Pen Testing for Web Applications

As many Web applications are developed daily and used extensively, it becomes important for developers and testers to improve these application securities. Pen testing is a technique that helps these developers and testers to ensure that the security levels of their Web application are at acceptable level to be used safely. Different tools are available for Pen testing Web applications; in this paper the authors compared six Pen testing tools for Web applications. The main goal of these tests is to check whether there are any security vulnerabilities in Web applications. A list of faults injected into set of Web pages is used in order to check if tools can find them as they are claimed. Test results showed that these tools are not efficient and developers should not depend solely on them.

Download Full-text

The Limitations of Cross-Site Scripting Vulnerabilities Detection and Removal Techniques

Turkish Journal of Computer and Mathematics Education (TURCOMAT) ◽

10.17762/turcomat.v12i3.1033 ◽

2021 ◽

Vol 12 (3) ◽

pp. 1975-1980

Author(s):

Isatou Hydara Et.al

Keyword(s):

Web Application ◽

Web Applications ◽

Future Research ◽

Web Pages ◽

Security Issue ◽

Security Vulnerabilities ◽

Research Directions ◽

Security Problem ◽

Future Research Directions ◽

Cross Site

Web applications have become very important tools in our daily activities as we use them to share and get information, conduct businesses, and interact with family and friends on social media through the Internet. Despite their importance, web applications are plagued with many security vulnerabilities that enable hackers to attack them and compromise user information and privacy. Cross-site scripting vulnerabilities are a type of injection vulnerabilities existing in web applications. They can lead to attacks in web applications due to the lack of proper validation of input data in the affected web pages of an application. Many approaches and techniques have been proposed to mitigate this type of vulnerabilities. However, these solutions have some limitations and cross-site scripting vulnerabilities still remain as a major security problem for web applications. This paper explores and presents the existing techniques for detecting and for removing cross-site scripting vulnerabilities in web application. It gives an overview of cross-site scripting as a security issue in web application and its different types. The advantages as well as the limitations of each techniques are highlighted and discussed. Based on the limitations, some possible future research directions are identified, and recommendations are given as reference for researchers interested in this topic.

Download Full-text

Designing a XSS Defensive Framework for Web Servers Deployed in the Existing Smart City Infrastructure

Journal of Organizational and End User Computing ◽

10.4018/joeuc.2020100105 ◽

2020 ◽

Vol 32 (4) ◽

pp. 85-111

Author(s):

Brij B. Gupta ◽

Pooja Chaudhary ◽

Shashank Gupta

Keyword(s):

Smart City ◽

Web Application ◽

Web Applications ◽

Web Pages ◽

Web Servers ◽

City Environment ◽

Dynamic Web ◽

Attack Mitigation ◽

The Impact ◽

The Internet Of Things

Cross-site scripting is one of the notable exceptions effecting almost every web application. Hence, this article proposed a framework to negate the impact of the XSS attack on web servers deployed in one of the major applications of the Internet of Things (IoT) i.e. the smart city environment. The proposed framework implements 2 approaches: first, it executes vulnerable flow tracking for filtering injected malicious scripting code in dynamic web pages. Second, it accomplished trusted remark generation and validation for unveiling any suspicious activity in static web pages. Finally, the filtered and modified webpage is interfaced to the user. The prototype of the framework has been evaluated on a suite of real-world web applications to detect XSS attack mitigation capability. The performance analysis of the framework has revealed that this framework recognizes the XSS worms with very low false positives, false negatives and acceptable performance overhead as compared to existent XSS defensive methodologies.

Download Full-text

A Protection Mechanism against Malicious HTML and JavaScript Code in Vulnerable Web Applications

Mathematical Problems in Engineering ◽

10.1155/2016/7107042 ◽

2016 ◽

Vol 2016 ◽

pp. 1-14

Author(s):

Shukai Liu ◽

Xuexiong Yan ◽

Qingxian Wang ◽

Xu Zhao ◽

Chuansen Chai ◽

...

Keyword(s):

High Risk ◽

Real World ◽

Web Applications ◽

Web Pages ◽

Web Browsers ◽

Test Results ◽

Code Size ◽

Protection Mechanism ◽

High Profile ◽

Content Security

The high-profile attacks of malicious HTML and JavaScript code have seen a dramatic increase in both awareness and exploitation in recent years. Unfortunately, exiting security mechanisms provide no enough protection. We propose a new protection mechanism named PMHJ based on the support of both web applications and web browsers against malicious HTML and JavaScript code in vulnerable web applications. PMHJ prevents the injection attack of HTML elements with a random attribute value and the node-split attack by an attribute with the hash value of the HTML element. PMHJ ensures the content security in web pages by verifying HTML elements, confining the insecure HTML usages which can be exploited by attackers, and disabling the JavaScript APIs which may incur injection vulnerabilities. PMHJ provides a flexible way to rein the high-risk JavaScript APIs with powerful ability according to the principle of least authority. The PMHJ policy is easy to be deployed into real-world web applications. The test results show that PMHJ has little influence on the run time and code size of web pages.

