2  HOLISTIC WEB SECURITY ... 8
1.3  WEB APPLICATION SECURITY ... 10
1.3.1  Threat Classification Taxonomy ... 12
1.4  SQL INJECTION ... 17
1.4.1  Redirecting and Reshaping the Query ... 17
1.4.1.1  Tautology ... 18
1.4.1.2  Union query ... 19
1.4.1.3  Piggy-backed query ... 20
1.4.2  Error Based Query ... 21
1.4.3  Injection through Stored Procedure ... 22
1.4.4  Blind SQL Injection ... 23
1.5  XPATH INJECTION ... 24
1.5.1  XPath Injection Motivation and Consequences ... 25
1.6  CROSS-SITE SCRIPTING ATTACK ... 26
1.6.1  Persistent XSS Attack ... 27
1.6.2  Non-Persistent XSS Attack ... 28
1.6.3  DOM based XSS Attack ... 30
1.7  SESSION HIJACKING ... 31
1.7.2  Session ID Fixation Attack ... 31
1.7.3  Browser Hijacking ... 32
1.7.4  Background XSS Propagation ... 33
1.7.4.1  Propagation via iframe inclusion ... 34
1.7.4.2  Propagation via pop under windows ... 34
1.8  WEB SERVICES FOR WEB APPLICATION SECURITY ... 35
1.9  ORGANIZATION OF THE THESIS ... 37

2  LITERATURE REVIEW ... 39
2.1  INTRODUCTION ... 39
2.2  VULNERABILITY ANALYSIS AND SCANNER ... 39
2.2.1  Limitations of the Vulnerability Scanner ... 41
2.3  THREAT MODELLING ... 42
2.4  SECURITY PERIMETER ... 44
2.5  THREAT CLASSIFICATION ... 45
2.6  SQL INJECTION ... 51
2.6.1  SQL Injection Prevention-Intrusion Detection System ... 52
2.6.2  Static Approach for the SQL Injection Countermeasures ... 53
2.6.3  Dynamic Approach for the SQL Injection Countermeasures ... 55
2.6.4  Hybrid SQLIA Prevention Approach ... 58
2.6.5  Mutation Based Approach to Detect SQL Injection ... 60
2.7  XPATH INJECTION ... 61
2.8  CROSS-SITE SCRIPTING ... 63
2.8.1  Detection of Cross-Site Scripting Attack by the Client Side Approach ... 64
2.8.2  Detection of Cross-Site Scripting Attack through Server Side Deployment ... 67
2.8.3  Prevention of XSS Attack through Static String Analysis ... 70
2.9  SESSION HIJACKING ... 73
2.10  LIMITATIONS OF THE EXISTING APPROACHES ... 75
2.11  OBJECTIVES ... 77

3  SYSTEM ARCHITECTURE ... 79
3.1  INTRODUCTION ... 79
3.2  WAPS-CIVS ARCHITECTURE ... 81
3.2.1  User Data Interceptor ... 83
3.2.2  SQL Injection Preventer ... 84
3.2.3  XPath Injection Preventer ... 85
3.2.4  Cross-Site Scripting Preventer ... 86
3.2.5  Session Hijacking Preventer ... 88
3.2.6  Error Customizer and Log File Monitor ... 90
3.3  WAPS-CIVS with Web Services ... 92
3.4  CHAPTER SUMMARY ... 93

4  SQL INJECTION PREVENTION SYSTEM ... 94
4.1  INTRODUCTION ... 94
4.2  SQL INJECTION PREVENTER ... 94
4.2.1  Aspect Oriented Programming ... 97
4.2.2  Query Interceptor ... 98
4.2.3  XML Schema Design ... 99
4.2.4  Syntactic Verification Module ... 102
4.2.5  XML Query Generation Module ... 103
4.2.6  Customize Error Generation Module ... 106
4.3  RESULTS AND DISCUSSION ... 109
4.4  CHAPTER SUMMARY ... 113

5  XPATH INJECTION PREVENTER ... 114
5.1  INTRODUCTION ... 114
5.2  XPATH INJECTION MOTIVATION AND CONSEQUENCES ... 115
5.3  COMMON PREVENTIVE MEASURES FOR XPATH INJECTION ... 115
5.4  XPATH INJECTION PREVENTER ... 116
5.4.1  XQuery Interception ... 119
5.4.2  XQuery Analyzer ... 120
5.4.3  XQuery Validation ... 121
5.5  RESULTS AND DISCUSSION ... 125
5.6  CHAPTER SUMMARY ... 128

6  CROSS-SITE SCRIPTING PREVENTER ENGINE ... 130
6.1  INTRODUCTION ... 130
6.2  CROSS-SITE SCRIPTING PREVENTION ENGINE ... 131
6.2.1  Interception Module ... 133
6.2.2  Graph Generation ... 134
6.2.3  Graph Traversal ... 139
6.2.4  Blacklist Character Verification ... 140
6.3  RESULTS AND DISCUSSION ... 142
6.4  CHAPTER SUMMARY ... 146

