Spelling suggestions: "subject:"crossbite scripting"" "subject:"crossbite scriptings""
1 |
Amélioration de la sécurité par la conception des logiciels web / Securing web applications by designScholte, Theodoor 11 May 2012 (has links)
L'internet est devenu un environnement omniprésent dans le monde du travail et du loisir. La popularité sans cesse croissante des applications web ainsi que des services associés entraînent l'exécution de nombreuses transactions critiques, qui soulèvent des questions de sécurité. Du fait de cette croissance, des efforts ont été entrepris durant cette dernière décennie pour rendre les applications web plus sûres. Malgré ces efforts, de récents rapports provenant de l'institut SANS estiment que plus de 60 % des attaques commises sur l'Internet ciblent les applications web en se concentrant sur les vulnérabilités inhérentes aux problèmes de validation, comme le Cross-Site Scripting ou les injections SQL. Dans cette thèse, nous avons conduit deux études de recherche empirique, analysant un grand nombre d'application web vulnérables. Nous avons assemblé une base de données contenant plus de 10.000 rapports de vulnérabilités depuis l'an 2000. Ensuite, nous avons analysé ces données pour déterminer si les développeurs ont pris conscience des problématiques de sécurité web de nos jours, comparé à la période où ces applications émergeaient. Puis nous avons analysé l'étroit lien entre le langage de programmation utilisé pour développer l'application web et le nombre de vulnérabilité reporté. Avec ces résultats empiriques comme base, nous présentons notre solution IPAAS qui aide les développeurs novice en termes de sécurité à écrire des applications sécurisées par défaut. Nous montrons par ailleurs que cette technique améliore de manière probante la sécurité des applications web. / The web has become a backbone of our industry and daily life. The growing popularity of web applications and services and the increasing number of critical transactions being performed, has raised security concerns. For this reason, much effort has been spent over the past decade to make web applications more secure. Despite these efforts, recent data from SANS institute estimates that up to 60% of Internet attacks target web applications and critical vulnerabilities such as cross-site scripting and SQL injection are still very common. In this thesis, we conduct two empirical studies on a large number of web applications vulnerabilities with the aim of gaining deeper insights in how input validation flaws have evolved in the past decade and how these common vulnerabilities can be prevented. Our results suggest that the complexity of the attacks have not changed significantly and that many web problems are still simple in nature. Our studies also show that most SQL injection and a significant number of cross-site scripting vulnerabilities can be prevented using straight-forward validation mechanisms based on common data types. With these empirical results as foundation, we present IPAAS which helps developers that are unaware of security issues to write more secure web applications than they otherwise would do. It includes a novel technique for preventing the exploitation of cross-site scripting and SQL injection vulnerabilities based on automated data type detection of input parameters. We show that this technique results in significant and tangible security improvements for real web applications.
|
2 |
Integrace dat a možnosti automatického zpracování úloh / Data integration and automatic task processingMeisner, Tomáš January 2009 (has links)
This diploma thesis deals with automatic task processing, especially with automatic processing of forms on web pages. The thesis throws light on the theoretical and practical matter. At the beginning of this thesis are described the reasons, why this topic were chosen. Also there are mentioned the possible uses of application, realized on this principles. Foremost simplification of retrieval of data with standardized (but general) format from common users, which could be used for data mining process. For creating this kind of application is described concepts of its implementation, including description of problematic parts and their possible solution. In this part is mentioned algorithm, which deals with security limitation of current web browsers -- so-called cross-site scripting. One part of this thesis is description of current commercial and non-commercial solutions, which at least partly fulfills the demands of the application. At the conclusion is analyzed functionality of created application and proposed advancements and improvements for creating new versions of application
|
3 |
Detecção automática de ataques de Cross-Site Scripting em páginas WebRocha, Thiago de Souza 05 April 2013 (has links)
Made available in DSpace on 2015-04-11T14:02:46Z (GMT). No. of bitstreams: 1
thiago.pdf: 2481710 bytes, checksum: b6ca68e9c8339ffcfd02dd0cdae775ae (MD5)
Previous issue date: 2013-04-05 / The evolution in web applications development favored the emergence of dynamic pages. This development was made possible through the creation of new technologies like script functions and web browser advanced features that provided the insertion of new features and creation of interactive services, such as Internet banking, social networks, e-commerce, blogs and forums. The use of these new resources and features has gradually improved the interactivity and usability of web applications. Moreover, the inappropriate use of these features resulted in the emergence of several attacks, including, Cross-Site Scripting (XSS) that is highlighted at the top of lists and reports of the greatest threats to web applications in recent years. This works demonstrates the feasibility of using a methodology that is capable to detect XSS attacks by analyzing the information
contained in applications. A prototype of the methodology, called ETSSDetector, was developed and compared with similar tools. The results show that by analyzing the input fields, it is possible to generate more effective tests, decreasing the amount of requests made in the application. Furthermore, the ability to fill the fields with only valid information ensures the submission of forms on pages, increasing the detection rate of XSS attacks. / A evolução no desenvolvimento para aplicações web favoreceu o surgimento de páginas dinâmicas. Tal evolução foi possível através da criação de novas tecnologias como funções de script e recursos avançados em navegadores web que proporcionaram a inserção de novas funcionalidades e criação
de serviços interativos, tais como Internet banking, redes sociais, e-commerce, blogs e fóruns. A utilização desses recursos e funcionalidades tem melhorado gradativamente a
interatividade e usabilidade das aplicações web. Por outro lado, o uso inadequado dessas funcionalidades acarretou no surgimento de diversos ataques, entre eles, o Cross-Site Scripting (XSS). Este ataque tem recebido muito destaque nos últimos anos, por estar no topo de listas e relatórios das maiores ameaças para aplicações web nos últimos anos.
