  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

Amélioration de la sécurité par la conception des logiciels web / Securing web applications by design

Scholte, Theodoor 11 May 2012
The Internet has become a ubiquitous environment in the worlds of work and leisure. The ever-growing popularity of web applications and their associated services leads to the execution of many critical transactions, which raise security concerns. Because of this growth, efforts have been made over the past decade to make web applications more secure. Despite these efforts, recent reports from the SANS Institute estimate that more than 60% of attacks carried out on the Internet target web applications, concentrating on vulnerabilities inherent to validation problems, such as Cross-Site Scripting or SQL injection. In this thesis, we conducted two empirical research studies analyzing a large number of vulnerable web applications. We assembled a database containing more than 10,000 vulnerability reports since the year 2000. We then analyzed these data to determine whether developers are aware of web security issues today, compared with the period when these applications were emerging. We then analyzed the close link between the programming language used to develop the web application and the number of vulnerabilities reported. With these empirical results as a basis, we present our solution, IPAAS, which helps developers who are novices in security to write applications that are secure by default. We also show that this technique convincingly improves the security of web applications. / The web has become a backbone of our industry and daily life. The growing popularity of web applications and services and the increasing number of critical transactions being performed have raised security concerns. For this reason, much effort has been spent over the past decade to make web applications more secure. Despite these efforts, recent data from the SANS Institute estimates that up to 60% of Internet attacks target web applications and critical vulnerabilities such as cross-site scripting and SQL injection are still very common. In this thesis, we conduct two empirical studies on a large number of web application vulnerabilities with the aim of gaining deeper insights into how input validation flaws have evolved in the past decade and how these common vulnerabilities can be prevented. Our results suggest that the complexity of the attacks has not changed significantly and that many web problems are still simple in nature. Our studies also show that most SQL injection and a significant number of cross-site scripting vulnerabilities can be prevented using straightforward validation mechanisms based on common data types. With these empirical results as foundation, we present IPAAS, which helps developers that are unaware of security issues to write more secure web applications than they otherwise would do. It includes a novel technique for preventing the exploitation of cross-site scripting and SQL injection vulnerabilities based on automated data type detection of input parameters. We show that this technique results in significant and tangible security improvements for real web applications.
2

Integrace dat a možnosti automatického zpracování úloh / Data integration and automatic task processing

Meisner, Tomáš January 2009
This diploma thesis deals with automatic task processing, especially with the automatic processing of forms on web pages. The thesis throws light on the theoretical and practical matters. The beginning of the thesis describes the reasons why this topic was chosen. It also mentions the possible uses of an application built on these principles, foremost the simplification of retrieving data in a standardized (but general) format from common users, which could be used for a data mining process. Concepts for implementing this kind of application are described, including a description of the problematic parts and their possible solutions. This part mentions an algorithm that deals with a security limitation of current web browsers -- so-called cross-site scripting. One part of this thesis is a description of current commercial and non-commercial solutions that at least partly fulfill the demands of the application. In conclusion, the functionality of the created application is analyzed, and advancements and improvements are proposed for creating new versions of the application.
3

Detecting PHP-based Cross-Site Scripting Vulnerabilities Using Static Program Analysis

Kelbley, Steven M. January 2016
No description available.
4

Detecção automática de ataques de Cross-Site Scripting em páginas Web / Automatic detection of Cross-Site Scripting attacks in web pages

Rocha, Thiago de Souza 05 April 2013
Made available in DSpace on 2015-04-11T14:02:46Z (GMT). No. of bitstreams: 1 thiago.pdf: 2481710 bytes, checksum: b6ca68e9c8339ffcfd02dd0cdae775ae (MD5) Previous issue date: 2013-04-05 / The evolution in web applications development favored the emergence of dynamic pages. This development was made possible through the creation of new technologies like script functions and web browser advanced features that provided the insertion of new features and creation of interactive services, such as Internet banking, social networks, e-commerce, blogs and forums. The use of these new resources and features has gradually improved the interactivity and usability of web applications. Moreover, the inappropriate use of these features resulted in the emergence of several attacks, including Cross-Site Scripting (XSS), which is highlighted at the top of lists and reports of the greatest threats to web applications in recent years. This work demonstrates the feasibility of using a methodology that is capable of detecting XSS attacks by analyzing the information contained in applications. A prototype of the methodology, called ETSSDetector, was developed and compared with similar tools. The results show that by analyzing the input fields, it is possible to generate more effective tests, decreasing the amount of requests made in the application. Furthermore, the ability to fill the fields with only valid information ensures the submission of forms on pages, increasing the detection rate of XSS attacks. / The evolution of web application development favored the emergence of dynamic pages. This evolution was made possible by the creation of new technologies such as script functions and advanced web browser features, which enabled the addition of new functionality and the creation of interactive services such as Internet banking, social networks, e-commerce, blogs and forums. The use of these resources and features has gradually improved the interactivity and usability of web applications. On the other hand, the inappropriate use of these features has led to the emergence of several attacks, among them Cross-Site Scripting (XSS). This attack has received much attention in recent years, as it sits at the top of lists and reports of the greatest threats to web applications in recent years. This work demonstrates the feasibility of using a methodology capable of detecting XSS attacks in web applications by analyzing information contained in the applications. A prototype of the methodology, called ETSSDetector, was developed and compared with other similar tools. The results obtained show that, by analyzing the input fields, it is possible to generate more effective tests, reducing the number of requests made to the application. In addition, the ability to fill the application's fields with only valid information ensures the submission of the pages' forms, increasing the detection rate of XSS attacks.
5

