This report focuses on vulnerabilities on web-applications and web-sites from Cross-Site Scripting attacks (XSS). The different types of XSS attacks are examined: DOM-based, active and passive attacks. The spread of XSS attacks across... more
This report focuses on vulnerabilities on web-applications and web-sites from Cross-Site Scripting attacks (XSS). The different types of XSS attacks are examined: DOM-based, active and passive attacks. The spread of XSS attacks across platforms government and financial institutions, transportation companies, hospitality and entertainment has been analyzed. Research and analysis of the security of corporate websites and their resistance to XSS attacks have been carried out. The basic guidelines for preventing valuable data theft and unauthorized access to websites and applications from XSS attacks are reviewed and systematized.
Web application has become an essential part of daily activities to provide easy accessibility that ensures better performance. It is a platform where sensitive information such as username, password, credit card details, operating system... more
Web application has become an essential part of daily activities to provide easy accessibility that ensures better performance. It is a platform where sensitive information such as username, password, credit card details, operating system and software version. is stored that attracts intruders to generate most of their attacks. Intruders can steal valuable data by compromising web application security flaws; cross site scripting (XSS) vulnerability is one of these. Several studies have been conducted in order to prevent the XSS vulnerability. In this research, we searched Scopus Indexed articles published in the last 11 years (between 2008 and 2020) using two keywords ("XSS attack prevention" and "XSS prevention"). The purpose of this study was to conduct a literature review on XSS prevention techniques e.g., strengths and weaknesses, including structural issues and real-time deployment location in order to extract valuable information. This review identified 14 articles among the 25 selected articles that provided various suitable prevention techniques for XSS attacks. Seven articles are based on tools that have been implemented and take into account design, coding, testing, and integrating validation processes, six articles are about server site solutions, and one is about automatic mitigation solutions. As a result, this research will be invaluable in guiding the advancement of XSS prevention techniques.
PHP is one of the most commonly used languages to develop web sites because of its simplicity, easy to learn and it can be easily embedded with any of the databases. A web developer with his basic knowledge developing an application... more
PHP is one of the most commonly used languages to develop web sites because of its simplicity, easy to learn and it can be easily embedded with any of the databases. A web developer with his basic knowledge developing an application without practising secure guidelines, improper validation of user inputs leads to various source code vulnerabilities. Logical flaws while designing, implementing and hosting the web application causes work flow deviation attacks. In this paper, we are analyzing the complete behaviour of a web application through static and dynamic analysis methodologies.
Organizations invest heavily in technical controls for their Information Assurance (IA) infrastructure. These technical controls mitigate and reduce the risk of damage caused by outsider attacks. Most organizations rely on training to... more
Organizations invest heavily in technical controls for their Information Assurance (IA) infrastructure. These technical controls mitigate and reduce the risk of damage caused by outsider attacks. Most organizations rely on training to mitigate and reduce risk of non-technical attacks such as social engineering. Organizations lump IA training into small modules that personnel typically rush through because the training programs lack enough depth and creativity to keep a trainee engaged. The key to retaining knowledge is making the information memorable. This paper describes common and emerging attack vectors and how to lower and mitigate the associated risks.
— Application-level web security refers to obligation inherent in the code of a web-application itself. few months ago application-level vulnerabilities have been exploited with serious consequences: hackers have good knowledge of... more
— Application-level web security refers to obligation inherent in the code of a web-application itself. few months ago application-level vulnerabilities have been exploited with serious consequences: hackers have good knowledge of e-commerce sites into shipping goods for no charge, usernames and passwords have been harvested and confidential information has been leaked. In this paper we introduce new tools and techniques which address the problem of application-level web security. (i) We describe a scalable structuring mechanism facilitating the abstraction of security policies from large web-applications developed in heterogeneous multi-platform environments. (ii) In that present a tool which assists programmers develop secure applications which are resilient to a wide range of common attacks. (iii) The report results and experience arising from our implementation of these techniques.
