Ontology for Cross-Site-Scripting (XSS) Attack in Cybersecurity

In this work, we tackle a frequent problem that frequently occurs in the cybersecurity field which is the exploitation of websites by XSS attacks, which are nowadays considered a complicated attack. These types of attacks aim to execute malicious scripts in a web browser of the client by including code in a legitimate web page. A serious matter is when a website accepts the “user-input” option. Attackers can exploit the web application (if vulnerable), and then steal sensitive data (session cookies, passwords, credit cards, etc.) from the server and/or from the client. However, the difficulty of the exploitation varies from website to website. Our focus is on the usage of ontology in cybersecurity against XSS attacks, on the importance of the ontology, and its core meaning for cybersecurity. We explain how a vulnerable website can be exploited, and how different JavaScript payloads can be used to detect vulnerabilities. We also enumerate some tools to use for an efficient analysis. We present detailed reasoning on what can be done to improve the security of a website in order to resist attacks, and we provide supportive examples. Then, we apply an ontology model against XSS attacks to strengthen the protection of a web application. However, we note that the existence of ontology does not improve the security itself, but it has to be properly used and should require a maximum of security layers to be taken into account.

Download Full-text

Semi-Automatic Online Tagging with K-Medoid Clustering

International Journal of Software Engineering and Knowledge Engineering ◽

10.1142/s0218194014400075 ◽

2014 ◽

Vol 24 (08) ◽

pp. 1115-1130 ◽

Cited By ~ 1

Author(s):

He Hu ◽

Xiaoyong Du

Keyword(s):

Clustering Algorithm ◽

Prototype System ◽

Web Pages ◽

Web Page ◽

Web Browser ◽

User Input ◽

Browser Extension ◽

Annotation Process ◽

Efficiency And Effectiveness ◽

Automatic Mechanism

Online tagging is crucial for the acquisition and organization of web knowledge. We present TYG (Tag-as-You-Go) in this paper, a web browser extension for online tagging of personal knowledge on standard web pages. We investigate an approach to combine a K-Medoid-style clustering algorithm with the user input to achieve semi-automatic web page annotation. The annotation process supports user-defined tagging schema and comprises an automatic mechanism that is built upon clustering techniques, which can automatically group similar HTML DOM nodes into clusters corresponding to the user specification. TYG is a prototype system illustrating the proposed approach. Experiments with TYG show that our approach can achieve both efficiency and effectiveness in real world annotation scenarios.

Download Full-text

Server Side Method to Detect and Prevent Stored XSS Attack

Iraqi Journal for Electrical And Electronic Engineering ◽

10.37917/ijeee.17.2.8 ◽

2021 ◽

Vol 17 (2) ◽

pp. 58-65

Author(s):

Iman Khazal ◽

Mohammed Hussain

Keyword(s):

Open Source ◽

Web Application ◽

Web Applications ◽

User Input ◽

Server Side ◽

Cross Site ◽

The Web

Cross-Site Scripting (XSS) is one of the most common and dangerous attacks. The user is the target of an XSS attack, but the attacker gains access to the user by exploiting an XSS vulnerability in a web application as Bridge. There are three types of XSS attacks: Reflected, Stored, and Dom-based. This paper focuses on the Stored-XSS attack, which is the most dangerous of the three. In Stored-XSS, the attacker injects a malicious script into the web application and saves it in the website repository. The proposed method in this paper has been suggested to detect and prevent the Stored-XSS. The prevent Stored-XSS Server (PSS) was proposed as a server to test and sanitize the input to web applications before saving it in the database. Any user input must be checked to see if it contains a malicious script, and if so, the input must be sanitized and saved in the database instead of the harmful input. The PSS is tested using a vulnerable open-source web application and succeeds in detection by determining the harmful script within the input and prevent the attack by sterilized the input with an average time of 0.3 seconds.

Download Full-text

UOFilter: A Whitelist-Based Filter for Unintended Objects in Web Pages

Applied Mechanics and Materials ◽

10.4028/www.scientific.net/amm.519-520.373 ◽

2014 ◽

Vol 519-520 ◽

pp. 373-376

Author(s):

Yi Tang ◽

Zhao Kai Luo ◽

Ji Zhang

Keyword(s):

List Item ◽

Web Server ◽

Web Pages ◽

Proof Of Concept ◽

Web Page ◽

Sensitive Data ◽

Web Browser ◽

Browser Extension ◽

Foreign Objects ◽

Same Origin Policy

A web page often contains objects that the hosted web server intends a browser to render. Rendering those objects can instruct network requests to foreign origins. Although the same origin policy (SOP) limits the access for foreign objects, web attackers could circumvent the SOP controls through injected unintended objects for sensitive data smuggling. In this paper, we propose UOFilter, a whitelist-based method to filter out unintended objects in web pages. We define a list item structure to describe intended objects with optional integrity guarantees. The UOFilter in a web browser interprets the items and blocks the network requests issued by those unintended objects. We implement a proof of concept UOFilter prototype as a chrome browser extension and validate it with experiments.