MITIGATION OF WEB-BASED PROGRAM SECURITY VULNERABILITY EXPLOITATIONS

Shahriar, HOSSAIN 30 November 2011
Over the last few years, web-based attacks have caused significant harm to users. Many of these attacks occur through the exploitations of common security vulnerabilities in web-based programs. Given that, mitigation of these attacks is extremely crucial to reduce some of the harmful consequences. Web-based applications contain vulnerabilities that can be exploited by attackers at a client-side (browser) without the victim’s (browser user’s) knowledge. This thesis is intended to mitigate some exploitations due to the presence of security vulnerabilities in web applications while performing seemingly benign functionalities at the client-side. For example, visiting a webpage might result in JavaScript code execution (cross-site scripting), downloading a file might lead to the execution of JavaScript code (content sniffing), clicking on a hyperlink might result in sending unwanted legitimate requests to a trusted website (cross-site request forgery), and filling out a seemingly legitimate form may eventually lead to stealing of credential information (phishing). Existing web-based attack detection approaches suffer from several limitations such as (i) modification of both server and client-side environments, (ii) exchange of sensitive information between the server and client, and (iii) lack of detection of some attack types. This thesis addresses these limitations by mitigating four security vulnerabilities in web applications: cross-site scripting, content sniffing, cross-site request forgery, and phishing. We mitigate the exploitations of these vulnerabilities by developing automatic attack detection approaches at both server and client-sides. We develop server-side attack detection frameworks to detect attack symptoms within response pages before sending them to the client. The approaches are designed based on the assumption that the server-side program source is available for analysis, but we are not allowed to alter the program code and the runtime environments. 
Moreover, we develop client-side attack detection frameworks so that some level of protection is present when the source code of server websites (either trusted or untrusted) is not available. Our proposed solutions explore several techniques such as response page parsing and file content analysis, browser-level checking of requests and responses, and finite state machine-based behavior monitoring. The thesis evaluates the proposed attack detection approaches with real-world vulnerable programs. The evaluation results indicate that our approaches are effective and perform better than the related work. We also contribute to the development of benchmark suites for evaluating attack detection techniques. / Thesis (Ph.D, Computing) -- Queen's University, 2011-11-29 09:44:24.465
6

Μέθοδοι προστασίας ιστοσελίδων στο διαδίκτυο / Methods for protecting websites on the Internet

Μπαλαφούτης, Χρήστος 19 October 2012
This thesis presents basic concepts and methods for the security of websites, particularly sites with a web application orientation, although many of the protection techniques and flaws we identify can also be found on websites serving other purposes. First, it describes what a web application (web app) is and what components make it up. Then, drawing on studies, it presents some of the most “popular” attacks carried out against websites and describes in more detail which weak points in the structure of websites they exploit. In parallel, it discusses how and with which tools we can detect and close any security holes a web application may have. Finally, it presents the application developed as part of the thesis in order to demonstrate specific attacks and flaws observed on the Internet. / In the following pages basic principles and methods are presented in order to secure websites and web applications. I begin by mentioning what a web application is. Moreover, by using statistics and recent research from various sources, I mention the most common web app attack methods, which vulnerabilities can be found in a web app, and how to prevent exploitation, something we can accomplish by using various penetration testing tools. Finally, by using a basic web app, some web attacks are shown so that it will become clearer how these attacks work.
7

Detecção de Cross-Site Scripting em páginas Web / Detection of Cross-Site Scripting in web pages

