Dissertations / Theses: 'Web Applications; Storage; Security'

1

Lin, Wenghui. "Data Security Enhancement for Web Applications Using Cryptographic Back-end Store." Scholarly Repository, 2009. http://scholarlyrepository.miami.edu/oa_theses/235.

Full text

Abstract:

Conventional storage technologies do not always give sufficient guarantees of security for critical information. Databases and file servers are regularly compromised, with consequential theft of identities and unauthorized use of sensitive information. Some cryptographic technologies increase the security guarantees, but rely on a key, and key secrecy and maintenance are difficult problems. Meanwhile, there is an accelerating trend of moving data from local storage to Internet storage. As a result, automatic security of critical information without the need for key management promises to be an important technology for Web Applications. This thesis presents such solution for Internet data storage that uses a secret sharing scheme. The shared secrets are packaged as JSON objects and delivered to various endpoints using HTTP semantics. A shopping website is developed to demonstrate the solution.

APA, Harvard, Vancouver, ISO, and other styles

2

Prabhakara, Deepak. "Web Applications Security : A security model for client-side web applications." Thesis, Norwegian University of Science and Technology, Department of Telematics, 2009. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-8962.

Full text

Abstract:

The Web has evolved to support sophisticated web applications. These web applications are exposed to a number of attacks and vulnerabilities. The existing security model is unable to cope with these increasing attacks and there is a need for a new security model that not only provides the required security but also supports recent advances like AJAX and mashups. The attacks on client-side Web Applications can be attributed to four main reasons – 1) lack of a security context for Web Browsers to take decisions on the legitimacy of requests, 2) inadequate JavaScript security, 3) lack of a Network Access Control and 4) lack of security in Cross-Domain Web Applications. This work explores these four reasons and proposes a new security model that attempts to improve overall security for Web Applications. The proposed security model allows developers of Web Applications to define fine-grained security policies and Web Browsers enforce these rules; analogous to a configurable firewall for each Web Application. The Browser has disallows all unauthorized requests, thus preventing most common attacks like Cross-Site Script Injections, Cross-Frame Scripting and Cross-Site Tracing. In addition the security model defines a framework for secure Cross-Domain Communication, thus allowing secure mashups of Web Services. The security model is backward compatible, does not affect the current usability of the Web Applications and has cross-platform applicability. The proposed security model was proven to protect against most common attacks, by a proof-of-concept implementation that was tested against a comprehensive list of known attacks.

APA, Harvard, Vancouver, ISO, and other styles

3

Svartberg, Anja. "Security in Offline Web Applications." Thesis, Norges Teknisk-Naturvitenskaplige Universitet, Institutt for elektronikk og telekommunikasjon, 2009. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-10003.

Full text

Abstract:

Offline Web applications are increasingly popular. The possibility to have both the advantages of Web applications and traditional desktop applications is exiting. An offline Web application can be accessed from all computers, with any operating system, as well as offering to store information locally, giving the user the opportunity to use the application when the user does not have Internet access. The concept of offline Web applications is tempting, but it is important to integrate security in the process of making them. The users rely on a high level of security. In this thesis I have looked specifically on how the persistent client-side storage needed for offline storage for the offline Web application can be compromised due to security vulnerabilities on the Web server. I have performed a literature review to gather information on the topic of security in offline Web applications, and it was found that there has not been much previous research in this area. Two technologies for realization of offline Web applications were reviewed: HTML5 and Google Gears. Following, a Web server was set up, and two test applications with offline capabilities, representing the two chosen technologies, were put on the Web server. A set of security tests were performed on these test applications to reveal possible vulnerabilities in having persistent client-side storage. The results of the security testing demonstrate the consequences of having security weaknesses in Web servers hosting offline Web applications. If there is one cross-site scripting vulnerability on the Web server, an attacker can attack the persistent client-side storage: steal, change, delete or add information related to the offline Web application. Some thoughts on possible consequences of attacks on the hosting Web server are also given. A comparison between Google Gears and HTML5 was performed, and it was found that some of the design choices in Google Gears help provide a higher level of security in offline Web applications. Some strategies for testing the security of offline Web applications are suggested, focused on cross-site scripting vulnerabilities. The work in this thesis underlines the importance of including security in the process of developing and deploying offline Web applications. It shows the large consequences that can result from small security vulnerabilities present in the hosting Web server. Introductorily, the advantages of offline Web applications were discussed. The work presented here shows that the increasing use of offline Web applications relies on a high focus on security in order to keep the users' information safe.

APA, Harvard, Vancouver, ISO, and other styles

4

Ge, Xiaocheng. "Agile security for Web applications." Thesis, University of York, 2007. http://etheses.whiterose.ac.uk/11071/.

Full text

Abstract:

Web-based applications (or more concisely, Web applications) are a kind of information system with a particular architecture. They have progressively evolved from Internet browser-based, read-only information repositories to Web-based distributed systems. Today, increasing numbers of businesses rely on their Web applications. At the same time, Web applications are facing many security challenges and, as a result, are exposing businesses to many risks. This thesis proposes a novel approach to building secure Web applications using agile software development methods.

APA, Harvard, Vancouver, ISO, and other styles

5

Erdogan, Gencer. "Security Testing of Web Based Applications." Thesis, Norwegian University of Science and Technology, Department of Computer and Information Science, 2009. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-9993.

Full text

Abstract:

Web applications are becoming more and more popular in means of modern information interaction, which leads to a growth of the demand of Web applications. At the same time, Web application vulnerabilities are drastically increasing. This will inevitably expose more Web application users to malicious attacks, causing them to lose valuable information or be harmed in other ways. One of the most important software security practices that is used to mitigate the increasing number of vulnerabilities is security testing. The most commonly applied security testing methodologies today are extensive and are sometimes too complicated with their many activities and phases. Because of this complexity, developers very often tend to neglect the security testing process. Today, there is only a few security testing methodologies developed especially for Web applications and their agile development environment. It is therefore necessary to give attention to security testing methodologies for Web applications. A survey of state-of-the-art security testing methodologies for Web applications is performed. Based on some predefined criterions, Agile Security Testing is selected as the most adequate security testing methodology for Web applications, and is further extended to support all the predefined criterions. Furthermore, the extended Agile Security Testing methodology (EAST) is integrated into the Software Development Life Cycle applied by the Administrative Information Services group at the Department of General Infrastructure Services at CERN−The European Organization for Nuclear Research. Finally, by using the EAST methodology and the security testing methodology applied by the AIS group (which is an ad hoc way of performing security tests), an evaluation of the EAST methodology compared to existing ad hoc ways of performing security tests is made. The security testing process is carried out two times using the EAST methodology and two times using the ad hoc approach. In total, 9 vulnerability classes are tested. The factors that are used to measure the efficiency is: (1) the amount of time spent on the security testing process, (2) the amount of vulnerabilities found during the security testing process and (3) the ability to mitigate false-positives during the security testing process. The results show that the EAST methodology is approximately 21% more effective in average regarding time spent, approximately 95% more effective regarding the amount of vulnerabilities found, and has the ability to mitigate false-positives, compared to existing ad hoc ways of performing security tests. These results show that structured security testing of Web applications is possible not being too complicated with many activities and phases. Furthermore, it mitigates three important factors that are used as basis to neglect the security testing process. These factors are: The complexity of the testing process, the too time-consuming attitude against security testing of Web applications and that its considered to lack a significant payoff.

APA, Harvard, Vancouver, ISO, and other styles

6

Srilatha, Rondla, and Gande Someshwar. "Security Testing for Web Applications in SDLC." Thesis, Blekinge Tekniska Högskola, Sektionen för datavetenskap och kommunikation, 2011. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-2903.

Full text

Abstract:

Context: In Web applications, the Software vulnerability can be reduced by applying security testing in all phases of the software development life cycle (SDLC). Lot of vulnerabilities might occur if the security testing is applied in the last phase of SDLC. In order to mitigate these vulnerabilities, a lot of rework is required that involves reverse engineering in the development and design phases. To overcome this situation, organizations are shifting from security testing (performed in last phase) towards security testing in the early phases of SDLC. Objectives: The main objectives of this thesis are to gather the benefits and challenges of security testing in the last phase versus security testing in every phase of the SDLC. After gathering, authors want to compare both implementations because these days most organizations are shifting from last phase to every phase of SDLC. Justification to the reason can be achieved by this comparison. Methods: In order to satisfy the objectives of this thesis, a literature review and interviews were conducted. The literature review was conducted by gathering benefits and challenges of last phase and every phase of SDLC. Authors have applied coding technique to the data gathered from literature review. By using the results from literature review, a set of questions were framed. Based on these questions, interviews in various organizations were performed. To analyze the practitioner’s data we used Sorting and Coding technique. Then, we conducted a comparative analysis to compare both results. Results: Application of security testing in the last phase of the SDLC results in a lot of rework which in turn leads to instability in managing the cost, time and resources in an organisation. In order to overcome this, more and more organisations are introducing security testing at each and every phase of SDLC. Conclusions: It can be concluded that every phase of security testing in SDLC has more benefits than applying in last phase of SDLC. To evaluate this process more research is needed to acquire more knowledge of security testing in all phases of SDLC. Through literature review and interviews conducted, it is evident that security testing at early phases causes a reduction in rework which in turn leads to more efficient management of cost, time and resources of a project.
+91 8977404640

APA, Harvard, Vancouver, ISO, and other styles

7

Singh, Kapil. "Designing security policies and frameworks for web applications." Diss., Georgia Institute of Technology, 2011. http://hdl.handle.net/1853/41122.

Full text

Abstract:

The new developments behind Web 2.0 have increased the complexity of web systems making the task of securing these systems a challenging problem. As a result, end-to-end security for web access has been hindered by the limitations of current web security policies and by the lack of systems that enable effective enforcement of policies. The focus of this dissertation is on how new tools and frameworks may be designed to aid the protection of web systems by acting as policy specification and enforcement points. In particular, we develop a set of policies and frameworks for three web players--the user, the web browser and the web application--that determine the end-to-end security of web content. Our contributions include a framework for users to specify security policies, a platform to enforce user policies for third-party applications, a systematic analysis of browser policy issues, and a mechanism to provide improved end-to-end security/integrity guarantees.

APA, Harvard, Vancouver, ISO, and other styles

8

Mundada, Yogesh. "Building data-centric security mechanisms for web applications." Diss., Georgia Institute of Technology, 2016. http://hdl.handle.net/1853/55013.

