web application scanner

Upload: omar-farooq

Post on 30-May-2018


  • 8/9/2019 Web Application Scanner

    1/73

    WEB APPLICATION SCANNER

    A PROJECT REPORT

    Submitted by

    OMAR FAROOQ.M (22506205304)

    TAMJEED AHMED.J (22506205057)

    in partial fulfillment for the award of the degree

    of

    BACHELOR OF TECHNOLOGY

    in

    INFORMATION TECHNOLOGY

    LOYOLA INSTITUTE OF TECHNOLOGY, CHENNAI

    ANNA UNIVERSITY:: CHENNAI 600 025

    APRIL 2010


    ANNA UNIVERSITY : CHENNAI 600 025

    BONAFIDE CERTIFICATE

    Certified that this project report WEB APPLICATION SCANNER is the bonafide work of OMAR FAROOQ.M (22506205304) and TAMJEED AHMED.J (22506205057), who carried out the project work under my supervision.

    SIGNATURE                                   SIGNATURE

    Mr. S. Suresh, M.S.                         Mr. P. Satish Kumar, M.E.
    Head of the Department                      Lecturer
    Information Technology,                     Dept. of Computer Science and Engineering,
    Loyola Institute of Technology,             Loyola Institute of Technology,
    Palanchur, Chennai - 602 103.               Palanchur, Chennai - 602 103.

    Submitted for University Examination held on .04.10

    INTERNAL EXAMINER                           EXTERNAL EXAMINER


    ACKNOWLEDGEMENT

    With a deep sense of gratitude, we wish to acknowledge the support and help extended by all the many people for the successful accomplishment of this work.

    First of all, we thank the Almighty for giving us the courage to complete this project.

    We owe a special debt of gratitude to Rev. Fr. Dr. ARUL RAJ OMI, our chairman, Rev. Sr. JEHANI DMI, our secretary, and Sr. SANDHYA DMI, our administrator, for giving motivation in all aspects.

    We express our sincere thanks to our respected director and our beloved principal Dr. N.K. BALUCHAMY, Ph.D., for providing us with adequate infrastructure and a congenial academic environment.

    We express our gratitude to the Head of the Department of Information Technology, MR. S. SURESH, M.S., whose guidance and encouragement has helped us in completing this project work. We extend our sincere thanks to our project coordinator and internal guide, Mr. P. SATISH KUMAR, M.E., for giving us the confidence to complete the project successfully by providing valuable suggestions and interest at every stage of the project.

    We would be failing in our duty if we don't mention the wholehearted support and technical assistance extended to us by the staff members and lab assistants of our department.


    TABLE OF CONTENTS

    CHAPTER NO   TITLE                                        PAGE NO

                 ABSTRACT                                     VI
                 LIST OF FIGURES                              VII
                 LIST OF SYMBOLS/ABBREVIATIONS                VIII
    1            INTRODUCTION                                 1
    1.1          PROJECT OVERVIEW                             1
    1.2          EXISTING SYSTEM                              1
    1.3          PROPOSED SYSTEM                              2
    2            PROJECT DESCRIPTION                          4
    2.1          LITERATURE REVIEW                            4
    2.2          MODULE DESCRIPTION                           5
    2.2.1        USER MANAGEMENT                              5
    2.2.2        CLIENT ACCOUNT LEVEL DATA                    5
    2.2.3        SERVICE LEVEL DATA                           6
    2.2.4        GATHERING DATA FROM APPLICATION              6
    2.2.5        SCANNING APPLICATION                         6
    2.2.6        TRACKING ATTACK                              7
    2.2.7        MAINTAIN LOGS AND REPORTS                    7
    2.3          METHODOLOGY                                  7
    2.3.1        BYTE CODE ENGINEERING                        7
    2.3.2        JAVA CLASS FILE FORMAT                       9
    2.3.3        BYTE CODE INSTRUCTION SET                    10
    2.3.4        THE BCEL-API                                 12
    3            SYSTEM REQUIREMENT                           15
    3.1          REQUIREMENTS SPECIFICATION                   15
    3.1.1        HARDWARE REQUIREMENT                         15
    3.1.2        SOFTWARE REQUIREMENT                         15
    3.2          TECHNOLOGIES                                 15
    3.2.1        SERVLETS                                     16
    3.2.2        JSP                                          18
    3.2.3        JAVASCRIPT                                   20
    4            SYSTEM DESIGN                                21
    4.1          ARCHITECTURAL DESIGN                         21
    4.1.1        ARCHITECTURAL STYLES                         22
    4.2          DATA FLOW MODEL                              24
    4.2.1        LEVEL 0 DFD                                  24
    4.2.2        LEVEL 1 DFD                                  24
    4.2.3        LEVEL 2 DFD                                  25
    4.3          INTERFACE DESIGN                             25
    5            ATTACKS                                      27
    5.1          SQL INJECTION                                27
    5.2          CROSS SITE SCRIPTING                         30
    6            TESTING                                      35
    6.1          VALIDATION TESTING                           35
    6.2          OUTPUT TESTING                               36
    6.2.1        DEVIATION                                    36
    6.3          SYSTEM TESTING                               36
    6.4          ACCEPTANCE TESTING                           37
    7            SCREENSHOTS                                  38
    8            CONCLUSION                                   49
    8.1          FUTURE ENHANCEMENTS                          49
                 APPENDICES                                   50
                 REFERENCE                                    63

    ABSTRACT

    Software assurance tools are a fundamental resource for providing an assurance argument for today's software applications throughout the software development lifecycle (SDLC). Software requirements, design models, source code, and executable code are analyzed by tools in order to determine if an application is secure. This project constitutes a specification for a particular type of software assurance tool, which is referred to here as a web application security scanner. A web application security scanner is an automated program that examines web applications for potential security vulnerabilities. In addition to searching for web application-specific vulnerabilities, this tool also looks for software coding errors and maintains a log.

    This tool can detect vulnerabilities of the finalized release candidate before shipping. It simulates a malicious user by attacking and probing, and seeing what results are not part of the expected result set. As a dynamic testing tool, it is not language dependent. A web application scanner is able to scan JAVA/JSP, PHP or any other engine-driven web application.


    LIST OF FIGURES

    FIG.NO   TITLE                                                PAGE NO

    2.3.2    Java class file format                               10
    4.1      Architectural diagram of WEB APPLICATION SCANNER     23
    4.2.1    Level 0 DFD                                          24
    4.2.2    Level 1 DFD                                          24
    4.2.3    Level 2 DFD                                          25
    5.2      CROSS-SITE SCRIPTING                                 33


    LIST OF SYMBOLS/ABBREVIATIONS

    J2EE: Java 2 Enterprise Edition is a programming platform, part of the Java Platform, for developing and running distributed multi-tier architecture Java applications, based largely on modular software components running on an application server.

    CSS: Cascading Style Sheets, used for designing the HTML content.

    HTML: Hypertext Markup Language is a markup language used to design static web pages.

    HTTP: Hypertext Transfer Protocol is a transaction-oriented client/server protocol between a web browser and a web server.

    HTTPS: Secure Hypertext Transfer Protocol is HTTP over SSL (Secure Sockets Layer).

    TCP/IP: Transmission Control Protocol/Internet Protocol, the suite of communication protocols used to connect hosts on the Internet. TCP/IP uses several protocols, the two main ones being TCP and IP.

    DHTMLX: DHTMLX is a JavaScript library which unites numerous products for the creation of rich UIs for web applications. The whole interface and browser-side work of the application can be built merely by using DHTMLX components. On the other hand, you are not limited to that, and you can still create the application the way you like, using DHTMLX components to implement some specific functionality.

    FusionCharts: Helps you create animated and interactive Flash charts for web and desktop applications. It livens up your applications by converting monotonous data into exciting visuals.


    CHAPTER 1

    INTRODUCTION

    1.1 PROJECT OVERVIEW

    As organizations have grown increasingly dependent on online software, the risk of malicious attacks has also become far more serious. Such attacks can bring a business to a standstill, cost a company millions of dollars in lost transactions and potentially tarnish its brand image.

    Fortunately, well-governed organizations can protect their Web applications by injecting vulnerability assessments and ethical hacks into their software development and delivery processes. By using automated tools to perform these checks throughout the online application lifecycle, auditors, developers and quality assurance (QA) professionals can help foil hackers and reduce their company's exposure to potential business losses.

    This application describes the most common hacker attacks and provides basic rules that can help to create more hack-resistant Web applications.

    1.2 EXISTING SYSTEM

    At present, white-box testing is used, which has not seen widespread use for finding security flaws in web applications.

    -It tests only the structure.

    -It relies on a database of known bugs.

    -It is not automated.

    -It has limited detection capabilities.

    -When the coding complexity increases, this type of scanning tool fails to detect the attacks.

    1.3 PROPOSED SYSTEM

    In practice, black-box vulnerability scanners are used to discover security problems in web applications.

    -To increase the confidence in the correctness of our scan results, our tool also attempts to automatically generate proof-of-concept exploits in certain cases.

    -There is a need for a scanner that covers a broad range of general classes of vulnerabilities, without specific knowledge of bugs in particular versions of web applications.

    -The web application scanner uses a black-box approach to crawl and scan web sites for the presence of exploitable SQL injection and XSS vulnerabilities.

    -Our system does not rely on a database of known bugs. Instead, the distinctive, underlying properties of application-level vulnerabilities are exploited to detect affected programs.

    -The web application scanner has a flexible architecture that consists of multithreaded crawling, attack, and analysis components.

    -With the help of a graphical user interface, the user can configure single or combined crawling and attack runs.

    -These tools operate by launching attacks against an application and observing its response to these attacks.

    -These tools are valuable components when auditing the security of a web site, but they largely lack the ability to identify a priori unknown instances of vulnerabilities.


    SCOPE:

    i. Customer registration and profile management

    ii. Static information about most common risks and vulnerabilities.

    iii. Users can see their historical scan data and reports.

    iv. Secure access to confidential data (user details); SSL is used.


    CHAPTER 2

    PROJECT DESCRIPTION

    2.1 LITERATURE REVIEW

    At present, white-box testing is used, which has not seen widespread use for finding security flaws in web applications. An important reason is the limited detection capability of white-box analysis tools, in particular due to heterogeneous programming environments and the complexity of applications that incorporate database, business logic, and user interface components.

    In practice, black-box vulnerability scanners are used to discover security problems in web applications. These tools operate by launching attacks against an application and observing its response to these attacks. These tools are valuable components when auditing the security of a web site, but they largely lack the ability to identify a priori unknown instances of vulnerabilities.

    There is a need for a scanner that covers a broad range of general classes of vulnerabilities, without specific knowledge of bugs in particular versions of web applications. The web application scanner uses a black-box approach to crawl and scan web sites for the presence of exploitable SQL injection and XSS vulnerabilities. Our system does not rely on a database of known bugs. Instead, the distinctive, underlying properties of application-level vulnerabilities are exploited to detect affected programs. To increase the confidence in the correctness of our scan results, our tool also attempts to automatically generate proof-of-concept exploits in certain cases. The web application scanner has a flexible architecture that consists of multithreaded crawling, attack, and analysis components. With the help of a graphical user interface, the user can configure single or combined crawling and attack runs.

    2.2 MODULE DESCRIPTION

    The word implementation means changing from the old system to the new system, that is, adopting new features. Each successive version can incorporate the capabilities of the previous version and provide additional processing functions. System implementation specifies the functional and performance tests that must be performed and the standards to be applied to the source code, internal documentation and external documentation such as the design specification, the test plan, the user's manual, the principles of operation, and the installation and maintenance procedures. The desired functional and physical audits of source code, documents, and physical media are specified.

    2.2.1 USER MANAGEMENT

    In this module we manage the users, i.e., only authorized users are allowed to use our tool. A user is authenticated based on user credentials such as user name and password. If they do not provide the correct user name and password, they are not allowed to use our tool. If the user is new to our application, they are provided with a username and password after registration. Privileges such as recovering a forgotten password are also available in this module.

    2.2.2 CLIENT ACCOUNT LEVEL DATA

    In this module we maintain the client's information and client account level data. The admin maintains the client's account level data. The account number and credit card information such as CVV number, bank, and card type are maintained in this module. These details are provided by the users at the time of registration.

    2.2.3 SERVICE LEVEL DATA

    In this module, the privileges for three types of users are maintained. The restrictions for the users are maintained by the admin at this level. Only paid users are allowed to upload files and scan; other users are not allowed to use our application.

    Privilege for users to access the scanner tool:

    i. Silver Customer (free user)

    ii. Gold Customer (independent developers)

    iii. Platinum Customer (corporate customers)

    2.2.4 GATHERING DATA FROM APPLICATION

    When a user submits an application to scan, we have to gather information about that application. That process is carried out in this module. We have to gather sufficient data from the application.

    2.2.5 SCANNING APPLICATION

    In this module the application given by the user is scanned. The user has to upload the executable file; after the upload, our application automatically scans the application. Both the request and the response are scanned in this process.

    2.2.6 TRACKING ATTACK

    In this module, the user's application is tracked to find out how secure the application is. There are 12 types of hacking; the application should not allow those attacks. Those attacks are tracked in this module.

    2.2.7 MAINTAIN LOGS AND REPORTS

    In this module, logs are maintained. If there is any attack on the user's application, it is tracked in the above modules, the results are maintained as a log file, and the log file is given to the user.

    2.3 METHODOLOGY

    2.3.1 BYTECODE ENGINEERING

    Extensions and improvements of the programming language Java and its related execution environment (Java Virtual Machine, JVM) are the subject of a large number of research projects and proposals. There are projects, for instance, to add parameterized types to Java, to implement Aspect-Oriented Programming, to perform sophisticated static analysis, and to improve the run-time performance.

    Since Java classes are compiled into portable binary class files (called byte code), the most convenient and platform-independent way to implement these improvements is not by writing a new compiler or changing the JVM, but by transforming the byte code. These transformations can be performed either after compile-time or at load-time. Many programmers do this by implementing their own specialized byte code manipulation tools, which are, however, restricted in the range of their re-usability.

    To deal with the necessary class file transformations, we introduce an API that helps developers to conveniently implement their transformations.


    The Java language has become very popular and many research projects deal with further improvements of the language or its run-time behavior. The possibility to extend a language with new concepts is surely a desirable feature, but implementation issues should be hidden from the user. Fortunately, the concepts of the Java Virtual Machine permit the user-transparent implementation of such extensions with relatively little effort.

    Because the target language of Java is an interpreted language with a small and easy-to-understand set of instructions (the byte code), developers can implement and test their concepts in a very elegant way. One can write a plug-in replacement for the system's class loader, which is responsible for dynamically loading class files at run-time and passing the byte code to the Virtual Machine. Class loaders may thus be used to intercept the loading process and transform classes before they actually get executed by the JVM [LB98]. While the original class files always remain unaltered, the behavior of the class loader may be reconfigured for every execution or instrumented dynamically.

    The BCEL API (Byte Code Engineering Library), formerly known as JavaClass, is a toolkit for the static analysis and dynamic creation or transformation of Java class files. It enables developers to implement the desired features on a high level of abstraction without handling all the internal details of the Java class file format and thus re-inventing the wheel every time. BCEL is written entirely in Java and freely available under the terms of the GNU Library Public License (LGPL).

    2.3.2 JAVA CLASS FILE FORMAT

    Giving a full overview of the design issues of the Java class file format and the associated byte code instructions is beyond the scope of this report. We will

    Fig 2.3.2 Java Class File Format

    2.3.3 BYTE-CODE INSTRUCTION SET

    The JVM is a stack-oriented interpreter that creates a local stack frame of fixed size for every method invocation. The size of the local stack has to be computed by the compiler. Values may also be stored intermediately in a frame area containing local variables, which can be used like a set of registers. These local variables are numbered from 0 to 65535, i.e. you have a maximum of 65536 local variables. The stack frames of the caller and callee method overlap, i.e. the caller pushes arguments onto the operand stack and the called method receives them in local variables.


    The byte code instruction set currently consists of 212 instructions; 44 opcodes are marked as reserved and may be used for future extensions or intermediate optimizations within the Virtual Machine. The instruction set can be roughly grouped as follows:

    Stack operations: Constants can be pushed onto the stack either by loading them from the constant pool with the ldc instruction or with special short-cut instructions where the operand is encoded into the instruction, e.g. iconst_0 or bipush (push byte value).

    Arithmetic operations: The instruction set of the Java Virtual Machine distinguishes its operand types using different instructions to operate on values of a specific type. Arithmetic operations starting with i, for example, denote an integer operation.

    Control flow: There are branch instructions like goto and if_icmpeq, which compares two integers for equality. There is also a jsr (jump sub-routine) and ret pair of instructions that is used to implement the finally clause of try-catch blocks. Exceptions may be thrown with the athrow instruction. Branch targets are coded as offsets from the current byte code position, i.e. with an integer number.

    Load and store operations: for local variables, like iload and istore. There are also array operations like iastore, which stores an integer value into an array.

    Field access: The value of an instance field may be retrieved with getfield and written with putfield. For static fields, there are getstatic and putstatic counterparts.


    1. A package that contains classes that describe static constraints of class files, i.e., reflect the class file format, and is not intended for byte code modifications. The classes may be used to read and write class files from or to a file. This is useful especially for analyzing Java classes without having the source files at hand. The main data structure is called JavaClass, which contains methods, fields, etc.

    2. A package to dynamically generate or modify JavaClass objects. It may be used e.g. to insert analysis code, to strip unnecessary information from class files, or to implement the code generator back-end of a Java compiler.

    3. Various code examples and utilities like a class file viewer, a tool to convert class files into HTML, and a converter from class files to the Jasmin assembly language [MD97].

    In this report we presented the BCEL API, which is intended to be a general purpose tool for byte code engineering. It helps developers to implement analysis tools or byte code transformations conveniently. It has proved to be useful in several projects and is not restricted to a special kind of application area. We found two issues of the API that may be considered as drawbacks. The generic constant pool is an add-only data structure, i.e. constant pool entries can be added and retrieved but not removed directly. They are referenced via integer indexes and not some kind of virtual handle. We think that the removal of entries from the constant pool is rarely an issue and that implementing the access to it via handles would cause too much overhead. One would rather write a supplementary tool to strip unnecessary entries from classes. The second issue may be not to encapsulate instructions into instruction handles anymore but to put the necessary code directly into the instructions. Yet we feel that this would not give us such a clear and elegant level of abstraction as it does now, and we could not share instruction objects.
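    As an added example (not the report's code, and not BCEL's own sample code), the following Java program uses the classes from the first two BCEL packages above to parse a class, walk each method's byte code with InstructionList, and count instructions in the five groups of section 2.3.3. It also lists every invoke site, because call sites are where a static scanner looks for dangerous sinks. It assumes BCEL 6.x on the classpath and a constructed nested Sample class compiled alongside it; the grouping rules in category() are this example's own mapping of BCEL's instruction classes onto the report's groups.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.bcel.classfile.ClassParser;
import org.apache.bcel.classfile.Code;
import org.apache.bcel.classfile.JavaClass;
import org.apache.bcel.classfile.Method;
import org.apache.bcel.generic.ArithmeticInstruction;
import org.apache.bcel.generic.ArrayInstruction;
import org.apache.bcel.generic.BranchInstruction;
import org.apache.bcel.generic.ConstantPoolGen;
import org.apache.bcel.generic.ConstantPushInstruction;
import org.apache.bcel.generic.FieldInstruction;
import org.apache.bcel.generic.Instruction;
import org.apache.bcel.generic.InstructionHandle;
import org.apache.bcel.generic.InstructionList;
import org.apache.bcel.generic.InvokeInstruction;
import org.apache.bcel.generic.LDC;
import org.apache.bcel.generic.LocalVariableInstruction;
import org.apache.bcel.generic.StackInstruction;

/** Constructed example (not the report's code): summarise each method's byte code with BCEL. */
public final class BytecodeSummary {

    /** Constructed sample class whose byte code is inspected; it uses a field, a branch and a call. */
    static final class Sample {
        private int total;

        int accumulate(int[] values) {
            for (int v : values) {
                if (v > 0) {
                    total += v;
                }
            }
            return Math.abs(total);
        }
    }

    /** Map a BCEL instruction object onto the groups used in section 2.3.3. */
    static String category(Instruction ins) {
        if (ins instanceof ConstantPushInstruction || ins instanceof LDC || ins instanceof StackInstruction) {
            return "stack";
        } else if (ins instanceof ArithmeticInstruction) {
            return "arithmetic";
        } else if (ins instanceof BranchInstruction) {
            return "control flow";
        } else if (ins instanceof LocalVariableInstruction || ins instanceof ArrayInstruction) {
            return "load/store";
        } else if (ins instanceof FieldInstruction) {
            return "field access";
        } else if (ins instanceof InvokeInstruction) {
            return "invoke";
        }
        return "other";
    }

    /** Walks every method of the class, counts instructions per group and prints each call site. */
    public static void summarise(JavaClass jc) {
        ConstantPoolGen cpg = new ConstantPoolGen(jc.getConstantPool());
        for (Method m : jc.getMethods()) {
            Code code = m.getCode();
            if (code == null) {               // abstract or native methods carry no byte code
                continue;
            }
            System.out.printf("%s%s  max_stack=%d max_locals=%d%n",
                    m.getName(), m.getSignature(), code.getMaxStack(), code.getMaxLocals());
            Map<String, Integer> counts = new LinkedHashMap<>();
            InstructionList il = new InstructionList(code.getCode());
            for (InstructionHandle ih : il.getInstructionHandles()) {
                Instruction ins = ih.getInstruction();
                counts.merge(category(ins), 1, Integer::sum);
                if (ins instanceof InvokeInstruction) {
                    // Call sites are what an audit inspects first, so list them with their byte offset.
                    InvokeInstruction inv = (InvokeInstruction) ins;
                    System.out.printf("    %4d: %s %s.%s%n", ih.getPosition(), ins.getName(),
                            inv.getClassName(cpg), inv.getMethodName(cpg));
                }
            }
            System.out.println("    " + counts);
        }
    }

    public static void main(String[] args) throws IOException {
        // Read the compiled Sample class from the classpath; a scanner would read the uploaded file instead.
        String resource = Sample.class.getName().replace('.', '/') + ".class";
        try (InputStream in = BytecodeSummary.class.getClassLoader().getResourceAsStream(resource)) {
            if (in == null) {
                throw new IOException("class resource not found: " + resource);
            }
            summarise(new ClassParser(in, resource).parse());
        }
    }
}
```

    The same loop is the skeleton of a byte code scanner: replacing the printf at the invoke site with a lookup against a list of sink methods (and, for the SQL case, a check of whether the argument was built by string concatenation) turns the summary into a finding.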


    CHAPTER 3

    SYSTEM REQUIREMENT

    3.1 REQUIREMENT SPECIFICATION

    3.1.1 HARDWARE REQUIREMENT

    Processor: Pentium IV at 3 GHz

    RAM: 1 GB

    Disk Space: 160 GB

    3.1.2 SOFTWARE REQUIREMENT

    Client on Internet: Web Browser, Operating System (any)

    Web Server: Apache Tomcat 6.0, Operating System (any)

    Data Base Server: MySQL 6.0, Operating System (any)

    Development End: J2EE, Java, Java Bean, Servlets, HTML, CSS, Javascript, XML, MySQL, OS (Windows), Apache Tomcat

    3.2 TECHNOLOGIES

    J2EE, JSP, SERVLETS: Application Architecture

    MYSQL: Database

    ECLIPSE: Development Tool

    APACHE TOMCAT: Web Server


    3.2.1 SERVLETS

    INTRODUCTION:

    Servlets are the Java platform technology of choice for extending and enhancing Web servers. Servlets provide a component-based, platform-independent method for building Web-based applications, without the performance limitations of CGI programs. And unlike proprietary server extension mechanisms (such as the Netscape Server API or Apache modules), servlets are server- and platform-independent. This leaves you free to select a "best of breed" strategy for your servers, platforms, and tools.

    Servlets have access to the entire family of Java APIs, including the JDBC API to access enterprise databases. Servlets can also access a library of HTTP-specific calls and receive all the benefits of the mature Java language, including portability, performance, reusability, and crash protection.

    Today servlets are a popular choice for building interactive Web applications. Third-party servlet containers are available for Apache Web Server, Microsoft IIS, and others. Servlet containers are usually a component of Web and application servers, such as BEA WebLogic Application Server, IBM WebSphere, Sun Java System Web Server, Sun Java System Application Server, and others.

    Servlets are Java technology's answer to CGI programming. Building Web pages on the fly is useful (and commonly done) for a number of reasons:

    -The Web page is based on data submitted by the user. For example, the results pages from search engines are generated this way, and programs that process orders for e-commerce sites do this as well.

    -The data changes frequently. For example, a weather-report or news headlines page might build the page dynamically, perhaps returning a previously built page if it is still up to date.

    -The Web page uses information from corporate databases or other such sources. For example, you would use this for making a Web page at an on-line store that lists current prices and number of items in stock.

    ADVANTAGES OVER CGI TECHNOLOGIES:

    Java servlets are more efficient, easier to use, more powerful, more portable, and cheaper than traditional CGI and than many alternative CGI-like technologies. (More importantly, servlet developers get paid more than Perl programmers :-).

    -Efficient: With traditional CGI, a new process is started for each HTTP request. If the CGI program does a relatively fast operation, the overhead of starting the process can dominate the execution time. With servlets, the Java Virtual Machine stays up, and each request is handled by a lightweight Java thread, not a heavyweight operating system process. Similarly, in traditional CGI, if there are N simultaneous requests to the same CGI program, then the code for the CGI program is loaded into memory N times. With servlets, however, there are N threads but only a single copy of the servlet class. Servlets also have more alternatives than do regular CGI programs for optimizations such as caching previous computations, keeping database connections open, and the like.

    -Convenient: Besides the convenience of being able to use a familiar language, servlets have an extensive infrastructure for automatically parsing and decoding HTML form data, reading and setting HTTP headers, handling cookies, tracking sessions, and many other such utilities.

    -Powerful: Java servlets let you easily do several things that are difficult or impossible with regular CGI. For one thing, servlets can talk directly to the Web server (regular CGI programs can't). This simplifies operations that need to look up images and other data stored in standard places. Servlets can also share data among each other, making useful things like database connection pools easy to implement. They can also maintain information from request to request, simplifying things like session tracking and caching of previous computations.

    -Portable: Servlets are written in Java and follow a well-standardized API. Consequently, servlets written for, say, I-Planet Enterprise Server can run virtually unchanged on Apache, Microsoft IIS, or WebStar. Servlets are supported directly or via a plug-in on almost every major Web server.

    -Inexpensive: There are a number of free or very inexpensive Web servers available that are good for "personal" use or low-volume Web sites. However, with the major exception of Apache, which is free, most commercial-quality Web servers are relatively expensive. Nevertheless, once you have a Web server, no matter the cost of that server, adding servlet support to it (if it doesn't come preconfigured to support servlets) is generally free or cheap.
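    To make the servlet API concrete, here is an added example of a minimal servlet (not taken from the report) that reads a form parameter and renders it into HTML with the output escaped, which is exactly the property the report's scanner checks for when it probes for cross-site scripting. It assumes a Servlet 2.5 container such as the Apache Tomcat 6.0 listed in section 3.1.2 and a web.xml mapping of the servlet to a URL (not shown); the escapeHtml helper is this example's own, not part of the servlet API.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Constructed example servlet (not the report's code): builds a page from a query parameter safely. */
public class GreetingServlet extends HttpServlet {

    /** Escape the five characters that let user input break out of an HTML text or attribute context. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Builds the response body; kept apart from doGet so it can be unit-tested without a container. */
    static String render(String name) {
        String safe = escapeHtml(name);
        return "<!DOCTYPE html><html><head><meta charset=\"utf-8\"><title>Greeting</title></head>"
             + "<body><h1>Hello, " + safe + "</h1>"
             + "<form method=\"get\"><input name=\"name\" value=\"" + safe + "\"></form>"
             + "</body></html>";
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already parsed the query string and URL-decoded the value for us.
        String name = req.getParameter("name");
        if (name == null || name.isEmpty()) {
            name = "guest";
        }
        // An explicit charset keeps the browser from guessing the encoding of the page.
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.print(render(name));
    }
}
```

    Because the same escaped value is written into both an element body and a quoted attribute, the escape covers the quote characters as well as the angle brackets; a scanner that reflects a marker through the name parameter should see it come back encoded in both places.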

    3.2.2 JAVA SERVER PAGES

    Java Server Pages (JSP) technology enables Web developers and designers to rapidly develop and easily maintain information-rich, dynamic Web pages that leverage existing business systems. As part of the Java technology family, JSP technology enables rapid development of Web-based applications that are platform independent. JSP technology separates the user interface from content generation, enabling designers to change the overall page layout without altering the underlying dynamic content.

    ADVANTAGES OF JSP:

    -vs. Active Server Pages (ASP): ASP is a similar technology from Microsoft. The advantages of JSP are twofold. First, the dynamic part is written in Java, not Visual Basic or another MS-specific language, so it is more powerful and easier to use. Second, it is portable to other operating systems and non-Microsoft Web servers.

    -vs. Pure Servlets: JSP doesn't give you anything that you couldn't in principle do with a servlet. But it is more convenient to write (and to modify!) regular HTML than to have a zillion println statements that generate the HTML. Plus, by separating the look from the content you can put different people on different tasks: your Web page design experts can build the HTML, leaving places for your servlet programmers to insert the dynamic content.

    -vs. Server-Side Includes (SSI): SSI is a widely-supported technology for including externally-defined pieces into a static Web page. JSP is better because it lets you use servlets instead of a separate program to generate that dynamic part. Besides, SSI is really only intended for simple inclusions, not for "real" programs that use form data, make database connections, and the like.

    -vs. JavaScript: JavaScript can generate HTML dynamically on the client. This is a useful capability, but only handles situations where the dynamic information is based on the client's environment. With the exception of cookies, HTTP and form submission data is not available to JavaScript. And, since it runs on the client, JavaScript can't access server-side resources like databases, catalogs, pricing information, and the like.

    -vs. Static HTML: Regular HTML, of course, cannot contain dynamic information. JSP is so easy and convenient that it is quite feasible to augment HTML pages that only benefit marginally from the insertion of small amounts of dynamic data. Previously, the cost of using dynamic data would preclude its use in all but the most valuable instances.

    3.2.3 JAVASCRIPT

    JavaScript is a cross-platform, object-oriented scripting language. JavaScript is a small, lightweight language; it is not useful as a standalone language, but is designed for easy embedding in other products and applications, such as web browsers. Inside a host environment, JavaScript can be connected to the objects of its environment to provide programmatic control over them.

    CHAPTER 4

    SYSTEM DESIGN

    Object-Oriented Design (OOD) converts the analysis model into a design model that serves as a blueprint for software construction. The objects in an object-oriented design are related to the solution of the problem being solved. There may be close relationships between some problem objects and some solution objects, but the designer inevitably has to add new objects to implement the solution.

    OOD can yield the following benefits:

    - Maintainability through simplified mapping to the problem domain, which provides for less analysis effort, less complexity in system design, and easier verification by the user.

    - Reusability of the design artifacts, which saves time and costs; and productivity gains through direct mapping to features of object-oriented programming languages.

    4.1 ARCHITECTURAL DESIGN

    Architectural design is the high-level design in which the whole system is divided into different subsystems and the dependency relationships and communication between them are identified. A good architectural design shows the dependencies and the primary communication mechanisms between the various packages.

    4.1.1 ARCHITECTURAL STYLES

    A builder uses an architectural style as a descriptive mechanism to differentiate a house from other styles (e.g., A-frame, raised ranch, Cape Cod). But more important, the architectural style is also a pattern for construction. Each style describes a system category that encompasses:

    (1) A set of components (e.g., a database, computational modules) that perform a function required by the system.

    (2) A set of connectors that enable communication, coordination and cooperation among components.

    (3) Constraints that define how components can be integrated to form the system.

    (4) Semantic models that enable a designer to understand the overall properties of a system by analyzing the known properties of its constituent parts.

    Data-centered architectures

    A data store (e.g., a file or database) resides at the center of this architecture and is accessed frequently by other components that update, add, delete, or otherwise modify data within the store.

    Data-flow architectures

    This architecture is applied when input data are to be transformed through a series of computational or manipulative components into output data. A pipe-and-filter pattern has a set of components, called filters, connected by pipes that transmit data from one component to the next.

    Layered architectures

    A number of different layers are defined, each accomplishing operations that progressively become closer to the machine instruction set. At the outer layer, components service user interface operations.

    Object-oriented architectures

    The components of a system encapsulate data and the operations that must be applied to manipulate the data. Communication and coordination between components is accomplished via message passing.

    Fig 4.1 Architectural diagram of WEB APPLICATION SCANNER

    The architectural elements in Figure 4.1 help to identify the application domain of Web App Scanner. It is designed using structural and behavioral models, which include use-case and activity diagrams. Thus the project is designed with an overview of the patterns using UML diagrams.

    4.2 DATA-FLOW MODEL

    The data flow diagram enables the software engineer to develop models of the information domain and the functional domain at the same time. It takes an input-process-output view of a system.

    4.2.1 LEVEL 0 DFD

    Fig 4.2.3 Level 2 DFD

    4.3 INTERFACE DESIGN

    The interface design elements for software tell how information flows into and out of the system and how it is communicated among the components defined as part of the architecture. There are three important elements of interface design:

    - The User Interface (UI)
    - The External interface to other systems, devices, networks, or other producers and consumers of information.
    - The Internal interfaces between the various design components.

    These interface design elements allow the software to communicate externally and also enable internal communication between the components. Web App Scanner is developed with the support of User Interface designs which facilitate the working of the project. This section also describes the various internal interfaces developed to integrate the modules. The User Interface is a distinct subsystem within the overall Web App Scanner architecture. Design realization of the analysis classes represents all operations and messaging schemes and provides communication and collaboration between operations in the various classes and modules.

    CHAPTER 5

    ATTACKS

    5.1 SQL INJECTION

    SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps one of the most common application-layer attack techniques used today. It is a type of attack that takes advantage of improper coding in your web applications, which allows a hacker to inject SQL commands into, say, a login form and so gain access to the data held within your database.

    In essence, SQL Injection arises because the fields available for user input allow SQL statements to pass through and query the database directly.

    SQL INJECTION POSSIBILITIES

    Using SQL injections, attackers can:

    - Add new data to the database, by performing an INSERT in the injected SQL. It could be embarrassing to find yourself selling politically incorrect items on an eCommerce site.

    - Modify data currently in the database, by performing an UPDATE in the injected SQL. It could be very costly to have an expensive item suddenly be deeply discounted.

    - Often gain access to other users' system capabilities by obtaining their passwords.

    Technologies affected by SQL Injections:

    - JSP, ASP, XML, XSL, JavaScript, VB
    - MFC and other ODBC-based tools and APIs
    - 3- and 4GL-based languages such as C, OCI, Pro*C, and COBOL
    - Perl and CGI scripts that access Oracle databases
    - many more

    Types of SQL Injections

    - Blind SQL injections
    - SQL injections
    - Advanced SQL injections

    Techniques in SQL Injections

    - Authorization bypass
    - Using the SELECT command
    - Using the INSERT command
    - Using SQL Server stored procedures

    How to use SQL injection

    Here is a sample basic HTML form with two inputs, login and password.

    The easiest way for login.asp to work is by building a database query that looks like this:

        SELECT id FROM logins WHERE username = '$username' AND password = '$password'

    If the variables $username and $password are taken directly from the user's input, this can easily be compromised. Suppose that we gave "Joe" as a username and that the following string was provided as a password: anything' OR 'x'='x

    The query that reaches the database is then:

        SELECT id FROM logins WHERE username = 'Joe' AND password = 'anything' OR 'x'='x'

    As the inputs of the web application are not properly sanitised, the use of the single quotes has turned the WHERE clause into a two-component clause. The 'x'='x' part is guaranteed to be true regardless of what the first part contains. This will allow the attacker to bypass the login form without actually knowing a valid username / password combination!

    Depending on the actual SQL query, you may have to try some of these possibilities:

        ' or 1=1
        or 1=1
        ' or 'a'='a
        " or "a"="a
        ') or ('a'='a

    How to avoid SQL Injections

    Filter out characters like single quote, double quote, slash, backslash and semicolon, and extended characters like NULL, carriage return, new line, etc., in all strings from:

    - Input from users
    - Parameters from URL
    - Values from cookies

    For numeric values, convert to an integer before placing them into the SQL statement, or use ISNUMERIC to make sure the value is an integer. Change "Startup and run SQL Server" to use a low-privilege user in the SQL Server Security tab. Delete stored procedures that you are not using, such as master..Xp_cmdshell, xp_startmail, xp_sendmail and sp_makewebtask.
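    The bypass above and the avoidance advice can be shown end to end in a few lines. The following is an added example, not code from the report: it uses Python's built-in sqlite3 so that it runs stand-alone, builds a constructed "logins" table with two sample rows, and contrasts the string-built query of login.asp with a parameterized query (the same idea as JDBC's PreparedStatement, which the servlets in the appendix use). The function names, the table contents and the sample credentials are assumptions for the illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database with a constructed 'logins' table,
    matching the table the report's login.asp example queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO logins (id, username, password) VALUES (?, ?, ?)",
        [(1, "Joe", "s3cret"), (2, "Ann", "hunter2")],  # constructed sample rows
    )
    conn.commit()
    return conn


def build_query_unsafe(username, password):
    """The string-built query from the report: user input becomes SQL text."""
    return (
        "SELECT id FROM logins WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_unsafe(conn, username, password):
    """Vulnerable login: returns the first matching id, or None.
    AND binds tighter than OR, so the injected  OR 'x'='x  makes the
    whole WHERE clause true for every row."""
    row = conn.execute(build_query_unsafe(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized login: the driver binds the values, so quotes in the
    input can never change the structure of the WHERE clause."""
    row = conn.execute(
        "SELECT id FROM logins WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def to_int_or_none(value):
    """The report's advice for numeric fields: convert before use in SQL.
    Anything that is not a plain integer is rejected rather than filtered."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


if __name__ == "__main__":
    db = make_db()
    payload = "anything' OR 'x'='x"
    print(build_query_unsafe("Joe", payload))
    print("unsafe:", login_unsafe(db, "Joe", payload))  # bypassed: returns an id
    print("safe:  ", login_safe(db, "Joe", payload))    # rejected: None
```

    Parameter binding is the control a practitioner would reach for first; the character-filtering list in the text is a weaker second line because it has to anticipate every encoding a database might accept, whereas a bound parameter is never parsed as SQL at all.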

    5.2 CROSS SITE SCRIPTING

    Have you ever mistyped the address of a web site and received a message like "Error - page name could not be found" or "The page you requested: page name does not exist"? Certainly you have, and odds are you never gave it a second thought; you simply corrected the address or went to a different site altogether. It happens all the time. There are plenty of dead links, or links with typos, to stumble upon. However, when you encounter an error message like the two listed above, you are actually witnessing a potential security breach, not necessarily against the site, but rather against you directly.

    Suppose you entered the following valid URL:

        http://www.example.com/FILENAME.html

    If the document "FILENAME.html" did not exist, the web site could return an error message such as

        404 page does not exist: FILENAME.html
        ....

    Notice that "FILENAME.html" is a string that you entered. The web site has included it in the page returned straight through to your browser.

    This may seem harmless, but now imagine that you are browsing through auctions on a popular site; let's call it auctions.example.com. You come across several auctions that someone has posted and would like to see more items that the same person has for sale; let's assume this person is a bad guy (though you don't know it) and call him BG12345. You click on BG12345's website and see a listing of his auctions. You click on a link on his page that interests you and are taken to auction.example.com's site displaying that item. You scroll down to place a bid, and the auction site prompts you for your name and password to sign in. You enter all the information and hit the submit button. Everything looks fine, but in reality, the information that you submit is getting sent back to BG12345. How can this be? The answer is that auction.example.com has what is known as a cross-site scripting (CSS) vulnerability.

    A CSS vulnerability is caused by the failure of a site to validate user input before returning it to the client's web browser. The essence of cross-site scripting is that an intruder causes a legitimate web server to send a page to a victim's browser that contains malicious script or HTML of the intruder's choosing. The malicious script runs with the privileges of a legitimate script originating from the legitimate web server. The two error messages mentioned earlier could be examples of such a situation. If instead of entering a page name, you entered an HTML or script tag, the server would have returned that command to your browser as well. Your browser would assume the HTML or script tag was from auction.example.com. It would run the script with the privileges that are set up for that site, and when you looked at the website, everything would appear to be normal.

    BG12345 used the same method to deceive you. When you clicked on the link to BG12345's auction, the link was actually to an invalid page. The link may have looked something like the example below; it used HTML and scripting to mimic the auction site's page exactly. However, when you clicked submit, it used a form that passed your information back to BG12345. Now BG12345 can access your account, place bids, and change your information. BG12345 can also change your password and lock you out of your own account. Even worse, BG12345 can see the credit card number that you registered with.

    So what did BG12345 do? BG12345's web site offered a link to auction.example.com that looked something like this:

    Fig 5.2 Cross-Site Scripting Attack

    So what can be done?

    - The best protection is to disable scripting when it isn't required. However, even this does not prevent the injection of malicious HTML. You should also protect yourself by accessing security-sensitive pages directly instead of following links from unknown sources or untrusted sites. For example, don't trust a link to your banking site that is in an email message. If you need to access your banking site, go there directly. And, as always, exercise caution when supplying personal information.

    - Webmasters can also help. They can ensure that none of their pages return user input that has not been validated. They can also encourage users to disable scripting.

    - Another solution is to have signed scripting such that any script with an invalid or untrusted signature would not be run automatically. Suggestions of this nature, however, would require changes to the current Internet standards and specifications. Such changes would have to be submitted for consideration to the World Wide Web Consortium (www.w3c.org) or the Internet Engineering Task Force (www.ietf.org).

    - If you notice an instance of cross-site scripting, notify the webmaster of that site, and cc the CERT Coordination Center.

    Unfortunately, security is often sacrificed in favor of functionality. But, if you browse the Internet with scripting enabled, there is very little you can do to protect your personal information. Cross-site scripting is easy to overlook, and simple to correct. However, it can cause significant damage: your passwords and credit card numbers can be unknowingly divulged to untrusted sources.
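    The 404 page that echoes FILENAME.html, and the webmaster's remedy of never returning unvalidated input, can be made concrete. The following is an added example and not code from the report: a minimal renderer for that error page in its reflecting form and in a form that HTML-encodes the name, plus the kind of check a scanner such as Web App Scanner would apply to tell the two responses apart. The template, the function names and the probe string are assumptions for the illustration.

```python
import html

# Constructed template of the report's error page; the requested name is
# placed into the HTML body exactly where the report shows it.
NOT_FOUND_TEMPLATE = "<html><body><h1>404 page does not exist: {name}</h1></body></html>"


def render_not_found_unsafe(requested_name):
    """Reflecting version: whatever the user typed is returned as markup."""
    return NOT_FOUND_TEMPLATE.format(name=requested_name)


def render_not_found_safe(requested_name):
    """Encoded version: <, >, &, and quotes become entities, so the browser
    displays the text instead of interpreting it as a tag."""
    return NOT_FOUND_TEMPLATE.format(name=html.escape(requested_name, quote=True))


def classify_response(page_body, probe):
    """Scanner-style check on one response body.

    Returns 'reflected-unencoded' if the probe came back byte for byte (the
    page returns input without encoding it), 'reflected-encoded' if only its
    entity-encoded form is present, and 'not-reflected' otherwise."""
    if probe in page_body:
        return "reflected-unencoded"
    if html.escape(probe, quote=True) in page_body:
        return "reflected-encoded"
    return "not-reflected"


if __name__ == "__main__":
    probe = "<xss-probe>"  # harmless marker tag used only to observe reflection
    for label, render in (("unsafe", render_not_found_unsafe),
                          ("safe", render_not_found_safe)):
        print(label, classify_response(render(probe), probe))
```

    html.escape covers the HTML body context shown in the report; a value placed inside an attribute, a URL or a script block needs the encoding appropriate to that context, so encode at the point of output rather than once on input.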

    CHAPTER 6

    TESTING

    Testing is used to uncover as many errors as possible before delivering the software to the customer. Software testing is a critical element of software quality assurance and represents the ultimate review of specification, design and code generation. Testing presents an interesting anomaly for software engineers. Testing is the most important part of the software development process. For a product to acquire a level of reliability, it has to maintain the highest quality standard during all phases of software development.

    Software testing techniques provide an analysis of the entire system that validates the internal logic of the software components and exercises the input and output control of the programs, to reduce errors in system development and so improve their performance.

    6.1 VALIDATION TESTING

    At the culmination of integration testing, the software is completely assembled as a package, interfacing errors have been uncovered and corrected, and a final series of software tests, validation testing, begins. Validation testing can be defined in many ways, but a simple definition is that validation succeeds when the software functions in a manner that can be reasonably expected by the user/customer. Software validation conforms to the following requirements:

    1) The functions or performance characteristics conform to specification and are accepted.

    2) A deviation from specification is uncovered and a deficiency list is created.

    Any error discovered at this step in this project is corrected prior to completion of the project, with the help of the user, by negotiating to establish a method for resolving deficiencies. Thus, the proposed system under consideration has been tested using validation testing and found to be working satisfactorily.

    6.2 OUTPUT TESTING

    6.2.1 DEVIATION

    After performing validation testing, the next step is output testing of the proposed system, since no system can be useful if it does not produce the required output in the specified format. The outputs generated or displayed by the system under consideration are tested by asking the users about the format they require. Here, the output format is considered in two ways: one is on screen and the other is printed format.

    The output format on the screen is found to be correct, as the format was designed in the system design phase according to the users' needs. For the hard copy also, the output comes out as specified by the user. Hence, output testing did not result in any correction to the system.

    6.3 SYSTEM TESTING

    The newly designed system is tested with sample data and the final outputs are verified against the actual manual reports. If these reports are satisfactory, then the system is put into on-line data entry for the information system.

    Thus, system testing is meant to find discrepancies between the developed system and its original objective, current specification and system documentation. It also verifies the compatibility of the system with the operational environment.

    6.4 ACCEPTANCE TESTING

    User acceptance of the system is the key factor for the success of any system. The system under consideration was tested for user acceptance by constantly keeping in touch with the prospective system users at the time of development and making changes wherever required. This is done with regard to the following points:

    - Input Screen Design
    - Output Screen Design
    - On-line Messages to Guide the User
    - Menu-driven System
    - Format of ad-hoc Reports and other Outputs

    CHAPTER 7

    SCREENSHOTS

    HOME PAGE

    LOGIN PAGE

    WRONG LOGIN

    FORGOT PASSWORD

    USER LOGIN PAGE

    UPLOADING WAR FILE

    SUCCESSFUL UPLOAD

    SAMPLE DEMO APPLICATION

    SCANNED REPORT OF UNATTACKED APPLICATION

    SCANNED REPORT OF SQL INJECTION ATTACKED PAGE

    CHAPTER 8

    CONCLUSION

    Web Application Scanner is an automated tool which helps us to detect hacking attacks. This report describes the most common hacker attacks and provides basic rules that can help to create more hack-resistant Web applications. The tool is able to detect vulnerabilities in applications that are more complex. We did not rely on any database of known bugs, so this tool is capable of detecting any kind of attack. Finally, we conclude that Web Application Scanner will be helpful in protecting our applications from hackers.

    8.1 FUTURE ENHANCEMENT

    Future enhancements are inevitable for any kind of software project. Some of the enhancement features that can be applicable to our project are listed as follows.

    1. In future we will design a tool which will be capable of detecting all the attacks.
    2. We will provide an open source tool.
    3. We will give solutions to the attacks.
    4. We will detect and prevent all the attacks.
    5. Scanned reports will be sent as mail to the customer.

    APPENDIX

    SAMPLE CODINGS

    NEW USER DETAILS

    /*
     * To change this template, choose Tools | Templates
     * and open the template in the editor.
     */
    package com.webscanner.javaobj;

    /**
     * Holds the registration details of a new user as collected by the
     * new-user form.
     *
     * @author Maran
     */
    public class NewUserRDetails {

        private String _username;
        private String _firstname;
        private String _lastname;
        private String _password;       // held in clear text here; persist only a salted hash
        private String _mailid;
        private String _date;
        private String _mobilenumber;
        private String _address1;
        private String _address2;
        private String _sequrityquestion;
        private String _answer;
        private String _usertype;
        private String _holder;
        private String _cardtype;
        private String _valid;
        private String _cvv;            // card security code; must not be stored after authorisation
        private String _mailid1;
        private String _issue;

        // The constructor in the report assigned _mobilenumber, _address1,
        // _address2, _sequrityquestion, _answer and _usertype but declared
        // neither the fields nor the parameters; they are added here so the
        // class compiles. The position of the added parameters is an assumption.
        public NewUserRDetails(String _username, String _firstname, String _lastname,
                String _password, String _mailid, String _date, String _mobilenumber,
                String _address1, String _address2, String _sequrityquestion,
                String _answer, String _usertype, String _holder, String _cardtype,
                String _valid, String _cvv, String _mailid1, String _issue) {
            this._username = _username;
            this._firstname = _firstname;
            this._lastname = _lastname;
            this._password = _password;
            this._mailid = _mailid;
            this._date = _date;
            this._mobilenumber = _mobilenumber;
            this._address1 = _address1;
            this._address2 = _address2;
            this._sequrityquestion = _sequrityquestion;
            this._answer = _answer;
            this._usertype = _usertype;
            this._holder = _holder;
            this._cardtype = _cardtype;
            this._valid = _valid;
            this._cvv = _cvv;
            this._mailid1 = _mailid1;
            this._issue = _issue;
        }

        public String getAddress1() {
            return _address1;
        }

        public void setAddress1(String _address1) {
            this._address1 = _address1;
        }

        public void setAddress2(String _address2) {
            this._address2 = _address2;
        }

        public String getAnswer() {
            return _answer;
        }

        public void setAnswer(String _answer) {
            this._answer = _answer;
        }

        public String getDate() {
            return _date;
        }

        public void setDate(String _date) {
            this._date = _date;
        }

        public String getFirstname() {
            return _firstname;
        }

        public void setFirstname(String _firstname) {
            this._firstname = _firstname;
        }

        public String getLastname() {
            return _lastname;
        }

        public void setLastname(String _lastname) {
            this._lastname = _lastname;
        }

        public void setMailid(String _mailid) {
            this._mailid = _mailid;
        }

        public String getMobilenumber() {
            return _mobilenumber;
        }

        public void setMobilenumber(String _mobilenumber) {
            this._mobilenumber = _mobilenumber;
        }

        public void setPassword(String _password) {
            this._password = _password;
        }

        public String getSequrityquestion() {
            return _sequrityquestion;
        }

        public void setSequrityquestion(String _sequrityquestion) {
            this._sequrityquestion = _sequrityquestion;
        }

        public String getUsername() {
            return _username;
        }

        public void setUsername(String _username) {
            this._username = _username;
        }

        public String getUsertype() {
            return _usertype;
        }

        public void setHolder(String _holder) {
            this._holder = _holder;
        }

        public String getHolder() {
            return _holder;
        }

        public void setCardtype(String _cardtype) {
            this._cardtype = _cardtype;
        }

        public String getCardtype() {
            return _cardtype;
        }

        public void setIssue(String _issue) {
            this._issue = _issue;
        }

        public void setValid(String _valid) {
            // The report also printed the value to the console here; card data
            // should not be written to logs, so that print is dropped.
            this._valid = _valid;
        }

        public void setMailid1(String _mailid1) {
            this._mailid1 = _mailid1;
        }

        public String getMailid1() {
            return _mailid1;
        }
    }

    LOGINPAGE

    /*
     * To change this template, choose Tools | Templates
     * and open the template in the editor.
     */
    package com.webscanner.action;

    import com.webscanner.dao.WebScannerDAO;
    import java.io.IOException;
    import javax.servlet.RequestDispatcher;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    /**
     * Login servlet: checks the submitted credentials through WebScannerDAO
     * and forwards gold users to their page, everyone else to the failure page.
     *
     * @author fostra
     */
    public class loginpage extends HttpServlet {

        /**
         * Processes requests for both HTTP GET and POST methods.
         * @param request servlet request
         * @param response servlet response
         * @throws ServletException if a servlet-specific error occurs
         * @throws IOException if an I/O error occurs
         */
        protected void processRequest(HttpServletRequest request,
                HttpServletResponse response) throws ServletException, IOException {
            String username = request.getParameter("username");
            String password = request.getParameter("password");

            // "Login".equals(...) rather than getParameter(...).equals("Login"):
            // a request without the button parameter must not throw a
            // NullPointerException. The brace structure in the report was
            // broken; the intended flow is restored below.
            if ("Login".equals(request.getParameter("buttonval"))) {
                String userType = new WebScannerDAO().checkLogin(username, password);
                if (userType != null && userType.equalsIgnoreCase("gold")) {
                    System.out.println("Login Successful");
                    RequestDispatcher rs1 = request.getRequestDispatcher("/frmgolduser.jsp");
                    rs1.forward(request, response);
                } else {
                    System.out.println("Login Failure");
                    RequestDispatcher rs2 = request.getRequestDispatcher("/failure.jsp");
                    rs2.forward(request, response);
                }
            }
        }

        @Override
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            processRequest(request, response);
        }

        @Override
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            processRequest(request, response);
        }
    }

    FORGOT PASSWORD

    /*
     * To change this template, choose Tools | Templates
     * and open the template in the editor.
     */
    package com.webscanner.action;

    import java.io.IOException;
    import java.io.PrintWriter;
    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    /**
     * Looks up a user's password from the stored registration details when the
     * supplied username, date of birth, mail id, security question and answer
     * all match.
     *
     * @author Maran
     */
    public class ForgetPasswordAction extends HttpServlet {

        // The report does not show how the connection was obtained or the text of
        // the query (only the setString calls for parameters 2 to 5 survive). The
        // JDBC URL, credentials and the table and column names below are
        // placeholders assumed for illustration; parameter 1 is taken to be the
        // username because it is the only collected value the report does not bind.
        private static final String DB_URL = "jdbc:PLACEHOLDER_URL";
        private static final String DB_USER = "PLACEHOLDER_USER";
        private static final String DB_PASSWORD = "PLACEHOLDER_PASSWORD";
        private static final String LOOKUP_SQL =
                "SELECT password FROM newuserdetails WHERE username = ? AND date = ? "
                + "AND mailid = ? AND question = ? AND answer = ?";

        /**
         * Processes requests for both HTTP GET and POST methods.
         * @param request servlet request
         * @param response servlet response
         * @throws ServletException if a servlet-specific error occurs
         * @throws IOException if an I/O error occurs
         */
        protected void processRequest(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            response.setContentType("text/html;charset=UTF-8");
            PrintWriter out = response.getWriter();
            try {
                String _username = request.getParameter("username");
                String _date = request.getParameter("date");
                String _month = request.getParameter("month");
                String _year = request.getParameter("year");
                String _mailid = request.getParameter("mailid");
                String _question = request.getParameter("question");
                String _answer = request.getParameter("answer");
                String password = "";

                Connection conn = DriverManager.getConnection(DB_URL, DB_USER, DB_PASSWORD);
                try {
                    // Every user-supplied value is bound as a parameter, so none of
                    // them can alter the structure of the statement.
                    PreparedStatement ps = conn.prepareStatement(LOOKUP_SQL);
                    ps.setString(1, _username);
                    ps.setString(2, _date + "/" + _month + "/" + _year);
                    ps.setString(3, _mailid);
                    ps.setString(4, _question);
                    ps.setString(5, _answer);
                    ResultSet rs = ps.executeQuery();
                    if (rs.next()) {
                        password = rs.getString(1);
                        // The report printed the recovered password to the server
                        // console at this point; credentials must not be written to
                        // logs, so that print is dropped. What the page then does
                        // with the value is not shown in the report.
                    }
                    rs.close();
                    ps.close();
                } finally {
                    conn.close();
                }
            } catch (SQLException e) {
                throw new ServletException("Password lookup failed", e);
            } finally {
                out.close();
            }
        }

        /**
         * Handles the HTTP GET method.
         * @param request servlet request
         * @param response servlet response
         * @throws ServletException if a servlet-specific error occurs
         * @throws IOException if an I/O error occurs
         */
        @Override
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            processRequest(request, response);
        }

        /**
         * Handles the HTTP POST method.
         * @param request servlet request
         * @param response servlet response
         * @throws ServletException if a servlet-specific error occurs
         * @throws IOException if an I/O error occurs
         */
        @Override
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            processRequest(request, response);
        }

        /**
         * Returns a short description of the servlet.
         * @return a String containing servlet description
         */
        @Override
        public String getServletInfo() {
            return "Short description";
        }
    }

  • 8/9/2019 Web Application Scanner

    69/73

    GOLD_USER PAGE

    /*

    * To change this template, choose Tools | Templates

    * and open the template in the editor.*/

    package com.webscanner.action;

    import java.io.IOException;

    import java.io.PrintWriter;

    import javax.servlet.ServletException;

    import javax.servlet.http.HttpServlet;

    import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;

    import java.io.*;

    import java.sql.*;

    import javax.servlet.*;

    import java.io.File.*;

    /**

    *

    * @author fostra

    */

    public class Gold_User_Page extends HttpServlet {

    /**

    * Processes requests for both HTTP GET andPOST methods.

    * @param request servlet request

    * @param response servlet response* @throws ServletException if a servlet-specific error occurs

    * @throws IOException if an I/O error occurs

    */

    protected void processRequest(HttpServletRequest request,HttpServletResponse response)

    throws ServletException, IOException {

  • 8/9/2019 Web Application Scanner

    70/73

    response.setContentType("text/html;charset=UTF-8");

    PrintWriter out = response.getWriter();

    finally {

    out.close();

    }}

        //
        /**
         * Handles the HTTP GET method.
         * @param request servlet request
         * @param response servlet response
         * @throws ServletException if a servlet-specific error occurs
         * @throws IOException if an I/O error occurs
         */
        @Override
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            processRequest(request, response);
        }

        /**
         * Handles the HTTP POST method.
         * @param request servlet request
         * @param response servlet response
         * @throws ServletException if a servlet-specific error occurs
         * @throws IOException if an I/O error occurs
         */
        @Override
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            processRequest(request, response);
        }


        /**
         * Returns a short description of the servlet.
         * @return a String containing servlet description
         */
        @Override
        public String getServletInfo() {
            return "Short description";
        }//
    }


