
Web Application Protection from Wide Range of Web Vulnerabilities

K. Venkatesh Sharma, K. Satish Kumar

Abstract


Adoption of web applications is increasing for multipurpose services, and their correct functioning is mission critical for many businesses. At the same time, web applications tend to be error prone, and implementation vulnerabilities are readily and commonly exploited by attackers. The design of countermeasures that detect or prevent such vulnerabilities, or that protect against their exploitation, is an important research challenge for the fields of software engineering and security engineering. In this paper we introduce a single J2EE-based web application that is able to handle several vulnerabilities at the application level, mainly those related to injection flaws, cross-site scripting and browser caching, and that also protects session data dependencies by changing the session identifier at runtime, enforcing sequential access and applying session expiration. By handling all of these together in one application, we can successfully protect a web application from these common vulnerabilities.

Keywords


Web Application, Vulnerabilities, Session Data, Security, Injection Flaw, Cross Site Scripting, Web Application Firewall (WAF).



This work is licensed under a Creative Commons Attribution 3.0 License.