5,812 results on '"Web application security"'
Search Results
2. Comparative Analysis of CNN and Transformers on Malicious Intent Detection in HTTP
- Author: Tiwari, Kanishka, Bhatia, Anmolpreet Singh, Garg, Nibhrit, Arora, Ishaan, Saini, Poonam, Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, Pastor-Escuredo, David, editor, Brigui, Imene, editor, Kesswani, Nishtha, editor, Bordoloi, Sushanta, editor, and Ray, Ashok Kumar, editor
- Published: 2024
- Full Text
3. Penetration Testing for the Cloud-Based Web Application
- Author: Al-Khannak, Rafid, Nehal, Sajjan Singh, Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, Joshi, Amit, editor, Mahmud, Mufti, editor, Ragel, Roshan G., editor, and Karthik, S., editor
- Published: 2024
- Full Text
4. Threats and Vulnerabilities in Web Applications and How to Avoid Them
- Author: Čović, Zlatko, Masys, Anthony J., Editor-in-Chief, Bichler, Gisela, Advisory Editor, Bourlai, Thirimachos, Advisory Editor, Johnson, Chris, Advisory Editor, Karampelas, Panagiotis, Advisory Editor, Leuprecht, Christian, Advisory Editor, Morse, Edward C., Advisory Editor, Skillicorn, David, Advisory Editor, Yamagata, Yoshiki, Advisory Editor, Kovács, Tünde Anna, editor, Nyikes, Zoltán, editor, Berek, Tamás, editor, Daruka, Norbert, editor, and Tóth, László, editor
- Published: 2024
- Full Text
5. Protecting Patient Privacy: Understanding and Classifying Attacks and Vulnerabilities in Web-Based Healthcare Records
- Author: Bensahab, Laila, Abouelmehdi, Karim, Elmoutaouakkil, Abdelmajid, Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, Ezziyyani, Mostafa, editor, and Balas, Valentina Emilia, editor
- Published: 2024
- Full Text
6. Game-based detection method of broken access control vulnerabilities in Web application.
- Author: HE Haitao, XU Ke, YANG Shuailin, ZHANG Bing, ZHAO Yuxuan, and LI Jiazheng
- Abstract
To solve the problem that the access control strategy of a program in the industrial Internet was difficult to extract from the source code, and that a user's access operations were unlikely to trigger all access paths, which made universal detection of logical vulnerabilities difficult, game theory was applied to access control logic vulnerability detection for the first time. The vulnerabilities were identified by analyzing the game results of different participants on resource pages in the Web application, so that the access logic of different users could be obtained in a targeted way. Experimental results demonstrate that the proposed method successfully detects 31 vulnerabilities, including 8 unreported ones, across 11 open-source applications, with a detection range exceeding 90%. [ABSTRACT FROM AUTHOR]
- Published: 2024
- Full Text
7. WebHOLE: Developing a web-based hands-on learning environment to assist beginners in learning web application security.
- Author: Su, Jun-Ming
- Subjects: WEB-based user interfaces, INTERNET security, LEARNING, ONLINE education, UNDERGRADUATES
- Abstract
With the rapid growth of web applications, web application security (WAS) has become an important cybersecurity issue. For effective WAS protection, it is necessary to cultivate and train personnel, especially beginners, to develop correct concepts and practical hands-on abilities through cybersecurity education. At present, many methods offer vulnerable web environments to support practical hands-on training, including large-scale "Capture the Flag" mode (e.g., Cyber Range), pre-configured virtual machine images (e.g., Mutillidae), pre-built stand-alone applications (e.g., WebGoat), and web-based systems (e.g., Damn Vulnerable Web Application). However, beginners need not only hands-on training tools and systems but also assistance to support effective learning. Moreover, pre-built training content and exercises are usually not easy to modify and thus lack the flexibility to meet specific teaching needs. Therefore, this study proposed and developed the Web-based Hands-On Learning Environment (WebHOLE) to efficiently assist beginners in learning WAS. To improve the flexibility of the training content, a web-based authoring tool was developed in WebHOLE to create customized hands-on learning exercises. Accordingly, learners can learn and practice the WAS training content online with learning assistance provided by the hands-on learning system. The hands-on abilities of the learners can be efficiently assessed by the hands-on testing system using online exams with progressive hints and automatic grading. Furthermore, to improve the effectiveness of teaching and testing, a portfolio analysis scheme using a data mining technique was developed to identify learning barriers and problematic test items. WebHOLE was applied to an actual beginner-level WAS course for undergraduate students. The experimental results showed the benefits of WebHOLE on WAS learning, with a significant improvement in learning outcomes. Students expressed high satisfaction with WebHOLE's learning assistance, rating it with average satisfaction scores above 4.0 out of 5.0. The portfolio analysis scheme also showed the effectiveness of WebHOLE in identifying learning problems and refining test items. [ABSTRACT FROM AUTHOR]
- Published: 2024
- Full Text
8. Survey on detecting and preventing web application broken access control attacks.
- Author: Anas, Ahmed, Elgamal, Salwa, and Youssef, Basheer
- Abstract
Web applications are an essential component of the current wide range of digital service propositions, including financial and governmental services as well as social networking and communications. Broken access control vulnerabilities pose a huge risk to that ecosystem because they allow the attacker to circumvent the allocated permissions and rights and perform actions that he is not authorized to perform. This paper gives a broad survey of the current research progress on approaches used to detect access control vulnerability exploitations and attacks in web application components. It categorizes these approaches based on their key techniques and compares the different detection methods in addition to evaluating their strengths and weaknesses. We also spotted and elaborated on some exciting research gaps found in the current literature. Finally, the paper summarizes the general detection approaches and suggests potential research directions for the future. [ABSTRACT FROM AUTHOR]
- Published: 2024
- Full Text
9. Modified Parse-Tree Based Pattern Extraction Approach for Detecting SQLIA Using Neural Network Model.
- Author: A., Meharaj Begum and Arock, Michael
- Subjects: TIME complexity, REPRESENTATIONS of graphs, SQL, WEB-based user interfaces, COMPLETE graphs, FEATURE extraction
- Abstract
Whatever malware protection is upcoming, data are still prone to cyber-attacks. The most threatening Structured Query Language Injection Attack (SQLIA) happens at the database layer of web applications, leading to unlimited and unauthorized access to confidential information through malicious code injection. Since feature extraction accuracy significantly influences detection results, extracting the features of a query that predominantly contribute to SQL Injection (SQLI) is the most challenging task for researchers. So, the proposed work primarily focuses on that using a modified parse-tree representation. Some existing techniques used graph representation to identify characteristics of the query based on a predefined fixed list of SQL keywords. As the complete graph representation requires high time complexity for traversals due to the unnecessary links, a modified parse tree of tokens is proposed here with restricted links between operators (internal nodes) and operands (leaf nodes) of the WHERE clause. Tree siblings from the leaf nodes comprise the WHERE clause operands, where the attackers try to manipulate the conditions to be true for all cases. A novelty of this work is identifying patterns of legitimate and injected queries from the proposed modified parse tree and applying a pattern-based neural network (NN) model for detecting attacks. The proposed approach is applied in various machine learning (ML) models and a neural network model, the Multi-Layer Perceptron (MLP). With the scrupulously extracted patterns and their importance (weights) in legitimate and injected queries, the MLP model provides better results in terms of accuracy (97.85%), precision (93.8%), F1-Score (96%), and AUC (97.8%). [ABSTRACT FROM AUTHOR]
- Published: 2024
- Full Text
10. Enhancing Security of Web-Based IoT Services via XSS Vulnerability Detection †.
- Author: Kim, Jemin and Park, Joonseok
- Subjects: INTERNET of things, WEB-based user interfaces, WEB services, FALSE alarms, MONITOR alarms (Medicine), SECURITY management
- Abstract
The Internet of Things (IoT) technology is experiencing significant growth and integration into various aspects of daily life. With the rising number of connected devices, diverse security challenges are emerging as substantial threats to IoT. Cross-Site Scripting (XSS) is one of the major security risks in web services and thus also within the application layer of IoT. Many existing web applications remain susceptible to XSS vulnerabilities. In this paper, we propose an XSS detection scheme aimed at enhancing the security of IoT, particularly concerning web application services. To achieve this, we developed a framework combining symbolic execution and dynamic taint analysis to provide a comprehensive security assessment. Our objective is to increase the ratio of vulnerability detection while avoiding false alarms and keeping the required analysis time minimal. To realize our idea, we have defined an instrumentation scheme for taint analysis and concolic execution and automated the process of vulnerability detection for a web application. Our framework is capable of pinpointing the precise locations of security vulnerabilities and the exact input datasets at risk of XSS threats. Subsequently, the detected flaws can be easily removed. The experimental results demonstrate the validity of the proposed scheme. We achieved a detection rate of XSS threats of 90.62% using a test set of SecuriBench Micro and 69.11% using OWASP while showing 0% false positives. [ABSTRACT FROM AUTHOR]
- Published: 2023
- Full Text
11. An Alternative Static Taint Analysis Framework to Detect PHP Web Shell-Based Web Attacks.
- Author: Suwais, Khaled, Hnaif, Adnan A., and Almanasra, Sally
- Subjects: FLOWGRAPHS, SOURCE code, WEB-based user interfaces, INTERNET servers, DATA modeling, SYNTAX (Grammar)
- Abstract
Web shell attacks through malicious PHP scripts allow attackers to execute system commands remotely and take control of web servers. Most existing PHP shell detection methods rely on signature matching, which can be evaded by obfuscation. This paper proposes an alternative static taint analysis framework to detect PHP web shell attacks by modeling data flows from untrusted inputs to sensitive sinks. The proposed web shell attack detector takes PHP source code as input and performs a staged analysis, including lexical analysis to tokenize the code, syntactic analysis to generate a parse tree, semantic analysis to extract variables and functions into a dependency control flow graph (D-CFG), dataflow analysis to track taint through the D-CFG and identify flows from untrusted sources like $_GET to sinks like shell commands, and evaluation to compare identified flows to known malicious patterns and check for indications of a web shell attack. Each stage builds on the previous one, and the whole process aims at reliably detecting PHP web shell threats through static taint analysis of program flows from origin to system execution. It conducts a hybrid analysis using lexical, syntactic, and semantic analysis of the abstract syntax tree. Static taint analysis is a program analysis technique used to identify how untrusted data propagates through a codebase without executing the program. Also, static taint analysis helps find security issues by modeling how untrusted inputs interact with critical operations via static code inspection rather than dynamic execution. Results on a PHP web shells dataset showed that our framework could achieve 95% recall and 90% precision, outperforming existing static and dynamic analysis methods. The approach also had fewer false positives than signature-based methods. The evaluation demonstrates the framework's capabilities in precisely detecting web shell attacks with high accuracy. [ABSTRACT FROM AUTHOR]
- Published: 2023
- Full Text
12. A Study on Written Communication About Client-Side Web Security
- Author: Rauti, Sampsa, Laato, Samuli, Farooq, Ali, Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, Abraham, Ajith, editor, Hong, Tzung-Pei, editor, Kotecha, Ketan, editor, Ma, Kun, editor, Manghirmalani Mishra, Pooja, editor, and Gandhi, Niketa, editor
- Published: 2023
- Full Text
13. Generating Human-Like Motion to Defeat Interaction-Based CAPTCHAs
- Author: Moore, Matthew, Walcott, Kristen R., Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, and Arai, Kohei, editor
- Published: 2023
- Full Text
14. A Metamodel for Web Application Security Evaluation
- Author: Shao-Fang Wen
- Subjects: software security, web application security, security evaluation, owasp, Telecommunication, TK5101-6720
- Abstract
In the digital era, web applications have become a prevalent tool for businesses. As the number of web applications continues to grow, they become enticing targets for malicious actors seeking to exploit potential security vulnerabilities. Organizations face constant risks associated with vulnerabilities in their web-based software systems, which can result in data breaches, service disruptions, and a loss of trust. Consequently, organizations require an effective and efficient approach to assess and analyze the security of acquired web-based software, ensuring sufficient confidence in its utilization. This research aims to enhance the quantitative evaluation and analysis of web application security through a model-based approach. We focus on integrating the Open Web Application Security Project's (OWASP) Application Security Verification Standard (ASVS) into a structured and analyzable metamodel. This model aims to effectively assess the security levels of web applications while offering valuable insights into their strengths and weaknesses. By combining the ASVS with a comprehensive framework, we aim to provide a robust methodology for evaluating and analyzing web application security.
- Published: 2023
- Full Text
15. Towards an intrusion detection system for detecting web attacks based on an ensemble of filter feature selection techniques.
