Using Security Patterns in Web-Application
©2014 Textbook 69 Pages
Web applications have been widely accepted by organizations in the private, public and government sectors and form the core of any e-commerce business on the internet. However, with the widespread use of web applications, threats to them have also emerged. Web applications transmit substantial amounts of critical data, such as passwords or credit card information, and this data should be protected from an attacker. There have been huge numbers of attacks on web applications in recent years, such as 'SQL Injection', 'Cross-Site Scripting' and 'HTTP Response Splitting', and this is one of the main concerns of both the software developer and the security professional communities. This project aims to explore how security can be incorporated into web applications by using security patterns, and how effective this is in addressing the security problems of web applications.
3.5.2 Countermeasure of Cross-Site Scripting ... 20
3.6 HTTP Response Splitting ... 20
3.6.1 What is HTTP Response Splitting? ... 20
3.6.2 Countermeasure for HTTP Response Splitting ... 21
3.7 Reason of Attack on Web Application ... 22
Chapter 4: Introduction to Patterns ... 23
4.1. An introduction to pattern language ... 23
4.2. What is Design Pattern? ... 24
4.3 History of Design Pattern ... 25
4.4 Design Pattern Template ... 26
Chapter 5: An Introduction to Security Patterns ... 27
5.1 What is Security Pattern? ... 27
5.2 History of Security Pattern ... 28
5.3 Why Security Pattern? ... 29
5.4 Types of Security Pattern ... 30
5.5 Use and Misuse Case in Security Pattern. ... 30
5.6 Security Pattern Template ... 31
Chapter 6: Overview and Implementation of Security Patterns ... 33
6.1 Overview of Security Pattern used to address attack ... 33
6.1.1 Secure Pipe Pattern ... 33
6.1.2 Secure Proxy Pattern ... 34
6.1.3 Secure Logger Pattern ... 34
6.1.4 Intercepting Validator Pattern ... 34
6.2 Implementation of Security Pattern in Context to Attack ... 35
6.2.1 Mitigating Eavesdropping with Secure Pipe and its Related Pattern ... 35
6.2.2 Mitigating poor authentication exploit with Secure Proxy & its Related Pattern ... 42
6.2.3 Mitigating Log Tampering with Secure Logger & its Related Pattern ... 45
6.2.4 Mitigating SQL Injection, Cross-Site Scripting and HTTP Response Splitting with Intercepting Validator and its Related Pattern ... 48
Chapter 7: Analysis of Security Patterns ... 52
7.1 Analysis between main security pattern and related pattern ... 52
7.1.1 Secure Pipe Pattern versus Message Intercepting Gateway ... 52
7.1.2 Secure service proxy versus message interceptor gateway ... 54
7.1.3 Secure logger pattern versus secure pipe pattern... 55
7.1.4 Intercepting Validator versus Intercepting Filters ... 56
7.2 Views ... 57
Conclusion ... 60
References ... 63
List of figures
Figure 1: The operation of a Web Application ... 12
Figure 2: Secure Pipe Pattern Diagram ... 37
Figure 3: Sequence Diagram of the Secure Pipe Pattern ... 38
Figure 4: Message Interceptor Gateway Pattern ... 41
Figure 5: Secure Service Proxy Pattern Diagram ... 43
Figure 6: The sequence diagram of the Secure Proxy Pattern ... 44
Figure 7: Secure Logger Pattern Structure ... 46
Figure 8: Secure Logger Pattern using the Secure Pipe Pattern diagram ... 47
Figure 9: Intercepting Validator Pattern diagram ... 48
Figure 10: The sequence diagram of the Intercepting Validator Pattern ... 49
Chapter 1: Introduction
In this advanced world, paper has changed its form to an electronic version and the office has
moved to the cloud, making the entire world a very small place in which to communicate. People
have become more inclined towards technology because of these advances, as their work can be
done more conveniently and faster than before.
The advances in technology and the widespread use of the internet have brought many
advantages and disadvantages. On one hand, the internet has made many tasks very simple for a
human being. One great example is email: sending a letter to your friends or relatives anywhere
in the world is a matter of seconds, compared to earlier days when, if you wanted to send a
letter to someone living abroad, you had to wait fifteen days for the letter to be delivered.
There are many such examples of the advantages these technologies have brought us, and the
list is never ending.
On the other hand, the widespread use of the internet and the broad acceptance of technology
in the business community have created a series of problems. The introduction of e-commerce
has further worsened these issues, as business houses started doing business on the internet
through ready-made web applications developed by big brands such as Microsoft or Java
Software, or through in-house web application development.
These web applications and business software have become one of the major targets for
attackers because much critical information, such as credit card information and login
credentials, can be derived from such attacks and later used for financial benefit. Attacks such
as eavesdropping, exploiting a poor authentication system, tampering with the system log,
cross-site scripting, SQL injection and HTTP Response Splitting are some of the most common
attacks and occur in very large numbers.
One of the main reasons behind all these attacks, as has already been proved by industry
experts and researchers, is poor coding and design flaws in the web application or software
system. The developer who builds the web application is usually not aware of security; their
main point of concentration is the functionality of the application rather than its security
implications.
Therefore, a solution is needed that bridges this gap between the development and security
communities. Additionally, the solution should also serve as a remedy for the attacks identified
above and help in developing secure software and web applications.
In my thesis I have spoken about this solution in more detail so that the subject can easily be
1.2 Aim and Objectives
Aim: The aim of this paper is to explore how security is incorporated into web applications by
using security patterns.
Objectives: The preliminary objectives of this dissertation are as follows:
Introduce web applications and web application security
Introduce design patterns and security patterns
The main objectives are to:
Identify a set of security patterns which can be used to address the issues in web applications
How effective are these security patterns in addressing the problems?
What are the benefits and liabilities of implementing these patterns in web applications?
Justify that security patterns actually improve the security of web applications with
The paper is divided into four phases, where each phase consists of chapters.
Phase 1 - This phase consists of two chapters, which provide an introduction to web applications
and web application security, along with attacks and their countermeasures.
Phase 2 - This phase consists of two chapters, which provide an introduction to design patterns
and security patterns.
Phase 3 - This phase consists of two chapters, in which the security patterns are identified and
their implementation is discussed in detail, along with their benefits and liabilities after
implementation. This phase consists of all the work
Phase 4 - This phase consists of the conclusions drawn from this thesis.
Chapter 2: Background on Web Application & Web
2.1 Background of Web- Application
Over the past 20 years, the web has benefited millions of businesses and served as the channel
for customers to communicate with businesses and exchange information. According to a survey,
more than 1 billion users use the internet today [Source - Computer Industry Almanac, 2006],
and in the U.S. alone, e-commerce spending accounted for $102.1 billion in 2006 [Source -
comScore Networks, 2007].
Before explaining web applications, I would like to address the fundamental part of the term,
which is the word "application". As Bob Baxley says, the word application means "a computer
program designed for a specific task or use".
In his document he also says that "The fundamental purpose of all web applications is to
facilitate the completion of one or more tasks".
To start the discussion, I will categorize websites into two forms:
Content-based websites.
Service-based websites.
Content-based websites are the websites we see in day-to-day life, such as BBC News, ISBN
Sports, Times of India etc. This kind of website is basically used for information: you can visit
it and read the necessary information. The latter kind, service-oriented websites, are used for
some specific task to be performed by the visitor of the website. Users who visit this kind of
site have some objective in visiting it. Service-oriented websites are supported by application
servers and database servers in the background, use the web browser to interact with the end
user or client, and are also known as web applications. One of the best examples of a web
application is email, where companies like Google and Rediffmail provide a web-based mail
client.
The most significant benefit of a web application is that it needs only a web browser as the
client to interact with the back-end server. Web applications follow the client-server
architecture. A client-server environment can be explained as an environment where multiple
computers have access to and share information, such as entering private data into the
The designer who develops the web application does not have to worry about developing a client
end for accessing the application on a specific computer or operating system, as it uses the web
browser as the client, which can run on any platform, be it Mac, Windows or Linux. However, some
web applications only support browsers like Windows Explorer and Firefox, and they are
The technology commonly used in developing web applications is a combination of server-side
scripting such as ASP, PHP, JSP and client-side scripting known as HTML, DHTML, and
side takes care of the more vital parts of the web application, such as storing or retrieving data
from the database.
Another significant benefit of web applications is that they can easily be implemented without
much installation requirement and can also be easily deployed anywhere at no cost.
One of the vital aspects of web applications is how they work. To explain the operation of a
web application, I will use Figure 1.1 to illustrate it:
Figure 1: The operation of a Web Application
The figure above shows that the visitor has visited the company website and the initial request
has been sent by the visitor via the browser to the web server, which then forwards it to the
web application. In response to the request, the web application accesses the database and
performs the requested task, such as modifying or retrieving the content of the database.
After the process has been completed, the web application presents the information to the
user via the browser.
However, the future of web applications is moving towards a new generation of web applications
that will not need any back-end server to store or retrieve data. It will be similar to the way
you save a Word document on your computer, which does not need a server to save that
document to the desktop.
2.2 Background on Web Application Security
Vulnerabilities in software have increased at an unexpected rate, and in the year 2006 the
National Institute of Standards and Technology (NIST) National Vulnerability Database recorded
something over 6,600 reported vulnerabilities. Because of these vulnerabilities a new trend
emerged, and the software community started including security in their design and development
phases, which has resulted in an overall improvement in operating system security.
As operating systems have become more secure, there has been a shift in the hacker community.
They started targeting application layer vulnerabilities instead of operating system
vulnerabilities.
The changing business environment, together with advances in web technologies, has led
organizations to adopt web applications by default. Today any organization, whether in the
public, private or government sector, depends solely on web applications to interact with
customers or clients.
Although the adoption of web applications in the business community gives greater efficiency and
convenience, it gives rise to new security threats, which can pose a significant risk to an
organization if its I.T. infrastructure has not been handled carefully.
As web applications can be easily deployed, their growth is beyond expectation, and because of
this trend I.T. infrastructure has become more complex and distributed, which is harder to
maintain from a security perspective. For almost a decade, most organizations depended on the
firewall to protect their I.T. infrastructure. However, the trend has now changed: the hacker
community is no longer targeting the network perimeter, such as the firewall, to gain access to
an organization's resources; instead, they are targeting security flaws in the design of web
applications, such as injection flaws and improper input validation. Therefore, deploying a
network perimeter alone will not be enough to safeguard a web application; a more robust
security implementation is required to protect the application from such threats.
Threats arise in different ways, such as dishonest users, session-less protocols, insecure
networks and complex web technologies. In a web application, the client end is generally not
controlled by the owner of the application. Hence input from a client cannot be fully trusted and
processed directly. An attacker can masquerade as a legitimate user and thus create false
messages and cookies. In addition, HTTP is a session-less protocol and is subject to attacks such
as replay and injection attacks. HTTP messages can be easily tampered with, resulting in modified
messages, and because of the widespread availability of spoofing software they can easily be
spoofed or sniffed.
According to the "2002 Computer Crime and Security Survey" conducted by the Computer Security
Institute and the San Francisco FBI Computer Intrusion Squad:
"Web application incidents cost companies more than $320,000,000 in 2001."
44% of respondents to the 2002 Computer Crime and Security Survey were willing and able to
quantify their financial losses. These respondents reported $455,848,000 in financial losses.
Therefore, organizations should understand the risks and threats properly in order to implement
appropriate countermeasures or safeguards. Additionally, both technical and administrative
security controls must be reinforced to secure the critical I.T. infrastructure in response to
web application deployment.
Chapter 3: Attacks and Countermeasures of Web
The increasing adoption of web applications by different organizations, comprising the private,
public and government sectors, has given birth to different kinds of attack on web-
The Open Web Application Security Project (OWASP) has become the industry's de-facto guideline
for developing secure web application software. OWASP is freely accessible worldwide and serves
as the standard for secure development. However, it is not officially regarded as a standard; it
just states a set of guidelines which are to be followed during web-application
OWASP has listed the top ten vulnerabilities, such as Cross-Site Scripting, Injection Flaws and
Malicious File Extension etc. The full list of the top ten web application vulnerabilities can be
found on
In this section of the project I will discuss some of the most fundamental attacks on web
applications from the developer's perspective, such as Eavesdropping, Poor Authentication
Mechanisms, Log Tampering, SQL Injection and Cross-Site Scripting, and their countermeasures.
However, if the developer writes code keeping in mind the security implications of the web
application, then these kinds of attack can be avoided. The details are discussed later in this thesis.
3.1.1 What is Eavesdropping?
Intercepting real-time private communication traffic in an unauthorized way is known as
eavesdropping. Some examples are insecure data transmission between computers, VoIP calls etc.
The term eavesdrop is derived from the word eaves: standing under the eaves of a house and
listening to a private conversation without the knowledge of the others.
3.1.2 How Eavesdropping happen?
In my example I will take the scenario of a normal LAN where all computers on the network use a
common shared medium, such as a hub, to communicate with each other. An eavesdropping attack
can be carried out on this kind of network.
In a normal network, the network interface card is set to non-promiscuous mode by default; the
card only processes traffic intended for its own address and ignores the rest. An eavesdropping
attack is conducted by setting the network interface card to promiscuous mode. Once this mode is
activated, the network interface card captures all traffic irrespective of its destination
address, so an attacker can read all the traffic and derive passwords or other valuable
information from it if the traffic is not encrypted or otherwise secured.
There are several tools available for eavesdropping, such as tcpdump and Ethereal.
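Because the attack described above depends on a card being switched into promiscuous mode, a defender on the LAN can audit hosts for that condition. The following check is an added example written for this section, not code from the thesis; it assumes a Linux host, where the flag is visible both in `ip -o link show` output (the PROMISC flag) and as bit 0x100 (IFF_PROMISC) in `/sys/class/net/<iface>/flags`. The sample output below is constructed, not captured from a real host.

```python
import re

# Linux interface flag bits (include/uapi/linux/if.h)
IFF_UP = 0x1
IFF_PROMISC = 0x100


def promisc_from_sysfs_flags(flags_text):
    """Parse the hex value read from /sys/class/net/<iface>/flags and
    report whether IFF_PROMISC is set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


# One line of `ip -o link show`, e.g.
# "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")


def promisc_interfaces(ip_link_output):
    """Return the names of interfaces whose flag set contains PROMISC."""
    found = []
    for line in ip_link_output.splitlines():
        m = _LINK_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not interface headers
        if "PROMISC" in m.group("flags").split(","):
            found.append(m.group("name"))
    return found


def audit(ip_link_output, sysfs_flags):
    """Combine both sources: an interface is reported if either one says it
    is promiscuous, so a doctored tool output alone cannot hide it."""
    suspicious = set(promisc_interfaces(ip_link_output))
    for name, text in sysfs_flags.items():
        if promisc_from_sysfs_flags(text):
            suspicious.add(name)
    return sorted(suspicious)


# Constructed sample data (not from a real host): eth0 is in promiscuous mode.
SAMPLE_IP_LINK = """1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP"""

# 0x1103 = MULTICAST|PROMISC|BROADCAST|UP; 0x1003 lacks the PROMISC bit.
SAMPLE_SYSFS = {"lo": "0x49\n", "eth0": "0x1103\n", "eth1": "0x1003\n"}

if __name__ == "__main__":
    print("promiscuous interfaces:", audit(SAMPLE_IP_LINK, SAMPLE_SYSFS))
```

A promiscuous interface is not proof of an attack (packet-capture tools used by administrators set it too), so the result is an alert to investigate, not a verdict.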
3.1.3 Countermeasures for Eavesdropping
In this section I will explain the countermeasures from the perspective of the web application.
As stated above, the attack happens on the network layer, so how does it affect the working of
the web application? Suppose a user enters his credit card details on a website to be processed
for an online payment and, during the transmission of this data, an attacker intercepts it; the
attacker now has the customer's credit card information, which he can use later.
Therefore, the most effective countermeasures suggested for this attack are as follows:
Proper segmentation of the network should be done, and strong physical security should be in
place. We have to first secure the traffic locally, such as inside the organization's building.
The traffic should be fully encrypted during transmission from one node to another or from one
LAN to another. SSL and IPsec should be implemented properly in order to provide secure
communication between nodes.
3.2 Exploiting Poor Authentication
3.2.1 What is Poor Authentication?
For my example of poor authentication I will take the most conventional authentication method,
username and password, which is widely used across every domain. Most web applications also
use this conventional method to authenticate the client. One of the most significant weaknesses
of this authentication method is that clients usually use weak passwords which are easy to
guess, and sometimes the client uses the same password across other domains for
authentication.
Therefore an attacker can easily derive the password and use it for unauthorized access to the
3.2.2 How the poor authentication can be exploited?
As stated above, the client usually chooses an easy password which can be easily guessed. In
this scenario an attacker would deploy a dictionary attack, which uses a list of the most
commonly used passwords. The dictionary attack tries every commonly used password against
the system until it successfully logs in; the attacker then has a password which he can use to
masquerade as a legitimate client of the web application and perform tasks which he is not
authorized to do.
3.2.3 Countermeasures of poor authentication
Several countermeasures have been suggested in the literature, but the most common ones are
as follows:
Users should choose strong passwords with a combination of digits, special characters, and a
mix of capital and small letters etc.
Users should follow the principle of One-Time Passwords, where a password is used only once
to log in to the system.
A strong security policy for choosing passwords should be implemented by the administrator of
the web application.
A dual authentication system should be implemented in the web application for a better and
more reliable authentication process.
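The dictionary attack of section 3.2.2 succeeds only when the password is in the attacker's list and the server lets the attacker try the whole list. The following is an added example of the server-side half of the countermeasures above (it is not code from the thesis): a password policy that rejects weak or commonly used passwords at registration, salted PBKDF2 hashing, and a lockout counter that stops unlimited guessing. The common-password list, the account name and the thresholds are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed sample of a "commonly used password" dictionary. An attacker's
# list contains exactly such entries, so registration must refuse them.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "admin123"}


def password_policy_errors(password):
    """Return the policy rules a candidate violates (empty list = acceptable):
    length, digits, special characters, mixed case, and not in the dictionary."""
    errors = []
    if len(password) < 12:
        errors.append("shorter than 12 characters")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        errors.append("no mix of upper and lower case")
    if all(c.isalnum() for c in password):
        errors.append("no special character")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("appears in common-password dictionary")
    return errors


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; a stolen hash cannot be reused directly and
    the same password yields different hashes in different systems."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class LoginGuard:
    """Throttle repeated failures so a dictionary attack cannot run through its
    list: after max_failures wrong attempts the account is locked for lock_seconds.
    The clock is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, max_failures=5, lock_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, user):
        return self.clock() < self.locked_until.get(user, 0)

    def attempt(self, user, password, stored):
        """Verify password against stored (salt, digest); count failures and
        lock the account when the threshold is reached. Returns True on success."""
        if self.is_locked(user):
            return False  # refuse even a correct password while locked
        salt, digest = stored
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = self.clock() + self.lock_seconds
            self.failures[user] = 0
        return False
```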
3.3 Log Tampering
3.3.1 Overview of Log
In the most common language, a log can be explained as data maintained by the system which
contains the event log of operating system components. These log files contain information
such as changes in devices, drivers, the system, events etc.
3.3.2 What is log tampering?
These attacks target the log files on the system. An attacker first tries to access the system's
log files and then injects, modifies or forges log entries in them. Because the attacker has
modified the log entries, the modified log easily misleads a log audit; hence the attacker
succeeds in covering the traces of the attack and can continue performing unauthorized actions
on the system. To carry out this attack, the attacker first observes the system and may also
gain some knowledge of its logging format. After this homework, the attacker starts attacking
the system, either directly by modifying the content of the log files or through log injection
into the components of the system that write the logs.
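Both forms of the attack described above, direct editing of the file and injection through the component that writes the log, can be made detectable by an audit. The following is an added example, not code from the thesis: each entry is sanitized so user-supplied text cannot forge a second line, and carries an HMAC over its content and the previous entry's HMAC, so modifying, deleting, reordering or forging an entry breaks the chain. The key, the entries and the attacker's input are constructed for the example; the key is assumed to live on a separate log host, out of reach of an attacker who controls the web server.

```python
import hashlib
import hmac
import json

# Constructed demo key. In deployment it is held by the audit side (e.g. a
# separate log host), never on the host whose log is being protected.
LOG_KEY = b"demo-key-change-me"
GENESIS = "0" * 64  # "previous MAC" for the first entry


def sanitize(field):
    """Neutralize CR/LF so user-controlled text cannot inject a fake entry."""
    return field.replace("\r", "\\r").replace("\n", "\\n")


def _mac_for(entry):
    """HMAC over the entry's content and the MAC of the entry before it."""
    payload = json.dumps({k: entry[k] for k in ("seq", "event", "user", "prev")},
                         sort_keys=True)
    return hmac.new(LOG_KEY, payload.encode(), hashlib.sha256).hexdigest()


def append_entry(log, event, user):
    """Append a chained, authenticated entry to the in-memory log list."""
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"seq": len(log), "event": sanitize(event), "user": sanitize(user), "prev": prev}
    entry["mac"] = _mac_for(entry)
    log.append(entry)
    return entry


def verify_log(log):
    """Return -1 if the chain is intact, else the index of the first bad entry.
    Catches edited content, deleted or reordered entries, and entries forged
    without the key."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return i
        if not hmac.compare_digest(_mac_for(entry), entry.get("mac", "")):
            return i
        prev = entry["mac"]
    return -1


if __name__ == "__main__":
    log = []
    append_entry(log, "login failed", "alice")
    # Constructed attacker input that tries to inject a forged success line.
    append_entry(log, "login failed", "mallory\nlogin ok user=admin")
    append_entry(log, "login ok", "alice")
    print("intact:", verify_log(log))          # -1
    log[1]["event"] = "login ok"                # direct edit of the file
    print("first bad entry:", verify_log(log))  # 1
```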
3.3.3 Countermeasures for Log Tampering
Some of the common countermeasures for mitigating the log tampering are as follows: