
    Defensive Approaches on SQL Injection and Cross-Site Scripting Attacks

    SQL Injection attacks are the most common attacks on web applications. Statistical analysis shows that many web sites which interact with a database are prone to SQL Injection and XSS attacks. Although different kinds of vulnerability detection systems and attack detection systems exist, there is no efficient system for detecting these kinds of attacks. SQL Injection attacks are possible due to design drawbacks in websites which interact with back-end databases, and successful attacks may cause extensive damage. State-of-the-art web application input validation techniques fail to identify SQL and XSS vulnerabilities accurately because of the correctness of the systems' sanity checking capability and the placement of validators in the applications. These systems also fail while processing HTTP Parameter Pollution attacks. An extensive survey of SQL Injection attacks is conducted to present various detection and prevention mechanisms.

    Augmented attack tree modeling of SQL injection attacks

    The SQL injection attack (SQLIA) vulnerability is extremely widespread and poses a serious security threat to web applications with built-in access to databases. The SQLIA adversary intelligently exploits the SQL statement parsing operation of web servers via specially constructed SQL statements that subtly lead to non-explicit executions or modifications of the corresponding database tables. In this paper, we present a formal and methodical way of modeling SQLIAs by way of augmented attack trees. This modeling explicitly captures the particular subtle incidents triggered by SQLIA adversaries and the corresponding state transitions. To the best of our knowledge, this is the first known attack tree modeling of SQL injection attacks.

    Toward least-privilege isolation for software

    Hackers leverage software vulnerabilities to disclose, tamper with, or destroy sensitive data. To protect sensitive data, programmers can adhere to the principle of least privilege, which entails giving software the minimal privilege it needs to operate and ensures that sensitive data is only available to software components on a strictly need-to-know basis. Unfortunately, applying this principle in practice is difficult, as current operating systems tend to provide coarse-grained mechanisms for limiting privilege. Thus, most applications today run with greater-than-necessary privileges. We propose sthreads, a set of operating system primitives that allows fine-grained isolation of software to approximate the least-privilege ideal. sthreads enforce a default-deny model, where software components have no privileges by default, so all privileges must be explicitly granted by the programmer. Experience introducing sthreads into previously monolithic applications (thus partitioning them) reveals that enumerating privileges for sthreads is difficult in practice. To ease the introduction of sthreads into existing code, we include Crowbar, a tool that can be used to learn the privileges required by a compartment. We show that only a few changes are necessary to existing code in order to partition applications with sthreads, and that Crowbar can guide the programmer through these changes. We show that applying sthreads to applications successfully narrows the attack surface by reducing the amount of code that can access sensitive data. Finally, we show that applications using sthreads pay only a small performance overhead. We applied sthreads to a range of applications, most notably an SSL web server, where we show that sthreads are powerful enough to protect sensitive data even against a strong adversary that can act as a man-in-the-middle in the network and also exploit most code in the web server, a threat model not addressed to date.

    Reality Hackers: The Next Wave of Media Revolutionaries

    Just as the printing press gave rise to the nation-state, emerging technologies are reshaping collective identities and challenging our understanding of what it means to be human. Should citizens have the right to be truly anonymous on-line? Should we be concerned about the fact that so many people are choosing to migrate to virtual worlds? Are injectable microscopic radio-frequency ID chips a blessing or a curse? Is the use of cognitive enhancing nootropics a human right or an unforgivable transgression? Should genomic data about human beings be hidden away with commercial patents or open-sourced like software? Should hobbyists known as biohackers be allowed to experiment with genetic engineering in their home laboratories? The time-frame for acting on such questions is relatively short, and these decisions are too important to be left up to a small handful of scientists and policymakers. If democracy is to continue as a viable alternative to technocracy, the average citizen must become more involved in these debates. To borrow a line from the computer visionary Ted Nelson, all of us can -- and must -- understand technology now. Challenging the popular stereotype of hackers as criminal sociopaths, reality hackers uphold the basic tenets of what Steven Levy (1984) terms the hacker ethic. These core principles include a commitment to: sharing, openness, decentralization, public access to information, and the use of new technologies to make the world a better place.