Web Application Vulnerabilities Research Articles

RESEARCH OF METHODS OF AUTOMATED SEARCH OF “SQL INJECTION” TYPE VULNERABILITIES IN WEB APPLICATIONS

The article presents the results of a scientific and methodological study of the methods of automated search for SQL vulnerabilities in web applications. An example of an attack using a typical SQL injection is provided. The classification ofweb application security assessment methods based on penetration testing is given. The results of practical studies of the operation of the most widely used web scanners for automated vulnerability testing of web applications are given. Based on the results, a comparison of the effectiveness of penetration testing methods has been made. The possible directions of further research into the methods of automated search for SQL vulnerabilities in web applications are substantiated, taking into ac-count the results obtained, in particular the values of the Youden Index.

Web attack detection using deep learning models

Due to the network access and security vulnerabilities of web applications, web applications are often targets of cyber-attacks. Attacks against web applications can be extremely dangerous. A lot of damage has been done because of the vulnerability of the application, which lets them access the Web Application database. Monitoring web attacks and generating alarms when a challenge to an attack is detected. This work uses deep learning models (ANN, CNN & RNN) to detect web attacks automatically. To identify the time when the attack on the payload occurred, the work first analyses the web log information provided by the user. To make an attack prediction, the log information is pre-processed. Web-log information is pre-processed to remove duplicate values and missing values and to get the payload information. To encode the fields and normalize (Min-Max) that converts into unique format while predicting and the encoding value also applied. To construct the prediction model for the detection of web attacks, the pre-processed dataset is incorporated into the deep learning classifiers. In the performance evaluation, RNN provided 94% accuracy and 6% error rate, higher than other method.

A Systematic Literature Review on the Characteristics and Effectiveness of Web Application Vulnerability Scanners

Web applications have been a significant target for successful security breaches in the last few years. They are currently secured, as a primary method, by searching for their vulnerabilities with specialized tools referred to as Web Application Vulnerability Scanners (WVS’s). Although, these dynamic approaches of testing have some advantages, there is still a scarcity of studies that explore their features and detection capabilities in a systematic way. This article reports findings from a Systematic Literature Review (SLR) to look into the characteristics and effectiveness of the most frequently used WVS’s. A total of 90 research papers were carefully evaluated. Thirty (30) WVS’s were collected and reported, with only 12 having at least one quantitative assessment of effectiveness. These 12 WVS’s were evaluated by 15 original evaluation studies. We found that these evaluations tested mostly only two of the Open Web Application Security Project (OWASP) Top Ten vulnerability types: SQL injection (SQLi) (13/15) and Cross-Site Scripting (XSS) (8/15). Additionally, only one work evaluated six of the OWASP Top Ten vulnerability types and for only one scanner. We also found that the reported detection rates were highly dissimilar between these 15 evaluations. Based on these surprising results we suggest avenues for future directions.

The Study on Assessment of Security Web Applications

Nowadays, technology has an important role of our life, including smart devices, social media due to the importance of security and web for interaction so it has become targeted it by cybercriminal. The growing threat of cybersecurity has prompted the kingdom to pay more attention to its national cybersecurity strategy as the state embarks on a Vision 2030 plan, which aims to diversify the economy and create new jobs. Therefore, Web Applications are always having security threats, which considered as a big problem. Several steps introduced successful analysis of vulnerabilities in web applications. There are no efficient and easy to use tools for the security assessment of such applications. This paves the way for hackers to easily attack. In this paper, we recommend an efficient method to assess the vulnerability using Python, which can used to conduct Vulnerability Assessment on web applications. This work will be useful for organizations and programmers to keep their information and applications more secure and viable for usage in sensitive environments.

