9 research outputs found

    SQL Injection analysis, Detection and Prevention

    Web sites are dynamic, static, and most of the time a combination of both. Web sites need protection in their database to assure security. An SQL injection attack targets interactive web applications that provide database services. These applications take user inputs and use them to create an SQL query at run time. In an SQL injection attack, an attacker might insert a malicious SQL query as input to perform an unauthorized database operation. Using SQL injection attacks, an attacker can retrieve or modify confidential and sensitive information from the database. It may jeopardize the confidentiality and security of Web sites, which depend entirely on databases. This report presents a "code reengineering" approach that implicitly protects applications written in PHP from SQL injection attacks. It uses an original approach that combines static as well as dynamic analysis. [2] In this report, I also mention an automated technique for removing SQL injection vulnerabilities from Java code by converting plain-text inputs received from users into prepared statements. [3

    Examining audience perceptions and role of cookies in select news websites in Kenya: a case of Nation Africa and The Standard

    This thesis investigates the audience perceptions and the role of cookies in the user experience of selected news websites in Kenya. In an era dominated by digital media consumption, understanding how users interact with online news platforms is crucial for media practitioners and technology developers. The study focuses on the Kenyan context, exploring the unique dynamics that shape user engagement with news content and the impact of cookies on their online experience. The research employed a mixed-methods approach, combining a quantitative survey focused on audience perceptions of cookies and interactions with cookie consent notices with in-depth interviews with commercial website developers. Through the in-depth interviews, the study aims to capture the perspectives of commercial website developers on cookie applications on news websites. Concurrently, the analysis of cookies, small pieces of data stored on users' devices, provides insights into the technological mechanisms employed by news websites to enhance user experience, personalize content, and facilitate targeted advertising. Key objectives include understanding how users perceive the credibility and trustworthiness of news websites, assessing the role of personalized content in shaping user engagement, and examining the implications of cookie usage for privacy concerns. The research also explores the potential trade-offs between personalized content delivery and user privacy within the Kenyan online news landscape. The findings of this study contribute to the fields of media studies, digital journalism, and user experience design. By shedding light on audience perceptions and the impact of cookies on news consumption in Kenya, this research offers practical insights for media organizations, web developers, and policymakers seeking to enhance the online news experience while respecting user privacy.
In conclusion, this thesis provides a comprehensive analysis of audience perceptions and the role of cookies in selected news websites in Kenya. The research contributes to a nuanced understanding of the evolving dynamics between media consumption, technology, and user privacy in the digital age by bridging the gap between user perspectives and technological practices.

    XCS: Cross channel scripting and its impact on web applications

    We study the security of embedded web servers used in consumer electronic devices, such as security cameras and photo frames, and for IT infrastructure, such as wireless access points and lights-out management systems. All the devices we examine turn out to be vulnerable to a variety of web attacks, including cross site scripting (XSS) and cross site request forgery (CSRF). In addition, we show that consumer electronics are particularly vulnerable to a nasty form of persistent XSS where a non-web channel such as NFS or SNMP is used to inject a malicious script. This script is later used to attack an unsuspecting user who connects to the device's web server. We refer to web attacks which are mounted through a non-web channel as cross channel scripting (XCS). We propose a client-side defense against certain XCS which we implement as a browser extension.

    Computer Science's Digest Volume 1

    This series is dedicated to the students of the Systems Department, to give them reading material related to computer science in a second language. This book covers the Introduction to Computer Science, Computer Communications, Networking and Web Applications.

    Detecting Abnormal Behavior in Web Applications

    The rapid advance of web technologies has made the Web an essential part of our daily lives. However, network attacks have exploited vulnerabilities of web applications and caused substantial damage to Internet users. Detecting network attacks is the first and most important step in network security. A major branch in this area is anomaly detection. This dissertation concentrates on detecting abnormal behaviors in web applications by employing the following methodology. For a web application, we conduct a set of measurements to reveal the existence of abnormal behaviors in it. We observe the differences between normal and abnormal behaviors. By applying a variety of methods in information extraction, such as heuristic algorithms, machine learning, and information theory, we extract features useful for building a classification system to detect abnormal behaviors. In particular, we have studied four detection problems in web security. The first is detecting unauthorized hotlinking behavior that plagues hosting servers on the Internet. We analyze a group of common hotlinking attacks and the web resources targeted by them. Then we present an anti-hotlinking framework for protecting materials on hosting servers. The second problem is detecting aggressive behavior of automation on Twitter. Our work determines whether a Twitter user is human, bot or cyborg based on the degree of automation. We observe the differences among the three categories in terms of tweeting behavior, tweet content, and account properties. We propose a classification system that uses the combination of features extracted from an unknown user to determine the likelihood of being a human, bot or cyborg. Furthermore, we shift the detection perspective from automation to spam, and introduce the third problem, namely detecting social spam campaigns on Twitter.
Evolved from individual spammers, spam campaigns manipulate and coordinate multiple accounts to spread spam on Twitter, and display some collective characteristics. We design an automatic classification system based on machine learning, and apply multiple features to classifying spam campaigns. Complementary to conventional spam detection methods, our work brings efficiency and robustness. Finally, we extend our detection research into the blogosphere to capture blog bots. In this problem, detecting the human presence is an effective defense against the automatic posting ability of blog bots. We introduce behavioral biometrics, mainly mouse and keyboard dynamics, to distinguish between human and bot. By passively monitoring user browsing activities, this detection method does not require any direct user participation, and improves the user experience.

