Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Background
Java Servlet Overview
Related Work
Conclusion and Future Work
References
All Topics
Computer Science
Cybersecurity

Developing a Security Typed Java Servlet

Profile image of Sherif El-kassasSherif El-kassas

2008, 2008 The Fourth International Conference on Information Assurance and Security

Abstract

The Lack of security policy enforcement in web development languages is one of the most important challenges in web application systems development, as there is no formal check for security policy violation that may occur during web application system development. To check for policy compliance, the programmer must walk through all the code and check every line to make sure that there are no security violations. For example, a developer may develop a web application system connected to data base that seems to work properly, but it can make a certain security policy violation by permitting unauthorized users to access the data base system. This paper proposes a solution for the above problem by developing and application of a security typed Java servlet that can run on the web server side safely. This servlet is developed by embedding the Java code produced by compiling the Java information flow language (Jif) (a security-typed programming language that extends Java with support for information flow control and access control, both at compile time and at run time) into a servlet code format. The code produced by compiling Jif language is security typed and support servlet with means of flow control and access control. Hence we can guarantee that when we run this servlet into a web application system it will check input data trough the web application system for information flow security policy violation.

Related papers

Access Control Configuration for J2EE Web Applications: A Formal Perspective
Matteo Casalino

Business services are increasingly dependent upon Web applications. Whereas URL-based access control is one of the most prominent and pervasive security mechanism in use, failure to restrict URL accesses is still a major security risk. We argue that this risk can be mitigated by providing formal analysis tools to evaluate access control policies as well as the impact of changes on configurations. In order to tackle this issue, this paper gives a formal semantics for access control constraints standardized in the J2EE Java Servlet Specification, arguably one of the most common framework for web applications. Two different analysis tools are developed on top of this formal building block: a decision engine and a comparison algorithm for change impact of access control configurations. The formal semantics is compared against two major web application containers. The experiments reveal non-compliant access control decisions of these containers and validate our approach.

View PDFchevron_right
Developing secure web applications
Dimitris Kanellopoulos

International Journal of Internet Technology and Secured Transactions

The security of web applications is an important issue for any organisation that deploys its own websites. If an organisation takes the required precautions and countermeasures, it can prevent the possible attacks. Otherwise, its critical data, reputation and credibility will be at risk. Nowadays, firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) provide security at the network layer. However, more than 70% of present world's security attacks exploit the vulnerabilities at the application level. Cross-site scripting, SQL injection, cookie poisoning and forceful browsing are some of the most common website vulnerabilities. Stringent user input validation, proper session management, and exploitation of web application firewalls, etc., can be used as countermeasures to combat the attacks on websites. In this paper, we discuss how attackers can exploit the vulnerabilities of web applications and how we can implement effective countermeasures to secu...

View PDFchevron_right
Challenges for Security Typed Web Scripting Languages Design
Doaa Hassan

Doaa Hassan Salem, 2008

This paper focuses on the different challenges to design a security typed web scripting language. It uses the type system approach on a simple imperative language that captures a subset of the security typed web language constructs to express the security properties that must be held in the language with respect to its formal semantics to prevent insecure information flow in web application system and hence the common web application security vulnerabilities.

View PDFchevron_right
Perusal of Web Application Security Approach
Dr. Divyakant T Meva

2017

Internet users and its usage have grown almost exponentially during last decade. Most of the web applications contain both private(sensitive) and public information in theircorresponding database that brings the security of private information on the forefront of the challenge of this domain. Cyber criminals can attempt to stealor tamperwith private information from these insecure or vulnerable web applications by exploiting. In this paper, we have analyzed different approaches of web application security used in current practices since their development such as secure coding, Web Application firewall, vulnerability assessment and penetration testing. In addition, we have also discussed various approachesand repositories which support vulnerability assessment and penetration testing processes.

