Web Security

Application-level web security refers to vulnerabilities inher-ent in the code of a web-application itself (irrespective of the technologies in which it is implemented or the security of the web-server/back-end database on which it is built). In the last few months ...

Abstract—The Internet and web applications are playing very important role in our today‘s modern day life. Several activities of our daily life like browsing, online shopping and booking of travel tickets are becoming easier by the use of web applications. Most of the web applications use the database as a back-end to store critical information such as user credentials, financial and payment information, company statistics etc. An SQL injection attack targets web applications that are database-driven. This is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database. Multiple client side and server side vulnerabilities like SQL injection and cross site scripting are discovered and exploited by malicious users. The principle of basic SQL injection is to take advantage of insecure code on a system connected to the internet in order to pass commands directly to a database and to then ...

JavaScript-based applications are very popular on the web today. However, the lack of effective protection makes various kinds of privacy violation attack possible, including cookie stealing, history sniffing and behavior tracking. There have been studies of the prevalence of such attacks, but the dynamic nature of the JavaScript language makes reasoning about the information flows in a web application a challenging task. Previous small-scale studies do not present a complete picture of privacy violations of today's web, especially in the ...

— Application-level web security refers to obligation inherent in the code of a web-application itself. few months ago application-level vulnerabilities have been exploited with serious consequences: hackers have good knowledge of e-commerce sites into shipping goods for no charge, usernames and passwords have been harvested and confidential information has been leaked. In this paper we introduce new tools and techniques which address the problem of application-level web security. (i) We describe a scalable structuring mechanism facilitating the abstraction of security policies from large web-applications developed in heterogeneous multi-platform environments. (ii) In that present a tool which assists programmers develop secure applications which are resilient to a wide range of common attacks. (iii) The report results and experience arising from our implementation of these techniques.

Unsafely coded browser extensions can compromise the security of a browser, making them attractive targets for attackers as a primary vehicle for conducting cyber-attacks. Among others, the three factors making vulnerable extensions a high-risk security threat for browsers include: i) the wide popularity of browser extensions, ii) the similarity of browser extensions with web applications, and iii) the high privilege of browser extension scripts. Furthermore, mechanisms that specifically target to mitigate browser extension-related attacks have received less attention as opposed to solutions that have been deployed for common web security problems (such as SQL injection, XSS, logic flaws, client-side vulnerabilities, drive-by-download, etc.). To address these challenges, recently some techniques have been proposed to defend extension-related attacks. These techniques mainly focus on information flow analysis to capture suspicious data flows, impose privilege restriction on API calls by malicious extensions, apply digital signatures to monitor process and memory level activities, and allow browser users to specify policies in order to restrict the operations of extensions.

This paper discusses how cryptography is misused in the security design of a large part of the Web. Our focus is on ASP.NET, the web application framework developed by Microsoft that powers 25% of all Internet web sites. We show that attackers can abuse multiple cryptographic design flaws to compromise ASP.NET web applications. We describe practical and highly efficient attacks

The interaction of consumers and marketers within the Web environment, particularly for retailing/purchasing is a growing area of importance. This paper focuses on examining Internet users adoption of the Web for retail usage. It uses the Technology Acceptance Model Davis (Int. J. Man-Mach. Studies 38 (1993) 475) as a theoretical foundation to explore adoption of this technology for retail usage. The study also adds what are argued to

Cross Site Scripting (XSS) attacks are most common vulnerability issues in the digital era for the Web applications. These attacks occur, when an attacker uses a web application to send malicious code in the form of client side script. These scripts exploit the vulnerabilities in the code and resulting in a serious consequence like theft of cookies, passwords and any confidential user data. In extreme cases, the user may have lost his/her control on the browser. In this paper, we explained detection, and prevention of Cross Site Scripting (XSS) vulnerability attacks through a systematic review process. Vamsi Mohan | Dr. Sandeep Malik"Secure Web Applications Against Cross Site Scripting (XSS): A Review" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-2 | Issue-1 , December 2017, URL: http://www.ijtsrd.com/papers/ijtsrd7135.pdf

Cyber Civilization has become an important source of information sharing and professional activities like business, banking transactions, shopping, services and advertisement. With the exponentially increase in usage of cyberspace, cybercriminal actives are also increase exponentially. The basic reasons is that with the inception of world wide web, the web applications were also getting popularity for data storing and data sharing, irrespective of the user. With the passage of time web applications were getting more complex with rapid increase in their design faults, creating the surfing of internet totally unsafe. More than 90 percent web applications have some kind of design or development fault which can be easily exploited by the cyber criminals. These faults in web application can help criminals in getting the illegal access to trade secrets of any business. Sometime the web application may not be posing threat but the technology used in these applications become the root cause and put the application to the risk of illegal access. Presently the social networks, Internet connected mobile devices, individual privacy, and the online connectivity of entities such as banks are the most enticing targets for cyber criminals. In this survey we highlight the common cyber threats and detailed analysis of existing system and methodology used for its industrial solutions. Some important some industrial application also analyzed this paper.