Full text

Abstract:

Data loss from web applications at different points of compromise has become a major liability in recent years. Existing security guidelines, policies, and tools fail often, ostensibly for reasons stemming from blatant disregard of common practice to subtle exploits originating from complex interactions between components. Current security mechanisms focus on “how to stop illicit data transfer”(i.e., the “syntax”), and many tools achieve that goal in principle. Yet, the practice of securing data additionally depends on allowing administrators to clearly specify “what data should be secured” (i.e., the “semantics”). Currently, translation from “security semantics” to “security syntax” is manual, timeconsuming, and ad hoc. Even a slight oversight in the translation process could render the entire system insecure. Security semantics frequently need modifications due to changes in various external factors such as policy changes, user reclassification, and even code refactoring. This dissertation hypothesizes that adaptation to such changes would be faster and less error prone if the tools also focused on automating translation from semantics to syntax, in addition to simply executing the syntax. With this approach, we build following low maintenance security tools that prevent unauthorized sensitive data transfer at various vantage points in the World Wide Web ecosystem. We show how the security tools can take advantage of inherent properties of the sensitive information in each case, making the translation process automatic and faster: ● Appu, a tool that automatically finds personal information(semantics) spread across web services, and suggests actions(syntax) to minimize data loss risks. ● Newton, a tool that formalizes the access control model using web cookies. Using this formal approach, it improves the security of the existing session management techniques by detecting(semantics) and protecting(syntax) privileged cookies without requiring input from the site administrator. ● SilverLine, a system for cloudbased web services that automatically derives data exfiltration rules(syntax) from the information about sensitive database tables & intertable relationships(semantics). Then, it executes these rules using information flow control mechanism.

APA, Harvard, Vancouver, ISO, and other styles

9

Ur-Rehman, Wasi. "Maintaining Web Applications Integrity Running on RADIUM." Thesis, University of North Texas, 2015. https://digital.library.unt.edu/ark:/67531/metadc804975/.

Full text

Abstract:

Computer security attacks take place due to the presence of vulnerabilities and bugs in software applications. Bugs and vulnerabilities are the result of weak software architecture and lack of standard software development practices. Despite the fact that software companies are investing millions of dollars in the research and development of software designs security risks are still at large. In some cases software applications are found to carry vulnerabilities for many years before being identified. A recent such example is the popular Heart Bleed Bug in the Open SSL/TSL. In today’s world, where new software application are continuously being developed for a varied community of users; it’s highly unlikely to have software applications running without flaws. Attackers on computer system securities exploit these vulnerabilities and bugs and cause threat to privacy without leaving any trace. The most critical vulnerabilities are those which are related to the integrity of the software applications. Because integrity is directly linked to the credibility of software application and data it contains. Here I am giving solution of maintaining web applications integrity running on RADIUM by using daikon. Daikon generates invariants, these invariants are used to maintain the integrity of the web application and also check the correct behavior of web application at run time on RADIUM architecture in case of any attack or malware. I used data invariants and program flow invariants in my solution to maintain the integrity of web-application against such attack or malware. I check the behavior of my proposed invariants at run-time using Lib-VMI/Volatility memory introspection tool. This is a novel approach and proof of concept toward maintaining web application integrity on RADIUM.

APA, Harvard, Vancouver, ISO, and other styles

10

Ngu, Phuc Huy. "Web applications - New mobile service paradigm." Thesis, Norges teknisk-naturvitenskapelige universitet, Institutt for telematikk, 2012. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-19040.

Full text

Abstract:

The explosion of mobile applications both in number and variety raises the need of shedding light on their architecture, composition and quality. Indeed, it is crucial to understand which mobile application paradigm fits better to what type of application and usage. Such understanding has direct consequences on the user experience, the development cost and sale revenues of mobile apps. In this thesis, we identify four main mobile application paradigms and evaluate them from the viewpoints of developers, users and service providers. To ensure objectivity and accuracy we start by defining high level criteria and then breaking down into finer-grained criteria. After a theoretical evaluation an implementation was carried out as a practical verification to ensure that the method adopted in analysis and evaluation is trusted and applicable. The selected application is object recognition app, which is both exciting and challenging to develop.

APA, Harvard, Vancouver, ISO, and other styles

11

Li, Louis. "Security Analysis of Java Web Applications Using String Constraint Analysis." Thesis, Harvard University, 2015. http://nrs.harvard.edu/urn-3:HUL.InstRepos:14398534.

Full text

Abstract:

Web applications are exposed to myriad security vulnerabilities related to malicious user string input. In order to detect such vulnerabilities in Java web applications, this project employs string constraint analysis, which approximates the values that a string variable in a program can take on. In string constraint analysis, program analysis generates string constraints -- assertions about the relationships between string variables. We design and implement a dataflow analysis for Java programs that generates string constraints and passes those constraints to the CVC4 SMT solver to find a satisfying assignment of string variables. Using example programs, we illustrate the feasibility of the system in detecting certain types of web application vulnerabilities, such as SQL injection and cross-site scripting.

APA, Harvard, Vancouver, ISO, and other styles

12

Grimstad, Jo. "Security in Single Sign-On Web Applications : An Assessment of the Security in and Between Web Applications Sharing a Common Single Sign-On User Session." Thesis, Norges teknisk-naturvitenskapelige universitet, Institutt for telematikk, 2010. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-11130.

Full text

Abstract:

Single Sign-On (SSO) is a solution where the authentication process is taken care of once by a third-party Web site rather than at each of the the Web sites providing services to their users. This new way of separating user identities from the service-providing Web sites leads to different security requirements. As an approach towards assessing the security of Web applications utilizing SSO, this thesis investigates the concepts and functionality of OpenID, a decentralized authentication protocol. The assessment addresses vulnerabilities and threats related to SSO, using real Web applications as examples. Development of an OpenID-enabled Web application is a part of the security assessment. The thesis includes experimenting with various OpenID-enabled Web sites and Identity Providers (IdPs), and observing how they are affected by different kinds of Web security threats. The results of the thesis shows how security weaknesses were discovered at two major IdPs by performing Clickjaking attacks. Also, the thesis outlines some attacks that are threatening the concept of SSO in general.

APA, Harvard, Vancouver, ISO, and other styles

13

Lunyov, Phillip. "Detecting changes in web applications." Thesis, Linnéuniversitetet, Institutionen för datavetenskap och medieteknik (DM), 2020. http://urn.kb.se/resolve?urn=urn:nbn:se:lnu:diva-97021.

Full text

Abstract:

As the availability and popularity of the Internet continues to grow, the trend ofproviding global access to business resources and services online is an efficient andprofitable way for organizations to acquire a new share of the market. Due to the flexibilityand scalability of modern web technologies, web-based applications processand store personal or critical information in enormous amounts. Hence, the overallapplication’s functionality and secure data processing are the main key factors ofeach web application. For ensuring those key factors, the web page code must be regularlymonitored to retain the overall quality of the code. This project is devoted tochange identification and classification in modern web-based applications, based onthe comparison of two versions of web page code, acquired in different time periods.The foundation of the development is described as a detection algorithm in one of theacademic papers. The algorithm was supplemented by a more extensive classificationof changes that was originally proposed by the author. The result of the researchis a semi-automatic tool, developed in Python. The tool compares two versions ofthe web page code to find changes and classify those changes. The result of the tool’sexecution is a report file that contains statistics of the overall algorithm’s executionand type-clustered information about the detected changes between two versions ofthe web page code. The analysis of results showed that the implemented diff-toolprovides reliable results and allocates all types of possible changes in the web pagecodes, which are acknowledged by statistical analysis. The comparative analysis ofthe results of the developed diff-tool with the results of other similar technical solutionsrevealed serious shortcomings of other solutions, due to their data processingimplementation, classification of the changes and resulting report file.

APA, Harvard, Vancouver, ISO, and other styles

14

Singaravelu, Lenin. "End-to-End Security of Information Flow in Web-based Applications." Diss., Georgia Institute of Technology, 2007. http://hdl.handle.net/1853/16142.

Full text

Abstract:

Web-based applications and services are increasingly being used in security-sensitive tasks. Current security protocols rely on two crucial assumptions to protect the confidentiality and integrity of information: First, they assume that end-point software used to handle security-sensitive information is free from vulnerabilities. Secondly, these protocols assume point-to-point communication between a client and a service provider. However, these assumptions do not hold true with large and complex vulnerable end point software such as the Internet browser or web services middleware or in web service compositions where there can be multiple value-adding service providers interposed between a client and the original service provider. To address the problem of large and complex end-point software, we present the AppCore approach which uses manual analysis of information flow, as opposed to purely automated approaches, to split existing software into two parts: a simplified trusted part that handles security-sensitive information and a legacy, untrusted part that handles non-sensitive information without access to sensitive information. Not only does this approach avoid many common and well-known vulnerabilities in the legacy software that compromised sensitive information, it also greatly reduces the size and complexity of the trusted code, thereby making exhaustive testing or formal analysis more feasible. We demonstrate the feasibility of the AppCore approach by constructing AppCores for two real-world applications: a client-side AppCore for https-based applications and an AppCore for web service platforms. Our evaluation shows that security improvements and complexity reductions (over a factor of five) can be attained with minimal modifications to existing software (a few tens of lines of code, and proxy settings of a browser) and an acceptable performance overhead (a few percent). To protect the communication of sensitive information between the clients and service providers in web service compositions, we present an end-to-end security framework called WS-FESec that provides end-to-end security properties even in the presence of misbehaving intermediate services. We show that WS-FESec is flexible enough to support the lattice model of secure information flow and it guarantees precise security properties for each component service at a modest cost of a few milliseconds per signature or encrypted field.

APA, Harvard, Vancouver, ISO, and other styles

15

Near, Joseph P. (Joseph Paul). "Finding security bugs in web applications using domain-specific static analysis." Thesis, Massachusetts Institute of Technology, 2015. http://hdl.handle.net/1721.1/99841.

Full text

Abstract:

Thesis: Ph. D., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2015.
Cataloged from PDF version of thesis.
Includes bibliographical references (pages 129-133).
This thesis proposes new techniques for finding and eliminating application-specific bugs in web applications. We demonstrate three approaches to finding these bugs, each representing one position in the compromise between specificity and automation. All three are powered by a scalable symbolic execution specifically tailored to the structure of web application implementations, allowing analysis of even the largest real-world applications. In contrast to existing general-purpose verification approaches, this work was inspired by the hypothesis that narrowing our focus might produce more effective tools. Our approach has been to take advantage of properties specific to application-specific security bugs in web applications in order to produce more effective tools. The results suggest that focusing on a particular class of applications (web applications) and on a particular class of bugs (missing security checks) we can build static analysis tools that are both significantly more scalable and more automated than general-purpose bug-finding tools.
by Joseph P. Near.
Ph. D.

APA, Harvard, Vancouver, ISO, and other styles

16

Erickson, Adam, and Oscar Nielsen. "Keep our web applications safe : A security evaluation of Service Workers." Thesis, Linköpings universitet, Programvara och system, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-161753.