View PDFchevron_right
Defensive programming: Developing a web application with a secure coding practices
Syarifah Rahayu, Siti Rashid, Arniyati Ahmad

VIII INTERNATIONAL ANNUAL CONFERENCE “INDUSTRIAL TECHNOLOGIES AND ENGINEERING” (ICITE 2021)

Web Application Development has shown progressive and rapid growth using various techniques. Nonetheless, web application security is a major component in web development that is often overlooked or not properly focused on. Due to ad hoc existence and poor code written, most available web applications are vulnerable and desirable target for the attackers. To alleviate this issue, the use of defensive programming basic technique allows the developers to develop secure applications. Defensive programming includes validate output and correctly manages error messages. This avoids the misuse of snippets and builds the program in a consistent way despite unpredictable inputs. The purpose of this paper is twofold. Firstly, this paper discussed the development of a web application program using PHP as server-side scripting exploiting defensive programming techniques to overwhelm web application vulnerabilities. Secondly, this paper examined common vulnerabilities of web application risks refer to Open Web Application Security Project to validate the effectiveness of defensive programming technique. The work presented in this paper shall be a fundamental guideline for the development of secure web-based applications. ANATOMY OF WEB DEVELOPMENT Web application are relied upon by many services, as it constantly requires communicating with databases and back-end services so that information could be presented to end user via a browser. Furthermore, most of the web application have multiple of services running in a background so it can cope with user's requirements and requests. There are three components needed to build up a web application which are web browser, application server and database server. For a dynamic web application, data need to be store in database. For database server, there are multiple type of relational database management system (RDMS) available for managing data of the web application. It includes MySQL, Oracle Database or Microsoft SQL Server. Different type of RDMS used need a different type of configuration and programming skills. Moreover, in today technology, developers are allowing to choose lots of available scripting language for a development of web application. However, developers usually need to focus only two type of scripting language during development of web application.

View PDFchevron_right
Secure Web System Development
Ankush Deshmukh

International Journal of Computer and Communication Technology, 2017

The recent development in the field of Web system technology has transformed the software industry radically by integrating a wide range of web users, vendors, and enterprise applications worldwide. In Web-based system, a security requirement is a critical issue. This difficulty is due to the complexity level of such systems as well as their variety and increasing distribution. The World Wide Web has become a highly adopted platform for web system. In order to avoid the high impacts of software vulnerabilities, it is necessary to specify security requirements early in the development on a detailed level and it needs to be built into the application design up-front by explicitly stating the security approach. A current web system faces major security problems because security design is not integrated into the Web Engineering Development Process. Due to insufficient support for a concrete and assessable level the application security and the software security is invaded. This paper em...

View PDFchevron_right
Preventing SQL injections in online applications: Study, recommendations and Java solution prototype based on the SQL DOM
Etienne Janot

2008

SQL Injection Attacks are a relatively recent threat to the confidentiality, integrity and availability of online applications and their technical infrastructure, accounting for nearly a fourth of web vulnerabilities . In this paper based on a master thesis [2], and numerous references therein, we present our study on the prevention of SQL Injections: overview of proposed approaches and existing solutions, and recommendations on preventive coding techniques for Java-powered web applications and other environments. Then, we review McClure's SQL DOM [3] approach for the prevention of SQL Injections in object-oriented applications. We also present our solution for Java-based online applications, SQLDOM4J, which is freely based on the SQL DOM but attempts to address some of our criticisms toward it, and evaluate its performance.

View PDFchevron_right
Using Aspect Programming to Secure Web Applications
Gabriel Hermosillo

Journal of Software, 2009

View PDFchevron_right
Towards full protection of web applications based on Aspect Oriented Programming
Lorena Kodra

2012

Web application security is a critical issue. Security concerns are often scattered through different parts of the system. Aspect oriented programming is a programming paradigm that provides explicit mechanisms to modularize these concerns. In this paper we present a technique for detecting and preventing common attacks in web applications like Cross Site Scripting (XSS) and SQL Injection using an aspect oriented approach by analyzing and validating user input strings. We use an aspect to capture input strings and compare them to predefined patterns. The intrusion detection aspect is implemented in AspectJ and is woven into the target system. The resulting system has the ability to detect malicious user input and prevent SQL Injection and Cross Site Scripting. We present an experimental evaluation by applying it to an insecure web application. The results of our tests show that our technique was able to detect all the attempted attacks without generating any false positives.

