Journal of Automation and Information Sciences

Publishes 12 issues per year

ISSN Print: 1064-2315

ISSN Online: 2163-9337

SJR: 0.173 SNIP: 0.588 CiteScore™: 2


Detection and Avoidance of Input Validation Attacks in Web Application Using Deterministic Push Down Automata

Volume 51, Issue 9, 2019, pp. 32-51
DOI: 10.1615/JAutomatInfScien.v51.i9.40

ABSTRACT

Proper input validation and sanitization is a critical issue in developing web applications. Errors and flaws in validation operations that result in malicious behavior in a web application can easily be exploited by attackers. Since attackers are rapidly developing their skills and abilities, they focus on exploring vulnerabilities in web applications and try to compromise the confidentiality, integrity and availability of the information system. Input Validation Attacks (IVAs) are attacks in which a hacker sends malicious inputs (cheat codes) to confuse a web application in order to gain access to, or destroy, the back end of the application without the knowledge of its users. Input validation serves as the first line of defense against such attacks. Examples of input validation attacks include Cross Site Scripting (XSS), SQL Injection Attack (SQLIA), buffer overflow and directory traversal. Using input validation attacks, hackers can steal sensitive data, which decreases an organization's market value. In this project, we investigate the problem of detecting and removing validation bugs in both client-side and server-side code using our approach. In this paper we propose a new idea that makes it possible to detect and prevent input validation attacks using static and dynamic analysis.
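An added illustration of the kind of validator the title refers to (constructed here; it is not the paper's automaton or code): a small deterministic pushdown automaton that whitelists an input value and also enforces properly nested brackets, a property no regular expression can check. The allowed character set and the bracket pairs are assumptions chosen for the example.

```python
"""Deterministic pushdown automaton (DPDA) used as an input validator.

Constructed example: the stack tracks open brackets so that unbalanced or
wrongly nested input is rejected before the value reaches a query or page.
Any character outside the whitelist has no transition and is rejected.
"""
import string
from typing import Dict, Tuple

BOTTOM = "$"                      # stack-bottom marker, never popped
ALLOWED = set(string.ascii_letters + string.digits + " _.-")   # assumed whitelist
OPENERS = {"(": ")", "[": "]"}    # assumed bracket pairs (opener -> closer)

# Transition table: (state, input symbol, stack top) -> (next state, push string).
# The push string replaces the popped stack top; "" means pop only.
def _build_table() -> Dict[Tuple[str, str, str], Tuple[str, str]]:
    table: Dict[Tuple[str, str, str], Tuple[str, str]] = {}
    for top in [BOTTOM] + list(OPENERS):
        for ch in ALLOWED:
            table[("q", ch, top)] = ("q", top)              # plain char: stack unchanged
        for opener in OPENERS:
            table[("q", opener, top)] = ("q", opener + top)  # push the opener
    for opener, closer in OPENERS.items():
        table[("q", closer, opener)] = ("q", "")            # pop on the matching closer
    return table                                            # one entry per key: deterministic

TABLE = _build_table()

def dpda_accepts(value: str) -> bool:
    """Run the DPDA over `value`; accept only with the stack back at BOTTOM."""
    state, stack = "q", [BOTTOM]
    for ch in value:
        key = (state, ch, stack[-1])
        if key not in TABLE:
            return False                  # undefined transition: reject at once
        state, push = TABLE[key]
        stack.pop()
        stack.extend(reversed(push))      # first char of push ends up on top
    return state == "q" and stack == [BOTTOM]

def validate_form(fields: Dict[str, str]) -> Dict[str, bool]:
    """Apply the validator to every field of a submitted form."""
    return {name: dpda_accepts(value) for name, value in fields.items()}

if __name__ == "__main__":
    sample = {"q": "report (q3[final])", "user": "admin' OR 1=1 --"}  # constructed input
    print(validate_form(sample))
```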


CITED BY
  1. Zhou Fangping, Yang Chao, General-Nondeterministic Fuzzy Pushdown Automata and Their Languages, Theoretical Computer Science, 1693, 2022.