Optimization Method of Web Fuzzy Test Cases Based on Genetic Algorithm

In order to solve the problems of low code coverage, few vulnerabilities found, and poor fuzzing effect caused by the small number of test cases and single types in Web fuzzing, on the basis of studying the current Web fuzzing methods, the existing fuzzing Web applications are tested Program research. A genetic algorithm-based method for optimizing fuzzing test cases for Web applications is proposed. It analyzes and counts the traffic of public network website business with Web service attack characteristics, and uses genetic algorithms to generate a large number of test cases with various types to explore the Web service vulnerability that exists. Based on the creation of a Web attack signature database with weights, this method uses genetic algorithms to randomly pre-generate the test cases of the fuzzing test, and uses the response of the Web service to repeatedly iterate the weights of different attack signatures in the Web attack signature database. So as to generate the best test cases. Experimental analysis shows that this method effectively finds security vulnerabilities in Web applications.

ANALISIS CELAH KEAMANAN APLIKASI WEB E-LEARNING UNIVERSITAS ABC DENGAN VULNERABILITY ASSESMENT

The development of information and communication technology today brings convenience to human life. One of the things that is growing quite rapidly is a web-based application. The proliferation of web-based applications is a challenge for web-based application developers in developing security aspects. Vulnerability Assessment of the E-Learning web application aims to detect vulnerabilities, describe vulnerabilities, assess vulnerabilities based on the Common Vulnerability Scoring System, and provide solutions. The research stages used were the Vulnerability Assessment and Penetration Testing Life Cycle. In looking for vulnerabilities in this study using the Home version of the Nessus Vulnerability Scanning. Based on the results of the vulnerability scanning, it was found low vulnerability, medium vulnerability, high vulnerability, and critical vulnerability. Each vulnerability certainly has a different impact on vulnerability, but on a critical vulnerability, namely the Elasticsearch Transport Protocol Unspecified Remote Code Execution has the most serious impact with a base score of 9.8, so the overall risk level on the Web E-Learning application is High. So it can be concluded that the E-Learning Web application at ABC University is said to be vulnerable, because it has a serious impact that affects Confidentiality, Integrity, and Availability of the E-Learning web application through its vulnerabilities. Therefore, ABC University must immediately make improvements and evaluations of the security of the E-Learning Web Application so that the risk of vulnerability in the E-Learning Web Application can be reduced.

Efficiency and Effectiveness of Web Application Vulnerability Detection Approaches: A Review

Most existing surveys and reviews on web application vulnerability detection (WAVD) approaches focus on comparing and summarizing the approaches’ technical details. Although some studies have analyzed the efficiency and effectiveness of specific methods, there is a lack of a comprehensive and systematic analysis of the efficiency and effectiveness of various WAVD approaches. We conducted a systematic literature review (SLR) of WAVD approaches and analyzed their efficiency and effectiveness. We identified 105 primary studies out of 775 WAVD articles published between January 2008 and June 2019. Our study identified 10 categories of artifacts analyzed by the WAVD approaches and 8 categories of WAVD meta-approaches for analyzing the artifacts. Our study’s results also summarized and compared the effectiveness and efficiency of different WAVD approaches on detecting specific categories of web application vulnerabilities and which web applications and test suites are used to evaluate the WAVD approaches. To our knowledge, this is the first SLR that focuses on summarizing the effectiveness and efficiencies of WAVD approaches. Our study results can help security engineers choose and compare WAVD tools and help researchers identify research gaps.

A Hybrid Machine Learning Model to Detect Reflected XSS Attack

Since web technologies are getting more advanced with longer codes, the number of vulnerabilities has increased considerably. Cross-site scripting (XSS) attacks are one of the most common attacks that use vulnerabilities in web applications. There are three types of cross-site scripting attacks namely, reflected, stored, and DOM-based attacks. Reflected XSS attacks are the most common type that is usually implemented by injecting a malicious code into the URL and then sending the URL to the targeted system by using phishing methods, which is a significant threat for recent web applications. Our motivation is the lack of a high performance detection method of reflected XSS attacks with high accuracy. In this paper, we propose a hybrid machine learning model to detect vulnerabilities related to reflected XSS attacks for a given URL of a website. Our model uses a scanner to discover vulnerabilities in a web site and convolutional neural networks to predict the most common vulnerabilities that may be used for reflected XSS attacks, which makes the proposed model hybrid. We analyzed the model experimentally. Analyses results show that the proposed model is able to detect vulnerable attack surfaces with 99 % accuracy.