ABSTRACT Due to its distributed and open nature, Web Services give rise to new security challenges. This technology is susceptible to Cross-site Scripting (XSS) attack, which takes advantage of existing vulnerabilities. The proposed... more
ABSTRACT Due to its distributed and open nature, Web Services give rise to new security challenges. This technology is susceptible to Cross-site Scripting (XSS) attack, which takes advantage of existing vulnerabilities. The proposed approach makes use of two Security Testing techniques, namely Penetration Testing and Fault Injection, in order to emulate XSS attack against Web Services. This technology, combined with WS-Security (WSS) and Security Tokens, can identify the sender and guarantee the legitimate access control to the SOAP messages exchanged. We use the vulnerability scanner soapUI that is one of the most recognized tools of Penetration Testing. In contrast, WSInject is a new fault injection tool, which introduces faults or errors on Web Services to analyze the behavior in an environment not robust. The results show that the use of WSInject, in comparison to soapUI, improves the detection of vulnerability allows to emulate XSS attack and generates new types of them.
While the 21st century has seen the explosion of the Internet bubble and the arrival of Web 2.0, the standards have changed very little to support the growing number of new programs. Nevertheless developers have managed to continue... more
While the 21st century has seen the explosion of the Internet bubble and the arrival of Web 2.0, the standards have changed very little to support the growing number of new programs. Nevertheless developers have managed to continue delivering interactivity with the users and have continued to provide interesting Web-based applications for online services. Most web applications include JavaScript language that executes on the end-user's browser, unlike other languages such as Java, ASP and PHP that run on the server-side. Running a web application on a client’s browser allows it to acquire and obtain different HTTP parameters that may put it within a sizable diversity of web security vulnerabilities, such as SQL injection and Cross-site scripting (XSS). XSS vulnerabilities are undoubtedly the most common vulnerabilities found in Web applications. Although cross-site scripting has been assessed as mild-severity vulnerability from time to time, the development of XSS attacks has revived its portrait. This paper will discuss XSS vulnerabilities; most importantly, it will study three common known forms of XSS and approaches to preventing XSS attacks. Keywords: cross-site scripting, XSS, persistent, content security policy, DOM
SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application’s database server (also commonly referred to as... more
SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application’s database server (also commonly referred to as a Relational Database Management System – RDBMS). Since an SQL injection vulnerability could possibly affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities. By leveraging SQL injection vulnerability, given the right circumstances, an attacker can use it to bypass a web application’s authentication and authorization mechanisms and retrieve the contents of an entire database. SQL injection can also be used to add, modify and delete records in a database, affecting data integrity. To such an extent, SQL injection can provide an attacker with unauthorized access to sensitive data including, customer data, personally identifiable information (PII), trade secrets, intellectual property and other sensitive information.
Cross Site Scripting (XSS) attacks are most common vulnerability issues in the digital era for the Web applications. These attacks occur, when an attacker uses a web application to send malicious code in the form of client side script.... more
Cross Site Scripting (XSS) attacks are most common vulnerability issues in the digital era for the Web applications. These attacks occur, when an attacker uses a web application to send malicious code in the form of client side script. These scripts exploit the vulnerabilities in the code and resulting in a serious consequence like theft of cookies, passwords and any confidential user data. In extreme cases, the user may have lost his/her control on the browser. In this paper, we explained detection, and prevention of Cross Site Scripting (XSS) vulnerability attacks through a systematic review process. Vamsi Mohan | Dr. Sandeep Malik"Secure Web Applications Against Cross Site Scripting (XSS): A Review" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-2 | Issue-1 , December 2017, URL: http://www.ijtsrd.com/papers/ijtsrd7135.pdf
Web applications are becoming a requisite mediator to provide access to the various on-line dynamic web services. As more features add to making interactive and efficient web applications, attackers get more options to bypass those... more
Web applications are becoming a requisite mediator to provide access to the various on-line dynamic web services. As more features add to making interactive and efficient web applications, attackers get more options to bypass those vulnerabilities. According to OWASP Community, the number of web attacks is increasing drastically since last few years. Cross Site Scripting (XSS) is one of the vulnerabilities commonly found on websites which affects both the client and server as well. These types of attack usually take place due to vulnerabilities of User Interface. This paper discusses why the Cross Site Scripting Attack is so threatening and what are the potential consecutions of such kind of attacks. Further, this article provides an approach to user input sanitization techniques to prevent critical XSS attacks.