- Author: Kshirsagar, Deepak and Kumar, Sandeep
- Subjects: FEATURE selection, MACHINE learning, INTRUSION detection systems (Computer security)
- Abstract
The use of machine learning models in intrusion detection systems (IDSs) takes more time to build the model with many features and degrades the performance. The present paper proposes an ensemble of filter feature selection techniques (EFFST) to obtain a significant feature subset for web attack detection by selecting a one-fourth split of the ranked features. The experimentation on the CICIDS 2017 dataset shows that the proposed EFFST method provides a detection rate of 99.9909% with J48 using 24 features. The system's performance is compared to the original features and traditional relevant feature selection methods employed in IDSs. [ABSTRACT FROM AUTHOR]
- Published: 2023
- Full Text
16. Vulnerability Scanner: Web-based Security Testing.
- Author: ANDRONESCU, Andrei-Daniel, BRĂSLAȘU, Ioana-Ilona, and NĂSTAC, Dumitru-Iulian
- Subjects: INTERNET security, TECHNOLOGICAL innovations, COMPUTER software, COMPUTER crimes, WEB-based user interfaces
- Abstract
As the use of internet-based software has increased, cybersecurity has emerged as a major issue in the current world. Fast-paced technology innovations have allowed most companies to scale their business and consumers to access their favorite products more easily, thus increasing the reliance on web-based software. The importance of web security cannot be emphasized enough given the increase in cybercrime and the damage it poses to businesses, people, and governments. This paper proposes an automated solution capable of detecting and exploiting common vulnerabilities found in web-based software, this being done without performing any maliciously intended operations. By using software capable of automatically detecting the means by which a client could communicate with a server, users can ensure that a thorough verification is done on their web applications, revealing the blind spots that developers may have overlooked. [ABSTRACT FROM AUTHOR]
- Published: 2023
17. Machine and Deep Learning-based XSS Detection Approaches: A Systematic Literature Review
- Author: Isam Kareem Thajeel, Khairulmizam Samsudin, Shaiful Jahari Hashim, and Fazirulhisyam Hashim
- Subjects: Cross-site scripting (XSS) attacks, Web application security, Cybersecurity, Machine learning, Deep learning, Electronic computers. Computer science, QA75.5-76.95
- Abstract
Web applications are paramount tools for facilitating service provision in the modern world. Unfortunately, the tremendous growth in web application usage has resulted in a rise in cyberattacks. Cross-site scripting (XSS) is one of the most frequent cyber security attack vectors, threatening the end user as well as the service provider with the same degree of severity. Recently, there has been an obvious increase in the adoption of machine learning and deep learning (ML/DL) techniques in XSS attack detection. The goal of this review is to give special attention to and highlight machine learning and deep learning approaches. Thus, in this paper, we present a review of recent advances in applying ML/DL to XSS attack detection and classification. The existing proposed ML/DL approaches for XSS attack detection are analyzed and taxonomized comprehensively in terms of domain areas, data preprocessing, feature extraction, feature selection, dimensionality reduction, data imbalance, performance metrics, datasets, and data types. Our analysis reveals that the way the XSS data is preprocessed considerably impacts the performance of the attack detection models. Proposing a full preprocessing cycle reveals how various ML/DL approaches for XSS attack detection take advantage of different input data preprocessing techniques. The most used ML/DL and preprocessing stages have also been identified. The limitations of existing ML/DL-based XSS attack detection mechanisms are highlighted to identify the potential gaps and future trends.
- Published: 2023
- Full Text
18. Server-Side Cross-Site Scripting Detection Powered by HTML Semantic Parsing Inspired by XSS Auditor.
- Author: Pardomuan, Chrisando Ryan, Kurniawan, Aditya, Darus, Mohamad Yusof, Mohd Ariffin, Muhammad Azizi, and Muliono, Yohan
- Subjects: PARSING (Computer grammar), WEB-based user interfaces, HTTP (Computer network protocol), AUDITORS, DATABASES, SECURITY systems
- Abstract
Cross-site Scripting attacks have been a perennial threat to web applications for many years. Conventional practices to prevent cross-site scripting attacks revolve around secure programming and client-side prevention techniques. However, client-side preventions are still prone to bypasses as the inspection is done in the user's browser, so an adversary can alter the inspection algorithm to come up with bypasses or even manipulate the victim into turning off the security measures. This decreases the effectiveness of the protection and leads to many web applications still being vulnerable to cross-site scripting attacks. We believe that XSS Auditor, which was pre-installed in the Google Chrome browser for more than 9 years, is a great approach to combating and preventing XSS attacks. Hence, in this paper, we proposed a novel approach to thoroughly identify two types of cross-site scripting attacks through a server-side filter implementation. Our proposed approach follows the original XSS Auditor mechanism implemented in Google Chrome. However, instead of placing the detection system on the client side, we design a detection mechanism that checks HTTP requests and responses as well as database responses for possible XSS attacks from the server side. Of 500 payloads used to evaluate the proposed method, 442 payloads were classified correctly, thus showing that the proposed method was able to reach 88.4% accuracy. This work showed that the proposed approach is very promising in protecting users from devastating Cross-site Scripting attacks. [ABSTRACT FROM AUTHOR]
- Published: 2023
- Full Text
19. OblivSend: Secure and Ephemeral File Sharing Services with Oblivious Expiration Control
- Author: Shen, Yanjun, Yu, Bin, Lai, Shangqi, Yuan, Xingliang, Sun, Shi-Feng, Liu, Joseph K., Nepal, Surya, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Susilo, Willy, editor, Chen, Xiaofeng, editor, Guo, Fuchun, editor, Zhang, Yudi, editor, and Intan, Rolly, editor
- Published: 2022
- Full Text
20. An Approach to Generate Realistic HTTP Parameters for Application Layer Deception
- Author: Sahin, Merve, Hébert, Cédric, Cabrera Lozoya, Rocio, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Ateniese, Giuseppe, editor, and Venturi, Daniele, editor
- Published: 2022
- Full Text
21. Prevention of SQL Injection Attacks Using Cryptography and Pattern Matching
- Author: Madhusudhan, R., Ahsan, Mohammad, Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, Barolli, Leonard, editor, Hussain, Farookh, editor, and Enokido, Tomoya, editor
- Published: 2022
- Full Text
22. Code Injection Prevention in Content Management Systems Using Machine Learning
- Author: Kavithamani, C., Subramanian, R. S. Sankara, Krishnamurthy, Srinevasan, Chathu, Jayakrishnan, Iyer, Gayatri, Kacprzyk, Janusz, Series Editor, Pal, Nikhil R., Advisory Editor, Bello Perez, Rafael, Advisory Editor, Corchado, Emilio S., Advisory Editor, Hagras, Hani, Advisory Editor, Kóczy, László T., Advisory Editor, Kreinovich, Vladik, Advisory Editor, Lin, Chin-Teng, Advisory Editor, Lu, Jie, Advisory Editor, Melin, Patricia, Advisory Editor, Nedjah, Nadia, Advisory Editor, Nguyen, Ngoc Thanh, Advisory Editor, Wang, Jun, Advisory Editor, Smys, S., editor, Tavares, João Manuel R. S., editor, and Balas, Valentina Emilia, editor
- Published: 2022
- Full Text
23. Effective and scalable black-box fuzzing approach for modern web applications
- Author: Aseel Alsaedi, Abeer Alhuzali, and Omaimah Bamasag
- Subjects: Black-box fuzzing, Web application security, Dynamic features, Vulnerability analysis, Dynamic analysis, Constraint solving, Electronic computers. Computer science, QA75.5-76.95
- Abstract
Web applications’ security is critical because we share sensitive data through them frequently, which attracts attackers who exploit their vulnerabilities. Detecting and exploiting such vulnerabilities automatically is challenging because of the applications’ increasing complexity and strong dependence upon dynamic features such as JavaScript. In this paper, we propose an approach that addresses the difficulties presented in web applications by using dynamic analysis techniques in a black-box fashion to explore applications’ space. It also performs a client-side validation analysis to increase the coverage and therefore, identify more vulnerabilities. We implemented our approach with a tool and evaluated its effectiveness using real-world web applications. Our system discovered 207 unique URLs, submitted 102 web forms successfully, and exploited 32 vulnerabilities automatically. A detailed comparison of state-of-the-art black-box fuzzing approaches showed that our system exceeds them in coverage, the number of vulnerabilities detected, and performance.
