In my thesis I would like to make the first step in auditing web applications. The main difficulty comes from the fact that HTTP is a stateless protocol. This nature of the protocol makes it hard to group individual HTTP requests into sessions, which is necessary for storing the communication's audit data in a searchable and replayable format.
First I summarize my research on the topic by introducing a time-based method and a statistical method that uses Dempster-Shafer theory to resolve the problem. Due to the big difference between the research results and the topic of the thesis, I tried to find other solutions.
After that comes a short description of firewall types and an analysis of some popular web applications (Drupal CMS, WordPress blog engine, Erste netbank, Neptun, diplomaterv.bme.hu, Tomcat Management App).
Then comes the design and implementation of the chosen solution, which is based on injecting tracer cookies. This is followed by the last chapter, which includes the test results of the solution.
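As an added illustration of the tracer-cookie approach (example code, not the thesis's own implementation): a proxy-side sessionizer that injects a tracer cookie when a request carries none, and groups later requests into an audit session keyed on that cookie. The cookie name AUDIT_TRACER, the in-memory session store and the sample traffic are assumptions.

```python
import secrets
from http.cookies import SimpleCookie

# Hypothetical cookie name; the thesis does not state which name it uses.
TRACER_COOKIE = "AUDIT_TRACER"


class TracerSessionizer:
    """Groups stateless HTTP requests into audit sessions: the proxy injects
    a tracer cookie on the first response and keys later requests on it."""

    def __init__(self):
        self.sessions = {}  # session id -> list of audit records

    def process(self, method, path, request_headers):
        """Return (session_id, set_cookie_value_or_None). The second item is
        the Set-Cookie header the proxy must add to the response when the
        client sent no valid tracer yet."""
        jar = SimpleCookie()
        jar.load(request_headers.get("Cookie", ""))
        morsel = jar.get(TRACER_COOKIE)
        set_cookie = None
        if morsel is not None and morsel.value in self.sessions:
            sid = morsel.value
        else:
            # Missing or unknown tracer: open a new session and inject the
            # cookie. Unknown values are never adopted, so a client cannot
            # pick the session id under which its traffic is recorded.
            sid = secrets.token_hex(16)
            self.sessions[sid] = []
            set_cookie = (f"{TRACER_COOKIE}={sid}; Path=/; HttpOnly; "
                          f"Secure; SameSite=Lax")
        self.sessions[sid].append({"method": method, "path": path})
        return sid, set_cookie


def replay_demo():
    """Constructed traffic: client A gets a tracer and returns it; client B
    sends a tracer value the proxy never issued."""
    s = TracerSessionizer()
    sid_a, set_cookie = s.process("GET", "/login", {})
    assert set_cookie is not None  # first contact: cookie injected
    s.process("POST", "/login", {"Cookie": f"{TRACER_COOKIE}={sid_a}"})
    sid_b, _ = s.process("GET", "/", {"Cookie": f"{TRACER_COOKIE}=deadbeef"})
    return s.sessions, sid_a, sid_b
```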