ISSN: 2278 – 1323
International Journal of Advanced Research in Computer Engineering & Technology
Volume 1, Issue 4, June 2012
Tool to Detect and Prevent Web Attacks
Nilesh Khochare, Computer Department, VJTI, Mumbai, nileshkhochare@gmail.com
Dr. B. B. Meshram, Computer Department, VJTI, Mumbai, bbmeshram@vjti.org.in
Abstract— A Web Application Firewall (WAF) is a security tool that protects the web application and the web application server from various attacks. Application protection is a valuable security layer to add because it can protect against a number of application-layer security threats that are usually not covered by a typical network-layer intrusion detection system. A web application can easily be attacked even when a normal firewall is present in the system, because the normal firewall does not operate at the application layer. Attackers target web applications using methods such as Structured Query Language (SQL) injection, Cross Site Scripting (XSS), command injection, session manipulation, cookie poisoning, directory traversal and forceful browsing. This paper addresses these problems by presenting a methodology for the automatic detection of vulnerabilities in web applications and for protecting web applications from various attacks. The proposed methodology, implemented in this paper, monitors all incoming and outgoing data of the web application and blocks web-related attacks such as SQL injection, Cross Site Scripting, buffer overflow, cookie poisoning, forceful browsing and directory traversal attacks.

Index Terms—Application Firewall, SQL injection, Cross Site Scripting, WAF.

I. INTRODUCTION
Today applications are becoming the prime target for cyber attacks. Recent research showed that approximately 80% of all successful web attacks exploit application vulnerabilities, and there is no shortage of vulnerabilities to go after, although all of them require some skill to exploit. Traditional firewalls block packets effectively at the network layer; they are ineffective against attacks aimed at application weaknesses. Web application firewalls detect attacks on application vulnerabilities and whether sensitive data, such as account information or credit card numbers, is being compromised, and can take suitable action accordingly. [2]
Various web applications, such as the online branch of a bank, an online shop, or a customer, partner or employee portal, are available to their customers as well as to their attackers around the clock because of the always-on nature of the internet. Attacks such as SQL injection, cross-site scripting, session hijacking and many more are aimed at vulnerabilities in the web applications themselves. Web application firewalls are specialized tools whose purpose is to increase the security of web applications. Figure 1 shows the basic working of the web application firewall, where only a normal user can access the web application or web server and access is denied to an attacker. [18]

Fig 1. Basic working of Application Firewall

An application firewall is a set of application-specific policies that gives you granular control over network traffic at the level of users. The primary function of this application-layer tool is to regulate web browsing, file transfer, email and email attachments. Using an application firewall, you can restrict the transfer of certain file names, file types, email attachments, attachment types, email with certain subjects, and email or attachments with certain keywords or byte patterns. You can deny internal or external network access based on various criteria.

II. RELATED WORK
This paper describes a methodology and a tool for detecting and preventing attacks on web applications. We now describe various approaches to securing web applications from web-based attacks.

A. Open source Tools
IronBee is an open source tool designed by Qualys. IronBee implements a robust framework for application security monitoring and defense. It provides a layered set of features at different levels of abstraction, enabling its users to choose the approach that works best for the work they need to accomplish. It provides protection from DoS and DDoS attacks, cookie-related attacks, brute force attacks, SQL injection attacks and cross site scripting attacks. [11]
AQTRONIX WebKnight is an application firewall for IIS and other web servers and is released under the GNU General Public License. WebKnight scans all requests and processes them based on filter rules set by the administrator. These rules are not based on a database of attack signatures that require regular updates. WebKnight filters buffer overflow,
its final destination and examines each request and response using its rule set.

[Fig 3. Proposed Working of Application Firewall. Recovered labels: Security Check of Request; Request Pass: Forward Request to web server/Application; Request Fail: Display Specific Error Message; Web Server/Web Application; Security Check of Response; Response Pass; Response Fail.]

As Figure 3 shows, when a user requests a URL on a web server, the application firewall first examines the request in "Security Check of Request". These rules check for various types of attacks on the web servers. The Application Firewall also checks whether the request needs further filtering. If the request passes the Application Firewall security checks, it is passed to the web server. The web site or web service sends its response back to the Application Firewall, which examines the response in "Security Check of Response". If the response does not violate any security checks, the Application Firewall forwards the response to the user. This process is repeated for each request and response.

IV. COMPARISON WITH OTHER TOOLS
TABLE I
COMPARISON WITH OTHER TOOLS

Sr. No. | Name of Tool | Type | Features and prevented attacks
1 | IronBee | Open Source | DoS, DDoS attack; Cookie attacks; Brute force attack; SQL injection; Cross Site Scripting; Information leakage; Error message detection; Behavioral monitoring
2 | AQTRONIX WebKnight | Open Source | Buffer Overflow; SQL injection; Directory Traversal; Rule based signature detection
3 | Guardian@JUMPERZ.NET | Open Source | SQL injection; Cross Site Scripting
4 | ModSecurity | Open Source | SQL injection; Cross Site Scripting; Cookie attacks; DoS attacks; Information Leakage; OWASP Top Ten attacks; Data theft protection
5 | Barracuda | Commercial | Brute Force Protection; SQL injection; Cross Site Scripting; Cookie and form tampering
6 | Imperva SecureSphere | Commercial | SQL Injection; Cross site scripting; Cross Site Request Forgery; OWASP Top Ten attacks [20]; Buffer Overflow; Cookie Poisoning; XML related attacks
7 | Citrix | Commercial | SQL injection; Cross Site Scripting; Credit card theft
8 | FortiWeb | Commercial | SQL injection; Cross site scripting; Financial fraud protection; Prevent Identity Theft; XML related threats; Cross Site Request Forgery; Information Leak
9 | Proposed Tool | Open Source | SQL injection; Cross Site Scripting; Cross site Request
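The request/response cycle of Fig 3, as an added Python example that is not the paper's tool or its rule set: a request is first checked against illustrative, hypothetical patterns for three of the attack classes in Table I (SQL injection, Cross Site Scripting, directory traversal), forwarded to a constructed stand-in application only if it passes, and the response is then checked for information leakage before it reaches the user.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus

# Illustrative rules for attack classes listed in Table I. These are hypothetical
# patterns written for this demo, not the paper's rule set; response-side rules
# look for server error text that leaks implementation details.
REQUEST_RULES = {
    "SQL injection": re.compile(r"['\"]\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|;\s*drop\s+table"),
    "Cross Site Scripting": re.compile(r"<script\b|javascript:|\bon\w+\s*="),
    "Directory traversal": re.compile(r"\.\./|\.\.\\"),
}
RESPONSE_RULES = {
    "Information leakage": re.compile(r"traceback \(most recent call last\)|error in your sql syntax|ora-\d{5}"),
}

@dataclass
class Request:
    path: str
    query: str = ""
    body: str = ""
    cookies: dict = field(default_factory=dict)

def security_check_of_request(req):
    """Fig 3 'Security Check of Request': returns (passed, specific error message)."""
    # URL-decode once and lower-case so encoded variants meet the same rules.
    surface = unquote_plus(" ".join([req.path, req.query, req.body, *req.cookies.values()])).lower()
    for name, rule in REQUEST_RULES.items():
        if rule.search(surface):
            return False, f"Request blocked: {name} pattern detected"
    return True, ""

def security_check_of_response(body):
    """Fig 3 'Security Check of Response': returns (passed, specific error message)."""
    for name, rule in RESPONSE_RULES.items():
        if rule.search(body.lower()):
            return False, f"Response blocked: {name}"
    return True, ""

def application_firewall(req, backend):
    """One full Fig 3 cycle; returns the (status, body) the user finally sees."""
    ok, msg = security_check_of_request(req)
    if not ok:
        return 403, msg            # Request Fail: display specific error message
    status, body = backend(req)    # Request Pass: forward to web server/application
    ok, msg = security_check_of_response(body)
    if not ok:
        return 500, msg            # Response Fail: leaked detail never reaches the user
    return status, body            # Response Pass

def demo_backend(req):
    """Constructed stand-in for the protected web application (not a real server)."""
    if req.path == "/debug":       # simulates an unhandled-exception page
        return 500, "Traceback (most recent call last):\n  File 'app.py', line 3"
    return 200, f"page {req.path} ok"
```

Pattern rules of this kind only catch what they encode (double-encoded or otherwise obfuscated input slips past them), which is why the response-side check matters as a second layer.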