- Published: 2022
- Full Text
24. SECURITY STANDARDS FOR WEB APPLICATIONS.
- Author: AJVAZI, Grela, IDRIZI, Florim, MEMETI, Agon, and VESELI, Bleran
- Subjects: WEB-based user interfaces, COMPUTER hacking, COMPUTER programming, COMPUTER software development, COMPUTER software
- Abstract
Application security refers to security measures used at the application level to protect against stealing or hacking of data or program code. It includes security considerations that take place throughout application development and design, as well as systems and methods to protect apps after they are put into use. Like any software, web applications inherently have issues. Some of these issues represent genuine vulnerabilities that can be used against organizations. Security for web applications guards against these defects. It entails utilizing secure development methodologies and putting security controls in place at every stage of the software development life cycle (SDLC), making sure that both implementation- and design-level bugs are fixed. Development teams must follow web application security standards to defend software organizations from attack, as online applications are currently the number one target of proven security breaches. In this article, I'll attempt to explain how web application security works and what developers truly need to do to create secure applications that allow users to enter any data. We will also highlight certain standards that have been developed by various security organizations that have attempted to develop a safe online application in order to make it as simple as possible to comprehend the security of web apps. [ABSTRACT FROM AUTHOR]
- Published: 2023
25. Dynamic feature selection model for adaptive cross site scripting attack detection using developed multi-agent deep Q learning model
- Author: Isam Kareem Thajeel, Khairulmizam Samsudin, Shaiful Jahari Hashim, and Fazirulhisyam Hashim
- Subjects: Cross-Site Scripting (XSS) Attack, Web Application Security, Feature Drift, Dynamic Feature Selection, Multi-agent Reinforcement Learning, Electronic computers. Computer science, QA75.5-76.95
- Abstract
Web applications' popularity has raised attention in various service domains, which has increased the concern about cyber-attacks. One of the most serious and frequent web application attacks is the Cross-site scripting (XSS) attack. It causes grievous harm to victims. Existing security methods against XSS fail due to the evolving nature of XSS attacks. One evolving aspect of XSS attacks is feature drift, which changes the feature relevancy and causes degradation in the performance. Unfortunately, dynamic awareness of drift occurrence is missing. Thus, this study attempts to fill the gap by proposing a feature drift-aware algorithm for detecting evolved XSS attacks. The proposed approach is a dynamic feature selection based on a deep Q-network multi-agent feature selection (DQN-MAFS) framework. Each agent is associated with one feature and is responsible for selecting or deselecting its feature. DQN-MAFS provides a sub-model for reward distribution over agents, which is named fair agent reward distribution based dynamic feature selection (FARD-DFS). This framework is capable of supporting real-time, dynamic updates and adjustment of embedded knowledge as long as new labelled data arrives. DQN-MAFS has been evaluated using four real XSS attack datasets with various feature length sizes. The evaluation process was conducted and compared with state-of-the-art works. The obtained results show the superiority of our FARD-DFS over the benchmarks in terms of the majority of metrics. The improvement percentages of the mean accuracy and F1-measure ranged from 1.01% to 12.1% and from 0.55% to 6.88%, respectively, in comparison with the benchmarks. This approach can be deployed as an autonomous detection system without the need for any offline retraining process of the model to detect evolved XSS attacks.
- Published: 2023
- Full Text
26. Enhancing Security of Web-Based IoT Services via XSS Vulnerability Detection
- Author: Jemin Kim and Joonseok Park
- Subjects: Internet of Things (IoT), application layer, web application security, Cross-Site Scripting (XSS), dynamic taint analysis, concolic execution, Chemical technology, TP1-1185
- Abstract
The Internet of Things (IoT) technology is experiencing significant growth and integration into various aspects of daily life. With the rising number of connected devices, diverse security challenges are emerging as substantial threats to IoT. Cross-Site Scripting (XSS) is one of the major security risks in web services and thus also within the application layer of IoT. Many existing web applications remain susceptible to XSS vulnerabilities. In this paper, we propose an XSS detection scheme aimed at enhancing the security of IoT, particularly concerning web application services. To achieve this, we developed a framework combining symbolic execution and dynamic taint analysis to provide a comprehensive security assessment. Our objective is to increase the ratio of vulnerability detection while avoiding false alarms and keeping the required analysis time minimal. To realize our idea, we have defined an instrumentation scheme for taint analysis and concolic execution and automated the process of vulnerability detection for a web application. Our framework is capable of pinpointing the precise locations of security vulnerabilities and the exact input datasets at risk of XSS threats. Subsequently, the detected flaws can be easily removed. The experimental results demonstrate the validity of the proposed scheme. We achieved a detection rate of XSS threats of 90.62% using a test set of SecuriBench Micro and 69.11% using OWASP while showing 0% false positives.