A Flexible Vulnerability Reduction System Using Machine Learning

The human system have an ability to adapt dynamically and protect against biological viruses is amazing. Computer security faces an ever-increasing threat and a system which can prevent any viruses coming in, is an open research problem. We propose a new model, called (RI Secure Web), whic h can be resilient and immune to web application vulnerability for injection and URL manipulation for injection methods using an agent based machine learning system The ability of human immune system to survive and maintain body from different damages and its self curing capabi lity inspires the development of a resilient and adaptive cyber security system. Such system functions proactive and defends itself against viruses as human immune system does. In this paper, an architectural view of a system for reducing application level vulnerabilities to protect cyber attacks, particularly injection method is proposed.

Common Attacks and Trends in Web Application

This aim of this paper is to review the available literature on the recent trends in web application vulnerabilities. Google Scholar was used as the main search database for the review. Studies from the last few decades to analyse the trends in web application vulnerabilities over the years, especially since they are a relatively recent phenomenon. Using a set of criteria, approximately 400 scholarly works were initially selected and then reduced to a smaller number which was then explored in detail. It was found that there are a variety of forms in which attacks on web applications may take place. These attacks are becoming increasingly sophisticated with advancements in technology. Additionally, novel ways of attacking users have been developed in order to do so without tricking the user. Given the influx of technology and web applications in every aspect of life, this makes the user especially vulnerable. This means that web application developers must treat security as a priority rather than solely focus on usability.

SQL Injection Attacks Prevention System Technology: Review

The vulnerabilities in most web applications enable hackers to gain access to confidential and private information. Structured query injection poses a significant threat to web applications and is one of the most common and widely used information theft mechanisms. Where hackers benefit from errors in the design of systems or existing gaps by not filtering the user's input for some special characters and symbols contained within the structural query sentences or the quality of the information is not checked, whether it is text or numerical, which causes unpredictability of the outcome of its implementation. In this paper, we review PHP techniques and other techniques for protecting SQL from the injection, methods for detecting SQL attacks, types of SQL injection, causes of SQL injection via getting and Post, and prevention technology for SQL vulnerabilities.

Vulnerability Scanning Technology on Web Applications

Modern society is far more dependent on web applications than the previous generations. Even though our dependence is increasing rapidly, the security level is far lower than required. To guarantee the security of the data system in the industry and our daily life, it is especially crucial to find out web application security vulnerabilities quickly and accurately. A vulnerability is a state of being unprotected from the prospect of an attack. It permits an attacker to gain a certain level of command of the site, and possibly the hosting server. One such vulnerability is the cross-site scripting vulnerability. In this exposition, a generic vulnerability scanner is proposed which can be customized to find any number of vulnerabilities. The scanner maps out the website and gives a report of all the vulnerabilities. For the purpose of evaluation, it has been customized to find XSS vulnerability in web applications.

Development of a browser extension for web application vulnerability detection, avoidance, and secure browsing (VDAS)

Development of a browser extension for web application vulnerability detection, avoidance, and secure browsing (VDAS)

The Limitations of Cross-Site Scripting Vulnerabilities Detection and Removal Techniques

Web applications have become very important tools in our daily activities as we use them to share and get information, conduct businesses, and interact with family and friends on social media through the Internet. Despite their importance, web applications are plagued with many security vulnerabilities that enable hackers to attack them and compromise user information and privacy. Cross-site scripting vulnerabilities are a type of injection vulnerabilities existing in web applications. They can lead to attacks in web applications due to the lack of proper validation of input data in the affected web pages of an application. Many approaches and techniques have been proposed to mitigate this type of vulnerabilities. However, these solutions have some limitations and cross-site scripting vulnerabilities still remain as a major security problem for web applications. This paper explores and presents the existing techniques for detecting and for removing cross-site scripting vulnerabilities in web application. It gives an overview of cross-site scripting as a security issue in web application and its different types. The advantages as well as the limitations of each techniques are highlighted and discussed. Based on the limitations, some possible future research directions are identified, and recommendations are given as reference for researchers interested in this topic.