The web is absolutely necessary part of our lives. It is wide platform which is used for information sharing and service over internet. They are used for the financial, government, healthcare, education and many critical services. Everyday billions of user purchase items, transfer money, retrieve information and communicate over web with each other. Although the web is best friend of users because it provide anytime anywhere access to information and services at the same time. All things are created by human in the world so its reality that the things created by man are little bit problematic. So web applications are also created by human so it contains too many loopholes. The popularity of applications allure hackers towards them. Now a Days Securing and maintaining the websites against attack is very hard and challenging task. Finding loopholes in Web application, Computer system or network and exploiting them called hacking. New approaches for web attacks are invented day to day so the study of detect and prevent against web application attack and finding solution is important part in internet world. In this paper we introduced all web application based attack including two major attacks like XSS (Cross Site Scripting) and SQLI.

Abstract: The malaise of electronic spam mail that solicit illicit partnership using bogus business proposals (popularly called 419 mails) remained unabated on the internet despite concerted efforts. In addition to these are the emergence and prevalence of phishing scams that use social engineering tactics to obtain online access codes such as credit card number, ATM pin numbers, bank account details, social security number and other personal information (22). In an age where dependence on electronic transaction is on the increase ...

The web is absolutely necessary part of our lives. It is wide platform which is used for information sharing and service over internet. They are used for the financial, government, healthcare, education and many critical services. Everyday billions of user purchase items, transfer money, retrieve information and communicate over web with each other. Although the web is best friend of users because it provide anytime anywhere access to information and services at the same time. All things are created by human in the world so its reality that the things created by man are little bit problematic. So web applications are also created by human so it contains too many loopholes. The popularity of applications allure hackers towards them. Now a Days Securing and maintaining the websites against attack is very hard and challenging task. Finding loopholes in Web application, Computer system or network and exploiting them called hacking. New approaches for web attacks are invented day to day so the study of detect and prevent against web application attack and finding solution is important part in internet world. In this paper we introduced all web application based attack including two major attacks like XSS (Cross Site Scripting) and SQLI.

Abstract: The malaise of electronic spam mail that solicit illicit partnership using bogus business proposals (popularly called 419 mails) remained unabated on the internet despite concerted efforts. In addition to these are the emergence and prevalence of phishing scams that use social engineering tactics to obtain online access codes such as credit card number, ATM pin numbers, bank account details, social security number and other personal information (22). In an age where dependence on electronic transaction is on the increase ...

Authentication on the Web is a challenge that can have a negative effect on user experience if it becomes overly complicated and cumbersome. This experience is even more crucial for older and visually impaired users due to their functional abilities. Web applications typically authenticate users by requesting for information that only the user knows (e.g. password). To enhance security, two-factor authentication (2FA) are increasingly implemented, which require the user to manually transfer information between 2FA devices and the Web application. This process can impose usability barriers and stress on human's memory. This paper proposes a technique to mitigate such issues by using wearables as the 2FA device, and to allow authentication information to be transferred seamlessly and automatically from the device to the Web application. From our preliminary results, older users found our approach less stressful on the human's memory and easier to use.

Web applications are typically developed with hard time constraints and are often deployed with critical software bugs, making them vulnerable to attacks. The classification and knowledge of the typical software bugs that lead to security vulnerabilities is of utmost importance. This paper presents a field study analyzing 655 security patches ofsix widely used web applications. Results are compared against other field studies on general software faults (i.e., faults not specifically related to security), showing that only a small subset of software fault types is related to security. Furthermore, the detailed analysis of the code of the patches has shown that web application vulnerabilities result from software bugs affecting a restricted collection of statements.

