Server Side Method to Detect and Prevent Stored XSS Attack

2021 ◽  
Vol 17 (2) ◽  
pp. 58-65
Author(s):  
Iman Khazal ◽  
Mohammed Hussain
Keyword(s):  
Open Source ◽  
Web Application ◽  
Web Applications ◽  
User Input ◽  
Server Side ◽  
Cross Site ◽  
The Web

Cross-Site Scripting (XSS) is one of the most common and dangerous attacks. The user is the target of an XSS attack, but the attacker gains access to the user by exploiting an XSS vulnerability in a web application as Bridge. There are three types of XSS attacks: Reflected, Stored, and Dom-based. This paper focuses on the Stored-XSS attack, which is the most dangerous of the three. In Stored-XSS, the attacker injects a malicious script into the web application and saves it in the website repository. The proposed method in this paper has been suggested to detect and prevent the Stored-XSS. The prevent Stored-XSS Server (PSS) was proposed as a server to test and sanitize the input to web applications before saving it in the database. Any user input must be checked to see if it contains a malicious script, and if so, the input must be sanitized and saved in the database instead of the harmful input. The PSS is tested using a vulnerable open-source web application and succeeds in detection by determining the harmful script within the input and prevent the attack by sterilized the input with an average time of 0.3 seconds.

scholarly journals Cross Site Scripting Attacks in Web-Based Applications

2018 ◽  
Vol 1 (2) ◽  
pp. 25-35
Author(s):  
Aliga Paul Aliga ◽  
Adetokunbo MacGregor John-Otumu ◽  
Rebecca E Imhanhahimi ◽  
Atuegbelo Confidence Akpe
Keyword(s):  
Web Application ◽  
Web Applications ◽  
Learning Ability ◽  
Security Risk ◽  
Web Application Security ◽  
Web Based ◽  
Architectural Framework ◽  
Self Learning ◽  
Cross Site ◽  
The Web

Web-based applications has turn out to be very prevalent due to the ubiquity of web browsers to deliver service oriented application on-demand to diverse client over the Internet and cross site scripting (XSS) attack is a foremost security risk that has continuously ravage the web applications over the years. This paper critically examines the concept of XSS and some recent approaches for detecting and preventing XSS attacks in terms of architectural framework, algorithm used, solution location, and so on. The techniques were analysed and results showed that most of the available recognition and avoidance solutions to XSS attacks are more on the client end than the server end because of the peculiar nature of web application vulnerability and they also lack support for self-learning ability in order to detect new XSS attacks. Few researchers as cited in this paper inculcated the self-learning ability to detect and prevent XSS attacks in their design architecture using artificial neural networks and soft computing approach; a lot of improvement is still needed to effectively and efficiently handle the web application security menace as recommended.

scholarly journals Making the Web 2.0 Faster for Next Generation

2019 ◽  
Vol 9 (1) ◽  
pp. 2922-2924
Keyword(s):  
Web 2.0 ◽  
Programming Language ◽  
User Experience ◽  
Web Application ◽  
Web Applications ◽  
Digital Content ◽  
Server Side ◽  
Application Systems ◽  
Scripting Language ◽  
The Web

Undeniably the most favored web scripting language is PHP. Almost 80% of the internet’s server-side web applications are written in PHP which includes big giants like WordPress, Wikipedia, and Facebook. In present-day, at an accelerating pace, the quantity of digital content is burgeoning. A heterogeneous set of users' devices is being amassed by these contents and administering these contents manually is an infeasible solution engendering an increasing set of problems. A solution to this problem would be to switch to a web programming language, which can be compiled. We are describing an easy to deploy and a continuous conversion mechanism for converting existing Web 2.0 PHP application systems into Facebook’s HHVM supported Hack server-side application systems. We are trying to use the power of Hack language and amplify the performance of existing PHP server-side applications. Instead of interpreting all of your code Hack translates it to assembly and runs that instead, which can lead to an immense amount of increase in performance. We are using Hacktificator, a tool developed by Facebook Developers and our demo web application running on HHVM to test and convert user’s existing PHP codebase to Hack language. With this proposed methodology we do not have to make any change to existing codebase manually or hire new engineers for the conversion, nor do we have to take down our live systems. Conversion can be done on the fly and will result in approximately 2x to 20x better performance. The availability of this tool can save costs for manual conversion, save time as well as improve the user experience of websites with better performance

Web Server Hacking

2019 ◽  
pp. 209-243
Keyword(s):  
Web Application ◽  
Web Applications ◽  
Web Server ◽  
Dos Attacks ◽  
Web Servers ◽  
Server Software ◽  
Session Hijacking ◽  
High Level ◽  
Cross Site ◽  
The Web