Full text

Abstract:

With the ever-expanding internet, finding new ways to increase the user experience are vital in order to keeping concurrent users on your web application. One way to achieve this could be to implement a Service Worker to unlock more capabilities of a web application. The purpose of this paper is to evaluate what new security vulnerabilities can arise when implementing a Service Worker. This could then be used to evaluate if the technology has evolved far enough to be used by a wider audience of programmers and users. The analysis in this paper will be presented in a security matrix that is based on four experiments and a complementary literature study on web-based attacks. This paper found that some new vulnerabilities must be considered when implementing a Service Worker in a web application. The worst of these is the Living Outside of Scope, which can be used by an attacker to secretly hijack a victim's computer even when the application is shut down. This paper concludes that the technology has evolved far enough so that a secure web application with the use of the Service Worker is possible, but there are still some new vulnerabilities that can become a problem if not considered.

APA, Harvard, Vancouver, ISO, and other styles

17

Zhou, Yu. "AUTOMATIC GENERATION OF WEB APPLICATIONS AND MANAGEMENT SYSTEM." CSUSB ScholarWorks, 2017. https://scholarworks.lib.csusb.edu/etd/434.

Full text

Abstract:

One of the major difficulties in web application design is the tediousness of constructing new web pages from scratch. For traditional web application projects, the web application designers usually design and implement web application projects step by step, in detail. My project is called “automatic generation of web applications and management system.” This web application generator can generate the generic and customized web applications based on software engineering theories. The flow driven methodology will be used to drive the project by Business Process Model Notation (BPMN). Modules of the project are: database, web server, HTML page, functionality, financial analysis model, customer, and BPMN. The BPMN is the most important section of this entire project, due to the BPMN flow engine that most of the work and data flow depends on the engine. There are two ways to deal with the project. One way is to go to the main page, then to choose one web app template, and click the generating button. The other way is for the customers to request special orders. The project then will give suitable software development methodologies to follow up. After a software development life cycle, customers will receive their required product.

APA, Harvard, Vancouver, ISO, and other styles

18

Forsman, Tomas. "Security in Web Applications and the Implementation of a Ticket Handling System." Thesis, Umeå universitet, Institutionen för datavetenskap, 2014. http://urn.kb.se/resolve?urn=urn:nbn:se:umu:diva-86002.

Full text

Abstract:

Today the Internet is filled with various web applications. One category of things that can cause a lot of problems are security holes. Some of them are due to programming mistakes, some due to inexperience, or in other ways failure to protect the system against harmful input. Part one of this thesis will look into some common problem areas in web application security and how to make those areas less problematic. There will be a summary of those problem areas and also some more detailed explanations. These areas include SQL injections and Cross-Site Scripting which, by prominent security companies, are deemed to be the most problematic areas on the web right now regarding security. Part two is the implementation of a ticket handling system for computer support at Department of Computing Science, Umea University. Such a system is responsible for receiving requests from employees and students, and managing them in a way that is easy to overview and handle. Having helpful supporting systems will, in turn, make it easier to provide good support to the employees and students. Knowledge from part one of this thesis is used to make the implementation in part two a secure application.

APA, Harvard, Vancouver, ISO, and other styles

19

Xiong, Pulei. "A Model-driven Penetration Test Framework for Web Applications." Thesis, Université d'Ottawa / University of Ottawa, 2012. http://hdl.handle.net/10393/20552.

Full text

Abstract:

Penetration testing is widely used in industry as a test method for web application security assessment. However, penetration testing is often performed late in a software development life cycle as an isolated task and usually requires specialized security experts. There is no well-defined test framework providing guidance and support to general testers who usually do not have in-depth security expertise to perform a systematic and cost-efficient penetration test campaign throughout a security-oriented software development life cycle. In this thesis, we propose a model-driven penetration test framework for web applications that consists of a penetration test methodology, a grey-box test architecture, a web security knowledge base, a test campaign model, and a knowledge-based PenTest workbench. The test framework enables general testers to perform a penetration test campaign in a model-driven approach that is fully integrated into a security-oriented software development life cycle. Security experts are still required to build up and maintain a web security knowledgebase for test campaigns, but the general testers are capable of developing and executing penetration test campaigns with reduced complexity and increased reusability in a systematic and cost-efficient approach. A prototype of the framework has been implemented and applied to three web applications: the benchmark WebGoat web application, a hospital adverse event management system (AEMS), and a palliative pain and symptom management system (PAL-IS). An evaluation of the test framework prototype based on the case studies indicates the potential of the proposed test framework to improve how penetration test campaigns are performed and integrated into a security-oriented software development life cycle.

APA, Harvard, Vancouver, ISO, and other styles

20

Dahl, Andreas, and Kristofer Nylander. "Differences in security between native applications and web based applications in the field of health care." Thesis, Linnéuniversitetet, Institutionen för datavetenskap (DV), 2015. http://urn.kb.se/resolve?urn=urn:nbn:se:lnu:diva-40397.

Full text

Abstract:

Developing native applications for different platforms with different resolutions and screen sizes is both time consuming and costly. If developers were able to develop one web based application which can be used on multiple platforms, yet retain the same level of security as a native application, they would be able to reduce both development time and costs. In this thesis we will investigate the possibilities of achieving a level of security in a web-based application that can equal that of a native application, as well as how to develop an application that uses the Mina Vårdkontakter (My Healthcare Contacts) framework.

APA, Harvard, Vancouver, ISO, and other styles

21

Huang, Xujing. "Quantitative information flow of side-channel leakages in web applications." Thesis, Queen Mary, University of London, 2016. http://qmro.qmul.ac.uk/xmlui/handle/123456789/12864.

Full text

Abstract:

It is not a secret that communications between client sides and server sides in web applications can leak user confidential data through side-channel attacks. The lower lever traffic features, such as packet sizes, packet lengths, timings, etc., are public to attackers. Attackers can infer a user's web activities including web browsing histories and user sensitive information by analysing web traffic generated during communications, even when the traffic is encrypted. There has been an increasing public concern about the disclosure of user privacy through side-channel attacks in web applications. A large amount of work has been proposed to analyse and evaluate this kind of security threat in the real world. This dissertation addresses side-channel vulnerabilities from different perspectives. First, a new approach based on verification and quantitative information flow is proposed to perform a fully automated analysis of side-channel leakages in web applications. Core to this aim is the generation of test cases without developers' manual work. Techniques are implemented into a tool, called SideAuto, which targets at the Apache Struts web applications. Then the focus is turned to real-world web applications. A black-box methodology of automatically analysing side-channel vulnerabilities in real-world web applications is proposed. This research demonstrates that communications which are not explicitly involving user sensitive information can leak user secrets, even more seriously than a traffic explicitly transmitting user information. Moreover, this thesis also examines side-channel leakages of user identities from Google accounts. The research demonstrates that user identities can be revealed, even when communicating with external websites included in Alexa Top 150 websites, which have no relation to Google accounts.

APA, Harvard, Vancouver, ISO, and other styles

22

Hadjichristofi, George Costa. "IPSec Overhead in Wireline and Wireless Networks for Web and Email Applications." Thesis, Virginia Tech, 2001. http://hdl.handle.net/10919/35710.

Full text

Abstract:

This research focuses on developing a set of secure communication network testbeds and using them to measure the overhead of IP Security (IPSec) for email and web applications. The network testbeds are implemented using both wireline and wireless technologies. The testing involves a combination of authentication algorithms such as Hashed Message Authentication Code-Message Digest 5 (HMAC-MD5) and Hashed Message Authentication Code-Secure Hash Algorithm 1 (HMAC-SHA1), implemented through different authentication protocols such as ESP and AH, and used in conjunction with the Triple Digital Encryption Standard (3DES). The research examines the overhead using no encryption and no authentication, authentication and no encryption, and authentication and encryption. A variety of different sizes of compressed and uncompressed files, are considered when measuring the overhead. The testbed realizes security using IPSec to secure the connection between different nodes. The email protocol that is used is the Simple Mail Transfer Protocol (SMTP) and the web protocol considered is the Hyper Text Transfer Protocol (HTTP). The key metrics considered are the network load in bytes, the number of packets, and the transfer time. This research emphasizes the importance of using HTTP to access files than using SMTP. Use of HTTP requires fewer packets, lower network loads, and lower transfer times than SMTP. It is demonstrated that this difference, which occurs regardless of security, is magnified by the use of authentication and encryption. The results also indicate the value of using compressed files for file transfers. Compressed and uncompressed files require the same transfer time, network load and number of packets since FreeS/WAN IPSec does not carry any form of compression on the data before passing it to the data link layer. Both authentication algorithms, HMAC-MD5 and HMAC- SHA1, result in about the same network load and number of packets. However, HMAC-SHA1 results in a higher transfer time than HMAC-MD5 because of SHA1's higher computational requirements. ESP authentication and ESP encryption reduce the network load for small files only, compared to ESP encryption and AH authentication. ESP authentication could not be compared with AH authentication, since the FreeS/WAN IPSec implementation used in the study does not support ESP authentication without using encryption. In a wireless environment, using IPSec does not increase the network load and the number of transactions, when compared to a wireline environment. Also, the effect of security on transfer time is higher compared to a wireline environment, even though that increase is overshadowed by the high transfer time percentage increase due to the wireless medium.
Master of Science

APA, Harvard, Vancouver, ISO, and other styles

23

Lundberg, Karl Johan. "Investigating the current state of securityfor small sized web applications." Thesis, Linköpings universitet, Databas och informationsteknik, 2012. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-89160.

Full text

Abstract:

It is not uncommon to read about hacker attacks in the newspaper today. The hackers are targeting governments and enterprises, and motives vary. It may be political or economic reasons, or just to gain reputation. News about smaller systems is, unsurprisingly, not as common. Does this mean that security is less relevant of smaller systems? This report investigates the threat model of smaller web applications, to answer that very question.Different attacks are described in the detail needed for explaining their threat but the intention is not to teach the reader to write secure code. The report does, however, provide the reader with a rich source of references for that purpose. After describing some of the worst threats, the general cloud threat model is analyzed. This is followed by a practical analysis of a cloud system, and the report is closed with general strategies for countering threats.The severe destruction that a successful attack may cause and the high prevalence of those attacks motivates some security practices to be performed whenever software is produced. Attacks against smaller companies are more common now than ever before

APA, Harvard, Vancouver, ISO, and other styles

24

Huang, Jin. "Detecting Server-Side Web Applications with Unrestricted File Upload Vulnerabilities." Wright State University / OhioLINK, 2021. http://rave.ohiolink.edu/etdc/view?acc_num=wright163007760528389.