- Published: 2023
- Full Text
27. Effective and scalable black-box fuzzing approach for modern web applications.
- Author
-
Alsaedi, Aseel, Alhuzali, Abeer, and Bamasag, Omaimah
- Subjects
WEB-based user interfaces
- Abstract
Web applications' security is critical because we share sensitive data through them frequently, which attracts attackers who exploit their vulnerabilities. Detecting and exploiting such vulnerabilities automatically is challenging because of the applications' increasing complexity and strong dependence upon dynamic features such as JavaScript. In this paper, we propose an approach that addresses the difficulties presented in web applications by using dynamic analysis techniques in a black-box fashion to explore applications' space. It also performs a client-side validation analysis to increase the coverage and therefore, identify more vulnerabilities. We implemented our approach with a tool and evaluated its effectiveness using real-world web applications. Our system discovered 207 unique URLs, submitted 102 web forms successfully, and exploited 32 vulnerabilities automatically. A detailed comparison of state-of-the-art black-box fuzzing approaches showed that our system exceeds them in coverage, the number of vulnerabilities detected, and performance. [ABSTRACT FROM AUTHOR]
- Published
- 2022
- Full Text
- View/download PDF
28. Count vectorizer model based web application vulnerability detection using artificial intelligence approach.
- Author
-
Manjunatha, K. M. and Kempanna, M.
- Subjects
WEB-based user interfaces, XML (Extensible Markup Language), SURGICAL gloves, ARTIFICIAL intelligence, MACHINE learning, NATURAL language processing, RANDOM forest algorithms, DECISION trees
- Abstract
A web application is a dynamic, intricate, and interactive program that provides end-users with information and services such as utility payments, online communication, e-learning, socializing, shopping, online banking, and income tax filing, etc. Web applications have become a major target for attackers due to their accessibility, availability, and ubiquity. Web application vulnerabilities are hazardous for some reasons. Attackers can harm an organization's image and status. The implementation flaws in web applications allow the invader to infuse user input that violates the syntax-based assembly of the query or to infuse malicious code, etc. Among various types of injection flaws, SQL injection (SQLI) is more prominent than XML injection; both are considered common application-layer web attacks, which allow the attacker to bypass security mechanisms; therefore, these two are ranked as the most common vulnerabilities. Hence, a methodology for detecting and evaluating both SQLI and XML vulnerabilities in web applications is considered for research. This research work addresses the above-mentioned flaws and proposes an Ensemble Method to classify Structured Query Language injection vulnerabilities. We selected a benchmark dataset with 33,758 rows containing various types of SQL and XML injection attacks. Raw data is preprocessed to remove artifacts, and then feature engineering is performed using Natural Language Processing techniques to clean the data and extract 6 types of features such as TF-IDF, Word-to-Vector, SkipGram, Count Vectorizer, GloVe and Continuous Bag of Words. Imbalanced data is handled using sampling techniques, and the best features are selected using 4 types of validation techniques: Significance Test, PCA, Variance Threshold and Sbest. Prepared data is provided to an Ensemble Model having two stages. Stage-2 accepts a URL from the user and detects the presence of susceptibility in the subdomains and domains. Stage-1 has 9 different types of machine learning models (Multinomial, Gaussian and Bernoulli Naive Bayes, Logistic Regression, Decision Tree, Random Forest, AdaBoost, and SVC with poly, rbf and linear kernels); these models are trained on additional vectors such as Google News and GloVe to detect whether a new query, either SQL or XML, shows the presence or absence of vulnerability. The proposed ensemble approach obtained an accuracy of 99%. [ABSTRACT FROM AUTHOR]
- Published
- 2022
- Full Text
- View/download PDF
29. Security testing of web applications: A systematic mapping of the literature.
- Author
-
Aydos, Murat, Aldan, Çiğdem, Coşkun, Evren, and Soydan, Alperen
- Subjects
WEB-based user interfaces, SECURITY management, REQUIREMENTS engineering, INTERNET research, LITERARY form, CONFORMANCE testing
- Abstract
Web application security is a main component of any web-based business. Web applications are subject to attacks from different locations at various levels of scale and complexity. In this context, a large number of testing techniques, tools and frameworks have been proposed by both practitioners and researchers to effectively and efficiently test the security of web applications. As the number of papers on the security of web applications increases and this research area matures, reviewing and getting an overview of this area is getting challenging for a practitioner or a new researcher. Our objective is to summarize the state of the art in web application security testing, which could benefit practitioners who want to utilize that information. We review and structure the body of knowledge related to web application security testing in the form of a systematic literature mapping (SLM). As part of this study, we pose four sets of research questions, define selection and exclusion criteria, and systematically develop and refine a classification schema. The initial pool consisted of 154 articles. Systematic voting was conducted among the authors regarding the inclusion/exclusion of articles. As a result, there were 80 technical articles in our final pool. In accordance with our inclusion and exclusion criteria, the first article was published in 2005, and this review includes all the papers until the end of 2020. The search phase was conducted during December 2020, January and February 2021. This review paper provides an overview of web application security testing with different focused headings. These headings cover contribution types, web security testing tools and their sub-features, questions/features specific to security testing such as vulnerability types, system under test (SUT) focused headings and more. The results of this study would benefit researchers working on web application security testing. Also, it could be useful for developers who discuss application security while they develop web applications. Thanks to this paper, these researchers could utilize all the results and use them to catch the trend of web application security testing and secure development. [ABSTRACT FROM AUTHOR]
