Journal of Automation and Information Sciences
SJR: 0.275 SNIP: 0.59 CiteScore™: 0.8

ISSN Print: 1064-2315
ISSN Online: 2163-9337


DOI: 10.1615/JAutomatInfScien.v51.i9.40
pages 32-51

Detection and Avoidance of Input Validation Attacks in Web Application Using Deterministic Push Down Automata

V. Nithya
University College of Engineering Panruti of Anna University, Panruti (India)
S. Senthilkumar
University College of Engineering Pattukkottai of Anna University, Pattukkottai (India)

ABSTRACT

The proper validation and sanitization of input is a critical issue in developing web applications. Errors and flaws in validation operations that result in malicious behavior in a web application can be easily exploited by attackers. Since attackers are rapidly developing their skills and abilities, they focus on exploring vulnerabilities in web applications and try to compromise the confidentiality, integrity and availability of the information system. Input Validation Attacks (IVAs) are attacks in which a hacker sends malicious inputs (cheat codes) to confuse a web application in order to gain access to or destroy the back end of the application without the knowledge of users. Input validation serves as the first line of defense against such attacks. Examples of input validation attacks include Cross Site Scripting (XSS), SQL Injection Attack (SQLIA), buffer overflow and directory traversal. Using input validation attacks, hackers can steal sensitive data, which decreases an organization's market value. In this project, we investigate the problem of detection and removal of validation bugs in both the client-side and the server-side code by using our approach. In this paper we propose a new idea that makes it possible to detect and prevent input validation attacks using static and dynamic analysis.