Web-based applications has turn out to be very prevalent due to the ubiquity of web browsers to deliver service oriented application on-demand to diverse client over the Internet and cross site scripting (XSS) attack is a foremost... more
Web-based applications has turn out to be very prevalent due to the ubiquity of web browsers to deliver service oriented application on-demand to diverse client over the Internet and cross site scripting (XSS) attack is a foremost security risk that has continuously ravage the web applications over the years. This paper critically examines the concept of XSS and some recent approaches for detecting and preventing XSS attacks in terms of architectural framework, algorithm used, solution location, and so on. The techniques were analysed and results showed that most of the available recognition and avoidance solutions to XSS attacks are more on the client end than the server end because of the peculiar nature of web application vulnerability and they also lack support for self-learning ability in order to detect new XSS attacks. Few researchers as cited in this paper inculcated the self-learning ability to detect and prevent XSS attacks in their design architecture using artificial neu...
Cybersecurity is a global challenge as Cyberspace is never risk free. Cybersecurity ensures the attainment and maintenance of the security properties of the digital infrastructure and services against relevant security risks in the cyber... more
Cybersecurity is a global challenge as Cyberspace is never risk free. Cybersecurity ensures the attainment and maintenance of the security properties of the digital infrastructure and services against relevant security risks in the cyber environment. Currently web applications are highly functional and rely upon two-way flow of information between the server and browser. New technologies in Web applications have brought with them a new range of security vulnerabilities and new possibilities for exploitation. WebGIS is an effective way for disseminating geospatial data and geo-processing tools through internet. WebGIS is similar to the client/server architecture and the server-side geo-processing components will store, process and serve the data to the client/browser, during which Database server, Application server and a web server will be involved. The networking infrastructure in WebGIS environment plays a critical role in the security of the data centres. This paper presents the architecture of WebGIS environment, role of networking components, traits of Cybersecurity and portrays various defence mechanisms that aid in Cybersecurity in WebGIS environment.
Hypertext pre-processor (PHP), a server side scripting language very often used to develop a web application. Web application has a big importance in communication over internet. Web applications got very fast growth in past some time. To... more
Hypertext pre-processor (PHP), a server side scripting language very often used to develop a web application. Web application has a big importance in communication over internet. Web applications got very fast growth in past some time. To pay bills, shopping, transactions, emails, social networking every days billions of users using these web application on in internet. Though web applications are very effective and time saving still security threats is also there. Now a day’s most of the application facing problem of security and data integrity. This study is to give different types possible attacks on web application which is developed by using php and how we anticipate such attack and prevent from them for future.