- Published
- 2022
- Full Text
- View/download PDF
30. SQL injection attack: Detection, prioritization & prevention.
- Author
-
Paul, Alan, Sharma, Vishal, and Olukoya, Oluwafemi
- Subjects
WEB-based user interfaces, DIGITAL technology, ROCKET payloads, ALGORITHMS, ALGEBRA
- Abstract
Web applications have become central in the digital landscape, providing users instant access to information and allowing businesses to expand their reach. Injection attacks, such as SQL injection (SQLi), are prominent attacks on web applications, given that most web applications integrate a database system. While there have been solutions proposed in the literature for SQLi attack detection using learning-based frameworks, the problem is often formulated as a binary, single-attack vector problem without considering the prioritization and prevention component of the attack. In this work, we propose a holistic solution, SQLR34P3R, that formulates the SQLi attack as a multi-class, multi-attack vector, prioritization, and prevention problem. For attack detection and classification, we gathered 457,233 samples of benign and malicious network traffic, as well as 70,023 samples that had SQLi and benign payloads. After evaluating several machine-learning-based algorithms, the hybrid CNN-LSTM models achieve an average F1-Score of 97% in web and network traffic filtering. Furthermore, by using CVEs of SQLi vulnerabilities, SQLR34P3R incorporates a novel risk analysis approach which reduces additional effort while maintaining reasonable coverage to assist businesses in allocating resources effectively by focusing on patching vulnerabilities with high exploitability. We also present an in-the-wild evaluation of the proposed solution by integrating SQLR34P3R into the pipeline of known vulnerable web applications such as Damn Vulnerable Web Application (DVWA) and Vulnado and via network traffic captured using Wireshark from SQLi DNS exfiltration conducted with SQLMap for real-time detection. Finally, we provide a comparative analysis with state-of-the-art SQLi attack detection and risk ratings solutions. [ABSTRACT FROM AUTHOR]
- Published
- 2024
- Full Text
- View/download PDF
31. Evolving Rules for Detecting Cross-Site Scripting Attacks Using Genetic Programming
- Author
-
Alyasiri, Hasanen, Filipe, Joaquim, Editorial Board Member, Ghosh, Ashish, Editorial Board Member, Prates, Raquel Oliveira, Editorial Board Member, Zhou, Lizhu, Editorial Board Member, Anbar, Mohammed, editor, Abdullah, Nibras, editor, and Manickam, Selvakumar, editor
- Published
- 2021
- Full Text
- View/download PDF
32. Automatic Detection of Security Misconfigurations in Web Applications
- Author
-
Kumi, Sandra, Lim, ChaeHo, Lee, Sang-Gon, Oktian, Yustus Oko, Witanto, Elizabeth Nathania, Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, Pattnaik, Prasant Kumar, editor, Sain, Mangal, editor, Al-Absi, Ahmed A., editor, and Kumar, Pardeep, editor
- Published
- 2021
- Full Text
- View/download PDF
33. Neither Good nor Bad: A Large-Scale Empirical Analysis of HTTP Security Response Headers
- Author
-
Karopoulos, Georgios, Geneiatakis, Dimitris, Kambourakis, Georgios, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Fischer-Hübner, Simone, editor, Lambrinoudakis, Costas, editor, Kotsis, Gabriele, editor, Tjoa, A Min, editor, and Khalil, Ismail, editor
- Published
- 2021
- Full Text
- View/download PDF
34. Web Attack Detection Based on User Behaviour Semantics
- Author
-
Zhang, Yunyi, Lu, Jintian, Jin, Shuyuan, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, and Qiu, Meikang, editor
- Published
- 2020
- Full Text
- View/download PDF
35. An Educational Intervention for Teaching Secure Coding Practices
- Author
-
Mdunyelwa, Vuyolwethu, Futcher, Lynn, van Niekerk, Johan, Rannenberg, Kai, Editor-in-Chief, Sakarovitch, Jacques, Editorial Board Member, Goedicke, Michael, Editorial Board Member, Tatnall, Arthur, Editorial Board Member, Neuhold, Erich J., Editorial Board Member, Pras, Aiko, Editorial Board Member, Tröltzsch, Fredi, Editorial Board Member, Pries-Heje, Jan, Editorial Board Member, Kreps, David, Editorial Board Member, Reis, Ricardo, Editorial Board Member, Furnell, Steven, Editorial Board Member, Furbach, Ulrich, Editorial Board Member, Winckler, Marco, Editorial Board Member, Malaka, Rainer, Editorial Board Member, Drevin, Lynette, editor, and Theocharidou, Marianthi, editor
- Published
- 2019
- Full Text
- View/download PDF
36. Relating Vulnerability and Security Service Points for Web Application Through Penetration Testing
- Author
-
Kachhwaha, Rajendra, Purohit, Rajesh, Kacprzyk, Janusz, Series Editor, Pal, Nikhil R., Advisory Editor, Bello Perez, Rafael, Advisory Editor, Corchado, Emilio S., Advisory Editor, Hagras, Hani, Advisory Editor, Kóczy, László T., Advisory Editor, Kreinovich, Vladik, Advisory Editor, Lin, Chin-Teng, Advisory Editor, Lu, Jie, Advisory Editor, Melin, Patricia, Advisory Editor, Nedjah, Nadia, Advisory Editor, Nguyen, Ngoc Thanh, Advisory Editor, Wang, Jun, Advisory Editor, Panigrahi, Chhabi Rani, editor, Pujari, Arun K., editor, Misra, Sudip, editor, Pati, Bibudhendu, editor, and Li, Kuan-Ching, editor
- Published
- 2019
- Full Text
- View/download PDF
37. Combating Clickjacking Using Content Security Policy and Aspect Oriented Programming
- Author
-
Sinha, Rakhi, Uppal, Dolly, Rathi, Rakesh, Kanwar, Kushal, Kacprzyk, Janusz, Series editor, Pal, Nikhil R., Advisory editor, Bello Perez, Rafael, Advisory editor, Corchado, Emilio S., Advisory editor, Hagras, Hani, Advisory editor, Kóczy, László T., Advisory editor, Kreinovich, Vladik, Advisory editor, Lin, Chin-Teng, Advisory editor, Lu, Jie, Advisory editor, Melin, Patricia, Advisory editor, Nedjah, Nadia, Advisory editor, Nguyen, Ngoc Thanh, Advisory editor, Wang, Jun, Advisory editor, Bhatia, Sanjiv K., editor, Mishra, Krishn K., editor, Tiwari, Shailesh, editor, and Singh, Vivek Kumar, editor
- Published
- 2018
- Full Text
- View/download PDF
38. XSS Attack Prevention Using DOM-Based Filter
- Author
-
Dalai, Asish Kumar, Ankush, Shende Dinesh, Jena, Sanjay Kumar, Kacprzyk, Janusz, Series editor, Pal, Nikhil R., Advisory editor, Bello Perez, Rafael, Advisory editor, Corchado, Emilio S., Advisory editor, Hagras, Hani, Advisory editor, Kóczy, László T., Advisory editor, Kreinovich, Vladik, Advisory editor, Lin, Chin-Teng, Advisory editor, Lu, Jie, Advisory editor, Melin, Patricia, Advisory editor, Nedjah, Nadia, Advisory editor, Nguyen, Ngoc Thanh, Advisory editor, Wang, Jun, Advisory editor, Sa, Pankaj Kumar, editor, Sahoo, Manmath Narayan, editor, Murugappan, M., editor, Wu, Yulei, editor, and Majhi, Banshidhar, editor
- Published
- 2018
- Full Text
