Web Application Security Research Papers
This report focuses on vulnerabilities of web applications and websites to Cross-Site Scripting (XSS) attacks. The different types of XSS attacks are examined: DOM-based, active and passive attacks. The spread of XSS attacks across platforms (government and financial institutions, transportation companies, hospitality and entertainment) has been analyzed. Research and analysis of the security of corporate websites and their resistance to XSS attacks have been carried out. The basic guidelines for preventing valuable data theft and unauthorized access to websites and applications from XSS attacks are reviewed and systematized.
Obtaining the desired dataset is still a prime challenge faced by researchers while analysing Online Social Network (OSN) sites. Application Programming Interfaces (APIs) provided by OSN service providers for retrieving data impose several unavoidable restrictions which make it difficult to get a desirable dataset. In this paper, we present an iMacros technology-based data crawler called IMcrawler, capable of collecting every piece of information which is accessible through a browser from the Facebook website within the legal framework reauthorized by Facebook. The proposed crawler addresses most of the challenges allied with web data extraction approaches and most of the APIs provided by OSN service providers. Two broad sections have been extracted from Facebook user profiles, namely, Personal Information and Wall Activities. The collected data is pre-processed into two datasets and each data set is statistically analysed to draw semantic knowledge and understand the several behavior...
We propose a log-based analysis tool for evaluating web application computer systems. A feature of the tool is the integration of the software log with the infrastructure log. Software engineers alone can resolve system faults with the tool, even if the faults are complicated by both software problems and infrastructure problems. The tool consists of 5 steps: preparation software, preparation infrastructure, collecting logs, replaying the log data, and tracing the log data. The tool was applied to a simple web application system in a small-scale local area network. We confirmed the usefulness of the tool when a software engineer detects faults behind system failures such as "404" and "no response" errors. In addition, the tool was partially applied to a real large-scale computer system with many web applications and a large network environment. Using the replaying and the tracing in the tool, we found the causes of a real authentication error. The causes combined an infrastructure problem with a software problem. Even if the failure is caused by not only a software problem but also an infrastructure problem, we confirmed that software engineers alone could distinguish between a software problem and an infrastructure problem using the tool.
Today almost all organizations have improved their performance by allowing more information exchange within their organization as well as between their distributors, suppliers, and customers using web support. Databases are central to modern websites as they provide necessary data as well as store critical information such as user credentials, financial and payment information, company statistics etc. These websites have
In this article, we will discuss keylogger attacks with XSS.
Abstract-- When an internet user interacts in the web environment by surfing the Net, sending electronic mail messages and participating in online forums, a lot of data is generated which may contain the user’s private information. If this information is captured by third-party tools and techniques, it may cause a breach of end-user privacy. In the Web environment, end-user privacy is one of the most controversial legal issues. In this paper, issues related to information leakage through SQL injection attacks are presented and protection mechanisms are also discussed.
Fuzz testing (also known as fuzzing) is a blackbox testing technique for finding flaws in software by feeding random input into applications and monitoring for crashes.
Programs that generate fuzz data are called fuzzers and they generate input data that test engineers might not think of. There are two categories of fuzzers, unintelligent (UF) and intelligent (IF). The difference lies in the method of input data generation. UF has no prior knowledge of the input format, while IF knows the format, which enables it to specify semi-valid data for what it is attempting to fuzz.
Sources like [21, 20] have indicated that user input in web applications is a huge problem. Fuzzing might prove to be a valuable method for finding flaws in these types of applications. However, the research that has been done on fuzzing web applications [6] has made use of UF. In this thesis we will introduce and evaluate an IF method based on validators.
Many modern web applications are developed using specialized web frameworks that make use of validators that validate incoming input before further actions are taken by the application.
Our hypothesis is that the data generated by a UF will often be evaluated as invalid by validators that are in place and will therefore have superficial code coverage. Intelligent fuzz data that is generated within validator constraints will have better code coverage and will therefore trigger more flaws.
In order to evaluate the effectiveness of our IF method we have fuzzed a set of typical web applications using 3 different fuzzing methods: UF, our IF method and fuzzing with manually defined fuzz format specifications.
The results of this experiment indicate that our method of intelligent fuzzing performs marginally better while requiring more manual effort. This manual effort can be further automated, which would make it a valuable addition to fuzzing web applications.
Web Applications security has become progressively more important these days. Enormous numbers of attacks are being deployed on the web application layer. Due to dramatic increase in Web applications, security gets vulnerable to variety of threats. Most of these attacks are targeted towards the web application layer and network firewall alone cannot prevent these kinds of attacks. The basic reason behind success of these attacks is the ignorance of application developers while writing the web applications and the vulnerabilities in the existing technologies. Web application attacks are the latest trend and hackers are trying to exploit the web application using different techniques. Various solutions are available as open source and in commercial market. But the selection of suitable solution for the security of the organizational systems is a major issue. This survey paper compared the Web Application Firewall (WAF) solutions with important features necessary for the security at application layer. Critical analysis on WAF solutions is helpful for the users to select the most suitable solution to their environments.
