Personalized Message Passing as Email

July 8, 2017 | Author: Bishal Shrestha | Category: Human Computer Interaction, Information Security, Web Design, Computer Security, Message Passing, XSS, CSRF



Bishal Shrestha
B.E / III - Computer Science and Engineering, Angel College of Engineering and Technology, Tirupur, INDIA, [email protected]

Asker Ali A.
B.E / III - Computer Science and Engineering, Angel College of Engineering and Technology, Tirupur, INDIA, [email protected]

Abstract— This paper on "Personalized Message Passing (PMP) as E-Mail" describes a way to address the confidentiality and privacy problems that arise when an organisation relies on a third-party email service. It shows in which areas such a system is useful and how it changes the outcome there. PMP provides a personalised version of the email service that can be adapted to each area's requirements. The paper also covers specific protective measures such as anti-SQL-injection handling and features such as dynamic webpage creation.

Keywords— message passing; anti-SQL injection; session riding; CSRF; XSS; email confidentiality

I. INTRODUCTION

Throughout the development of civilisation people have changed, society has changed and lifestyles have changed, but one thing has not: we find ways to pass messages to one another. We used to pass messages by hand signals, then by written statements, by post, by email and finally by instant messaging, yet email remains the standard message passing mechanism. E-mail (electronic mail) is one of the easiest and fastest ways of passing a message to any part of the world, and in this industrial, scientific and technological era it is the official means of communication. The question that arises is "Is our data confidential?" This is one of the things that matters most in communication: we prefer that no third party sits between us and the receiver. Several web clients provide electronic mail, and they provide it at practically no cost, but how do we know that our data is not open to other parties? In technical terms, when we use a web client to send an email, the message is stored on the provider's servers before it is delivered to the intended receiver. We want our data to stay confidential, and we want an option that does not require sharing it with unwanted parties. The solution we have worked on to avoid these problems is named "Personalized Message Passing (PMP) as E-Mail". PMP lets you pass messages within a domain of people; in a corporation, an institution or any private group of companies it will prove worth using. We can provide a message passing mechanism similar to an email server, but one in which control of your messages stays with you rather than with the managers of some unknown server location.

II. EXISTING SYSTEM

At present there are many email service providers, ranging from the largest corporations to new entrants. They offer gigabytes of storage and some of the best security systems on the internet, and they are built with server-side languages such as PHP, Servlets and JSPs that generate dynamic webpages. Although they provide strong security and can hide our data from external parties, they cannot hide it from themselves: our data remains visible to the provider and can never be fully confidential. A manager in a corporate company expects company messages to be private, because valuable data such as blueprints and product designs must not be accessible to anybody without permission. A security system that does not give our data privacy from the provider itself is not what we want; full confidentiality is what we expect when we pass a message, since a message is a private thing and privacy is a basic right. Beyond bulk storage, protection and security, it is a customised and personalised version of these things that we want.

III. PROPOSED SYSTEM

Personalized Message Passing (PMP) is meant for corporations, institutions and private groups of companies. The project provides a customised and personalised email service so that the manager has control over the data transmitted within the domain. When we use an email service from another provider we do not know who controls our data, we have no privacy on the matters shared between us, and there is no guarantee that important data will not be misused somewhere. Whether it is material shared across an institution, private information of the company or other documents exchanged between two parties, their privacy is not assured.
The security of this confidential information is what our proposed system is about. By providing a customised and personalised message passing system within these institutions we can maintain the confidentiality of the data.

PMP can be modified to the needs of an organisation and then deployed without requiring skilled technicians in the field. Each organisation's needs, storage capacity, manpower and funds will vary. By building the message passing mechanism with PHP and MySQL we can make an effective system that meets the users' needs: PHP and HTML maintain and display the dynamic email features, with MySQL as the back-end. Now that everything is technology-driven, everybody wants their own personalised domain and personalised apps across platforms such as Android, Java and iOS, along with web apps and desktop apps. Our system gives them an instance of their own message passing mechanism, shaped with the up-to-date features available.

IV. SCOPE OF THE RESEARCH

A. Corporate Industry: Industry is one of the factors with a major role in the development of society, and the corporate industry in particular has good scope today. There has always been fierce competition among companies for a position in their area, and a small carelessness, or a misfortune, can ruin a whole company. Each company has its own private information and confidential data, and a small incident can expose those secrets and ultimately harm the business. PMP gives corporations a feasible option for keeping control of one of the most important things, message passing. Every corporate industry, whether IT, the share market, fashion or BPOs, needs to deliver the right information to its employees; this is the most crucial part of the organisation, and the information is meant to stay confidential. But with email services centrally controlled by other parties unknown to us, the data of many companies accumulates on the provider's servers, which is not what the company wants. PMP gives them their own personalised message passing mechanism, entirely under the company's control, which helps them protect the organisation's important data from external parties.

B. Educational Institutions: Education is the door to success, and educational institutions are the path to that door. A proper method of learning is essential for opening it easily. Educational institutions are expected not only to teach students what is in the book but also to deliver information correctly, which brings us back to message passing, an equally important part of such institutions. Consider online portals, department profiles or any other message passing forums: all of these concern how a message is delivered to a large audience, and they remain good means of learning new things. But suppose we want to pass a message to a certain group of people within the institution, or to a separate group of students who share selected interests. Implementing PMP in such institutions has a wide range of advantages for detecting people with similar interests and passing the message to them.

V. IMPLEMENTATION OF THE PROJECT

Fig 1: Internal flow of the Process

A. Front End - HTML: HTML (Hyper Text Markup Language) is a client-side technology used as one of the front-end languages in this project. HTML structures the webpage (headers, body, text, links and so on) and lets the author lay out the components of the page. In this project HTML is used to design the Login page and the Send Mail page and to structure the overall content of the page when a mail is displayed.

B. Server Side - PHP: PHP (PHP: Hypertext Preprocessor) is a server-side web development language, used to create web applications in combination with a web server such as Apache. The work done by PHP is invisible to the end user, because the output of PHP is usually HTML.

PHP in this project provides the database connectivity to the back-end so that the front-end and back-end can communicate; it stores and retrieves data from the database efficiently.

C. Presentation - CSS: CSS (Cascading Style Sheets) is used for the presentation of elements in the webpage, separately from the structure of the document (headers, body, text, links). Separating structure from presentation makes a document's layout easier to maintain and modify. In this project CSS gives the Login page its look, improves the tables and displays received mail in a better way.

D. Back End - MySQL: MySQL is a relational database management system driven by SQL (Structured Query Language), the language of relational databases, and is used across all platforms. In this project MySQL manages the database; data is fetched and stored by means of SQL queries.

VI. TECHNOLOGIES USED

A. Anti-SQL Injection: One well-known SQL injection technique is to place special characters, above all the quote character, in a string that is embedded in a SQL statement. The mysqli extension provides the following functions:
• mysqli_real_escape_string: escapes the special characters in a string so that it can be used in a SQL statement (the older mysql_real_escape_string belongs to the mysql extension, which was removed in PHP 7)
• stripslashes: un-quotes a string that was quoted with addslashes

Fig 2: Use of Stripslashes

We apply mysql_real_escape_string (mysqli_real_escape_string in current PHP) to the data typed by the user before it is placed in a query, so that any special characters added for SQL injection are neutralised rather than interpreted, and stripslashes removes backslashes that were added to the input beforehand (for example by addslashes). Two points matter here: the escaping function does not detect an attack, it only escapes, and stripslashes must run before escaping, never after it, since applying it to an already-escaped string removes the escaping again. Prepared statements with bound parameters (mysqli_prepare and mysqli_stmt_bind_param) are the stronger option, because the query structure is fixed before any user data is attached.

B. Dynamic Page Creation: This concept is used to create the mail pages dynamically at run time. It is commonly used in blogs, where each page is generated from a page ID. Here the $mailID variable creates a page for each new mail received, at run time, which reduces the storage consumed in the database and keeps the whole site manageable with the same syntax.

Fig 3: Dynamic Link Creation

By means of such dynamic pages we can offer actions such as Read, Delete, Important and Spam, some of the premium features of email, within the Personalized Message Passing mechanism.

VII. TECHNOLOGIES IMPLEMENTED (ON RESEARCH)

A. Session Sniffing: Session sniffing is the process of accessing the session established between a user and the web server. When a client connects to the server, a unique session token called the session ID is created after the connection succeeds. The attacker uses a sniffer to capture this session ID and gains unauthorised access to the web server with it.

Fig 4: Attacker sniffing a Session
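Returning to the anti-SQL-injection point of section VI.A: the following is an added example, not code from the paper's project, showing the injection the escaping is meant to stop and the prepared-statement alternative. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the mails table, its columns and the function names are this example's own assumptions, and addslashes stands in for mysqli_real_escape_string, which needs a live connection.

```php
<?php
// Added example (not the paper's code): SQL injection against the mail search of a
// PMP-style application, first with string concatenation, then with a prepared
// statement. In-memory SQLite via PDO; table and column names are assumptions.
declare(strict_types=1);

function makeDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE mails (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, subject TEXT NOT NULL)');
    // Constructed sample data: two users, each with private mail.
    $insert = $db->prepare('INSERT INTO mails (owner, subject) VALUES (?, ?)');
    $rows = [
        ['alice', 'Q3 blueprint review'],
        ['alice', 'Lunch'],
        ['bob',   'Salary revision (confidential)'],
    ];
    foreach ($rows as $row) {
        $insert->execute($row);
    }
    return $db;
}

// VULNERABLE: the search text becomes part of the SQL text, so a quote character
// lets the attacker rewrite the WHERE clause and drop the owner check.
function searchMailVulnerable(PDO $db, string $owner, string $q): array
{
    $sql = "SELECT owner, subject FROM mails WHERE owner = '$owner' AND subject LIKE '%$q%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: placeholders fix the query structure at prepare() time; the search
// text travels separately as data and can never change the WHERE clause.
function searchMailSafe(PDO $db, string $owner, string $q): array
{
    $stmt = $db->prepare('SELECT owner, subject FROM mails WHERE owner = ? AND subject LIKE ?');
    $stmt->execute([$owner, '%' . $q . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDatabase();
// Closes the string literal, adds an always-true clause, comments out the rest.
$payload = "' OR 1=1 --";

// Logged in as alice, searching for the payload: the owner check is commented
// out, so bob's confidential row comes back as well.
$leaked = searchMailVulnerable($db, 'alice', $payload);
echo "vulnerable query: " . count($leaked) . " rows\n";
foreach ($leaked as $row) {
    echo "  {$row['owner']}: {$row['subject']}\n";
}

// Same payload through the prepared statement: it is only text for LIKE to match.
$safe = searchMailSafe($db, 'alice', $payload);
echo "prepared statement: " . count($safe) . " rows\n";

// The escape-then-stripslashes sequence reverses itself: stripslashes() removes
// exactly the backslashes the escaping step added, so the raw payload reaches the
// query. Escaping must be the last step before the query, or be replaced by the
// prepared statement above.
$escaped = addslashes($payload);
$undone  = stripslashes($escaped);
echo "escaping undone by stripslashes: " . var_export($undone === $payload, true) . "\n";
```

The same comparison applies unchanged to mysqli: the concatenated query is the one a real_escape_string call tries to protect, and the prepared statement is what removes the need for escaping altogether.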

Besides the anti-SQL-injection feature, attackers keep finding new ways to take over the session between user and server. We have researched some of the possible methods of preventing such access and used them in the project.

Fig 5: Manipulating the token session

After gaining unauthorised access to the server, the attacker can manipulate the token ID to carry out a session hijack.

Preventing Session Hijacking:
• Encrypting the traffic passed between the parties with SSL/TLS
• Using a long random number or string as the session key
• Regenerating the session key after a successful login
• Checking the IP address of the user

A prevention mechanism such as the IP check ensures that an attacker cannot access the data even if he holds the user's session ID.
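The four countermeasures above, written out as an added example rather than the paper's own code: PHP session configuration for the long random ID and the TLS-only cookie, ID regeneration at login, and a per-request check that implements the IP binding. The ini and cookie settings assume PHP 7.3 or later; the function names and the constructed session array are this example's own.

```php
<?php
// Added example (not the paper's code): session-hijacking countermeasures as PHP
// session configuration plus a per-request validity check. Assumes PHP >= 7.3.
declare(strict_types=1);

// Call once per request, before session_start().
function configureSession(): void
{
    ini_set('session.use_strict_mode', '1');     // refuse IDs the server did not issue (defeats fixation)
    ini_set('session.use_only_cookies', '1');    // never read the ID from the URL
    ini_set('session.sid_length', '48');         // long random ID: 48 chars x 6 bits = 288 bits
    ini_set('session.sid_bits_per_character', '6');
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over TLS, so a sniffer on the path sees nothing
        'httponly' => true,     // not readable from document.cookie (limits theft through XSS)
        'samesite' => 'Strict', // not attached to cross-site requests (also helps against CSRF)
    ]);
}

// Call after the password check succeeds: the ID the client had before login
// (possibly observed or planted by an attacker) is discarded and a fresh one issued.
function establishLogin(string $userId, string $clientIp, string $userAgent): void
{
    session_regenerate_id(true);
    $_SESSION = [
        'user_id'   => $userId,
        'bound_ip'  => $clientIp,
        'ua_hash'   => hash('sha256', $userAgent),
        'last_seen' => time(),
    ];
}

// The per-request check behind "IP check of the user": a stolen session ID is not
// enough on its own; the request must also come from the address and client
// recorded at login, and the session must not have gone idle. Written as a pure
// function of its inputs so it can be exercised outside a web request.
function sessionIsValid(array $session, string $clientIp, string $userAgent, int $now, int $idleLimit = 900): bool
{
    foreach (['user_id', 'bound_ip', 'ua_hash', 'last_seen'] as $key) {
        if (!isset($session[$key])) {
            return false;
        }
    }
    if (!hash_equals((string) $session['bound_ip'], $clientIp)) {
        return false;   // ID presented from an address other than the one it was issued to
    }
    if (!hash_equals((string) $session['ua_hash'], hash('sha256', $userAgent))) {
        return false;   // different client software than at login
    }
    if ($now - (int) $session['last_seen'] > $idleLimit) {
        return false;   // idle timeout limits the window in which a captured ID is useful
    }
    return true;
}

// Constructed walk-through (no web server involved): a session bound to one client,
// then the same session replayed from an attacker's address and after a long idle time.
$loginTime = 1700000000;
$agent = 'Mozilla/5.0 (X11; Linux x86_64)';
$session = [
    'user_id'   => 'alice',
    'bound_ip'  => '203.0.113.10',
    'ua_hash'   => hash('sha256', $agent),
    'last_seen' => $loginTime,
];
var_dump(sessionIsValid($session, '203.0.113.10', $agent, $loginTime + 60));   // genuine client
var_dump(sessionIsValid($session, '198.51.100.7', $agent, $loginTime + 60));   // replayed from another address
var_dump(sessionIsValid($session, '203.0.113.10', $agent, $loginTime + 3600)); // idle longer than the limit
```

One caveat a deployment should weigh: binding to the exact client address logs out users whose address changes mid-session (mobile networks, NAT pools with several egress addresses). Some sites compare only an address prefix or drop the IP check and rely on TLS, the long ID and regeneration at login; the check above makes that trade-off explicit in one place.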

B. Cross-Site Scripting (XSS): Cross-site scripting occurs when a web application takes malicious data from a user and places it in a page without neutralising it; the malicious data is usually delivered in the form of a hyperlink. When such a hyperlink is clicked from an external website, the attacker's script runs in the victim's browser and can collect information such as email messages and send it to a page the attacker controls, to be used later for accessing the victim's private data. XSS exploits the trust a user has in a particular website. The attack can be carried out by tricking the user into submitting web scripting code such as JavaScript to a dynamic form on the target website:

http://www.examplesite.com/submit.php?value=<script>alert(document.cookie)</script>

Fig 6: URL of an XSS Attack

When the victim clicks the link above, the page pops up an alert showing the cookies of the current session; a real payload would transmit those cookies to a destination of the attacker's choosing instead. The link is harder to recognise when the script is hex-encoded.

Preventing XSS Attack:
• Adding input validation to our script, for example (Perl) $text =~ s/[^A-Za-z0-9]*//g; which keeps only letters and digits and is therefore suited to fields such as identifiers rather than to mail text
• Using the HTML::Entities module bundled in the libwww-perl CPAN distribution to encode output before it is written into the page; the PHP equivalent is htmlspecialchars()

These input validation and output encoding techniques are introduced to avoid cross-site scripting attacks in the personalised mail passing platform.

C. Cross-Site Request Forgery (CSRF): Cross-site request forgery, also known as session riding, is the transmission of unauthorised commands from a user the website trusts; it exploits the trust a website has in the user's browser. CSRF attacks are commonly mounted through image tags on sites that let users post images but not JavaScript, and such attacks have been made against websites like Google and Yahoo. If the user's cookie has not expired and the user loads an image whose reference points at a vulnerable action, that action takes place without the victim's consent.

Fig 7: Vulnerable code of CSRF (an image tag labelled "View your Image"; the markup itself did not survive in this copy)

When the CSRF example above is loaded it acts on the user's unread mail, because the browser attaches the session cookie (which should hold only the session ID, never the password) to the forged request. A user authenticated by a cookie saved in the web browser can thus be made to send an HTTP request to a site it trusts, causing unwanted actions.

Preventing Session Riding: Synchronizer Token Pattern: a secret token is placed in a hidden field of every form on the page and verified on the server side. The token can be generated with a hash chain, or simply as a cryptographically random value per session; either way the attacker is unable to place the correct token in the forged request.

Fig 8: Passing of Token in each request

There are other ways of passing tokens, such as a custom HTTP request header and the cookie-to-header token. These can be used in Personalized Message Passing to stop an attacker from acting on important details like mails through CSRF.
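The synchronizer token pattern of the previous paragraphs, as an added example that is not the paper's code: the token comes from the operating system's CSPRNG, lives in the session, is emitted as a hidden field, and is compared in constant time before a mail action runs. The form layout, the csrf_token field name and the function names are this example's own assumptions.

```php
<?php
// Added example (not the paper's code): synchronizer token pattern for the PMP
// mail actions. Session is passed as an array so the check runs outside a web request.
declare(strict_types=1);

// Issue one token per session, created lazily and reused for the session's lifetime.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));   // 256 bits from the OS CSPRNG
    }
    return $session['csrf_token'];
}

// Hidden field for every state-changing form (Read, Delete, Important, Spam ...).
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Server-side check before the action runs. The request must be a POST (an <img>
// tag can only issue GET) and must carry the session's token; hash_equals avoids a
// timing side channel on the comparison.
function csrfIsValid(array $session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;
    }
    if (!isset($session['csrf_token'], $post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Constructed walk-through: the victim's own page carries the token; a request
// forged from another origin has no way to learn it.
$session = [];
$form = '<form method="post" action="mail.php?action=delete&amp;mailID=42">'
      . csrfField($session)
      . '<button>Delete</button></form>';
echo $form, "\n";

$legit  = ['csrf_token' => $session['csrf_token']];
$forged = ['csrf_token' => str_repeat('0', 64)];   // attacker's guess, right length, wrong value

var_dump(csrfIsValid($session, 'POST', $legit));   // genuine form submission
var_dump(csrfIsValid($session, 'POST', $forged));  // wrong token
var_dump(csrfIsValid($session, 'GET', $legit));    // image-tag style request, not a POST
var_dump(csrfIsValid($session, 'POST', []));       // token missing altogether
```

The cookie-to-header variant mentioned above uses the same verification, with the token read from a request header that the page's own JavaScript copies out of a cookie; a SameSite=Strict session cookie, as configured in the session example, adds a second layer because the browser then omits the cookie from cross-site requests entirely.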
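For the XSS prevention above and the dynamic link creation of section VI.B (Fig 3), an added example that is not the paper's code: output encoding that keeps mail text intact instead of stripping it to letters and digits, plus integer validation of the $mailID used to build each per-mail page, since that value ends up both in a URL and in a WHERE clause. The payload is the one from Fig 6; the page names, the sample mail and the helper names are assumptions.

```php
<?php
// Added example (not the paper's code): output encoding for mail content rendered
// into HTML, and validation of the mail ID used for the dynamic per-mail pages.
declare(strict_types=1);

// Encode a string for the HTML text and attribute contexts. ENT_QUOTES covers both
// quote characters so the value is safe inside attributes; ENT_SUBSTITUTE and the
// explicit UTF-8 charset stop malformed byte sequences from slipping through.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The mail ID is validated as a positive integer rather than escaped, so that
// neither the URL nor the SQL that uses it can be influenced by its text.
function mailIdFromRequest(array $get): ?int
{
    if (!isset($get['mailID']) || !is_string($get['mailID'])) {
        return null;
    }
    $id = filter_var($get['mailID'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Dynamic link to a received mail: integer ID in the URL, encoded subject as link text.
function mailLink(int $mailId, string $subject): string
{
    return '<a href="read.php?mailID=' . $mailId . '">' . h($subject) . '</a>';
}

// Render the message body as plain text inside the page. If rich mail bodies are
// ever allowed, an allow-list sanitizer is needed; encoding is the right default.
function renderBody(string $body): string
{
    return '<pre>' . h($body) . '</pre>';
}

// Constructed inputs: the Fig 6 payload as a mail subject, an event-handler payload
// in a body, and hostile mailID values as they might arrive in the query string.
$subjectPayload = '<script>alert(document.cookie)</script>';
echo mailLink(7, $subjectPayload), "\n";   // the script tags come out as entities, never as markup

$bodyPayload = "Blueprint attached.\n" . '<img src=x onerror="alert(document.cookie)">';
echo renderBody($bodyPayload), "\n";

var_dump(mailIdFromRequest(['mailID' => '42']));          // accepted
var_dump(mailIdFromRequest(['mailID' => '42 OR 1=1']));   // rejected: not an integer
var_dump(mailIdFromRequest(['mailID' => '<script>']));    // rejected
var_dump(mailIdFromRequest(['mailID' => '0']));           // rejected: below min_range
var_dump(mailIdFromRequest([]));                          // rejected: missing
```

The regular expression quoted in the XSS section would turn "Q3 blueprint review: see attachment" into "Q3blueprintreviewseeattachment"; encoding at output time leaves the text readable while guaranteeing that nothing in it is interpreted as HTML.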

VIII. CONCLUSION

This paper has explained the scope of the PMP project in fields such as the corporate world and educational institutions. It has shown the implementation layers of the project (front-end, back-end and presentation) and demonstrated the key features and technologies used in it. PMP keeps control of your messages within your own domain; overall, Personalized Message Passing as an email service can provide the required privacy and confidentiality for the data exchanged within a specific area.

