Detecting and Preventing Common Web Application Vulnerabilities: A Comprehensive Approach

Authors: Najla Odeh, Sherin Hijazi

Journal: International Journal of Information Technology and Computer Science @ijitcs

Published in issue: 3, Vol. 15, 2023.

Free access

Web applications are becoming very important in our lives, as many sensitive processes depend on them. It is therefore critical that they remain safe and resistant to malicious attacks. Most studies focus on ways to detect these attacks individually. In this study, we develop a new vulnerability system to detect and prevent vulnerabilities in web applications. It has multiple functions to deal with several recurring vulnerabilities. The proposed system provides detection and prevention of four types of vulnerabilities: SQL injection, cross-site scripting attacks, remote code execution, and fingerprinting of backend technologies. For every type of vulnerability we investigated how it works, then the process of detecting it, and finally the means of preventing it. This achieved three goals: reduced testing costs, increased efficiency, and safety. The proposed system has been validated through a practical application on a website, and experimental results demonstrate its effectiveness in detecting and preventing security threats. Our study contributes to the field of security by presenting an innovative approach to addressing security concerns, and our results highlight the importance of implementing advanced detection and prevention methods to protect against potential cyberattacks. The significance and research value of this survey lie in its potential to enhance the security of online systems and reduce the risk of data breaches.


Keywords: Security System, Websites Attacks, Application Security, SQL Injection, XSS

Short address: https://sciup.org/15018934

IDR: 15018934   |   DOI: 10.5815/ijitcs.2023.03.03

Scientific article