Download Full-text

BDS

Application Development and Design ◽

10.4018/978-1-5225-3422-8.ch039 ◽

2018 ◽

pp. 910-927

Author(s):

Shashank Gupta ◽

B. B. Gupta

Keyword(s):

Web Applications ◽

Web Pages ◽

Web Browsers ◽

Security Model ◽

Web Browser ◽

User Input ◽

Defensive Strategies ◽

Client Side ◽

Cross Site ◽

The Web

Cross-Site Scripting (XSS) attack is a vulnerability on the client-side browser that is caused by the improper sanitization of the user input embedded in the Web pages. Researchers in the past had proposed various types of defensive strategies, vulnerability scanners, etc., but still XSS flaws remains in the Web applications due to inadequate understanding and implementation of various defensive tools and strategies. Therefore, in this chapter, the authors propose a security model called Browser Dependent XSS Sanitizer (BDS) on the client-side Web browser for eliminating the effect of XSS vulnerability. Various earlier client-side solutions degrade the performance on the Web browser side. But in this chapter, the authors use a three-step approach to bypass the XSS attack without degrading much of the user's Web browsing experience. While auditing the experiments, this approach is capable of preventing the XSS attacks on various modern Web browsers.

Download Full-text

BDS

Handbook of Research on Securing Cloud-Based Databases with Biometric Applications - Advances in Information Security, Privacy, and Ethics ◽

10.4018/978-1-4666-6559-0.ch008 ◽

2015 ◽

pp. 174-191 ◽

Cited By ~ 17

Author(s):

Shashank Gupta ◽

B. B. Gupta

Keyword(s):

Web Applications ◽

Web Pages ◽

Web Browsers ◽

Security Model ◽

Web Browser ◽

User Input ◽

Defensive Strategies ◽

Client Side ◽

Cross Site ◽

The Web

Download Full-text

Security system testing on electronic integrated antenatal care (e-iANC)

International Journal of Electrical and Computer Engineering (IJECE) ◽

10.11591/ijece.v10i1.pp346-352 ◽

2020 ◽

Vol 10 (1) ◽

pp. 346

Author(s):

Hosizah Hosizah ◽

Fachmi Tamzil

Keyword(s):

Antenatal Care ◽

Web Application ◽

Security System ◽

Risk Level ◽

System Testing ◽

Sensitive Data ◽

Computer Laboratory ◽

Patient Disposition ◽

Risk Pregnancy ◽

Cross Site

Electronic Integrated Antenatal Care (e-iANC) was built as a web-based application to assist midwives in recording Antenatal Care (ANC) data including Patient Registration; Anamnesis; Physical Examination; Laboratory Test, Screening of Risk Pregnancy; Communication, Information and Education; Treatment and follow-up; Patient Disposition. To ensure e-iANC becomes a safe system, security system testing was needed. Our goals were to test the security system by using the Open Web Application Security Project (OWASP). It was conducted in computer laboratory at Universitas Esa Unggul Jakarta in August 2017. The OWASP detect include Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Level Access Control, Cross Site Request Forgery (CSRF), Using Known Vulnerable Components, Unvalidated Redirects and Forwards. The results indicated the risk level of e-iANC was the low category in the aspect of Cross-Domain JavaScript Source File Inclusion, Private IP Disclosure, XSS Protection Not Enabled Web Browser.

Download Full-text

Mobile Software Assurance Informed through Knowledge Graph Construction: The OWASP Threat of Insecure Data Storage

Journal of Computer Science Research ◽

10.30564/jcsr.v2i2.1765 ◽

2020 ◽

Vol 2 (2) ◽

Author(s):

Suzanna Schmeelk ◽

Lixin Tao

Keyword(s):

Data Storage ◽

Program Analysis ◽

Web Application ◽

Security Analysis ◽

Knowledge Graph ◽

Healthcare Applications ◽

Sensitive Data ◽

Knowledge Graphs ◽

Mobile Malware Detection ◽

Software Assurance

Many organizations, to save costs, are movinheg to t Bring Your Own Mobile Device (BYOD) model and adopting applications built by third-parties at an unprecedented rate. Our research examines software assurance methodologies specifically focusing on security analysis coverage of the program analysis for mobile malware detection, mitigation, and prevention. This research focuses on secure software development of Android applications by developing knowledge graphs for threats reported by the Open Web Application Security Project (OWASP). OWASP maintains lists of the top ten security threats to web and mobile applications. We develop knowledge graphs based on the two most recent top ten threat years and show how the knowledge graph relationships can be discovered in mobile application source code. We analyze 200+ healthcare applications from GitHub to gain an understanding of their software assurance of their developed software for one of the OWASP top ten moble threats, the threat of “Insecure Data Storage.” We find that many of the applications are storing personally identifying information (PII) in potentially vulnerable places leaving users exposed to higher risks for the loss of their sensitive data.

