检索结果-内蒙古大学图书馆

Discovering reflected cross-site scripting vulnerabilities using a multiobjective reinforcement learning environment

引用

COMPUTERS & SECURITY 2021年 103卷 102204-102204页

作者： Caturano, Francesco Perrone, Gaetano Romano, Simon Pietro Univ Napoli Federico II Dept Elect Engn & Informat Technol Via Claudio 21 I-80125 Naples Italy

Tools that automate testing of web applications for Cross-Site Scripting (XSS) vulnerabilities perform well when they have a strong knowledge base. Though, they heavily rely on brute force, which is not always an effective choice. On the other hand, expert penetration testers adopt exploit methods that are more accurate, but often not structured. We propose to solve the above mentioned problems, by designing and implementing an intelligent agent, called Suggester, that recommends actions to penetration testers. First, a black-box testing methodology inspired by a penetration tester's behavior, is developed. Such methodology consists of sending a sequence of strings to a web application and observing the responses. Then, an agent is trained to produce attack strings using the framework of a Multi objective Reinforcement Learning environment (MORL), with a parameterized action space. Each complete attack string is identified as a separate objective to reach. Q-Learning is used to train the agent upon separate, unrelated objectives. Then, the learned actions are suggested to a human-in-the-loop, who performs the actions and collects observations. This allows to orchestrate the agent into pursuing the right objective and selecting the next best action to recommend. The final evaluation proves the scalability of the proposed solution, as well as show an increase in accuracy when compared to other automated scanners. (c) 2021 Elsevier Ltd. All rights reserved.

关键词： Penetration testing Network security web application vulnerabilities Multiobjective reinforcement learning Intelligent agent Cross-site scripting

来源：评论

学校读者我要写书评

暂无评论

Towards a Deep Learning Model for Vulnerability Detection on web application Variants 13

Towards a Deep Learning Model for Vulnerability Detection on...

引用

13th IEEE International Conference on Software Testing, Verification and Validation (ICST)

作者： Fidalgo, Ana Medeiros, Iberia Antunes, Paulo Neves, Nuno Univ Lisbon Fac Ciencias LASIGE Lisbon Portugal

ISBN: (纸本)9781728110752

Reported vulnerabilities have grown significantly over the recent years, with SQL injection (SQLi) being one of the most prominent, especially in web applications. For these, such increase can be explained by the integration of multiple software parts (e.g., various plugins and modules), often developed by different organizations, composing thus web application variants. Machine Learning has the potential to be a great ally on finding vulnerabilities, aiding experts by reducing the search space or even by classifying programs on their own. However, previous work usually does not consider SQLi or utilizes techniques hard to scale. Moreover, there is a clear gap in vulnerability detection with machine learning for PHP, the most popular server-side language for web applications. This paper presents a Deep Learning model able to classify PHP slices as vulnerable (or not) to SQLi. As slices can belong to any variant, we propose the use of an intermediate language to represent the slices and interpret them as text, resorting to well-studied Natural Language Processing (NLP) techniques. Preliminary results of the use of the model show that it can discover SQLi, helping programmers and precluding attacks that would eventually cost a lot to repair.

关键词： web application vulnerabilities vulnerability detection natural language processing deep learning software security

来源：评论

学校读者我要写书评

暂无评论

Evaluation and monitoring of XSS defensive solutions: a survey, open research issues and future directions

引用

JOURNAL OF AMBIENT INTELLIGENCE AND HUMANIZED COMPUTING 2019年第11期10卷 4377-4405页

作者： Gupta, Shashank Gupta, B. B. Birla Inst Technol & Sci Dept Comp Sci & Informat Syst Pilani 333031 Rajasthan India Natl Inst Technol Kurukshetra Dept Comp Engn Kurukshetra 136119 Haryana India

XSS is well- thought-out to be an industry-wide problem that is affecting the diverse contemporary web platforms. The collection of most recent web application reports revealed that XSS reserved the topmost position among all other cyber-attacks. This survey article wishes to present the improvements related to XSS worm defensive methodologies. We have enlarged our discussion to different classes of XSS attacks, i. e., non-persistent, persistent, DOM-Based and mutation- based XSS attacks that has recently stated in the state-of-art. This complete survey offers full vision into the classification, avoidance, recognition and alleviation mechanisms of such attacks. In addition, broad solution classification has been designed for the classification of approaches used by numerous contributions. This article discusses the impact of real world XSS worms and the associated recent real world incidents of such worms. Existing client-side, server-side, proxy-enabled and certain other XSS defensive techniques was presented with an aim to recognize their key contributions and the current performance concerns. In the end, we present certain future research guidelines, a complete mechanism and the associated requirements towards the designing of an effective and robust XSS defensive methodology.