Most of the recent work on Web security focuses on preventing attacks that directly harm the browser's host machine and user. In this paper we attempt to quantify the threat of browsers being indirectly misused for attack- ing third parties. Specifically, we look at how the existing Web infrastructure (e.g., the languages, protocols, and se- curity policies) can be exploited

—In Today's Digital World, the continuous interruption of users has affected Web Servers (WSVRs), through Distributed Denial-of-Service (DDoS) attacks. These attacks always remain a massive warning to the World Wide Web (WWW). These warnings can interrupt the accessibility of WSVRs, completely by disturbing each data processing before intercommunication properties over pure dimensions of Data-Driven Networks (DDN), management and cooperative communities on the Internet technology. The purpose of this research is to find, describe and test existing tools and features available in Linux-based solution lab design Availability Protection System (Linux-APS), for filtering malicious traffic flow of DDoS attacks. As source of malicious traffic flow takes most widely used DDoS attacks, targeting WSVRs. Synchronize (SYN), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) Flooding attacks are described and different variants of the mitigation techniques are explained. Available cooperative tools for manipulating with network traffic, like; Ebtables and Iptables tools are compared, based on each type of attacks. Specially created experimental network was used for testing purposes, configured filters servers and bridge. Inspected packets flow through Linux-kernel network stack along with tuning options serving for increasing filter server traffic throughput. In the part of contribution as an outcomes, Ebtables tool appears to be most productive, due to less resources it needed to process each packet (frame). It is pointed out that separate detecting system is needed for this tool, in order to provide further filtering methods with data. As main conclusion, Linux-APS, solutions provide full functionality for filtering malicious traffic flow of DDoS attacks either in stand-alone state or combined with detecting systems.

Although web services are becoming businesscritical components, they are often deployed with critical software bugs that can be maliciously explored. Web vulnerability scanners allow detecting security vulnerabilities in web services by stressing the service from the point of view of an attacker. However, research and practice show that different scanners have different performance on vulnerabilities detection. In this paper we present an experimental evaluation of security vulnerabilities in 300 publicly available web services. Four well know vulnerability scanners have been used to identify security flaws in web services implementations. A large number of vulnerabilities has been observed (177), which confirms that many services are deployed without proper security testing. Additionally, the differences in the vulnerabilities detected and the high number of false-positives (35% and 40% in two cases) and low coverage (less than 20% for two of the scanners) observed highlight the limitations of web vulnerability scanners on detecting security vulnerabilities in web services.

Application-level web security refers to vulnerabilities inherent in the code of a web-application itself (irrespective of the technologies in which it is implemented or the security of the web-server/back-end database on which it is built). In the last few months application-level vulnerabilities have been exploited with serious consequences: hackers have tricked e-commerce sites into shipping goods for no charge, usernames and passwords have been harvested and confidential information (such as addresses and credit-card numbers) has been leaked.

Most web applications contain security vulnerabilities. The simple and natural ways of creating a web application are prone to SQL injection attacks and cross-site scripting attacks (among other less common vulnerabilities). In response, many tools have been developed for detecting or mitigating common web application vulnerabilities. Existing techniques either require effort from the site developer or are prone to false positives. This paper presents a fully automated approach to securely hardening web applications. It is based on precisely tracking taintedness of data and checking specifically for dangerous content in only in parts of commands and output that came from untrustworthy sources. Unlike previous work in which everything that is derived from tainted input is tainted, our approach precisely tracks taintedness within data values. We describe our results and prototype implementation on the predominant LAMP (Linux, Apache, MySQL, PHP) platform.

With data theft and computer break-ins becoming increasingly common, there is a great need for secondary authentication to reduce automated attacks while posing a minimal hindrance to legitimate users. CAPTCHA is one of the possible ways to classify human users and automated scripts. Though textbased CAPTCHAs are used in many applications, they pose a challenge due to language dependency. In this paper, we propose a face image-based CAPTCHA as a potential solution. To solve the CAPTCHA, users must correctly identify visually-distorted human faces embedded in a complex background without selecting any non-human faces. The proposed algorithm generates a CAPTCHA that offers better human accuracy and lower machine attack rates compared to existing approaches. include CAPTCHA based security, computational intelligence, biometrics, software reliability modeling, machine learning, hardware description languages and quantum computing. He has over 100 publications in refereed journals, book chapters and conferences. He has received several outstanding teacher and outstanding researcher awards. He is a Senior Member of the IEEE and member of Phi Kappa Phi, Sigma Xi, Eta Kappa Nu and Tau Beta Pi honor societies. He is the recipient of seven best paper and best poster awards in international conferences.