Download Full-text

A Sign of Things to Come: Predicting the Perception of Above-the-Fold Time in Web Browsing

Future Internet ◽

10.3390/fi13020050 ◽

2021 ◽

Vol 13 (2) ◽

pp. 50

Author(s):

Hamed Z. Jahromi ◽

Declan Delaney ◽

Andrew Hines

Keyword(s):

Web Application ◽

Web Applications ◽

State Of The Art ◽

Influencing Factor ◽

The State ◽

Experimental Result ◽

Web Page ◽

To Come ◽

Web Quality ◽

The Web

Content is a key influencing factor in Web Quality of Experience (QoE) estimation. A web user’s satisfaction can be influenced by how long it takes to render and visualize the visible parts of the web page in the browser. This is referred to as the Above-the-fold (ATF) time. SpeedIndex (SI) has been widely used to estimate perceived web page loading speed of ATF content and a proxy metric for Web QoE estimation. Web application developers have been actively introducing innovative interactive features, such as animated and multimedia content, aiming to capture the users’ attention and improve the functionality and utility of the web applications. However, the literature shows that, for the websites with animated content, the estimated ATF time using the state-of-the-art metrics may not accurately match completed ATF time as perceived by users. This study introduces a new metric, Plausibly Complete Time (PCT), that estimates ATF time for a user’s perception of websites with and without animations. PCT can be integrated with SI and web QoE models. The accuracy of the proposed metric is evaluated based on two publicly available datasets. The proposed metric holds a high positive Spearman’s correlation (rs=0.89) with the Perceived ATF reported by the users for websites with and without animated content. This study demonstrates that using PCT as a KPI in QoE estimation models can improve the robustness of QoE estimation in comparison to using the state-of-the-art ATF time metric. Furthermore, experimental result showed that the estimation of SI using PCT improves the robustness of SI for websites with animated content. The PCT estimation allows web application designers to identify where poor design has significantly increased ATF time and refactor their implementation before it impacts end-user experience.

Download Full-text

Implementation of Web Application for Disease Prediction Using AI

10.54646/bijdmbd.002 ◽

2020 ◽

pp. 5-9

Author(s):

Manasvi Srivastava ◽

◽

Vikas Yadav ◽

Swati Singh ◽

◽

...

Keyword(s):

Web Application ◽

Ad Hoc ◽

Data Extraction ◽

Extraction Methods ◽

Web Page ◽

Web Based ◽

Web Extraction ◽

Web Scraping ◽

Audio Video ◽

Manual Extraction

The Internet is the largest source of information created by humanity. It contains a variety of materials available in various formats such as text, audio, video and much more. In all web scraping is one way. It is a set of strategies here in which we get information from the website instead of copying the data manually. Many Web-based data extraction methods are designed to solve specific problems and work on ad-hoc domains. Various tools and technologies have been developed to facilitate Web Scraping. Unfortunately, the appropriateness and ethics of using these Web Scraping tools are often overlooked. There are hundreds of web scraping software available today, most of them designed for Java, Python and Ruby. There is also open source software and commercial software. Web-based software such as YahooPipes, Google Web Scrapers and Firefox extensions for Outwit are the best tools for beginners in web cutting. Web extraction is basically used to cut this manual extraction and editing process and provide an easy and better way to collect data from a web page and convert it into the desired format and save it to a local or archive directory. In this paper, among others the kind of scrub, we focus on those techniques that extract the content of a Web page. In particular, we use scrubbing techniques for a variety of diseases with their own symptoms and precautions.

Download Full-text

A Cloud Database based on AES 256 GCM Encryption Through Devolving Web application of Accounting Information System

International Journal of Recent Technology and Engineering - 2 ◽

10.35940/ijrte.e5269.019521 ◽

2021 ◽

Vol 9 (5) ◽

pp. 216-221

Author(s):

Alameen Abdalrahman

Keyword(s):

Information System ◽

Web Application ◽

Accounting Information ◽

Cloud Service ◽

Cloud Environment ◽

Sensitive Data ◽

Privacy And Security ◽

Accounting Information System ◽

Accounting Data ◽

Encryption And Decryption

The main objective of this research is to use AES 256 GCM encryption and decryption of a web application system database called Accounting Information System (AIS) for achieving more privacy and security in a cloud environment. A cloud environment provides many services such as software, platform, and infrastructure. AIS can use the cloud to store data to achieve accounting with more performance, efficiency, convenience, and cost reduction. On the other hand, cloud environment is not secure because data is kept away from the organization. This paper focuses on how we deal with secure sensitive data such as accounting data AIS web application at web level encryption by using AES 256 GCM encryption to store data as encrypted data at cloud in a secure manner? Accounting Information System (AIS) has very sensitive data and its need to be more secure and safe specially in cloud because it’s not saved at local servers but at another cloud service provider. The storage of encryption and decryption keys are stored in locations and devices different from those in which the database is stored in the cloud for ensuring more safety.

Download Full-text