Download Full-text

Research on Combine White-Box Testing and Black-Box Testing of Web Applications Security

Advanced Materials Research ◽

10.4028/www.scientific.net/amr.989-994.4542 ◽

2014 ◽

Vol 989-994 ◽

pp. 4542-4546 ◽

Cited By ~ 2

Author(s):

Jie Fan ◽

Peng Gao ◽

Cong Cong Shi ◽

Ni Ge Li

Keyword(s):

Web Application ◽

Web Applications ◽

New Technology ◽

Black Box ◽

Web Application Security ◽

Testing Tools ◽

Black Box Testing ◽

Code Security ◽

White Box Testing ◽

Test Result

Contrary to high false positives rate of use White-box testing tools for Web application source code security and unable to locate vulnerabilities of use Black-box testing tools for Web application security, propose an effective method for combine White-box and Black-box testing tools of Web applications. This method will put the new technology of “Associated Files Matching Engine” into White-box testing tools, this test result and Black-box test result will be statistical analyzed and combined. Argumentation show, this method reduce the positives rate of White-box test result and be able to locate vulnerabilities where it is in file.

Download Full-text

Detecção Automática de Incompatibilidades Cross-Browser utilizando Redes Neurais Artificiais

Journal on Advances in Theoretical and Applied Informatics ◽

10.26729/jadi.v2i2.2109 ◽

2016 ◽

Vol 2 (2) ◽

pp. 55

Author(s):

Fagner Christian Paes ◽

Willian Massami Watanabe

Keyword(s):

Web Application ◽

Web Applications ◽

Automatic Detection ◽

False Positives ◽

Web Pages ◽

Inspection Process ◽

Cascading Style Sheets ◽

Mozilla Firefox ◽

Web Developers ◽

The Web

Cross-Browser Incompatibilities (XBIs) represent inconsistencies in Web Application when introduced in different browsers. The growing number of implementation of browsers (Internet Explorer, Microsoft Edge, Mozilla Firefox, Google Chrome) and the constant evolution of the specifications of Web technologies provided differences in the way that the browsers behave and render the web pages. The web applications must behave consistently among browsers. Therefore, the web developers should overcome the differences that happen during the rendering in different environments by detecting and avoiding XBIs during the development process. Many web developers depend on manual inspection of web pages in several environments to detect the XBIs, independently of the cost and time that the manual tests represent to the process of development. The tools for the automatic detection of the XBIs accelerate the inspection process in the web pages, but the current tools have little precision, and their evaluations report a large percentage of false positives. This search aims to evaluate the use of Artificial Neural Networks for reducing the numbers of false positives in the automatic detection of the XBIs through the CSS (Cascading Style Sheets) and the relative comparison of the element in the web page.

Download Full-text

FTT

International Journal of Systems and Service-Oriented Engineering ◽

10.4018/jssoe.2011100101 ◽

2011 ◽

Vol 2 (4) ◽

pp. 1-20 ◽

Cited By ~ 1

Author(s):

Ming Ying ◽

James Miller

Keyword(s):

Web Application ◽

Web Applications ◽

Web Pages ◽

Web Development ◽

Common Part ◽

Before And After ◽

Form Transformation ◽

The Web

Forms are a common part of web applications. They provide a method for the user to interact with the web application. However, forms in traditional applications require entire web pages to be refreshed every time they are submitted. This model is inefficient and should be replaced with Ajax-enabled forms. Ajax is a set of web development technologies that enables web applications to behave more like desktop applications, thus allowing a richer, more interactive and more efficient model for interactions between the user and the web application. This paper presents a refactoring system called Form Transformation Tool (FTT) to assist web programmers refactor traditional forms into Ajax-enabled forms while ensuring that functionality before and after refactoring is preserved.

Download Full-text

Visual Environment for DOM-Based Wrapping and Client-Side Linkage of Web Applications

Intellectual Property Protection for Multimedia Information Technology ◽

10.4018/978-1-59904-762-1.ch010 ◽

2011 ◽

pp. 219-240

Author(s):

Kimihito Ito ◽

Yuzuru Tanaka

Keyword(s):

Web Application ◽

Web Applications ◽

End Users ◽

Web Pages ◽

Web Based ◽

Visual Component ◽

Basic Infrastructure ◽

Legacy Applications ◽

Client Side ◽

The Web

Web applications, which are computer programs ported to the Web, allow end-users to use various remote services and tools through their Web browsers. There are an enormous number of Web applications on the Web, and they are becoming the basic infrastructure of everyday life. In spite of the remarkable development of Web-based infrastructure, it is still difficult for end-users to compose new integrated tools of both existing Web applications and legacy local applications, such as spreadsheets, chart tools, and database. In this chapter, the authors propose a new framework where end-users can wrap remote Web applications into visual components, called pads, and functionally combine them together through drag-and-drop operations. The authors use, as the basis, a meme media architecture IntelligentPad that was proposed by the second author. In the IntelligentPad architecture, each visual component, called a pad, has slots as data I/O ports. By pasting a pad onto another pad, users can integrate their functionalities. The framework presented in this chapter allows users to visually create a wrapper pad for any Web application by defining HTML nodes within the Web application to work as slots. Examples of such a node include input-forms and text strings on Web pages. Users can directly manipulate both wrapped Web applications and wrapped local legacy tools on their desktop screen to define application linkages among them. Since no programming expertise is required to wrap Web applications or to functionally combine them together, end-users can build new integrated tools of both wrapped Web applications and local legacy applications.