Full text

APA, Harvard, Vancouver, ISO, and other styles

25

Dacosta, Italo. "Practical authentication in large-scale internet applications." Diss., Georgia Institute of Technology, 2012. http://hdl.handle.net/1853/44863.

Full text

Abstract:

Due to their massive user base and request load, large-scale Internet applications have mainly focused on goals such as performance and scalability. As a result, many of these applications rely on weaker but more efficient and simpler authentication mechanisms. However, as recent incidents have demonstrated, powerful adversaries are exploiting the weaknesses in such mechanisms. While more robust authentication mechanisms exist, most of them fail to address the scale and security needs of these large-scale systems. In this dissertation we demonstrate that by taking into account the specific requirements and threat model of large-scale Internet applications, we can design authentication protocols for such applications that are not only more robust but also have low impact on performance, scalability and existing infrastructure. In particular, we show that there is no inherent conflict between stronger authentication and other system goals. For this purpose, we have designed, implemented and experimentally evaluated three robust authentication protocols: Proxychain, for SIP-based VoIP authentication; One-Time Cookies (OTC), for Web session authentication; and Direct Validation of SSL/TLS Certificates (DVCert), for server-side SSL/TLS authentication. These protocols not only offer better security guarantees, but they also have low performance overheads and do not require additional infrastructure. In so doing, we provide robust and practical authentication mechanisms that can improve the overall security of large-scale VoIP and Web applications.

APA, Harvard, Vancouver, ISO, and other styles

26

Gholami, Sadeq, and Zeineb Amri. "Automated secure code review for web- applications." Thesis, KTH, Skolan för elektroteknik och datavetenskap (EECS), 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-300125.

Full text

Abstract:

Carefully scanning and analysing web- applications is important, in order to avoid potential security vulnerabilities, or at least reduce them. Traditional code reviewing methods, such as manual code reviews, have various drawbacks when performed on large codebases. Therefore it is appropriate to explore automated code reviewing tools and study their performance and reliability. The literature study helped identify various prerequisites, which facilitated the application of automated code reviewing tools. In a case study, two static analysis tools, CodeQL and Semgrep, were used to find security risks in three open source web- applications with already known vulnerabilities. The result of the case study indicates that the automated code reviewing tools are much faster and more efficient than the manual reviewing, and they can detect security vulnerabilities to a certain acceptable degree. However there are vulnerabilities that do not follow a pattern and are difficult to be identified with these tools, and need human intelligence to be detected.
Det är viktigt att skanna och analysera webbapplikationer noggrant för att undvika potentiella säkerhetsproblem eller åtminstone minska dem. Traditionella kodgranskningsmetoder, såsom manuella kodgranskningar, har olika nackdelar när de utförs på stora kodbaser. Därför är det lämpligt att utforska automatiserade verktyg för kodgranskning och studera deras prestanda och tillförlitlighet. Litteraturstudien hjälpte till att identifiera olika förutsättningar, som underlättade tillämpningen av automatiserade kodgranskningsverktyg. I en fallstudie användes två statiska analysverktyg, CodeQL och Semgrep, för att hitta säkerhetsrisker i tre open sourcewebbapplikationer med redan kända sårbarheter. Resultatet av fallstudien indikerar att de automatiska kodgranskningsverktygen är mycket snabbare och effektivare än de manualla kodgranskningar och att de kan upptäcka säkerhetsproblem i viss acceptabel grad. Det finns emellertid sårbarheter som inte följer ett mönster och som är svåra att identifiera med dessa verktyg, och behöver mänsklig intelligens för att upptäckas.

APA, Harvard, Vancouver, ISO, and other styles

27

Davis, Debra Lee. "Efficient storage and retrieval of georeferenced objects in a semantic database for web-based applications." FIU Digital Commons, 2000. http://digitalcommons.fiu.edu/etd/2744.

Full text

Abstract:

The use and dissemination of remotely-sensed data is an important resource that can be used for environmental, commercial and educational purposes. Because of this, the use and availability of remotely-sensed data has increased dramatically in recent years. This usefulness, however, is often overshadowed by the difficulty encountered with trying to deal with this type of data. The amount of data available is immense. Storing, searching and retrieving the data of interest is often difficult, time consuming and inefficient. This is particularly true when these types of data need to be rapidly and continually accessed via the Internet, or combined with other types of remotely-sensed data, such as combining Aerial Photography with US Census vector data. This thesis addresses some of these difficulties, a two-fold approach has been taken. First, a database schema which can store various types of remotely-sensed data in one database has been designed for use in a Semantic Object-Oriented Database System (Sem-ODB). This database schema includes in its design a linear addressing scheme for remotely-sensed objects which maps an object’s 2-dimentional (latitude/longitude) location information to a 1-dimensional integrated integer value. The advantages of using this Semantic schema with remotely-sensed data is discussed and the use of this addressing scheme to rapidly search for and retrieve point-based vector data is investigated. In conjunction with this, an algorithm for transforming a remotely-sensed range search into a number of linear segments of objects in the 1-dimensional array is investigated. The main issues and the combination of solutions involved are discussed.

APA, Harvard, Vancouver, ISO, and other styles

28

Ahlberg, Gustav. "Generating web applications containing XSS and CSRF vulnerabilities." Thesis, Linköpings universitet, Databas och informationsteknik, 2014. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-111652.

Full text

Abstract:

Most of the people in the industrial world are using several web applications every day. Many of those web applications contain vulnerabilities that can allow attackers to steal sensitive data from the web application's users. One way to detect these vulnerabilities is to have a penetration tester examine the web application. A common way to train penetration testers to find vulnerabilities is to challenge them with realistic web applications that contain vulnerabilities. The penetration tester's assignment is to try to locate and exploit the vulnerabilities in the web application. Training on the same web application twice will not provide any new challenges to the penetration tester, because the penetration tester already knows how to exploit all the vulnerabilities in the web application. Therefore, a vast number of web applications and variants of web applications are needed to train on. This thesis describes a tool designed and developed to automatically generate vulnerable web applications. First a web application is prepared, so that the tool can generate a vulnerable version of the web application. The tool injects Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) vulnerabilities in prepared web applications. Different variations of the same vulnerability can also be injected, so that different methods are needed to exploit the vulnerability depending on the variation. A purpose of the tool is that it should generate web applications which shall be used to train penetration testers, and some of the vulnerabilities the tool can inject, cannot be detected by current free web application vulnerability scanners, and would thus need to be detected by a penetration tester. To inject the vulnerabilities, the tool uses abstract syntax trees and taint analysis to detect where vulnerabilities can be injected in the prepared web applications. Tests confirm that web application vulnerability scanners cannot find all the vulnerabilities on the web applications which have been generated by the tool.

APA, Harvard, Vancouver, ISO, and other styles

29

Vural, Gurkan. "Anomaly Detection From Personal Usage Patterns In Web Applications." Master's thesis, METU, 2006. http://etd.lib.metu.edu.tr/upload/12607973/index.pdf.

Full text

Abstract:

The anomaly detection task is to recognize the presence of an unusual (and potentially hazardous) state within the behaviors or activities of a computer user, system, or network with respect to some model of normal behavior which may be either hard-coded or learned from observation. An anomaly detection agent faces many learning problems including learning from streams of temporal data, learning from instances of a single class, and adaptation to a dynamically changing concept. The domain is complicated by considerations of the trusted insider problem (recognizing the difference between innocuous and malicious behavior changes on the part of a trusted user). This study introduces the anomaly detection in web applications and formulates it as a machine learning task on temporal sequence data. In this study the goal is to develop a model or profile of normal working state of web application user and to detect anomalous conditions as deviations from the expected behavior patterns. We focus, here, on learning models of normality at the user behavioral level, as observed through a web application. In this study we introduce some sensors intended to function as a focus of attention unit at the lowest level of a classification hierarchy using Finite State Markov Chains and Hidden Markov Models and discuss the success of these sensors.

APA, Harvard, Vancouver, ISO, and other styles

30

Babatunde, John Oluwole. "Evaluating the impact of security measures on performance of secure web applications hosted on virtualised platforms." Thesis, University of East London, 2015. http://roar.uel.ac.uk/4771/.

Full text

Abstract:

The use of web applications has drastically increased over the years, and so has the need to secure these applications with effective security measures to ensure security and regulatory compliance. The problem arises when the impact and overheads associated with these security measures are not adequately quantified and factored into the design process of these applications. Organizations often resort to trading-off security compliance in order to achieve the required system performance. The aim of this research work is to quantify the impact of security measures on system performance of web applications and improve design decision-making in web application design process. This research work examines the implications of compliance and security measures on web applications and explores the possibility of extending the existing Queueing Network (QN) based models to predict the performance impact of security on web applications. The intention is that the results of this research work will assist system and web application designers in specifying adequate system capacity for secure web applications, hence ensuring acceptable system performance and security compliance. This research work comprises three quantitative studies organized in a sequential flow. The first study is an exploratory survey designed to understand the extent and importance of the security measures on system performance in organizations. The survey data was analyzed using descriptive statistics and Factor Analysis. The second study is an experimental study with a focus on causation. The study provided empirical data through sets of experiments proving the implications of security measures on a multi-tiered state-of-the-art web application - Microsoft SharePoint 2013. The experimental data were analyzed using the ANCOVA model. The third study is essentially a modeling-based study aimed at using the insights on the security implications provided by the second study. In the third study, using a well-established QN result - Mean Value Analysis (MVA) for closed networks, the study demonstrated how security measures could be incorporated into a QN model in an elegant manner with limited calculations. The results in this thesis indicated significant impact of security measures on web application with respect to response time, disk queue length, SQL latches and SQL database wait times. In a secure three-tiered web application the results indicated greater impacts on the web tier and database tier primarily due to encryption requirements dictated by several compliance standards, with smaller impact seen at the application tier. The modeling component of this thesis indicated a potential benefit in extending QN models to predict secure web application performance, although more work is needed to enhance the accuracy of the model. Overall, this research work contributes to professional practice by providing performance evaluation and predictive techniques for secure web applications that could be used in system design. From performance evaluations and QN modeling perspective, although three-tiered web application modeling has been widely studied, the view in this thesis is that this is the first attempt to look at security compliance in a three-tiered web application modeling on virtualized platforms.

APA, Harvard, Vancouver, ISO, and other styles

31

Månsson, Anton. "Webbsystem säkerhet : Ur ett API och webbapplikations perspektiv." Thesis, Linnéuniversitetet, Institutionen för datavetenskap (DV), 2017. http://urn.kb.se/resolve?urn=urn:nbn:se:lnu:diva-68000.

