11. On web security: a trusted notification system
January 2011
Tse, Kai Shun Scottie. "December 2010." Thesis (M.Phil.), Chinese University of Hong Kong, 2011. Includes bibliographical references (p. 52-54). Abstracts in English and Chinese.
Contents:
Abstract (p. ii); Acknowledgements (p. iii); List of Figures (p. vi)
1 Introduction (p. 1)
  1.1 Web 2.0 (p. 2)
  1.2 Research Motivation (p. 2)
2 Background Study on Web Attacks (p. 4)
  2.1 Cross Site Scripting (XSS) (p. 5)
  2.2 Cross Channel Scripting (XCS) (p. 6)
  2.3 Cross Site Request Forgery (CSRF) (p. 6)
  2.4 Click Jacking (p. 7)
  2.5 Extension and plugin vulnerabilities (p. 8)
  2.6 Privacy Issue (p. 10)
  2.7 Network security (p. 12)
  2.8 Developer implementation flaw (p. 13)
  2.9 Chapter Summary (p. 15)
3 Defenses on Web Attacks (p. 17)
  3.1 Same Origin Policy (p. 17)
  3.2 Filtering mechanism (p. 18)
    3.2.1 Client-side filtering (p. 18)
    3.2.2 Server-side filtering (p. 19)
  3.3 XSS Defenses (p. 20)
  3.4 CSRF Defenses (p. 22)
  3.5 Browser warnings (p. 23)
  3.6 Chapter Summary (p. 24)
4 On web communication (p. 26)
  4.1 On cross domain communication (p. 26)
    4.1.1 HTML5 (p. 26)
    4.1.2 Flash 10 (p. 28)
    4.1.3 Extended study on crossdomain.xml of Flash (p. 29)
  4.2 On cross frame communication (p. 32)
  4.3 Trusted Notification System (p. 35)
    4.3.1 Assumptions (p. 35)
    4.3.2 Implementation Issues (p. 35)
    4.3.3 Information flow (p. 37)
    4.3.4 Features (p. 38)
      4.3.4.1 Counter fake (p. 38)
      4.3.4.2 Plug and play (p. 38)
      4.3.4.3 Mitigate future attacks (p. 39)
      4.3.4.4 Session persist after logout (p. 39)
      4.3.4.5 Follow the standards (p. 40)
    4.3.5 Related works (p. 40)
  4.4 Chapter Summary (p. 41)
5 Conclusion (p. 43)
  5.1 Contributions (p. 43)
  5.2 Discussions and future work (p. 44)
A Non-persistent XSS attack on Horde (p. 45)
B Data tampering attack on facebook application (p. 50)
Bibliography (p. 52)
12. Dynamic Scoping for Browser Based Access Control System
Nadipelly, Vinaykumar, 25 May 2012
We have expanded the use of web applications to the point of using them for almost everything and making them an essential part of our everyday lives. As a result, strengthening the privacy and security policies of web applications is becoming increasingly essential. The importance and stateless nature of the web infrastructure have made the web a preferred target of attacks, and the current web access control system is one reason these attacks succeed. The current web consists of two major components, the browser and the server, and an effective access control system needs to be implemented in both. As its access control system, the current web has adopted the inadequate same origin policy for the browser and the same session policy for the server. These policies were sufficient for the web of earlier days, but they have become inadequate to address the protection needs of today's web.
In order to protect the web application from untrusted contents, we provide an enhanced browser based access control system by enabling dynamic scoping. Our security model for the browser allows the client and trusted web application contents to share a common library and protects web contents from each other, while they still get executed at different trust levels. We have implemented a working model of this enhanced browser based access control system in Java, under the Lobo browser.
13. Using Novel Image-based Interactional Proofs and Source Randomization for Prevention of Web Bots
Shardul Vikram, December 2011
This work presents our efforts on preventing web bots from illegitimately accessing web resources. As the first technique, we present SEMAGE (SEmantically MAtching imaGEs), a new image-based CAPTCHA that capitalizes on the human ability to define and comprehend image content and to establish semantic relationships between images. As the second technique, we present NOID, a "NOn-Intrusive web bot Defense system" that aims at creating a three-tiered defence against web automation programs, or web bots. NOID is a server-side technique and prevents web bots from accessing web resources by inherently hiding the HTML elements of interest through randomization and obfuscation in the HTML responses.