View PDFchevron_right
A CASE STUDY: JAVA IS SECURE PROGRAMMING LANGUAGE
TJPRC Publication

TJPRC, 2014

There are many reasons why Java is so popular and some of the reasons are javas’ strongly supports features. These features have made Java the first application language of the World Wide Web. The main aim had to make java simple, portable and reliable.

View PDFchevron_right

References (20)

  1. Jeanne Murray."Building Java HTTP servlets". IBM developerWorks,12 September 2000. Available via: http://www.digilife.be/quickreferences/PT/Building%2 0Java%20HTTP%20servlets.pdf
  2. Stephen Chong, Andrew C. Myers, K. Vikram, and Lantian Zheng. "Jif Reference Manual". June 2006. Available via: http://www.cs.cornell.edu/jif/doc/jif-3.1.1/manual.html
  3. Andrew C. Myers. "Mostly-Static Decentralized Information Flow Control". Ph.D. Thesis, January 1999.
  4. Andrew C.Myers. "JFlow: Practical Mostly-Static Information Flow Control". Proceedings of the 26th ACM Symposium on Principales of Programming Languages (POPL'99),San Antonio, Texas, USA, January 1999.
  5. A. Sabelfeld and A. C. Myers." Language-based information-flow security". IEEE Journal on Selected Areas in Communications, 21(1):5-19, Jan. 2003.
  6. R. Heldal and F. Hultin. "UMLS Bridging Model-based and Language-based Security". In E. Snekkenes and D. Gollmann, editors, Computer Security-ESORICS2003, volume 2808 of LNCS, pages 235-252. Springer, 2003.
  7. Boniface Hicks,Kiyan Ahmadizadeh and Patrick McDaniel. "From Languages to Systems: Understanding Practical Application Development in Security-Typed Languages". Proceedings of the 22nd Annual Computer Security Applications Conference on Annual Computer Security Applications Conference, p.153-164, December 11-15, 2006.
  8. Aslan Askarov and Andrei Sabelfeld. "Security-typed languages for implementation of cryptographic protocols: A case study". In Proc.of ESORICS 2005, Milan, Italy,Sept.12-14,2005.LNCS.©Springer-Verlag 2005.
  9. Boniface Hicks, Sandra Rueda, Trent Jaeger and Patrick McDaniel. "Integrating SELinux with Security-typed Languages". NSRC Technical Report NAS-TR-0052- 2006.
  10. Vincent Simonet. "Flow Caml in a nutshell". In Graham Hutton, editor, Proceedings of the first APPSEM-II workshop, pages 152-165, Nottingham, United Kingdom, March 2003.
  11. Martin Bond and Debbie Law. "Tomcat Kick Start". June 2003.
  12. James Duncan Davidson with Suzanne Ahmed. "Java™Servlet API Specification: Version2.1a". Sun Microsystems, Inc. © 1998.
  13. Peng Li and Yun Mao. "Integrity Extension in Jif". CIS-670 Course Project Report on Advanced Topics in Programming Languages: Safety and security, Spring 2003.
  14. Andrew C.Myers and Barbara Liskov. "Protecting Privacy using the Decentralized Label Model". ACM Transactions on Software Engineering and Methodology, 9(4):410-442, October 2000.
  15. Peng Li and Steve Zdancewic. " Practical Information flow Control in Web-based Information Systems". In Proceedings of the 18th IEEE Computer Security Foundation Workshop (CSFW), June 2005.
  16. P. Li and S. Zdancewic. "Downgrading policies and relaxed noninterference". In Proc. 32th ACM Symp. On Principles of Programming Languages (POPL), 2005.
  17. Yao-Wen Huang, Fang Yu, Christian Hang, Chung- Hung Tsai, D. T. Lee, Sy-Yen Kuo. "Securing Web applications code by static analysis and runtime protection". In Proceedings of WWW 2004, Manhattan, New York, USA., May 17-22, 2004.
  18. Boniface Hicks, Sandra Rueda, Trent Jaeger, and Patrick McDaniel. "From trusted to secure: Building and executing applications that enforce system security". In Proceedings of the USENIX Annual Technical Conference, Santa Clara, CA, USA, June 2007.
  19. Stephen Chong, K. Vikram, Andrew C. Myers. "SIF: Enforcing Confidentiality and Integrity in Web Applications". Proceedings of USENIX Security Symposium 2007, pages 1-16, August 2007.
  20. Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng. "Secure Web pplications via Automatic Partitioning". Proceedings of the 1st ACM Symposium on Operating Systems Principles SOSP'07), pages 31-44, October 2007.