Full text

Abstract:

Web applications and APIs have become more popular every year, and security risks haveincreased. Along with more security risks and the large amount of sensitive informationshared on web applications today, the problem grows. I therefore wanted to explore morein security deficiencies to increase my own knowledge and others in the field. To do that,a web application was developed and a survey was made of what security threats existtoday and what solutions they have. Some of the solutions encountered during theinvestigation were then implemented and tested in the web application. The result showedsome general solutions such as validation, which was a solution to a number of threats.The investigation also showed that security is not black and white and that it is possibleto implement actions but attackers can still find ways to attack systems.

APA, Harvard, Vancouver, ISO, and other styles

32

Hellström, Adrian. "Querying JSON and XML : Performance evaluation of querying tools for offline-enabled web applications." Thesis, Högskolan i Skövde, Institutionen för kommunikation och information, 2012. http://urn.kb.se/resolve?urn=urn:nbn:se:his:diva-5915.

Full text

Abstract:

This article explores the viability of third-party JSON tools as an alternative to XML when an application requires querying and filtering of data, as well as how the application deviates between browsers. We examine and describe the querying alternatives as well as the technologies we worked with and used in the application. The application is built using HTML 5 features such as local storage and canvas, and is benchmarked in Internet Explorer, Chrome and Firefox. The application built is an animated infographical display that uses querying functions in JSON and XML to filter values from a dataset and then display them through the HTML5 canvas technology. The results were in favor of JSON and suggested that using third-party tools did not impact performance compared to native XML functions. In addition, the usage of JSON enabled easier development and cross-browser compatibility. Further research is proposed to examine document-based data filtering as well as investigating why performance deviated between toolsets.

APA, Harvard, Vancouver, ISO, and other styles

33

Skogsrud, Halvard Computer Science &amp Engineering Faculty of Engineering UNSW. "Trust negotiation policy management for service-oriented applications." Awarded by:University of New South Wales. Computer Science and Engineering, 2006. http://handle.unsw.edu.au/1959.4/25723.

Full text

Abstract:

Service-oriented architectures (SOA), and in particular Web services, have quickly become a popular technology to connect applications both within and across enterprise boundaries. However, as services are increasingly used to implement critical functionality, security has become an important concern impeding the widespread adoption of SOA. Trust negotiation is an approach to access control that may be applied in scenarios where service requesters are often unknown in advance, such as for services available via the public Internet. Rather than relying on requesters' identities, trust negotiation makes access decisions based on the level of trust established between the requester and the provider in a negotiation, during which the parties exchange credentials, which are signed assertions that describe some attributes of the owner. However, managing the evolution of trust negotiation policies is a difficult problem that has not been sufficiently addressed to date. Access control policies have a lifecycle, and they are revised based on applicable business policies. Additionally, because a trust relationship established in a trust negotiation may be long lasting, their evolution must also be managed. Simply allowing a negotiation to continue according to an old policy may be undesirable, especially if new important constraints have been added. In this thesis, we introduce a model-driven trust negotiation framework for service-oriented applications. The framework employs a model for trust negotiation, based on state machines, that allows automated generation of the control structures necessary to enforce trust negotiation policies from the visual model of the policy. Our policy model also supports lifecycle management. We provide sets of operations to modify policies and to manage ongoing negotiations, and operators for identifying and managing impacts of changes to trust negotiation policies on ongoing trust negotiations. The framework presented in the thesis has been implemented in the Trust-Serv prototype, which leverages industry specifications such as WS-Security and WS-Trust to offer a container-centric mechanism for deploying trust negotiation that is transparent to the services being protected.

APA, Harvard, Vancouver, ISO, and other styles

34

Gopali, Gopali. "Protecting Web Applications from SQL Injection Attacks- Guidelines for Programmers Master Thesis." Thesis, Malmö universitet, Fakulteten för teknik och samhälle (TS), 2018. http://urn.kb.se/resolve?urn=urn:nbn:se:mau:diva-20238.

Full text

Abstract:

Injektionsattack är den mest kritiska säkerhetsapplikationen för webbapplikationer, och SQL-injektion (SQLi) -attack är den mest rapporterade injektionsattacken på webbapplikationer. I denna avhandling har vi identifierat angreppsteknikerna som används av angripare och vi ger också riktlinjer så att programmerarna kan skriva webbapplikationskoder på ett säkert sätt för att förhindra SQLi-attackerna.Metoden som tillämpas för forskningen är litteraturstudie och vi använde vägen bevis genom demonstration för att få den tydliga bilden. Det första steget var att ta reda på kodningsfelen, då utformade vi riktlinjer som kan hjälpa till att skydda webbapplikationer från SQLi-attacker. Denna avhandling kommer att hjälpa programmerarna att förstå de olika kodningsbristerna och hur dessa kodningsfel kan förhindras och för detta har vi använt bevis genom demonstration. Denna avhandling kommer också att bidra till den allmänna medvetenheten om SQLi-attacker, attacker och riktlinjer för programmerare som designar, utvecklar och testar webbapplikationer.
Injection attack is the most critical web application security risk, and SQL-injection (SQLi) attack is the most reported injection attack on web applications. In this thesis, we have identified the attacking techniques used by attackers and we are also providing guidelines so that the programmers can write web application code in a secure way, to prevent the SQLi attacks.The methodology applied for the research is literature study and we used the way proof by demonstration to get the clear picture. The first step was to find out the coding flaws, then we designed guidelines that can help to protect web applications from SQLi attacks. This thesis will help the programmers to understand the various coding flaws and how those coding flaws can be prevented and for this, we have used proof by demonstration. This thesis will also contribute to the general awareness of SQLi attacks, attack types and guidelines for the programmers who are designing, developing and testing web applications.

APA, Harvard, Vancouver, ISO, and other styles

35

Somé, Dolière Francis. "Sécurité et vie privée dans les applications web." Thesis, Université Côte d'Azur (ComUE), 2018. http://www.theses.fr/2018AZUR4085/document.

Full text

Abstract:

Dans cette thèse, nous nous sommes intéressés aux problématiques de sécurité et de confidentialité liées à l'utilisation d'applications web et à l'installation d'extensions de navigateurs. Parmi les attaques dont sont victimes les applications web, il y a celles très connues de type XSS (ou Cross-Site Scripting). Les extensions sont des logiciels tiers que les utilisateurs peuvent installer afin de booster les fonctionnalités des navigateurs et améliorer leur expérience utilisateur. Content Security Policy (CSP) est une politique de sécurité qui a été proposée pour contrer les attaques de type XSS. La Same Origin Policy (SOP) est une politique de sécurité fondamentale des navigateurs, régissant les interactions entre applications web. Par exemple, elle ne permet pas qu'une application accède aux données d'une autre application. Cependant, le mécanisme de Cross-Origin Resource Sharing (CORS) peut être implémenté par des applications désirant échanger des données entre elles. Tout d'abord, nous avons étudié l'intégration de CSP avec la Same Origin Policy (SOP) et démontré que SOP peut rendre CSP inefficace, surtout quand une application web ne protège pas toutes ses pages avec CSP, et qu'une page avec CSP imbrique ou est imbriquée dans une autre page sans ou avec un CSP différent et inefficace. Nous avons aussi élucidé la sémantique de CSP, en particulier les différences entre ses 3 versions, et leurs implémentations dans les navigateurs. Nous avons ainsi introduit le concept de CSP sans dépendances qui assure à une application la même protection contre les attaques, quelque soit le navigateur dans lequel elle s'exécute. Finalement, nous avons proposé et démontré comment étendre CSP dans son état actuel, afin de pallier à nombre de ses limitations qui ont été révélées dans d'autres études. Les contenus tiers dans les applications web permettent aux propriétaires de ces contenus de pister les utilisateurs quand ils naviguent sur le web. Pour éviter cela, nous avons introduit une nouvelle architecture web qui une fois déployée, supprime le pistage des utilisateurs. Dans un dernier temps, nous nous sommes intéressés aux extensions de navigateurs. Nous avons d'abord démontré que les extensions qu'un utilisateur installe et/ou les applications web auxquelles il se connecte, peuvent le distinguer d'autres utilisateurs. Nous avons aussi étudié les interactions entre extensions et applications web. Ainsi avons-nous trouvé plusieurs extensions dont les privilèges peuvent être exploités par des sites web afin d'accéder à des données sensibles de l'utilisateur. Par exemple, certaines extensions permettent à des applications web d'accéder aux contenus d'autres applications, bien que cela soit normalement interdit par la Same Origin Policy. Finalement, nous avons aussi trouvé qu'un grand nombre d'extensions a la possibilité de désactiver la Same Origin Policy dans le navigateur, en manipulant les entêtes CORS. Cela permet à un attaquant d'accéder aux données de l'utilisateur dans n'importe qu'elle autre application, comme par exemple ses mails, son profile sur les réseaux sociaux, et bien plus. Pour lutter contre ces problèmes, nous préconisons aux navigateurs un système de permissions plus fin et une analyse d'extensions plus poussée, afin d'alerter les utilisateurs des dangers réels liés aux extensions
In this thesis, we studied security and privacy threats in web applications and browser extensions. There are many attacks targeting the web of which XSS (Cross-Site Scripting) is one of the most notorious. Third party tracking is the ability of an attacker to benefit from its presence in many web applications in order to track the user has she browses the web, and build her browsing profile. Extensions are third party software that users install to extend their browser functionality and improve their browsing experience. Malicious or poorly programmed extensions can be exploited by attackers in web applications, in order to benefit from extensions privileged capabilities and access sensitive user information. Content Security Policy (CSP) is a security mechanism for mitigating the impact of content injection attacks in general and in particular XSS. The Same Origin Policy (SOP) is a security mechanism implemented by browsers to isolate web applications of different origins from one another. In a first work on CSP, we analyzed the interplay of CSP with SOP and demonstrated that the latter allows the former to be bypassed. Then we scrutinized the three CSP versions and found that a CSP is differently interpreted depending on the browser, the version of CSP it implements, and how compliant the implementation is with respect to the specification. To help developers deploy effective policies that encompass all these differences in CSP versions and browsers implementations, we proposed the deployment of dependency-free policies that effectively protect against attacks in all browsers. Finally, previous studies have identified many limitations of CSP. We reviewed the different solutions proposed in the wild, and showed that they do not fully mitigate the identified shortcomings of CSP. Therefore, we proposed to extend the CSP specification, and showed the feasibility of our proposals with an example of implementation. Regarding third party tracking, we introduced and implemented a tracking preserving architecture, that can be deployed by web developers willing to include third party content in their applications while preventing tracking. Intuitively, third party requests are automatically routed to a trusted middle party server which removes tracking information from the requests. Finally considering browser extensions, we first showed that the extensions that users install and the websites they are logged into, can serve to uniquely identify and track them. We then studied the communications between browser extensions and web applications and demonstrate that malicious or poorly programmed extensions can be exploited by web applications to benefit from extensions privileged capabilities. Also, we demonstrated that extensions can disable the Same Origin Policy by tampering with CORS headers. All this enables web applications to read sensitive user information. To mitigate these threats, we proposed countermeasures and a more fine-grained permissions system and review process for browser extensions. We believe that this can help browser vendors identify malicious extensions and warn users about the threats posed by extensions they install

APA, Harvard, Vancouver, ISO, and other styles

36

Muedas, Higginson Ana Cristina, and Velásquez Renato Germán Rojas. "Modelo de madurez de seguridad de aplicaciones web ante ciberataques para clínicas de nivel 2." Bachelor's thesis, Universidad Peruana de Ciencias Aplicadas (UPC), 2019. http://hdl.handle.net/10757/628108.