    Introducing hippocratic log files for personal privacy control

    The rapid growth of the Internet has served to intensify existing privacy concerns of the individual, to the point that privacy is the number one concern amongst Internet users today. Tools exist that can provide users with a choice of anonymity or pseudonymity. However, many Web transactions require the release of personally identifying information, thus rendering such tools infeasible in many instances. Since it is then a given that users are often required to release personal information, which could be recorded, it follows that they require a greater degree of control over the information they release. Hippocratic databases, designed by Agrawal, Kiernan, Srikant, and Xu (2002), aim to give users greater control over information stored in a database. Their design was inspired by the medical Hippocratic oath, and makes data privacy protection a fundamental responsibility of the database itself. To achieve the privacy of data, Hippocratic databases are governed by 10 key privacy principles. This dissertation argues that, aside from a few challenges, the 10 principles of Hippocratic databases can be applied to log files. This argument is supported by presenting a high-level functional view of a Hippocratic log file architecture. This architecture focuses on issues that highlight the control users gain over their personal information that is collected in log files. By presenting a layered view of the aforementioned architecture, it was, furthermore, possible to provide greater insight into the major processes that would be at work in a Hippocratic log file implementation. An exploratory prototype served to understand and demonstrate certain of the architectural components of Hippocratic log files. This dissertation thus makes a contribution to the ideal of providing users with greater control over their personal information, by proposing the use of Hippocratic log files.

    Web-based Secure Application Control

    The world wide web today serves as a distributed application platform. Its origins, however, go back to a simple delivery network for static hypertexts. The legacy from these days can still be observed in the communication protocol used by increasingly sophisticated clients and applications. This thesis identifies the actual security requirements of modern web applications and shows that HTTP does not fit them: user and application authentication, message integrity and confidentiality, control-flow integrity, and application-to-application authorization. We explore the other protocols in the web stack and work out why they cannot fill the gap. Our analysis shows that the underlying problem is the connectionless property of HTTP. However, history shows that a fresh start with web communication is far from realistic. As a consequence, we come up with approaches that contribute to meeting the identified requirements. We first present impersonation attack vectors that begin before the actual user authentication, i.e. when secure web interaction and authentication seem to be unnecessary. Session fixation attacks exploit a responsibility mismatch between the web developer and the web application framework in use. We describe and compare three countermeasures on different implementation levels: on the source code level, on the framework level, and on the network level as a reverse proxy. Then, we explain how the authentication credentials that are transmitted for the user login, i.e. the password, and for session tracking, i.e. the session cookie, can be complemented by browser-stored and user-based secrets respectively. This way, an attacker cannot hijack user accounts only by phishing the user's password because an additional browser-based secret is required for login. Also, the class of well-known session hijacking attacks is mitigated because a secret only known by the user must be provided in order to perform critical actions.
In the next step, we explore alternative approaches to static authentication credentials. Our approach implements a trusted UI and a mutually authenticated session using signatures as a means to authenticate requests. This way, it establishes a trusted path between the user and the web application without exchanging reusable authentication credentials. As a downside, this approach requires support on the client side and on the server side in order to provide maximum protection. Another approach avoids client-side support but cannot implement a trusted UI and is thus susceptible to phishing and clickjacking attacks. The approaches described so far increase the security level of all web communication at all times. This is why we investigate adaptive security policies that fit the actual risk instead of permanently restricting all kinds of communication, including non-critical requests. We develop a smart browser extension that detects when the user is authenticated on a website, meaning that she can be impersonated because all requests carry her identity proof. Uncritical communication, however, is released from restrictions to enable all intended web features. Finally, we focus on attacks targeting a web application's control-flow integrity. We explain them thoroughly, check whether current web application frameworks provide means for protection, and implement two approaches to protect web applications: The first approach is an extension for a web application framework and provides protection based on its configuration by checking all requests for policy conformity.
The second approach generates its own policies ad hoc based on the observed web traffic, assuming that regular users only click on links and buttons and fill in forms but do not craft requests to protected resources.
Today's World Wide Web is a distributed platform for applications of every kind: from simple web pages through online banking, e-mail and multimedia entertainment to intelligent networked homes and cities. Its origins, however, lie in a simple network for delivering static content based on hypertexts. These origins can still be identified in the communication protocol in use, HTTP. In this thesis we examine the security requirements of modern web applications and show that HTTP cannot meet these requirements. These requirements include the authentication of users and applications, the integrity and confidentiality of messages, control-flow integrity, and the mutual authorization of applications. We examine the web protocols on the lower network layers and show that they cannot meet the security requirements either. Our analysis shows that the fundamental problem lies in the connectionless nature of HTTP. However, history has shown that a fresh start with an improved protocol is not an option for a system that has grown the way the World Wide Web has. For this reason, this thesis presents our contributions to secure web communication on the basis of the existing connectionless HTTP. We begin by describing session fixation attacks, which start before the user actually logs in to the web application and, if successful, allow the temporary takeover of the user account. We present three countermeasures that can be applied depending on how far the web application can be modified.
Next we address the problem that credentials on the WWW are both communicated between the participants for authentication purposes and reusable by anyone who obtains knowledge of them. Our approaches bind the user password to an authentication feature stored in the browser, and the so-called session cookie to a secret known only to the user and the web application. In this way an attacker can use neither a stolen password nor a session cookie alone to access the user account. Subsequently we describe an authentication protocol that dispenses entirely with the transmission of secret credentials. Our approach implements a trusted user interface and thus counters the manipulation of the UI in conventional browsers. Whereas the approaches so far increase the security of all web communication, we then turn to the question of how far an intelligent browser can protect the user from attacks when necessary and permit unhindered communication when possible. Our approach thereby contributes to the acceptance of security solutions that are otherwise regularly perceived as annoying restrictions. Finally we focus on the control-flow integrity of web applications. Malicious users can manipulate the state of applications to their advantage by means of specially prepared sequences of requests. Our approaches filter user requests that the application did not expect and let through only those requests that the application can process properly.

