CSSXC: Context-sensitive Sanitization Framework for Web Applications against XSS Vulnerabilities in Cloud Environments

AbstractThis paper presents a context-sensitive sanitization based XSS defensive framework for the cloud environment. It discovers all the hidden injection points in HTML5-based web applications deployed on the platforms of cloud and sanitizes the XSS attack payloads injected in such points in a context sensitive manner. The identification of such injection points permits our technique to retrieve each possible web page of application, allowing a wider exploration and accelerating the process of applying the sanitizers on the untrusted variables of web application. The XSS attack mitigation capability of our framework was evaluated on web applications deployed for the cloud users in the cloud environment. The experimental results reveal that this technique detects the XSS attack payloads with minimum rate of false negatives and less runtime overhead

Securing Web Applications from malware attacks using hybrid feature extraction

In this technological era, many of the applications are taking the utilization of services of internet in order to cater to the needs of its users. With the rise in number of internet users, there's a substantial inflation within the internet attacks. Because of this hike, Web Services give rise to new security threats. One among the major concerns is the susceptibility of the internet services for cross site scripting (XSS). More than three fourths of the malicious attacks are contributed by XSS. This article primarily focuses on detection and exploiting XSS vulnerabilities. Generally, improper sanitization of input results in these type of susceptibilities. This article primarily focuses on fuzzing, and brute forcing parameters for XSS vulnerability. In addition, we've mentioned the planned framework for contradicting XSS vulnerability

Análisis de vulnerabilidades de sistemas web en desarrollo y en producción

La realización de pruebas de penetración permiten detectar las vulnerabilidades de los sistemas de información, en el caso particular del proyecto de investigación y desarrollo que se lleva a cabo en UTN FRC, se han realizado acciones de esta metodología en sistemas web que desarrollan los estudiantes del último año de la carrera de Ingeniería en Sistemas de Información y con acciones similares que se realizaron en Sistemas web en producción de empresas privadas nacionales e internacionales. Se presentará el abordaje teórico, la metodología utilizada y las técnicas con las que se llevan a cabo diversas pruebas manuales, se muestran los resultados obtenidos de aplicar la metodología para luego sentar las bases en búsqueda de la repetición de dichas pruebas ante un mismo sistema objetivo generando su automatización.Eje: Seguridad Informática.Red de Universidades con Carreras en Informátic

Securing Web Applications from malware attacks using hybrid feature extraction

In this technological era, many of the applications are taking the utilization of services of internet in order to cater to the needs of its users. With the rise in number of internet users, there's a substantial inflation within the internet attacks. Because of this hike, Web Services give rise to new security threats. One among the major concerns is the susceptibility of the internet services for cross site scripting (XSS). More than three fourths of the malicious attacks are contributed by XSS. This article primarily focuses on detection and exploiting XSS vulnerabilities. Generally, improper sanitization of input results in these type of susceptibilities. This article primarily focuses on fuzzing, and brute forcing parameters for XSS vulnerability. In addition, we've mentioned the planned framework for contradicting XSS vulnerability

Análisis de vulnerabilidades de sistemas web en desarrollo y en producción

La realización de pruebas de penetración permiten detectar las vulnerabilidades de los sistemas de información, en el caso particular del proyecto de investigación y desarrollo que se lleva a cabo en UTN FRC, se han realizado acciones de esta metodología en sistemas web que desarrollan los estudiantes del último año de la carrera de Ingeniería en Sistemas de Información y con acciones similares que se realizaron en Sistemas web en producción de empresas privadas nacionales e internacionales. Se presentará el abordaje teórico, la metodología utilizada y las técnicas con las que se llevan a cabo diversas pruebas manuales, se muestran los resultados obtenidos de aplicar la metodología para luego sentar las bases en búsqueda de la repetición de dichas pruebas ante un mismo sistema objetivo generando su automatización.Eje: Seguridad Informática.Red de Universidades con Carreras en Informátic

Análisis de vulnerabilidades de sistemas web en desarrollo y en producción

La realización de pruebas de penetración permiten detectar las vulnerabilidades de los sistemas de información, en el caso particular del proyecto de investigación y desarrollo que se lleva a cabo en UTN FRC, se han realizado acciones de esta metodología en sistemas web que desarrollan los estudiantes del último año de la carrera de Ingeniería en Sistemas de Información y con acciones similares que se realizaron en Sistemas web en producción de empresas privadas nacionales e internacionales. Se presentará el abordaje teórico, la metodología utilizada y las técnicas con las que se llevan a cabo diversas pruebas manuales, se muestran los resultados obtenidos de aplicar la metodología para luego sentar las bases en búsqueda de la repetición de dichas pruebas ante un mismo sistema objetivo generando su automatización.Eje: Seguridad Informática.Red de Universidades con Carreras en Informátic

Regular expressions considered harmful in client-side xss filters

Cross-site scripting flaws have now surpassed buffer overflows as the world’s most common publicly-reported security vulnerability. In recent years, browser vendors and researchers have tried to develop client-side filters to mitigate these attacks. We analyze the best existing filters and find them to be either unacceptably slow or easily circumvented. Worse, some of these filters could introduce vulnerabilities into sites that were previously bug-free. We propose a new filter design that achieves both high performance and high precision by blocking scripts after HTML parsing but before execution. Compared to previous approaches, our approach is faster, protects against more vulnerabilities, and is harder for attackers to abuse. We have contributed an implementation of our filter design to the WebKit open source rendering engine, and the filter is now enabled by default in the Google Chrome browser

On web security: a trusted notification system.