7  SESSION HIJACKING PREVENTER ... 148
7.1  INTRODUCTION ... 148
7.2  SESSION HIJACKING PREVENTER ARCHITECTURE ... 149
7.3  PREVENTION OF SESSION ID FIXATION ATTACK ... 151
7.3.1  Dynamic ID Generation ... 153
7.3.2  Dynamic Session ID Mapping ... 154
7.4  BROWSER HIJACKING PREVENTION ... 156
7.4.1  Extracting nonce Value ... 158
7.4.2  Generate One-Time URL with rnonce Value ... 159
7.5  BACKGROUND XSS PROPAGATION PREVENTION ... 161
7.5.1  Preventing XSS Propagation ... 163
7.5.2  Forming Domain Cluster ... 164
7.5.3  Sub-domain Switching ... 165
7.6  FILE SYSTEM LOG ENTRY ... 168
7.7  RESULTS AND DISCUSSION ... 169
7.7.1  Session ID Fixation Prevention Results ... 169
7.7.2  Browser Hijacking Prevention Results ... 172
7.7.3  Background XSS Propagation Prevention Results ... 174
7.8  CHAPTER SUMMARY ... 178

8  CONCLUSION AND FUTURE ENTANGLEMENT ... 180
8.1  SUMMARY ... 180
8.2  CONTRIBUTIONS OF THIS RESEARCH ... 183
8.3  JUSTIFICATION FOR THIS STUDY ... 184
8.4  FUTURE ENHANCEMENTS ... 185

REFERENCES ... 187
LIST OF PUBLICATIONS ... 200
CURRICULUM VITAE ... 202
LIST OF TABLES

TABLE NO.  TITLE ... PAGE NO.

1.1  Web application threat types and issues ... 13
2.1  Comparison of XSS attacks ... 72
4.1  SQL keywords / Non-SQL keywords classification ... 103
4.2  SQL keywords / Non-SQL keywords – tautology query ... 105
4.3  Comparison of the SQL injection preventer with other methods ... 110
4.4  Response time analysis with the SQL injection preventer ... 111
5.1  Comparison of the XPath injection preventer of WAPS-CIVS with the other methods ... 126
5.2  Response time assessment of the WAPS-CIVS system ... 127
6.1  Sample blacklist characters ... 141
6.2  Detection of the XSS attack with various kinds of vulnerability ... 143
6.3  Comparison of WAPS-CIVS with the other methods ... 144
6.4  Overhead response time comparison ... 145
7.1  Comparison of the session ID fixation attack preventer with the static analysis method ... 170
7.2  Response time comparison for the session ID fixation module ... 171
7.3  Comparison of the browser hijacking preventer with the static analysis method ... 172
7.4  Response time comparison for the session ID fixation module ... 173
7.5  Comparison of the background XSS propagation preventer with the static analysis method ... 175
7.6  Response time comparison for the background XSS propagation module ... 176
LIST OF FIGURES

FIGURE NO.  TITLE ... PAGE NO.

