ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting attacks

<span lang="EN-US">Cross-Site Scripting (XSS) is one of serious web application attack. Web applications are involved in every activity of human life. JavaScript plays a major role in these web applications. In XSS attacks hacker inject malicious JavaScript into a trusted web application, execution of that malicious script may steal sensitive information from the user. Previous solutions to prevent XSS attacks require a lot of effort to integrate into existing web applications, some solutions works at client-side and some solutions works based on filter list which needs to be updated regularly. In this paper, we propose an Image Substitute technique (ImageSubXSS) to prevent Cross-Site Scripting attacks which works at the server-side. The proposed solution is implemented and evaluated on a number of XSS attacks. With a single line, developers can integrate ImageSubXSS into their applications and the proposed solution is able to prevent XSS attacks effectively.</span>

Download Full-text

DETECTING SERVER-SIDE ENDPOINTS IN WEB APPLICATIONS BASED ON STATIC ANALYSIS OF CLIENT-SIDE JavaScript CODE

PRIKLADNAYa DISKRETNAYa MATEMATIKA ◽

10.17223/20710410/53/3 ◽

2021 ◽

pp. 32-54

Author(s):

D. A. Sigalov ◽

◽

A. A. Khashaev ◽

D. Yu. Gamayunov ◽

◽

...

Keyword(s):

Static Analysis ◽

Web Application ◽

Web Applications ◽

Security Analysis ◽

Endpoint Detection ◽

Security Testing ◽

Application Security ◽

Server Side ◽

Dynamic Web ◽

Client Side

The problem of server-side endpoint detection in the context of blackbox security analysis of dynamic web applications is considered. We propose a method to increase coverage of server-side endpoint detection using static analysis of client-side JavaScript code to find functions which generate HTTP requests to the server-side of the application and reconstruct parameters for those functions. In the context of application security testing, static analysis allows to find such functions even in dead or unreachable JavaScript code, which cannot be achieved by dynamic crawling or dynamic code analysis. Evaluation of the proposed method and its implementation has been done using synthetic web application with endpoints vulnerable to SQL injections, and the same application was used to compare the proposed method with existing solutions. Evaluation results show that adding JavaScript static analysis to traditional dynamic crawling of web applications may significantly improve server-side endpoint coverage in blackbox application security analysis.

Download Full-text

Server Side Method to Detect and Prevent Stored XSS Attack

Iraqi Journal for Electrical And Electronic Engineering ◽

10.37917/ijeee.17.2.8 ◽

2021 ◽

Vol 17 (2) ◽

pp. 58-65

Author(s):

Iman Khazal ◽

Mohammed Hussain

Keyword(s):

Open Source ◽

Web Application ◽

Web Applications ◽

User Input ◽

Server Side ◽

Cross Site ◽

The Web

Cross-Site Scripting (XSS) is one of the most common and dangerous attacks. The user is the target of an XSS attack, but the attacker gains access to the user by exploiting an XSS vulnerability in a web application as Bridge. There are three types of XSS attacks: Reflected, Stored, and Dom-based. This paper focuses on the Stored-XSS attack, which is the most dangerous of the three. In Stored-XSS, the attacker injects a malicious script into the web application and saves it in the website repository. The proposed method in this paper has been suggested to detect and prevent the Stored-XSS. The prevent Stored-XSS Server (PSS) was proposed as a server to test and sanitize the input to web applications before saving it in the database. Any user input must be checked to see if it contains a malicious script, and if so, the input must be sanitized and saved in the database instead of the harmful input. The PSS is tested using a vulnerable open-source web application and succeeds in detection by determining the harmful script within the input and prevent the attack by sterilized the input with an average time of 0.3 seconds.

Download Full-text

XML Pipeline Processing in the Browser

Proceedings of Balisage: The Markup Conference 2010 ◽

10.4242/balisagevol5.toman01 ◽

2010 ◽

Cited By ~ 2

Author(s):

Vojtěch Toman

Keyword(s):

Web Application ◽

Web Applications ◽

Application Development ◽

Web Browser ◽

Development Models ◽

Server Side ◽

Potential Benefits ◽

Pipeline Processing ◽

Xml Web ◽

Client Side

With the growing interest in end-to-end XML web application development models, many web applications are becoming predominantly XML-based, requiring XML processing capabilities not only on the-server-side, but often also on the client-side. This paper discusses the potential benefits of using XProc for XML pipeline processing in the web browser and describes the developments of a JavaScript-based XProc implementation.

