esearch on Security Technology based on WEB Application
Fanxing Kong
Linyi University, Shandong China, 276000
Keywords: WEB Application; Security Technology; Research.
Abstract: This article described the relevant technologies of web security, thoroughly analyzed the application
security of Web in three aspects of security threats of Web client, security threats of Web server, security
threats of data transmission, and accordingly studied the security technology based on WEB application.
Hope the elaboration of this article could provide some reference to the relevant personnel in the field.
With the advent of the information era, WEB application
has entered into people's life and work, and the
application programs based on WEB have been fully
used in various fields, including Internet management,
control of facilities, etc (Xiaojie X,2015).
For the current Internet, any information and data
needs the WEB service. Now, WEB has been widely
used, and the programs and data based on WEB
application are the targets mostly attacked by network
hackers. According to the relevant reports, the Internet
data vulnerabilities are all the key ways of secure
dissemination. Browser and WEB applications began to
be hacked, in which, 75% of the Internet threats are
related to WEB applications. These security risks have
brought serious losses to the relevant areas. Then, the
paper will further analyze and discuss the security
technologies based on WEB application
comprehensively (Ziqian W,2015).
2.1 Authentication technology
The so-called authentication technology mainly refers
the process that divide it into two subjects, and one of the
subjects clear confirms the other. When one user's
identity is taken as a subject, it requires to use
authentication technology to verify its identity, if
successful, it can continue to access, otherwise, it cannot
(Dongjiao Z,2016).
2.2 Authorization technology
After authentication, if the subject has the right of
follow-up access, the access rights involved, we can call
it authorization. Authorization mainly contains two
aspects, the first is the control information of resource
access; the second is the information of subject.
2.3 Security and privacy technology
This technique is mainly hidden in the user information
without authorization application, which mainly uses
encryption technology, after encryption, users can
transfer data, but other users can not view the transmitted
information, even by the network protocol analyzer
(Juan D,2014).
Web application mainly consists of two parts, the first is
the client; the second is the server. It mainly draws
support from the TCP/IP protocol layer to achieve data
transmission and processing. The most widely used
client program is the Web browser. The Web server has
access to Web resources. Web resources mainly involve
five aspects, the static text file, document of hypertext
markup language, media file, client code and dynamic
script. The mode of Web application is shown in figure 1
(Yi S,2014):
Kong F.
Research on Security Technology based on WEB Application.
DOI: 10.5220/0006450603670370
In ISME 2016 - Information Science and Management Engineering IV (ISME 2016), pages 367-370
ISBN: 978-989-758-208-0
2016 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved
Figure 1: Mode of Web application
3.1 Security threat analysis of Web
3.1.1 Security threats of browser
Browser usually refers to the program of client host,
which is used to meet the needs of the Web server, while
display and process the data and information given by
Web server. The browser only needs to provide the
display function for HTML static page before, but with
the rapid development of scripts and plug-in technology,
scripts and plug-in technology with ActiveX, FLASH
model have been used comprehensively, which provides
the conditions for the enhance of browser’s performance,
but followed by the gradually increasing security
problems in the process of Web application. Browser is
the key to the entire Internet, network hackers often use
browser software to set the virus, attack the client, and
which leads to Web client being threatened (Wang
3.1.2 Cross-site scripting attacks
Usually, there are two kinds of XSS attack, one is
persistent attack, and the other is a reflection attack.
Persistent attack mainly refers that the attacker saves the
virus in the database crossing with Web application
program, when users access it, Web application will send
the potential virus to the user. When the user executes
the program, the relevant information of user will be sent
to the attacker. Reflection attack mainly refers that the
attackers do not save the virus in the server side, and
reflect it directly to the user. They mainly use the
malicious script sent by others, copy the virus into it,
when the user links, it will steal user's information. This
attack does not have persistence.