Nunan, Angelo Eduardo 14 May 2012
Made available in DSpace on 2015-04-11T14:03:18Z (GMT). No. of bitstreams: 1 Angelo Eduardo Nunan.pdf: 2892243 bytes, checksum: 5653024cae1270242c7b4f8228cf0d2c (MD5) Previous issue date: 2012-05-14 / CAPES - Coordenação de Aperfeiçoamento de Pessoal de Nível Superior / Web applications are currently an important environment for access to services available on the Internet. However, the security assurance of these resources has become an elementary task. The structure of dynamic websites composed of a set of objects such as HTML tags, script functions, hyperlinks and advanced features in web browsers may provide numerous resources and interactive services, for instance e-commerce, Internet banking, social networking, blogs, forums, among others. On the other hand, these features helped to increase the potential security risks and attacks, which are the results of malicious code injection. In this context, Cross-Site Scripting (XSS) is highlighted at the top of the lists of the greatest threats to web applications in recent years. This work presents a method based on supervised machine learning techniques to detect XSS in web pages. A set of features extracted from URL contents and web documents is employed in order to discriminate XSS patterns and to successfully classify both malicious and non-malicious pages. / Web applications currently represent an important environment for accessing services offered on the Internet. Ensuring the security of these resources has become an elementary task. The structure of dynamic sites, made up of a set of objects such as HTML tags, script functions, hyperlinks and advanced web browser features, has led to numerous features and interactive services, such as e-commerce, Internet banking, social networks, blogs, forums, among others. However, these features have potentially increased security risks and the attacks resulting from malicious code injection, among which Cross-Site Scripting stands out at the top of the lists of the greatest threats to web applications in recent years. This work presents a method based on supervised machine learning techniques to detect XSS in web pages, using a set of features extracted from the URL and the web document that are able to discriminate XSS attack patterns and distinguish malicious web pages from normal or benign web pages.
8

Generating web applications containing XSS and CSRF vulnerabilities

Ahlberg, Gustav January 2014
Most of the people in the industrial world are using several web applications every day. Many of those web applications contain vulnerabilities that can allow attackers to steal sensitive data from the web application's users. One way to detect these vulnerabilities is to have a penetration tester examine the web application. A common way to train penetration testers to find vulnerabilities is to challenge them with realistic web applications that contain vulnerabilities. The penetration tester's assignment is to try to locate and exploit the vulnerabilities in the web application. Training on the same web application twice will not provide any new challenges to the penetration tester, because the penetration tester already knows how to exploit all the vulnerabilities in the web application. Therefore, a vast number of web applications and variants of web applications are needed to train on. This thesis describes a tool designed and developed to automatically generate vulnerable web applications. First a web application is prepared, so that the tool can generate a vulnerable version of the web application. The tool injects Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) vulnerabilities in prepared web applications. Different variations of the same vulnerability can also be injected, so that different methods are needed to exploit the vulnerability depending on the variation. A purpose of the tool is that it should generate web applications which shall be used to train penetration testers, and some of the vulnerabilities the tool can inject, cannot be detected by current free web application vulnerability scanners, and would thus need to be detected by a penetration tester. To inject the vulnerabilities, the tool uses abstract syntax trees and taint analysis to detect where vulnerabilities can be injected in the prepared web applications. 
Tests confirm that web application vulnerability scanners cannot find all the vulnerabilities on the web applications which have been generated by the tool.
9

Investigating the current state of security for small sized web applications

Lundberg, Karl Johan January 2012
It is not uncommon to read about hacker attacks in the newspaper today. The hackers are targeting governments and enterprises, and motives vary. It may be political or economic reasons, or just to gain reputation. News about smaller systems is, unsurprisingly, not as common. Does this mean that security is less relevant for smaller systems? This report investigates the threat model of smaller web applications, to answer that very question. Different attacks are described in the detail needed for explaining their threat but the intention is not to teach the reader to write secure code. The report does, however, provide the reader with a rich source of references for that purpose. After describing some of the worst threats, the general cloud threat model is analyzed. This is followed by a practical analysis of a cloud system, and the report is closed with general strategies for countering threats. The severe destruction that a successful attack may cause and the high prevalence of those attacks motivate some security practices to be performed whenever software is produced. Attacks against smaller companies are more common now than ever before.
10

On the different "worlds" of intra-organizational knowledge management: Understanding idiosyncratic variation in MNC cross-site knowledge-sharing practices

Kasper, Helmut, Lehrer, Mark, Mühlbacher, Jürgen, Müller, Barbara January 2013
This qualitative field study investigated cross-site knowledge sharing in a small sample of multinational corporations in three different MNC business contexts (global, multidomestic, transnational). The results disclose heterogeneous "worlds" of MNC knowledge sharing, ultimately raising the question as to whether the whole concept of MNC knowledge sharing covers a sufficiently unitary phenomenon to be meaningful. We derive a non-exhaustive typology of MNC knowledge-sharing practices: self-organizing knowledge sharing, technocratic knowledge sharing, and best practice knowledge sharing. Despite its limitations, this typology helps to elucidate a number of issues, including the latent conflict between two disparate theories of MNC knowledge sharing, namely "sender-receiver" and "social learning" theories (Noorderhaven & Harzing, 2009). More generally, we develop the term "knowledge contextualization" to highlight the way that firm-specific organizational features pre-define which knowledge is considered to be of special relevance for intra-organizational sharing. (authors' abstract)