Researchers have devised multiple solutions to cross-site scripting, but vulnerabilities persists in many Web applications due to developer " s lack of expertise in the problem identification and their unfamiliarity with the current... more
Researchers have devised multiple solutions to cross-site scripting, but vulnerabilities persists in many Web applications due to developer " s lack of expertise in the problem identification and their unfamiliarity with the current mechanisms. As proclaimed by the experts, cross-site scripting is among the serious and widespread threats in Web applications these days more than buffer overflows. Recent study shows XSS has ranked first in the MITRE Common Weakness Enumeration (CWE)/SANS Institute list of Top 25 Most Dangerous Software Errors and second in the Open Web Application Security Project (OWASP). However, vulnerabilities continue to exist in many Web applications due to developers " lack of understanding of the problem and their unfamiliarity with current guarding strengths and limitations. Existing techniques for defending against XSS exploits suffer from various weaknesses: inherent limitations, incomplete implementations, complex frameworks, runtime overhead, and intensive manual-work requirements. Security researchers can address these weaknesses from two different perspectives. They need to look beyond current techniques by incorporating more effective input validation and sanitization features. In time, development tools will incorporate security frameworks such as ESAPI that implement state-of-the-art technology. This paper focus on program verification perspective, how researchers must integrate program analysis, pattern recognition, concolic testing, data mining, and AI algorithms to solve different software engineering problems and to enhance the effectiveness of vulnerability detection. Focus on such issues would improve the precision of current methods by acquiring attack code patterns from outside experts as soon as they become available.
Most web programs are vulnerable to cross site scripting (XSS) that can be exploited by injecting JavaScript code. Unfortunately, injected JavaScript code is difficult to distinguish from the legitimate code at the client side. Given... more
Most web programs are vulnerable to cross site scripting (XSS) that can be exploited by injecting JavaScript code. Unfortunately, injected JavaScript code is difficult to distinguish from the legitimate code at the client side. Given that, server side detection of injected JavaScript code can be a layer of defense. Existing server side approaches rely on identifying legitimate script code, and an attacker can circumvent the technique by injecting legitimate JavaScript code. Moreover, these approaches assume that no JavaScript code is downloaded from third party websites. To address these limitations, we develop a server side approach that distinguishes injected JavaScript code from legitimate JavaScript code. Our approach is based on the concept of injecting comment statements containing random tokens and features of legitimate JavaScript code. When a response page is generated, JavaScript code without or incorrect comment is considered as injected code. Moreover, the valid comments are checked for duplicity. Any presence of duplicate comments or a mismatch between expected code features and actually observed features represents JavaScript code as injected. We implement a prototype tool that automatically injects JavaScript comments and deploy injected JavaScript code detector as a server side filter. We evaluate our approach with three JSP programs. The evaluation results indicate that our approach detects a wide range of code injection attacks.
Organizations invest heavily in technical controls for their Information Assurance (IA) infrastructure. These technical controls mitigate and reduce the risk of damage caused by outsider attacks. Most organizations rely on training to... more
Organizations invest heavily in technical controls for their Information Assurance (IA) infrastructure. These technical controls mitigate and reduce the risk of damage caused by outsider attacks. Most organizations rely on training to mitigate and reduce risk of non-technical attacks such as social engineering. Organizations lump IA training into small modules that personnel typically rush through because the training programs lack enough depth and creativity to keep a trainee engaged. The key to retaining knowledge is making the information memorable. This paper describes common and emerging attack vectors and how to lower and mitigate the associated risks.
—The best practice to prevent Cross Site Scripting (XSS) attacks is to apply encoders to sanitize untrusted data. To balance security and functionality, encoders should be applied to match the web page context, such as HTML body,... more
—The best practice to prevent Cross Site Scripting (XSS) attacks is to apply encoders to sanitize untrusted data. To balance security and functionality, encoders should be applied to match the web page context, such as HTML body, JavaScript, and style sheets. A common programming error is the use of a wrong type of encoder to sanitize untrusted data, leaving the application vulnerable. We present a security unit testing approach to detect XSS vulnerabilities caused by improper encoding of untrusted data. Unit tests for the XSS vulnerability are constructed out of each web page and then evaluated by a unit test execution framework. A grammar-based attack generator is devised to automatically generate test inputs. We also propose a vulnerability repair technique that can automatically fix detected vulnerabilities in many situations. Evaluation of this approach has been conducted on an open source medical record application with over 200 web pages written in JSP.