Browser designers create security mechanisms to help web developers protect web applications, but web developers are usually slow to use these features in web-based applications (web apps). In this paper we introduce Zan 1 , a browserbased system for applying new browser security mechanisms to legacy web apps automatically. Our key insight is that web apps often contain enough information, via web developer source-code patterns or key properties of web-app objects, to allow the browser to infer opportunities for applying new security mechanisms to existing web apps. We apply this new concept to protect authentication cookies, prevent web apps from being framed unwittingly, and perform JavaScript object deserialization safely. We evaluate Zan on up to the 1000 most popular websites for each of the three cases. We find that Zan can provide complimentary protection for the majority of potentially applicable websites automatically without requiring additional code from the web developers and with negligible incompatibility impact.

Although web services are becoming businesscritical components, they are often deployed with critical software bugs that can be maliciously explored. Web vulnerability scanners allow detecting security vulnerabilities in web services by stressing the service from the point of view of an attacker. However, research and practice show that different scanners have different performance on vulnerabilities detection. In this paper we present an experimental evaluation of security vulnerabilities in 300 publicly available web services. Four well know vulnerability scanners have been used to identify security flaws in web services implementations. A large number of vulnerabilities has been observed (177), which confirms that many services are deployed without proper security testing. Additionally, the differences in the vulnerabilities detected and the high number of false-positives (35% and 40% in two cases) and low coverage (less than 20% for two of the scanners) observed highlight the limitations of web vulnerability scanners on detecting security vulnerabilities in web services.

This paper presents a new algorithm aimed at the vulnerability assessment of web applications following a blackbox approach. The objective is to improve the detection efficiency of existing vulnerability scanners and to move a step forward toward the automation of this process. Our approach covers various types of vulnerabilities but this paper mainly focuses on SQL injections. The proposed algorithm is based on the automatic classification of the responses returned by the web servers using data clustering techniques and provides especially crafted inputs that lead to successful attacks when vulnerabilities are present. Experimental results on several vulnerable applications and comparative analysis with some existing tools confirm the effectiveness of our approach.

The study presents the major factors for Internet banking adoption and compares the levels of adoption across countries, in order to identify more easily what factors to consider most while providing banking services over the Internet. Based on prior studies, web security, Internet usage, economy status, high branch intensity, competition, government prioritization regulations, and literacy level were identified as the major factors affecting Internet banking adoption. This study uses fuzzy inference systems (FIS) to define the adoption rate. Our experimental results show that security is the most important factor because no matter how high government prioritization, literacy level, Internet users, and competition among Internet service providers are, as long as there are low security levels, the adoption rate will be at the lowest level. We conclude that, overall, the banks-specific factors are the main drivers for Internet banking adoption.

Web altyapısına artan sayıda saldırı girişimi yaşanmaktadır, bu nedenle web ve web uygulaması güvenliği her geçen gün daha hayati hale gelmektedir. Nüfuz veya saldırı yaşanmadan saldırıları saptayacak ve saldırıya açıklıkları engelleyecek güvenlik düzeneklerine ihtiyaç duyulmaktadır. Bu çalışmada, güvenliği daha iyi sağlamak için değişik tekniklerin birlikte çalıştığı bir Kurumsal Web Güvenlik Altyapısı modeli tanımlanmıştır. Bu modelde, ağ farkındalığı ve eğitim konularına yoğunlaşılmıştır.


English Abstract:There is increasing number of intrusion attempts to the web infrastructure, so web and web application security are becoming more vital everyday. There is need for security measures, which will detect and prevent vulnerabilities before intrusion and attack occur. In this work, an Enterprise-wide Web Security Infrastructure model where different techniques work cooperatively to achieve better security is defined. Network awareness and training are focused on.


Note: Downloadable document is in Turkish.

Decision support for 24/7 enterprises requires 24/7 available Data Warehouses (DWs). In this context, web-based connections to DWs are used by business management applications demanding continuous availability. Given that DWs store highly sensitive business data, a web-based connection provides a door for outside attackers and thus, creates a main security issue. Database Intrusion Detection Systems (DIDS) deal with intrusions in databases. However, given the distinct features of DW environments most DIDS either generate too many false alarms or too low intrusion detection rates. This paper proposes a real-time DIDS explicitly tailored for web-access DWs, functioning at the SQL command level as an extension of the DataBase Management System, using an SQL-like rule set and predefined checkups on well-defined DW features, which enable wide security coverage. We also propose a risk exposure method for ranking alerts which is much more effective than alert correlation techniques.

In spite of the use of standard web security measures (SSL/TLS), users enter sensitive information such as passwords into scam web sites. Such scam sites cause substantial damages to individuals and corporations. In this work, we analyze these attacks, and find they often exploit usability failures of browsers.