A SEMAGE challenge asks a user to select semantically related images from a given image set. SEMAGE has a two-factor design: in order to pass a challenge the user is required to figure out the content of each image and then understand and identify the semantic relationship between a subset of them. Most of the current state-of-the-art image-based systems like Asirra only require the user to solve the first level, i.e., image recognition. Utilizing the semantic correlation between images to create more secure and user-friendly challenges is what makes SEMAGE novel. SEMAGE does not suffer from limitations of traditional image-based approaches such as lacking customization and adaptability. Unlike the current text-based systems, SEMAGE is also very user friendly with a high fun factor. We conduct a first-of-its-kind large-scale user study involving 174 users to gauge and compare the accuracy and usability of SEMAGE with existing state-of-the-art CAPTCHA systems like reCAPTCHA (text-based) and Asirra (image-based). The user study further reinforces our points and shows that users achieve high accuracy using our system and consider our system to be fun and easy.
We also design a novel server-side and non-intrusive web bot defense system, NOID, to prevent web bots from accessing web resources by inherently hiding and randomizing HTML elements. Specifically, to prevent web bots from uniquely identifying HTML elements for later automation, NOID randomizes the name/id parameter values of essential HTML elements such as "input textbox", "textarea" and "submit button" in each HTTP form page. In addition, to prevent powerful web bots from identifying special user-action HTML elements by analyzing the content of their accompanying "label text" HTML tags, we enhance NOID by adding a component, Label Concealer, which hides label indicators by replacing "label text" HTML tags with randomized images. To further prevent more powerful web bots from identifying HTML elements by recognizing their relative positions or surrounding elements in the web pages, we enhance NOID by adding another component, Element Trapper, which obfuscates important HTML elements' surroundings by adding decoy elements without compromising usability.
We evaluate NOID against five powerful state-of-the-art web bots, including XRumer, SENuke, Magic Submitter, Comment Blaster, and UWCS, on several popular open source web platforms including phpBB, Simple Machine Forums (SMF), and Wordpress. According to our evaluation, NOID can prevent all these web bots from automatically sending spam on these web platforms with reasonable overhead.
14. Designing security policies and frameworks for web applications
Singh, Kapil, 24 May 2011
The new developments behind Web 2.0 have increased the complexity of web systems making the task of securing these systems a challenging problem. As a result, end-to-end security for web access has been hindered by the limitations of current web security policies and by the lack of systems that enable effective enforcement of policies. The focus of this dissertation is on how new tools and frameworks may be designed to aid the protection of web systems by acting as policy specification and enforcement points. In particular, we develop a set of policies and frameworks for three web players--the user, the web browser and the web application--that determine the end-to-end security of web content. Our contributions include a framework for users to specify security policies, a platform to enforce user policies for third-party applications, a systematic analysis of browser policy issues, and a mechanism to provide improved end-to-end security/integrity guarantees.
15. Αναγνώριση επιθέσεων σε δίκτυα εφαρμογών με δίκτυα κατανεμημένων αισθητήρων / Attack detection in application networks with distributed sensor networks
Σπανός, Δημήτρης, 19 July 2012
The rapid growth of the World Wide Web and its applications makes a discussion of information security within it necessary. This work presents the building blocks that implement the World Wide Web: the Internet infrastructure, the user environment and the web server environment (web browsers). Each of these parts has its own security vulnerabilities and its own methods of addressing each of them. The main threats per structural component of the Web are presented, along with some techniques for protecting against them. A dominant role in the techniques for addressing attacks on the World Wide Web is played by correct design, strengthening the security of the protocols involved, encryption techniques, and also the personal responsibility of every Web user. / Rapid growth of the World Wide Web leads to a continuous discussion on maintaining information security through it. This essay presents the parts which implement the World Wide Web, namely the Internet structure, the end user environment and the web server environment. Each of these parts has different security vulnerabilities and measures for their mitigation. The most important security threats along with mitigation techniques are described. Almost all mitigation techniques come down to the use of proper application design, cryptography and the personal responsibility of every user and administrator.
16. Webbsäkerhet och vanliga brister : kunskapsläget bland utvecklare / Web security and common shortfalls : the state of knowledge among developers
Strandberg, Jane; Lyckne, Mattias, January 2014
This bachelor thesis looks at developers' knowledge about web security, both regarding their own view of their knowledge and their actual knowledge about vulnerabilities and how to mitigate them. Web developers' knowledge of web security is becoming more and more important as more applications and services move to the web and more and more devices become connected to the internet. We do this by conducting a survey among developers who are currently studying or working in the field, to get a grip on the state of knowledge regarding the most common security concepts. What we saw was that the results vary between the different concepts, and that many lack much of the knowledge of web security that is becoming increasingly important to have.
