Addressing Web Application Security Issues and Vulnerabilities Assessment Pen Testing

The world relies heavily on the Internet, and every organization uses web applications extensively for information sharing, business purposes such as online sales, money transfer, etc., and Exchange services. Nowadays, providing security for web applications is the greatest challenge in the corporate world because web applications will be the main way for their daily business and if the web application is affected, then daily business and reputation will be affected. As many organizations have been using the web application service to share or store sensitive information about their clients and assets. So, Web Applications are inclined to security attacks and new security vulnerabilities have grown in the last two decades in a web application and have become an important target for attackers. So, it is very vital to secure a web application. The vulnerabilities in web applications will incur due to the security misconfigurations, programming mistakes, improper usage of security measures, etc. So, vulnerability assessment and pen testing will help to figure out the different vulnerabilities present in web applications. The websites are also using to deliver the critical services to its customers so it must run every time without any interception, to do this VAPT will play a crucial role. This paper reviews about vulnerability assessment and pretesting steps and types, website vulnerabilities like SQL Injection, Cross-Site scripting, file inclusion, cross-site request forgery, and broken authentication with types and remediations and also discuss how the effect of these vulnerabilities on a web application.

Download Full-text

Cross Site Scripting Attacks in Web-Based Applications

Journal of Advances in Science and Engineering ◽

10.37121/jase.v1i2.19 ◽

2018 ◽

Vol 1 (2) ◽

pp. 25-35

Author(s):

Aliga Paul Aliga ◽

Adetokunbo MacGregor John-Otumu ◽

Rebecca E Imhanhahimi ◽

Atuegbelo Confidence Akpe

Keyword(s):

Web Application ◽

Web Applications ◽

Learning Ability ◽

Security Risk ◽

Web Application Security ◽

Web Based ◽

Architectural Framework ◽

Self Learning ◽

Cross Site ◽

The Web

Web-based applications has turn out to be very prevalent due to the ubiquity of web browsers to deliver service oriented application on-demand to diverse client over the Internet and cross site scripting (XSS) attack is a foremost security risk that has continuously ravage the web applications over the years. This paper critically examines the concept of XSS and some recent approaches for detecting and preventing XSS attacks in terms of architectural framework, algorithm used, solution location, and so on. The techniques were analysed and results showed that most of the available recognition and avoidance solutions to XSS attacks are more on the client end than the server end because of the peculiar nature of web application vulnerability and they also lack support for self-learning ability in order to detect new XSS attacks. Few researchers as cited in this paper inculcated the self-learning ability to detect and prevent XSS attacks in their design architecture using artificial neural networks and soft computing approach; a lot of improvement is still needed to effectively and efficiently handle the web application security menace as recommended.

Download Full-text

Web Server Hacking

Constructing an Ethical Hacking Knowledge Base for Threat Awareness and Prevention ◽

10.4018/978-1-5225-7628-0.ch008 ◽

2019 ◽

pp. 209-243

Keyword(s):

Web Application ◽

Web Applications ◽

Web Server ◽

Dos Attacks ◽

Web Servers ◽

Server Software ◽

Session Hijacking ◽

High Level ◽

Cross Site ◽

The Web

Organizational web servers reflect the public image of an organization and serve web pages/information to organizational clients via web browsers using HTTP protocol. Some of the web server software may contain web applications that enable users to perform high-level tasks, such as querying a database and delivering the output through the web server to the client browser as an HTML file. Hackers always try to exploit the different vulnerabilities or flaws existing in web servers and web applications, which can pose a big threat for an organization. This chapter provides the importance of protecting web servers and applications along with the different tools used for analyzing the security of web servers and web applications. The chapter also introduces different web attacks that are carried out by an attacker either to gain illegal access to the web server data or reduce the availability of web services. The web server attacks includes denial of service (DOS) attacks, buffer overflow exploits, website defacement with sql injection (SQLi) attacks, cross site scripting (XSS) attacks, remote file inclusion (RFI) attacks, directory traversal attacks, phishing attacks, brute force attacks, source code disclosure attacks, session hijacking, parameter form tampering, man-in-the-middle (MITM) attacks, HTTP response splitting attacks, cross-site request forgery (XSRF), lightweight directory access protocol (LDAP) attacks, and hidden field manipulation attacks. The chapter explains different web server and web application testing tools and vulnerability scanners including Nikto, BurpSuite, Paros, IBM AppScan, Fortify, Accunetix, and ZAP. Finally, the chapter also discusses countermeasures to be implemented while designing any web application for any organization in order to reduce the risk.