Full text

Abstract:

La creciente competitividad del mercado, genera una dificultad cada vez mayor en las organizaciones para alcanzar el éxito en sus proyectos. Tal hecho busca priorizar criterios económicos, tiempo, costo, calidad y alcance, ocasionando falta de controles que resultan en brechas de seguridad en la compañía. De esa forma se deja en segundo plano procedimientos de seguridad como por ejemplo el testeo de aplicaciones web. Estas poseen vulnerabilidades que podrían proporcionar los medios para que usuarios finales maliciosos violen mecanismos de protección de un sistema y obtengan acceso a información privada o recursos de la empresa. Los pronósticos referentes a la violación de datos indican que la industria de salud será el blanco más buscado para los ataques cibernéticos en 2017 ya que el alto valor de los registros de salud electrónicos (EHRs) llama cada vez más la atención de los cibercriminales. Dichos registros representan una fuente de ganancias mayor a la que si se accediera a información de tarjetas o cuentas bancarias. El presente proyecto propone un modelo de madurez de seguridad de aplicaciones web ante ciberataques para clínicas de nivel 2 bajo la norma técnica del MINSA, orientada a mostrar las debilidades de las aplicaciones web y las mejoras que se puedan realizar en aspectos de seguridad. El proyecto permitió la implementación de mejoras por parte de las empresas clientes en sus plataformas web mediante la recomendación propuesta por la guía de mejora luego de haber realizado el pentesting propuesto.
Bearing in mind that the projections made for the area of information security point to an increase in attacks on the health sector, added to the lack or little diffusion of security maturity models that allow organizations to know the status of their website in terms of security and that the existing models lack a post-evaluation monitoring, it is necessary to propose a model of security maturity of web applications against cyber-attacks, oriented to the health sector, which is simple to apply. The maturity model proposes to offer the user a portfolio of tools that asks them to apply tests and obtain their results, interpret them and place them at a level of maturity before cyberattacks, then proposing controls to improve the security of the web. This model will be based on the International Professional Practice Framework methodology and will include the main vulnerabilities published by the Open Web Application Security Project to propose attacks that identify the weakness of the evaluated web system, so that the client company has the possibility to reinforce its weaknesses. Guides will also be proposed to select strategies to improve critical points from a security perspective. Because of the validation, it was found that, of the 14 tests applied, five were approved, positioning the web at level 3 of maturity, which means that there are validations in the structure of the web; however, they are partial or inefficient.
Tesis

APA, Harvard, Vancouver, ISO, and other styles

37

Izagirre, Mikel. "Deception strategies for web application security: application-layer approaches and a testing platform." Thesis, Luleå tekniska universitet, Institutionen för system- och rymdteknik, 2017. http://urn.kb.se/resolve?urn=urn:nbn:se:ltu:diva-64419.

Full text

Abstract:

The popularity of the internet has made the use of web applications ubiquitous and essential to the daily lives of people, businesses and governments. Web servers and web applications are commonly used to handle tasks and data that can be critical and highly valuable, making them a very attractive target for attackers and a vector for successful attacks that are aimed at the application layer. Existing misuse and anomaly-based detection and prevention techniques fail to cope with the volume and sophistication of new attacks that are continuously appearing, which suggests that there is a need to provide new additional layers of protection. This work aims to design a new layer of defense based on deception that is employed in the context of web application-layer traffic with the purpose of detecting and preventing attacks. The proposed design is composed of five deception strategies: Deceptive Comments, Deceptive Request Parameters, Deceptive Session Cookies, Deceptive Status Codes and Deceptive JavaScript. The strategies were implemented as a software artifact and their performance evaluated in a testing environment using a custom test script, the OWASP ZAP penetration testing tool and two vulnerable web applications. Deceptive Parameter strategy obtained the best security performance results, followed by Deceptive Comments and Deceptive Status Codes. Deceptive Cookies and Deceptive JavaScript got the poorest security performance results since OWASP ZAP was unable to detect and use deceptive elements generated by these strategies. Operational performance results showed that the deception artifact could successfully be implemented and integrated with existing web applications without changing their source code and adding a low operational overhead.

APA, Harvard, Vancouver, ISO, and other styles

38

Staicu, Cristian-Alexandru [Verfasser], Guido [Akademischer Betreuer] Salvaneschi, Michael [Akademischer Betreuer] Pradel, and Andrei [Akademischer Betreuer] Sabelfeld. "Enhancing the Security and Privacy of Full-Stack JavaScript Web Applications / Cristian-Alexandru Staicu ; Guido Salvaneschi, Michael Pradel, Andrei Sabelfeld." Darmstadt : Universitäts- und Landesbibliothek Darmstadt, 2020. http://d-nb.info/1213027012/34.

Full text

APA, Harvard, Vancouver, ISO, and other styles

39

Staicu, Cristian-Alexandru [Verfasser], Guido Akademischer Betreuer] Salvaneschi, Michael [Akademischer Betreuer] [Pradel, and Andrei [Akademischer Betreuer] Sabelfeld. "Enhancing the Security and Privacy of Full-Stack JavaScript Web Applications / Cristian-Alexandru Staicu ; Guido Salvaneschi, Michael Pradel, Andrei Sabelfeld." Darmstadt : Universitäts- und Landesbibliothek Darmstadt, 2020. http://d-nb.info/1213027012/34.

Full text

APA, Harvard, Vancouver, ISO, and other styles

40

Lövmar, Anton. "Behavioral Monitoring on Smartphones for Intrusion Detection in Web Systems : A Study of Limitations and Applications of Touchscreen Biometrics." Thesis, KTH, Skolan för datavetenskap och kommunikation (CSC), 2015. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-178077.

Full text

Abstract:

Touchscreen biometrics is the process of measuring user behavior when using a touchscreen, and using this information for authentication. This thesis uses SVM and k-NN classifiers to test the applicability of touchscreen biometrics in a web environment for smartphones. Two new concepts are introduced: model training using the Local Outlier Factor (LOF), as well as building custom models for touch behaviour in the context of individual UI components instead of the whole screen. The lowest error rate achieved was 5.6 \% using the k-NN classifier, with a standard deviation of 2.29 \%. No real benefit using the LOF algorithm in the way presented in this thesis could be found. It is found that the method of using contextual models yields better performance than looking at the entire screen. Lastly, ideas for using touchscreen biometrics as an intrusion detection system is presented.
Pekskärmsbiometri innebär att mäta beteende hos en användare som använder en pekskärm och känna denna baserat på informationen. I detta examensarbete används SVM och k-NN klassifierare för att testa tillämpligheten av denna typ av biometri i en webbmiljö för smarttelefoner. Två nya koncept introduceras: modellträning med ''Local Outlier Factor'' samt att bygga modeller för användarinteraktioner med enskilda gränssnittselement iställer för skärmen i sin helhet. De besta resultaten för klassifierarna hade en felfrekvens på 5.6 \% med en standardavvikelse på 2.29 \%. Ingen fördel med användning av LOF för träning framför slumpmässig träning kunde hittas. Däremot förbättrades resultaten genom att använda kontextuella modeller. Avslutande så presenteras idéer för hur ett system som beskrivet kan användas för att upptäcka intrång i webbsystem.

APA, Harvard, Vancouver, ISO, and other styles

41

Makiou, Abdelhamid. "Sécurité des applications Web : Analyse, modélisation et détection des attaques par apprentissage automatique." Thesis, Paris, ENST, 2016. http://www.theses.fr/2016ENST0084/document.

Full text

Abstract:

Les applications Web sont l’épine dorsale des systèmes d’information modernes. L’exposition sur Internet de ces applications engendre continuellement de nouvelles formes de menaces qui peuvent mettre en péril la sécurité de l’ensemble du système d’information. Pour parer à ces menaces, il existe des solutions robustes et riches en fonctionnalités. Ces solutions se basent sur des modèles de détection des attaques bien éprouvés, avec pour chaque modèle, des avantages et des limites. Nos travaux consistent à intégrer des fonctionnalités de plusieurs modèles dans une seule solution afin d’augmenter la capacité de détection. Pour atteindre cet objectif, nous définissons dans une première contribution, une classification des menaces adaptée au contexte des applications Web. Cette classification sert aussi à résoudre certains problèmes d’ordonnancement des opérations d’analyse lors de la phase de détection des attaques. Dans une seconde contribution, nous proposons une architecture de filtrage des attaques basée sur deux modèles d’analyse. Le premier est un module d’analyse comportementale, et le second utilise l’approche d’inspection par signature. Le principal défi à soulever avec cette architecture est d’adapter le modèle d’analyse comportementale au contexte des applications Web. Nous apportons des réponses à ce défi par l’utilisation d’une approche de modélisation des comportements malicieux. Ainsi, il est possible de construire pour chaque classe d’attaque son propre modèle de comportement anormal. Pour construire ces modèles, nous utilisons des classifieurs basés sur l’apprentissage automatique supervisé. Ces classifieurs utilisent des jeux de données d’apprentissage pour apprendre les comportements déviants de chaque classe d’attaques. Ainsi, un deuxième verrou en termes de disponibilité des données d’apprentissage a été levé. En effet, dans une dernière contribution, nous avons défini et conçu une plateforme de génération automatique des données d’entrainement. Les données générées par cette plateforme sont normalisées et catégorisées pour chaque classe d’attaques. Le modèle de génération des données d’apprentissage que nous avons développé est capable d’apprendre "de ses erreurs" d’une manière continue afin de produire des ensembles de données d’apprentissage de meilleure qualité
Web applications are the backbone of modern information systems. The Internet exposure of these applications continually generates new forms of threats that can jeopardize the security of the entire information system. To counter these threats, there are robust and feature-rich solutions. These solutions are based on well-proven attack detection models, with advantages and limitations for each model. Our work consists in integrating functionalities of several models into a single solution in order to increase the detection capacity. To achieve this objective, we define in a first contribution, a classification of the threats adapted to the context of the Web applications. This classification also serves to solve some problems of scheduling analysis operations during the detection phase of the attacks. In a second contribution, we propose an architecture of Web application firewall based on two analysis models. The first is a behavioral analysis module, and the second uses the signature inspection approach. The main challenge to be addressed with this architecture is to adapt the behavioral analysis model to the context of Web applications. We are responding to this challenge by using a modeling approach of malicious behavior. Thus, it is possible to construct for each attack class its own model of abnormal behavior. To construct these models, we use classifiers based on supervised machine learning. These classifiers use learning datasets to learn the deviant behaviors of each class of attacks. Thus, a second lock in terms of the availability of the learning data has been lifted. Indeed, in a final contribution, we defined and designed a platform for automatic generation of training datasets. The data generated by this platform is standardized and categorized for each class of attacks. The learning data generation model we have developed is able to learn "from its own errors" continuously in order to produce higher quality machine learning datasets

APA, Harvard, Vancouver, ISO, and other styles

42

Büchler, Matthias [Verfasser], Alexander [Akademischer Betreuer] Pretschner, and Robert [Akademischer Betreuer] Hierons. "Semi-Automatic Security Testing of Web Applications with Fault Models and Properties / Matthias Büchler. Betreuer: Alexander Pretschner. Gutachter: Alexander Pretschner ; Robert Hierons." München : Universitätsbibliothek der TU München, 2015. http://d-nb.info/1093793147/34.

