• No results found

Protecting web content integrity from malicious attacks

N/A
N/A
Info
Download
Protected

Academic year: 2020

Share "Protecting web content integrity from malicious attacks"

Copied!
5
0
0

Loading.... (view fulltext now)

Download now ( 5 Page )

Full text

(1)

Protecting web content integrity from malicious attacks

1

B.Dinesh Reddy

2

M. Vikram

1

M. Tech Student , SV College of Engineering, Tirupathi, Andhra Pradesh, India , Email- [email protected]

2

Assoc. Professor SV College of Eengineering Tirupathi, Andhra Pradesh, India , Email- [email protected]

Abstract

To harness the safe operation of Web-based systems in Web Environments,

we propose an SSPA (Server based SHA-1 Page Digest Algorithm) to verify the integrity of web contents before the server issues an HTTP response to a user request. In addition to standard security measures, our Java implementation of the SSPA, which is called the Dynamic Security Surveillance Agent (DSSA), provides further security in terms of content integrity to Web-based systems. Its function is to prevent the display of Web contents that have been altered through the malicious acts of attackers and intruders on Client machines. This is to protect the reputation of organizations from Cyber Attacks and to ensure the safe operation of web systems by dynamically monitoring the integrity of a Web site’s content on demand.

INTRODUCTION

In the fast growing generation everybody is running along the clock. So every moment of our life is very precious. Major part of life is spending on solving problems to achieve their goals. So they can’t spend time to solve other person problems. As part of this concern, our system supports the people and help the needy during their problems belongs to any domain

Overview of Project:

Continuous attack on web servers and alteration of web contents by intruders and hackers, who exploit system weaknesses, are prime concerns of the organization, owners of the sites, as well as users who access them.

To strengthen the security of web systems we have developed and implemented a Server side web content verifying agent, which automatically and dynamically intercept and processes the users request before the web server responds to the client. In this scenario the organizations running web servers are primary parties interested in the integrity of there their sites contents.

Our Algorithm running at the server prevents display of the web page which has been modified by malicious attacks.

This is done by blocking material that doesn’t match its true finger print (Page digest).

By introducing the verification agent, our aim is to further secure web systems in co-operative internet computing and other web based environments, where still clients can verify digitally signed web pages via other methods for their confidence to conduct online transactions.

Proposing web contents integrity verifying agent:Web servers

are accessible by any client who has access to the internet. Although this universal accessibility is very attractive for all kinds of E-commerce applications, it exposes the servers to attackers who may alter web content. The alterations may range from humorous additions or changes, which are typically easy to spot, to more sinister tampering with web page content providing false or damaging information.Information displayed by web servers needs to be protected against illegal Modifications, which otherwise would damage the reputation of site owners.

To strengthen the security of web systems, our thesis suggests a Server based SHA-1 Page digest Algorithm

(SSPA) for verifying the integrity of web contents before server

issues an HTTP (Hyper Text Transfer Protocol) response to users request for a web resource.

Its JAVA implementation, which is called Dynamic

Security Surveillance Agent (DSSA), provides further security

in terms of content integrity to web based systems. It automatically intercepts the users request and on the fly checks the integrity of the requested page before the web server responds to the client. This is to ensure that users would find access to find the correctly provided information and services, and also to protect the reputation of organizations from damages, which could otherwise occur because of display of illegally altered material on browsers.

hash functions:

A hash function is a form of encryption that takes some plaintext input and transforms it into a fixed-length encrypted output called the message digest. The digest is a fixed-size set of bits that serves as a unique "digital fingerprint" for the original message. If the original message is altered and hashed again, it will produce a different

(2)

signature. Thus, hash functions can be used to detect altered and forged documents. They provide message integrity, assuring recipients that the contents of a message have not been altered or corrupted.

Using the SHA-1 with the DSA

Hash functions are one-way, meaning that it is easy to compute the message digest but very difficult to revert the message digest back to the original plaintext (e.g., imagine trying to put a smashed pumpkin back to exactly the way it was).

Hash function features are listed here:

A hash function should be impossible for two different messages to ever produce the same message digest. Changing a single digit in one message will produce an entirely different message digest.

• It should be impossible to produce a message that has some desired or predefined output (target message digest).

• It should be impossible to reverse the results of a hash function. This is possible because a message digest could have been produced by an almost infinite number of messages.

• The resulting message digest is a fixed size. A hash of a short message will produce the same size digest as a hash of a full set of encyclopedias. Hash functions may be used with or without a key.

digital signatures:

A digital signature is added to the encrypted data after the data is key encrypted to indicate exactly who sent the data and who is to receive it. On the sending side, the data is signed, and on the receiving side, the signature on the data is verified. If the verification succeeds, it is very likely the

sender and receiver are who they are supposed to be. In the diagram, the hash is key encrypted and signed so the receiving side can verify the signature on the hash. The message could also be signed if needed or desired.Digital signatures can potentially provide security by enabling a client to verify the legitimacy of a document by its alleged owner.