Download Full-text

Taxonomy of Login Attacks in Web Applications and Their Security Techniques Using Behavioral Biometrics

Modern Theories and Practices for Cyber Ethics and Security Compliance - Advances in Information Security, Privacy, and Ethics ◽

10.4018/978-1-7998-3149-5.ch008 ◽

2020 ◽

pp. 122-139

Author(s):

Rizwan Ur Rahman ◽

Deepak Singh Tomar

Keyword(s):

Web Application ◽

Initial Phase ◽

Web Applications ◽

Application Development ◽

Web Application Security ◽

Application Security ◽

Security Issues ◽

Large Numbers ◽

Web Application Development ◽

The Web

Research into web application security is still in its initial phase. In spite of enhancements in web application development, large numbers of security issues remain unresolved. Login attacks are the most malevolent threats to the web application. Authentication is the method of confirming the stated identity of a user. Conventional authentication systems suffer from a weakness that can compromise the defense of the system. An example of such vulnerabilities is login attack. An attacker may exploit a pre-saved password or an authentication credential to log into web applications. An added problem with current authentication systems is that the authentication process is done only at the start of a session. Once the user is authenticated in the web application, the user's identity is assumed to remain the same during the lifetime of the session. This chapter examines the level login attacks that could be a threat to websites. The chapter provides a review of vulnerabilities, threats of login attacks associated with websites, and effective measures to counter them.

Download Full-text

Server Side Method to Detect and Prevent Stored XSS Attack

Iraqi Journal for Electrical And Electronic Engineering ◽

10.37917/ijeee.17.2.8 ◽

2021 ◽

Vol 17 (2) ◽

pp. 58-65

Author(s):

Iman Khazal ◽

Mohammed Hussain

Keyword(s):

Open Source ◽

Web Application ◽

Web Applications ◽

User Input ◽

Server Side ◽

Cross Site ◽

The Web

Cross-Site Scripting (XSS) is one of the most common and dangerous attacks. The user is the target of an XSS attack, but the attacker gains access to the user by exploiting an XSS vulnerability in a web application as Bridge. There are three types of XSS attacks: Reflected, Stored, and Dom-based. This paper focuses on the Stored-XSS attack, which is the most dangerous of the three. In Stored-XSS, the attacker injects a malicious script into the web application and saves it in the website repository. The proposed method in this paper has been suggested to detect and prevent the Stored-XSS. The prevent Stored-XSS Server (PSS) was proposed as a server to test and sanitize the input to web applications before saving it in the database. Any user input must be checked to see if it contains a malicious script, and if so, the input must be sanitized and saved in the database instead of the harmful input. The PSS is tested using a vulnerable open-source web application and succeeds in detection by determining the harmful script within the input and prevent the attack by sterilized the input with an average time of 0.3 seconds.

Download Full-text

Keamanan Aplikasi Web Melalui Penerapan Cross Site Request Forgery(CSRF)

ITEJ (Information Technology Engineering Journals) ◽

10.24235/itej.v1i2.10 ◽

2016 ◽

Vol 1 (2) ◽

pp. 46-62

Author(s):

Taufik Ramadan Firdaus

Keyword(s):

Web Application ◽

Web Applications ◽

Treatment Method ◽

The Internet ◽

Wide Range ◽

The Media ◽

Cross Site Request Forgery ◽

Cross Site ◽

The Web

Currently the Internet became one of the media that can not be separated, as well as a wide variety of applications supplied her. As the development of technologies, reliance on Web applications also increased. However, web applications have a wide range of threats, one of it is a CSRF (Cross-Site Request Forgery). This study uses CSRF (Cross-Site Request Forgery) Protection. CSRF (Cross-Site Request Forgery) Protection is a treatment method that has a variety of ways, one of which uses a token in the session when the user login. Token generated at login will be used as a user id that the system of web applications to identify where the request originated. The results of this study are expected in order to increase web application defenses against CSRF (Cross-Site Request Forgery), so that web application users will be able to feel safe in using the Internet and its various feature. Reduced level of attacks on web applications. So that visitor traffic on the web application can be increased.

Download Full-text

Security Issues in Web Services

Handbook of Research on Network Forensics and Analysis Techniques - Advances in Information Security, Privacy, and Ethics ◽

10.4018/978-1-5225-4100-4.ch004 ◽

2018 ◽

pp. 57-64

Author(s):

Priyanka Dixit

Keyword(s):

Web Application ◽

Web Applications ◽

Future Research ◽

The Internet ◽

Web Application Security ◽

Web Based ◽

Security Issues ◽

Digital World ◽

Important Region ◽

The Web

This chapter describes how security is an important aspect in today's digital world. Every day technology grows with new advancements in various areas, especially in the development of web-based applications. All most all of the web applications are on the internet, hence there is a large probability of attacks on those applications and threads. This makes security necessary while developing any web application. Lots of techniques have been developed for mitigating and defending against threats to the web based applications over the internet. This chapter overviews the important region of web application security, by sequencing the current strategies into a major picture to further the future research and advancement. Firstly, this chapter explains the major problem and obstacles that makes efforts unsuccessful for developing secure web applications. Next, this chapter distinguishes three basic security properties that a web application should possess: validation, integrity, accuracy and portray the comparing vulnerabilities that damage these properties alongside the assault vectors that contain these vulnerabilities.

