alert page for post-events pages. Pages with the same level are put on the same row.
For pages accessed by the pre-events list, pages with the lowest level (those connected
directly to the selected alert page) are positioned at the bottom, and pages with a higher
level are positioned in higher rows. For pages accessed by the post-events list, pages with
the lowest level (those connected directly from the selected alert page) are at the top,
and pages with a higher level are positioned in lower rows. This arrangement creates a
natural top-to-bottom flow of pages according to how far they are from/to the
selected alert page. We implement the space-oriented coordinate system using a technique
like Treemap [15] to use the space efficiently. Firstly, the whole space is divided
vertically into levels, and then, for each level, its space is divided horizontally
among that level's pages.
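The row layout just described, written out as an added example (this is illustration code, not the paper's implementation): the canvas is first split vertically into one row per level, then each row is split horizontally among the pages of that level. The pre/post ordering of rows follows the text; the optional per-page weights (for instance, access counts) are an assumed extension beyond the equal division the paper describes.

```python
# Added example (not from the paper): space-oriented row layout for pages grouped by level.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rect:
    x: float
    y: float
    w: float
    h: float


def layout_levels(pages_by_level, width, height, mode, weights=None):
    """
    pages_by_level: {level: [page, ...]}, level 1 = pages directly connected to the alert page.
    mode: "pre"  -> pages accessed before the alert page: level 1 at the bottom, higher levels above
          "post" -> pages accessed after the alert page:  level 1 at the top, higher levels below
    weights: optional {page: positive number}; a page's slot width is proportional to its weight
             (assumed extension, e.g. number of accesses); default is equal division within a row.
    Returns {page: Rect} with the origin at the top-left corner of the canvas.
    """
    levels = sorted(lvl for lvl, pages in pages_by_level.items() if pages)
    if not levels:
        return {}
    row_h = height / len(levels)
    # Row 0 is the top of the canvas: the lowest level goes there for "post",
    # while for "pre" the order is reversed so the lowest level ends up at the bottom.
    if mode == "post":
        ordered = levels
    elif mode == "pre":
        ordered = list(reversed(levels))
    else:
        raise ValueError("mode must be 'pre' or 'post'")
    weights = weights or {}
    rects = {}
    for row, level in enumerate(ordered):
        pages = pages_by_level[level]
        total = sum(weights.get(p, 1) for p in pages)
        x = 0.0
        for page in pages:
            w = width * weights.get(page, 1) / total
            rects[page] = Rect(x, row * row_h, w, row_h)
            x += w
    return rects


def layout_from_levels(levels, width, height, mode, weights=None):
    """Convenience wrapper taking {page: level}, as produced by a search over the link graph."""
    by_level = {}
    for page, lvl in levels.items():
        by_level.setdefault(lvl, []).append(page)
    for pages in by_level.values():
        pages.sort()  # deterministic left-to-right order inside a row
    return layout_levels(by_level, width, height, mode, weights)


if __name__ == "__main__":
    # Constructed input: two pages one hop from the alert page, one page two hops away.
    for mode in ("pre", "post"):
        print(mode, layout_levels({1: ["a", "b"], 2: ["c"]}, 100, 50, mode))
```

With a 100 by 50 canvas and levels {1: [a, b], 2: [c]}, "post" mode puts a and b in the top row (each 50 wide) and c in the bottom row spanning the full width; "pre" mode swaps the two rows.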
5 Experiments

5.1 Experiment Settings
In this section, we want to see what the attack scenarios look like under different
conditions. To that end, we use three web application vulnerability scanners to
attack a web application installed on a local web server. We also invite a person
knowledgeable in web application security to perform some attacks on the same
target. Our expectation is that there are noticeable differences in the visualization
results, and that some knowledge about the attacking process can be reasoned from
these visualizations.
The web server we use to host the test web application is an Apache HTTP server
version 2.2.1 [16]. Accesses to this web server, whether by the automatic scanning tools
or by the human attacker, are recorded in an access.log file. We develop a script to
extract the data from this log file and store them in a Java DB [17] database for later
processing.
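An added example of the kind of extraction script the paragraph describes (this is not the paper's script): it parses Apache combined-format access.log lines and stores them in a database table. SQLite is used here in place of the paper's Java DB, and the log lines are constructed for the example. The request line, referer and user agent are client-controlled, so the pattern is anchored and those fields are stored verbatim rather than interpreted; lines that do not match the format are counted instead of silently dropped.

```python
# Added example (not the paper's script): Apache combined-format access.log -> SQLite table.
import re
import sqlite3
from datetime import datetime
from urllib.parse import urlsplit

# Anchored pattern for the combined log format. Referer and user agent are optional so that
# common-format lines (without them) still parse.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)


def parse_line(line):
    """Return a dict of fields for one access.log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    parts = urlsplit(f["target"])  # split path from query string for later per-page analysis
    return {
        "host": f["host"],
        "user": None if f["user"] == "-" else f["user"],
        "time": datetime.strptime(f["time"], "%d/%b/%Y:%H:%M:%S %z").isoformat(),
        "method": f["method"],
        "path": parts.path,
        "query": parts.query,
        "status": int(f["status"]),
        "size": None if f["size"] == "-" else int(f["size"]),
        "referer": None if f["referer"] in (None, "-") else f["referer"],
        "agent": f["agent"],
    }


SCHEMA = """
CREATE TABLE IF NOT EXISTS access (
    id INTEGER PRIMARY KEY, host TEXT, user TEXT, time TEXT, method TEXT,
    path TEXT, query TEXT, status INTEGER, size INTEGER, referer TEXT, agent TEXT)
"""


def load_access_log(lines, conn):
    """Insert every parsable line into the access table; return (inserted, skipped)."""
    conn.execute(SCHEMA)
    inserted = skipped = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # malformed lines are counted, not silently dropped
            continue
        conn.execute(
            "INSERT INTO access (host,user,time,method,path,query,status,size,referer,agent) "
            "VALUES (:host,:user,:time,:method,:path,:query,:status,:size,:referer,:agent)",
            rec,
        )
        inserted += 1
    conn.commit()
    return inserted, skipped


def requests_per_path(conn):
    """Number of recorded accesses per page path, in path order."""
    return dict(conn.execute("SELECT path, COUNT(*) FROM access GROUP BY path ORDER BY path"))


# Constructed sample lines (not taken from the paper's experiment); the last one is malformed.
SAMPLE_LOG = [
    '127.0.0.1 - - [12/Mar/2010:10:15:01 +0100] "GET /app/index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [12/Mar/2010:10:15:07 +0100] "GET /app/search.php?q=test HTTP/1.1" 200 874 '
    '"http://localhost/app/index.php" "Mozilla/5.0"',
    '127.0.0.1 - - [12/Mar/2010:10:15:09 +0100] "POST /app/auth.php HTTP/1.1" 302 - '
    '"http://localhost/app/login.php" "Mozilla/5.0"',
    'this line is not in combined log format',
]


def run_sample():
    """Load the sample into an in-memory database; returns ((inserted, skipped), per-path counts)."""
    db = sqlite3.connect(":memory:")
    counts = load_access_log(SAMPLE_LOG, db)
    return counts, requests_per_path(db)


if __name__ == "__main__":
    print(run_sample())
```

Running the block loads three records, skips the malformed line, and reports one access each for /app/auth.php, /app/index.php and /app/search.php; the path column is what later joins these records to the crawler's link graph.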
To capture attack/alert data, we use PHPIDS [18] as the web application IDS. Because
PHPIDS can only detect intrusions against web applications written in PHP,
the target web application is a PHP-based one. The attacks that PHPIDS captures are
stored in a MySQL database [19], so we create another script to copy them to the
same Java DB database that stores the Apache access records described previously. It is
worth noting that PHPIDS, like other IDSs, certainly produces false detections, both
false negatives and false positives. As a result, we do not intend to evaluate our technique in terms of
correctness, but rather in terms of the insight it may bring to observers.
We also develop a custom crawler to extract linking relationships between pages
on the target web application. These linking relationships are used to calculate the page
levels mentioned previously in the visualization design section. For two web
pages A and B with URIs UA and UB respectively, we say A links to B if either:
- the HTML content of A contains at least one hyperlink that points to UB, or
- the HTML content of A contains at least one form whose action attribute is UB.
After running the crawler, all linking relationships on the test web application are
found and stored in the same Java DB that stores the access and alert data.
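The link rule above and the page levels it feeds, as an added example (illustration code, not the paper's crawler): the extractor applies exactly the two conditions (a hyperlink target or a form action attribute), resolving relative URIs against the page's own URI and dropping fragments, which are assumptions made here. Levels are then computed as shortest-path hop counts from the selected alert page following links forward (post-events) or backward (pre-events), which is my reading of "how far they are from/to the selected alert page". The page contents and the site URI are constructed for the example.

```python
# Added example (not the paper's code): link extraction per the paper's rule, plus
# pre-/post-event page levels as hop distances from a selected alert page.
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag


class LinkExtractor(HTMLParser):
    """Collects targets of <a href> and <form action> in one page, resolved against its URI."""

    def __init__(self, base_uri):
        super().__init__()
        self.base_uri = base_uri
        self.targets = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._add(attrs["href"])
        elif tag == "form" and attrs.get("action") is not None:
            # Only forms that carry an action attribute count, matching the paper's rule.
            self._add(attrs["action"])

    def _add(self, raw):
        # Assumption: relative links resolve against the page URI and fragments are ignored.
        uri, _fragment = urldefrag(urljoin(self.base_uri, raw))
        self.targets.add(uri)


def extract_links(uri, html):
    """Set of URIs that the page at `uri` links to, under the two conditions above."""
    parser = LinkExtractor(uri)
    parser.feed(html)
    return parser.targets


def build_link_graph(pages):
    """pages: {uri: html}. Returns {uri: set of uris it links to}, i.e. 'A links to B'."""
    return {uri: extract_links(uri, html) for uri, html in pages.items()}


def page_levels(graph, alert_uri, direction):
    """
    Breadth-first levels from the selected alert page (level 1 = directly connected).
    direction "post": follow links forward, pages reachable from the alert page.
    direction "pre":  follow links backward, pages from which the alert page is reachable.
    The alert page itself is not part of the result.
    """
    if direction == "post":
        neighbours = graph
    elif direction == "pre":
        neighbours = {}
        for src, dsts in graph.items():
            for dst in dsts:
                neighbours.setdefault(dst, set()).add(src)
    else:
        raise ValueError("direction must be 'pre' or 'post'")
    levels = {alert_uri: 0}
    queue = deque([alert_uri])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(neighbours.get(cur, ())):
            if nxt not in levels:
                levels[nxt] = levels[cur] + 1
                queue.append(nxt)
    del levels[alert_uri]
    return levels


# Constructed site (hypothetical URIs and page bodies, not the paper's test application).
SITE = "http://localhost/app/"
PAGES = {
    SITE + "index.php": '<a href="login.php">Login</a><a href="search.php">Search</a>',
    SITE + "login.php": '<form action="auth.php" method="post"><input name="u"></form>',
    SITE + "auth.php": '<a href="index.php">Home</a><a href="admin.php">Admin</a>',
    # A form without an action attribute does not create a link under the paper's rule.
    SITE + "search.php": '<form method="get"><input name="q"></form><a href="index.php#top">Home</a>',
    SITE + "admin.php": "",
}

if __name__ == "__main__":
    graph = build_link_graph(PAGES)
    alert = SITE + "search.php"  # suppose an IDS alert was raised on this page
    print("post-events levels:", page_levels(graph, alert, "post"))
    print("pre-events levels:", page_levels(graph, alert, "pre"))
```

For the constructed site, with search.php as the selected alert page, the post-events levels are index.php at 1, login.php at 2, auth.php at 3 and admin.php at 4, while the pre-events levels are index.php at 1, auth.php at 2 and login.php at 3; admin.php has no outgoing links and therefore never appears on the pre-events side.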