Secure ASP.NET Web Application by Discovering Broken Authentication and Session Management Vulnerabilities

Today, web application security is most significant battlefield between victim, attacker and resource of web service. The owner of web applications can’t see security vulnerability in web application which develops in ASP.NET. This paper explain one algorithm which aim to identify broken authentication and session management vulnerability. The given method of this paper scan the web application files. The created scanner generator relies on studying the source character of the application limited ASP.NET files and the code be beholden files. A program develop for this motive is to bring about a report which describes vulnerabilities types by mentioning the indict name, disclose description and its location. The aim of the paper is to discover the broken authentication and session management vulnerabilities. The indicated algorithm will uphold organization and developer to repair the vulnerabilities and recover from one end to the other security.

Download Full-text

Taxonomy of Login Attacks in Web Applications and Their Security Techniques Using Behavioral Biometrics

Modern Theories and Practices for Cyber Ethics and Security Compliance - Advances in Information Security, Privacy, and Ethics ◽

10.4018/978-1-7998-3149-5.ch008 ◽

2020 ◽

pp. 122-139

Author(s):

Rizwan Ur Rahman ◽

Deepak Singh Tomar

Keyword(s):

Web Application ◽

Initial Phase ◽

Web Applications ◽

Application Development ◽

Web Application Security ◽

Application Security ◽

Security Issues ◽

Large Numbers ◽

Web Application Development ◽

The Web

Research into web application security is still in its initial phase. In spite of enhancements in web application development, large numbers of security issues remain unresolved. Login attacks are the most malevolent threats to the web application. Authentication is the method of confirming the stated identity of a user. Conventional authentication systems suffer from a weakness that can compromise the defense of the system. An example of such vulnerabilities is login attack. An attacker may exploit a pre-saved password or an authentication credential to log into web applications. An added problem with current authentication systems is that the authentication process is done only at the start of a session. Once the user is authenticated in the web application, the user's identity is assumed to remain the same during the lifetime of the session. This chapter examines the level login attacks that could be a threat to websites. The chapter provides a review of vulnerabilities, threats of login attacks associated with websites, and effective measures to counter them.

Download Full-text

HTTP SECURITY HEADERS

Knowledge International Journal ◽

10.35120/kij3003701p ◽

2019 ◽

pp. 701-706

Author(s):

Lilyana Petkova

Keyword(s):

Web Application ◽

Web Applications ◽

Application Development ◽

Web Application Security ◽

Application Security ◽

The Past ◽

General Data ◽

The One ◽

Compatibility Question ◽

The Web

Nowadays security becomes more important than the content and the SEO of a web application. Due to a lack of protection, the number of attacked websites augments in the past few years. In most of the cases, developers are either uninformed or unqualified to implement security during the application development, which causes a huge amount of data flaws. Supporting the developers and easily managing the workflow, some organizations have developed different kind of guidelines for security integration. Such guide helps handling the security from the outset of the development process, which influence over the protection of the entire application. The one used in this article is a project developed by Open Web Application Security Project (OWASP) Foundation named OWASP Secure Headers Project. Its aim is to show the developers the balance between usability and security implemented through http headers. By giving general data and examples of HTTP response headers usability it is a platform which help increasing the security of the application. In this article, we explain the necessity of HTTP Security Headers and how they can help in preventing a cyber invasion in our web application! We will give details on the most important HTTP headers and will retrieve a basic information for some with a lower need. We will give examples for their implementation in one ASP.NET web application to provide more descriptive perspective of their use! In the recent years, browsers have integrated certain security header controls to support the web application security. Those headers give instructions to the browser how to behave when handling sensitive content and data of the application. If developers enable them in the application, browser will prevent attacks automatically. But not all browsers support them, which brings a compatibility question: what are the alternatives in a case of deprecated header on a specific browser. As a part of the research we will provide an analyze of the use of the HTTP headers in some of the most common sites used in Bulgaria with the help of ALEXA Top 1 Million sites. There have already been developed a lot of applications to show if a certain website has HTTP security headers implemented. Most of them are freely to use and gives detailed information on what was done and what should be done in case that specific layer of security is missing from the web application. The need of security in the web applications become more and more necessary. Along with other security implementations on a programming and on a server level the ones described in the article bring another layer of security management that mitigates certain types of cyberattacks and vulnerabilities.

Download Full-text

Assessment of the web application security effectiveness against various methods of network attacks

Journal of Computer Sciences Institute ◽

10.35784/jcsi.707 ◽

2018 ◽

Vol 9 ◽

pp. 340-344

Author(s):

Mateusz Erbel ◽

Piotr Kopniak

Keyword(s):

Research Methodology ◽

Web Application ◽

Web Applications ◽

Network Attacks ◽

Internet Applications ◽

Web Application Security ◽

Application Security ◽

Security Effectiveness ◽

The Web

The article discusses the issue of the security of Internet applications. The most popular types of attacks and methods of securing web applications against them are discussed. The study conducted the effectiveness of security of web applications. The research methodology was based on the proprietary application implemented in PHP technology. The result of the research is a proposal of solutions aimed at improving application security.

