DETECTING SERVER-SIDE ENDPOINTS IN WEB APPLICATIONS BASED ON STATIC ANALYSIS OF CLIENT-SIDE JavaScript CODE

2021 ◽  
pp. 32-54
Author(s):  
D. A. Sigalov ◽  
◽  
A. A. Khashaev ◽  
D. Yu. Gamayunov ◽  
◽  
...  
Keyword(s):  
Static Analysis ◽  
Web Application ◽  
Web Applications ◽  
Security Analysis ◽  
Endpoint Detection ◽  
Security Testing ◽  
Application Security ◽  
Server Side ◽  
Dynamic Web ◽  
Client Side

The problem of server-side endpoint detection in the context of blackbox security analysis of dynamic web applications is considered. We propose a method to increase coverage of server-side endpoint detection using static analysis of client-side JavaScript code to find functions which generate HTTP requests to the server-side of the application and reconstruct parameters for those functions. In the context of application security testing, static analysis allows to find such functions even in dead or unreachable JavaScript code, which cannot be achieved by dynamic crawling or dynamic code analysis. Evaluation of the proposed method and its implementation has been done using synthetic web application with endpoints vulnerable to SQL injections, and the same application was used to compare the proposed method with existing solutions. Evaluation results show that adding JavaScript static analysis to traditional dynamic crawling of web applications may significantly improve server-side endpoint coverage in blackbox application security analysis.

scholarly journals Preventive Measures for Cross Site Request Forgery Attacks on Web-based Applications

2018 ◽  
Vol 7 (4.15) ◽  
pp. 130
Author(s):  
Emil Semastin ◽  
Sami Azam ◽  
Bharanidharan Shanmugam ◽  
Krishnan Kannoorpatti ◽  
Mirjam Jonokman ◽  
...  
Keyword(s):  
Web Application ◽  
Web Applications ◽  
Operating Cycle ◽  
Web Application Security ◽  
Web Based ◽  
Business World ◽  
Application Security ◽  
Server Side ◽  
Combined Solution ◽  
Cross Site Request Forgery

Today’s contemporary business world has incorporated Web Services and Web Applications in its core of operating cycle nowadays and security plays a major role in the amalgamation of such services and applications with the business needs worldwide. OWASP (Open Web Application Security Project) states that the effectiveness of security mechanisms in a Web Application can be estimated by evaluating the degree of vulnerability against any of the nominated top ten vulnerabilities, nominated by the OWASP. This paper sheds light on a number of existing tools that can be used to test for the CSRF vulnerability. The main objective of the research is to identify the available solutions to prevent CSRF attacks. By analyzing the techniques employed in each of the solutions, the optimal tool can be identified. Tests against the exploitation of the vulnerabilities were conducted after implementing the solutions into the web application to check the efficacy of each of the solutions. The research also proposes a combined solution that integrates the passing of an unpredictable token through a hidden field and validating it on the server side with the passing of token through URL.  

An Alternative Threat Model-based Approach for Security Testing

2015 ◽  
Vol 6 (3) ◽  
pp. 50-64 ◽  
Author(s):  
Bouchaib Falah ◽  
Mohammed Akour ◽  
Samia Oukemeni
Keyword(s):  
Web Application ◽  
Web Applications ◽  
Security Attacks ◽  
Security Testing ◽  
Security Risks ◽  
Web Application Security ◽  
Application Security ◽  
Malicious Codes ◽  
Testing Approach ◽  
Interaction Web

In modern interaction, web applications has gained more and more popularity, which leads to a significate growth of exposure to malicious users and vulnerability attacks. This causes organizations and companies to lose valuable information and suffer from bad reputation. One of the effective mitigation practices is to perform security testing against the application before release it to the market. This solution won't protect web application 100% but it will test the application against malicious codes and reduce the high number of potential attacks on web application. One of known security testing approach is threat modeling, which provides an efficient technique to identify threats that can compromise system security. The authors proposed method, in this paper, focuses on improving the effectiveness of the categorization of threats by using Open 10 Web Application Security Project's (OWASP) that are the most critical web application security risks in generating threat trees in order to cover widely known security attacks.

