Journal of Automation and Information Sciences
SJR: 0.275 SNIP: 0.59 CiteScore™: 0.8

Print ISSN: 1064-2315
Online ISSN: 2163-9337


DOI: 10.1615/JAutomatInfScien.v51.i9.40
pages 32-51

Detection and Avoidance of Input Validation Attacks in Web Application Using Deterministic Push Down Automata

V. Nithya
University College of Engineering Panruti of Anna University, Panruti (India)
S. Senthilkumar
University College of Engineering Pattukkottai of Anna University, Pattukkottai (India)

ABSTRACT

Proper input validation and sanitization is a critical issue in developing web applications. Errors and flaws in validation operations result in malicious behavior in the web application and can be easily exploited by attackers. Since attackers are rapidly developing their skills and abilities, they focus on exploring vulnerabilities in web applications and try to compromise the confidentiality, integrity and availability of the information system. Input Validation Attacks (IVAs) are attacks in which a hacker sends malicious inputs (cheat codes) to confuse a web application in order to gain access to, or destroy, the back end of the application without the knowledge of its users. Input validation serves as the first line of defense against such attacks. Examples of input validation attacks include Cross Site Scripting (XSS), SQL Injection Attack (SQLIA), buffer overflow and directory traversal. Using input validation attacks, hackers can steal sensitive data, which decreases the organization's market value. In this project, we investigate the problem of detecting and removing validation bugs in both client-side and server-side code using our approach. In this paper we propose a new idea that makes it possible to detect and prevent input validation attacks using static and dynamic analysis.
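As an added illustration of the whitelist-validation idea in the abstract (this is not the authors' automaton; the grammar, state names and sample inputs are assumptions constructed here), the following deterministic pushdown automaton accepts only balanced parenthesised integer arithmetic and rejects any input outside that grammar, including quote, semicolon and comment characters:

```python
"""Added example: a deterministic pushdown automaton (DPDA) as a whitelist
input validator.  Assumed grammar: balanced parenthesised integer arithmetic,
e.g. "(3+4)*2".  Any character with no transition (quotes, ';', letters) is
rejected, and nesting depth is tracked on the stack, which a regular
expression cannot do."""

BOTTOM = "$"      # stack-bottom marker, never popped
DIGITS = set("0123456789")
OPS = set("+-*/")


def dpda_accepts(text: str) -> bool:
    """States: 'E' expects the start of a term (digit or '('),
    'N' is inside a number, 'T' follows a closed ')'.
    Deterministic: each (state, symbol, stack-top) has at most one move."""
    state = "E"
    stack = [BOTTOM]
    for ch in text:
        top = stack[-1]
        if state == "E":
            if ch in DIGITS:
                state = "N"
            elif ch == "(":
                stack.append("(")          # push for every opened group
            else:
                return False               # no transition: reject
        else:                              # state is 'N' or 'T'
            if state == "N" and ch in DIGITS:
                continue                   # number continues
            if ch in OPS:
                state = "E"
            elif ch == ")" and top == "(":
                stack.pop()                # pop only on a matching open
                state = "T"
            else:
                return False               # unmatched ')', quote, ';', ...
    # accept only in a final state with nothing left open on the stack
    return state in ("N", "T") and stack == [BOTTOM]


# Constructed sample inputs (not taken from the paper) with expected verdicts.
SAMPLES = {
    "42": True,
    "(3+4)*2": True,
    "((1+2)*(3-4))/5": True,
    "(3+4": False,                 # unbalanced nesting
    "3+4)": False,                 # closes a group that was never opened
    "1' OR '1'='1": False,         # quote has no transition
    "1; DROP TABLE t": False,      # ';' and letters have no transition
    "": False,
}

if __name__ == "__main__":
    for s, expected in SAMPLES.items():
        assert dpda_accepts(s) == expected, s
    print("all samples classified as expected")
```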