3.1.3 Clickjacking
Clickjacking mainly refers to a kind of visual deception,
hackers mainly upload the transparent Web elements to a
web page, when users link the web page, they don’t they
have clicked on the Web elements, and then information
is operated or stolen. Network hackers mainly lure users
to click the performance button of these Web elements
without knowing the facts, and then achieve specific
supply performance (Yubei Y,2015). For example,
linkJacking attacks can not only hijack information,
while after the implementation of a series of tedious
actions, network hackers can eventually control the
3.2 Security threat analysis of Web
server side
Once the server side has security threats, it will lead to
the security threats of Web applications, Web servers, as
well as the database. Once the complicacy of Web
applications gradually increases, the security awareness
of Web programmers and the corresponding
management personnel gradually reduces, and which
will provide the conditions for the attacker's attack. In
normal circumstances, the security threats of Web server
side are mainly two aspects (Chuan L,2010).
(1) The security threats of server side’s data and file,
such as the leakage of bank accounts and credit card
information, etc. Assuming that the intruders have
obtained this information, they can cheat by the way of
role playing, and then obtain the corresponding
economic benefits.
(2) Web applications of server side are also affected
by the preservation of malicious code, thereby attacked
by the Trojan horse of Webpage. The Web threats we
often encounter include SQL injection attacks, attacks of
remote code execution, and so on (Chengyu H,2011).
3.3 Security threat analysis of data
In the process of user side data transfer or server side
data transfer, once there is improper operation, there is a
security threat. The main attacks we often encounter are
two kinds, one is the active attack, and the other is a
passive attack. Active attack mainly refers to the data
attack in the network. This attack mainly uses user side
or server to revise user information, and then achieves
the effect of attack. Passive attack mainly refers to
reading data in the network, this kind of attacks mostly
read the important information in the network, such as
user names, user passwords and users’ personal
information, etc (Yongxiang W,2014)
ISME 2016 - Information Science and Management Engineering IV
ISME 2016 - International Conference on Information System and Management Engineering
4.1 Security technology of client
For the security threats of browser and the host operating
system, in order to enhance the security of the host
operating system and browser, browser version and real
time patch update of operating system should be well
done in the link of security, and the vulnerabilities of
browser and operating system should be timely repaired.
For the security threat of Web client’s script, Web
client’s ability of fighting against attacks should be
strengthened, install detection system in the Web client
script, and detect regularly. In general, there are two
kinds of detection technologies for malicious web page,
the first is static detection; the second is dynamic
detection. Static detection detects malicious code on the
webpage by code analysis. Compared to static detection,
dynamic detection has relative low efficiency, but strong
pertinence, which can effectively identify the malicious
code in the page. If the malicious code is encrypted or
changed, dynamic detection can read the relevant
information in malicious code, analyze characteristics of
the behavior, and then achieve the purpose of protection.
Therefore, dynamic detection has good accuracy.
4.2 Security protection method of
4.2.1 AJAX protection mechanism
Comparing the AJAX protection mechanism and
original security system of Web application, there are
certain similarities in nature, which contains the data
query by interacting with data, response ability of data
transfer, capability of data transmission and information
call, etc.
4.2.2 Input validation
In order to prevent the phenomenon of only the user side
is verified, all of the information of clients and servers
should be verified, such as the verification of HTTP
header, cookie verification, parameter verification, data
validation, and the verification of length, specification of
user data.
4.2.3 Security of client’s program code
The protection mechanism mainly involves four aspects,
first, the application system mechanism of user end;
second, mechanism of third party’s external program;
third, the data call mechanism; fourth, the protection
mechanism of data processing.
4.2.4 SOAP filtering and WSDL
strengthening mechanism
Typically, before the filtering of firewall or HTTP layer,
it is unable to defend the attack of Web services, and
needs to play the effect of resistance in the filter and
supervision of SOAP layer. While as one of key sources,
information of WSDL date could not be leaked, its
enforcement mechanism mainly includes two aspects,
the first is in the process of program design, it needs to
provide the corresponding function; second, it is only
used in SSL.
4.2.5 Authentication, authorization and
development mechanism of security
The protection mechanism involves five aspects, first, R
&D staff of the system carry out WSDL access control;
second, apply security assertion markup language; third,
WS-Security certificate; fourth, SOAP filtration; fifth,
data transfer.