- View/download PDF
39. PostScript Undead: Pwning the Web with a 35 Years Old Language
- Author
-
Müller, Jens, Mladenov, Vladislav, Felsch, Dennis, Schwenk, Jörg, Hutchison, David, Series Editor, Kanade, Takeo, Series Editor, Kittler, Josef, Series Editor, Kleinberg, Jon M., Series Editor, Mattern, Friedemann, Series Editor, Mitchell, John C., Series Editor, Naor, Moni, Series Editor, Pandu Rangan, C., Series Editor, Steffen, Bernhard, Series Editor, Terzopoulos, Demetri, Series Editor, Tygar, Doug, Series Editor, Weikum, Gerhard, Series Editor, Bailey, Michael, editor, Holz, Thorsten, editor, Stamatogiannakis, Manolis, editor, and Ioannidis, Sotiris, editor
- Published
- 2018
- Full Text
- View/download PDF
40. MLPXSS: An Integrated XSS-Based Attack Detection Scheme in Web Applications Using Multilayer Perceptron Technique
- Author
-
Fawaz Mahiuob Mohammed Mokbal, Wang Dan, Azhar Imran, Lin Jiuchuan, Faheem Akhtar, and Wang Xiaoxi
- Subjects
Artificial neural network, cross-site scripting attack, detection, multilayer perceptrons, web application security, Electrical engineering. Electronics. Nuclear engineering, TK1-9971
- Abstract
Dynamic web applications play a vital role in providing resource manipulation and interaction between clients and servers. The features presently supported by browsers have raised business opportunities by supplying high interactivity in web-based services, like web banking, e-commerce, social networking, and forums; at the same time, these features have brought serious risks and increased vulnerabilities in web applications that enable cyber-attacks to be executed. One of the common high-risk cyber-attacks on web application vulnerabilities is cross-site scripting (XSS). Nowadays, XSS is still dramatically increasing and is considered one of the most severe threats for organizations, users, and developers. If the ploy is successful, the victim is at the mercy of the cybercriminals. In this research, a robust artificial neural network-based multilayer perceptron (MLP) scheme integrated with a dynamic feature extractor is proposed for XSS attack detection. The detection scheme adopts a large real-world dataset, the dynamic feature extraction mechanism, and the MLP model, which successfully surpassed several tests on an employed unique dataset under careful experimentation, and achieved promising and state-of-the-art results with accuracy, detection probability, false positive rate, and AUC-ROC scores of 99.32%, 98.35%, 0.3%, and 99.02%, respectively. Therefore, it has the potential to be applied for XSS-based attack detection on either the client side or the server side.
- Published
- 2019
- Full Text
- View/download PDF
41. Security of Web Application: State of the Art : Research Theories and Industrial Practices
- Author
-
Rehman, Habib ur, Nazir, Mohammed, Mustafa, Khurram, Barbosa, Simone Diniz Junqueira, Series editor, Chen, Phoebe, Series editor, Filipe, Joaquim, Series editor, Kotenko, Igor, Series editor, Sivalingam, Krishna M., Series editor, Washio, Takashi, Series editor, Yuan, Junsong, Series editor, Zhou, Lizhu, Series editor, Kaushik, Saroj, editor, Gupta, Daya, editor, Kharb, Latika, editor, and Chahal, Deepak, editor
- Published
- 2017
- Full Text
- View/download PDF
42. Development and Application of a Methodology for the Scope Expansion Process in Web Application Penetration Tests (original title: Web Uygulama Sızma Testlerinde Kapsam Genişletme İşlemi İçin Metodoloji Geliştirilmesi ve Uygulanması).
- Author
-
YALÇINKAYA, Mehmet Ali and KÜÇÜKSİLLE, Ecir Uğur
- Abstract
Nowadays, all institutions and organizations serving in different fields use web applications effectively in order to reach the masses, serve faster and provide more effective services. The widespread use of web applications has led to a significant increase in the number and type of attacks on these applications. Due to the serious damage caused by the attacks, institutions and organizations subject their web applications to penetration tests periodically. In penetration tests, experts check for the presence of various vulnerabilities in web applications. In penetration tests performed on web applications, experts are often given a single URL address and are asked to perform their tests based on this URL. In this study, a scoping tool has been developed that creates a list of URL addresses to be scanned during testing, using different sources and methods, according to user preferences. The developed tool was compared with 6 different tools actively used to determine the scope of the test in web application infiltration tests, and it was seen that it collected the maximum number of URL addresses together with the Httrack tool. The developed tool presents a more modular and comprehensive scan facility than many of the vulnerability scanners used in the literature, thanks to the scope scanning modules in different modes. [ABSTRACT FROM AUTHOR]
- Published
- 2021
- Full Text
- View/download PDF
43. Cross Channel Scripting and Code Injection Attacks on Web and Cloud-Based Applications: A Comprehensive Review
- Author
-
Indushree M, Manjit Kaur, Manish Raj, Shashidhara R, and Heung-No Lee
- Subjects
cross channel scripting, attack vector, scanners, web application security, XSS, Chemical technology, TP1-1185
- Abstract
Cross channel scripting (XCS) is a common web application vulnerability, which is a variant of a cross-site scripting (XSS) attack. An XCS attack vector can be injected through network protocols and smart devices that have web interfaces, such as routers, photo frames, and cameras. In this attack scenario, the network devices allow the web administrator to carry out various functions related to accessing the web content from the server. After the injection of malicious code into web interfaces, XCS attack vectors can be exploited in the client browser. In addition, scripted content can be injected into the networked devices through various protocols, such as network file system, file transfer protocol (FTP), and simple mail transfer protocol. In this paper, various computational techniques deployed at the client and server sides for XCS detection and mitigation are analyzed. Various web application scanners have been discussed along with their specific features. Various computational tools and approaches with their respective characteristics are also discussed. Finally, shortcomings and future directions related to the existing computational techniques for XCS are presented.
- Published
- 2022
- Full Text
- View/download PDF
44. Evaluating the Impact of Malware Analysis Techniques for Securing Web Applications through a Decision-Making Framework under Fuzzy Environment.