Full text

APA, Harvard, Vancouver, ISO, and other styles

43

Ottosson, Henrik, and Per Lindquist. "Penetration testing for the inexperienced ethical hacker : A baseline methodology for detecting and mitigating web application vulnerabilities." Thesis, Linköpings universitet, Databas och informationsteknik, 2018. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-148581.

Full text

Abstract:

Having a proper method of defense against attacks is crucial for web applications to ensure the safety of both the application itself and its users. Penetration testing (or ethical hacking) has long been one of the primary methods to detect vulnerabilities against such attacks, but is costly and requires considerable ability and knowledge. As this expertise remains largely individual and undocumented, the industry remains based on expertise. A lack of comprehensive methodologies at levels that are accessible to inexperienced ethical hackers is clearly observable. While attempts at automating the process have yielded some results, automated tools are often specific to certain types of flaws, and lack contextual flexibility. A clear, simple and comprehensive methodology using automatic vulnerability scanners complemented by manual methods is therefore necessary to get a basic level of security across the entirety of a web application. This master's thesis describes the construction of such a methodology. In order to define the requirements of the methodology, a literature study was performed to identify the types of vulnerabilities most critical to web applications, and the applicability of automated tools for each of them. These tools were tested against various existing applications, both intentionally vulnerable ones, and ones that were intended to be secure. The methodology was constructed as a four-step process: Manual Review, Testing, Risk Analysis, and Reporting. Further, the testing step was defined as an iterative process in three parts: Tool/Method Selection, Vulnerability Testing, and Verification. In order to verify the sufficiency of the methodology, it was subject to Peer-review and Field experiments.
Att ha en gedigen metodologi för att försvara mot attacker är avgörande för att upprätthålla säkerheten i webbapplikationer, både vad gäller applikationen själv och dess användare. Penetrationstestning (eller etisk hacking) har länge varit en av de främsta metoderna för att upptäcka sårbarheter mot sådana attacker, men det är kostsamt och kräver stor personlig förmåga och kunskap. Eftersom denna expertis förblir i stor utsträckning individuell och odokumenterad, fortsätter industrin vara baserad på expertis. En brist på omfattande metodiker på nivåer som är tillgängliga för oerfarna etiska hackare är tydligt observerbar. Även om försök att automatisera processen har givit visst resultat är automatiserade verktyg ofta specifika för vissa typer av sårbarheter och lider av bristande flexibilitet. En tydlig, enkel och övergripande metodik som använder sig av automatiska sårbarhetsverktyg och kompletterande manuella metoder är därför nödvändig för att få till en grundläggande och heltäckande säkerhetsnivå. Denna masteruppsats beskriver konstruktionen av en sådan metodik. För att definiera metodologin genomfördes en litteraturstudie för att identifiera de typer av sårbarheter som är mest kritiska för webbapplikationer, samt tillämpligheten av automatiserade verktyg för var och en av dessa sårbarhetstyper. Verktygen i fråga testades mot olika befintliga applikationer, både mot avsiktligt sårbara, och sådana som var utvecklade med syfte att vara säkra. Metodiken konstruerades som en fyrstegsprocess: manuell granskning, sårbarhetstestning, riskanalys och rapportering. Vidare definierades sårbarhetstestningen som en iterativ process i tre delar: val av verkyg och metoder, sårbarhetsprovning och sårbarhetsverifiering. För att verifiera metodens tillräcklighet användes metoder såsom peer-review och fältexperiment.

APA, Harvard, Vancouver, ISO, and other styles

44

Strålberg, Linda. "Prevention of Input Validation Vulnerabilities on the Client-Side : A Comparison Between Validating in AngularJS and React Applications." Thesis, Högskolan i Skövde, Institutionen för informationsteknologi, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:his:diva-17346.

Full text

Abstract:

The aim of this research was to test the JavaScript library React and framework AngularJS against each other in regard of the response time of the validation and validation robustness. The experiments in this work were performed to support developers in their decision making regarding which library or framework to use. There are many other aspects to consider when choosing which library or framework to develop in other than the security and response time related aspects mentioned in this work, but this work can, amongst other information, give yet another viewpoint to the developers. The results showed that there is no difference amongst them security wise, but that it was somewhat faster to validate in a React application than in an AngularJS application.

APA, Harvard, Vancouver, ISO, and other styles

45

Nordlander, Mikael, and Fredrik Martinsson. "Säkerhet och integritet i webbapplikationer : En orientering över säker utveckling." Thesis, Linköping University, Department of Management and Engineering, 2010. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-58125.

Full text

Abstract:

The use of Web applications is a growing area. While the possibilities and functionalities are increasing, so is the complexity of them, together with the threats against them because the complexity also opens up the application to vulnerabilities. It is therefore important for developers to know how a web application can be developed with security in mind.

This study’s intention has been to create an introductory documentation of what kind of techniques that exists which can produce higher security, which methods there can be within the development process and what to think about when programming secure web applications. In this paper we have investigated how theoretical manuals in the IT security department handles that area, and interviewed two developers from two different companies to see how they use security in their web applications.

The study has an exploratory technical perspective and does not explain how to practically use and interconnecting different security-enhancing technologies, but is more suppose to give a first glance at what is available and sow a seed for those interested to continue reading further about the subject. The results of the study was generated through comparison of the theoretical material with the empirical material, to then conclude the most prominent points of what are different and similar between those materials.

During the study some key points has been revealed for development: Responsibility for safety in the application lies, in the cases we looked at, with the developers to describe the technical possibilities and hence vulnerabilities when the client usually does not possess the same technical skills for that. The customer was, as the cases we studied, often not so proactive on safety and does not value it very high (if it was not a security-critical business such as being involved with defense technology). Because the customer in such cases didn’t put security as high priority, there existed a lack of motivation to spend extra money to combat threats that were not considered significant. In cases where extra recourses were spent on security, a measurement was developed that security should not cost more than the value of what it protects else the cost is unjustified. Finally it is noted that it is technically difficult to protect against human errors that can disarm the security, for example a simple or misplaced password.

APA, Harvard, Vancouver, ISO, and other styles

46

Lapáček, Vladimír. "Bezpečnost při vývoji softwaru." Master's thesis, Vysoká škola ekonomická v Praze, 2010. http://www.nusl.cz/ntk/nusl-72471.

Full text

Abstract:

The topic of the thesis is issue of security during the application development. The main emphasis is being placed on web applications. The goal is to define a framework for managing the life cycle of applications to meet the security minimum. The objectives of the work are achieved by study of available resources and their subsequent analysis. The target audiences are software developers interested in learning more about how to create secure applications. The work describes the areas that are crucial for security of applications. Work contains security standards which we can use for defining security requirements of applications. Furthermore, there are mentioned the most serious security vulnerabilities and ways how to avoid them. It describes issue of security testing as an important tool for verifying security. The main part of work is the chapter dealing with the way how to include the issue of security throughout the application life cycle.

APA, Harvard, Vancouver, ISO, and other styles

47

Eriksson, Maria. "WEB SERVICES FÖR MOBILAPPLIKATIONER : Utveckling av säkra RESTful web services för mobilapplikationer." Thesis, Örebro universitet, Akademin för naturvetenskap och teknik, 2011. http://urn.kb.se/resolve?urn=urn:nbn:se:oru:diva-15879.

Full text

Abstract:

This report describes the development of a RESTful web service for mobile applications. The web service makes resources from an existing system called kompetensdatabasen ("the competence database") available. Kompetensdatabasen holds information about the capabilities of consultants and about assignments carried out at the IT consultant business Nethouse AB. The web service was developed according to the principles of REST and ROA (Resource Oriented Architecture) which puts focus on making resources available. The resources are made available through the HTTP protocol and the methods associated with it. This means it was designed to use the same technologies as the world wide web. Following these principles when designing the system has been of great importance. To make sure that the service does not leak information to competing companies or violate the Personal Data Act some kind of solution for securing the service had to be implemented. A model for authentication was produced to make the system accessible only for employees of the company.
Rapporten beskriver utvecklandet av en RESTful web service för mobilapplikationer. Web servicen tillgängliggör resurser från ett befintligt system som kallas kompetensdatabasen. Kompetensdatabasen innehåller information om konsulters kompetenser och de uppdrag som utförts vid IT-konsultföretaget Nethouse AB. Web servicen utvecklades enligt principerna för REST och ROA (Resource Oriented Architecture) vilket innebär ett fokus på att tillgängliggöra resurser. Resurserna görs nåbara genom HTTP-protokollet och dess metoder, det vill säga samma tekniker som används på webben. Stor vikt har lagts på att designa systemet enligt dessa principer. För att servicen inte skulle läcka information till konkurrenter eller bryta mot personuppgiftslagen behövde någon form av säkerhetslösning implementeras. En autentiseringsmodell togs fram för att göra systemet nåbart enbart för anställda vid företaget.

APA, Harvard, Vancouver, ISO, and other styles

48

Scholte, Theodoor. "Amélioration de la sécurité par la conception des logiciels web." Thesis, Paris, ENST, 2012. http://www.theses.fr/2012ENST0024/document.