1.1  Three-tier web application architecture ... 2
1.2  Holistic security approach ... 8
1.3  Web application attack model ... 11
1.4  Tautology query – SQL injection ... 18
1.5  Union query – SQL injection ... 19
1.6  Piggy-back query – SQL injection ... 20
1.7  Background XSS propagation ... 34
1.8  Web service for the web application security ... 36
2.1  Threat classification taxonomy ... 46
2.2  Web application vulnerability by attack technique 2004-2012 ... 50
2.3  Prevention strategies of the SQL injection attacks ... 52
3.1  System architecture of WAPS-CIVS ... 82
3.2  Overall view of SQL injection preventer ... 85
3.3  XPath injection preventer ... 86
3.4  Overall representation of cross-site scripting preventer system ... 87
3.5  Session hijacking preventer ... 89
3.6  Error customizer and log file module ... 91
4.1  SQL injection preventer system architecture ... 96
4.2  Architecture of aspect oriented programming ... 98
4.3  SQL statement classification schema ... 100
4.4  Select statement schema structure ... 101
4.5  Where schema structure ... 102
4.6  Tree structure with the result set ... 104
4.7  Tautology SQL query tree structure ... 105
4.8  Valuable result set ... 107
4.9  Log file ... 108
4.10  Generalized (customized) error ... 108
4.11  Comparison of the SQL injection preventer with other methods ... 111
4.12  Comparison graph for the response time of the system ... 112
5.1  XPath injection preventer system architecture ... 118
5.2  XML file for the tautology query ... 121
5.3  XML Schema definitions ... 122
5.4  XML tree structure of the XML file ... 123
5.5  XML file validation through SAX ... 124
5.6  Log file ... 124
5.7  Comparison of XPath injection preventer with the other methods ... 126
5.8  Response time analysis graph ... 128
6.1  Cross-site scripting prevention engine architecture ... 132
6.2  Servlet filter mapping ... 134
6.3  Script in the HTTP request ... 135
6.4  Graph generated for an HTTP request ... 136
6.5  Script in the HTTP response ... 137
6.6  Graph generated for an HTTP response ... 138
6.7  Adjacency matrix for the HTTP request and HTTP response ... 140
6.8  Comparison of the WAPS with the other methods ... 145
6.9  Response time comparison between the WAPS-CIVS with the XSS prevention system and without the XSS prevention system ... 146
7.1  Session hijacking preventer architecture ... 150
7.2  Session ID fixation preventer engine ... 151
7.3  Database for session cookies ... 153
7.4  Dynamic session ID mapping ... 154
7.5  Attacker httponly cookies ... 155
7.6  Original session ID crafted link ... 155
7.7  Prevent session ID fixation attack ... 156
7.8  Browser hijacking attack on Google page ... 157
7.9  Browser hijacking prevention system ... 157
7.10  One-time URL with rnonce value ... 159
7.11  Database for nonce value with a single user session ... 160
7.12  Server errors for the browser hijacking attack ... 161
7.13  Background XSS propagation prevention system ... 162
7.14  Popup window attack with user information ... 164
7.15  Domain cluster information ... 165
7.16  Selecting target domain for sub-domain switching ... 166
7.17  Preventing background XSS propagation ... 167
7.18  Sample file system log entry ... 168
7.19  Comparison of WAPS-CIVS with the static analysis method ... 170
7.20  Response time evaluation of the session ID fixation prevention module ... 171
7.21  Comparison of the WAPS-CIVS (session ID fixation preventer) with the static analysis method ... 173
7.22  Response time evaluation of the browser hijacking prevention module ... 174
7.23  Comparison of the WAPS-CIVS (background XSS propagation preventer) with the static analysis method ... 176
7.24  Response time evaluation of background XSS propagation ... 177
7.25  Entire session hijacking prevention module's response time assessment ... 178
LIST OF SYMBOLS AND ABBREVIATIONS

Symbols

a_{i,j} – Adjacency matrix entry at row i and column j
E – Edge
G – Graph
n – Number of vertices
V – Vertex

Abbreviations

AJAX – Asynchronous JavaScript and XML
AMNESIA – Analysis and monitoring for neutralizing SQL injection attacks
ANSI/ISO – American national standards institute / international organization for standardization
AOP – Aspect oriented programming
API – Application programming interface
ASP – Active server page
AVDL – Application vulnerability description language
CERT – Centre of internet security
CFL – Context-free language
COBIT – Control objectives for information and related technology
CORBA – Common object request broker architecture
CVE – Common vulnerabilities and exposures
CWE – Common weakness enumeration
DFS – Depth-first search
DMZ – Demilitarized zone
DOM – Document object model
DoS – Denial of service
DDoS – Distributed denial of service
ERP – Enterprise resource planning
FSA – Final state automata
HTML – Hypertext markup language
HTTP – Hypertext transfer protocol
HTTPS – Secure hypertext transfer protocol
ID – Identifier
IDS – Intrusion detection system
IIS – Internet information services
ISO – International organization for standardization
ISP – Internet service provider
ISPAWAD – Integrated security and performance aspects for web based applications
JDBC – Java database connectivity
JSP – Java server page
LDAP – Lightweight directory access protocol
MD5 – Message digest 5
MSIL – Microsoft intermediate language
MUSIC – MUtation-based SQL injection vulnerabilities checking
OTC – One time cookie
OWASP – Open web application security project
PCI/DSS – Payment card industry / data security standard
PHP – Hypertext pre-processor
PKI – Public key infrastructure
PQL – Program query language
RDBMS – Relational database management system
RFID – Radio frequency identification
RUP – Rational unified process
S2XS2 – Server side cross site scripting
SANIA – Semantic analysis for automated testing against SQL injection
SAX – Simple application programming interface for XML
SDLC – Software development life cycle
SID – Session identifier
SOAP – Simple object application protocol
SQL-IF – SQL injection free
SQL – Structured query language
SQLIA – SQL injection attack
SSI – Server side include
SSL – Secure socket layer
TCP/IP – Transfer control protocol / internet protocol
TLS – Transport layer security
URL – Uniform resource locator
VBScript – Visual basic script
WAPS-CIVS – Web applications secure system from code injection vulnerabilities through web services
WASC – Web application security consortium
WRAPS – Web referral architecture for privileged service
W3C – World wide web consortium
WWW – World wide web
XML – eXtensible markup language
XPath – XML path language
XQuery – XML query language
XSS – Cross-site scripting