- Author
-
Kumar, Rajeev, Alenezi, Mamdouh, Jamal Ansari, Md Tarique, Gupta, Bineet Kumar, Agrawal, Alka, and Khan, Raees Ahmad
- Subjects
WEB-based user interfaces, FUZZY integrals, REVERSE engineering, TELECOMMUNICATION systems, MALWARE prevention, BOTNETS, FUZZY decision making
- Abstract
Nowadays, most cyber-attacks are initiated by extremely malicious programs known as malware. Malware is very vigorous and can penetrate the security of information and communication systems. While there are different techniques available for malware analysis, it becomes challenging to select the most effective approach. In this context, the decision-making process may be an efficient means of empirically assessing the impact of different methods for securing web applications. In this research study, we have used a methodology that includes the integration of the Fuzzy AHP and Fuzzy TOPSIS techniques for evaluating the impact of different malware analysis techniques from a web application perspective. This study uses different versions of a university's web application for evaluating the impact of several existing malware analysis techniques. The findings of the study show that the Reverse Engineering approach is the most efficient technique for analyzing complex malware. The outcome of this study would definitely aid future researchers and developers in selecting the appropriate techniques for scanning the web application code and enhancing its security. [ABSTRACT FROM AUTHOR]
- Published
- 2020
- Full Text
- View/download PDF
45. Detection of attack-targeted scans from the Apache HTTP Server access logs
- Author
-
Merve Baş Seyyar, Ferhat Özgür Çatak, and Ensar Gül
- Subjects
Rule-based model, Log analysis, Scan detection, Web application security, XSS detection, SQLI detection, Information technology, T58.5-58.64
- Abstract
A web application could be visited for different purposes. It is possible for a web site to be visited by a regular user as a normal (natural) visit, to be viewed by crawlers, bots, spiders, etc. for indexing purposes, and lastly to be scanned exploratively by malicious users prior to an attack. An attack-targeted web scan can be viewed as a phase of a potential attack and can lead to more attack detection as compared to traditional detection methods. In this work, we propose a method to detect attack-oriented scans and to distinguish them from other types of visits. In this context, we use access log files of Apache (or IIS) web servers and try to determine attack situations through examination of the past data. In addition to web scan detection, we insert a rule set to detect SQL Injection and XSS attacks. Our approach has been applied on sample data sets, and results have been analyzed in terms of performance measures to compare our method and other commonly used detection techniques. Furthermore, various tests have been made on log samples from real systems. Lastly, several suggestions about further development have also been discussed.
- Published
- 2018
- Full Text
- View/download PDF
46. Fuzzy Multi Criteria Decision Analysis Method for Assessing Security Design Tactics for Web Applications.
- Author
-
Alenezi, Mamdouh, Nadeem, Mohammad, Agrawal, Alka, Kumar, Rajeev, and Khan, Raees Ahmad
- Subjects
WEB design, DECISION making, WEB-based user interfaces, ANALYTIC hierarchy process, APPLICATION software
- Abstract
Estimation of the security and design tactics of web applications, for ensuring the security, efficiency and design tactics of web applications, is necessary. A survey conducted by the security research team, Micro Focus, of the USA reveals that 80% of the vulnerability defects occur due to coding defects, validation causes 60% of the errors, and 70% of errors are due to encapsulation and path traversal. Such statistics call for a more efficacious design to enhance software security. The primary research goal of this study is to compute or evaluate the security threats of software and web applications from the perspective of design tactics. Towards this intent, we have employed the methodology of Fuzzy Analytic Hierarchy Process (F-AHP) to evaluate the security factors and obtain the weights of the different factors. The different design tactics of web applications have also been selected according to the factors that affect security. In this article, researchers have used a crossbreed technique combining fuzzy-based Multi Criteria Decision Method (MCDM) techniques, i.e., F-AHP and the Fuzzy Technique for Order of Preference by Similarity to Ideal Solution (F-TOPSIS). The results of the security assessment will be helpful for developers or experts in designing the security tactics of software or web applications. We have also compared the results of the classical and fuzzy approaches to determine the weights of alternatives or attributes and the ranks of the factors. This process is an effective and conclusive methodology for developers working toward more enhanced secure design tactics for software and web application design. [ABSTRACT FROM AUTHOR]
- Published
- 2020
- Full Text
- View/download PDF
47. Study on the Detection of Cross-Site Scripting Vulnerabilities Based on Reverse Code Audit
- Author
-
Yan, Fen, Qiao, Tao, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Yin, Hujun, editor, Gao, Yang, editor, Li, Bin, editor, Zhang, Daoqiang, editor, Yang, Ming, editor, Li, Yun, editor, Klawonn, Frank, editor, and Tallón-Ballesteros, Antonio J., editor
- Published
- 2016
- Full Text
- View/download PDF
48. Cyber Security of the Application Layer of Mission Critical Industrial Systems
- Author
-
Kozik, Rafał, Choraś, Michał, Renk, Rafał, Hołubowicz, Witold, Goos, Gerhard, Series Editor, Hartmanis, Juris, Founding Editor, Hutchison, David, Editorial Board Member, Kanade, Takeo, Editorial Board Member, Kittler, Josef, Editorial Board Member, Kleinberg, Jon M., Editorial Board Member, Mattern, Friedemann, Editorial Board Member, Mitchell, John C., Editorial Board Member, Naor, Moni, Editorial Board Member, Pandu Rangan, C., Editorial Board Member, Terzopoulos, Demetri, Editorial Board Member, Tygar, Doug, Editorial Board Member, Weikum, Gerhard, Series Editor, Saeed, Khalid, editor, and Homenda, Władysław, editor
- Published
- 2016
- Full Text
- View/download PDF
49. Solution to Data Imbalance Problem in Application Layer Anomaly Detection Systems
- Author
-
Kozik, Rafał, Choraś, Michał, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Martínez-Álvarez, Francisco, editor, Troncoso, Alicia, editor, Quintián, Héctor, editor, and Corchado, Emilio, editor
- Published
- 2016
- Full Text
- View/download PDF
50. Do I really need all this work to find vulnerabilities?: An empirical case study comparing vulnerability detection techniques on a Java application
- Author
-
Elder, Sarah, Zahan, Nusrat, Shu, Rui, Metro, Monica, Kozarev, Valeri, Menzies, Tim, and Williams, Laurie
- Published
- 2022
- Full Text
- View/download PDF
Discovery Service for Jio Institute Digital Library