Security Vulnerabilities In Web Applications Research Articles

Utilizing Object Capabilities to Improve Web Application Security

Nowadays, more and more applications are built with web technologies like HTML, CSS, and JavaScript, which are then executed in browsers. The web is utilized as an operating system independent application platform. With this change, authorization models change and no longer depend on operating system accounts and underlying access controls and file permissions. Instead, these accounts are now implemented in the applications themselves, including all of the protective measures and security controls that are required for this. Because of the inherent complexity, flaws in the authorization logic are among the most common security vulnerabilities in web applications. Most applications are built on the concept of the Access-Control List (ACLs), a security model that decides who can access what object. Object Capabilities, transferable rights to perform operations on specific objects, have been proposed as an alternative to ACLs, since they are not susceptible to certain attacks prevalent for ACLs. While their use has been investigated for various domains, like smart contracts, they have not been widely applied for web applications. In this paper, we therefore present a general overview of the capability based authorization model and adapt those approaches for use in web applications. Based on a prototype implementation, we show the possibilities of Object Capabilities to enhance security, but also provide insights on existing pitfalls and problems in porting such models to the web domain.

Evaluation of Black-Box Web Application Security Scanners in Detecting Injection Vulnerabilities

With the Internet’s meteoric rise in popularity and usage over the years, there has been a significant increase in the number of web applications. Nearly all organisations use them for various purposes, such as e-commerce, e-banking, e-learning, and social networking. More importantly, web applications have become increasingly vulnerable to malicious attack. To find web vulnerabilities before an attacker, security experts use black-box web application vulnerability scanners to check for security vulnerabilities in web applications. Most studies have evaluated these black-box scanners against various vulnerable web applications. However, most tested applications are traditional (non-dynamic) and do not reflect current web. This study evaluates the detection accuracy of five black-box web application vulnerability scanners against one of the most modern and sophisticated insecure web applications, representing a real-life e-commerce. The tested vulnerabilities are injection vulnerabilities, in particular, structured query language (SQLi) injection, not only SQL (NoSQL), and server-side template injection (SSTI). We also tested the black-box scanners in four modes to identify their limitations. The findings show that the black-box scanners overlook most vulnerabilities in almost all modes and some scanners missed all the vulnerabilities.

Optimization Method of Web Fuzzy Test Cases Based on Genetic Algorithm

In order to solve the problems of low code coverage, few vulnerabilities found, and poor fuzzing effect caused by the small number of test cases and single types in Web fuzzing, on the basis of studying the current Web fuzzing methods, the existing fuzzing Web applications are tested Program research. A genetic algorithm-based method for optimizing fuzzing test cases for Web applications is proposed. It analyzes and counts the traffic of public network website business with Web service attack characteristics, and uses genetic algorithms to generate a large number of test cases with various types to explore the Web service vulnerability that exists. Based on the creation of a Web attack signature database with weights, this method uses genetic algorithms to randomly pre-generate the test cases of the fuzzing test, and uses the response of the Web service to repeatedly iterate the weights of different attack signatures in the Web attack signature database. So as to generate the best test cases. Experimental analysis shows that this method effectively finds security vulnerabilities in Web applications.

Vulnerability Scanning Technology on Web Applications

Modern society is far more dependent on web applications than the previous generations. Even though our dependence is increasing rapidly, the security level is far lower than required. To guarantee the security of the data system in the industry and our daily life, it is especially crucial to find out web application security vulnerabilities quickly and accurately. A vulnerability is a state of being unprotected from the prospect of an attack. It permits an attacker to gain a certain level of command of the site, and possibly the hosting server. One such vulnerability is the cross-site scripting vulnerability. In this exposition, a generic vulnerability scanner is proposed which can be customized to find any number of vulnerabilities. The scanner maps out the website and gives a report of all the vulnerabilities. For the purpose of evaluation, it has been customized to find XSS vulnerability in web applications.

Addressing Web Application Security Issues and Vulnerabilities Assessment Pen Testing

The world relies heavily on the Internet, and every organization uses web applications extensively for information sharing, business purposes such as online sales, money transfer, etc., and Exchange services. Nowadays, providing security for web applications is the greatest challenge in the corporate world because web applications will be the main way for their daily business and if the web application is affected, then daily business and reputation will be affected. As many organizations have been using the web application service to share or store sensitive information about their clients and assets. So, Web Applications are inclined to security attacks and new security vulnerabilities have grown in the last two decades in a web application and have become an important target for attackers. So, it is very vital to secure a web application. The vulnerabilities in web applications will incur due to the security misconfigurations, programming mistakes, improper usage of security measures, etc. So, vulnerability assessment and pen testing will help to figure out the different vulnerabilities present in web applications. The websites are also using to deliver the critical services to its customers so it must run every time without any interception, to do this VAPT will play a crucial role. This paper reviews about vulnerability assessment and pretesting steps and types, website vulnerabilities like SQL Injection, Cross-Site scripting, file inclusion, cross-site request forgery, and broken authentication with types and remediations and also discuss how the effect of these vulnerabilities on a web application.

Web Security Aware by using Naive Baye’s ML Technique

Web applications support many of our daily activities, but they often have security issues, and their accessibility makes them easy to use. This paper presents an analysis for finding vulnerabilities that directly address weak or absent of input validation. We present the techniques for finding security vulnerabilities in Web applications. We implement our proposed system with a machine learning technique (ML technique) to measure the accuracy and provide an extensive evaluation that finds all vulnerabilities in web applications. SQL injection, Cross-Site Scripting (XSS), HTTP and command inj1ection vulnerabilities are addressed in the proposed system and also Naive Bayes ML technique is used to calculate the accurateness. The experimental result shows the technique is more efficient and accurate.

New Attack Potential Measurement Method to Kaizen Event for Web Application Security Vulnerabilities

With recognition of the importance of web application security, there is a need for research on an action program for measurement and improvement of web application security. Therefore, the main purpose of this study was to formulate a Kaizen program suitable for measurement and improvement of web application security vulnerabilities. An improvement working procedure is introduced to implement the Kaizen program. Further, an augmented attack potential measurement method is proposed to measure the effectiveness of the formulated Kaizen program. The proposed new attack potential measurement method is considered to be an umbrella under which several novel techniques and methods are included, such as OWASP’s web application security vulnerabilities assessment method, ISO/IEC 18045 attack potential ratings method and fuzzy evaluation method. The numerical results of an example are presented to show that the augmented attack potential measurement method is not only comparable but also distinguishable. It is more reasonable and effective than that of the traditional method for measuring web application security improvement. Finally, conclusions are made and suggestions for future work are proposed. To cite this document: Kuo-Sui Lin, New Attack Potential Measurement Method to Kaizen Event for Web Application Security Vulnerabilities, International Journal of Electronic Commerce Studies, Vol.10, No.2, pp.89-112, 2019. Permanent link to this document: http://dx.doi.org/10.7903/ijecs.1536

XSS Attack Detection and Prevention System Based on Instruction Set Randomization

As one of the most popular security vulnerabilities in Web applications, XSS has been widely researched and applied. This paper presents a XSS detection and prevention system aimed at solving the problem of website being attacked by increasingly sophisticated and severe XSS. The method proposed in this paper encodes the HTML/JavaScript keyword in the Web application by randomization and distinguishes the malicious attacks. The results show that this method not only can effectively detect and defend reflective and storage XSS attacks, but also it has better system response.

An Integrated Approach for Detecting Security Vulnerabilities in Web Applications: A Theoretical Perspective

An Integrated Approach for Detecting Security Vulnerabilities in Web Applications: A Theoretical Perspective

Systematic Review of Web Application Security Vulnerabilities Detection Methods

In recent years, web security has been viewed in the context of securing the web application layer from attacks by unauthorized users. The vulnerabilities existing in the web application layer have been attributed either to using an inappropriate software development model to guide the development process, or the use of a software development model that does not consider security as a key factor. Therefore, this systematic literature review is conducted to investigate the various security vulnerabilities used to secure the web application layer, the security approaches or techniques used in the process, the stages in the software development in which the approaches or techniques are emphasized, and the tools and mechanisms used to detect vulnerabilities. The study extracted 519 publications from respectable scientific sources, i.e. the IEEE Computer Society, ACM Digital Library, Science Direct, Springer Link. After detailed review process, only 56 key primary studies were considered for this review based on defined inclusion and exclusion criteria. From the review, it appears that no one software is referred to as a standard or preferred software product for web application development. In our SLR, we have performed a deep analysis on web application security vulnerabilities detection methods which help us to identify the scope of SLR for comprehensively investigation in the future research. Further in this SLR considering OWASP Top 10 web application vulnerabilities discovered in 2012, we will attempt to categories the accessible vulnerabilities. OWASP is major source to construct and validate web security processes and standards.

Implementation of Pattern Matching Algorithm to Defend SQLIA

SQL Injection is a type of web application security vulnerability in which an attacker is able to submit a database SQL command which is executed by a web application, exposing the back-end database. SQL injection is one of the technique by which a malicious user alters SQL statements to serve a different purpose than what was originally intended. In network security pattern matching is used to detect malicious packets. Most of the pattern based techniques use static analysis and patterns are generated from the attacked statements. In the existing system the algorithm which they have used is not memory efficient. We have proposed a detection and prevention technique for SQL Injection Attack (SQLIA) using modified Aho–Corasick pattern matching algorithm. In proposed system the user generated SQL Queries are checked whether they are SQL injected or not using SQLMAP tool and AIIDA-sql techniques. Then the user generated SQL queries are checked by applying static pattern matching algorithm. In the new system, if any form of new anomaly occurs, then a new anomaly pattern will be updated to the existing static pattern list. In addition, the repeated keywords are stored only once which optimizes overall memory consumption.

Programmer Protocol for Identification and Defense of Latest Web Application Security Threats using Open Source Tools

has been an exponential increase in the number of attacks on web applications during the recent years. This paper presents a guideline for programmers to develop robust web applications in terms of security by identification of latest web application security vulnerabilities and devising their control using open source dynamic and static web application security assessment tools. A highly vulnerable web application is taken as a sample and it is projected to dynamic tools which lookup for security loopholes in it according to its behavior in the actual working environment and static tools lookup for security loopholes in the programming logics by static analysis of the actual source code. Finally, the concept of a static analysis monitoring tool is given which can serve a fool proof solution for one of the most encountered attack namely, Cross Site Scripting (XSS).

Pen Testing for Web Applications

As many Web applications are developed daily and used extensively, it becomes important for developers and testers to improve these application securities. Pen testing is a technique that helps these developers and testers to ensure that the security levels of their Web application are at acceptable level to be used safely. Different tools are available for Pen testing Web applications; in this paper the authors compared six Pen testing tools for Web applications. The main goal of these tests is to check whether there are any security vulnerabilities in Web applications. A list of faults injected into set of Web pages is used in order to check if tools can find them as they are claimed. Test results showed that these tools are not efficient and developers should not depend solely on them.

WEB APPLICATION VULNERABILITY DETECTION BASED ON REINFORCEMENT LEARNING

To solve the problem of low crawling yield and low detection efficiency in web applications security detection, we propose a web application security vulnerability detection method based on Q-learning. We present a strategy of form focused crawling (QLC) which uses Q-learning algorithm to increase the crawling yield and detection efficiency. In the learning algorithm, we present the method of combining immediate rewards and future rewards to evaluate and optimize the learning rules. Simulating web attacking and analyzing the data of response are used to detect security vulnerabilities, and rich attacking vectors ensure the improvement of detection accuracy. Finally, through effective training of the reinforcement learning the rules, a series of experimental results verify the effectiveness of the method we proposed in this paper.

Towards an Understanding of Web Application Security Threats and Incidents

AbstractThis paper examines a variety of sources that provide web application security vulnerabilities and incident data. In particular, the research tracks the impact of SQL Injection, Cross-Site Scripting and Cross-Site Request Forgery vulnerabilities. A comparison of vulnerability data versus attacks that have actually resulted in data compromises is studied to determine how the type of vulnerabilities relate to actual methods used to steal data. The paper concludes with recommendations for more secure web applications.

Web vulnerability study of online pharmacy sites

Consumers are increasingly using online pharmacies, but these sites may not provide an adequate level of security with the consumers’ personal data. There is a gap in this research addressing the problems of security vulnerabilities in this industry. The objective is to identify the level of web application security vulnerabilities in online pharmacies and the common types of flaws, thus expanding on prior studies. Technical, managerial and legal recommendations on how to mitigate security issues are presented. The proposed four-step method first consists of choosing an online testing tool. The next steps involve choosing a list of 60 online pharmacy sites to test, and then running the software analysis to compile a list of flaws. Finally, an in-depth analysis is performed on the types of web application vulnerabilities. The majority of sites had serious vulnerabilities, with the majority of flaws being cross-site scripting or old versions of software that have not been updated. A method is proposed for the securing of web pharmacy sites, using a multi-phased approach of technical and managerial techniques together with a thorough understanding of national legal requirements for securing systems.

An empirical investigation into open source web applications’ implementation vulnerabilities

Current web applications have many inherent vulnerabilities; in fact, in 2008, over 63% of all documented vulnerabilities are for web applications. While many approaches have been proposed to address various web application vulnerability issues, there has not been a study to investigate whether these vulnerabilities share any common properties. In this paper, we use an approach similar to the Goal-Question-Metric approach to empirically investigate four questions regarding open source web applications vulnerabilities: What proportion of security vulnerabilities in web applications can be considered as implementation vulnerabilities? Are these vulnerabilities the result of interactions between web applications and external systems? What is the proportion of vulnerable lines of code within a web application? Are implementation vulnerabilities caused by implicit or explicit data flows? The results from the investigation show that implementation vulnerabilities dominate. They are caused through interactions between web applications and external systems. Furthermore, these vulnerabilities only contain explicit data flows, and are limited to relatively small sections of the source code.