An Alternative Threat Model-Based Approach for Security Testing

2018 ◽  
pp. 441-454
Author(s):  
Bouchaib Falah ◽  
Mohammed Akour ◽  
Samia Oukemeni
Keyword(s):  
Web Application ◽  
Web Applications ◽  
Security Testing ◽  
Security Risks ◽  
Web Application Security ◽  
Threat Model ◽  
Application Security ◽  
Malicious Codes ◽  
Testing Approach ◽  
Interaction Web

In modern interaction, web applications has gained more and more popularity, which leads to a significate growth of exposure to malicious users and vulnerability attacks. This causes organizations and companies to lose valuable information and suffer from bad reputation. One of the effective mitigation practices is to perform security testing against the application before release it to the market. This solution won't protect web application 100% but it will test the application against malicious codes and reduce the high number of potential attacks on web application. One of known security testing approach is threat modeling, which provides an efficient technique to identify threats that can compromise system security. The authors proposed method, in this paper, focuses on improving the effectiveness of the categorization of threats by using Open 10 Web Application Security Project's (OWASP) that are the most critical web application security risks in generating threat trees in order to cover widely known security attacks.

scholarly journals Static analysis for discovering IoT vulnerabilities

2020 ◽  
Author(s):  
Pietro Ferrara ◽  
Amit Kr Mandal ◽  
Agostino Cortesi ◽  
Fausto Spoto
Keyword(s):  
Static Analysis ◽  
Web Application ◽  
Web Applications ◽  
Security Vulnerabilities ◽  
Web Application Security ◽  
Robust Solution ◽  
Representative Case ◽  
Application Security ◽  
Industrial Analyzer ◽  
The Relationship

AbstractThe Open Web Application Security Project (OWASP), released the “OWASP Top 10 Internet of Things 2018” list of the high-priority security vulnerabilities for IoT systems. The diversity of these vulnerabilities poses a great challenge toward development of a robust solution for their detection and mitigation. In this paper, we discuss the relationship between these vulnerabilities and the ones listed by OWASP Top 10 (focused on Web applications rather than IoT systems), how these vulnerabilities can actually be exploited, and in which cases static analysis can help in preventing them. Then, we present an extension of an industrial analyzer (Julia) that already covers five out of the top seven vulnerabilities of OWASP Top 10, and we discuss which IoT Top 10 vulnerabilities might be detected by the existing analyses or their extension. The experimental results present the application of some existing Julia’s analyses and their extension to IoT systems, showing its effectiveness of the analysis of some representative case studies.

XML Pipeline Processing in the Browser

2010 ◽  
Author(s):  
Vojtěch Toman
Keyword(s):  
Web Application ◽  
Web Applications ◽  
Application Development ◽  
Web Browser ◽  
Development Models ◽  
Server Side ◽  
Potential Benefits ◽  
Pipeline Processing ◽  
Xml Web ◽  
Client Side

With the growing interest in end-to-end XML web application development models, many web applications are becoming predominantly XML-based, requiring XML processing capabilities not only on the-server-side, but often also on the client-side. This paper discusses the potential benefits of using XProc for XML pipeline processing in the web browser and describes the developments of a JavaScript-based XProc implementation.

scholarly journals Using open source software for web application security testing

2017 ◽  
Vol 12 (2) ◽  
Author(s):  
Ksenija Živković ◽  
Ivan Milenković ◽  
Dejan Simić
Keyword(s):  
Open Source Software ◽  
Web Application ◽  
Web Applications ◽  
Functional Testing ◽  
Functional Requirements ◽  
Security Testing ◽  
Web Application Security ◽  
High Expectations ◽  
Application Security ◽  
Web Application Testing