Este trabalho demonstra a viabilidade de uso de uma metodologia capaz de detectar ataques XSS em aplicações web através da análise de informações contidas nas aplicações. Um protótipo da metodologia, denominado de ETSSDetector, foi desenvolvido e comparado com outras ferramentas similares. Os resultados obtidos mostram que, através da análise dos campos de entrada, é possível
a geração de testes mais efetivos, diminuindo a quantidade de requisições realizadas na aplicação. Além disso, a habilidade de preenchimento dos campos da aplicação apenas com informações válidas garante a submissão dos formulários das páginas, aumentando a taxa de detecção de ataques
XSS.
|
4 |
Detecção de Cross-Site Scripting em páginas WebNunan, Angelo Eduardo 14 May 2012 (has links)
Made available in DSpace on 2015-04-11T14:03:18Z (GMT). No. of bitstreams: 1
Angelo Eduardo Nunan.pdf: 2892243 bytes, checksum: 5653024cae1270242c7b4f8228cf0d2c (MD5)
Previous issue date: 2012-05-14 / CAPES - Coordenação de Aperfeiçoamento de Pessoal de Nível Superior / Web applications are currently an important environment for access to services available on the Internet. However, the security assurance of these resources has become an elementary task. The structure of dynamic websites composed by a set of objects such as HTML tags, script functions, hyperlinks and advanced features in web browsers may provide numerous resources and interactive services, for instance e-commerce, Internet banking, social networking, blogs, forums, among
others. On the other hand, these features helped to increase the potential security risks and attacks, which are the results of malicious codes injection. In this context, Cross-Site Scripting (XSS) is highlighted at the top of the lists of the greatest threats to web applications in recent years. This work presents a method based on supervised machine learning techniques to detect XSS in web pages. A set of features extracted from URL contents and web document are employed in order to discriminate XSS patterns and to successfully classify both malicious and non-malicious pages / As aplicações web atualmente representam um importante ambiente de acesso aos serviços oferecidos na Internet. Garantir a segurança desses recursos se tornou uma tarefa elementar. A estrutura de sites dinâmicos constituída por um conjunto de objetos, tais como tags de HTML, funções de script, hiperlinks e recursos avançados em navegadores web levou a inúmeras funcionalidades e à interatividade de serviços, tais como e-commerce, Internet banking, redes sociais, blogs, fóruns, entre outros. No entanto, esses recursos têm aumentado potencialmente os riscos de segurança e os ataques resultantes da injeção de códigos maliciosos, onde o Cross-Site
Scripting aparece em destaque, no topo das listas das maiores ameaças para aplicações web nos últimos anos. Este trabalho apresenta um método baseado em técnicas de aprendizagem de máquina supervisionada para detectar XSS em páginas web, a partir de um conjunto de características extraídas da URL e do documento web, capazes de discriminar padrões de ataques XSS e distinguir páginas web maliciosas das páginas web normais ou benignas
|
5 |
DESERVE: A FRAMEWORK FOR DETECTING PROGRAM SECURITY VULNERABILITY EXPLOITATIONSMOHOSINA, AMATUL 20 September 2011 (has links)
It is difficult to develop a program that is completely free from vulnerabilities. Despite the applications of many approaches to secure programs, vulnerability exploitations occur in real world in large numbers. Exploitations of vulnerabilities may corrupt memory spaces and program states, lead to denial of services and authorization bypassing, provide attackers the access to authorization information, and leak sensitive information. Monitoring at the program code level can be a way of vulnerability exploitation detection at runtime. In this work, we propose a monitor embedding framework DESERVE (a framework for DEtecting program SEcuRity Vulnerability Exploitations). DESERVE identifies exploitable statements from source code based on static backward slicing and embeds necessary code to detect attacks. During the deployment stage, the enhanced programs execute exploitable statements in a separate test environment. Unlike traditional monitors that extract and store program state information to compare with vulnerable free program states to detect exploitation, our approach does not need to save state information. Moreover, the slicing technique allows us to avoid the tracking of fine grained level of information about runtime program environments such as input flow and memory state. We implement DESERVE for detecting buffer overflow, SQL injection, and cross-site scripting attacks. We evaluate our approach for real world programs implemented in C and PHP languages. The results show that the approach can detect some of the well-known attacks. Moreover, the approach imposes negligible runtime overhead. / Thesis (Master, Electrical & Computer Engineering) -- Queen's University, 2011-09-19 19:04:28.423
|
6 |
Next Generation Black-Box Web Application Vulnerability Analysis FrameworkJanuary 2017 (has links)
abstract: Web applications are an incredibly important aspect of our modern lives. Organizations
and developers use automated vulnerability analysis tools, also known as
scanners, to automatically find vulnerabilities in their web applications during development.