SYSTEM ANALASYS

System analysis is the process of examining a business

situation with the intent of improving it through better procedures and methods. System Analysis is a detailed study of the various operations performed by a system and their relationships within and outside of the system. One aspect of analysis is defining the boundaries of the system and determining whether a new proposed system could be more reliable than the existing system.

EXISTING SYSTEM

• There is no existing system regarding to this project,for representing the integrity of website’s content.In existing systems, we are mainly focus on the providing security for the websites.

• In case if the security failed,the data in the webpages in the webservers will be modified by the hackers.There is no furthere security in existing system.

Drawbacks of Existing System :

• Data will be modified by hackers or

unauthorized persons in web pages on the internet.

• We may not get accuracy data from the

webservers.

• In existing system, it is some difficult to identify the modifications for the Administrator.

FEASIBILITY STUDY

Feasibility study is a compressed capsule version of scope and an objective is conformed and corrected any constraints imposed on the system are identified.

To yield a successful project, there is need to know the likelihood the system will be useful to the organization that can be obtained through efficient and effective feasibility study. Once scope has been identified, it is responsible to ask “Can we build software to meet this scope? Is this project feasible? On this contrary, the feasibility has three dimensions, which are the considerable aspects while building a system.

Feasibility is not warranty for system in which economic justification is obvious, technical risk is low, few legal problems are expected, and no reasonable alternates exist. Three key considerations are involved in the feasibility analysis.

• Economic Feasibility

(3)

• Technical Feasibility

• Operational Feasibility ECONOMIC FEASIBILITY

Economic analysis is the most frequently used for evaluating the effectiveness of the software. More commonly known as cost/benefit analysis, the procedure is tdetermine the benefits that are expected from the software and compared with the costs. If benefits outweigh costs, then the decision is made to design and implement the software. Otherwise, further justification or alternates in the proposed system have to be made if it is to have a chance of being approved.

Proposed system

As the proposed system, is developed with less expected investment and with better information quantity, quality and timeliness. Hence the proposed system is economically feasible.

TECHNICAL FEASIBILITY

The technical feasibility is frequently the most difficult are to encounter at this stage. It is essential that the process of analysis and definition be conducted in parallel with an assessment of technical feasibility.

The technical feasibility issues usually raised during feasibility stage are

• Does the necessary technology exist to do, what is suggested?

• Can the system be expanded if developed?

Proposed system

The system is self-explanting and does not require any sophisticated training. The overall time that a user needs to get trained is less than 15min.The system has been added with features of menu device and button interaction methods which makes him the master as he starts working through the environment. There is no need for additional software and hardware components. As the hardware requirements are satisfied the system is technically feasible to some extent. Hence the proposed system is technically feasible.

OPERATIONAL FEASIBILITY

This type of feasibility asks if the system will work when it is developed. Here are the questions that help to test the operational feasibility of the project:

• Will the system delay in the process?

• Will the proposed system need any other resource.

Proposed system

It is very easy and flexible to use compared to the existing system and the users can easily yield to this project. It saves customer time to think about the problem and searching for appropriate consultancy for solving the problem.

System Components:

Symbolizes Process

Symbolizes external entities

Symbolizes data flow

Symbolizes Data store

CONTEXT LEVEL DIAGRAM

DATA FLOW DIAGRAMS:

First Level/Admin Level

Second/user Level

(4)

Third Level

DATA DICTIONARY

Data dictionary in a database management system is a file that defines the basic organization of a database. A data dictionary contains a list of all files in the database, the number of records in each, and the names and types of each field in the record etc.

Most database management systems keep the data dictionary hidden from users to prevent them from accidentally destroying its contents. Data dictionaries do not contain any actual data from the database, only book keeping information for managing it. Without data dictionary, however, a database management system cannot access data from the database. Analysts use data dictionaries for five important reasons:

1. To manage the detail in large systems.

2. To communicate a common meaning for all

system elements.

3. To document the features of the system.

4. To facilitate analysts of details in order to evaluate var characteristics and determine where system changes would be made.

5. To locate errors and omissions in the system. Digest register:

Field name Data Type Description

Page Text Upload page

Digest Text Hash value of upload

page

Description of Modules

Digestgen

The digest, and updates the database with the URL requested and digest value of the request and the administrator identity that uploaded the page to the Server. To calculate the digest value it takes the help of the class DWA_SHA.This

module returns the digest value and which is further used for checking the integrity of the webpage.