Web applications are a standard part of our everyday lives. Their purpose can vary significantly, from e-banking to social networks. However, one thing is similar - users have generally high expectations from different web applications. To assure such high expectations, proper web application testing is necessary. Non-functional testing is an important part of web application testing. As technology advances and requirements become more complex, the importance of non-functional application aspects becomes even greater. It is necessary to identify non-functional requirements of web applications which are important to users, implement those requirements and test them.

scholarly journals Neutralizing SQL Injection Attack Using Server Side Code Modification in Web Applications

2017 ◽  
Vol 2017 ◽  
pp. 1-12 ◽  
Author(s):  
Asish Kumar Dalai ◽  
Sanjay Kumar Jena
Keyword(s):  
Web Application ◽  
Web Applications ◽  
Large Set ◽  
Sql Injection ◽  
Web Application Security ◽  
Application Security ◽  
Server Side ◽  
Injection Attacks ◽  
Sql Injection Attack ◽  
Sql Injection Attacks

Reports on web application security risks show that SQL injection is the top most vulnerability. The journey of static to dynamic web pages leads to the use of database in web applications. Due to the lack of secure coding techniques, SQL injection vulnerability prevails in a large set of web applications. A successful SQL injection attack imposes a serious threat to the database, web application, and the entire web server. In this article, the authors have proposed a novel method for prevention of SQL injection attack. The classification of SQL injection attacks has been done based on the methods used to exploit this vulnerability. The proposed method proves to be efficient in the context of its ability to prevent all types of SQL injection attacks. Some popular SQL injection attack tools and web application security datasets have been used to validate the model. The results obtained are promising with a high accuracy rate for detection of SQL injection attack.

RWAG: A Tool for Dynamic Web Application Development

2001 ◽  
Author(s):  
Hongqing Song ◽  
Stephen Huang
Keyword(s):  
Web Application ◽  
Web Applications ◽  
Application Development ◽  
Server Side ◽  
Multiple User ◽  
Advanced User ◽  
Dynamic Web ◽  
User Access ◽  
Share Information ◽  
The Web

Abstract The purpose of this tool, Rapid Web Application Generator (RWAG), is to allow a user to create a database-driven web application without the knowledge of DBMS and server-side programming. RWAG automatically generates database definitions and ASP pages for manipulating the data. The advantages of using RWAG are as follows: first, a user can create web applications in minutes without ever having to write any code (no need to know ASP, Perl, or Java); secondly, an advanced user can leverage his knowledge of ASP, Perl, Java, JavaScript, HTML, XML and DBMS to expand and customize the web application; thirdly, RWAG allows a user to own a record in the database, which means a record can only be edited by the user who creates it; finally, RWAG provides multiple user access levels. RWAG is ideal for a group of users to share information on the web.

scholarly journals ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting attacks

2019 ◽  
Vol 9 (2) ◽  
pp. 1393
Author(s):  
PMD Nagarjun ◽  
Shaik Shakeel Ahamad
Keyword(s):  
Web Application ◽  
Web Applications ◽  
Human Life ◽  
Single Line ◽  
Sensitive Information ◽  
Server Side ◽  
Client Side ◽  
Application Execution ◽  
Cross Site

<span lang="EN-US">Cross-Site Scripting (XSS) is one of serious web application attack. Web applications are involved in every activity of human life. JavaScript plays a major role in these web applications. In XSS attacks hacker inject malicious JavaScript into a trusted web application, execution of that malicious script may steal sensitive information from the user. Previous solutions to prevent XSS attacks require a lot of effort to integrate into existing web applications, some solutions works at client-side and some solutions works based on filter list which needs to be updated regularly. In this paper, we propose an Image Substitute technique (ImageSubXSS) to prevent Cross-Site Scripting attacks which works at the server-side. The proposed solution is implemented and evaluated on a number of XSS attacks. With a single line, developers can integrate ImageSubXSS into their applications and the proposed solution is able to prevent XSS attacks effectively.</span>

Sign in / Sign up

Export Citation Format

Share Document