Web applications usually need to store sensitive information such as passwords, credit card information, and so on. Because these items are sensitive, they need to be encrypted to prevent direct access
Deep web content cannot be indexed by search engines such as Google, Yahoo and Bing, and the darknet lies within the deep web. The dark web has been intentionally hidden and it is not accessible through a standard browser. Deep web can be accessed by anyone who has The Onion Router (TOR) browser. TOR is a virtual and encrypted tunnel which allows people to hide their identity and network traffic, and allows them to use the internet anonymously. The dark web is virtually an online market for anything, including but not limited to drugs, weapons, credit card data, forged documents, hire services for murder, narcotics and indecent pornography etc. Because of these reasons, it is difficult for law enforcement agencies or digital forensic professionals to pinpoint the origin of traffic, location or ownership of any computer or person on the darknet. There has been a lot of buzz around Bitcoin, the TOR network and the darknet, because most of the darknet sites carried out transactions through anonymous digital currency, peer to peer, distributed and Bitcoin which is based on cryptography principle. In this research paper, I proposed darknet forensics techniques, which is a combination of TOR browser and Bitcoin wallet forensics. I also proposed and discussed different techniques to retrieve evidence from TOR browser and Bitcoin wallet, which helps digital forensics professionals to perform darknet forensics.
SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application’s database server (also commonly referred to as a Relational Database Management System – RDBMS). Since an SQL injection vulnerability could possibly affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities.
By leveraging SQL injection vulnerability, given the right circumstances, an attacker can use it to bypass a web application’s authentication and authorization mechanisms and retrieve the contents of an entire database. SQL injection can also be used to add, modify and delete records in a database, affecting data integrity.
To such an extent, SQL injection can provide an attacker with unauthorized access to sensitive data including customer data, personally identifiable information (PII), trade secrets, intellectual property and other sensitive information.
By taking advantage of vulnerability, cyber criminals are easily able to steal confidential data of the ICT, resulting in heavy loss. Vulnerability Assessment and Penetration Testing (VAPT) is a special approach to eliminate various security threats from the web application. By focusing on high-risk vulnerabilities such as SQL Injection, Cross Site Scripting, Local File Inclusion and Remote File Inclusion, in this paper we have surveyed the literature to study the general mechanics of the VAPT process and gather tools which can be useful during the VAPT process.
Today web-based systems are very popular. These systems may have some inherent security vulnerabilities due to the languages they use. It is very important to identify these vulnerabilities for the development of quality and secure web applications. There are many commercial and open source applications that detect security vulnerabilities on the websites application level. However, developers are curious about which tools detected security vulnerabilities, and their performance rates. In this study, it is aimed to analyse the frequently used web vulnerability test tools with sample scenarios and compare these tools.
The numbers of security vulnerabilities that are being found today are much higher in applications than in operating systems. This means that the attacks aimed at web applications are exploiting vulnerabilities at the application level and not at the transport or network level like common attacks from the past. At the same time, the quantity and impact of security vulnerabilities in such applications have grown as well. Many transactions and confidential data are performed online with various kinds of web applications. SQL Injection and Cross-Site Scripting are the most common and high-risk vulnerabilities on web applications. The free/open source tools that are mainly used for scanning the web application are W3AF, Wapiti and ZAP. This thesis researches these three selected tools in more detail. These tools are the best tools for scanning SQL Injection and Cross-Site Scripting. The web application vulnerabilities SQL Injection and Cross-Site Scripting are the high-risk vulnerabilities in PHP based web applications and W3AF is the best scanning tool for these vulnerabilities. Among the tools used, W3AF has fewer false positives and false negatives in comparison to the Wapiti and ZAP scanning tools. Also, the vulnerability detection ability of W3AF is high, so it is the best scanning tool for web applications based on the PHP programming language.
Keywords: Web application security – Web vulnerability scanning tools – SQL injections – Cross Site Scripting
- by Laxman Chhetri and +1
- Web Applications, Web Application Security
After completing an attack, covering tracks is the next step in penetration testing. In tracks covering, after completing the attack we will return to each exploited system to erase tracks and clean up all footprints we left behind. Tracks covering is important because it gives clues to the forensics analyst or Intrusion Detection System (IDS). Sometimes it’s difficult to hide all tracks but an attacker can manipulate the system to confuse the examiner and make it almost impossible to identify the extent of the attacker. In this research paper we describe all of the methods used in tracks covering and their future scope.
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
Abstract-Web application security is the hottest issue in the present scenario of e-business environment. Web application attacks can play havoc with the system within no time. More than 80% attacks are at application layer and almost 90% applications are vulnerable to these ...
Web applications are becoming a requisite mediator to provide access to the various on-line dynamic web services. As more features are added to make web applications interactive and efficient, attackers get more options to bypass those vulnerabilities. According to the OWASP Community, the number of web attacks has been increasing drastically over the last few years. Cross Site Scripting (XSS) is one of the vulnerabilities commonly found on websites, and it affects both the client and the server. These types of attack usually take place due to vulnerabilities of the User Interface. This paper discusses why the Cross Site Scripting attack is so threatening and what the potential consequences of such attacks are. Further, this article provides an approach to user input sanitization techniques to prevent critical XSS attacks.