Organizational web servers reflect the public image of an organization and serve web pages/information to organizational clients via web browsers using HTTP protocol. Some of the web server software may contain web applications that enable users to perform high-level tasks, such as querying a database and delivering the output through the web server to the client browser as an HTML file. Hackers always try to exploit the different vulnerabilities or flaws existing in web servers and web applications, which can pose a big threat for an organization. This chapter provides the importance of protecting web servers and applications along with the different tools used for analyzing the security of web servers and web applications. The chapter also introduces different web attacks that are carried out by an attacker either to gain illegal access to the web server data or reduce the availability of web services. The web server attacks includes denial of service (DOS) attacks, buffer overflow exploits, website defacement with sql injection (SQLi) attacks, cross site scripting (XSS) attacks, remote file inclusion (RFI) attacks, directory traversal attacks, phishing attacks, brute force attacks, source code disclosure attacks, session hijacking, parameter form tampering, man-in-the-middle (MITM) attacks, HTTP response splitting attacks, cross-site request forgery (XSRF), lightweight directory access protocol (LDAP) attacks, and hidden field manipulation attacks. The chapter explains different web server and web application testing tools and vulnerability scanners including Nikto, BurpSuite, Paros, IBM AppScan, Fortify, Accunetix, and ZAP. Finally, the chapter also discusses countermeasures to be implemented while designing any web application for any organization in order to reduce the risk.

scholarly journals Web application firewall using XSS

2018 ◽  
Vol 7 (2.7) ◽  
pp. 941 ◽  
Author(s):  
M Surekha ◽  
K Kiran Kumar ◽  
M V.S.Prasanth ◽  
P S.G.Aruna Sri
Keyword(s):  
Open Source ◽  
Web Application ◽  
Web Applications ◽  
Application Layer ◽  
The Web ◽  
Basic Examination

Web Applications security has turned out to be logically more essential nowadays. Tremendous quantities of assaults are being sent on the web application layer. Because of emotional increment in Web applications, security gets helpless against assortment of dangers. The ma-jority of these assaults are focused towards the web application layer and system firewall alone can't keep these sorts of assaults. The essen-tial explanation for achievement of these assaults is the numbness of utilization designers while composing the web applications and the vulnerabilities in the current advancements. Web application assaults are the most recent pattern and programmers are attempting to abuse the web application utilizing diverse strategies. Different arrangements are accessible as open source and in business showcase. Be that as it may, the choice of appropriate answer for the security of the authoritative frameworks is a noteworthy issue. This overview paper looked at the Web Application Firewall (WAF) arrangements with critical highlights essential for the security at application layer. Basic examination on WAF arrangements is useful for the clients to choose the most appropriate answer for their surroundings.  

Prevention of SQL Injection Attacks in Web Browsers

2016 ◽  
pp. 174-208
Author(s):  
Kannan Balasubramanian
Keyword(s):  
Web Application ◽  
Credit Card ◽  
Web Applications ◽  
Query Language ◽  
User Input ◽  
Server Side ◽  
Injection Attacks ◽  
Structured Query Language ◽  
User Data ◽  
Sql Injection Attacks

Applications that operate on the Web often interact with a database to persistently store data. For example, if an e-commerce application needs to store a user's credit card number, they typically retrieve the data from a Web form (filled out by the customer) and pass that data to some application or script running on the company's server. The dominant language that these database queries are written in is SQL, the Structured Query Language. Web applications can be vulnerable to a malicious user crafting input that gets executed on the server. One instance of this is an attacker entering Structured Query Language (SQL) commands into input fields, and then this data being used directly on the server by a Web application to construct a database query. The result could be an attacker's gaining control over the database and possibly the server. Care should be taken to validate user input on the server side before user data is used.

scholarly journals Keamanan Aplikasi Web Melalui Penerapan Cross Site Request Forgery(CSRF)

2016 ◽  
Vol 1 (2) ◽  
pp. 46-62
Author(s):  
Taufik Ramadan Firdaus
Keyword(s):  
Web Application ◽  
Web Applications ◽  
Treatment Method ◽  
The Internet ◽  
Wide Range ◽  
The Media ◽  
Cross Site Request Forgery ◽  
Cross Site ◽  
The Web

Currently the Internet became one of the media that can not be separated, as well as a wide variety of applications supplied her. As the development of technologies, reliance on Web applications also increased. However, web applications have a wide range of threats, one of it is a CSRF (Cross-Site Request Forgery). This study uses CSRF (Cross-Site Request Forgery) Protection. CSRF (Cross-Site Request Forgery) Protection is a treatment method that has a variety of ways, one of which uses a token in the session when the user login. Token generated at login will be used as a user id that the system of web applications to identify where the request originated.  The results of this study are expected in order to increase web application defenses against CSRF (Cross-Site Request Forgery), so that web application users will be able to feel safe in using the Internet and its various feature. Reduced level of attacks on web applications. So that visitor traffic on the web application can be increased.

