
Research And Implementation On Security Assurance Approach Of Web Applications

Posted on: 2014-09-27
Degree: Master
Type: Thesis
Country: China
Candidate: X Song
Full Text: PDF
GTID: 2268330401466088
Subject: Information and Communication Engineering
Abstract/Summary:
Web applications, which are widely used in many aspects of social life, are changing rapidly with the evolution of Internet technology. But because of the openness and complexity of the Internet environment, the security of applications, especially web applications built on the Internet, faces unprecedented threats. All of this emphasizes the urgency and necessity of studying security assurance approaches for web applications. Existing traditional security technologies and products, such as firewalls, which are becoming more reliable day by day, cannot provide sufficient protection to web applications, whose SOA architecture gives them different attributes.

Traditional security products mainly work at the network layer, but the behavior of some attacks, especially the OWASP Top 10 security threats to web applications, is the same as normal access. On the other hand, security research has developed into the study of survivability, which means that applications should have the ability to tolerate security threats rather than only detecting and preventing them.

Through the study of the security threats faced by web applications, and focusing on SQL injection, XSS prevention and survivability, this dissertation proposes a reverse-proxy based attack detection system for web applications and a recovery scheme for failed web applications. Based on these research results and traditional security approaches, a web application security assurance framework is given.

This dissertation first introduces the significance of security study for web applications and traditional web application security research, and then analyzes the basic theory of SQL injection and XSS attacks, as well as survivability models. On the basis of this work, a method for SQL injection/XSS detection, a formal survivability model for web applications and a recovery approach for failed web applications are proposed.

Finally, a security assurance framework combining the existing security methodology, a reverse-proxy based attack detection system for web applications and a recovery decision-making strategy, together with assistant software for failed web applications, is designed and implemented.
Keywords/Search Tags: web applications, attack detection, survivability, recovery, security assurance