Download Full-text

Image-Based Approach to Determining Regression Test Results of Dynamic Web Applications

International Journal of Software Engineering and Knowledge Engineering ◽

10.1142/s0218194018500286 ◽

2018 ◽

Vol 28 (07) ◽

pp. 1001-1025 ◽

Cited By ~ 1

Author(s):

Akihiro Hori ◽

Shingo Takada ◽

Toshiyuki Kurabayashi ◽

Haruto Tanno

Keyword(s):

Web Application ◽

Web Applications ◽

Regression Testing ◽

Test Case ◽

Test Cases ◽

Test Results ◽

Test Execution ◽

Dynamic Web ◽

Regression Test ◽

Post Modification

Much work has been done on automating regression testing for applications. But most of them focus on test execution. Little work has been done on automatically determining if a test case passes or fails. This decision is often made by comparing the results of executing test cases on a base version of the application and post-modification version of the application. If the two results match, the test case passes, otherwise fails. However, to the best of our knowledge, there is no regression testing method for automatically deciding pass/fail of dynamic Web applications which use JavaScript or CSS. We propose a method that automatically decides if a dynamic Web application passes a regression test case. The basic idea is to obtain a screenshot each time the GUI of the Web application (i.e. Web page) changes its state, and then compare each corresponding screenshot to see if they match. The evaluation results showed that the accuracy rate of our approach is high and our approach can be considered as fast enough for practical use.

Download Full-text

Static analysis for discovering IoT vulnerabilities

International Journal on Software Tools for Technology Transfer ◽

10.1007/s10009-020-00592-x ◽

2020 ◽

Author(s):

Pietro Ferrara ◽

Amit Kr Mandal ◽

Agostino Cortesi ◽

Fausto Spoto

Keyword(s):

Static Analysis ◽

Web Application ◽

Web Applications ◽

Security Vulnerabilities ◽

Web Application Security ◽

Robust Solution ◽

Representative Case ◽

Application Security ◽

Industrial Analyzer ◽

The Relationship

AbstractThe Open Web Application Security Project (OWASP), released the “OWASP Top 10 Internet of Things 2018” list of the high-priority security vulnerabilities for IoT systems. The diversity of these vulnerabilities poses a great challenge toward development of a robust solution for their detection and mitigation. In this paper, we discuss the relationship between these vulnerabilities and the ones listed by OWASP Top 10 (focused on Web applications rather than IoT systems), how these vulnerabilities can actually be exploited, and in which cases static analysis can help in preventing them. Then, we present an extension of an industrial analyzer (Julia) that already covers five out of the top seven vulnerabilities of OWASP Top 10, and we discuss which IoT Top 10 vulnerabilities might be detected by the existing analyses or their extension. The experimental results present the application of some existing Julia’s analyses and their extension to IoT systems, showing its effectiveness of the analysis of some representative case studies.

Download Full-text

A Method for Automated User Interaction Testing of Web Applications

Research and Development on Information and Communication Technology ◽

10.32913/mic-ict-research.v3.n12.315 ◽

2015 ◽

pp. 28

Author(s):

Le Khanh Trinh ◽

Vo Dinh Hieu ◽

Pham Ngoc Hung

Keyword(s):

Web Application ◽

Web Applications ◽

User Interaction ◽

Finite State Automaton ◽

Web Pages ◽

User Interactions ◽

Compositional Model ◽

Finite State ◽

Interaction Testing ◽

The Web

Automated user interaction testing of Web applications has been received great attentions from the research community and industry. Currently, several available tools are proposed to partly deal withthe problem. However, how to perform the automated user interaction testing of whole Web applications effectively is still an open problem. This research proposes a method and develops a tool supporting automated user interaction testing of whole Web applications. In this method, the model of each Web page of the Web application under testing which describes the user interaction (UI) is represented by a finite state automaton. The whole model that describes the behaviors of the whole Web application then is constructed by composing the models of all Web pages. After that, test paths are generated automatically based on the compositional model of the Web application so that these test paths cover all possible user interactions of the application. A tool supporting the proposed method has been developed and applied to test on some simple Web applications. The experimental results show the potential application of this tool for automated user interaction testing of Webapplications in practice

Download Full-text