17. Leveraging Scalable Data Analysis to Proactively Bolster the Anti-Phishing Ecosystem
January 2020
Despite an abundance of defenses that work to protect Internet users from online threats, malicious actors continue deploying relentless large-scale phishing attacks that target these users. Effectively mitigating phishing attacks remains a challenge for the security community due to attackers' ability to evolve and adapt to defenses, the cross-organizational nature of the infrastructure abused for phishing, and discrepancies between theoretical and realistic anti-phishing systems. Although technical countermeasures cannot always compensate for the human weakness exploited by social engineers, maintaining a clear and up-to-date understanding of the motivation behind, and execution of, modern phishing attacks is essential to optimizing such countermeasures.
In this dissertation, I analyze the state of the anti-phishing ecosystem and show that phishers use evasion techniques, including cloaking, to bypass anti-phishing mitigations in hopes of maximizing the return on investment of their attacks. I develop three novel, scalable data-collection and analysis frameworks to pinpoint the ecosystem vulnerabilities that sophisticated phishing websites exploit. The frameworks, which operate on real-world data and are designed for continuous deployment by anti-phishing organizations, empirically measure the robustness of industry-standard anti-phishing blacklists (PhishFarm and PhishTime) and proactively detect and map phishing attacks prior to launch (Golden Hour). Using these frameworks, I conduct a longitudinal study of blacklist performance and the first large-scale end-to-end analysis of phishing attacks (from spamming through monetization). As a result, I thoroughly characterize modern phishing websites and identify desirable characteristics for enhanced anti-phishing systems, such as more reliable methods for the ecosystem to collectively detect phishing websites and meaningfully share the corresponding intelligence. In addition, findings from these studies led to actionable security recommendations that were implemented by key organizations within the ecosystem to help improve the security of Internet users worldwide.
Dissertation/Thesis / Doctoral Dissertation, Computer Science, 2020
18. Framework pro bezpečný vývoj webových aplikací / Secure Development Framework for Web Applications
Mazura, František, January 2017
This thesis deals with the theoretical analysis of vulnerabilities in web applications; in particular, the most frequent vulnerabilities of the OWASP Top 10 are examined. These vulnerabilities are subsequently analyzed for the design of a web application development framework and are practically addressed in this framework, so that it prevents the vulnerabilities or, where necessary, defends against them. The main goal of the implementation is a framework in which the programmer of the resulting web application is protected to the utmost.
19. Datasäkerhet för webbaserade system / Data security for web-based systems
Ingverud, Patrik; Ryrstedt, Emmy, January 2015
Web attacks are today a well-known problem. The purpose of an attack can be anything from pure destruction to gaining access to classified information, or it can be driven by organised crime for financial gain. Many companies therefore have a great need to protect themselves against attacks. A system must guarantee that the information in the system can only be accessed by authenticated users. Information sent and stored in the system must not be intercepted or altered. This report describes a project in which a web-based system that a company is going to develop is examined. For this system to be secure against attacks, an assessment is made of the level of security required, together with a risk analysis of the system and an analysis of security solutions that cover these risks. The project resulted in a description of the security solutions that protect against the system's risks and that cover the company's requirements on the security level. The result is informative and is intended to serve as a basis for developing the security of web-based systems. / Web attacks are today a well-known problem. The purpose of an attack can vary from pure destruction, to accessing confidential information, to being operated by criminals for financial gain. Many businesses therefore have a great need to protect themselves against attacks. A system must ensure that only authenticated users can access the information contained in the system. It should not be possible to intercept or change the information that is sent and stored in the system. This report describes a project where a web-based system, which a company is going to develop, is analyzed. An assessment of the level of security that the system requires, a risk analysis of the system and an analysis of security solutions that cover these risks are made to make the system secure against attacks.
The project resulted in a description of the security solutions that protect against the system's risks and that cover the company's security requirements. The result is informative and can be used as a basis for the development of security in web-based systems.
20. Prevention of Input Validation Vulnerabilities on the Client-Side : A Comparison Between Validating in AngularJS and React Applications
Strålberg, Linda, January 2019
The aim of this research was to test the JavaScript library React and the framework AngularJS against each other with regard to the response time of validation and validation robustness. The experiments in this work were performed to support developers in deciding which library or framework to use. There are many other aspects to consider when choosing which library or framework to develop in beyond the security and response time aspects covered in this work, but this work can, alongside other information, give developers yet another viewpoint. The results showed that there is no difference between them security-wise, but that it was somewhat faster to validate in a React application than in an AngularJS application.