Related papers

SECURING WEB APPLICATIONS AND FINDING SECURITY VULNERABILITIES IN JAVA
Research Papers

SQL injection and cross-site scripting are two of the most com-mon security vulnerabilities that plague web applications today. These and many others result from having unchecked data input reach security-sensitive operations. This paper describes a language called PQL (Program Query Language) that allows users to declare to specify information flow patterns succinctly and declaratively. We have developed a static context-sensitive, but flowinsensitive information flow tracking analysis that can be used to find all the vulnerabilities in a program. In the event that the analysis gener-ates too many warnings, the result can be used to drive a model-checking system to analyze more precisely. Model checking is also used to automatically generate the input vectors that expose the vulnerability. Any remaining behavior these static analyses have not isolated may be checked dynamically. The results of the static analyses may be used to optimize these dynamic checks.

View PDFchevron_right
Java Based Systems Security
Zvonko Damnjanovic

Organizations need to use security techniques to protect their resources and information. No company gives away its assets unless it no longer wishes to stay in business, and information is one of the most important and strongest assets a company has. This paper explores the basic security concepts of authentication, authorization, confidentiality, and integrity and discusses why these concepts are relevant to an enterprise solution. It also presents some basic examples of security techniques that we will expand upon.

View PDFchevron_right
Aprosec: An Aspect for Programming Secure Web Applications
Gabriel Hermosillo

The Second International …, 2007

View PDFchevron_right
An Appraisal to Secure JAVA Programming
Vamsi Krishna Myalapalli

Security engineering in a program or application exhibits a crucial part, as it prevents or minimizes security holes. Application developers should secure the application code before being deployed or used in a production environment. As such the proposed model is envisioned to assist the JAVA programmers to secure and enhance the JAVA based application(s). This paper elucidates miscellaneous techniques to escalate JAVA application program security and can serve as a security engineering and overhauling tool for the JAVA application programmers. Our experimental denouements designate that security bugs are reduced and maintainability is enhanced.

View PDFchevron_right
ESPY & ALLAY OF SECURITY VULNERABILITIES IN WEB-APPLICATIONS BASED ON JAVA PLATFORM
TJPRC Publication

TJPRC, 2014

Several inbuilt security features are directly offered by the Java programming language along with various characteristics supplied by several securities relevant APIs and implementations. Hence, directly choosing Java will not ensure complete security against severe secrecy attacks, integrity or availability attacks. Numerous security issues needs to be focused and implemented during the entire software development process, entirely free from the selected programming language. The paper reviews discuss all the facets of “Java Security” and then consider the numerous “vulnerabilit ies” & "secure programming techniques” which should be acknowledged when Java programming comes in action. Numerous vulnerabilities classifications and the corresponding intrusions are covered along with some allay (mitigation) techniques. The paper discusses the input data causing attack and how to prevent it.

View PDFchevron_right

Related topics

  • Computer Science
  • Web Development
  • Information Assurance
  • Information Security and Assurance
  • WEB DEVELOPMENT
  • Information Flow Control
    • 580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved