Research on Security Technology based on WEB Application

Fanxing Kong
Linyi University, Shandong China, 276000

Keywords: WEB Application; Security Technology; Research.

Abstract: This article describes the relevant technologies of web security, thoroughly analyzes the security of Web applications in three aspects (security threats to the Web client, security threats to the Web server, and security threats to data transmission), and accordingly studies the security technology based on WEB application. We hope that this article can provide some reference to the relevant personnel in the field.

1 INTRODUCTION

With the advent of the information era, WEB applications have entered people's life and work, and application programs based on the WEB are fully used in various fields, including Internet management, control of facilities, etc. (Xiaojie X, 2015). On the current Internet, any information and data needs the WEB service. The WEB is now widely used, and the programs and data based on WEB applications are the targets most attacked by network hackers. According to the relevant reports, the Internet data vulnerabilities are all the key ways of secure dissemination. Browsers and WEB applications began to be hacked, and 75% of the Internet threats are related to WEB applications. These security risks have brought serious losses to the relevant areas. This paper therefore analyzes and discusses the security technologies based on WEB application comprehensively (Ziqian W, 2015).

2 RELATED TECHNOLOGIES OF WEB SECURITY

2.1 Authentication technology

Authentication technology mainly refers to a process involving two subjects, in which one of the subjects clearly confirms the other. When a user's identity is taken as a subject, authentication technology is required to verify that identity; if verification succeeds, the user can continue to access, otherwise the user cannot (Dongjiao Z, 2016).

2.2 Authorization technology

After authentication, if the subject has the right of follow-up access, the access rights involved are called authorization. Authorization mainly contains two aspects: the first is the control information of resource access; the second is the information of the subject.

2.3 Security and privacy technology

This technique mainly hides user information from those without authorization, and mainly uses encryption technology. After encryption, users can transfer data, but other users cannot view the transmitted information, even with a network protocol analyzer (Juan D, 2014).

3 SECURITY ANALYSIS OF WEB APPLICATION

A Web application mainly consists of two parts: the first is the client; the second is the server. It mainly draws support from the TCP/IP protocol layer to achieve data transmission and processing. The most widely used client program is the Web browser. The Web server has access to Web resources. Web resources mainly involve five aspects: static text files, hypertext markup language documents, media files, client code and dynamic scripts. The mode of Web application is shown in figure 1 (Yi S, 2014):

Kong F.
Research on Security Technology based on WEB Application.
DOI: 10.5220/0006450603670370
In ISME 2016 - Information Science and Management Engineering IV (ISME 2016), pages 367-370
ISBN: 978-989-758-208-0
Copyright © 2016 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved
ISME 2016 - International Conference on Information System and Management Engineering

Figure 1: Mode of Web application

3.1 Security threat analysis of Web client

3.1.1 Security threats of browser

A browser usually refers to a program on the client host, which is used to meet the needs of the Web server and to display and process the data and information given by the Web server. Previously the browser only needed to provide the display function for static HTML pages, but with the rapid development of script and plug-in technology, scripts and plug-ins of the ActiveX and FLASH model have been used comprehensively. This provides the conditions for enhancing the browser's performance, but it is followed by gradually increasing security problems in the process of Web application. The browser is the key to the entire Internet; network hackers often use browser software to set the virus and attack the client, which leads to the Web client being threatened (Wang X, 2008).

3.1.2 Cross-site scripting attacks

Usually, there are two kinds of XSS attack: one is the persistent attack, and the other is the reflection attack. A persistent attack mainly means that the attacker saves the virus in the database used by the Web application program; when users access it, the Web application sends the potential virus to the user. When the user executes the program, the relevant information of the user is sent to the attacker. A reflection attack mainly means that the attackers do not save the virus on the server side, and reflect it directly to the user. They mainly use the malicious script sent by others and copy the virus into it; when the user links, it steals the user's information. This attack does not have persistence.

3.1.3 Clickjacking

Clickjacking mainly refers to a kind of visual deception. Hackers mainly upload transparent Web elements to a web page; when users link to the web page, they don't know they have clicked on the Web elements, and then information is operated or stolen. Network hackers mainly lure users to click the performance button of these Web elements without knowing the facts, and then achieve specific supply performance (Yubei Y, 2015). For example, linkJacking attacks can not only hijack information; after the implementation of a series of tedious actions, network hackers can eventually control the camera.

3.2 Security threat analysis of Web server side

Once the server side has security threats, it will lead to security threats to Web applications, Web servers, as well as the database. As the complexity of Web applications gradually increases, the security awareness of Web programmers and the corresponding management personnel gradually reduces, which provides the conditions for the attacker's attack. In normal circumstances, the security threats of the Web server side are mainly of two aspects (Chuan L, 2010).
(1) The security threats to the server side's data and files, such as the leakage of bank accounts and credit card information, etc. Assuming that the intruders have obtained this information, they can cheat by way of role playing, and then obtain the corresponding economic benefits.
(2) Web applications on the server side are also affected by the preservation of malicious code, and are thereby attacked by the Trojan horse of the Web page. The Web threats we often encounter include SQL injection attacks, remote code execution attacks, and so on (Chengyu H, 2011).

3.3 Security threat analysis of data transmission

In the process of user side data transfer or server side data transfer, once there is improper operation, there is a security threat. The main attacks we often encounter are of two kinds: one is the active attack, and the other is the passive attack. An active attack mainly refers to the data attack in the network. This attack mainly uses the user side or the server to revise user information, and then achieves the effect of attack. A passive attack mainly refers to reading data in the network; this kind of attack mostly reads the important information in the network, such as user names, user passwords and users' personal information, etc. (Yongxiang W, 2014).
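An added illustration for sections 3.1.2 and 3.1.3 (not code from the paper): the same page is rendered with and without output encoding for one stored and one reflected value, and the response carries headers that forbid framing by other sites. The sample inputs, page template and function names are constructed for this example.

```python
import html

# Constructed sample inputs (not from the paper).
STORED_COMMENTS = ["Great article", "<script>alert(1)</script>"]  # persistent case
REFLECTED_QUERY = '"><script>alert(2)</script>'                    # reflected case

PAGE = '<form><input name="q" value="{q}"></form>\n<ul>\n{items}\n</ul>'


def render_unsafe(query, comments):
    """Vulnerable: stored and reflected values are placed into the markup as-is."""
    items = "\n".join(f"<li>{c}</li>" for c in comments)
    return PAGE.format(q=query, items=items)


def render_safe(query, comments):
    """Hardened: every untrusted value is HTML-encoded at the point of output."""
    items = "\n".join(f"<li>{html.escape(c)}</li>" for c in comments)
    # quote=True also encodes " and ', which matters inside an attribute value.
    return PAGE.format(q=html.escape(query, quote=True), items=items)


def response_headers():
    """Headers that forbid framing by other origins (section 3.1.3) and limit
    script sources as a second layer behind output encoding."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    }


def injected_script_count(page):
    """Count script elements that reached the page as live markup."""
    return page.lower().count("<script")


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = render(REFLECTED_QUERY, STORED_COMMENTS)
        print(name, "live script tags:", injected_script_count(page))
    print(response_headers())
```

Encoding happens where the value is written into the page, so it covers both the value read back from storage and the value echoed from the request.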

4 SECURITY TECHNOLOGY OF WEB APPLICATION DATA

4.1 Security technology of client

For the security threats to the browser and the host operating system, in order to enhance the security of the host operating system and browser, browser version updates and real-time patch updates of the operating system should be done well, and the vulnerabilities of the browser and operating system should be repaired in time. For the security threat of the Web client's script, the Web client's ability to fight against attacks should be strengthened: install a detection system for the Web client script, and detect regularly. In general, there are two kinds of detection technologies for malicious web pages: the first is static detection; the second is dynamic detection. Static detection detects malicious code on the webpage by code analysis. Compared to static detection, dynamic detection has relatively low efficiency but strong pertinence, and can effectively identify the malicious code in the page. If the malicious code is encrypted or changed, dynamic detection can read the relevant information in the malicious code, analyze the characteristics of the behavior, and then achieve the purpose of protection. Therefore, dynamic detection has good accuracy.

4.2 Security protection method of server

4.2.1 AJAX protection mechanism

The AJAX protection mechanism and the original security system of Web applications have certain similarities in nature, which include data query by interacting with data, response ability of data transfer, capability of data transmission, information call, etc.

4.2.2 Input validation

To prevent the situation in which only the user side is verified, all of the information of clients and servers should be verified, such as verification of the HTTP header, cookie verification, parameter verification, data validation, and verification of the length and specification of user data.

4.2.3 Security of client's program code

The protection mechanism mainly involves four aspects: first, the application system mechanism of the user end; second, the mechanism of third-party external programs; third, the data call mechanism; fourth, the protection mechanism of data processing.

4.2.4 SOAP filtering and WSDL strengthening mechanism

Typically, filtering at the firewall or HTTP layer is unable to defend against attacks on Web services, and resistance needs to come from filtering and supervision at the SOAP layer. As one of the key sources, WSDL data must not be leaked. Its enforcement mechanism mainly includes two aspects: first, the corresponding function needs to be provided in the process of program design; second, it is only used in SSL.

4.2.5 Authentication, authorization and development mechanism of security program

The protection mechanism involves five aspects: first, R&D staff of the system carry out WSDL access control; second, apply security assertion markup language; third, WS-Security certificate; fourth, SOAP filtration; fifth, data transfer.

4.3 Security technology of data transmission

4.3.1 HTTPS protocol

HTTPS mainly refers to running HTTP over SSL; the structure after fusion is called HTTPS. In HTTP, the user side builds a TCP connection, and when the user side presents a request the server gives the corresponding reply. In the process of applying SSL, the user side must build a TCP connection, build an SSL channel on it, and send the same request in the SSL channel, and the server side makes the corresponding response in the SSL channel. To a traditional HTTP server, SSL information is equivalent to spam, because not all servers can apply SSL. Therefore, in order to ensure the quality of the data, the appropriate application channel needs to be selected in the application process: a Web address starting with HTTPS is used to achieve the application of SSL.

4.3.2 SRTP protocol

The SRTP protocol mainly addresses the security of two kinds of content: the first is the voice stream; the second is the video stream. SRTP gives the encryption modes and cognitive methods corresponding to AES. So the main function of the SRTP protocol is security and real time. SRTP can be used in
TCP/UDP, but people often use it over UDP, because the transmission of voice and video is mainly based on UDP.

Protection of data authentication and integrity: in general, the authentication algorithm used by RTP is MAC-SHA1. After the calculation result is attached to the data packet, the receiving side chooses a reasonable label value of M according to the calculation results, and compares it with the label value received (Hung-Bin C, 2015).

4.3.3 RTMPS protocol

The RTMPS protocol is also called a security protocol; it is the protocol obtained after SSL encryption. The protocol can support data transfer. The main function of the secure sockets layer is to provide a security protocol with data integrity for network communication. SSL mainly uses the transport layer to achieve the encryption of the network link. The default port is 443.

5 CONCLUDING REMARKS

All in all, with the rapid development of Internet technology, application programs based on the Web have steadily developed and become an important standard of the current computing platform. With the appearance of Web mail, shopping and media, Web applications have entered our work, life and learning, become an indispensable part of our daily life, and played a key role in network information service. Because of the rapid development of Web technology, applications related to the Web have become cumbersome, which also makes security vulnerabilities gradually emerge. In order to ensure the safety of Internet applications, it is necessary to conduct a comprehensive security analysis of the Web application, and develop an efficient and reliable method to prevent attacks, so as to ensure the security of programs and data.

REFERENCE

Xiaojie X, Yang X, Shuo J., Research and Design of Web Application Firewall Based on Feature Matching. Netinfo Security, (11):53-59, 2015
Ziqian W, Bo W., Research on technology taking use of vulnerability of information security in Web application system. Electronic Product Reliability and Environmental Testing, (6):30-33, 2015
Dongjiao Z, Ping W., Analysis on the security technology of Java Web application program. Computer fan, (3):48-49, 2016
Juan D, Yang X, Yuwei M., Research and design of audit system of security log based on Web application. Netinfo Security, (10):70-76, 2014
Yi S, Dongyun L, Wenjie W., Research on the key technology of security testing platform of Web application program. Information Security and Technology, (1):29-32, 2014
Wang X., Design of Secure Identity Authentication System Based on JAAS in the Web Application System. Journal of Beijing University of Civil Engineering and Architecture, 24(2):55-59, 2008
Yubei Y., Application security of PGP encryption technology based on WEB in mail system. Network Security Technology & Application, (6):38-40, 2015
Chuan L., Research on Application of Web J2EE system identity authentication security mechanism based on Unix authentication. Journal of Chongqing University of Arts and Sciences, (4):65-67, 2010
Chengyu H., Research on the protection method of Web Java application software. Software Guide, (11):57-58, 2011
Yongxiang W., On WEB website security optimization. Network Security Technology & Application, (5):136-1137, 2014
Linhai Y, Binying H., Research on the content of Web code security artificial audit. Jiangxi Science, (4):536-538, 2014
Hung-Bin C, Izhak Rubin, Ofer Hadar., Scalable Video Multicast for Multi-Cell Cellular Wireless Networks. Journal of Communications, 10(9):715-727, 2015
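An added example, not from the paper, of the tag check described in section 4.3.2: the sender appends a truncated HMAC-SHA1 tag and the receiver recomputes and compares it, which also detects the active modification described in section 3.3. It follows the RFC 3711 layout (tag computed over the packet plus the rollover counter, 80-bit tag); the key, packet and function names are constructed, and SRTP key derivation and payload encryption are left out.

```python
import hashlib
import hmac
import struct

TAG_LEN = 10  # HMAC-SHA1 output truncated to 80 bits, the RFC 3711 default


def auth_tag(auth_key: bytes, packet: bytes, roc: int) -> bytes:
    """Tag over M = authenticated portion of the packet || 32-bit rollover counter."""
    m = packet + struct.pack("!I", roc)
    return hmac.new(auth_key, m, hashlib.sha1).digest()[:TAG_LEN]


def protect(auth_key: bytes, packet: bytes, roc: int) -> bytes:
    """Sender side: append the authentication tag to the packet."""
    return packet + auth_tag(auth_key, packet, roc)


def verify(auth_key: bytes, wire: bytes, roc: int):
    """Receiver side: recompute the tag and compare in constant time.
    Returns the packet if the tag matches, otherwise None."""
    if len(wire) <= TAG_LEN:
        return None
    packet, received = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = auth_tag(auth_key, packet, roc)
    return packet if hmac.compare_digest(expected, received) else None


# Constructed sample values: a 160-bit authentication key and an RTP-like packet
# (12-byte header: version 2, payload type 0, sequence 1, timestamp 160, SSRC).
KEY = bytes(range(20))
PACKET = struct.pack("!BBHII", 0x80, 0, 1, 160, 0x1234ABCD) + b"voice-frame"


def tamper(wire: bytes, index: int) -> bytes:
    """Flip one bit, as an in-path modification would."""
    changed = bytearray(wire)
    changed[index] ^= 0x01
    return bytes(changed)


if __name__ == "__main__":
    wire = protect(KEY, PACKET, roc=0)
    print("intact packet accepted:  ", verify(KEY, wire, roc=0) == PACKET)
    print("modified packet accepted:", verify(KEY, tamper(wire, 15), roc=0) is not None)
    print("wrong rollover accepted: ", verify(KEY, wire, roc=1) is not None)
```

The tag gives integrity and origin authentication only; hiding the content from the passive reader of section 3.3 is the job of the encryption step.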
