Web Application Security, Attacks and Mitigation
Authors: Ayush Chugh, Gaurav Gupta
Abstract:
Today’s technology depends heavily on web applications, and users are adopting them at a very rapid pace. They have made our work more efficient, and the list of examples is long: webmail, online retail, online gaming, wikis, train and flight departure and arrival boards, and many more. Such applications are written in languages like PHP, Python, C# and ASP.NET, together with client-side technologies such as HTML and JavaScript. Attackers develop tools and techniques to exploit web applications and legitimate websites, which has given rise to the field of web application security; this field can be broadly classified into Declarative Security and Program Security. The most common attacks on these applications are SQL Injection and XSS, which give unauthorized users access that can be used to damage or destroy the system entirely. This paper presents a detailed literature description and analysis of Web Application Security, examples of attacks, and steps to mitigate the vulnerabilities.
Keywords: Attacks, Injection, JavaScript, SQL, Vulnerability, XSS.
Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1088882