Full text

Abstract:

L'internet est devenu un environnement omniprésent dans le monde du travail et du loisir. La popularité sans cesse croissante des applications web ainsi que des services associés entraînent l'exécution de nombreuses transactions critiques, qui soulèvent des questions de sécurité. Du fait de cette croissance, des efforts ont été entrepris durant cette dernière décennie pour rendre les applications web plus sûres. Malgré ces efforts, de récents rapports provenant de l'institut SANS estiment que plus de 60 % des attaques commises sur l'Internet ciblent les applications web en se concentrant sur les vulnérabilités inhérentes aux problèmes de validation, comme le Cross-Site Scripting ou les injections SQL. Dans cette thèse, nous avons conduit deux études de recherche empirique, analysant un grand nombre d'application web vulnérables. Nous avons assemblé une base de données contenant plus de 10.000 rapports de vulnérabilités depuis l'an 2000. Ensuite, nous avons analysé ces données pour déterminer si les développeurs ont pris conscience des problématiques de sécurité web de nos jours, comparé à la période où ces applications émergeaient. Puis nous avons analysé l'étroit lien entre le langage de programmation utilisé pour développer l'application web et le nombre de vulnérabilité reporté. Avec ces résultats empiriques comme base, nous présentons notre solution IPAAS qui aide les développeurs novice en termes de sécurité à écrire des applications sécurisées par défaut. Nous montrons par ailleurs que cette technique améliore de manière probante la sécurité des applications web
The web has become a backbone of our industry and daily life. The growing popularity of web applications and services and the increasing number of critical transactions being performed, has raised security concerns. For this reason, much effort has been spent over the past decade to make web applications more secure. Despite these efforts, recent data from SANS institute estimates that up to 60% of Internet attacks target web applications and critical vulnerabilities such as cross-site scripting and SQL injection are still very common. In this thesis, we conduct two empirical studies on a large number of web applications vulnerabilities with the aim of gaining deeper insights in how input validation flaws have evolved in the past decade and how these common vulnerabilities can be prevented. Our results suggest that the complexity of the attacks have not changed significantly and that many web problems are still simple in nature. Our studies also show that most SQL injection and a significant number of cross-site scripting vulnerabilities can be prevented using straight-forward validation mechanisms based on common data types. With these empirical results as foundation, we present IPAAS which helps developers that are unaware of security issues to write more secure web applications than they otherwise would do. It includes a novel technique for preventing the exploitation of cross-site scripting and SQL injection vulnerabilities based on automated data type detection of input parameters. We show that this technique results in significant and tangible security improvements for real web applications

APA, Harvard, Vancouver, ISO, and other styles

49

Guitart, Fernández Jordi. "Performance Improvement of Multithreaded Java Applications Execution on Multiprocessor Systems." Doctoral thesis, Universitat Politècnica de Catalunya, 2005. http://hdl.handle.net/10803/5989.

Full text

Abstract:

El disseny del llenguatge Java, que inclou aspectes importants com són la seva portabilitat i neutralitat envers l'arquitectura, les seves capacitats multithreading, la seva familiaritat (degut a la seva semblança amb C/C++), la seva robustesa, les seves capacitats en seguretat i la seva naturalesa distribuïda, fan que sigui un llenguatge potencialment interessant per ser utilitzat en entorns paral·lels com són els entorns de computació d'altes prestacions (HPC), on les aplicacions poden treure profit del suport que ofereix Java a l'execució multithreaded per realitzar càlculs en paral·lel, o en entorns e-business, on els servidors Java multithreaded (que segueixen l'especificació J2EE) poden treure profit de les capacitats multithreading de Java per atendre de manera concurrent un gran nombre de peticions.

No obstant, l'ús de Java per la programació paral·lela ha d'enfrontar-se a una sèrie de problemes que fàcilment poden neutralitzar el guany obtingut amb l'execució en paral·lel. El primer problema és el gran overhead provocat pel suport de threads de la JVM quan s'utilitzen threads per executar feina de gra fi, quan es crea un gran nombre de threads per suportar l'execució d'una aplicació o quan els threads interaccionen estretament mitjançant mecanismes de sincronització. El segon problema és la degradació en el rendiment produïda quan aquestes aplicacions multithreaded s'executen en sistemes paral·lels multiprogramats. La principal causa d'aquest problemes és la manca de comunicació entre l'entorn d'execució i les aplicacions, la qual pot induir a les aplicacions a fer un ús descoordinat dels recursos disponibles.

Aquesta tesi contribueix amb la definició d'un entorn per analitzar i comprendre el comportament de les aplicacions Java multithreaded. La contribució principal d'aquest entorn és que la informació de tots els nivells involucrats en l'execució (aplicació, servidor d'aplicacions, JVM i sistema operatiu) està correlada. Aquest fet és molt important per entendre com aquest tipus d'aplicacions es comporten quan s'executen en entorns que inclouen servidors i màquines virtuals, donat que l'origen dels problemes de rendiment es pot trobar en qualsevol d'aquests nivells o en la seva interacció.

Addicionalment, i basat en el coneixement adquirit mitjançant l'entorn d'anàlisis proposat, aquesta tesi contribueix amb mecanismes i polítiques de planificació orientats cap a l'execució eficient d'aplicacions Java multithreaded en sistemes multiprocessador considerant les interaccions i la coordinació dels mecanismes i les polítiques de planificació en els diferents nivells involucrats en l'execució. La idea bàsica consisteix en permetre la cooperació entre les aplicacions i l'entorn d'execució en la gestió de recursos establint una comunicació bi-direccional entre les aplicacions i el sistema. Per una banda, les aplicacions demanen a l'entorn d'execució la quantitat de recursos que necessiten. Per altra banda, l'entorn d'execució pot ser inquirit en qualsevol moment per les aplicacions ser informades sobre la seva assignació de recursos.

Aquesta tesi proposa que les aplicacions utilitzin la informació proporcionada per l'entorn d'execució per adaptar el seu comportament a la quantitat de recursos que tenen assignats (aplicacions auto-adaptables). Aquesta adaptació s'assoleix en aquesta tesi per entorns HPC per mitjà de la mal·leabilitat de les aplicacions, i per entorns e-business amb una proposta de control de congestió que fa control d'admissió basat en la diferenciació de connexions SSL per prevenir la degradació del rendiment i mantenir la Qualitat de Servei (QoS).

Els resultats de l'avaluació demostren que subministrar recursos de manera dinàmica a les aplicacions auto-adaptables en funció de la seva demanda millora el rendiment de les aplicacions Java multithreaded tant en entorns HPC com en entorns e-business. Mentre disposar d'aplicacions auto-adaptables evita la degradació del rendiment, el subministrament dinàmic de recursos permet satisfer els requeriments de les aplicacions en funció de la seva demanda i adaptar-se a la variabilitat de les seves necessitats de recursos. D'aquesta manera s'aconsegueix una millor utilització dels recursos donat que els recursos que no utilitza una aplicació determinada poden ser distribuïts entre les altres aplicacions.
The design of the Java language, which includes important aspects such as its portability and architecture neutrality, its multithreading facilities, its familiarity (due to its resemblance with C/C++), its robustness, its security capabilities and its distributed nature, makes it a potentially interesting language to be used in parallel environments such as high performance computing (HPC) environments, where applications can benefit from the Java multithreading support for performing parallel calculations, or e-business environments, where multithreaded Java application servers (i.e. following the J2EE specification) can take profit of Java multithreading facilities to handle concurrently a large number of requests.

However, the use of Java for parallel programming has to face a number of problems that can easily offset the gain due to parallel execution. The first problem is the large overhead incurred by the threading support available in the JVM when threads are used to execute fine-grained work, when a large number of threads are created to support the execution of the application or when threads closely interact through synchronization mechanisms. The second problem is the performance degradation occurred when these multithreaded applications are executed in multiprogrammed parallel systems. The main issue that causes these problems is the lack of communication between the execution environment and the applications, which can cause these applications to make an uncoordinated use of the available resources.

This thesis contributes with the definition of an environment to analyze and understand the behavior of multithreaded Java applications. The main contribution of this environment is that all levels in the execution (application, application server, JVM and operating system) are correlated. This is very important to understand how this kind of applications behaves when executed on environments that include servers and virtual machines, because the origin of performance problems can reside in any of these levels or in their interaction.

In addition, and based on the understanding gathered using the proposed analysis environment, this thesis contributes with scheduling mechanisms and policies oriented towards the efficient execution of multithreaded Java applications on multiprocessor systems considering the interactions and coordination between scheduling mechanisms and policies at the different levels involved in the execution. The basis idea consists of allowing the cooperation between the applications and the execution environment in the resource management by establishing a bi-directional communication path between the applications and the underlying system. On one side, the applications request to the execution environment the amount of resources they need. On the other side, the execution environment can be requested at any time by the applications to inform them about their resource assignments.

This thesis proposes that applications use the information provided by the execution environment to adapt their behavior to the amount of resources allocated to them (self-adaptive applications). This adaptation is accomplished in this thesis for HPC environments through the malleability of the applications, and for e-business environments with an overload control approach that performs admission control based on SSL connections differentiation for preventing throughput degradation and maintaining Quality of Service (QoS).

The evaluation results demonstrate that providing resources dynamically to self-adaptive applications on demand improves the performance of multithreaded Java applications as in HPC environments as in e-business environments. While having self-adaptive applications avoids performance degradation, dynamic provision of resources allows meeting the requirements of the applications on demand and adapting to their changing resource needs. In this way, better resource utilization is achieved because the resources not used by some application may be distributed among other applications.

APA, Harvard, Vancouver, ISO, and other styles

50

Dušek, Daniel. "Automatizace penetračního testování webových aplikací." Master's thesis, Vysoké učení technické v Brně. Fakulta informačních technologií, 2019. http://www.nusl.cz/ntk/nusl-403167.

Full text

Abstract:

Tato práce má dva cíle - navrhnout obecně aplikovatelný přístup k penetračnímu testování webových aplikací, který bude využívat pouze nedestruktivních interakcí, a dále pak implementovat nástroj, který se tímto postupem bude řídit. Navrhovaný přístup má tři fáze - v první fázi tester posbírá požadavky pro testovací sezení (včetně požadavků na nedestruktivnost) a připraví si nástroje a postupy, kterých při testování využije, následně začne s průzkumem. V druhé fázi využije dodatečných nástrojů pro zpracování informací z předchozí fáze a pro ověření a odhalení zranitelností. Ve třetí fázi jsou všechny informace překovány ve zprávu o penetračním testování. Implementovaný nástroj je postavený na modulech, které jsou schopny odhalení reflektovaného XSS, serverových miskonfigurací, skrytých adresních parametrů a skrytých zajímavých souborů. V porovnání s komerčním nástrojem Acunetix je implementovaný nástroj srovnatelný v detekci reflektovaného XSS a lepší v detekci skrytých zajímavých souborů. Práce také originálně představuje nástroj pro sledování postranního kanálu Pastebin.com s cílem detekce utíkajících informací.

APA, Harvard, Vancouver, ISO, and other styles

Dissertations / Theses on the topic 'Web Applications; Storage; Security'

Create a spot-on reference in APA, MLA, Chicago, Harvard, and other styles