    Emerging digital banking service quality dimensions and their impact on elderly customer satisfaction and engagement: a study in Sri Lankan context

    This research is based on the impact of emerging digital banking service quality dimensions on elderly customer satisfaction and engagement in the Sri Lankan context. Security and privacy, perceived usefulness, perceived ease of use, perceived personalization and web aesthetics have been identified as the emerging service qualities in this new age of digital banking. Research on emerging service quality dimensions has become very crucial to both academics and practitioners; however, very little scholarly research has directed service marketers as to how they can influence elderly customer satisfaction and engagement. In recognition of these current gaps in knowledge, this thesis investigates three research gaps that are addressed through three research questions. First, the research explores how security and privacy, perceived usefulness, perceived ease of use, perceived personalization and web aesthetics influence elderly customer satisfaction (RQ1). Second, the research investigates the influence of perceived personalization on elderly customer engagement (RQ2). Third, it investigates the impact of in-person engagement and digital engagement on elderly customer satisfaction (RQ3). To address the three research questions, the research in this thesis employed a theory-building study, followed by a theory-testing study, using a mixed-method approach. Study one used the convergent interview method to collect data from 30 elderly customers who had been engaged with a digital banking service provider for more than 6 months. The study qualitatively explored the interviewees' perceptions of security and privacy, perceived usefulness, perceived ease of use, perceived personalization, web aesthetics, in-person engagement and digital engagement. Study two collected data from digital banking customers (above the age of 60) of two leading retail banks in Sri Lanka, resulting in a sample of n=275. The data was collected using a web-based survey that contained 28 items.
The factors contained in the conceptual model were drawn from both the literature and the theory-building study. The measurement items were drawn from prior research and thematic findings. A five-point Likert scale was used to measure the items. Structural equation modelling (SEM) was then used to analyse the hypothesized relationships in the model. Four out of nine hypothesized relationships were supported by the results of this theory-testing study. The results of the study confirm that all five service quality dimensions identified (security and privacy, perceived usefulness, perceived ease of use, web aesthetics and perceived personalisation) are distinct constructs. The results also indicate that all five service quality dimensions have appropriate reliability, and each dimension has a significant correlation with the other dimensions and a significant influence on the digital banking habits of elderly customers on the digital platform. Findings suggest that perceived usefulness is the key driver of elderly customer satisfaction with digital banking, followed by in-person engagement, perceived personalization, security and privacy, perceived ease of use and web aesthetics respectively. This means that elderly customers are more satisfied and engaged if the digital banking service provider augments the value proposition of digital banking with a clear understanding of the special needs they have. In other words, elderly customers are willing to engage and learn more about digital banking and to have a much better and fully fledged customer experience on the digital platform. Key words: service quality dimensions, digital banking, perceived personalization, engagement and usefulness, customer satisfaction, in-person and digital engagement

    Hijacking the web
