Securing Web Applications Thesis

This document presents a final thesis for the attainment of a master's degree in computer science. The thesis focuses on the security of web applications and presents tools for computer security, attacks against web applications, and proposes a secure architecture for a website.

DEMOCRATIC AND POPULAR ALGERIAN REPUBLIC

MINISTRY OF HIGHER EDUCATION AND SCIENTIFIC RESEARCH

MOHAMED BOUDIAF UNIVERSITY - M'SILA


FACULTY OF MATHEMATICS AND
INFORMATICS

DEPARTMENT OF COMPUTER SCIENCE

Final-year thesis


Presented for the award of the MASTER degree
Field: Mathematics and Computer Science
Computer Science
Specialty: Information and Communication Technology

By: DAHIA Youcef

SUBJECT

Securing web applications

Publicly defended in 2016 before a jury composed of:


……………………………… University of M'sila President
Mr. BENAZI Makhlouf University of M'sila Rapporteur
……………………………… University of M'sila Examiner
……………………………… University of M'sila Examiner

Promotion: 2015/2016
Acknowledgements

I would like to express my sincerest thanks to the people who have helped me and contributed to the development of this thesis.

These thanks go first to Mr. BENAZI Makhlouf, my supervisor, for his valuable advice and tailored guidance.

To the teaching staff of the computer science department, who make great efforts on behalf of Master's students.

To my colleagues and my friends.

Finally, a special thought to my parents and my family for their support in my choices and their unwavering attention; their encouragement and unconditional love have always accompanied me.

Table of contents
Title Page
Thank you
Table of contents
List of tables
List of figures
List of abbreviations
General introduction 1
Chapter 1: Tools of Cybersecurity

1 Introduction 3

2 Terminology of Information Security 3

3 The objective of computer security 4

4 The standards of information security 4


4.1 The International Organization for Standardization 4
4.2 The management of information systems security 6
5 The security mechanisms 6
5.1 Encryption 7
5.1.1 Symmetric cryptography algorithms (with secret keys) 7
5.1.2 Asymmetric cryptography algorithms (public and private key) 7
5.2 Tunneling and Virtual Private Networks (VPN) 8
5.3 Firewall 9
5.4 Antivirus 10
5.5 Intrusion Detection/Prevention System IDS/IPS Solution 10
5.6 Reverse proxy 11
6 Conclusion 12
Chapter 2: Application Security
1 Introduction 13
2 Principles and Concepts of Web Applications 13
3 Typology of web attacks 14
4 Good practices and countermeasures for securing web applications 16
4.1 PLAN 16

4.1.1 Application architecture 16
4.1.2 Definition of security rules 17
4.1.3 Risk Assessment 18
4.2 DO 18
4.2.1 Definition of defense in depth 18
4.2.2 The partitioning 19
4.2.3 High Availability 20
4.2.4 Multi-level defense of services 21
4.2.5 Choice of tools and staff training 22
4.3 Check 22
4.4 ACT 23
5 Conclusion 23
Chapter 3: Conceptual Analysis
1 Introduction 24
2 Definition of objectives 24
3 Modeling of the projected architecture 24
3.1 Use case diagram 25
3.1.1 Identification of system stakeholders 25

3.1.2 Identification of use cases 25


3.2 Activity Diagram 28
4 Architecture 31
5 Choice of tools and technologies to implement 33
5.1 The operating system 34
5.2 Endian Firewall 34
5.2.1 Netfilter 34
5.2.2 IDS/IPS SNORT 35
5.3 Reverse Proxy SQUID 36
6 Conclusion 37
CHAPTER 4: Implementation and Execution
1 Introduction 38
2 Preparation of the test platform 38
2.1 The components of the test platform 38
2.2 Addressing plan of the platform 39

3 Installation and configuration of the Endian Firewall 39
3.1 Installation 39
3.2 Configuration 40
3.3 Definition and application of firewall rules 40
3.3.1 Inter-Zone Traffic 40
3.3.2 Incoming traffic 41
3.3.3 Outgoing traffic 42
3.4 Configuration of the intrusion prevention probe 42
4 Installation and configuration of the SQUID reverse proxy 43
4.1 Installation 43
4.2 Configuration 44
5 Audit and monitoring 45
5.1 Setting up the audit station 45
5.2 Traffic monitoring interfaces 46
6 Conclusion 47
General conclusion 48
Bibliography and webography
Annexes
Summary

List of figures
Title Page
Figure 1.1: Symmetric cryptography 7

Figure 1.2: Asymmetric cryptography 8

Figure 1.3: VPN Mechanism 9

Figure 1.4: Operation of a firewall 10

Figure 1.5: Mechanism of a reverse proxy 11

Figure 2.1: The layers of web applications 13

Figure 2.2: Cenzic, Inc Report on Web Application Vulnerabilities (2013) 15

Figure 2.3: Comparison of vulnerability rates in 2011 and 2012 16

Figure 2.4: Secure web application architecture 20

Figure 3.1: Use case Administrator 26

Figure 3.2: Front office use case 27

Figure 3.3: Back Office Use Case 27

Figure 3.4: Front Office Activity Diagram 29

Figure 3.5: Activity Diagram Administration 30

Figure 3.6: Backup activity diagram 31

Figure 3.7: Proposed architecture for the website platform 32

Figure 4.1: Addressing plan of the platform 39

Figure 4.2: The configuration of inter-Zone traffic 41

Figure 4.3: The configuration of incoming traffic 41

Figure 4.4: The NAT source configuration 42

Figure 4.5: The outgoing traffic configuration 42

Figure 4.6: The configuration of the intrusion prevention probe 43

Figure 4.7: Live journaling of traffic 46

Figure 4.8: Monitoring the platform with the Ntop tool 47

List of abbreviations
AES: Advanced Encryption Standard
ANSSI: National Agency for the Security of Information Systems
ASP: Active Server Pages
ASVS: Application Security Verification Standard
CERT: Computer Emergency Response Team
CESTI: Center for Evaluation of Information Technology Security
CSRF: Cross-Site Request Forgery
CSS: Cascading Style Sheets
DES: Data Encryption Standard
DMZ: Demilitarized Zone
DNS: Domain Name System
DoS: Denial of Service
ESAPI: Enterprise Security API
FTP: File Transfer Protocol
HIDS: Host Based Intrusion Detection System
HTML: Hypertext Markup Language
HTTP: HyperText Transfer Protocol
IDS: Intrusion Detection System
IEC: International Electrotechnical Commission
IETF: Internet Engineering Task Force
HMI: Human Machine Interface
IPS: Intrusion Prevention System
IPSec: Internet Protocol Security
ISO: International Organization for Standardization
IT: Information Technology
JSP: Java Server Pages
L2F: Layer Two Forwarding
L2TP: Layer Two Tunneling Protocol
NAT: Network Address Translation
NIDS: Network Based Intrusion Detection System
OWASP: Open Web Application Security Project
PDCA: Plan, Do, Check, Act

POP3: Post Office Protocol version 3
PPTP: Point-to-Point Tunneling Protocol
RC4: Rivest Cipher 4
RSA: Rivest, Shamir, Adleman
Secunia PSI: Secunia Personal Software Inspector
DBMS: Database Management System
ISMS: Information Security Management System
SMTP: Simple Mail Transfer Protocol
SSH: Secure SHell
SSL: Secure Sockets Layer
TCP: Transmission Control Protocol
TLS: Transport Layer Security
UML: Unified Modeling Language
URL: Uniform Resource Locator
UTM: Unified Threat Management
VPN: Virtual Private Network
VRT: Vulnerability Research Team
WASC: Web Application Security Consortium
XML: Extensible Markup Language
XSS: Cross-Site Scripting

General introduction

The emergence of the web and the dynamism of the computer industry have changed our lives and made us dependent on these technologies for every type of transaction. Today everything can be done online: electronic shopping, social networks, banking transactions, etc.

This constant and revolutionary evolution in the use of new information and communication technologies has affected every field, and has brought with it threats that can harm private life and personal data, as well as the confidential data of individuals and companies.

For these reasons, the security aspect has come to the fore. It now represents a crucial asset for the company, which must guarantee a secure framework both for itself and for its users.

Cybersecurity experts affirm that zero risk cannot be achieved. Nevertheless, good practices exist and can reduce it considerably.

Given the hostile context of the internet, the constant emergence of threats, and the complexity of web applications that accompanies the arrival of new technologies, we face recurring questions:

How to secure a web application?
How to maintain the security of a web application?
What steps should be taken to secure a web application?

It is in this context that this work is situated, with a dual objective. Firstly, to conduct a thorough study of information security in general and web security in particular, as well as of the threats that companies must face. Secondly, to put the acquired knowledge into practice in order to secure a web application; this need is the subject of our thesis.

To this end, we address in this study the security aspect of web applications and the best practices to consider in a secure, high-availability architecture.


In the practical part, we define a typical architecture based on best practices for securing web applications, and implement essential tools that form a front barrier ensuring security at four levels:

Limiting access through the implementation and configuration of the open source Endian firewall.
Securing access to the website through the implementation and configuration of the open source reverse proxy SQUID.
Controlling incoming and outgoing packets through the open source intrusion detection solution Snort.

Our thesis is organized as follows:

Chapter 1 presents a study of the foundations of information security as a whole, and of the most widely used security tools and their functionalities.

Chapter 2 presents an overview of the mechanisms and basic concepts of web applications; we briefly expose the most common vulnerabilities and threats, and we discuss the best practices to consider for securing web applications.

Chapter 3 presents the conceptual analysis, in which we study the existing situation and define the objectives, use a modeling notation to describe the architecture that we are going to implement, and finally list the chosen tools while justifying our choice.

Chapter 4 provides an overview of all the steps taken in implementing the architecture and deploying the tools on which our choice was based.

Chapter 1
Tools of computer security
1 Introduction

To cope with a hostile computing environment in which we are constantly subjected to aggression of all kinds, it is essential to know what to arm oneself with, and against what.

In this context, this chapter provides an overview of the basic concepts and international standards, in order to become familiar with the field of computer security and its management, as well as a state of the art of IT security tools.

2 Terminology of computer security

Cybersecurity uses a well-defined vocabulary; first of all, we give a few definitions of the most commonly used terms:

Threat: the source of risk; it can be defined as a potential danger that can harm the proper functioning of the information system. This covers the availability of the system itself, the data, the use of the network, or the use of the system to plan an attack.
Vulnerability: a defect or weakness in the design of a system, its implementation, operation or administration that could be exploited to violate the security policy.
Impact: the consequence of the risk on the company and its objectives [1].
Intrusion: an event or combination of events allowing undue access (without authorization) to a system and its resources.
Countermeasures: the procedures or techniques used to fix a vulnerability or to counter a specific attack (in which case other attacks on the same vulnerability may remain possible).
Risk: the probability that a threat will exploit a vulnerability of the system; the pair (threat, vulnerability).
Intrusion detection: the analysis of events occurring in a system in order to find, in real time, near real time or deferred mode, unauthorized access attempts, and to notify the system administrator of these attempts immediately.


False positive: a detection in the absence of an attack; an alarm generated by an IDS (Intrusion Detection System) for a legitimate event.

False negative: an absence of detection in the presence of an attack; no alarm generated by an IDS for an illegitimate event.

3 The objective of information security

The main objective of computer security is to ensure that the system preserves the fundamental criteria, namely:

Integrity
Professor Jean REMAEKERS defines integrity as follows: "Integrity makes it possible to certify that data, processes or services have not been modified, altered or destroyed, whether intentionally or accidentally."
Availability
The availability of a resource is its accessibility and usability; it is measured over the period of time during which the offered service is operational.
Confidentiality
The International Organization for Standardization defines confidentiality as follows: "ensuring that information is only accessible to those whose access is authorized." In other words, confidentiality consists of protecting information against disclosure to a third party.
Authenticity
Authenticity is the proof that information truly comes from the person who issued it; this proof results from an authentication process.
Non-repudiation
During an exchange, one of the two parties may deny having taken part in it. This service protects the other party against such a denial.

4 The standards of computer security

4.1 The International Organization for Standardization

The International Organization for Standardization (ISO) is an international organization composed of representatives of the national standardization bodies of 164 countries.


This organization was created in 1947 with the aim of producing international standards in the industrial and commercial fields, called ISO standards.
These standards are useful to industrial and economic organizations of all types, to governments, to regulatory bodies, to economic leaders, to conformity assessment professionals, to suppliers and buyers of products and services, in both the public and private sectors, and ultimately they serve the interest of the public in general, as consumers and users.
The ISO 27000 family of standards helps organizations ensure the security of their information. These standards facilitate the management of information security, particularly financial data, documents subject to intellectual property, information relating to staff, or data entrusted to you by third parties.
ISO/IEC 27001, which sets out the requirements for Information Security Management Systems (ISMS), is the best-known standard in this family.

An ISMS is the systematic approach by which an organization ensures the security of sensitive information. Built on a risk management process, it encompasses people, processes and Information Technology (IT) systems.
This approach can be useful to organizations of all sectors and sizes that are committed to the confidentiality of their information.

Certification to ISO/IEC 27001

As with all other ISO management system standards, certification to ISO/IEC 27001 is a possibility, but not an obligation. Some users decide to implement the standard simply for the direct benefits of its best practices. Others choose certification to prove to their clients that they comply with the recommendations of the standard. ISO itself does not provide certification services.
Standards 27000 and 27001 are the best-known and most used. There are additional standards, namely:
ISO 27002: Catalogue of security measures
ISO 27003: Implementation of the ISMS
ISO 27004: Monitoring indicators of the ISMS
ISO 27005: Risk assessment and treatment
ISO 27007: Audit of the ISMS


We can also add the complementary standards that relate to our topic:

ISO 27031: Information technology -- Security techniques -- Guidelines for information and communication technology readiness for business continuity
ISO 27032: Information technology -- Security techniques -- Guidelines for cybersecurity
ISO 27033: Information technology -- Security techniques -- Network security
ISO 27034: Application security

4.2 The management of information system security

The management of cybersecurity by definition encompasses the people, processes and IT systems that ensure the security and protection of information systems.
The foundation of the Information Security Management System (ISMS) is the PDCA model (Plan, Do, Check, Act). This model can be summarized as follows:
Plan: identification and assessment of risks, in the form of a document detailing the security measures to be taken.
Do: allocation of the necessary resources and training of personnel, as well as application of the security measures defined in the planning process.
Check: regular audit, written up as a document detailing the corrections that can be envisaged.
Act: application of the patches (corrections).
Applying the PDCA model makes it possible to:
Set a policy and objectives for information security.
Apply the policy and achieve these objectives.
Control and improve.

5 The security mechanisms

The process of securing any information system first involves properly listing the objectives (what we want to secure and its level of criticality), in order to respond accurately to the organization's security needs, in the right measure.


The choice of security tools and their implementation represents the second phase (Do) of the PDCA model. We deemed it useful to briefly define the principles of encryption and tunneling, on which the majority of cybersecurity technologies rely, as well as the main security tools.

5.1 Encryption

"Cryptography is the method used to make information unreadable in order to guarantee access to a single authenticated recipient. The data conversion is carried out by means of a secret key" [5].
Encryption and decryption of data are carried out using algorithms called cryptographic algorithms. There are two types of cryptographic algorithms, namely:

5.1.1 Symmetric cryptographic algorithms (with secret keys)

The encryption and decryption keys are identical; security relies on the non-disclosure of the keys and on the resistance of the algorithms to attacks. The best known are: DES, IDEA, RC4 and AES.

Figure 1.1: Symmetric cryptography.

5.1.2 Asymmetric cryptography algorithms (public and private key)

The encryption and decryption keys are different; security relies on the fact that the time required to deduce the secret key associated with a public key is theoretically unreasonable.
The best known are: RSA, elliptic curves, Pohlig-Hellman, Rabin and ElGamal.
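To make the distinction between the two families concrete, here is an added worked example in Python (not code from the thesis): a toy stream cipher, where the same key encrypts and decrypts, beside textbook RSA, where the public key encrypts and a different private key decrypts. The key bytes, the nonce, the message and the two primes are constructed values chosen for the example; the hash-based keystream and unpadded RSA are shown only to illustrate the principle and are not a substitute for a vetted library.

```python
# Added example, not code from the thesis: the two key arrangements side by
# side. Both constructions are deliberately minimal teaching code; real
# systems use vetted primitives (AES-GCM, RSA-OAEP, ...) from a library.
import hashlib
import math
from typing import Tuple

Key = Tuple[int, int]  # (modulus n, exponent)


# --- Symmetric: ONE shared secret key, used for both directions -----------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with a keystream derived from the shared key."""
    ks = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def symmetric_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Decryption is the same operation with the same key: the keys are identical."""
    return symmetric_encrypt(key, nonce, ciphertext)


# --- Asymmetric: textbook RSA, public key encrypts, a DIFFERENT private key decrypts
def rsa_keygen(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Return ((n, e), (n, d)). p and q are passed in so the example is
    deterministic; a real key generator draws large random primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public_key: Key, m: int) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(private_key: Key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


def demo() -> dict:
    """Constructed values: shared key, nonce, message and two 7-digit primes."""
    key, nonce = b"constructed-shared-secret", b"nonce-01"
    msg = b"Pay 100 EUR to account 42"
    ct = symmetric_encrypt(key, nonce, msg)
    public, private = rsa_keygen(1000003, 999983)
    c = rsa_encrypt(public, 42)
    return {
        "symmetric_roundtrip": symmetric_decrypt(key, nonce, ct) == msg,
        "symmetric_wrong_key": symmetric_decrypt(b"other-key", nonce, ct) == msg,
        "rsa_roundtrip": rsa_decrypt(private, c) == 42,
        # the public exponent is not d, so "decrypting" with the public key fails
        "rsa_public_key_can_decrypt": rsa_decrypt(public, c) == 42,
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints a dictionary in which only the two round trips are true: the symmetric message comes back only under the same key, and the RSA message only under the private exponent.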


Figure 1.2: Asymmetric cryptography.

5.2 Tunneling and Virtual Private Networks (VPN)

A VPN allows two computing entities to communicate securely, using a transmission protocol called tunneling. The transmission is encrypted between the two ends of the tunnel.
Nowadays, the massive use of VPN tunnels is due to their easy and low-cost implementation.
There are various types of tunneling protocols; here are a few:
PPTP (Point-to-Point Tunneling Protocol) is a layer 2 protocol developed by Microsoft, 3Com, Ascend, US Robotics and ECI Telematics.
L2F (Layer Two Forwarding) is a layer 2 protocol developed by Cisco, Northern Telecom and Shiva.
L2TP (Layer Two Tunneling Protocol) merges the two protocols PPTP and L2F.
IPSec is a layer 3 protocol, resulting from the work of the IETF, allowing encrypted data to be transported over IP networks.
SSL/TLS
SSH


Figure 1.3: VPN Mechanism.

5.3 Firewall [6]

A firewall is a hardware or software solution implemented within the network infrastructure to filter access to defined network resources. It lets in only authorized users, those holding a key or a badge, and creates a protective layer between the network and the outside world. It is equipped with built-in filters that can prevent unauthorized or potentially dangerous documents from reaching the system. It also records intrusion attempts in a log sent to the network administrators.

It also makes it possible to control access to applications and to prevent them from being hijacked.
The firewall lets through all or part of the packets that are authorized, and blocks and logs the exchanges that are prohibited.
The firewall is an IDS that only detects attacks coming from outside the intranet; firewalls are necessary, but insufficient, to implement a security policy.
Some firewalls only let email through. In this way they rule out any attack other than one based on the mail service. Other, less strict firewalls only block services recognized as dangerous. Generally, firewalls are configured to protect against unauthenticated access from the external network. Figure 1.4 illustrates the operation of a firewall.


Figure 1.4: Operation of a firewall.

5.4 Antivirus

An antivirus is a piece of software that protects a machine against viruses. Antivirus programs rely on signature files and compare the virus signatures with the code to be checked. Some programs also apply a heuristic method, which aims to discover malicious code by its behavior.
An antivirus can scan the contents of a hard drive, but also the computer's memory. The more modern ones act upstream of the machine by scrutinizing file exchanges with the outside, in both incoming and outgoing flows. Thus emails are examined, but also files copied to or from removable media such as CD-ROMs, floppy disks, network connections, etc.
Today there are many antivirus programs, such as Norton Antivirus, McAfee Antivirus, Kaspersky Antivirus, etc.

5.5 Intrusion Detection/Prevention Solution IDS/IPS

An intrusion detection system (IDS) is a system that allows precise observation of the activity on a network or a host; it makes it possible to detect an intrusion and report it so that the necessary measures can be taken.
There are three types of IDS:
NIDS (Network Based Intrusion Detection System), intended for the network.
HIDS (Host Based Intrusion Detection System), intended for hosts.
Hybrid IDS (NIDS and HIDS), equipped with an alert escalation system.


Intrusion detection is based on the same principle as antivirus software: an IDS has a signature library.
An intrusion prevention solution (IPS) is similar to an intrusion detection solution in its operation; in addition to the detection function, it automatically applies a preventive measure during an attack. For example: blocking a port when an intrusion attempt on an open port is detected.
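The signature principle described for antivirus and IDS above, together with the false positive and false negative definitions from the terminology section, as an added example in Python (not code from the thesis and not Snort's rule engine): a handful of regular-expression signatures run over constructed web server log lines, then scored against a constructed ground truth. The signature patterns, the log lines (RFC 5737 documentation addresses) and the labels are all assumptions made for the example.

```python
# Added example, not code from the thesis: a minimal signature-based network
# intrusion detector in the spirit of Snort, run over constructed HTTP access
# log lines and then scored against a constructed ground truth to illustrate
# the false positive / false negative definitions.
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Illustrative signature library (regular expressions over the request line).
# These are NOT Snort rules, just patterns standing in for a signature file.
SIGNATURES: Dict[str, re.Pattern] = {
    "sqli-tautology": re.compile(r"('|%27)\s*or\s+'?\d+'?\s*=\s*'?\d+", re.IGNORECASE),
    "path-traversal": re.compile(r"(\.\./|%2e%2e%2f)", re.IGNORECASE),
    "xss-script-tag": re.compile(r"<script", re.IGNORECASE),
    "etc-passwd": re.compile(r"/etc/passwd"),
}

# Simplified common log format: src - - [timestamp] "request line" status size
LOG_LINE = re.compile(
    r'^(?P<src>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2016:10:00:01 +0100] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [10/May/2016:10:00:07 +0100] "GET /search.php?q=' or 1=1-- HTTP/1.1" 200 2048
198.51.100.7 - - [10/May/2016:10:01:13 +0100] "GET /download.php?file=../../etc/passwd HTTP/1.1" 404 188
192.0.2.9 - - [10/May/2016:10:02:44 +0100] "GET /help.php?topic=../faq/general HTTP/1.1" 200 900
198.51.100.7 - - [10/May/2016:10:03:02 +0100] "GET /admin/config.php.bak HTTP/1.1" 403 150
"""

# Constructed ground truth for each line above (what an analyst would conclude):
# line 1 benign, 2 attack, 3 attack, 4 benign (the application legitimately
# passes a relative path), 5 attack (probe for a backup copy of a config file).
GROUND_TRUTH = [False, True, True, False, True]


@dataclass
class Event:
    src: str
    request: str
    status: str
    hits: List[str] = field(default_factory=list)  # matched signature names


def parse_log(text: str) -> List[Event]:
    """Parse the simplified access-log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events.append(Event(m["src"], m["request"], m["status"]))
    return events


def detect(events: List[Event]) -> List[Event]:
    """Signature matching: every event whose request line matches a pattern is alerted."""
    alerts = []
    for ev in events:
        ev.hits = [name for name, pat in SIGNATURES.items() if pat.search(ev.request)]
        if ev.hits:
            alerts.append(ev)
    return alerts


def evaluate(events: List[Event], truth: List[bool]) -> Dict[str, int]:
    """Confusion counts after detect(): tp, fp (false positive), fn (false negative), tn."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for ev, is_attack in zip(events, truth):
        alerted = bool(ev.hits)
        if alerted and is_attack:
            counts["tp"] += 1
        elif alerted and not is_attack:
            counts["fp"] += 1  # alarm for a legitimate event
        elif not alerted and is_attack:
            counts["fn"] += 1  # attack with no alarm: no signature covers it
        else:
            counts["tn"] += 1
    return counts


def run_demo() -> Dict[str, int]:
    events = parse_log(SAMPLE_LOG)
    for ev in detect(events):
        print(f"ALERT {ev.src} {ev.request!r} -> {', '.join(ev.hits)}")
    return evaluate(events, GROUND_TRUTH)


if __name__ == "__main__":
    print(run_demo())
```

On the sample log the detector raises three alerts: two true positives, one false positive (the legitimate relative path in line 4 trips the traversal signature) and one false negative (the backup-file probe in line 5 matches nothing), which is exactly the trade-off an IDS operator tunes a signature set against.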

5.6 Reverse proxy

A reverse proxy, commonly called a front-end proxy server, relays the requests of external internet users to internal servers; it thus performs the function of a proxy in the reverse direction.
In terms of cybersecurity, the reverse proxy provides the following benefits:
control of external access to internal servers;
distribution of the load among several servers;
cache management;
traffic auditing and monitoring;
etc.

Figure 1.5: Mechanism of a reverse proxy.


6 Conclusion

This chapter has allowed us to understand some concepts essential to the implementation of computer security, which requires a whole management system.
The second part of the chapter helped us understand the functioning of the main computer security tools.
In the next chapter we discuss web applications, their mechanisms and basic concepts; we briefly expose the most significant vulnerabilities and threats encountered, in order to show the good practices to follow for the security of web applications.

Chapter 2
The security of web applications
1 Introduction

Web attacks can have harmful effects on any business that has a website. In this context, it is essential to understand how web applications work, and the typology of attacks, in order to accurately define the security approach to undertake for their protection, relying on best practices.

2 Principles and concepts of web applications

"There are only two types of companies: those that have been hacked and those that will be," said Robert S. Mueller, director of the FBI.
In terms of software architecture, web applications are in permanent evolution and are becoming increasingly complex. This complexity is felt at several points: an operation that involves several machines, development logic that relies on other existing applications, and the interoperability of the programming languages used.
Web applications are generally based on a three-tier client-server architecture. A three-tier architecture is defined by these three layers:

The presentation layer: it corresponds to the human-machine interface, that is, how the user interacts graphically with the application.
The business layer: it corresponds to the functional aspect of the application.
The data layer: it corresponds to access to the data as well as the data itself.
Figure 2.1 illustrates the principle of web application layers.

Figure 2.1: The layers of web applications.


This architecture results in a number of components:

The web server
The application server
The database server
An evolution in programming languages also goes hand in hand with the complexity of the software architecture of web applications; indeed, with the emergence of Web 2.0, a panoply of technologies has brought a new vision to web application development. Among the server-side technologies we can mention: JSP, [Link], etc.
On the browser side, we can mention: JavaScript, HTML, CSS, XML, Java, ActiveX, Flash, etc.

3 Typology of web attacks

To properly assess the threat that a company should expect, knowledge of the typology of web attacks is necessary. In this chapter we present the most frequently encountered attacks, based on the classification of web application vulnerabilities and attacks developed by WASC (Web Application Security Consortium).
WASC categorized attacks into six distinct categories:
The "Authentication" category groups web site attacks that target the identity validation system for a user, a service or an application.
The "Authorization" category encompasses all web site attacks aimed at the system that verifies the rights of a user, a service or an application to perform an action in the application.
The "Client-side Attacks" category brings together attacks targeting the user while he uses the application.
The "Command Execution" category encompasses all attacks that allow commands to be executed on one of the components of the website architecture.
The "Information Disclosure" category defines the set of attacks that allow hidden information or features to be discovered.
The "Logical Attacks" category characterizes attacks that use application processes (password change system, account creation system, etc.) for hostile ends.
The Open Web Application Security Project (OWASP) is a public community that helps organizations develop, purchase and maintain reliable applications.


For its part, OWASP periodically publishes a comprehensive list called the "TOP 10", ranking the most common threats to web applications in order of importance; note that the information mentioned here is taken from the most recent version (2013) published by OWASP.
In figure 2.2, we compare the different threats mentioned in table 2.1. For more information on the top 10 threats, see the annex.

[Figure 2.2: pie chart of vulnerability categories: XSS, Info Leakage, Session Management, Authentication & Authorization, CSRF, SQL Injection, Web Server Version, Remote Code Execution, Web Server Configuration, Unauthorized Directory Access; shares shown: 26%, 16%, 16%, 13%, 8%, 6%, 5%, 5%, 3%, 2%]

Figure 2.2: Cenzic, Inc report on web application vulnerabilities (2013).

Top 10 OWASP
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards


In figure 2.3 we compare the vulnerability rates in 2011 and 2012 (Cenzic Application Vulnerability Trends Report, 2013).

[Figure 2.3: bar chart, vertical axis 0 to 30, two series: 2011 and 2012]

Figure 2.3: Comparison of vulnerability rates in 2011 and 2012.

4 Good practices and countermeasures for securing web applications

Opinions differ on the formulation of best practices and security measures for web applications, but they all follow the same method, namely the PDCA method (Plan, Do, Check, Act), also known as the Deming wheel, mentioned in Chapter 1 in the section "The management of information system security". In this part we detail each step while emphasizing the best practices to retain and implement before, during and after the realization of a web application.

4.1 PLAN

4.1.1 Application Architecture

The first brick in securing web applications is laid at their design, and it extends throughout the lifecycle of the web application. It is imperative to adopt good development practices to address threats targeting the code of web applications.
There are many guides summarizing the requirements and best practices to follow for secure development; we cite:


ASVS "Application Security Verification Standard"
The OWASP "Enterprise Security API" (ESAPI) project
HALFOND 06

According to the French information security club CLUSIF, the main guidelines of secure development can be summarized in the following steps:
a. Input validation;
b. Limitation of the attack surface;
c. Application of the principle of least privilege;
d. Proper management of technical errors;
e. Proper management of technical traces (logs);
f. Do not rely on security through obscurity;
g. Do not confuse a security function or tool with a secure functionality.
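Guidelines (a), (c), (d) and (e) above, applied to one endpoint of a small request handler as an added example in Python (not code from the thesis or from CLUSIF): whitelist validation of a parameter, a read-only data accessor standing in for least privilege, generic error messages to the client, and the technical detail kept in the server log under an incident identifier. The article store, the ids and the BrokenRepo failure case are constructed for the example.

```python
# Added example, not code from the thesis or from CLUSIF: a request handler
# that applies guidelines (a), (c), (d) and (e) to one endpoint.
import logging
import re
import uuid
from typing import Dict, Tuple

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("webapp")

# (a) Input validation by whitelist: an article id is 1 to 9 decimal digits, nothing else.
ARTICLE_ID = re.compile(r"[0-9]{1,9}")

# Constructed in-memory data store standing in for the database.
ARTICLES = {42: "Welcome to the site", 7: "Maintenance notice"}


class ReadOnlyArticles:
    """(c) Least privilege: this accessor can read articles, never write or delete."""

    def __init__(self, store: Dict[int, str]) -> None:
        self._store = store

    def get(self, article_id: int) -> str:
        return self._store[article_id]  # KeyError when the id does not exist


class BrokenRepo:
    """Constructed failure case: simulates a backend outage with a revealing message."""

    def get(self, article_id: int) -> str:
        raise RuntimeError("connection refused to db-internal:5432 (user=app_ro)")


def validate_article_id(raw: str) -> int:
    if not isinstance(raw, str) or not ARTICLE_ID.fullmatch(raw):
        raise ValueError("article id must be 1 to 9 decimal digits")
    return int(raw)


Response = Tuple[int, Dict[str, str]]  # (HTTP status, JSON-like body)


def handle_get_article(raw_id: str, repo=ReadOnlyArticles(ARTICLES)) -> Response:
    """Serve GET /article?id=<raw_id>. The client only ever sees generic messages."""
    try:
        article_id = validate_article_id(raw_id)
    except ValueError as exc:
        # (e) the technical trace goes to the server log, not to the response
        log.info("rejected article id %r: %s", raw_id, exc)
        return 400, {"error": "invalid request"}
    try:
        return 200, {"title": repo.get(article_id)}
    except KeyError:
        return 404, {"error": "not found"}
    except Exception:
        # (d) technical error: full traceback in the log under an incident id,
        # generic message plus the id for the client, so support can correlate.
        incident = uuid.uuid4().hex[:12]
        log.exception("incident %s serving article %d", incident, article_id)
        return 500, {"error": "internal error", "incident": incident}


if __name__ == "__main__":
    for raw in ("42", "42; DROP TABLE articles", "999"):
        print(raw, "->", handle_get_article(raw))
    print("outage ->", handle_get_article("42", BrokenRepo()))
```

The point of the outage case is what the client does not receive: the host name, port and database user from the exception stay in the server log, and the response carries only a generic message and an incident id that the operator can look up.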

4.1.2 Definition of security rules

Once the application is designed, we can determine the appropriate security strategy, based on the criticality of the web application, the classification of the information stored and exchanged (confidential or not), access, etc.
As examples, here are aspects that can be addressed and detailed in the security strategy:
usage charter
remote access
information protection
machine security
application security
configuration management
change management (patch management policy)
identity management
network security
management of access to active network elements
etc.


4.1.3 Risk Assessment

Risk assessment can be conducted using one of the many approved methods in use in different organizations, among which: the MEHARI method, EBIOS, MARION, COBIT, OCTAVE, etc.
The result of the risk analysis is part of the approach to securing the web application and represents the foundation on which rest:
- the security policy to be undertaken and its evolution;
- the definition of priorities, by breaking the solution down into elements ranging from the most critical to the least critical and acting accordingly;
- the preparation of a business continuity plan or a recovery plan.
It should be noted that at this stage it is imperative to determine a measure for each identified risk and to formalize it in a document that will be used in the next step.

4.2 DO

This phase consists of describing and implementing the security measures identified in the PLAN phase.
In our case, we detail the generic and fundamental measures that can be foreseen, but it should be noted that the measures vary from one web application to another according to its criticality.

4.2.1 Definition of defense in depth

Defense in depth, a term borrowed from a military technique intended to delay the enemy, consists of exploiting several security techniques in order to reduce the risk when a particular security component is compromised or fails.
As stated in the definition, defense in depth is a strategy that consists of putting in place multiple security measures serving as barriers to reduce the risk. According to CLUSIF and its study entitled "Defense in Depth of Web Applications", defense in depth is governed by five fundamentals:
- Isolate the web application with independent and successive lines of defense; each zone thus created has a uniform and coherent level of security. These zones are called demilitarized zones (DMZ).
- Ensure continuity and recovery of service in case of an incident.
- Ensure multi-level defense of services: at the network level, at the operating system level and at the application level.
- Only allow what is strictly necessary for the functioning of the web application.
- Only implement barriers that are controlled, both technically and organizationally.

4.2.2 The partitioning

Partitioning is achieved through the implementation of the security techniques/tools detailed in chapter 1, section "The security mechanisms". In general, these are the following techniques and tools: firewall, IDS/IPS, VPN, reverse proxy and DMZ. In an n-tier architecture, we can compartmentalize by segmenting the platform into four DMZs:
- Front DMZ (DMZ Frontale): aims to clean the traffic coming from the internet and relieve the lower DMZs of all processing related to traffic cleaning. This DMZ contains: IPS/IDS, firewall (application and physical), reverse proxy, load balancing.
- Public DMZ: a DMZ dedicated to the web server.
- Restricted DMZ: a DMZ containing the application server(s), with a firewall at its entrance.
- Private DMZ: the most critical DMZ, as it hosts the data server.
To recap this architecture, the corresponding diagram is shown below:


[Figure 2.4: diagram showing, from the internet inward, a front DMZ (DNS, reverse proxy, WAF, IDS/IPS), a public DMZ (web servers), a restricted DMZ (application servers) behind IDS/IPS probes, and a private DMZ (database servers), duplicated on a remote production site and a remote backup site.]

Figure 2.4: Architecture of a secure web application.

4.2.3 High Availability

High availability can be ensured by addressing two cases of unavailability:
- The first scenario is unavailability of the service caused by demand for the service and the increase in load; this problem can be remedied through load balancing.
- The second scenario is unavailability of the platform or one of its components following an incident; to address it, a second, backup site must be planned, which takes over if the production site does not respond.

4.2.4 Multi-level defense of services

Multi-level defense of services means taking charge of the security aspect at several levels, namely: network level, operating system level and application level.
Multi-level defense of services can be ensured by the rules that the French National Agency for the Security of Information Systems (ANSSI) set out in its technical note "Recommendations for securing websites":
- The hardware and software architecture of the website and its hosting infrastructure must respect the principle of defense in depth.
- A precise flow matrix must be established, for both incoming and outgoing traffic, and its compliance must be enforced by network filtering.
- The application components used must be limited to what is strictly necessary.
- The application components used must be inventoried and kept up to date.
- The administration of a website must be done through secure protocols.
- Access to administration mechanisms must be restricted to specific, authorized administration workstations.
- Administrators must be securely authenticated.
- The principle of least privilege must be applied to all elements of the system.
- The rights on the database must be managed finely to implement the principle of least privilege.
- Queries addressed to the database must be made using strongly typed prepared statements or through an abstraction layer ensuring control of the parameters.
- Session identifiers must be random and have an entropy of at least 128 bits.
- The HTTPS protocol must be used whenever possible, as soon as a session is associated with specific privileges.
- For sensitive actions, mechanisms must be implemented to ensure the legitimacy of the request.
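As an added example (not part of the thesis), the following Python code illustrates two of the ANSSI rules above: a session identifier carrying at least 128 bits of entropy, and a strongly typed prepared statement compared with a query built by string concatenation. The in-memory SQLite users table, the logins and the user segments (public / professional, as in chapter 3) are constructed for the example.

```python
import math
import secrets
import sqlite3

ANSSI_MIN_SESSION_ENTROPY_BITS = 128  # minimum cited in the ANSSI recommendations
SESSION_ID_BYTES = 16                  # 16 random bytes = 128 bits


def new_session_id() -> str:
    """Random session identifier: 16 bytes from the OS CSPRNG, hex-encoded (32 chars)."""
    return secrets.token_hex(SESSION_ID_BYTES)


def session_id_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of an identifier of `length` symbols drawn uniformly and
    independently from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def meets_anssi_minimum(alphabet_size: int, length: int) -> bool:
    """True when a uniformly random identifier scheme reaches the 128-bit minimum."""
    return session_id_entropy_bits(alphabet_size, length) >= ANSSI_MIN_SESSION_ENTROPY_BITS


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table (segments as in chapter 3: public / professional)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT NOT NULL, segment TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (login, segment) VALUES (?, ?)",
        [("alice", "professional"), ("o'brien", "public")],
    )
    conn.commit()
    return conn


def find_user_concatenated(conn: sqlite3.Connection, login: str) -> list:
    """Query built by string concatenation: the login becomes part of the SQL text, so
    a login containing a quote changes the structure of the statement instead of
    being treated as data."""
    sql = "SELECT login, segment FROM users WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def find_user_prepared(conn: sqlite3.Connection, login: str) -> list:
    """Parameterised (prepared) query: the login is bound as a typed value and the
    database never interprets its content as SQL."""
    return conn.execute(
        "SELECT login, segment FROM users WHERE login = ?", (login,)
    ).fetchall()


def concatenation_breaks_on(conn: sqlite3.Connection, login: str) -> bool:
    """True if the concatenated query fails to parse for this login: a symptom that
    user input reaches the SQL parser, which the prepared form rules out."""
    try:
        find_user_concatenated(conn, login)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    sid = new_session_id()
    print("session id:", sid, "->", session_id_entropy_bits(16, len(sid)), "bits")
    print("6-digit numeric id:", round(session_id_entropy_bits(10, 6), 1), "bits (too weak)")
    db = build_demo_db()
    print("prepared lookup of o'brien:", find_user_prepared(db, "o'brien"))
    print("concatenated lookup of o'brien breaks:", concatenation_breaks_on(db, "o'brien"))
```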


4.2.5 Choice of tools and staff training

The choice of security tools must focus on reliable tools; the acquisition of tools goes together with the allocation of the human resources necessary for the administration and maintenance of security. Training of the technical personnel operating the platform is also required.

4.3 Check

The check phase is dedicated to controlling the actions carried out in the DO phase; it is done through:
- A regular audit: the purpose of the audit is to monitor the compliance of the web application, considering all aspects, including the organizational aspect. The audit must be documented.
- The implementation of the various technical security tests of the platform: the tests to be conducted concern the different layers hosting the web application: networks, systems, hardware, software, database and applications. There is a wide range of tools intended for vulnerability testing; we cite as examples:
  - Kali Linux, a distribution dedicated to security testing covering the various layers.
  - Specialized websites for detecting vulnerabilities of online websites, for example the site [Link] to test the "Heartbleed" vulnerability.
  - Tools for detecting vulnerable software present on an operating system, for example: Secunia Personal Software Inspector (Secunia PSI), Kaspersky Endpoint Security 10.
  - Trusted sites specialized in the publication and listing of vulnerabilities, for example: CERT (Computer Emergency Response Team), CESTI (Information Technology Security Evaluation Center), Security Focus (SYMANTEC).
- The verification of the application of security procedures: where the security policy was established from the outset and the web solution was documented through procedures, it is imperative to verify the application of all these procedures and rules.
- Log analysis and supervision of tools: the different software and hardware tools used in securing the web application generate logs; these must be monitored and meticulously analyzed to identify any anomalies, malfunctions or doubtful behavior of the system.


4.4 ACT

This phase includes all the corrective actions to be taken to address the
vulnerabilities identified during the CHECK phase.

5. Conclusion

This chapter outlined the methodology to be followed for the implementation of a web application architecture with lower risk.
The following chapter presents a detailed analysis that models the projected architecture using the UML language, in order to define the architecture to be implemented and the appropriate tools.

Chapter 3
Conceptual analysis
1 Introduction

At the end of the study conducted in the previous chapters, where we covered web applications, their principles and concepts, and the best practices to follow for their security, this chapter first presents a study of the existing situation and lists the objectives to be achieved. Subsequently, we present a modeling of the projected architecture based on the UML language, to define the architecture to be implemented and the appropriate tools.

2 Definition of Objectives

The priority objective is to secure the hosted website before it goes into final production. To achieve this goal, we propose an architecture that will, on the one hand, apply best practices in securing web applications and, on the other hand, respect security standards through the implementation of the necessary security tools, while adapting to the environment intended to host the site.
As a result, the proposed architecture will optimize access to the site and secure the interaction among the different components of the platform, which will offer flexibility to the user requesting a more efficient website and to the system/network administrator in charge of the platform.

3 Modeling of the projected architecture

At this level, we model the architecture to be designed and its various actors with the help of UML (Unified Modeling Language), which allows us to study in detail the functional aspect through the description of each interaction that will take place between the different stakeholders and the proposed architecture.


3.1 Use case diagram

3.1.1 Identification of the actors in the system

The primary actors are:
- The system/network administrator: the person responsible for the proper functioning of the platform, who performs the following tasks:
  - platform supervision: physical servers, operating systems, database, log analysis, connection tracking, etc.;
  - installation, configuration and updates of systems;
  - backup monitoring;
  - maintaining the level of security;
  - intervention in case of breakdown or malfunction.
- The user of the website (front office): a person who visits the website and views its different sections; this can be:
  - User level 1: a member of the general public segment; consultation does not require authentication and is done over HTTP.
  - User level 2: a member of the professional segment; consultation requires authentication and is done over HTTPS.
- The back office administrator: a person responsible for managing the content of the site; this can be:
  - Webmaster: responsible for managing profiles, content and the proper functioning of the site in its functional aspect.
  - Editor and validator: two profiles responsible for content insertion and its validation.
  The administrator authenticates to access the administration page over HTTPS.
- Hacker: any person whose goal is to harm the functioning of the site and the platform.

3.1.2 Identification of use cases

For each identified actor, we define the different goals they seek to reach.


The goals of the administrator:
- install, configure and update the platform;
- supervise the platform (servers, traffic, intrusions...);
- analyze the logs and alerts;
- intervene in case of breakdown or malfunction.
The goals of front office users:
- consult the site: generate statistics, download documents, ask questions, etc.
The goals of the back office administrator:
- administer the site;
- insert and validate content.
Administrator use case:

[Figure 3.1: use case diagram of the system administrator. Use cases: install, configure, update, check backup, supervise (extended by monitor servers and monitor network), analyze the logs, perform maintenance; each includes "log in".]

Figure 3.1: Administrator use case.



Front office user use case:

[Figure 3.2: use case diagram of the front office users. Level 1 users consult the site, extended by generate statistics, download documents and ask questions; level 2 users additionally authenticate (include).]

Figure 3.2: Front office use case.

Back office administrator use case:

[Figure 3.3: use case diagram of the back office administrator. Use cases: insert, delete, update and publish content (each including authentication) and manage users, extended by create user, delete user, modify user, create profile and assign profile.]

Figure 3.3: Back office use case.


3.2 Activity diagram


An activity diagram allows modeling the behavior of the system, including the sequence of actions and their execution conditions.
The activity diagram will allow us to highlight the flow of requests made by each actor; on the basis of this interaction between each component, we will be able to outline, on the one hand, the typical architecture that will accurately meet our needs in terms of securing the website and, on the other hand, the security policy that must be established.
Figure 3.4 shows the front office activity diagram related to the actor "front office user"; this diagram details the tracking of the request from its issuance to its end, taking into account all possible scenarios.


[Figure 3.4: activity diagram with swimlanes Front office, IDS, Firewall, Reverse proxy, Web server, Database server. The user enters a URL; the IDS analyzes the packet and generates logs and alerts; the firewall filters the packet and denies access unless the address and port are authorized; the reverse proxy searches its cache for the page and displays it if present, otherwise forwards the packet; the web server reads and decodes the packet and queries the database through the firewall (same address and port check); the database server searches for the data and returns an error message if it does not exist, otherwise sends the data back through the firewall; the web server generates the web page, which is forwarded and displayed to the user.]

Figure 3.4: Front office activity diagram.


Figure 3.5 shows the administrator activity diagram related to the actor "administrator"; the diagram details the tracking of the latter's request to administer the platform, from its issuance to its end, taking into account all possible scenarios.

[Figure 3.5: activity diagram with swimlanes Administrator, Firewall, Monitoring and administration server, Backup server, DB server, Web server, Reverse proxy. The administrator authenticates on the monitoring and administration server; if the login and password are correct, the request to connect to a server is forwarded; the firewall checks that the address and ports are authorized, otherwise access is denied; the administrator then authenticates on the target server (backup, DB, web or reverse proxy) and administers it.]

Figure 3.5: Administration activity diagram.


Figure 3.6 shows the backup activity diagram.

[Figure 3.6: activity diagram with swimlanes Backup server, Firewall, Administration and monitoring server, Database server, Web server. The backup server starts a backup on server X; the packet is forwarded through the firewall, which denies access if it is not authorized; the backup server authenticates on each target server, transfers the backup and saves it.]

Figure 3.6: Backup activity diagram.

4 Architecture

In order to achieve the selected objectives, we propose the architecture presented in figure 3.7.

Figure 3.7: Projected architecture for the website platform.

We have brought the concept of partitioning into the architecture through the implementation of demilitarized zones (DMZ); these are classified by order of criticality, going from the public DMZ hosting the web server, to the restricted DMZ for the monitoring and backup servers, to the most critical, private DMZ for the database server.
We grouped the reverse proxy server with the web server, and we put a probe at the entrance of the platform. The proposed architecture can be explained as follows:
- Requests coming from outside pass through the physical firewall and undergo a preliminary analysis; the allowed packets are routed to our second, software firewall, where they are inspected by a probe to detect any suspicious activity (logging is ensured at this level), then filtered by the firewall.
- Only HTTP and HTTPS requests from the outside requesting the web page can pass through the firewall; they are redirected to the reverse proxy server and subsequently to the web server. The rest of the requests are systematically rejected by the firewall.
- The web server queries the database server through the firewall; the latter is responsible for redirecting the request from the web server (public DMZ) to the database server (private DMZ), and only database queries are allowed to pass.
- The return of the database query is done in the same way, and is routed to the external user through the firewall, which handles redirecting the response from the web server to the outside.
- The backup server located in the restricted DMZ is responsible for making backups of the platform's servers; it crosses the firewall towards both DMZs to back up the web, reverse proxy and database servers using a well-defined service and ports.
- The monitoring/administration server manages the entire platform; it has secured access to all components of the platform, and logins are made over SSH and through secured interfaces over HTTPS.

5 Choice of tools and technologies to implement

The tools used in the design of our architecture are free (open source) tools. Our choice was to use open tools for the benefits they offer, namely:
- The cost of acquisition: the acquisition cost of free software is minimal and most of the time nil, which is an asset for the realization of a reliable project at low cost.
- Adaptability: open source software is characterized by its adaptability; in other words, we use only what we need, and we have the ability to add modules and features according to our needs. This flexibility allows the user to achieve his goal with precision.
- The quality and stability of the product: the ongoing contribution of developers from the open source community allows, on the one hand, products to be improved and, on the other hand, stable versions to be offered on which the user can rely. For example, Linux distributions are among the most stable in terms of security.


- Mutual aid communities: a very large community has formed around open source software; it is now enough to post any problem encountered on a forum to get help resolving it.
Based on all these advantages and the feedback gathered on the tools that we are going to implement, our choice has been set on the following products:

5.1 The operating system


The operating system installed on all the servers of the test platform is Ubuntu 14.04, Server and Desktop versions. We opted for these distributions for the advantages they offer, namely:
- easy and quick installation;
- reputed stability;
- available documentation;
- free of charge;
- simple and powerful configuration tools.

5.2 Endian Firewall


Endian Firewall is an open source Linux distribution dedicated to security; it is a very comprehensive appliance based on unified threat management (UTM), integrating several functions to ensure maximum protection against all forms of threats combined.
Endian Firewall includes a stateful firewall, proxy servers for many protocols (HTTP, FTP, POP3, SMTP), an antivirus (ClamAV by default), an effective anti-spam, a web content filtering solution, an intrusion detection and prevention solution and a VPN (Virtual Private Network) for roaming users.
Endian Firewall bundles several software applications and integrates them into a single product to facilitate their operation and administration; among these, we mention the most prominent:

5.2.1 Netfilter
Netfilter is the firewall built into the Linux kernel, present since version 2.4. It is the successor of ipchains, and is aimed at controlling, modifying and filtering IP packets and at tracking connections.


In terms of functionality, Netfilter is characterized by:
- better integration with the Linux kernel, with speed and reliability in packet processing;
- stateful inspection: the firewall can track each connection, and even the content of the flows, in order to anticipate the upcoming actions of certain protocols;
- packet filtering using the MAC address and the values of the flags in the TCP header;
- system logging, with an adjustable level of detail of the reports;
- better Network Address Translation (NAT);
- support for the seamless integration of web proxy servers (e.g. Squid);
- a rate-limiting feature for blocking some types of denial of service (DoS) attacks. [14]
Netfilter consists of three processing tables, each dedicated to a form of activity.

5.2.2 IDS/IPS SNORT


The open source intrusion detection and prevention technology Snort was created in 1998 by Martin Roesch, founder of Sourcefire. It uses a rule-based language that combines the advantages of signature-, protocol- and anomaly-based inspection methods. Its speed, power and performance quickly established it. With nearly 4 million downloads to date, Snort has become the most widely deployed intrusion prevention and detection technology in the world.
The great accessibility of the open source technology Snort offers many advantages:
- Because the source code is open, development is much faster than in the case of proprietary models.
- A vast community of security experts continuously examines and tests the code and suggests improvements.
- Engineers and security professionals from around the world write Snort rules at all hours of the day, often in record time, in order to counter new and constantly evolving threats.

Snort rules allow traffic to be inspected while ensuring that they are capable of preventing the exploitation of the vulnerability for which they were designed. Their format is the current standard in the sector, used by security experts worldwide.
This is an open format that offers various possibilities to customers:
- check that a rule provides full protection against a vulnerability;
- create new rules or modify existing rules to detect potential problems associated with customized or unusual services;
- leverage the widely accessible rules proposed by a community of hundreds of thousands of Snort users.
The vulnerability detection rules formulated by the Sourcefire Vulnerability Research Team (VRT) constitute the official rules of [Link] and are used by the Sourcefire 3D System. The VRT rules differ in various ways from traditional exploit-based signatures, which offer no protection against unknown or "zero-day" threats:
- they provide protection against any type of exploitation of a vulnerability;
- they protect customers before exploits are released, and they trigger reliably, without generating false positives or false negatives;
- the number of updates and the size of the rule set remain manageable. [15]

5.3 Reverse Proxy SQUID

Squid is a tool that generally allows securing and controlling internet access for the users of a company's local network, which is the function of a proxy; but it can also be used to secure and control user access from the internet to one or several internal web servers, which is the function of a reverse proxy.
The reverse proxy is placed between the internet and the web server. When a client browser makes an HTTP request, the DNS server routes the request to the reverse proxy machine, not to the real web server. The reverse proxy checks its cache to see if it contains the requested element; otherwise, it connects to the actual web server and downloads the requested document into its cache. The reverse proxy's cache can only be used for cacheable URLs (such as HTML pages and images).
Dynamic content, such as CGI scripts and Active Server Pages, cannot be cached. The use of proxy caching for static pages is based on the HTTP header tags returned with the web page. [16]

6 Conclusion

In this chapter, we modeled and designed the secure architecture to be put in place to secure the website, as well as the tools to be used, with the arguments for them. The following chapter relies on this design for the implementation and realization.

CHAPTER 4

Implementation and realization

1 Introduction
At the end of the conceptual study carried out in the previous chapter, in this chapter we try to realize the projected architecture.
At this stage, we implement the various tools and configure them according to our architecture.

2 Preparation of the test platform


Before moving on to the practical part, we simulated a virtual test platform, composed of servers with the same roles intended for the actual platform. We opted for this method in order to carry out the necessary tests first on a separate platform, and afterwards integrate the components into the website infrastructure.

2.1 The components of the testing platform

The test platform is a virtualized platform using the VMware Workstation 10 hypervisor; it consists of the following virtual machines:
- Endian Firewall
  Role: software firewall, intrusion prevention tool, supervision tool, etc.
  OS: Linux
  Software: Netfilter and Snort (plus other tools)
- Reverse proxy server
  Role: reverse proxy server
  OS: Ubuntu Server 14.04
  Software: Squid
- Monitoring and administration server
  Role: administration and monitoring station
  OS: Ubuntu Desktop 14.04
  Software: monitoring tools
- Web server
  Role: web server
  OS: Windows 7
  Software: WampServer
2.2 Addressing plan of the platform

The addressing plan of the platform is shown in figure 4.1. The addresses used are for reference only and are not real addresses.

Figure 4.1: Addressing plan of the platform.

3 Installation and configuration of the Endian Firewall

3.1 Installation:
Before starting the installation, you need to download the latest stable version of Endian Firewall from the official site [Link]. Once the ISO image is retrieved, we can boot our virtual machine from it, which turns it into a firewall appliance.
Chronologically, the steps to follow for installation and configuration are given in the appendix.


3.2 Configuration:
Endian Firewall segments the platform into four zones, each zone corresponding to a security level:
- Red zone: the unsecured area, that is to say the internet; we set the interface of this zone to [Link].
- Orange zone: the area solicited from the outside; it houses the web server and the reverse proxy server, and its interface is set to [Link].
- Blue zone: the area specific to wireless (Wi-Fi) devices.
- Green zone: the most protected area; it refers to the local network and houses our two DMZs, restricted and private. That is why we assign two network interfaces, one per DMZ, for physical separation, plus a logical separation that takes place at the level of the inter-zone firewall rules.

3.3 Definition and application of firewall rules


The rules to be applied affect three levels, namely: inter-zone traffic, incoming traffic and outgoing traffic.
It is useful to recall that good practice in applying security rules consists of banning all traffic, then reopening with specific rules.
3.3.1 Inter-zone traffic
The principle applied for the definition of the rules governing inter-zone traffic is the principle of least privilege in the connections between the servers of the platform; in other words, connections are allowed only for the services/ports necessary for the execution of well-defined programs.
We start by denying all inter-zone access, then we add the rules.


The resulting policy is as follows on Endian Firewall:

Figure 4.2: The inter-Zone traffic configuration.
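As an added example, not part of the thesis nor of Endian Firewall, the following Python code expresses the flow matrix of the projected architecture (chapter 3, section 4) as a default-deny policy, checks a request against it the way the firewall swimlane of the activity diagrams does (address and port authorized, otherwise access denied), and renders it as iptables commands for the Netfilter FORWARD chain. The subnets, the interface names, MySQL port 3306 for the database queries and SSH (port 22) as the backup transport are constructed assumptions, not the thesis's addressing plan of figure 4.1.

```python
import ipaddress
from typing import List, Tuple

# Zones of the projected platform. Subnets are constructed placeholders (RFC 5737
# documentation ranges); anything outside them is the red zone (internet).
ZONE_SUBNETS = {
    "orange":           ipaddress.ip_network("192.0.2.0/24"),     # public DMZ: reverse proxy + web server
    "green_restricted": ipaddress.ip_network("198.51.100.0/24"),  # restricted DMZ: monitoring/admin + backup
    "green_private":    ipaddress.ip_network("203.0.113.0/24"),   # private DMZ: database server
}
# One interface per zone, as Endian binds zones to interfaces (constructed names).
ZONE_IFACES = {"red": "eth0", "orange": "eth1", "green_restricted": "eth2", "green_private": "eth3"}

# Flow matrix: (source zone, destination zone, protocol, destination port).
# Everything not listed is denied: "ban all traffic, then reopen with specific rules".
FLOW_MATRIX: List[Tuple[str, str, str, int]] = [
    ("red", "orange", "tcp", 80),                      # HTTP to the reverse proxy / web server
    ("red", "orange", "tcp", 443),                     # HTTPS (level 2 users, back office)
    ("orange", "green_private", "tcp", 3306),          # database queries only (assumed MySQL port)
    ("green_restricted", "orange", "tcp", 22),         # administration and backups over SSH
    ("green_restricted", "orange", "tcp", 443),        # administration over HTTPS interfaces
    ("green_restricted", "green_private", "tcp", 22),
    ("green_restricted", "green_private", "tcp", 443),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; addresses outside the platform are the red zone."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONE_SUBNETS.items():
        if addr in net:
            return zone
    return "red"


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Firewall decision of figures 3.4 to 3.6: forward only if the (zone, port) pair
    is authorised by the matrix, otherwise deny access."""
    return (zone_of(src_ip), zone_of(dst_ip), proto.lower(), dport) in FLOW_MATRIX


def to_iptables(matrix: List[Tuple[str, str, str, int]] = FLOW_MATRIX) -> List[str]:
    """Render the matrix as Netfilter FORWARD rules under a DROP policy. Return traffic
    is admitted by connection tracking (the stateful inspection of section 5.2.1 of
    chapter 3), so only the initiating direction of each flow needs a rule."""
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, dst, proto, port in matrix:
        rules.append(
            f"iptables -A FORWARD -i {ZONE_IFACES[src]} -o {ZONE_IFACES[dst]}"
            f" -p {proto} --dport {port} -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    # constructed addresses: an internet client, the web server, the database server
    print(is_allowed("10.9.8.7", "192.0.2.10", "tcp", 443))      # True: HTTPS into the public DMZ
    print(is_allowed("10.9.8.7", "203.0.113.10", "tcp", 3306))   # False: internet -> database
    print(is_allowed("192.0.2.10", "198.51.100.10", "tcp", 22))  # False: web server -> restricted DMZ
    print("\n".join(to_iptables()))
```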

3.3.2 Incoming traffic


As for incoming traffic, we need to use address translation so that our addresses are not visible from the outside; a probe is placed at this level to inspect incoming traffic.

Figure 4.3: The configuration of incoming traffic.


Similarly, we use source NAT for the return of the request.

Figure 4.4: The configuration of the NAT source.


3.3.3 Outgoing traffic
Outgoing traffic is governed by so-called "default" rules necessary for the tools provided by Endian Firewall.

Figure 4.5: The configuration of outgoing traffic.

3.4 Configuration of the intrusion prevention probe


We placed the Snort probe at the entrance to inspect incoming traffic and report any intrusion attempt or suspicious traffic; to do this, one must:
- Activate Snort on Endian Firewall: go to the menu Service >> Intrusion Prevention, then slide the activation button.


Figure 4.6: The configuration of the intrusion prevention probe.


After activation, it is imperative to update the Snort rules; to do this, go to the official Snort site [Link] and download the latest version of the Snort rules.
Note: to be able to download, you need to create an account on the Snort website.
Once the rules are downloaded, they need to be imported into our firewall by clicking on Browse and then importing the rules.

4 Installation and configuration of the SQUID reverse proxy


4.1 Installation
We install Squid on Ubuntu Server 14.04; the steps to follow are as follows.
OS installation: download the ISO image of Ubuntu Server from the official Ubuntu website [Link].
Once our OS is installed, log in with the user account created at the beginning. To activate the root account, the following commands need to be executed:
#sudo passwd root
Enter the root account password, then confirm
#sudo passwd -u root
Installing Squid: run the following command for the installation
apt-get install squid
Once the installation is complete, change the addressing plan according to the zone to which our server is assigned, that is to say the orange zone.


#cd /etc/network
#vi interfaces
Edit the content as follows (the stanza keyword is "iface"):
auto eth0
iface eth0 inet static
address [Link]
netmask [Link]
gateway [Link]
:wq!
Restart the networking service
#cd /etc/init.d
#./networking restart
4.2 Configuration
The configuration of the reverse proxy is done in the [Link] configuration file located in /etc/squid3:
#cd /etc/squid3
Copy the existing file and rename it, to keep a backup of the original file:
#[Link]
Edit the content of the [Link] file and insert the following lines:
#vi [Link]
The contents of the configuration file must be changed as follows:
http_port 80 accel defaultsite=[Link]
forwarded_for on

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

cache_peer [Link] parent 80 0 no-query no-digest originserver name=WEBSERV

acl sites_apache dstdomain [Link]
acl our_sites dstdomain [Link]
# the peer is referenced by the name given in cache_peer (name=WEBSERV)
cache_peer_access WEBSERV allow [Link]

acl all src [Link]/[Link]

acl manager proto cache_object
acl localhost src [Link]/[Link]
acl to_localhost dst [Link]/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow [Link]
http_access allow manager all
http_access allow manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
access_log /var/log/squid/[Link]

The launch of SQUID is done via the command

#cd /etc/init.d
#./squid3 start
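Squid applies http_access lines first-match-wins, so their order decides what the port checks actually cover. The model below is an added example, not part of the thesis; it assumes the scrubbed domain is www.example.com and the scrubbed allowed ACL is our_sites, and compares the thesis order (site allow first) with the order in Squid's stock squid.conf (port checks first).

```python
"""Added example (not from the thesis): a minimal model of how Squid evaluates
http_access lines, to check the effect of rule ORDER before deploying. Only the
ACL types used by the thesis configuration are modelled (dstdomain, port,
method); src ACLs count as matching, since client addresses are not modelled."""
from collections import namedtuple

Request = namedtuple("Request", "host port method", defaults=["GET"])

# Constructed stand-in for the thesis ACLs: the scrubbed domain is assumed to be
# www.example.com and the scrubbed allowed ACL is assumed to be our_sites.
ACLS = """
acl our_sites dstdomain www.example.com
acl all src 0.0.0.0/0
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
"""
# http_access lines in the order the thesis lists them
THESIS_ORDER = ACLS + """
http_access allow our_sites
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""
# Same lines with the port checks first, as in Squid's stock squid.conf
SAFE_PORTS_FIRST = ACLS + """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_sites
http_access deny all
"""

def parse_config(text):
    """acls: name -> [(type, values)]; rules: ordered (action, [terms])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop comments and blanks
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def port_in(values, port):
    """Port ACL values are single ports or lo-hi ranges."""
    for v in values:
        lo, _, hi = v.partition("-")
        if port == int(lo) or (hi and int(lo) <= port <= int(hi)):
            return True
    return False

def acl_matches(acls, name, req):
    for kind, values in acls.get(name, []):
        if kind == "dstdomain":
            # "example.com" matches that host only; ".example.com" adds subdomains
            if any(req.host == v or (v[0] == "." and req.host.endswith(v))
                   for v in values):
                return True
        elif kind == "port" and port_in(values, req.port):
            return True
        elif kind == "method" and req.method in values:
            return True
        elif kind == "src":
            return True
    return False

def decide(config_text, req):
    """First http_access line whose terms all match decides; '!' negates a term.
    If no line matches, Squid applies the opposite of the last line's action."""
    acls, rules = parse_config(config_text)
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!")
               for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```

With the thesis order a request for the accelerated site on port 22 is allowed before `deny !Safe_ports` is ever reached; with the port checks first it is denied.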

5 Audit and surveillance


5.1 Setting up the audit station

In order to maintain the established level of security and improve it over time, it is
essential to set up a station dedicated to the periodic audit of the platform; this
is a preventive measure intended to identify potential breaches and
correct them in time.

Backtrack 5 is the best-known distribution specialized in penetration testing; it
offers a range of security testing tools, from network tests to tests of
website vulnerabilities.

This distribution offers a tool called Zenmap, which is designed to detect open
ports on a network.


5.2 Traffic Monitoring Interfaces

Two interfaces allow the administrator to monitor traffic. The first is
the logging interface of the Endian firewall, located under the menu Logs
and Reports, where the logs can be viewed live.
Note: To enable logging, Ulogd must be started by executing the commands:
#cd /etc/init.d
#./ulogd start
The second is the traffic monitoring interface, located in the menu
Service >> Traffic Monitoring, from which you go to the administration interface.

Figure 4.7: Live traffic journaling.


Figure 4.8: Platform surveillance with the Ntop tool.

6 Conclusion

At the end of this chapter, we have succeeded in realizing a secure architecture by
implementing the necessary security tools and applying the best practices of
computer security. We have thus presented the different steps to follow for
the installation and configuration of the security components.

General conclusion
The study conducted throughout our thesis aimed to answer the
following questions:
How to secure a web application?
How to maintain the security of a web application?
What steps should be taken to secure a web application?
To provide the necessary answers to these questions, we
analyzed computer security as a whole and web application security
in particular, taking into account the constant evolution of information
technologies, which goes hand in hand with the multiplication of the threats we must
face.
The theoretical study was followed by a conceptual analysis that allowed us to identify
the needs and to model the projected architecture.
Given the importance of the security aspect of web applications, we have used
the fundamental security tools and applied good practices in a proposed
architecture.
The main contributions are summarized as follows:
The application of the computer system security process based on the
PDCA model to highlight the steps to follow;
Design of a secure architecture that precisely matches the level of
security expected;
Selection of suitable and reliable tools, used and configured as a
front-line security barrier;
Highlighting the preventive aspect through the implementation of the necessary
intrusion prevention tools.
However, we can consider different perspectives in order to maintain the level of
security, for example:
Implementation of a tool to test the website's vulnerability.
The establishment of a VPN tunnel.
Finally, we must point out that our thesis, like any research work, is
not free from some gaps and limitations. These are mainly due to the
following reasons:
Short duration.
Limited hardware and software resources for implementing
the test environment.

Annexes

1 OWASP TOP 10 of the most common threats

OWASP periodically publishes a list called the 'TOP 10', ranking the
most common threats to web applications in order of importance. The most
recent version (2013) published by OWASP is as follows:

1) Injection
An injection flaw, such as SQL injection, OS injection or LDAP injection, occurs when untrusted
data is sent to an interpreter as part of a command or query.
The attacker's hostile data can trick the interpreter into executing
unintended commands or accessing unauthorized data.
We will present some attack scenarios in what follows.
Scenario 1:
An application uses untrusted data in the construction of the following
vulnerable SQL call:
String query = "SELECT * FROM accounts WHERE custID='
Scenario 2:
Similarly, blind faith in an application framework can lead to
queries that are still vulnerable (e.g. Hibernate Query Language (HQL)):
Query HQLQuery = [Link]("FROM accounts WHERE custID='" + [Link]("id") + "'
The attacker modifies the 'id' parameter in their browser and sends:
' or '1'='1.
For example:
[Link] or '1'='1
The meaning of both queries is changed to return all the rows of the accounts
table. The worst attacks can corrupt data, or even invoke stored
procedures.
2) Broken authentication and session management
The application functions related to authentication and session management are
often not implemented correctly, allowing attackers to compromise the
[Misplaced page from Chapter 3 - Conceptual Analysis]
Figure 3.4: Front office activity diagram (swimlanes: Front office, IDS, Firewall, Reverse Proxy, Web server, Database Server; the flow shows the URL entered by the front office, packet analysis with log and alert generation by the IDS, address and port filtering by the firewall with access denied or granted, the lookup of the requested page in the reverse proxy cache, the request forwarded to the web server and then to the database with an error message if the data does not exist, and the generated web page returned through the chain for display).


Note that attackers can also use XSS to bypass the countermeasures
taken to protect against CSRF attacks.
4) Insecure direct object references
A direct object reference occurs when a developer exposes a reference to
an internal implementation object, such as a file, a directory, a database record
or a database key. Without an access control check or other protection, attackers
can manipulate these references to access unauthorized data.
Example of an attack scenario
The application uses unverified data in a SQL query accessing
account information:
String query = "SELECT * FROM accts WHERE account = ?";
PreparedStatement pstmt = [Link](query, ...);
[Link](1, [Link]("acct"));
ResultSet results = [Link]();
The attacker modifies the "acct" parameter in their browser to send whatever
account number they wish. If the parameter is not properly verified,
the attacker can access any account, instead of being limited to their own.
[Link]
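The two scenarios above differ in an instructive way: the injection query in item 1 concatenates the parameter, while the item 4 query is already parameterized and is still exploitable because nothing ties the account to the logged-in user. The following Python/SQLite example is added here and is not code from the thesis or from OWASP; the table, its three rows and the function names are constructed for the demonstration.

```python
"""Added example (not from the thesis or OWASP): the injection query from
scenario 1 of item 1 and the unchecked account lookup of item 4, each beside a
hardened version, run against an in-memory SQLite table of constructed rows."""
import sqlite3

INJECTION_PAYLOAD = "' or '1'='1"   # the value the thesis shows being sent as 'id'

def make_db():
    """Constructed sample data: three accounts owned by three users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, balance INTEGER)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                    [("1001", "alice", 500), ("1002", "bob", 1200), ("1003", "carol", 75)])
    con.commit()
    return con

def lookup_concatenated(con, cust_id):
    """Item 1, scenario 1: the request parameter is pasted into the SQL text,
    so ' or '1'='1 turns the WHERE clause into a tautology and every row leaks."""
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return con.execute(query).fetchall()

def lookup_parameterized(con, cust_id):
    """Hardened against injection: a bound parameter is never parsed as SQL.
    It is still the item 4 pattern, though: any custID the caller names is returned."""
    return con.execute("SELECT * FROM accounts WHERE custID = ?", (cust_id,)).fetchall()

def lookup_for_user(con, session_user, cust_id):
    """Hardened against both: parameterized AND the row must belong to the
    authenticated user, so changing 'acct' in the browser returns nothing."""
    return con.execute("SELECT * FROM accounts WHERE custID = ? AND owner = ?",
                       (cust_id, session_user)).fetchall()
```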
5) Security misconfiguration
Good security requires a secure configuration to be defined and
deployed for the application, frameworks, application server, web server, database
server and platform. All these settings must be defined, implemented and
maintained, as many are not shipped secure by default. This includes keeping all
software up to date.
Examples of attack scenarios
Scenario 1:
The application server administration console is installed automatically and
not disabled. The default accounts are not changed. The attacker discovers the
console, uses the default account and takes control.
Scenario 2:
Directory listing is enabled. The attacker discovers it and can list the
directories and find the files. The attacker finds and downloads your compiled
Java classes, which they decompile. They identify an access control flaw.

Scenario 3:
The application server configuration allows stack traces to be displayed to
the user. Attackers appreciate these error messages.
Scenario 4:
The application server comes with sample applications that have not been removed from
your production server. These sample applications contain known vulnerabilities
that the attacker can use to compromise the server.
6) Sensitive data exposure
Many web applications do not properly protect sensitive data such as
credit card numbers, tax identifiers and authentication credentials. Attackers
can steal or modify this poorly protected data to commit identity theft,
credit card fraud or other crimes. Sensitive data deserves
additional protection such as encryption at rest or in transit, as well as special
precautions when exchanged with the browser.
Examples of attack scenarios
Scenario 1:
A website protects credit card numbers through the transparent
encryption (TDE) feature of the DBMS. This method also leads to
transparent decryption of the data when it leaves the database. By exploiting a
SQL injection, the attacker retrieves the data in plain text.
Scenario 2:
A public site does not require SSL while browsing in the authenticated section.
An attacker connects to an open wireless network and captures a user's
traffic. They retrieve the token of an authenticated session and thereby gain access to the
user's data and privileges in the application.
Scenario 3:
By exploiting a vulnerability in a file upload function, an attacker
obtains the password hash database. The hashes having been generated
without salt, a rainbow table attack
reveals the passwords.
7) Missing function level access control
Almost all web applications check function-level access rights
before making the function visible in the user interface. However,
applications must perform the same access control checks on the server when

each function is accessed. If requests are not verified, attackers will be able
to forge requests in order to access unauthorized functionality.
Examples of attack scenarios
Scenario 1:
The attacker simply browses to the targeted URLs. The following URLs require
authentication, and administrative rights are also required for 'admin_getappInfo'.
[Link]
[Link]
A vulnerability exists if an unauthenticated user can access either of these
pages, or if an authenticated but non-privileged user can access 'admin_getappInfo'.
In the latter case, it may allow the attacker to identify other
unprotected administration functions.
Scenario 2:
A page uses an 'action' parameter to specify the function to invoke, and
different actions require different privileges. A vulnerability exists if these
privileges are not verified.
8) Cross-Site Request Forgery (CSRF)
A CSRF (Cross-Site Request Forgery) attack forces a victim's authenticated browser
to send a forged HTTP request, including the victim's session cookie
and any other automatically included information, to a vulnerable web
application. This allows the attacker to force the victim's browser to generate
requests that the vulnerable application thinks are legitimately coming from the victim.
Example of an attack scenario
An application allows a user to submit a state-changing request
that includes no secret:
[Link]
4673243243
The attacker can therefore forge a request to transfer money from the victim's account
to their own account, and hide it in an image tag or an iframe
tag, stored on a site under their control:
<img src="[Link]
amount=1500&destinationAccount=attackersAcct#"

If the victim visits one of the attacker's sites while still authenticated
on the [Link] site, their browser will include the session data in the
forged request and the request will succeed.
9) Using components with known vulnerabilities
Vulnerable components, such as libraries, frameworks and other software modules,
almost always run with full privileges. Thus, if exploited, they can
cause serious data loss or server takeover. Applications
using these vulnerable components can undermine their defenses and enable a
range of attacks and impacts.
Examples of attack scenarios
The risks associated with a vulnerable component can vary widely, from
simple malware to complex attacks targeting a chosen organization. Since most
components run with the full privileges of the application, any flaw in
one of these components can have a major impact. The two vulnerable components
below were downloaded 22 million times in 2011.
Apache CXF Authentication Bypass - By failing to provide an identity token,
attackers could invoke any web service with full privileges. (Apache CXF is an
open source framework not to be confused with the Apache application server.)
Spring Remote Code Execution - Abuse of the Expression Language implementation
in Spring allowed attackers to execute arbitrary code
and thus take control of the server.
All applications using either of these vulnerable libraries are vulnerable
to attack, as these components are directly accessible to the users of the application.
Other vulnerable libraries, used deeper in the application,
would be harder to exploit.
10) Unvalidated redirects and forwards
Web applications frequently redirect and forward users to other
web pages and websites, and use untrusted data to determine the destination
pages. Without proper validation, attackers can redirect victims to
phishing or malware sites, or use forwards to access unauthorized
pages.
Examples of attack scenarios

Scenario 1:
An application has a page '[Link]' that takes a single parameter named
An attacker forges a URL that redirects users to a
malicious site (phishing attempt or malware installation).
Scenario 2:
An application uses forwards to route users to certain internal
pages. To simplify the flow, some pages use a parameter containing the
page to which the user must be forwarded. In this case, an attacker crafts a URL
that passes the application's access controls and is then forwarded to an
administrative function that they should not have access to.
[Link]
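Both scenarios are closed by validating the destination rather than trusting the parameter. The example below is added here and is not code from the thesis or OWASP: it assumes the redirect parameter is called url and the site's host is www.example.com, and it resolves forwards through a fixed table whose entries carry the role they require, so the forward target is checked and not only the page that forwards.

```python
"""Added example (not from the thesis or OWASP): validation for the two cases of
item 10. The parameter name 'url', the host www.example.com and the forward
table are assumptions made for the demonstration."""
from urllib.parse import urlparse

OUR_HOSTS = {"www.example.com"}

# Scenario 2: forwards are resolved through a fixed table, never from a raw path,
# and each entry names the role it requires.
FORWARDS = {
    "home": ("/home.jsp", "user"),
    "admin_getappInfo": ("/admin_getappInfo", "admin"),
}

def safe_redirect(url, fallback="/"):
    """Scenario 1: follow 'url' only if it stays on our own host."""
    if not url:
        return fallback
    p = urlparse(url)
    if p.scheme and p.scheme not in ("http", "https"):
        return fallback                         # javascript:, data:, ...
    if p.netloc:                                # absolute or protocol-relative URL
        try:
            port = p.port                       # raises on a malformed port
        except ValueError:
            return fallback
        if p.username is not None or port is not None:
            return fallback                     # user@host tricks, odd ports
        return url if p.hostname in OUR_HOSTS else fallback
    if url.startswith("/") and not url.startswith(("//", "/\\")):
        return url                              # plain site-relative path
    return fallback                             # "//evil", "evil.com", "\\evil"

def safe_forward(name, role):
    """Scenario 2: look the forward target up and check the caller's role
    against the target itself."""
    entry = FORWARDS.get(name)
    if entry is None:
        return None
    path, needed = entry
    if needed == "admin" and role != "admin":
        return None
    return path
```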

2 Installation and configuration of the Endian Firewall


2.1 Installation
Creation of a new virtual machine

Figure 1: Step 1 of setting up the test environment.

Choose the 'typical' installation and then select the ISO image of our firewall as the installer disc image.

Figure 2: Step 2 of installing the test environment.



Choose Linux as the OS type and then give the machine a name.

Figure 3: Step 3 of setting up the test environment.

Leave the disk size at the default and check 'Store virtual disk as a single file', then
click Customize Hardware.

Figure 4: Step 4 of installing the test environment.

Remove the USB controller, sound card and printer to free up the ports,
then add three additional network adapters to have four interfaces, then
click Close and then Finish.

Figure 5: Step 5 of installing the testing environment.

Once the machine has been created, starting it launches the
installation of our firewall.

Figure 6: Step 1 of installing the Endian firewall.



Choose the language: English

Figure 7: Step 2 of the Endian firewall installation.

Press OK

Figure 8: Step 3 of the Endian firewall installation.



Press YES to start the installation

Figure 9: Step 4 of the Endian firewall installation.

Press No to prevent the creation of a serial port

Figure 10: Step 5 of Endian firewall installation.



Starting the installation

Figure 11: Step 6 of the Endian firewall installation.

At this level, we need to define the IP address of the interface corresponding to the green
zone; this will be the access address of the administration interface of our firewall.

Figure 12: Step 7 of installing the Endian firewall.



End of installation

Figure 13: Step 8 of the Endian firewall installation.

Once the installation is complete, a menu is available to manage the application from the
command line.

Figure 14: Step 9 of the Endian firewall installation.

We will now continue the installation via a secure graphical interface.

Access is made via HTTPS from the so-called green zone, which is the most secure area.
To do this, we set up the administration and monitoring station so
that it has access to the administration interface of our firewall.
Set the IP address of the administration and monitoring station:
#cd /etc/network
#vi interfaces
Edit the content as follows (the stanza keyword is iface, not interface):
auto eth1
iface eth1 inet static
address [Link]
netmask [Link]
[Link]
:wq!
Restart the networking service
#cd /etc/init.d
#./networking restart
Launch the browser and enter the address [Link], which
corresponds to the green zone.
Homepage

Figure 15: Step 10 of the Endian firewall installation.

Choice of language and time zone

Figure 16: Step 11 of the Endian firewall installation.



Accept the terms

Figure 17: Step 12 of installing the Endian firewall.

Endian firewall offers the possibility of importing a configuration backup if
needed; we click No because this is a new installation.

Figure 18: Step 13 of the Endian firewall installation.

Change of the passwords for the administration interface and the root account

Figure 19: Step 14 of the Endian firewall installation.



2.2 Configuration

Red zone: corresponds to the unsecured zone, that is to say the Internet; we set
the interface of this zone to [Link]

Figure 20: Step 1 of the Endian firewall configuration.

Orange zone: the zone solicited from the outside; it houses the web server and the reverse
proxy. Its interface is set to [Link]

Figure 21: Step 2 of the Endian firewall configuration.



Assign the address and assign the corresponding interface

Figure 22: Step 3 of the Endian firewall configuration.

Green zone: the most protected zone; it corresponds to the local network and houses our
two restricted and private DMZs, which is why we assign two network interfaces, one
per DMZ, for physical separation, in addition to a logical separation enforced by
the firewall's inter-zone rules.

Figure 23: Step 4 of the configuration of the Endian firewall.



Figure 24: Step 5 of the Endian firewall configuration.

Specify the DNS address

Figure 25: Step 6 of the Endian firewall configuration.

Finally, click OK and apply the configuration to save it.

Figure 26: Step 7 of the Endian firewall configuration.



Abstract:
The number of attacks against companies is growing, which can cause significant losses;
thus the need for IT security becomes ever more important.
Several policies and tools have been developed to provide effective defense mechanisms,
which include firewalls, intrusion detection/prevention systems (IDS/IPS) and reverse proxies. Their
goal is to filter all traffic exchanged with the outside network and allow only authorized
traffic.
In our project we proposed a simple and effective architecture for securing web
applications which consists of three modules: Endian Firewall, IDS/IPS, reverse proxy.
Those modules work together to ensure our security policy.
Keywords: Firewall, filter, web application, security policy.

Summary:
The number of attacks against businesses continues to rise, which can lead to
significant losses; thus the need of companies for cybersecurity becomes
increasingly important.
Several policies and tools have been developed to provide effective defense
mechanisms, among which are firewalls, intrusion detection/prevention systems
(IDS/IPS) and reverse proxies, their purpose being to filter all traffic exchanged with the
external network and to allow only authorized traffic.
In our project, we proposed a simple and effective architecture for securing
web applications, consisting of three modules: Endian Firewall, IDS/IPS and reverse proxy;
together these tools can enforce the security policy.
Keywords: Firewall, filter, web application, security policy.