Download Full-text

Preventive Measures for Cross Site Request Forgery Attacks on Web-based Applications

International Journal of Engineering & Technology ◽

10.14419/ijet.v7i4.15.21434 ◽

2018 ◽

Vol 7 (4.15) ◽

pp. 130

Author(s):

Emil Semastin ◽

Sami Azam ◽

Bharanidharan Shanmugam ◽

Krishnan Kannoorpatti ◽

Mirjam Jonokman ◽

...

Keyword(s):

Web Application ◽

Web Applications ◽

Operating Cycle ◽

Web Application Security ◽

Web Based ◽

Business World ◽

Application Security ◽

Server Side ◽

Combined Solution ◽

Cross Site Request Forgery

Today’s contemporary business world has incorporated Web Services and Web Applications in its core of operating cycle nowadays and security plays a major role in the amalgamation of such services and applications with the business needs worldwide. OWASP (Open Web Application Security Project) states that the effectiveness of security mechanisms in a Web Application can be estimated by evaluating the degree of vulnerability against any of the nominated top ten vulnerabilities, nominated by the OWASP. This paper sheds light on a number of existing tools that can be used to test for the CSRF vulnerability. The main objective of the research is to identify the available solutions to prevent CSRF attacks. By analyzing the techniques employed in each of the solutions, the optimal tool can be identified. Tests against the exploitation of the vulnerabilities were conducted after implementing the solutions into the web application to check the efficacy of each of the solutions. The research also proposes a combined solution that integrates the passing of an unpredictable token through a hidden field and validating it on the server side with the passing of token through URL.

Download Full-text

DATABASE PROTECTION BASED ON WEB APPLICATION FIREWALL

Journal of Automation and Information sciences ◽

10.34229/0572-2691-2021-1-7 ◽

2021 ◽

Vol 1 ◽

pp. 84-90

Author(s):

Rustam Kh. Khamdamov ◽

◽

Komil F. Kerimov ◽

Keyword(s):

Web Application ◽

Web Applications ◽

Personal Information ◽

Database Security ◽

Security Threats ◽

Web Application Security ◽

Application Security ◽

Client Request ◽

Database Protection ◽

Information Bank

Web applications are increasingly being used in activities such as reading news, paying bills, and shopping online. As these services grow, you can see an increase in the number and extent of attacks on them, such as: theft of personal information, bank data and other cases of cybercrime. All of the above is a consequence of the openness of information in the database. Web application security is highly dependent on database security. Client request data is usually retrieved by a set of requests that request the application user. If the data entered by the user is not scanned very carefully, you can collect a whole host of types of attacks that use web applications to create security threats to the database. Unfortunately, due to time constraints, web application programmers usually focus on the functionality of web applications, but only few worry about security. This article provides methods for detecting anomalies using a database firewall. The methods of penetration and types of hacks are investigated. A database firewall is proposed that can block known and unknown attacks on Web applications. This software can work in various ways depending on the configuration. There are almost no false positives, and the overhead of performance is relatively small. The developed database firewall is designed to protect against attacks on web application databases. It works as a proxy, which means that requests for SQL expressions received from the client will first be sent to the developed firewall, rather than to the database server itself. The firewall analyzes the request: requests that are considered strange are blocked by the firewall and an empty result is returned to the client.

Download Full-text

Cross Site Scripting Attacks in Web-Based Applications

Journal of Advances in Science and Engineering ◽

10.37121/jase.v1i2.19 ◽

2018 ◽

Vol 1 (2) ◽

pp. 25-35

Author(s):

Aliga Paul Aliga ◽

Adetokunbo MacGregor John-Otumu ◽

Rebecca E Imhanhahimi ◽

Atuegbelo Confidence Akpe

Keyword(s):

Web Application ◽

Web Applications ◽

Learning Ability ◽

Security Risk ◽

Web Application Security ◽

Web Based ◽

Architectural Framework ◽

Self Learning ◽

Cross Site ◽

The Web

Web-based applications has turn out to be very prevalent due to the ubiquity of web browsers to deliver service oriented application on-demand to diverse client over the Internet and cross site scripting (XSS) attack is a foremost security risk that has continuously ravage the web applications over the years. This paper critically examines the concept of XSS and some recent approaches for detecting and preventing XSS attacks in terms of architectural framework, algorithm used, solution location, and so on. The techniques were analysed and results showed that most of the available recognition and avoidance solutions to XSS attacks are more on the client end than the server end because of the peculiar nature of web application vulnerability and they also lack support for self-learning ability in order to detect new XSS attacks. Few researchers as cited in this paper inculcated the self-learning ability to detect and prevent XSS attacks in their design architecture using artificial neural networks and soft computing approach; a lot of improvement is still needed to effectively and efficiently handle the web application security menace as recommended.