This study investigates how customers perceive and adopt Internet Banking (IB) in Hong Kong. We developed a theoretical model based on the Technology Acceptance Model (TAM) with an added construct Perceived Web Security, and empirically tested its ability in predicting customers' behavioral intention of adopting IB. We designed a questionnaire and used it to survey a randomly selected sample of customers of IB from the Yellow Pages, and obtained 203 usable responses. We analyzed the data using Structured Equation Modeling (SEM) to evaluate the strength of the hypothesized relationships, if any, among the constructs, which include Perceived Ease of Use and Perceived Web Security as independent variables, Perceived Usefulness and Attitude as intervening variables, and Intention to Use as the dependent variable. The results provide support of the extended TAM model and confirm its robustness in predicting customers' intention of adoption of IB. This study contributes to the literature by formulating and validating TAM to predict IB adoption, and its findings provide useful information for bank management in formulating IB marketing strategies.

Most of the recent work on Web security focuses on preventing attacks that directly harm the browser’s host machine and user. In this paper we attempt to quantify the threat of browsers being indirectly misused for attacking third parties. Specifically, we look at how the existing Web infrastructure (e.g., the languages, protocols, and security policies) can be exploited by malicious or subverted websites to remotely instruct browsers to orchestrate actions including denial of service attacks, worm propagation and reconnaissance scans. We show that attackers are able to create powerful botnet-like infrastructures that can cause significant damage. We explore the effectiveness of countermeasures including anomaly detection and more fine-grained browser security policies.

Cross Site Scripting (XSS) attacks are most common vulnerability issues in the digital era for the Web applications. These attacks occur, when an attacker uses a web application to send malicious code in the form of client side script. These scripts exploit the vulnerabilities in the code and resulting in a serious consequence like theft of cookies, passwords and any confidential user data. In extreme cases, the user may have lost his/her control on the browser. In this paper, we explained detection, and prevention of Cross Site Scripting (XSS) vulnerability attacks through a systematic review process.

Security is a major concern for the modern age systems, network, and database administrators. Recently there has been a remarkable interest by both professional and scientific committee about identifying and detecting tacks while also making all possible actions to enhance security. Many models and frameworks are proposed in literature, however few have updated list of actions adapted to types of attacks. This paper presents an effective framework that classifies and detects the different types of attacks along with their symptoms and features. Such a researcher has clearly tested and evaluated a common twelve types of attacks the research has covered and analyzed a survey which spanned over 25 Web developers working with dynamic websites. Numbers of important observation and results were validated which are centered on the weakness of the applied protection mechanisms. The research presents a logical framework a long with guideline criteria that enable fast detection of the common attacks and detective a set of actions that enhance protection and security of dynamic websites.

Research data shows that, about 80% of the web applications are vulnerable to cross site scripting attacks. This is because of the fact that the users are allowed to enter tags in the input control for increasing the flexibility in handling web applications input. This increases the threat to the web application by allowing the hackers to plant worms in the web applications through the features like tags. Further, there are billions of web pages that are developed in different languages like PHP, ASP, JSP, HTML, CGI-PERL, .Net etc. There is no single solution available that can be applied for the web application to prevent XSS that are developed in different languages and deployed in different platforms. This paper presents a new solution to block Cross Site Scripting (XSS) attacks that is independent of the languages in which the web applications are developed and addresses XSS vulnerabilities arise from other interfaces. The solution is modularized, configured, and developed in .Net, XML and XSD. This approach is evaluated in a web application developed in JSP/Servlets deployed in JBOSS application server and is found effective as it provides the flexibility to be used across languages with a very minimal configuration to prevent XSS.

Risk analysis is the basis of proactive security requirements. To effectively protect security in the web environment, analyzing risks of web sites is an essential and important process for identifying known and potential vulnerabilities, threats and its impact losses. In fact, it is relatively difficult for users to collect adequate data to estimate the full vulnerabilities and probability of threats

We live in a period of time where Information
Security has gained much attention. The core
purpose of the paper is to critically study and
analyze the trends in information security as far as
the Internet is concerned. To counter the ever rising
rates of cyber-crimes, the researcher has come up
with a system that scans any target website for the
most highly exploited security loophole. The system
is a web application that is mainly targeted towards
web developers so as to reduce the burden of
security mechanism enforcement on them, while
developing web content. This, in turn, makes the
web a much safer and secure place to exist.