ABSTRACT




In this work on Web application vulnerabilities, we propose a methodology to inject
realistic attacks in Web applications. The methodology is based on the idea that by
injecting realistic vulnerabilities in a Web application and attacking them
automatically, we can assess existing security mechanisms. To provide true-to-life
results, this methodology relies on field studies of a large number of
vulnerabilities in Web applications. The paper also describes a set of tools
implementing the proposed methodology. They allow the automation of the entire
process, including gathering results and analysis. We used these tools to conduct a
set of experiments to demonstrate the feasibility and effectiveness of the proposed
methodology. The experiments include the evaluation of coverage and false positives
of an intrusion detection system for SQL injection and the assessment of the
effectiveness of two Web application vulnerability scanners. Results show that the
injection of vulnerabilities and attacks is an effective way to evaluate security
mechanisms and tools.





				
DOCUMENT INFO
Description: Web application vulnerability ch-1 INTRODUCTION 2 V.V.P.(IT) 1.1 What are Web Applications? Over the past decade or so, the web has been embraced by millions of businesses as an inexpensive channel to communicate and exchange information with prospects and transactions with customers. In particular, the web provides a way for marketers to get to know the people visiting their sites and start communicating with them. One way of doing this is asking web visitors to subscribe to newsletters, to submit an application form when requesting information on products or provide details to customize their browsing experience when next visiting a particular website. The web is also an excellent sales channel for a myriad of organizations, large or small: with over 1 billion Internet users today (source: Computer Industry Almanac, 2006), US e-commerce spending accounted for $102.1 billion in 2006 (source: comScore Networks, 2007). All this data must be somehow captured, stored, processed and transmitted to be used immediately or at a later date. Web applications, in the form of submit fields, enquiry and login forms, shopping carts, and content management systems, are those website widgets that allow this to happen. They are, therefore, fundamental to businesses for leveraging their online presence, thus creating long-lasting and profitable relationships with prospects and customers. No wonder web applications have become such a ubiquitous phenomenon. However, due to their highly technical and complex nature, web applications are a widely unknown and grossly misunderstood fixture in our everyday cyber-life. 1.2 How do web applications work? The figure below details the three-layered web application model. The first layer is normally a web browser or the user interface; the second layer is the dynamic content generation technology tool such as Java servlets (JSP) or Active Server Pages (ASP), and the third layer is the database containing content (e.g., ne