Tse, Kai Shun Scottie."December 2010."Thesis (M.Phil.)--Chinese University of Hong Kong, 2011.Includes bibliographical references (p. 52-54).Abstracts in English and Chinese.Abstract --- p.iiAcknowledgements --- p.iiiList of Figures --- p.viChapter 1 --- Introduction --- p.1Chapter 1.1 --- Web 2.0 --- p.2Chapter 1.2 --- Research Motivation --- p.2Chapter 2 --- Background Study on Web Attacks --- p.4Chapter 2.1 --- Cross Site Scripting (XSS) --- p.5Chapter 2.2 --- Cross Channel Scripting (XCS) --- p.6Chapter 2.3 --- Cross Site Request Forgery (CSRF) --- p.6Chapter 2.4 --- Click Jacking --- p.7Chapter 2.5 --- Extension and plugins vulnerabilities --- p.8Chapter 2.6 --- Privacy Issue --- p.10Chapter 2.7 --- Network security --- p.12Chapter 2.8 --- Developer implementation flaw --- p.13Chapter 2.9 --- Chapter Summary --- p.15Chapter 3 --- Defenses on Web Attacks --- p.17Chapter 3.1 --- Same Origin Policy --- p.17Chapter 3.2 --- Filtering mechanism --- p.18Chapter 3.2.1 --- Client-side filtering --- p.18Chapter 3.2.2 --- Server-side filtering --- p.19Chapter 3.3 --- XSS Defenses --- p.20Chapter 3.4 --- CSRF Defenses --- p.22Chapter 3.5 --- Browser warnings --- p.23Chapter 3.6 --- Chapter Summary --- p.24Chapter 4 --- On web communication --- p.26Chapter 4.1 --- On cross domain communication --- p.26Chapter 4.1.1 --- HTML5 --- p.26Chapter 4.1.2 --- Flash 10 --- p.28Chapter 4.1.3 --- Extended studys crossdomain.xml of Flash --- p.29Chapter 4.2 --- On cross frame communication --- p.32Chapter 4.3 --- Trusted Notification System --- p.35Chapter 4.3.1 --- Assumptions --- p.35Chapter 4.3.2 --- Implementation Issues --- p.35Chapter 4.3.3 --- Information flow --- p.37Chapter 4.3.4 --- Features --- p.38Chapter 4.3.4.1 --- Counter fake --- p.38Chapter 4.3.4.2 --- Plug and play --- p.38Chapter 4.3.4.3 --- Mitigate future attacks --- p.39Chapter 4.3.4.4 --- Session persist after logout --- p.39Chapter 4.3.4.5 --- Follow the standards --- p.40Chapter 4.3.5 --- Related works --- p.40Chapter 4.4 --- Chapter Summary --- p.41Chapter 5 --- Conclusion --- p.43Chapter 5.1 --- Contributions --- p.43Chapter 5.2 --- Discussions and future work --- p.44Chapter A --- Non-persistent XSS attack on Horde --- p.45Chapter B --- Data tampering attack on facebook application --- p.50Bibliography --- p.5

Analysis of attacks on content security policies

Cross-site scripting attacks are a major threat to web applications. Such attacks are used to inject undesirable content into web pages. The Content Security Policy is an approach to mitigate content injection and secure websites. The security mechanism is added to the HTTP header and prohibits the execution of inline scripts, whitelists resources and bans dangerous JavaScript functions. CSP is a client side protection and is enforced by the browser. The real-world adoption of the Content Security Policy is investigated due to the promising protection of CSP against cross-site scripting, having an adoption rate of 2.5% for the one million most popular sites in 2018. Unfortunately, the effort to make websites CSP compatible is high and results in a trade-off between security and functionality. Additionally, the security of CSP against content injection cannot keep its promises. In literature 94.72% of all investigated real-world policies are bypassed due to unsafe endpoints in the whitelist and other vulnerabilities. Finally, these numbers require changes in the use and concept of CSP.Cross-Site-Scripting Attacken sind eine große Bedrohung für Webapplikationen. Solche Angriffe werden genutzt, um unerwünschte Inhalte in Webseiten einzuschleusen. Die Content Security Policy ist ein Ansatz um die Auswirkung von Content Injection abzuschwächen und Website sicherer zu machen. Der Sicherheitsmechanismus wird dem HTTP Header hinzugefügt und blockiert die Ausführung von Inlineskripten, fügt Ressourcen einer Whitelist hinzu und verbietet gefährliche JavaScript Funktionen. CSP ist ein Schutz auf Seite des Clients und wird vom Browser ausgeführt. Die Adaptionsrate der Content Security Policy wird anhand echter Zahlen untersucht, da der Schutz von CSP gegenüber Cross-Site-Scripting als vielversprechend gilt und bereits von 2.5% von den ein Million meistbesuchtesten Websites in 2018 implementiert ist. Leider führt der hohe Aufwand eine Website CSP kompatibel zu machen zu einem Kompromiss zwischen Sicherheit und Funktionalität. Zusätzlich kann das Sicherheitsversprechen, das CSP als Schutz gegen Content Injection bietet, nicht eingehalten werden. In der Fachliteratur werden 94.72% aller untersuchten Policies durch unsichere Endpunkte in der Whitelist und andere Lücken ausgehebelt. Schlussendlich fordern solche Zahlen Veränderungen in der Anwendung und im Konzept von CSP