DWAVarifier

This verifier module returns a Boolean value depending upon the Comparison of the old and present of digest values. For this purpose it makes use Of two other classes DigestGen and

DwaConnection.UsingDWAConnectionclass And gets a connection String and using this it retrieves a database digest value. Using Digestgen it gets a digest value, this is the present value. Now the Verifier checks the old value and the present value and returns a Boolean value based upon the result of comparison.

3.Pagefilter:-

The Pagefilter module depends on DWAVerifier. The DWAVerifier returns a Boolean value and depending upon this Boolean value the filter sends a response to the client. If the Boolean value returned by the Verifier is TRUE then the requested web page is sent to Client, else an error note is sent to Client and error mail is sent to Administrator.

CONCLUSION

The “Dynamic Web Agent for Integrity of Website’s

Content” was successfully designed and is tested for accuracy

and quality.

During this project we have accomplished all the objectives and this project meets the needs of the organization. The developement will be used in the organization for uploading the web pages and successfully retrieving the web pages from the webserver without allowing modifications.

Book resources:

[1] “Web Security”, Amrith Tiwana, Pearson Education.

[2] “ Unofficial Guide to Ethical Hacking”, Ankit Fadia ,

Pearson Education.

[3] ” Thinking in Java”, Bruce Eckel, Second Edition,

Prentice Hall, mid-June 2000.

[4] ”The Unified Modeling Language User’s Guide”,

Grady Booch, James Rumbaugh ,Ivar Jacobson, Pearson education.

[5] ”Java2 The Complete Reference”, Herbert Schildt ,

McGraw Hill

(5)

[6] “Java Server Pages”, Hans Bergsten, O’reilly, Third Edition December 2003.

[7] “Java- How to Program”, H.M.Dietel and P.J.Dietel,

Pearson Education,Third Edition,2001.

[8] ” J2ee Security for Servlets , and Web Services:

Applying Theory and Standards to Practice”, ] Pankaj

Kumar, McGraw Hill.

[9] “Software Engineering- A Practioners Approach”, Roger S.Pressman, McGraw-Hill

[10] “SESSION RIDING A Widespread Vulnerability in

Today’s Web Applications”, Thomas Schreiber, Secure

Net GmbH, Pearson Education, December 2004.

Web Resources:

[1] Information on the Web Application Security:

http://www.webappsec.org/projects/articles

[2] Munchner Technologiezentrum, Secure Net :

http://www.securenet.de

www.securityfocus.com/archive/1/297714

[3] The Open Web Application Security Project:

http://www.owasp.org

[4]WorldWideWeb:

http://en.wikipedia.org/wiki/World_Wide_Web

[5] Hackers : http://en.wikipedia.org/wiki/Hackers

AUTHOR1:

B.DINESH REDDY,M.TECH(COMPUTER SCIENCE),

SVCOLLEGE OF ENGINEERING.

AUTHOR2:

M.VIKRAM,ASSOC.PROFESSOR IN CSEDEPT. OF SV COLLEGE ENGENEERING,TIRUPATI

References

Download now ( PDF - 5 Page - 164.30 KB )

Related documents

PRODUCTION PROFILE: Avicii

Below: Avicii is the stage name of Swedish DJ and Producer, Tim Bergling; The SSE Audio crew brought expert engineering skills on the road for the show’s audio needs; HSL supplied

Synthesis and conformational studies of calixarene analogue chiral [3.3.1]metacyclophanes

It is reported [ 39 ] that hydroxyl groups which do not participate in intramolecular hydrogen bonding are necessary for an effective interaction between chiral

SAFETY PLAN. Tom Bradley International Terminal. Refurbishment Project

Since the Construction/Ramp Safety Program is intended to supplement the airport and companies standardized training primary users requesting access to the safety zones will

Common features between neoplastic and preneoplastic lesions of the biliary tract and the pancreas

The pancreatic counterpart of intraepithelial neoplasm of the biliary tract is represented by PanINs, defined as a microscopic flat or micropapillary noninvasive lesions,

Virtual MEG Helmet : Computer Simulation of an Approach to Neuromagnetic Field Sampling

Total Information: SLO With RDSC (see Table I and Fig. 2) 1) Displaced Head Positions in the Standard MEG Array Compared to Stand_1 (see Table I Arrays 2–9, and Fig. 2):

Dairy Farm Business Summary: Northern New York Region 1997

The Statement of Owner Equity allows you to determine to what degree the change in equity was caused by (1) earnings from the business, and nonfarm income, in excess

Biotechnological approaches for improved disease resistance in soybean and wheat

It has previously been shown that recombinant antimicrobial peptides (AMP) are a possible source of increased resistance to fungal plant pathogens when expressed in a variety

Saints Alive. Rector Reflection 1. At the Little Brown Church Lent 2021 ASH WEDNESDAY

Even though we have not been able to meet at church because of COVID, our by-laws say we need to have an annual meeting once a year.. So, please mark your calendar