
Project Synopsis

Website Security Analysis

Under the Supervision of
Ms. Renu Dalal

Submitted by:
Gaurav Sharma : 00110102713
Harshvardhan : 00910102713
Gaurav Singh : 06410102713

B. Tech. CSE 4th Year


Ambedkar Institute of Advanced
Communication Technologies & Research
GGSIPU, New Delhi

Abstract
Websites and web-based applications are prone to security risks, and so are any
networks to which web servers are connected. Security is a vital aspect of providing a
reliable service on the web. Website security is achieved by a number of network
protocols at all tiers, for which encryption and key generation algorithms are essential
to protect data integrity and confidentiality in transit.
Primarily, we will develop a cloud-deployed web application that will be secured
using firewalls, authentication measures, data encryption and intrusion detection
systems.
Secondly, we will perform penetration testing on the developed web application as
part of a routine security audit.
We will use current vulnerability analysis tools to demonstrate the various security
features of our website.

Introduction
The increasing penetration of web services has enticed attackers and made web
services prone to various attacks. A set of strong security algorithms is needed to
provide identity authentication and confidentiality [1]. The security algorithms need
to be strong enough that they cannot be broken in a feasible time frame even with the
most advanced computers.
The basic principles of information security apply to providing a reliable and secure
web service:
- Authentication: implemented by using secured protocols and algorithms for
  generating a private logged link between the user and the system.
- Confidentiality: implemented by encrypting traffic at the Transport and
  Application layers.
- Integrity: maintaining the integrity of data.
- Availability: availability of the service at all times is very important as more and
  more activities rely on the World Wide Web.
Most organisations rely on an ongoing, iterative process of risk management to assess
threats and vulnerabilities and to manage risk while striking a balance between the cost
and effectiveness of the countermeasures that protect the organisation's information
resources.
Penetration testing is an important element of the risk management process. A
penetration test is an attempt to evaluate the security of an IT infrastructure by safely
trying to exploit vulnerabilities. These vulnerabilities may exist in operating systems,
service and application flaws, improper configurations, or risky end-user behaviour.
Such assessments are also useful in validating the efficacy of defensive mechanisms,
as well as end-user adherence to security policies.

Functional Requirements
The proposed security algorithms, protocols and firewall must support the
following functions:
- Users must use a secured, JavaScript-enabled browser (Chrome, Firefox etc.).
- Users must be authenticated over a secured private connection with an anti-bot
  verification feature.
- Intrusion detection is the main link in the chain of prevention.
- The IP address of the user must be verified and monitored for unusual behaviour
  such as spoofing or redirecting.
- The website's firewall must reserve some ports on the target system.
- Offending IP addresses will be blacklisted, reports must be sent to both the admin
  and the user, and a quick solution must be made available.
- Security measures must be taken so that they do not affect the website's
  responsiveness, flexibility and interaction.

Background
The following keywords are used frequently in our analysis of the website:
Authentication: A security measure designed to verify the identity of a transmission,
user, user device, entity, or data. [3]
Back Door: A hidden software or hardware mechanism used to get around security
controls.
Firewall: Hardware or software that permits only authorized users to enter, and logs
attempted intrusions. [2]
Malicious Code: Any type of software capable of performing an unauthorized process
on an information system.
Phishing: Impersonating a legitimate entity to illegally acquire information via email,
phone calls, voicemail, or text messaging.
Spoofing: Impersonating another person or computer, usually by providing a false
email name, URL, domain name server, or IP address.
Spyware: Software that collects information without the user's informed consent.
Audit: A process conducted by qualified, independent auditors to review and examine
records and activities to verify compliance with applicable requirements, resulting in a
formal report that could require corrective action. [2]
Botnet: A group of computers that have the same bot installed, that can communicate
with and control each other, and that are usually used for malicious activities (creating
and sending spam email, propagating malicious software, or other cyber-attacks).

Technology Used
The website will be developed with JSP together with Java Servlets to ensure a
secured, worm-free environment.
Java will be used to code the authentication algorithms, which will be embedded in a
Java Server Page (JSP).
Since JSP uses Java, it is easily portable. It also offers higher performance than other
server-side technologies such as CGI and Perl.
We will use several tools (SQL Injector, Metasploit, w3af, pen-test tools etc.) for
penetration testing of our website, checking the strength of its defences.
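As an illustration of how the IP monitoring and blacklisting requirement above could be met inside the JSP/Servlet stack, here is an added example (not code from the project itself): a servlet filter that counts failed logins per client address, blacklists an address once a threshold is reached, and logs a report for the administrator. The threshold, the /login path and the use of a 401 status for a failed login are assumptions.

```java
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;

// Constructed example: per-IP failed-login counter with blacklisting and an admin report.
public class IpGuardFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(IpGuardFilter.class.getName());
    private static final int MAX_FAILURES = 5;          // assumed threshold
    private static final String LOGIN_PATH = "/login";  // assumed login servlet path

    private final Map<String, Integer> failures = new ConcurrentHashMap<>();
    private final Map<String, Long> blacklist = new ConcurrentHashMap<>();

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Socket address of the peer. Behind a reverse proxy this is the proxy's
        // address, so a trusted forwarding header would have to be mapped instead.
        String ip = request.getRemoteAddr();

        if (blacklist.containsKey(ip)) {
            LOG.warning("Blocked request from blacklisted IP " + ip);
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Your address has been blocked; please contact the administrator.");
            return;
        }
        chain.doFilter(req, res);

        // Only login responses are scored; the login servlet is assumed to answer 401 on failure.
        if (request.getRequestURI().endsWith(LOGIN_PATH)) {
            if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) {
                int count = failures.merge(ip, 1, Integer::sum);
                if (count >= MAX_FAILURES) {
                    blacklist.put(ip, System.currentTimeMillis());
                    failures.remove(ip);
                    LOG.severe("REPORT to admin: IP " + ip + " blacklisted after "
                            + count + " failed logins");
                }
            } else {
                failures.remove(ip);  // a successful login resets the counter
            }
        }
    }
}
```

The filter is registered for the login path in web.xml or with @WebFilter; an entry in the blacklist map would in practice also be expired after a fixed period so that the "quick solution" for a wrongly blocked user does not require manual intervention.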

References
1. William Stallings, Cryptography and Network Security: Principles and
Practices (2006), Pearson Education India.
2. M.T. Dlamini, J.H.P. Eloff, M.M. Eloff, Information Security: The Moving
Target (2009), Computers & Security (Vol. 28, Issues 3-4).
3. Lori M. Kaufman, Data Security in the World of Cloud Computing (2009),
IEEE Security & Privacy (Vol. 7, Issue 4).