Web applications are constantly under attack. They are popular, typically accessible from anywhere on the Internet, and they can be abused as malware delivery systems. Cross-site scripting flaws are one of the most common types of... more
Web applications are constantly under attack. They are popular, typically accessible from anywhere on the Internet, and they can be abused as malware delivery systems. Cross-site scripting flaws are one of the most common types of vulnerabilities that are leveraged to compromise a web application and its users. A large set of cross-site scripting vulnerabilities originates from the browser’s confusion between data and code. That is, untrusted data input to the web application is sent to the clients ’ browser, where it is then interpreted as code and executed. While new applications can be designed with code and data separated from the start, legacy web applications do not have that luxury. This paper presents a novel approach to securing legacy web applications by automatically and statically rewriting an application so that the code and data are clearly separated in its web pages. This transformation protects the application and its users from a large range of server-side cross-sit...
Security issues of web applications are still a current topic of interest especially when considering the consequences of unintended behaviour. Such services might handle sensitive data about several thousands or millions of users. Hence,... more
Security issues of web applications are still a current topic of interest especially when considering the consequences of unintended behaviour. Such services might handle sensitive data about several thousands or millions of users. Hence, exploiting services or other undesired effects that cause harm on users has to be avoided. Therefore, for software developers of such applications one of the major tasks in providing security is to embed testing methodologies into the software development cycle, thus minimizing the subsequent damage resulting in debugging and time intensive upgrading. Model-based testing evolved as one of the methodologies which offer several theoretical and practical approaches in testing the system under test (SUT) that combine several input generation strategies like mutation testing, using of concrete and symbolic execution etc. by putting the emphasis on specification of the model of an application. In this work we propose an approach that makes use of an attack pattern model in form of a UML state machine for test case generation and execution. The paper also discusses the current implementation of our attack pattern testing tool using a XSS attack pattern and demonstrates the execution in a case study. Index Terms-Attack pattern model, cross-site scripting, model-based testing, security testing.
Government bringing innovation into its activities is a good gesture but innovation that constitutes peril due to inadequate technical capability necessitates re-assessment, hence this investigation.This study investigated susceptibility... more
Government bringing innovation into its activities is a good gesture but innovation that constitutes peril due to inadequate technical capability necessitates re-assessment, hence this investigation.This study investigated susceptibility of some chosen government websites to infiltration due to flaws in the design of their websites. Sixty four websites of some organizations were randomly selected using an advanced feature of google to sieve organization’s websites that have adopted the use of country code Top Level Domain (ccTLD) i.e. the “.gov.ng”. The research was based on some major measuring parameters which are: Cross Site Scripting (XSS), Structured Query Language injection (SQLi), Cookie manipulation (CM), unencrypted password (UP) and broken links (BL). The sixty four (64) government websites chosen span 8 categories of sectors with a view to evaluating their immunity against cyber attacks. It was found that 27 (42.2%) of the websites are vulnerable to XSS, while 20 (31.3%) to SQLi. Also, 24 websites which represents 37.5% of the websites examined are having the password inputted by the user unencrypted while a high percentage (70.3) have informational issues, like broken links which in itself may not constitute high vulnerability but could create susceptible platform which could permit infiltration. Thereafter, some appropriate policy directions which provide technical advice as to protect government resources available through the Internet were advanced. This tends to also increase citizens’ confidence on the adoption of the government web-presence initiative.
In 2014 over 70% of people in Great Britain accessed the Internet every day. This resource is an optimal vector for malicious attackers to penetrate home computers and as such compromised pages have been increasing in both number and... more
In 2014 over 70% of people in Great Britain accessed the Internet every day. This resource is an optimal vector for malicious attackers to penetrate home computers and as such compromised pages have been increasing in both number and complexity. This paper presents X-Secure, a novel browser plug-in designed to present and raise the awareness of inexperienced users by analysing web-pages before malicious scripts are executed by the host computer. X-Secure was able to detect over 90% of the tested attacks and provides a danger level based on cumulative analysis of the source code, the URL, and the remote server, by using a set of heuristics, hence increasing the situational awareness of users browsing the internet.