Scanners have traditionally fallen into two types of approaches: black-box
and white-box. In the black-box approaches, the scanner does not have access to the
source code of the web application whereas a white-box approach has access to the
source code. Today’s state-of-the-art black-box vulnerability scanners employ various
methods to fuzz and detect vulnerabilities in a web application. However, these
scanners attempt to fuzz the web application with a number of known payloads and
to try to trigger a vulnerability. This technique is simple but does not understand
the web application that it is testing. This thesis, presents a new approach to vulnerability
analysis. The vulnerability analysis module presented uses a novel approach
of Inductive Reverse Engineering (IRE) to understand and model the web application.
IRE first attempts to understand the behavior of the web application by giving
certain number of input/output pairs to the web application. Then, the IRE module
hypothesizes a set of programs (in a limited language specific to web applications,
called AWL) that satisfy the input/output pairs. These hypotheses takes the form of
a directed acyclic graph (DAG). AWL vulnerability analysis module can then attempt
to detect vulnerabilities in this DAG. Further, it generates the payload based on the
DAG, and therefore this payload will be a precise payload to trigger the potential vulnerability
(based on our understanding of the program). It then tests this potential
vulnerability using the generated payload on the actual web application, and creates
a verification procedure to see if the potential vulnerability is actually vulnerable,
based on the web application’s response. / Dissertation/Thesis / Masters Thesis Computer Science 2017
|
7 |
Study of the techniques used by OWASP ZAP for analysis of vulnerabilities in web applications / En studie av de tekniker OWASP ZAP använder för att analysera sårbarheter i webbapplikationerJakobsson, Adam, Häggström, Isak January 2022 (has links)
Today, new web applications are made every single day with increasingly more sensitive data to manage. To ensure that no security vulnerabilities such as data leakage in web applications exist, developers are using tools such as a web vulnerability scanner. This type of tool can detect vulnerabilities by automatically finding input fields where data can be injected and performing different attacks on these fields. One of the most common web vulnerability scanners is OWASP ZAP. Web vulnerability scanners were first developed during a time when traditional multi-page applications were prominent. Nowadays, when modern single-page applications have become the de facto standard, new challenges for web vulnerability scanners have arisen. These problems include identifying dynamically updated web pages. This thesis aims to evaluate the techniques used by OWASP ZAP and several other web vulnerability scanners for identifying two of the most common vulnerabilities, SQL injections and cross-site scripting. This issue is approached by testing the selected web vulnerability scanners on deliberately vulnerable web applications, to assess the performance and techniques used, and to determine if the performance of OWASP ZAP could be improved. If an identified technique in another web vulnerability scanner performed better than the counterpart in OWASP ZAP, it will be implemented in OWASP ZAP and evaluated. From the tests performed, it could be concluded that the performance of OWASP ZAP was lacking in the search for input fields, where a depth-first search algorithm was used. The breadth-first search algorithm used by other scanners was shown to be more effective in specific cases and was therefore implemented in OWASP ZAP. The result shows that the use case for the two algorithms differs between web applications and by using both of the algorithms to find vulnerabilities, better performance is achieved.
|
8 |
Domain-Driven Security : Injection & Cross-site scripting / Domändriven säkerhet : Injection & Cross-site scriptingStendahl, Jonas January 2016 (has links)
Many web applications are vulnerable to Injection and Cross-site scripting. These attacks are often focused on infrastructural parts of the application. This thesis investigates if Domain-Driven Design can unify existing technical protection mechanisms as well as provide protection for attacks aimed at the business logic of an application. The performance of data validation and transformation performed with components from Domain-Driven Design is evaluated. The evaluation is performed by exposing an E-commerce application to dangerous injection and cross-site scripting strings. The data validation was found to be accurate and flexible and context mapping aided the understanding of correct data treatment depending on where in the application it is located or travelling to.