Download Full-text

Web Vulnerability Through Cross Site Scripting (XSS) Detection with OWASP Security Shepherd

Indonesian Journal of Information Systems ◽

10.24002/ijis.v3i2.4192 ◽

2021 ◽

Vol 3 (2) ◽

pp. 149

Author(s):

Ripto Mukti Wibowo ◽

Aruji Sulaksono

Keyword(s):

Web Application ◽

Web Applications ◽

Cost Effective ◽

Internet Technology ◽

Cyber Attack ◽

Security Threat ◽

Web Application Security ◽

Application Security ◽

Case Examples ◽

Cross Site

Web applications are needed as a solution to the use of internet technology that can be accessed globally, capable of displaying information that is rich in content, cost effective, easy to use and can also be accessed by anyone, anytime and anywhere. In the second quarter of 2020, Wearesocial released information related to internet users in the world around 4.54 billion with 59% penetration. People become very dependent on the internet and also technology. This condition was also triggered due to the Covid-19 pandemic.One thing that becomes an issue on website application security is internet attacks on website platforms and we never expected the vulnerability. One type of attack or security threat that often arises and often occurs is Cross Site Scripting (XSS). XSS is one of Top 10 Open Web Application Security Projects (OWASP) lists.There are several alternatives that we can use to prevent cyber-attack. OWASP Security Shepherd can be used as a way to prevent XSS attacks. The OWASP Security Shepherd project allows users to learn or develop their manual penetration testing skills. In this research, there are several case examples or challenges that we can use as a simulation of the role of OWASP Security Shepherd to detect this XSS. The purpose of this paper is to conduct a brief and clear review of technology on OWASP Security Shepherd. This technology was chosen as an appropriate and inexpensive alternative for users to ward off XSS attacks.

Download Full-text

SQL Injection and Cross Site Scripting Prevention using OWASP ModSecurity Web Application Firewall

JOIV International Journal on Informatics Visualization ◽

10.30630/joiv.2.4.107 ◽

2018 ◽

Vol 2 (4) ◽

pp. 286 ◽

Cited By ~ 1

Author(s):

Robinson ◽

Memen Akbar ◽

Muhammad Arif Fadhly Ridha

Keyword(s):

Web Application ◽

Web Applications ◽

Monitoring Network ◽

Sql Injection ◽

Web Application Security ◽

Ip Address ◽

Application Security ◽

Rule Set ◽

Security Rule ◽

Cross Site

Web Application or website are widely used to provide functionality that allows companies to build and maintain relationships with their customers. The Information stored by web applications is often confidential and, if obtained by malicious attackers. Its exposure could result in substantial losses for both consumers and companies. SQL Injection and Cross Site Scripting are attacks that aiming web application database vulnerabilities. Its can allow malicious attackers to manipulate web server database that can cause various data lost, information thieving, and inconsistent of data. Therefore, this research propose the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set which can help administrator securing the web servers. OWASP operate by blocking IP Address which try to breaking the security rule, monitoring network traffic and preventing suspicious network requesting from outside.

Download Full-text

An Alternative Threat Model-based Approach for Security Testing

International Journal of Secure Software Engineering ◽

10.4018/ijsse.2015070103 ◽

2015 ◽

Vol 6 (3) ◽

pp. 50-64 ◽

Cited By ~ 4

Author(s):

Bouchaib Falah ◽

Mohammed Akour ◽

Samia Oukemeni

Keyword(s):

Web Application ◽

Web Applications ◽

Security Attacks ◽

Security Testing ◽

Security Risks ◽

Web Application Security ◽

Application Security ◽

Malicious Codes ◽

Testing Approach ◽

Interaction Web

In modern interaction, web applications has gained more and more popularity, which leads to a significate growth of exposure to malicious users and vulnerability attacks. This causes organizations and companies to lose valuable information and suffer from bad reputation. One of the effective mitigation practices is to perform security testing against the application before release it to the market. This solution won't protect web application 100% but it will test the application against malicious codes and reduce the high number of potential attacks on web application. One of known security testing approach is threat modeling, which provides an efficient technique to identify threats that can compromise system security. The authors proposed method, in this paper, focuses on improving the effectiveness of the categorization of threats by using Open 10 Web Application Security Project's (OWASP) that are the most critical web application security risks in generating threat trees in order to cover widely known security attacks.

Download Full-text