Verification of web content integrity: a new approach to protect servers against tampering

The provision of web services is a real-time process, conducted in an ad hoc, ‘off the cuff’ manner. Consequently, the verification of the data content and the identification of any unauthorized data interference or manipulation are not without problems. Some progress has been made in addressing the verification of server content integrity, but current solutions are restricted by the limitations of the SSL protocol, the statelessness of HTTP, and difficulties with automatic code analysis. This paper reviews the problems associated with unauthorized data manipulation of static and dynamic web content, and presents a real-time web security framework that can be used to verify the static and dynamic web content of a requested page. It is suggested that such a framework will offer an increased level of user confidence, since the framework will provide much greater protection against web server subversion.