This project deals with injection attacks and, in particular, examines command injection and SQL injection attacks in depth. The choice arose from considerations related to security risk. In the first part I define what risk is for a computer system and what risk is for a web application according to the guidance of OWASP, The Open Web Application Security Project. This non-profit organization publishes a report on the major security risks for web applications roughly every three years. After listing the 10 worst security risks compiled in the 2017 report, I observed the constant presence of injections in first position as the greatest cause of danger in terms of exploitability and potential technical and economic damage to the hosting infrastructure. The data published by Imperva on the wide spread of these flaws on the web also drew attention to the problem. The injectable surfaces are extensive because the attack vectors are many: code injection, CRLF injection, cross-site scripting, email injection, host header injection, LDAP injection, command injection, SQL injection (SQLi), xpath injection. Among these different forms I concentrated on command injection and SQL injection, that is, on the vulnerable modules available in the DVWA (Damn Vulnerable Web Application) training platform. In the second part of the paper I presented a LAB based on DVWA. In a virtual machine I installed two distinct operating systems, Parrot Security OS and Debian, the first representing the Attacker machine and the second the Victim machine. On the latter, Apache2, MariaDB, phpMyAdmin and DVWA were added, as required for the white-box testing phase. Using the different security levels I analyzed how to protect a web application against command injection and SQL injection attacks.
Serious weaknesses were discovered in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected WPA2 Wi-Fi networks. Depending on the handshake mechanism, it is also possible to inject and manipulate data. A solution is proposed to provide a secure handshake by capturing and analyzing the EAPOL packets to prevent the nonce reuse that occurs on reinstallation of the Pairwise Transient Key (PTK), which happens if there is an attack. Our patches block access to the victim system via the rogue AP created by the KRACK, alert the client about the suspicious activity and block the attacker from further attacking.
Modern web applications have higher user expectations and greater demands than ever before. The security of these applications is no longer optional; it has become an absolute necessity. Web applications contain vulnerabilities, which may lead to serious security flaws such as stealing of confidential information. To protect against security flaws, it is important to understand the detailed steps of attacks and the pros and cons of existing possible solutions. The goal of this paper is to research modern web application security flaws and vulnerabilities. It then describes, step by step, possible approaches to mitigate them.
The web is an absolutely necessary part of our lives. It is a wide platform which is used for information sharing and services over the internet. It is used for financial, government, healthcare, education and many other critical services. Every day billions of users purchase items, transfer money, retrieve information and communicate with each other over the web. The web is the best friend of users because it provides anytime, anywhere access to information and services at the same time. All things in the world created by humans are a little bit problematic, and since web applications are also created by humans, they contain many loopholes. The popularity of applications allures hackers towards them. Nowadays securing and maintaining websites against attack is a very hard and challenging task. Finding loopholes in a web application, computer system or network and exploiting them is called hacking. New approaches for web attacks are invented day by day, so the study of detecting and preventing web application attacks and finding solutions is an important part of the internet world. In this paper we introduce all web application based attacks, including two major attacks, XSS (Cross Site Scripting) and SQLI.
- by International Journal of Information Sciences and Techniques (IJIST)
- Cloud Computing, Distributed System, Peer-to-Peer, Philosophy, Security, Semantic Web, Sensor Network Security, Web Application Security, Computer and Network Security, Information Assurance and Security, Cyber Security, Access Control in Collaborative, Mobile, Pervasive and Grid Systems, Semantic Web and Security Ontologies, Internet and web security
Abstract. Many companies are deploying their business on the Internet using web applications while the question of what is the risk to business operations of cyber-attacks remains unanswered. Risk awareness allows to identify and act upon the security risk of these applications. This paper analyzes different security frameworks commonly used by companies in order to evaluate the benefits of honeypots in responding to each framework's requirements and, consequently, mitigating the risk.
Website technology initially used only HTML, which served to display static content (web 1.0). As it developed, especially in the era of modern websites (web 2.0), HTML came to be combined with dynamic web programming languages such as PHP, ASP.Net, and JSP. To make web pages more interactive and responsive, these programming languages alone are not enough. AJAX technology therefore emerged, which can produce more responsive and interactive web pages. The use of AJAX in modern web applications also lets pages load faster and saves internet connection bandwidth, because data transfer between client and server happens asynchronously. The main aim of this research is to examine the data transfer mechanism that takes place and to compare access speeds between client computers and the server (web and database server), especially on web pages that use AJAX technology. The research methods used are a case study and a literature review analysis of several studies related to the use of AJAX technology. Through this research, the AJAX engine model, which is a function in JavaScript, can be studied well in order to produce a web page model with good connectivity between the client computers connected to the server.
Keywords: AJAX, web programming, web 2.0, interactive website
This paper talks about the nuisances of HTTP Parameter Pollution - a web application based attack used by penetration testers to pollute the parameters and use these same techniques for significant bypasses which could trigger or support other forms of application attacks, providing a potential attack surface open to malicious users.