XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers

Analisis Kerentanan Serangan Cross Site Scripting (XSS) pada Aplikasi Smart Payment Menggunakan Framework OWASP

JISKA (Jurnal Informatika Sunan Kalijaga) ◽

10.14421/jiska.2020.53-02 ◽

2020 ◽

Vol 5 (3) ◽

pp. 146

Author(s):

Imam Riadi ◽

Rusydi Umar ◽

Tri Lestari

Keyword(s):

Information Disclosure ◽

Web Browsers ◽

Content Type ◽

Self Test ◽

Cross Site

E-commerce that is growing so rapidly can provide space for unauthorized parties in carrying out cybercrime, security anticipation is needed so that e-commerce applications can be protected from harassment or hacking attacks such as cross-site scripting (XSS), malware, exploits, and database injection. This research was conducted to determine the vulnerability of the Smart Payment application by self-test using the ZAP tool. This test is carried out to secure applications that serve as recommendations for follow-up in securing the Smart Payment application. The results of this study found vulnerabilities in the Smart Payment application. Vulnerabilities found were Information Disclosure-Suspicious Comments, X-Frame-Options Header not Set, X-Content-Type-Options Header Missing, Timestamp Disclosure-Unix, XSS Protection Not Enabled Web Browsers, and Directory Browsing. In addition to obtaining vulnerabilities from the Smart Payment application, solutions are also provided to overcome vulnerabilities in the Smart Payment application.

Download Full-text

BDS

Application Development and Design ◽

10.4018/978-1-5225-3422-8.ch039 ◽

2018 ◽

pp. 910-927

Author(s):

Shashank Gupta ◽

B. B. Gupta

Keyword(s):

Web Applications ◽

Web Pages ◽

Web Browsers ◽

Security Model ◽

Web Browser ◽

User Input ◽

Defensive Strategies ◽

Client Side ◽

Cross Site ◽

The Web

Cross-Site Scripting (XSS) attack is a vulnerability on the client-side browser that is caused by the improper sanitization of the user input embedded in the Web pages. Researchers in the past had proposed various types of defensive strategies, vulnerability scanners, etc., but still XSS flaws remains in the Web applications due to inadequate understanding and implementation of various defensive tools and strategies. Therefore, in this chapter, the authors propose a security model called Browser Dependent XSS Sanitizer (BDS) on the client-side Web browser for eliminating the effect of XSS vulnerability. Various earlier client-side solutions degrade the performance on the Web browser side. But in this chapter, the authors use a three-step approach to bypass the XSS attack without degrading much of the user's Web browsing experience. While auditing the experiments, this approach is capable of preventing the XSS attacks on various modern Web browsers.

Download Full-text

BDS

Handbook of Research on Securing Cloud-Based Databases with Biometric Applications - Advances in Information Security, Privacy, and Ethics ◽

10.4018/978-1-4666-6559-0.ch008 ◽

2015 ◽

pp. 174-191 ◽

Cited By ~ 17

Author(s):

Shashank Gupta ◽

B. B. Gupta

Keyword(s):

Web Applications ◽

Web Pages ◽

Web Browsers ◽

Security Model ◽

Web Browser ◽

User Input ◽

Defensive Strategies ◽

Client Side ◽

Cross Site ◽

The Web

Cross-Site Scripting (XSS) attack is a vulnerability on the client-side browser that is caused by the improper sanitization of the user input embedded in the Web pages. Researchers in the past had proposed various types of defensive strategies, vulnerability scanners, etc., but still XSS flaws remains in the Web applications due to inadequate understanding and implementation of various defensive tools and strategies. Therefore, in this chapter, the authors propose a security model called Browser Dependent XSS Sanitizer (BDS) on the client-side Web browser for eliminating the effect of XSS vulnerability. Various earlier client-side solutions degrade the performance on the Web browser side. But in this chapter, the authors use a three-step approach to bypass the XSS attack without degrading much of the user's Web browsing experience. While auditing the experiments, this approach is capable of preventing the XSS attacks on various modern Web browsers.

Download Full-text

WebMTD: Defeating Cross-Site Scripting Attacks Using Moving Target Defense

Security and Communication Networks ◽

10.1155/2019/2156906 ◽

2019 ◽

Vol 2019 ◽

pp. 1-13 ◽

Cited By ~ 1

Author(s):

Amirreza Niakanlahiji ◽

Jafar Haadi Jafarian

Keyword(s):

Web Applications ◽

Defense Mechanism ◽

Moving Target ◽

Web Browsers ◽

Random Mutation ◽

Moving Target Defense ◽

Backward Compatibility ◽

Low Performance ◽

Cross Site ◽

Code Modification

Existing mitigation techniques for cross-site scripting attacks have not been widely adopted, primarily due to imposing impractical overheads on developers, Web servers, or Web browsers. They either enforce restrictive coding practices on developers, fail to support legacy Web applications, demand browser code modification, or fail to provide browser backward compatibility. Moving target defense (MTD) is a novel proactive class of techniques that aim to defeat attacks by imposing uncertainty in attack reconnaissance and planning. This uncertainty is achieved by frequent and random mutation (randomization) of system configuration in a manner that is not traceable (predictable) by attackers. In this paper, we present WebMTD, a proactive moving target defense mechanism that thwarts various kinds of cross-site scripting (XSS) attacks on Web applications. Relying on built-in features of modern Web browsers, WebMTD randomizes values of certain attributes of Web elements to differentiate the application code from the injected code and disallow its execution; this is done without requiring Web developer involvement or browser code modification. Through rigorous evaluation, we show that WebMTD has very a low performance overhead. Also, we argue that our technique outperforms all competing approaches due to its broad effectiveness, transparency, backward compatibility, and low overhead.

Download Full-text