Web application vulnerability detection method based on machine learning

In order to solve the security problems caused by network vulnerabilities, a web application vulnerability detection method based on machine learning is proposed to effectively prevent cross site scripting attacks of web applications and reduce the occurrence of network security incidents. Through the in-depth study of the existing security vulnerability detection technology, combined with the development process of machine learning security vulnerability detection technology, the requirements of security vulnerability detection model are analyzed in detail, and a cross site scripting security vulnerability detection model for web application is designed and implemented. Based on the existing network vulnerability detection technology and tools, the verification code identification function is added, which solves the problem that the data can be submitted to the server only by inputting the verification code. According to the server filtering rules, the network code bypassing the server filtering is constructed. Experimental results show that the model has a low rate of missed detection and false alarm, and the improved model is more efficient.

Performance Evaluation of Open Source Web Application Vulnerability Scanners based on OWASP Benchmark

Performance Evaluation of Open Source Web Application Vulnerability Scanners based on OWASP Benchmark

Holistic Web Application Security Visualization for Multi-Project and Multi-Phase Dynamic Application Security Test Results

As the number of web applications and the corresponding number and sophistication of the threats increases, creating new tools that are efficient and accessible becomes essential. Although there is much research concentrating on network security visualizations, there are only a few studies considering the web application vulnerabilities' possible visualization options. Consequently, to fill this gap, this research centers around a novel perception configuration to improve web application vulnerability monitoring. This study forms a generic data structure based on data sources that might be readily associated and commonly available for the majority of the web applications. The primary contribution of this study is a new dashboard tool for visualizing dynamic application security test results. Another contribution is the metrics/measures that the tool presents. The paper also describes a validation study in which participants answered quiz questions upon using the tool prototype. For the case study, sample data has been generated using the OWASP ZAP scanner tool and a prototype has been implemented to be used for validation purposes. This study allows the investigation of fifty metrics/measures for the multi-project/phase environment that enhances its benefits if the user aims to monitor a series of analyses' results and the changes between them for more than one web project.

Fault-based testing for discovering SQL injection vulnerabilities in web applications

In this paper we proposed a model to investigate the behaviour of websites when dealing with invalid inputs. Many vulnerabilities rise from invalid inputs. An invalid input is considered as a form ...

Black-box Fuzzing Approaches to Secure Web Applications: Survey

Web applications are increasingly important tools in our modern daily lives, such as in education, business transac-tions, and social media. Because of their prevalence, they are becoming more susceptible to different types of attacks that exploit security vulnerabilities. Exploiting these vulnerabilities may cause damage to the web applications as well as the end-users. Thus, web apps’ developers should identify vulnerabilities and fix them before an attacker exploits them. Using black-box fuzzing techniques for vulnerability identification is very popular during the web apps’ development life cycle. These techniques pledge to find vulnerabilities in web applications by constructing attacks without accessing their source codes. This survey explores the research that has been done in the black-box vulnerability finding and exploits construction in web applications and proposes future directions.

Fault-based testing for discovering SQL injection vulnerabilities in web applications

In this paper we proposed a model to investigate the behaviour of websites when dealing with invalid inputs. Many vulnerabilities rise from invalid inputs. An invalid input is considered as a form of a successful attack if it is processed by the website code or back-end database. Based on this assumption, we proposed a list of indicators that tested and processed invalid inputs. A tool is developed to implement this model. We tested the model through evaluating several websites selected randomly. Our tool has no special credentials or access to any of the tested websites. We found many SQL injection vulnerabilities based on our proposed model. Upon the manual investigation of the web pages that showed such vulnerabilities, we found few instances of false positives. We believe that this can provide a systematic and automated approach to test websites for vulnerabilities related to improper input validation.