The stipulation of electronic services, such as Transactional, Non-transactional, Financial institution administration, Management of multiple users having varying levels of authority and Transaction approval process, by banking... more
The stipulation of electronic services, such as Transactional, Non-transactional, Financial institution administration, Management of multiple users having varying levels of authority and Transaction approval process, by banking organizations evolves and spreads with the introduction of enhanced communication technologies. More specifically, the information systems (IS) auditor should have the necessary technical and operational skills and knowledge to carry out the review of the technology employed and risks associated with Internet banking, Financial services etc. Following this necessity an approach made by URL Analysis and Cross Site Scripting with Secured Authentication Protocol System in Financial Services [URL-SAP] is presented to provide security to the end users.
Cross channel scripting (XCS) is a common web application vulnerability, which is a variant of a cross-site scripting (XSS) attack. An XCS attack vector can be injected through network protocol and smart devices that have web interfaces... more
Cross channel scripting (XCS) is a common web application vulnerability, which is a variant of a cross-site scripting (XSS) attack. An XCS attack vector can be injected through network protocol and smart devices that have web interfaces such as routers, photo frames, and cameras. In this attack scenario, the network devices allow the web administrator to carry out various functions related to accessing the web content from the server. After the injection of malicious code into web interfaces, XCS attack vectors can be exploited in the client browser. In addition, scripted content can be injected into the networked devices through various protocols, such as network file system, file transfer protocol (FTP), and simple mail transfer protocol. In this paper, various computational techniques deployed at the client and server sides for XCS detection and mitigation are analyzed. Various web application scanners have been discussed along with specific features. Various computational tools ...
Input sanitization mechanisms are widely used to mitigate vulnerabilities to injection attacks such as cross-site scripting. Static analysis tools and techniques commonly used to ensure that applications utilize sanitization functions.... more
Input sanitization mechanisms are widely used to mitigate vulnerabilities to injection attacks such as cross-site scripting. Static analysis tools and techniques commonly used to ensure that applications utilize sanitization functions. Dynamic analysis must be to evaluate the correctness of sanitization functions. The proposed approach is based on unit testing to bring the advantages of both static and dynamic techniques to the development time. Our approach introduces a technique to automatically extract the sanitization functions and then evaluate their effectiveness against attacks using automatically generated attack vectors. The empirical results show that the proposed technique can detect security flaws cannot find by the static analysis tools.
PHP is one of the most commonly used languages to develop web sites because of its simplicity, easy to learn and it can be easily embedded with any of the databases. A web developer with his basic knowledge developing an application... more
PHP is one of the most commonly used languages to develop web sites because of its simplicity, easy to learn and it can be easily embedded with any of the databases. A web developer with his basic knowledge developing an application without practising secure guidelines, improper validation of user inputs leads to various source code vulnerabilities. Logical flaws while designing, implementing and hosting the web application causes work flow deviation attacks. In this paper, we are analyzing the complete behaviour of a web application through static and dynamic analysis methodologies.
Integrating security testing into the workflow of software developers not only can save resources for separate security testing but also reduce the cost of fixing security vulnerabilities by detecting them early in the development cycle.... more
Integrating security testing into the workflow of software developers not only can save resources for separate security testing but also reduce the cost of fixing security vulnerabilities by detecting them early in the development cycle. We present an automatic testing approach to detect a common type of Cross Site Scripting (XSS) vulnerability caused by improper encoding of untrusted data. We automatically extract encoding functions used in a web application to sanitize untrusted inputs and then evaluate their effectiveness by automatically generating XSS attack strings. Our evaluations show that this technique can detect 0-day XSS vulnerabilities that cannot be found by static analysis tools. We will also show that our approach can efficiently cover a common type of XSS vulnerability. This approach can be generalized to test for input validation against other types injections such as command line injection.