关键词： web application vulnerabilities JavaScript (JS) code injection attacks Cross-site scripting (XSS) worms Online social network (OSN) security Context-aware sanitization

来源：评论

学校读者我要写书评

暂无评论

Exploring Defense of SQL Injection Attack in Penetration Testing

引用

INTERNATIONAL JOURNAL OF DIGITAL CRIME AND FORENSICS 2017年第4期9卷 62-71页

作者： Zhu, Alex Yan, Wei Qi Auckland Univ Technol Auckland New Zealand Auckland Univ Technol Sch Comp & Math Sci Auckland New Zealand

SQLIA is adopted to attack websites with and without confidential information. Hackers utilized the compromised website as intermediate proxy to attack others for avoiding being committed of cyber-criminal and also enlarging the scale of Distributed Denial of Service Attack (DDoS). The DDoS is that hackers maliciously turn down a website and make network resources unavailable to web users. It is extremely difficult to effectively detect and prevent SQLIA because hackers adopt various evading SQLIA Intrusion Detection System techniques. Victims may not be even aware of that their confidential data has been compromised for a long time. In this paper, our contribution is that we evaluate several most popular open source SQLIA tools and SQLIA prevention tools with both qualitative and quantitative assessments.

关键词： Database Protection Hacking Information Security SQL Injection Attack web application vulnerabilities

来源：评论

学校读者我要写书评

暂无评论

web application Security Tools Analysis 3

Web Application Security Tools Analysis

引用

IEEE 3rd International Conference on Big Data Security on Cloud (BigDataSecurity) / 3rd IEEE International Conference on High Performance and Smart Computing (HPSC) / 2nd IEEE International Conference on Intelligent Data and Security (IDS)

作者： Alzahrani, Abdulrahman Alqazzaz, Ali Fu, Huirong Almashfi, Nabil Zhu, Ye Oakland Univ Dept Comp Sci & Engn Rochester MI 48309 USA Cleveland State Univ Elect & Comp Engn Dept Cleveland OH 44115 USA

ISBN: (纸本)9781509062966

Strong security in web applications is critical to the success of your online presence. Security importance has grown massively, especially among web applications. Dealing with web application or website security issues requires deep insight and planning, not only because of the many tools that are available but also because of the industry immaturity. Thus, finding the proper tools requires deep understanding and several steps, including analyzing the development environment, business needs, and the web applications' complexity. In this paper, we demonstrate the architecture of web applications then list and evaluate the widespread security vulnerabilities. Those vulnerabilities are: Insufficient Transport Layer Protection, Information Leakage, Cross-Site Scripting, and SQL Injection. In addition, this paper analyzes the tools that are used to scan for these widespread vulnerabilities in web applications. Finally, it evaluates tools due to security vulnerabilities and gives recommendations to the web applications' users and administrators aiming to educate them.

关键词： web application web application security web application vulnerabilities

来源：评论

学校读者我要写书评

暂无评论

web application SECURITY: SHELL ACCESS

WEB APPLICATION SECURITY: SHELL ACCESS

引用

作者： Koponen, Kalle LAPPEENRANTA UNIVERSITY OF TECHNOLOGY

学位级别：硕士

This study presents how it is possible to get a shell access to the target system using common web application vulnerabilities. Both the client and server side are breached. Attacks are described step by step and results are presented using a real web application. The attacks are analyzed and described why they were successful. Successful attacks require that insufficient user input validation and unsafe coding standards are practiced. Also, environments need to be misconfigured, for example, a MySQL user has unneeded write access to a folder which is accessible by the web server.

关键词： OWASP penetration testing shell access web application vulnerabilities

来源：评论

学校读者我要写书评

暂无评论

XSS-immune: a Google chrome extension-based XSS defensive framework for contemporary platforms of web applications

引用

SECURITY AND COMMUNICATION NETWORKS 2016年第17期9卷 3966-3986页

作者： Gupta, Shashank Gupta, Brij Bhooshan Natl Inst Technol Dept Comp Engn Kurukshetra Haryana India

In this paper, the authors analyzed and discussed the performance issues in the existing cross-site scripting (XSS) filters and based on that, proposed a JavaScript string comparison and context-aware sanitization-based framework, XSS-immune. It is a browser-resident framework that compares the set of scripts embedded in hypertext transfer protocol request (H-REQ) and hypertext transfer protocol response (H-RES) for discovering any similar untrusted/malicious JavaScript code. This similar code points towards the untrusted JavaScript code that will be utilized by an attacker to exploit the vulnerabilities of XSS worms. In addition, our technique determines the context of such worms and performs the sanitization on them accordingly for alleviating the effect of such XSS worms from the real world web applications. We have also introduced a mechanism that can detect the injection of malicious parameter values by modifying the existing JavaScript code, that is, partial script injections. The prototype of XSS-immune was developed in Java and installed as an extension on the Google Chrome. In addition, we have verified the implementation of our design of prototype against five open-source XSS attack vector repositories, and very few XSS attack worms were able to evade our proposed design. Experimental evaluation and testing of XSS-immune were performed by adding support from the tested suite of real world web applications. The performance evaluation results revealed that our framework is able to detect the XSS worms with acceptable low false positive and false negative rate in comparison with the performance of existing XSS filters. Experimental results also incurred acceptable runtime overhead because of minor alterations on client-side browser and computationally fast execution of modules deployed in our browser-resident framework. Copyright (C) 2016 John Wiley & Sons, Ltd.

