16,960 research outputs found
Analyzing Android Browser Apps for file:// Vulnerabilities
Securing browsers in mobile devices is very challenging, because these
browser apps usually provide browsing services to other apps in the same
device. A malicious app installed in a device can potentially obtain sensitive
information through a browser app. In this paper, we identify four types of
attacks in Android, collectively known as FileCross, that exploits the
vulnerable file:// to obtain users' private files, such as cookies, bookmarks,
and browsing histories. We design an automated system to dynamically test 115
browser apps collected from Google Play and find that 64 of them are vulnerable
to the attacks. Among them are the popular Firefox, Baidu and Maxthon browsers,
and the more application-specific ones, including UC Browser HD for tablet
users, Wikipedia Browser, and Kids Safe Browser. A detailed analysis of these
browsers further shows that 26 browsers (23%) expose their browsing interfaces
unintentionally. In response to our reports, the developers concerned promptly
patched their browsers by forbidding file:// access to private file zones,
disabling JavaScript execution in file:// URLs, or even blocking external
file:// URLs. We employ the same system to validate the ten patches received
from the developers and find one still failing to block the vulnerability.Comment: The paper has been accepted by ISC'14 as a regular paper (see
https://daoyuan14.github.io/). This is a Technical Report version for
referenc
How to design browser security and privacy alerts
Browser security and privacy alerts must be designed to ensure they are of value to the end-user, and communicate risks efficiently. We performed a systematic literature review, producing a list of guidelines from the research. Papers were analysed quantitatively and qualitatively to formulate a comprehensive set of guidelines. Our findings seek to provide developers and designers with guidance as to how to construct security and privacy alerts. We conclude by providing an alert template, highlighting its adherence to the derived guidelines
Blocking Java Applets at the Firewall
This paper explores the problem of protecting a site on the Internet against hostile external Java applets while allowing trusted internal applets to run. With careful implementation, a site can be made resistant to current Java security weaknesses as well as those yet to be discovered. In addition, we describe a new attack on certain sophisticated firewalls that is most effectively realized as a Java applet
Reducing risky security behaviours:utilising affective feedback to educate users
Despite the number of tools created to help end-users reduce risky security behaviours, users are still falling victim to online attacks. This paper proposes a browser extension utilising affective feedback to provide warnings on detection of risky behaviour. The paper provides an overview of behaviour considered to be risky, explaining potential threats users may face online. Existing tools developed to reduce risky security behaviours in end-users have been compared, discussing the success rate of various methodologies. Ongoing research is described which attempts to educate users regarding the risks and consequences of poor security behaviour by providing the appropriate feedback on the automatic recognition of risky behaviour. The paper concludes that a solution utilising a browser extension is a suitable method of monitoring potentially risky security behaviour. Ultimately, future work seeks to implement an affective feedback mechanism within the browser extension with the aim of improving security awareness
Reverse Proxy Framework using Sanitization Technique for Intrusion Prevention in Database
With the increasing importance of the internet in our day to day life, data
security in web application has become very crucial. Ever increasing on line
and real time transaction services have led to manifold rise in the problems
associated with the database security. Attacker uses illegal and unauthorized
approaches to hijack the confidential information like username, password and
other vital details. Hence the real time transaction requires security against
web based attacks. SQL injection and cross site scripting attack are the most
common application layer attack. The SQL injection attacker pass SQL statement
through a web applications input fields, URL or hidden parameters and get
access to the database or update it. The attacker take a benefit from user
provided data in such a way that the users input is handled as a SQL code.
Using this vulnerability an attacker can execute SQL commands directly on the
database. SQL injection attacks are most serious threats which take users input
and integrate it into SQL query. Reverse Proxy is a technique which is used to
sanitize the users inputs that may transform into a database attack. In this
technique a data redirector program redirects the users input to the proxy
server before it is sent to the application server. At the proxy server, data
cleaning algorithm is triggered using a sanitizing application. In this
framework we include detection and sanitization of the tainted information
being sent to the database and innovate a new prototype.Comment: 9 pages, 6 figures, 3 tables; CIIT 2013 International Conference,
Mumba
Some security issues for web based frameworks
This report investigates whether a vulnerability found in one web framework may be used to find a vulnerability in a different web framework. To test this hypothesis, several open source applications were installed in a secure test environment together with security analysis tools. Each one of the applications were developed using a different software framework. The results show that a vulnerability identified in one framework can often be used to find similar vulnerabilities in other frameworks. Crosssite scripting security issues are the most likely to succeed when being applied to more than one framework
- ā¦