4.3 Security technology of data
4.3.1 HTTPS protocol
HTTPS mainly refers to running HTTP based on SSL,
the structure after fusion is called HTTPS, when building
a TCP in HTTP, link to it, when the user side presents a
demand server will give corresponding reply. In the
process of applying SSL, the user side must build a TCP,
link to it, build a SSL channel on it, send the same
requirement in the SSL channel, and the server side will
make corresponding response to the SSL channel. In
terms of the traditional HTTP server, the information
SSL accepts is equivalent to spam, because that not all of
the servers can apply SSL. Therefore, in order to ensure
the quality of the data, it needs to select the appropriate
application channels in the application process. It needs
to use the Web address starting with HTTPS to achieve
the application of SSL.
4.3.2 SRTP protocol
SRTP protocol mainly researches and develops the
safety performance of the two contents, the first is the
voice stream; the second is the video stream, SRTP gives
the encryption modes and cognitive methods
corresponding to AES. So the main function of SRTP
protocol is security and real time. SRTP can be used in
Research on Security Technology based on WEB Application
Research on Security Technology based on WEB Application
TCP/UDP, but people often use it in UDP, for the
transmission of voice and video is mainly based on
Protection of data authentication and integrity: in
general, the authentication algorithm used by RTP is
MAC-SHA1. After the calculation results are sent to the
data packet, the receiving side will choose a reasonable
label value of M according to the calculation results, and
compare it with the label value received (Hung-Bin
4.3.3 RTMPS protocol
RTMPS protocol is also called security protocol, it is the
protocol got after the SSL encryption. The protocol can
support data transfer. The main function of secure
sockets layer is to provide a security protocol with data
integrity for network communication. SSL mainly uses
the transmission layer to achieve the encryption of the
network link. The default port is 443.
All in all, with the rapid development of Internet
technology, the application programs based on Web
have steadily developed, and become an important
standard of the current computing platform. With the
appearance of Web mail, shopping and media, Web
applications has entered our work, life and learning,
become an indispensable part of our daily life, and
played a key role in network information service.
Because of the rapid development of Web technology,
applications related to Web have become cumbersome,
which also makes the security vulnerabilities gradually
emerge. In order to ensure the safety of Internet
applications, it is necessary to conduct a comprehensive
security analysis of the Web application, and develop an
efficient and reliable method to prevent attacks, so as to
ensure the security of programs and data.
Xiaojie X, Yang X, Shuo J., Research and Design of Web
Application Firewall Based on Feature Matching.
Netinfo security, (11)53-59,2015
Ziqian W, Bo W., Research on technology taking use of
vulnerability of information security in Web
application system. Electronic Product Reliability and
Environmental Testing, (6):30-33, 2015
Dongjiao Z, Ping W., Analysis on the security technology
of Java Web application program. Computer fan,
Juan D, Yang X, Yuwei M., Research and design of audit
system of security log based on Web application.
Netinfo security, (10):70-76,2014
Yi S, Dongyun L, Wenjie W., Research on the key
technology of security testing platform of Web
application program. Information Security and
Technology, (1):29-32, 2014,
Wang X.,Desing of Secure Identity Authentication System
Based on JAAS in the Web Application System. Journal
of Beijing University of Civl Engineering and
Architecture, 24(2):55-59,2008
Yubei Y., Application security of PGP encryption
technology based on WEB in mail system, Network
Security Technology & Application,(6):38-40,2015
Chuan L., Research on Application of Web J2EE system
identity authentication security mechanism based on
Unix authentication. Journal of Chongqing University
of Arts and Sciences,(4):65-67,2010
Chengyu H. Research on the protection method of Web
Java application software, Software Guide,(11):57-
Yongxiang W, On WEB website security optimization.
Network Security Technology & Application,(5):136-
Linhai Y, Binying H., Research on the content of Web
code security artificial audit, Jiangxi Science,(4):536-
Hung-Bin C, Izhak Rubin,Ofer Hadar., Scalable Video
Multicast for Multi-Cell Cellular Wireless Networks.
Journal of Communications, 10(9):715-727, 2015
ISME 2016 - Information Science and Management Engineering IV
ISME 2016 - International Conference on Information System and Management Engineering