Download Full-text

A Framework for Web Application Vulnerability Detection

International Journal of Engineering and Advanced Technology - Regular Issue ◽

10.35940/ijeat.c4778.029320 ◽

2020 ◽

Vol 9 (3) ◽

pp. 543-549

Keyword(s):

Web Application ◽

Human Life ◽

Dynamic Change ◽

The Internet ◽

Detection Mechanism ◽

Server Side ◽

Digital World ◽

Mechanism Research ◽

User Friendly ◽

Client Side

Hardly a facet of human life is not influenced by the Internet due to the continuous proliferation in the Internet facilities, usage, speed, user friendly browsing, global access, etc. At flip side, hackers are also attacking this digital world with new tactics and techniques through exploiting the web application vulnerabilities. The analysis of these vulnerabilities is of paramount importance in direction to secure social digital world. It can be carried out in two ways. First, manual analysis which is error prone due to the human nature of forgiveness, dynamic change in technology and fraudulence attack techniques. Second, through the existing web application vulnerability scanners that sometime may suffer from generating false alarm rate. Hence, there is a need to develop a framework that can detect different levels of vulnerabilities, ranging from client side vulnerabilities, communication side vulnerabilities to server side vulnerabilities. This paper has carried out the literature survey in direction of identifying the new attack vectors, vulnerabilities, detection mechanism, research gaps and new working areas in same field. Continuous improvement in framework is easy. Hence, a framework is proposed to overcome the identified research gap

Download Full-text

Addressing Web Application Security Issues and Vulnerabilities Assessment Pen Testing

International Journal of Recent Technology and Engineering - 2 ◽

10.35940/ijrte.f8169.038620 ◽

2020 ◽

Vol 8 (6) ◽

pp. 2314-2321

Keyword(s):

Vulnerability Assessment ◽

Web Application ◽

Web Applications ◽

Sensitive Information ◽

Security Measures ◽

Security Issues ◽

Online Sales ◽

Application Service ◽

Cross Site ◽

The Web

The world relies heavily on the Internet, and every organization uses web applications extensively for information sharing, business purposes such as online sales, money transfer, etc., and Exchange services. Nowadays, providing security for web applications is the greatest challenge in the corporate world because web applications will be the main way for their daily business and if the web application is affected, then daily business and reputation will be affected. As many organizations have been using the web application service to share or store sensitive information about their clients and assets. So, Web Applications are inclined to security attacks and new security vulnerabilities have grown in the last two decades in a web application and have become an important target for attackers. So, it is very vital to secure a web application. The vulnerabilities in web applications will incur due to the security misconfigurations, programming mistakes, improper usage of security measures, etc. So, vulnerability assessment and pen testing will help to figure out the different vulnerabilities present in web applications. The websites are also using to deliver the critical services to its customers so it must run every time without any interception, to do this VAPT will play a crucial role. This paper reviews about vulnerability assessment and pretesting steps and types, website vulnerabilities like SQL Injection, Cross-Site scripting, file inclusion, cross-site request forgery, and broken authentication with types and remediations and also discuss how the effect of these vulnerabilities on a web application.

Download Full-text

Optimized watershed delineation library for server-side and client-side web applications

Open Geospatial Data Software and Standards ◽

10.1186/s40965-019-0068-9 ◽

2019 ◽

Vol 4 (1) ◽

Cited By ~ 3

Author(s):

Muhammed Sit ◽

Yusuf Sermet ◽

Ibrahim Demir

Keyword(s):

Web Applications ◽

Server Side ◽

Watershed Delineation ◽

Client Side

Download Full-text

Preventive Measures for Cross Site Request Forgery Attacks on Web-based Applications

International Journal of Engineering & Technology ◽

10.14419/ijet.v7i4.15.21434 ◽

2018 ◽

Vol 7 (4.15) ◽

pp. 130

Author(s):

Emil Semastin ◽

Sami Azam ◽

Bharanidharan Shanmugam ◽

Krishnan Kannoorpatti ◽

Mirjam Jonokman ◽

...

Keyword(s):

Web Application ◽

Web Applications ◽

Operating Cycle ◽

Web Application Security ◽

Web Based ◽

Business World ◽

Application Security ◽

Server Side ◽

Combined Solution ◽

Cross Site Request Forgery

Today’s contemporary business world has incorporated Web Services and Web Applications in its core of operating cycle nowadays and security plays a major role in the amalgamation of such services and applications with the business needs worldwide. OWASP (Open Web Application Security Project) states that the effectiveness of security mechanisms in a Web Application can be estimated by evaluating the degree of vulnerability against any of the nominated top ten vulnerabilities, nominated by the OWASP. This paper sheds light on a number of existing tools that can be used to test for the CSRF vulnerability. The main objective of the research is to identify the available solutions to prevent CSRF attacks. By analyzing the techniques employed in each of the solutions, the optimal tool can be identified. Tests against the exploitation of the vulnerabilities were conducted after implementing the solutions into the web application to check the efficacy of each of the solutions. The research also proposes a combined solution that integrates the passing of an unpredictable token through a hidden field and validating it on the server side with the passing of token through URL.