|
9 |
MITIGATION OF WEB-BASED PROGRAM SECURITY VULNERABILITY EXPLOITATIONSShahriar, HOSSAIN 30 November 2011 (has links)
Over the last few years, web-based attacks have caused significant harm to users. Many of these attacks occur through the exploitations of common security vulnerabilities in web-based programs. Given that, mitigation of these attacks is extremely crucial to reduce some of the harmful consequences. Web-based applications contain vulnerabilities that can be exploited by attackers at a client-side (browser) without the victim’s (browser user’s) knowledge. This thesis is intended to mitigate some exploitations due to the presence of security vulnerabilities in web applications while performing seemingly benign functionalities at the client-side. For example, visiting a webpage might result in JavaScript code execution (cross-site scripting), downloading a file might lead to the execution of JavaScript code (content sniffing), clicking on a hyperlink might result in sending unwanted legitimate requests to a trusted website (cross-site request forgery), and filling out a seemingly legitimate form may eventually lead to stealing of credential information (phishing). Existing web-based attack detection approaches suffer from several limitations such as (i) modification of both server and client-side environments, (ii) exchange of sensitive information between the server and client, and (iii) lack of detection of some attack types. This thesis addresses these limitations by mitigating four security vulnerabilities in web applications: cross-site scripting, content sniffing, cross-site request forgery, and phishing. We mitigate the exploitations of these vulnerabilities by developing automatic attack detection approaches at both server and client-sides. We develop server-side attack detection frameworks to detect attack symptoms within response pages before sending them to the client. The approaches are designed based on the assumption that the server-side program source is available for analysis, but we are not allowed to alter the program code and the runtime environments. Moreover, we develop client-side attack detection frameworks so that some level of protection is present when the source code of server websites (either trusted or untrusted) is not available. Our proposed solutions explore several techniques such as response page parsing and file content analysis, browser-level checking of requests and responses, and finite state machine-based behavior monitoring. The thesis evaluates the proposed attack detection approaches with real-world vulnerable programs. The evaluation results indicate that our approaches are effective and perform better than the related work. We also contribute to the development of benchmark suites for evaluating attack detection techniques. / Thesis (Ph.D, Computing) -- Queen's University, 2011-11-29 09:44:24.465
|
10 |
Μέθοδοι προστασίας ιστοσελίδων στο διαδίκτυοΜπαλαφούτης, Χρήστος 19 October 2012 (has links)
Στην παρούσα διπλωματική εργασία παρουσιάζονται βασικές έννοιες και μέθοδοι για την ασφάλεια ιστοσελίδων και ιδιαίτερα των site με web application προσανατολισμό, χωρίς αυτό να σημαίνει ότι αρκετές τεχνικές προστασίας και σφάλματα που θα εντοπίσουμε δεν μπορούν να συναντηθούν και σε άλλου σκοπού ιστοσελίδες. Αρχικά, γίνεται αναφορά στο τι είναι μια εφαρμογή ιστού (web app) και ποια είναι τα στοιχεία που την αποτελούν. Στη συνέχεια, χρησιμοποιώντας έρευνες, παρουσιάζονται κάποιες από τις πιο “δημοφιλείς” επιθέσεις που γίνονται σε ιστοσελίδες και περιγράφεται πιο διεξοδικά ποια αδύνατα σημεία της δομής των ιστοσελίδων εκμεταλλεύονται. Παράλληλα, γίνεται αναφορά στο πως και με ποια εργαλεία μπορούμε να εντοπίσουμε και να κλείσουμε τα κενά ασφαλείας που τυχόν έχει μία εφαρμογή ιστού. Τέλος, παρουσιάζεται η εφαρμογή που αναπτύχθηκε στα πλαίσια της εργασίας με σκοπό να γίνει επίδειξη συγκεκριμένων επιθέσεων και σφαλμάτων που παρατηρούνται στο διαδίκτυο. / In the following pages basic principals and methods are presented in order to secure websites and web applications. I begin by mentioning what is a web application. Moreover, by using statistics and recent researches from various sources i mention the most common web app attack methods and which vulnerabilities can be found in a web app and how to prevent exploiting, something we can accomplish by using various penetration testing tools. Finally, by using a basic web app some web attacks are shown so that it will become more clear how these attacks work.
|
Page generated in 0.0456 seconds