XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers

2021 ◽  
Author(s):  
Lukas Knittel ◽  
Christian Mainka ◽  
Marcus Niemietz ◽  
Dominik Trevor Noß ◽  
Jörg Schwenk
Keyword(s):  
Formal Model ◽  
Web Browsers ◽  
Automatic Evaluation ◽  
Cross Site

scholarly journals Analisis Kerentanan Serangan Cross Site Scripting (XSS) pada Aplikasi Smart Payment Menggunakan Framework OWASP

2020 ◽  
Vol 5 (3) ◽  
pp. 146
Author(s):  
Imam Riadi ◽  
Rusydi Umar ◽  
Tri Lestari
Keyword(s):  
Information Disclosure ◽  
Web Browsers ◽  
Content Type ◽  
Self Test ◽  
Cross Site

E-commerce that is growing so rapidly can provide space for unauthorized parties in carrying out cybercrime, security anticipation is needed so that e-commerce applications can be protected from harassment or hacking attacks such as cross-site scripting (XSS), malware, exploits, and database injection. This research was conducted to determine the vulnerability of the Smart Payment application by self-test using the ZAP tool. This test is carried out to secure applications that serve as recommendations for follow-up in securing the Smart Payment application. The results of this study found vulnerabilities in the Smart Payment application. Vulnerabilities found were Information Disclosure-Suspicious Comments, X-Frame-Options Header not Set, X-Content-Type-Options Header Missing, Timestamp Disclosure-Unix, XSS Protection Not Enabled Web Browsers, and Directory Browsing. In addition to obtaining vulnerabilities from the Smart Payment application, solutions are also provided to overcome vulnerabilities in the Smart Payment application.  

BDS

2018 ◽  
pp. 910-927
Author(s):  
Shashank Gupta ◽  
B. B. Gupta
Keyword(s):  
Web Applications ◽  
Web Pages ◽  
Web Browsers ◽  
Security Model ◽  
Web Browser ◽  
User Input ◽  
Defensive Strategies ◽  
Client Side ◽  
Cross Site ◽  
The Web

Cross-Site Scripting (XSS) attack is a vulnerability on the client-side browser that is caused by the improper sanitization of the user input embedded in the Web pages. Researchers in the past had proposed various types of defensive strategies, vulnerability scanners, etc., but still XSS flaws remains in the Web applications due to inadequate understanding and implementation of various defensive tools and strategies. Therefore, in this chapter, the authors propose a security model called Browser Dependent XSS Sanitizer (BDS) on the client-side Web browser for eliminating the effect of XSS vulnerability. Various earlier client-side solutions degrade the performance on the Web browser side. But in this chapter, the authors use a three-step approach to bypass the XSS attack without degrading much of the user's Web browsing experience. While auditing the experiments, this approach is capable of preventing the XSS attacks on various modern Web browsers.

BDS

2015 ◽  
pp. 174-191 ◽  
Author(s):  
Shashank Gupta ◽  
B. B. Gupta
Keyword(s):  
Web Applications ◽  
Web Pages ◽  
Web Browsers ◽  
Security Model ◽  
Web Browser ◽  
User Input ◽  
Defensive Strategies ◽  
Client Side ◽  
Cross Site ◽  
The Web

Cross-Site Scripting (XSS) attack is a vulnerability on the client-side browser that is caused by the improper sanitization of the user input embedded in the Web pages. Researchers in the past had proposed various types of defensive strategies, vulnerability scanners, etc., but still XSS flaws remains in the Web applications due to inadequate understanding and implementation of various defensive tools and strategies. Therefore, in this chapter, the authors propose a security model called Browser Dependent XSS Sanitizer (BDS) on the client-side Web browser for eliminating the effect of XSS vulnerability. Various earlier client-side solutions degrade the performance on the Web browser side. But in this chapter, the authors use a three-step approach to bypass the XSS attack without degrading much of the user's Web browsing experience. While auditing the experiments, this approach is capable of preventing the XSS attacks on various modern Web browsers.

scholarly journals WebMTD: Defeating Cross-Site Scripting Attacks Using Moving Target Defense

2019 ◽  
Vol 2019 ◽  
pp. 1-13 ◽  
Author(s):  
Amirreza Niakanlahiji ◽  
Jafar Haadi Jafarian
Keyword(s):  
Web Applications ◽  
Defense Mechanism ◽  
Moving Target ◽  
Web Browsers ◽  
Random Mutation ◽  
Moving Target Defense ◽  
Backward Compatibility ◽  
Low Performance ◽  
Cross Site ◽  
Code Modification

Existing mitigation techniques for cross-site scripting attacks have not been widely adopted, primarily due to imposing impractical overheads on developers, Web servers, or Web browsers. They either enforce restrictive coding practices on developers, fail to support legacy Web applications, demand browser code modification, or fail to provide browser backward compatibility. Moving target defense (MTD) is a novel proactive class of techniques that aim to defeat attacks by imposing uncertainty in attack reconnaissance and planning. This uncertainty is achieved by frequent and random mutation (randomization) of system configuration in a manner that is not traceable (predictable) by attackers. In this paper, we present WebMTD, a proactive moving target defense mechanism that thwarts various kinds of cross-site scripting (XSS) attacks on Web applications. Relying on built-in features of modern Web browsers, WebMTD randomizes values of certain attributes of Web elements to differentiate the application code from the injected code and disallow its execution; this is done without requiring Web developer involvement or browser code modification. Through rigorous evaluation, we show that WebMTD has very a low performance overhead. Also, we argue that our technique outperforms all competing approaches due to its broad effectiveness, transparency, backward compatibility, and low overhead.

Cross-Site Request Forgery: Vulnerabilities and Defenses

2014 ◽  
Vol 3 (2) ◽  
pp. 13-21 ◽  
Author(s):  
Bharti Nagpal ◽  
Naresh Chauhan ◽  
Nanhay Singh
Keyword(s):  
Cross Site Request Forgery ◽  
Cross Site
Sign in / Sign up

Export Citation Format

Share Document