Download Full-text

XSS Vulnerability Assessment Procedure and Mitigation for Web Application

International Journal of Recent Technology and Engineering - 2 ◽

10.35940/ijrte.f9709.038620 ◽

2020 ◽

Vol 8 (6) ◽

pp. 5279-5281

Keyword(s):

Vulnerability Assessment ◽

Web Application ◽

Web Applications ◽

Assessment Procedure ◽

User Comments ◽

Web Vulnerabilities ◽

Client Side

CSS is one of the foremost routine vulnerabilities that affect many web applications. XSS attacks are essentially malicious injections (client-side) that are added to an internet page or app through user comments, form submissions, and so on. The most danger behind XSS is that it allows attackers to inject content into the online app. The injected content can modify how it's displayed, forcing the browser to execute the attacker’s code. Web vulnerabilities are developed for scanning whole webpage of internet sites. Vulnerability Assessment is that the process of identifying vulnerabilities in your application’s environment. Vulnerability is defined as a weakness or flaw within the system that permits an attacker or insider to access the system during a way they’re not authorized.

Download Full-text

Developing Web-Application’s Automated Testing Technique

Vestnik NSU Series Information Technologies ◽

10.25205/1818-7900-2019-17-3-93-110 ◽

2019 ◽

Vol 17 (3) ◽

pp. 93-110

Author(s):

A. V. Tkachev ◽

D. V. Irtegov

Keyword(s):

Web Application ◽

Development Process ◽

Web Applications ◽

Assessment System ◽

Automated Testing ◽

Automatic Assessment ◽

Testing Technique ◽

Code Coverage ◽

Client Side ◽

User Actions

The article is devoted to the technique of automated testing of NSUts – automatic assessment system for programming tasks developed at NSU. The main priority for this technique is to test both the old and the new versions of the application, so that the same or minimally modified tests could be executed on two versions of the system with different architectures. This could be useful while organizing the development process for other applications with a long life cycle. To test not only the server but also the client side of the web application, we suggest using tools like Selenium WebDriver to simulate user actions by sending commands to real browsers. We use the well-known Page Object design pattern to handle differences in HTML layout and functionality, and describe a number of ways to make developed tests less fragile and easily adapt those to work with the new version of the system. The article also describes the use of this technique to organize automated testing of the NSUts system and analyzes its effectiveness. The analysis shows that the estimated code coverage by these tests is quite high, and therefore the technique can be considered effective and applied to other similar web applications.

Download Full-text

On distributed concern delivery in user interface design

Computer Science and Information Systems ◽

10.2298/csis141202021c ◽

2015 ◽

Vol 12 (2) ◽

pp. 655-681 ◽

Cited By ~ 14

Author(s):

Tomas Cerny ◽

Miroslav Macik ◽

Michael Donahoo ◽

Jan Janousek

Keyword(s):

User Interface ◽

Interface Design ◽

Web Application ◽

Significant Information ◽

Server Side ◽

Ui Design ◽

Potential Benefits ◽

And Performance ◽

Client Side

Increasing demands on user interface (UI) usability, adaptability, and dynamic behavior drives ever-growing development and maintenance complexity. Traditional UI design techniques result in complex descriptions for data presentations with significant information restatement. In addition, multiple concerns in UI development leads to descriptions that exhibit concern tangling, which results in high fragment replication. Concern-separating approaches address these issues; however, they fail to maintain the separation of concerns for execution tasks like rendering or UI delivery to clients. During the rendering process at the server side, the separation collapses into entangled concerns that are provided to clients. Such client-side entanglement may seem inconsequential since the clients are simply displaying what is sent to them; however, such entanglement compromises client performance as it results in problems such as replication, fragment granularity ill-suited for effective caching, etc. This paper considers advantages brought by concern-separation from both perspectives. It proposes extension to the aspect-oriented UI design with distributed concern delivery (DCD) for client-server applications. Such an extension lessens the serverside involvement in UI assembly and reduces the fragment replication in provided UI descriptions. The server provides clients with individual UI concerns, and they become partially responsible for the UI assembly. This change increases client-side concern reuse and extends caching opportunities, reducing the volume of transmitted information between client and server to improve UI responsiveness and performance. The underlying aspect-oriented UI design automates the server-side derivation of concerns related to data presentations adapted to runtime context, security, conditions, etc. Evaluation of the approach is considered in a case study applying DCD to an existing, production web application. Our results demonstrate decreased volumes of UI descriptions assembled by the server-side and extended client-side caching abilities, reducing required data/fragment transmission, which improves UI responsiveness. Furthermore, we evaluate the potential benefits of DCD integration implications in selected UI frameworks.

Download Full-text