
    Reverse Proxy Framework using Sanitization Technique for Intrusion Prevention in Database

    With the increasing importance of the internet in our day-to-day life, data security in web applications has become crucial. Ever-increasing online and real-time transaction services have led to a manifold rise in the problems associated with database security. Attackers use illegal and unauthorized approaches to hijack confidential information such as usernames, passwords and other vital details. Hence real-time transactions require security against web-based attacks. SQL injection and cross-site scripting are the most common application-layer attacks. The SQL injection attacker passes SQL statements through a web application's input fields, URL or hidden parameters and gets access to the database or updates it. The attacker takes advantage of user-provided data in such a way that the user's input is handled as SQL code. Using this vulnerability an attacker can execute SQL commands directly on the database. SQL injection attacks are among the most serious threats that take user input and integrate it into an SQL query. Reverse Proxy is a technique used to sanitize user inputs that may otherwise turn into a database attack. In this technique a data redirector program redirects the user's input to the proxy server before it is sent to the application server. At the proxy server, a data cleaning algorithm is triggered using a sanitizing application. In this framework we include detection and sanitization of the tainted information being sent to the database and propose a new prototype. Comment: 9 pages, 6 figures, 3 tables; CIIT 2013 International Conference, Mumba

    Vulnerability anti-patterns: a timeless way to capture poor software practices (Vulnerabilities)

    There is a distinct communication gap between the software engineering and cybersecurity communities when it comes to addressing recurring security problems, known as vulnerabilities. Many vulnerabilities are caused by software errors that are created by software developers. Insecure software development practices are common due to a variety of factors, which include inefficiencies within existing knowledge transfer mechanisms based on vulnerability databases (VDBs), software developers perceiving security as an afterthought, and lack of consideration of security as part of the software development lifecycle (SDLC). The resulting communication gap also prevents developers and security experts from successfully sharing essential security knowledge. The cybersecurity community makes its expert knowledge available in forms including vulnerability databases such as CAPEC and CWE, and pattern catalogues such as Security Patterns, Attack Patterns, and Software Fault Patterns. However, these sources are not effective at providing software developers with an understanding of how malicious hackers can exploit vulnerabilities in the software systems they create. As developers are familiar with pattern-based approaches, this paper proposes the use of Vulnerability Anti-Patterns (VAP) to transfer usable vulnerability knowledge to developers, bridging the communication gap between security experts and software developers. The primary contribution of this paper is twofold: (1) it proposes a new pattern template, the Vulnerability Anti-Pattern, that uses anti-patterns rather than patterns to capture and communicate knowledge of existing vulnerabilities, and (2) it proposes a catalogue of Vulnerability Anti-Patterns (VAP) based on the most commonly occurring vulnerabilities that software developers can use to learn how malicious hackers can exploit errors in software

    Strategic Techniques for Enhancing Web Services Security in Cloud Computing Model

    The 21st century has witnessed an integration of enterprise business processes with emerging techniques in a quest to maximize opportunities and organisational strength. In spite of this, vulnerabilities and risks still abound due to the integration needed for an effective operational mechanism. Mitigating these requires strategic techniques for enhancing web services security. It is against this background that this paper is presented. A critical study of web services architecture and the cloud computing model as an emerging technology is given in a succinct digest. Furthermore, recent trends in web services and cloud computing model security issues are evaluated. The threats to web services applications deployed in cloud computing are identified, and strategic techniques for enhancing web services security are presented as a proactive measure for enhancing enterprise success. This paper concludes by reiterating the need to understand the various security threats and to react to them proactively and dynamically. Keywords: Web Services, Cloud Computing, Cross Site Scripting, SQL Injection and Web Securit

    Web application penetration testing: an analysis of a corporate application according to OWASP guidelines

    During the past decade, web applications have become the most prevalent way to deliver services over the Internet. As they become deeply embedded in business activities and are required to support sophisticated functionality, their design and implementation are becoming more and more complicated. This increasing popularity and complexity make web applications a primary target for hackers on the Internet. According to Internet Live Stats, as of February 2019 an enormous number of websites are attacked every day, with direct and significant impact on a huge number of people. Even with support from security specialists, organisations continue to have trouble due to the complexity of penetration procedures and the vast number of test cases in both penetration testing and code review. As a result, the number of hacked websites per day is increasing. The goal of this thesis is to summarize the most common and critical vulnerabilities that can be found in a web application, provide a detailed description of them, explain how they could be exploited and how a cybersecurity tester can find them through the process of penetration testing. To better understand the concepts presented, a case study is also described: a penetration test performed on a company's web application

    Web Portal for Home Buyer’s Selections

    Customer satisfaction is one of the most important factors for a successful business in the home building industry. Furthermore, customer service is the most important component affecting home buyer satisfaction. Visiting a design center usually takes 5--7 hours for each customer to select all the interior options for the whole house. Time would be saved and frustration avoided if the options could be reviewed beforehand. The goal of this project is to implement a customer portal for home buyers to select options for their homes. Before the web portal can be implemented, a literature review is required of the technologies needed for the implementation. Several technologies are researched in the areas of web application frameworks, application programming interfaces, user interface design and security. This thesis presents a design and implementation for a web portal using modern technologies. React is selected from the frameworks for the implementation because of its performance and suitability for small projects. In addition, Web API is used as the application programming interface due to its evolvability, flexibility, performance and ease of use. User interface design tips and guidelines are given on website design, navigation and page design. The page navigation guidelines proved to be the most useful of the tips for this project. The security part of this project reviews common security risks, access control, token-based authentication and single sign-on. The technologies selected for the implementation proved to be appropriate for this project. Thus, they can be recommended to anyone implementing a web application.

    Customer satisfaction is one of the most important factors for business in home construction. Customer service is the most important factor affecting home buyer satisfaction. A customer's visit to the design center and the selection of the options belonging to the house may take five to seven hours. Time would be saved and frustration avoided if the options could be reviewed beforehand. The goal of this project is to develop a customer portal for home buyers to select options for their house. Before the web portal can be implemented, a literature review of the technologies needed for it must be carried out. Several technologies were studied relating to web application frameworks, programming interfaces, user interface design and security. This thesis presents a design and implementation for a web portal using modern technologies. Of the frameworks, React is chosen for the implementation because of its performance and suitability for small projects. Of the programming interfaces, Web API is chosen for the implementation because it is easy to develop further, flexible, performant and easy to use. For user interface design, guidelines and tips are given on website design, navigation and page design. The guidelines on page navigation proved to be the most useful of the tips covered. The security section covers common security threats, access control, token-based authentication and single sign-on. The technologies chosen for the implementation were found to be suitable for this project, and they can also be recommended for other web applications

    Coding policies for secure web applications


    Exploitation of Vulnerabilities in Cloud-Storage

    The paper presents the vulnerabilities of cloud storage and various possible attacks exploiting these vulnerabilities that relate to cloud security, which is one of the challenging features of cloud computing. The attacks are classified into three broad categories, of which the social-networking-based attacks are the recent attacks which are evolving out of existing technologies such as P2P file sharing. The study is extended to available defence mechanisms and current research areas of cloud storage. Based on the study, a simple cloud storage is implemented and the major aspects such as login mechanism, encryption techniques and key management techniques are evaluated against the presented attacks. The study proves that cloud storage consumers are still dependent on the trust and contracts agreed with the service provider and there is no hard way of proven defense mechanisms against the attacks. Further down, the emerging technologies could possibly break down all key-based encryption mechanisms