Download Full-text

Threats and Attacks on E-Commerce Sites

Cryptographic Solutions for Secure Online Banking and Commerce - Advances in Information Security, Privacy, and Ethics ◽

10.4018/978-1-5225-0273-9.ch006 ◽

2016 ◽

pp. 70-89

Author(s):

Kannan Balasubramanian

Keyword(s):

United States ◽

Vulnerability Assessment ◽

Web Application ◽

Web Applications ◽

Target System ◽

Detailed Knowledge ◽

Web Application Security ◽

Threat Analysis ◽

Many Sources ◽

The Web

In this chapter, a detailed knowledge of some of the most devastating attacks against Web applications and common tools in the attacker's arsenal is discussed. There are many ways of categorizing and classifying attacks: based on the complexity to mount them, the effect they have on the target system, the type of vulnerability that they exploit, the assets that they expose, the difficulty of detecting and fixing them, and so on. There are different methodologies for Vulnerability Assessment and Threat Analysis (VATA) and many sources to consult for assessing the risk of each attack. Among other sources, in this chapter we pay special attention to the methodology of Open Web Application Security Project (OWASP) because OWASP is one of the most active security communities on the Web. Other good resources to follow the attack and vulnerability trends are Common Vulnerabilities and Exposures (CVE), National Vulnerability Database (NVD), United States CERT Bulletins (US-CERT), and SANS.

Download Full-text

Web Application Security Tools Analysis

Studies in Media and Communication ◽

10.11114/smc.v5i2.2663 ◽

2017 ◽

Vol 5 (2) ◽

pp. 118

Author(s):

Abdulrahman Alzahrani ◽

Ali Alqazzaz ◽

Nabil Almashfi ◽

Huirong Fu ◽

Ye Zhu

Keyword(s):

Web Application ◽

Web Applications ◽

Information Leakage ◽

Deep Understanding ◽

Transport Layer ◽

Development Environment ◽

Security Vulnerabilities ◽

Security Issues ◽

The Many ◽

The Web

Strong security in web applications is critical to the success of your online presence. Security importance has grown massively, especially among web applications. Dealing with web application or website security issues requires deep insight and planning, not only because of the many tools that are available but also because of the industry immaturity. Thus, finding the proper tools requires deep understanding and several steps, including analyzing the development environment, business needs, and the web applications’ complexity. In this paper, we demonstrate the architecture of web applications then list and evaluate the widespread security vulnerabilities. Those vulnerabilities are: Fingerprinting, Insufficient Transport Layer Protection, Information Leakage, Cross-Site Scripting, SQL Injection, and HTTP Splitting. In addition, this paper analyzes the tools that are used to scan for these widespread vulnerabilities in web applications. Finally, it evaluates tools due to security vulnerabilities and gives recommendations to the web applications’ users and administrators aiming to educate them.

Download Full-text

ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting attacks

International Journal of Electrical and Computer Engineering (IJECE) ◽

10.11591/ijece.v9i2.pp1393-1398 ◽

2019 ◽

Vol 9 (2) ◽

pp. 1393

Author(s):

PMD Nagarjun ◽

Shaik Shakeel Ahamad

Keyword(s):

Web Application ◽

Web Applications ◽

Human Life ◽

Single Line ◽

Sensitive Information ◽

Server Side ◽

Client Side ◽

Application Execution ◽

Cross Site

Cross-Site Scripting (XSS) is one of serious web application attack. Web applications are involved in every activity of human life. JavaScript plays a major role in these web applications. In XSS attacks hacker inject malicious JavaScript into a trusted web application, execution of that malicious script may steal sensitive information from the user. Previous solutions to prevent XSS attacks require a lot of effort to integrate into existing web applications, some solutions works at client-side and some solutions works based on filter list which needs to be updated regularly. In this paper, we propose an Image Substitute technique (ImageSubXSS) to prevent Cross-Site Scripting attacks which works at the server-side. The proposed solution is implemented and evaluated on a number of XSS attacks. With a single line, developers can integrate ImageSubXSS into their applications and the proposed solution is able to prevent XSS attacks effectively.

Download Full-text

A hybrid of CNN and LSTM methods for securing web application against cross-site scripting attack

Indonesian Journal of Electrical Engineering and Computer Science ◽

10.11591/ijeecs.v21.i2.pp1022-1029 ◽

2021 ◽

Vol 21 (2) ◽

pp. 1022

Author(s):

Raed Waheed Kadhim ◽

Methaq Talib Gaata

Keyword(s):

Neural Network ◽

Web Application ◽

Web Applications ◽

Excellent Result ◽

Test Word ◽

Short Term ◽

Data Set ◽

Proposed Model ◽

Cross Site ◽

The Web

Cross-site scripting (XSS) is today one of the biggest threatthat could targeting the Web application. Based on study published by the open web applications security project (OWASP), XSS vulnerability has been present among the TOP 10 Web application vulnerabilities.Still,an important security-related issue remains how to effectively protect web applications from XSS attacks.In first part of this paper, a method for detecting XSS attack was proposed by combining convolutional neural network (CNN) with long short term memories (LSTM), Initially, pre-processing was applied to XSS Data Set by decoding, generalization and tokanization, and then word2vec was applied to convert words into word vectors in XSS payloads. And then we use the combination CNN with LSTM to train and test word vectors to produce a model that can be used in a web application. Based on the obtaned results, it is observed that the proposed model achevied an excellent result with accuracy of 99.4%.

Download Full-text