
Security in Web Application


Mrs. P. Shopa (1), Mrs. N. Sumitha (2) and Dr. P.S.K Patra (3)

(1) Department of Computer Science and Engineering, Agni College of Technology, Anna University, Chennai – 603 103, Tamil Nadu, India. shopa1990@gmail.com

(2) Assistant Professor, Department of Computer Science and Engineering, Agni College of Technology, Anna University, Chennai – 603 103, Tamil Nadu, India. sumitha.cse@act.edu.in

(3) Head of the Department, Department of Computer Science and Engineering, Agni College of Technology, Anna University, Chennai – 603 103, Tamil Nadu, India. csehod@act.edu.in

Abstract

Internet services and applications have become a part of daily life, enabling communication from anywhere. To accommodate this increase in applications and data complexity, web services have moved to a multi-tiered design in which the web server runs the application as the front-end logic and the data are outsourced to a database. In the existing design, a request from the user goes directly to the main server, which is connected to the database, so the request can be hijacked, and attacks play a key role in this situation. To overcome this drawback, Double Guard is proposed for the user session across both the front-end logic and the back-end database. By monitoring both the web request and the subsequent database request, it becomes possible to detect attacks that an intrusion detection system would not be able to identify. Double Guard is achieved by using a technique named lightweight virtualization, in which a container is maintained for detecting attacks. Here the web container acts as an intermediate server between the user and the main server. Furthermore, the technique has been enhanced not only to detect attacks but also for security purposes.

Keywords: Web Services, Web Server, Hacking, Intrusion Detection, Database, Double Guard.

1. Introduction

1.1 Overview Of Web Application

A web application is any application that uses a web browser as a client. The application can be as simple as a message board or a guest sign-in book on a website, or as complex as a word processor or a spreadsheet. In this application, the term client is used in the client-server environment to refer to the program the person uses to run the application. A client-server environment is one in which multiple computers share information, such as entering information into a database. The 'client' is the application used to enter the information, and the server is the application used to store the information. The web application divides its processing into layers. This describes how the client and server initiate the request, pass the information content to the database, access the database servers by updating and retrieving the request within the database, and finally present the information to the user through the browser. Figure 1 below shows the layer procedure.

Fig 1. Layer Procedure

The first layer is normally a web browser or the user interface; the second layer is the dynamic content generation technology tool such as Java servlets (JSP) or Active Server Pages (ASP), and the third layer is the database containing content (e.g., news) and customer data (e.g., usernames and passwords, social security numbers and credit card details). The initial request is triggered by the user through the browser over the Internet to the web application server. The web application accesses the database servers to perform the requested task, updating and retrieving the information lying within the database. The web application then presents the information to the user through the browser.

1.2 Benefits Of Web Applications

Web applications, therefore, are a gateway to databases, especially custom applications which are not developed with security best practices and which do not undergo regular security audits. A web application relieves the developer of the responsibility of building a client for a specific type of computer or a specific operating system. Since the client runs in a web browser, the user could be using an IBM-compatible PC or a Mac. They can be running Windows XP or Windows Vista. They can even be using Internet Explorer or Firefox, though some applications require a specific web browser. Web applications commonly use a combination of server-side script (ASP, PHP, etc.) and client-side script (HTML, JavaScript, etc.) to develop the application. The client-side script deals with the presentation of the information, while the server-side script deals with all the hard work such as storing and retrieving the information.

1.3 Client – Server Applications

The client-server model distinguishes between applications as well as devices. Network clients make requests to a server by sending messages, and servers respond to their clients by acting on each request and returning results. One server generally supports numerous clients, and multiple servers can be networked together in a pool to handle the increased processing load as the number of clients grows. A client computer and a server computer are usually two separate devices, each customized for its designed purpose. For example, a web client works best with a large screen display, while a web server does not need any display at all and can be located anywhere in the world. However, in some cases a given device can function both as a client and a server for the same application. Likewise, a device that is a server for one application can simultaneously act as a client to other servers, for different applications. In this paper, the request from the client or user session is initiated to the web container (intermediate server), which creates a normality model of the isolated user session that includes both web front-end and back-end network transactions. A virtualization technique is employed to assign each user's session to a dedicated container, an isolated computing environment. The request is then forwarded to the main server, and subsequent requests are verified against privileged conditions by applying the request forwarding mechanism. Finally, the corresponding requests are turned into corresponding responses for accessing the web applications.

1.3.1 Client – Server Architecture

In client-server architecture, the term client-server refers to a popular model for computer networking that utilizes client and server devices, each designed for specific purposes. The client-server model can be used on the Internet as well as on local area networks (LANs). Examples of client-server systems on the Internet include web browsers and web servers, FTP clients and servers, and DNS.

1.3.1.1 Client and Server Devices

Client/server networking grew in popularity many years ago as personal computers (PCs) became the common alternative to older mainframe computers. Client devices are typically PCs with network software applications installed that request and receive information over the network. Mobile devices as well as desktop computers can both function as clients. Likewise, PCs play the client role in this project. This enhances the mobile authentication key, which verifies whether an authorized user is accessing the system or not. Once the request is initiated to the main server on completing the registration procedure, the main server, to ensure that the user is authorized, responds to the client by declaring an authentication key to the PC, which secures the request to be initiated and is also useful for future secure purposes. For example, if the user wants to update their information, a one-time password will be generated by the server and sent to the user's mobile number to identify whether the request was made by the legitimate user or not. It also ensures security by informing the user if a hacker is attempting to hack the user's account.

1.4 Objectives

The objective of this system is to detect attacks and secure the system by imposing an additional interface (intermediate server) between the user and the main server. This prevents the user from directly accessing the main server. Since the main server has access only to authenticate the username and password, it paves a way for a hacker to hack the request. The web container handles the user request with a set of rules; if the request matches, it is forwarded to the main server and then to the database. Finally it is forwarded to the web applications.

2. System requirements

2.1 System Specification

The minimum hardware requirements used in this system are a Pentium 4 processor, 512MB RAM, 40GB HDD and a Nokia Express Music mobile with its data cable. The minimum software requirements used are the Windows XP platform, Java jdk1.5 and Apache Tomcat 5.5 as the front end, Nokia PC Suite, and MS SQL Server as the back end. The non-functional requirements are security, reliability, efficiency and correctness. The external interface requirements are the user interface, hardware interface and software interface.
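The intermediate server described in sections 1.3 and 1.4 does two things: it isolates each user session in its own container, and it learns which back-end database queries a given web request normally produces so that a request whose queries deviate is stopped before it reaches the main server. The following is an added example, not the paper's own code (the paper's implementation is Java on Tomcat; Python is used here only to make the mechanism concrete). The SessionContainer class stands in for the lightweight-virtualization container, the training traffic is constructed, and the query normalisation by stripping literals is an assumption about how the "normality model" would be built.

```python
"""Intermediate server (web container) sketch for sections 1.3 and 1.4.

Added example, not the paper's own code. Each user session is given an
isolated SessionContainer (standing in for the lightweight-virtualization
container), and a normality model records which database query shapes each
web request type produced during training. At detection time a request whose
back-end queries fall outside the model, or whose session is reused from a
different client IP, raises an alert and is not forwarded to the main server.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Replace string and numeric literals with "?" so that queries that differ
# only in their parameters map to the same shape (an assumption of this sketch).
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+\b")


def query_shape(sql):
    """Normalise whitespace and case and strip literals from a SQL statement."""
    return _LITERAL.sub("?", " ".join(sql.split())).lower()


@dataclass
class SessionContainer:
    """Per-session isolated state: the IP it was created from and its traffic."""
    session_id: str
    client_ip: str
    web_requests: list = field(default_factory=list)
    db_queries: list = field(default_factory=list)


class DoubleGuardGateway:
    def __init__(self):
        self.model = defaultdict(set)   # request key -> allowed query shapes
        self.sessions = {}              # session id -> SessionContainer
        self.alerts = []                # (session id, request key, reason)

    def train(self, request_key, queries):
        """Training mode: record the query shapes a known-good request produces."""
        for sql in queries:
            self.model[request_key].add(query_shape(sql))

    def _container_for(self, session_id, client_ip):
        container = self.sessions.get(session_id)
        if container is None:
            container = SessionContainer(session_id, client_ip)
            self.sessions[session_id] = container
        return container

    def handle(self, session_id, client_ip, request_key, queries):
        """Detection mode: return True if the request may be forwarded."""
        container = self._container_for(session_id, client_ip)
        if container.client_ip != client_ip:
            self.alerts.append((session_id, request_key, "session reused from another IP"))
            return False
        allowed = self.model.get(request_key)
        if allowed is None:
            self.alerts.append((session_id, request_key, "request type never seen in training"))
            return False
        for sql in queries:
            shape = query_shape(sql)
            if shape not in allowed:
                self.alerts.append((session_id, request_key, "unexpected query: " + shape))
                return False
        container.web_requests.append(request_key)
        container.db_queries.extend(queries)
        return True


def build_trained_gateway():
    """Constructed training traffic for two request types of a profile page."""
    gw = DoubleGuardGateway()
    gw.train("GET /profile", ["SELECT name, email FROM users WHERE id = 42"])
    gw.train("POST /update", ["SELECT name, email FROM users WHERE id = 42",
                              "UPDATE users SET address = 'Chennai' WHERE id = 42"])
    return gw


if __name__ == "__main__":
    gw = build_trained_gateway()
    print(gw.handle("s1", "10.0.0.5", "GET /profile",
                    ["SELECT name, email FROM users WHERE id = 7"]))           # True
    print(gw.handle("s1", "10.0.0.5", "GET /profile",
                    ["SELECT name, email FROM users WHERE id = 7 OR 1 = 1"]))  # False
    print(gw.alerts)
```

The second call in the demo is forwarded by a plain web server, since the front-end request looks identical; it is only the correlation with the back-end query that exposes it, which is the point the paper makes about attacks an ordinary IDS would miss.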
2.2 Software Used

2.2.1 HTML

Hyper Text Markup Language (HTML) is the main markup language for displaying web pages and other information that can be displayed in a web browser. HTML is written in the form of HTML elements consisting of tags enclosed in angle brackets (like <html>), within the web page content. HTML tags most commonly come in pairs like <h1> and </h1>, although some tags, known as empty elements, are unpaired, for example <img>. The first tag in a pair is the start tag, the second tag is the end tag (they are also called opening tags and closing tags). In between these tags web designers can add text, tags, comments and other types of text-based content. The purpose of a web browser is to read HTML documents and compose them into visible or audible web pages. The browser does not display the HTML tags, but uses the tags to interpret the content of the page. HTML elements form the building blocks of all websites. HTML allows images and objects to be embedded and can be used to create interactive forms. It provides a means to create structured documents by denoting structural semantics for text such as headings, paragraphs, etc.

2.2.2 Apache Tomcat Server

Apache Tomcat (formerly under the Apache Jakarta Project; Tomcat is now a top-level project) is a web container developed at the Apache Software Foundation. Tomcat implements the servlet and the Java Server Pages (JSP) specifications from Sun Microsystems, providing an environment for Java code to run in cooperation with a web server. It adds tools for configuration and management but can also be configured by editing configuration files that are normally XML-formatted. Because Tomcat includes its own HTTP server internally, it is also considered a standalone web server. Tomcat is a web server that supports servlets and JSPs. Tomcat comes with the Jasper compiler that compiles JSPs into servlets. The Tomcat servlet engine is often used in combination with an Apache web server or other web servers. Tomcat can also function as an independent web server. Earlier in its development, the perception existed that standalone Tomcat was only suitable for development environments and other environments with minimal requirements for speed and transaction handling. However, that perception no longer exists; Tomcat is increasingly used as a standalone web server in high-traffic, high-availability environments. Since its developers wrote Tomcat in Java, it runs on any operating system that has a JVM.

2.2.3 Microsoft SQL Server

Microsoft SQL Server is a relational database management system developed by Microsoft. As a database, it is just a software product whose primary function is to store and retrieve data as requested by other software applications, be it those on the same computer or those running on another computer across a network (including the Internet). There are at least a dozen different editions of Microsoft SQL Server aimed at different audiences and for different workloads (ranging from small applications that store and retrieve data on the same computer, to millions of users and computers that access huge amounts of data from the Internet at the same time). True to its name, Microsoft SQL Server's primary query languages are T-SQL and ANSI SQL.

2.2.4 Java JDK

The Java Development Kit (JDK) is an Oracle Corporation product aimed at Java developers. The JDK also comes with a complete Java Runtime Environment, usually called a private runtime, due to the fact that it is separated from the "regular" JRE and has extra contents. It consists of a Java Virtual Machine and all of the class libraries present in the production environment, as well as additional libraries only useful to developers, such as the internationalization libraries and the IDL libraries.

3. System Design

3.1 System Architecture

Architecture is a formal description of a system, organized in a way that supports reasoning about the structural properties of the system. It defines the system components or building blocks and provides a plan from which products can be procured, and systems developed, that will work together to implement the overall system. In this project, a representation of the system is a mapping of functionality between the front-end and the back-end database; it also specifies user interaction in the web application. Architecture is the top-level, strategic invention; likewise, here the intermediate server plays a vital role in preventing vulnerabilities that exploit the front-end as well as the back-end database.

Fig 2. System Architecture

3.2 Flow Diagram

Fig 3. Level 0

Fig 4. Level 1

A data flow diagram (DFD) is a graphical representation of the "flow" of data through an information system, modeling its process aspects. Often they are a preliminary step used to create an overview of the system which can later be elaborated. DFDs can also be used for the visualization of data processing (structured design). A DFD shows what kinds of information will be input to and output from the system, where the data will come from and go to, and where the data will be stored. It does not show information about the timing of processes, or information about whether processes will operate in sequence or in parallel. Here, for instance, it shows the flow of requests from each user session through an isolated environment. The preliminary step is the operation of an intermediate server which maintains each session for the user or client. It also builds a causal mapping between the web server and the database. This also initiates the network transaction between the front-end and the back-end.

3.3 Usecase Diagram
Fig 5. Use Case Diagram (actors: User, Admin, Web Container, Main Server, WebServer1, WebServer2, DB; interactions: Registration, UserName/Password, Request for S Key, Response for S Key, Save/Valid, Check Access)

A use case diagram is a list of steps, defining interactions between an actor and a system, to achieve a goal. The actor can be a human or an external system. In systems engineering, use cases are used at a higher level than within software engineering, often representing missions or stakeholder goals. The detailed requirements may then be captured in SysML or as contractual statements. The purpose of a use case diagram is to capture the dynamic aspect of a system. But this definition is too generic to describe the purpose. Use case diagrams are drawn to capture the functional requirements of a system.

3.3.1 Steps Involved

The user or client sends the web request and receives an acknowledgement for the corresponding request. The user in the use case diagram is referred to as the actor. The attributes involved in this project are the intermediate server and the main server. The operations are those of the intermediate server, which performs attack identification and prevents attacks or vulnerabilities that exploit the server and the database. The intermediate server examines routing messages that are being transferred from the front-end to the back-end. The main server verifies the privileged access conditions which, when satisfied, prove the user to be legitimate. It displays the different user connections and generates an authentication key as an alert message. The database plays a storage and maintenance role, where it monitors and updates the client information. The figure below describes the steps followed during network transactions.

Fig 5. Steps Involved In Transactions

4. Implementation

4.1 User GUI

The client registers all their authentication information along with their user name, password, gender, mobile number, age, DOB and address. All the information is stored in the main server for authentication. The server is responsible for maintaining all the client information. The server prevents unwanted users from entering the network. It also verifies the access privileges of each and every user. Client access plays a vital role in this project because it deviates from normal registration. The user generates network behavior for both the web and the database. Once the registration is over, an authentication key is generated for secure exchange of information. A server is a computer program running to serve the requests of other programs, the clients. Thus, the server performs some computational task on behalf of clients. The clients either run on the same computer or connect through the network.

4.2 Establishing Intermediate Server between User and Main Server

The intermediate server serves as an interface between the user and the main server. It maintains a web container which handles the request with a set of access rules for detecting attacks. This is achieved by employing a lightweight virtualization technique to assign each user's web session to a dedicated container, an isolated virtual computing environment. This builds a causal mapping profile by taking both the web server and database traffic. With this technique the web container detects the presence of attacks by verifying against a set of privileged access rules. Thus it is mainly used for detecting attacks and preventing vulnerabilities.

4.3 Check out The Request

This module describes checking the user request for the possibility of attacks such as SQL injection, IP spoofing, DDoS, etc. If the hacker obtains the username and password by using a special string with a logic condition, this is termed a SQL injection attack. IP spoofing refers to hijacking a legitimate user's IP, explicitly hiding their own IP and sending the request to the server. A DDoS attack refers to several requests initiated to the server from a single IP. We detect the malicious data URL that the user was accessing when accessing their data. Once the user enters the malicious data URL in the address bar, the server will detect the URL.

4.4 Initializing Request Forward Mechanism

This module describes the request forwarding mechanism. It deals with verifying whether web requests are forwarded from the intermediate server to the main server or not. It also identifies attacker requests that aim to hijack information about the user. Once the user signs into their account, the request has to be forwarded to the web container and then to the server; the server then queries the database and retrieves the data. If the user directly hits the server, the server will not respond to that user's request. The server will also detect the IP address of the system from which the request was passed. From this module, we may be able to identify the hacker and prevent them from hacking.

4.5 Generation of Authentication Key

After the user registers their details, before proceeding with a request, the database stores the details about the user. Then the main server generates an authentication key as an alert message to PC Suite. This key identifies the legitimate user, not adversaries who intermix with the web server. If the user wants to update their information, a one-time password will be generated by the server and sent to the user's mobile number to identify whether the request was made by the legitimate user or not. It also ensures security by informing the user if a hacker is attempting to hack the user's account.

4.6 Access to Web Applications

This module specifies access according to the user request and also allows the user transaction. Here the Double Guard mechanism creates the mapping between web server and database traffic. It operates on multiple feeds of network traffic using a single IDS. The forwarded request, once verified against its privileged conditions in the main server, initiates its subsequent request queries to the corresponding user session and access in the web applications.

5. Conclusions

This project has been completed as an intrusion detection system that builds models of normal behavior for multi-tiered web applications from both front-end web requests and back-end database queries. Double Guard forms a container-based IDS with multiple input streams to produce alerts. It employs a technique in which an isolated virtual environment (the intermediate server) identifies the attack and blocks that particular web request using a lightweight virtualization technique. The legitimate user's request is then forwarded to the main server. Further, the forwarded request is checked through the request forwarding mechanism, also verifying the privileged condition. Additionally, the main server also generates an authentication key to be more secure. Using this technique, it maintains a quantified detection accuracy for web requests. Finally, the coverage of training sessions is detected and false positives are prevented.
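Section 4.3 (summarised again in the conclusion above) names SQL injection and single-IP request floods as the checks the request module performs. The following is an added example, not the paper's code: an in-memory SQLite database stands in for MS SQL Server, the user record is constructed, and the flood threshold is an assumed value. login_unsafe builds the query by string concatenation, so the "special string with logic condition" the section mentions changes the query's meaning; login_safe binds the same inputs as parameters, so they can only ever be compared as values. FloodDetector counts requests per client IP in a sliding window.

```python
"""Request checks for section 4.3: SQL injection and request flooding.

Added example, not the paper's code. MS SQL Server is stood in for by an
in-memory SQLite database and the sample user is constructed.
"""
import sqlite3
from collections import defaultdict, deque


def make_db():
    """Constructed user table. Passwords are stored in clear only to keep the
    example short; a real deployment stores a salted hash instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_unsafe(conn, username, password):
    """Vulnerable form: user input is spliced into the SQL text, so a quote in
    the password ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Hardened form: the driver binds the inputs, so quotes in them are data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


class FloodDetector:
    """Allow at most `limit` requests per client IP within any `window` seconds."""

    def __init__(self, limit=5, window=10.0):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # ip -> timestamps of recent requests

    def allow(self, ip, now):
        recent = self.hits[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()            # drop hits that left the window
        recent.append(now)
        return len(recent) <= self.limit


def check_request(conn, detector, ip, username, password, now):
    """Refuse flooding clients before touching the database, then authenticate."""
    if not detector.allow(ip, now):
        return "flood"
    return "ok" if login_safe(conn, username, password) else "denied"


if __name__ == "__main__":
    db = make_db()
    injected = "' OR '1'='1"           # the logic-condition string of section 4.3
    print(login_unsafe(db, "alice", injected))   # True: the query was altered
    print(login_safe(db, "alice", injected))     # False: compared as a value
    det = FloodDetector(limit=3, window=10.0)
    print([check_request(db, det, "10.0.0.9", "alice", "correct-horse", t)
           for t in (0, 1, 2, 3)])               # ['ok', 'ok', 'ok', 'flood']
```

The ordering in check_request matters: the rate check runs first so that a flooding client cannot make the server spend a database round trip on every request.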
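Sections 4.4 and 4.5 describe two checks on the main server: refusing requests that did not pass through the intermediate server, and confirming a profile update with a one-time password sent to the user's mobile. The following is an added example, not the paper's code. It assumes the intermediate server and main server share a secret (a constructed value here) and that the intermediate server attaches an HMAC over the session id, client IP and a timestamp to each forwarded request; the header names are assumptions. OtpService stands in for the code delivered through Nokia PC Suite in the paper, adding expiry, single use and an attempt limit that the paper does not specify.

```python
"""Request forwarding check (section 4.4) and one-time password (section 4.5).

Added example, not the paper's code. The shared secret and header names are
constructed; a direct hit on the main server carries no valid forwarding tag
and is refused.
"""
import hashlib
import hmac
import secrets

FORWARD_SECRET = b"constructed-shared-secret-change-me"


def sign_forwarded(session_id, client_ip, timestamp, key=FORWARD_SECRET):
    """Intermediate server side: tag binding the session, its IP and the time."""
    message = "%s|%s|%d" % (session_id, client_ip, timestamp)
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def forward_headers(session_id, client_ip, timestamp, key=FORWARD_SECRET):
    """Headers the intermediate server adds before forwarding to the main server."""
    return {
        "X-Session-Id": session_id,
        "X-Client-Ip": client_ip,
        "X-Forward-Time": str(timestamp),
        "X-Forward-Tag": sign_forwarded(session_id, client_ip, timestamp, key),
    }


def verify_forwarded(headers, now, key=FORWARD_SECRET, max_age=30):
    """Main server side: accept only requests signed recently with the shared key."""
    try:
        session_id = headers["X-Session-Id"]
        client_ip = headers["X-Client-Ip"]
        timestamp = int(headers["X-Forward-Time"])
        tag = headers["X-Forward-Tag"]
    except (KeyError, ValueError):
        return False          # direct hit: no (or malformed) forwarding headers
    if abs(now - timestamp) > max_age:
        return False          # stale tag, possibly replayed
    expected = sign_forwarded(session_id, client_ip, timestamp, key)
    return hmac.compare_digest(expected, tag)


class OtpService:
    """One-time passwords for profile updates: expiring, single use, few attempts."""

    def __init__(self, ttl=300, max_attempts=3):
        self.ttl = ttl
        self.max_attempts = max_attempts
        self.pending = {}     # username -> [code, expires_at, attempts]

    def issue(self, username, now):
        code = "%06d" % secrets.randbelow(10 ** 6)
        self.pending[username] = [code, now + self.ttl, 0]
        return code           # delivered out of band to the registered mobile number

    def verify(self, username, code, now):
        entry = self.pending.get(username)
        if entry is None:
            return False      # nothing issued, or already used
        if now > entry[1] or entry[2] >= self.max_attempts:
            del self.pending[username]
            return False      # expired or locked out after too many guesses
        entry[2] += 1
        if hmac.compare_digest(entry[0], code):
            del self.pending[username]   # single use
            return True
        return False


if __name__ == "__main__":
    hdrs = forward_headers("s1", "10.0.0.5", 1000)
    print(verify_forwarded(hdrs, 1010))   # True: came through the web container
    print(verify_forwarded({}, 1010))     # False: direct hit on the main server
    svc = OtpService()
    code = svc.issue("alice", 0)
    print(svc.verify("alice", code, 20))  # True
    print(svc.verify("alice", code, 30))  # False: a code is valid once
```

Binding the client IP into the tag is what lets the main server "detect the IP address of the system from which the request was passed" without trusting a header the client could set itself: if the IP is changed after signing, the tag no longer verifies.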