Prevention of SQL Injection Attacks in Web Browsers

2018 ◽  
pp. 1240-1274
Author(s):  
Kannan Balasubramanian
Keyword(s):  
Web Application ◽  
Credit Card ◽  
Web Applications ◽  
Query Language ◽  
User Input ◽  
Server Side ◽  
Injection Attacks ◽  
Structured Query Language ◽  
User Data ◽  
Sql Injection Attacks

Applications that operate on the Web often interact with a database to persistently store data. For example, if an e-commerce application needs to store a user's credit card number, they typically retrieve the data from a Web form (filled out by the customer) and pass that data to some application or script running on the company's server. The dominant language that these database queries are written in is SQL, the Structured Query Language. Web applications can be vulnerable to a malicious user crafting input that gets executed on the server. One instance of this is an attacker entering Structured Query Language (SQL) commands into input fields, and then this data being used directly on the server by a Web application to construct a database query. The result could be an attacker's gaining control over the database and possibly the server. Care should be taken to validate user input on the server side before user data is used.

BDS

2018 ◽  
pp. 910-927
Author(s):  
Shashank Gupta ◽  
B. B. Gupta
Keyword(s):  
Web Applications ◽  
Web Pages ◽  
Web Browsers ◽  
Security Model ◽  
Web Browser ◽  
User Input ◽  
Defensive Strategies ◽  
Client Side ◽  
Cross Site ◽  
The Web

Cross-Site Scripting (XSS) attack is a vulnerability on the client-side browser that is caused by the improper sanitization of the user input embedded in the Web pages. Researchers in the past had proposed various types of defensive strategies, vulnerability scanners, etc., but still XSS flaws remains in the Web applications due to inadequate understanding and implementation of various defensive tools and strategies. Therefore, in this chapter, the authors propose a security model called Browser Dependent XSS Sanitizer (BDS) on the client-side Web browser for eliminating the effect of XSS vulnerability. Various earlier client-side solutions degrade the performance on the Web browser side. But in this chapter, the authors use a three-step approach to bypass the XSS attack without degrading much of the user's Web browsing experience. While auditing the experiments, this approach is capable of preventing the XSS attacks on various modern Web browsers.

BDS

2015 ◽  
pp. 174-191 ◽  
Author(s):  
Shashank Gupta ◽  
B. B. Gupta
Keyword(s):  
Web Applications ◽  
Web Pages ◽  
Web Browsers ◽  
Security Model ◽  
Web Browser ◽  
User Input ◽  
Defensive Strategies ◽  
Client Side ◽  
Cross Site ◽  
The Web

Cross-Site Scripting (XSS) attack is a vulnerability on the client-side browser that is caused by the improper sanitization of the user input embedded in the Web pages. Researchers in the past had proposed various types of defensive strategies, vulnerability scanners, etc., but still XSS flaws remains in the Web applications due to inadequate understanding and implementation of various defensive tools and strategies. Therefore, in this chapter, the authors propose a security model called Browser Dependent XSS Sanitizer (BDS) on the client-side Web browser for eliminating the effect of XSS vulnerability. Various earlier client-side solutions degrade the performance on the Web browser side. But in this chapter, the authors use a three-step approach to bypass the XSS attack without degrading much of the user's Web browsing experience. While auditing the experiments, this approach is capable of preventing the XSS attacks on various modern Web browsers.

Evolving Web Application Architectures

2011 ◽  
pp. 138-159
Author(s):  
David Parsons
Keyword(s):  
Web 2.0 ◽  
Web Application ◽  
Web Applications ◽  
New Technologies ◽  
Mobile Web ◽  
Client Server ◽  
Server Side ◽  
Web Environment ◽  
The Impact ◽  
The Web

This chapter explores how Web application software architecture has evolved from the simple beginnings of static content, through dynamic content, to adaptive content and the integrated client-server technologies of the Web 2.0. It reviews how various technologies and standards have developed in a repeating cycle of innovation, which tends to fragment the Web environment, followed by standardisation, which enables the wider reach of new technologies. It examines the impact of the Web 2.0, XML, Ajax and mobile Web clients on Web application architectures, and how server side processes can support increasingly rich, diverse and interactive clients. It provides an overview of a server-side Java-based architecture for contemporary Web applications that demonstrates some of the key concepts under discussion. By outlining the various forces that influence architectural decisions, this chapter should help developers to take advantage of the potential of innovative technologies without sacrificing the broad reach of standards based development.

Sign in / Sign up

Export Citation Format

Share Document