关键词： XSS worms XSS filters web browser web application vulnerabilities JavaScript code injection attacks HTTP

来源：评论

学校读者我要写书评

暂无评论

Context-oriented web application protection model

引用

APPLIED MATHEMATICS AND COMPUTATION 2016年 285卷 59-78页

作者： Prokhorenko, Victor Choo, Kim-Kwang Raymond Ashman, Helen Univ S Australia Sch Informat Technol & Math Sci Adelaide SA 5095 Australia

Due to growing user demand, web application development is becoming increasingly complicated. Multiple programming languages along with the complex multi-tier architecture commonly involved in web application development contribute to the probability of programming mistakes. Such mistakes may cause serious security vulnerabilities, which can then be exploited by malicious users. Current classifications include a wide variety of web application vulnerabilities, such as SQL injections, Cross-Site Scripting and File Inclusion. Various different protections exist against attacks associated with these vulnerabilities making it difficult to apply a single universal solution. This paper takes an alternative view of the core root of the vulnerabilities. Based on the discovered common traits, a unified extensible context-based model of web applications is proposed. A concept of context is introduced and different attacks are reformulated in terms of context boundary violation. The proposed model can be used to implement a more universal web application protection suitable against different types of attacks. (C) 2016 Elsevier Inc. All rights reserved.

关键词： Context-based protection web application attacks web application protection web application vulnerabilities

来源：评论

学校读者我要写书评

暂无评论

Towards a Taxonomy for Security Threats on the web Ecosystem

Towards a Taxonomy for Security Threats on the Web Ecosystem

引用

IEEE/IFIP Network Operations and Management Symposium (NOMS)

作者： Silva, Carlo Batista, Ricardo Queiroz, Ruy Garcia, Vinicius Silva, Jose Gatti, Daniel Assad, Rodrigo Nascimento, Leandro Brito, Kellyton Miranda, Pericles Univ Fed Pernambuco CIn Recife PE Brazil PUC SP TiDD Sao Paulo SP Brazil Univ Fed Rural Pernambuco DEINFO Recife PE Brazil

ISBN: (纸本)9781509002238

The aim of this paper is to present a taxonomy for security threats on the web ecosystem. We proposes a classification model based on 21 vectors divided into 8 distinct security threats, making use of levels of abstraction and criteria for discrimination which consider propagation and similarity in vulnerabilities. We also propose to estimate the risk factor and impacts on assets, considering data breaches, human aspects and service reliability. In addition, we validate the taxonomic model proposed through the catalogues of attacks facing the public. Thus, it was possible to observe its applicability for most of the attacks which appear before the public.

关键词： web application vulnerabilities web Browser vulnerabilities Social Engineering Taxonomy for Security Threats

来源：评论

学校读者我要写书评

暂无评论

Exploring Defense of SQL Injection Attack in Penetration Testing

Exploring Defense of SQL Injection Attack in Penetration Tes...

引用

作者： Yao Chu Zhu Auckland University of Technology

学位级别：硕士

SQLIA is adopted to attack websites with and without confidential information. Hackers utilize the compromisedwebsite as intermediate proxy to attack others for avoiding being committed of cyber-criminal and also enlarging the scale of Distributed Denial of Service Attack (DDoS). TheDDoS is that hackers maliciously turn down a website and make network resources unavailable to web users. It is extremely difficult to effectivelydetect and prevent SQLIA because hackers adopt various evading SQLIA Intrusion Detection System techniques. Victims always are not aware of that their confidential information has beencompromised for a long time. The contributions of this thesis are: (1) systematically exploreSQLIA, SQLIA preventionin theory; (2) demonstrate, evaluate imitative SQLIA with open source SQLIA tools andSQLIA preventiontools in practice; (3) new filters for eliminating SQLIA evadingIDS/IPS detectiontechniques to improve SQLIA prevention. The achievements of this thesis are to successfully obtain637 copies replied questionaire of surveying open source SQLIA tools and open source SQLIA prevention tools inquantitative research. Up to 76 virtual websites which have not been installed any SQLIA prevention tools have been successfully compromised in 500 penetration tests by SQLIA experiments in virtual environment of qualitative research. Furthermore, 27compromised virtual websites that are installed with SQLIA prevention tools have experiences600 times penetration tests. The open source SQLIA prevention toolssuccessfully prevent total 573 times out of 600 times SQLIA penetration tests. To conduct 100 times penetration tests for each new filters of eliminating SQL injection evading IDS/IPSdetection and testing result shows that all new filters can successfully prevent evading techniques with a high percentage, but with some side effect.

关键词： SQL injection attack database protection web application vulnerabilities hacking cyber-attack

来源：评论

学校读者我要写书评

暂无评论

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案：

请选择收藏分类：

通借通还

建议与咨询 留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案： 新增检索档案 确定 取消

请选择收藏分类： 新增自定义分类 确定 取消

通借通还

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

请选择保存的检索档案：

请选择收藏分类：