Faculty Publications

Permanent URI for this communityhttps://idr.nitk.ac.in/handle/123456789/18736

Publications by NITK Faculty

Browse

Subject: search.filters.subject.Web application security

Search Results

Now showing 1 - 6 of 6
  • No Thumbnail Available
    Item
    Cross Channel Scripting (XCS) Attacks in Web Applications: Detection and Mitigation Approaches
    (Institute of Electrical and Electronics Engineers Inc., 2019) Madhusudhan, R.; Shashidhara
    XCS (Cross Channel Scripting) is a dangerous web application vulnerability, in which injection of the malicious code and attack execution is performed through network protocols. This vulnerability is the variant and sophistication concept of XSS (Cross-Site Scripting). We disclose a range of XCS attacks on embedded servers, which make use of electronic devices such as photo frames, cameras, wireless routers and wireless access points. All these devices have web interfaces, which permits an admin to perform various tasks on the device that is connecting from a web browser to the web server. An attack execution is carried by inserting malevolent code in the device, which is executed in the context of a legitimate user when he/she opens the page containing injected malicious code. This malevolent code can be inserted in the device through non web channels like SNMP (Simple Network Management Protocol), FTP (File Transfer Protocol) or NFS (Network File System). Unfortunately, the injected malicious code can fully compromise the security of devices, which are embedded in web servers. In this paper, a comprehensive analysis of the XCS exploitation and mitigation techniques have been presented. © 2018 IEEE.
  • No Thumbnail Available
    Item
    Prevention of SQL Injection Attacks Using Cryptography and Pattern Matching
    (Springer Science and Business Media Deutschland GmbH, 2022) Madhusudhan, R.; Ahsan, M.
    The internet is rapidly expanding that allow easy access to information, thus attackers develop different methodologies to access it and hence the security related to it becomes priority for all. SQL injection attack (SQLIA) has consistently posed serious threat since its existence. SQLIA is a web security vulnerability through which attackers can give specifically designed input to steal or manipulate sensitive information by interacting with the database. The objective of the research is to provide a defensive mechanism to protect a particular web application against such attacks. The paper acknowledged some existing models and give special attention to models based on encryption and pattern matching techniques. Encryption based models have proven themselves to be very effective against SQLIA by preventing attackers from authentication access. But such model will undermine the integrity of the tables if used in places other than the authentication form. Thus, we employ an additional layer of security based on pattern matching techniques. Our idea differs in a way that it compares a temporary structure generated from the user’s query with all defined benign structures created from the benign queries that are usually expected by the web application. The proposed model uses Blowfish algorithm in authentication form which upon simulation is preventing all kind of SQLIA from authentication access and upon the implementation of Knuth-Morris-Pratt pattern matching technique, the model will ensure the prevention of any new and existing kind of SQLIA. The model is under development and is believed to provide a robust environment in preventing all kind of SQLI attacks with overall reduced complexity. © 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.
  • No Thumbnail Available
    Item
    Securing web applications from injection and logic vulnerabilities: Approaches and challenges
    (Elsevier B.V., 2016) Deepa, G.; Santhi Thilagam, P.S.
    Context: Web applications are trusted by billions of users for performing day-to-day activities. Accessibility, availability and omnipresence of web applications have made them a prime target for attackers. A simple implementation flaw in the application could allow an attacker to steal sensitive information and perform adversary actions, and hence it is important to secure web applications from attacks. Defensive mechanisms for securing web applications from the flaws have received attention from both academia and industry. Objective: The objective of this literature review is to summarize the current state of the art for securing web applications from major flaws such as injection and logic flaws. Though different kinds of injection flaws exist, the scope is restricted to SQL Injection (SQLI) and Cross-site scripting (XSS), since they are rated as the top most threats by different security consortiums. Method: The relevant articles recently published are identified from well-known digital libraries, and a total of 86 primary studies are considered. A total of 17 articles related to SQLI, 35 related to XSS and 34 related to logic flaws are discussed. Results: The articles are categorized based on the phase of software development life cycle where the defense mechanism is put into place. Most of the articles focus on detecting the flaws and preventing the attacks against web applications. Conclusion: Even though various approaches are available for securing web applications from SQLI and XSS, they are still prevalent due to their impact and severity. Logic flaws are gaining attention of the researchers since they violate the business specifications of applications. There is no single solution to mitigate all the flaws. More research is needed in the area of fixing flaws in the source code of applications. © 2016 Elsevier B.V. All rights reserved.
  • No Thumbnail Available
    Item
    Securing native XML database-driven web applications from XQuery injection vulnerabilities
    (Elsevier Inc. usjcs@elsevier.com, 2016) Palsetia, N.; Deepa, G.; Ahmed Khan, F.; Santhi Thilagam, P.S.; Pais, A.R.
    Database-driven web applications today are XML-based as they handle highly diverse information and favor integration of data with other applications. Web applications have become the most popular way to deliver essential services to customers, and the increasing dependency of individuals on web applications makes them an attractive target for adversaries. The adversaries exploit vulnerabilities in the database-driven applications to craft injection attacks which include SQL, XQuery and XPath injections. A large amount of work has been done on identification of SQL injection vulnerabilities resulting in several tools available for the purpose. However, a limited work has been done so far for the identification of XML injection vulnerabilities and the existing tools only identify XML injection vulnerabilities which could lead to a specific type of attack. Hence, this work proposes a black-box fuzzing approach to detect different types of XQuery injection vulnerabilities in web applications driven by native XML databases. A prototype XQueryFuzzer is developed and tested on various vulnerable applications developed with BaseX as the native XML database. An experimental evaluation demonstrates that the prototype is effective against detection of XQuery injection vulnerabilities. Three new categories of attacks specific to XQuery, but not listed in OWASP are identified during testing. © 2016 Elsevier Inc.
  • No Thumbnail Available
    Item
    Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications
    (Springer Verlag service@springer.de, 2018) Deepa, G.; Santhi Thilagam, P.S.; Ahmed Khan, F.A.; Praseed, A.; Pais, A.R.; Palsetia, N.
    As web applications become the most popular way to deliver essential services to customers, they also become attractive targets for attackers. The attackers craft injection attacks in database-driven applications through the user-input fields intended for interacting with the applications. Even though precautionary measures such as user-input sanitization is employed at the client side of the application, the attackers can disable the JavaScript at client side and still inject attacks through HTTP parameters. The injected parameters result in attacks due to improper server-side validation of user input. The injected parameters may either contain malicious SQL/XML commands leading to SQL/XPath/XQuery injection or be invalid input that intend to violate the expected behavior of the web application. The former is known as an injection attack, while the latter is called a parameter tampering attack. While SQL injection has been intensively examined by the research community, limited work has been done so far for identifying XML injection and parameter tampering vulnerabilities. Database-driven web applications today rely on XML databases, as XML has gained rapid acceptance due to the fact that it favors integration of data with other applications and handles diverse information. Hence, this work proposes a black-box fuzzing approach to detect XQuery injection and parameter tampering vulnerabilities in web applications driven by native XML databases. A prototype XiParam is developed and tested on vulnerable applications developed with a native XML database, BaseX, as the backend. The experimental evaluation clearly demonstrates that the prototype is effective against detection of both XQuery injection and parameter tampering vulnerabilities. © 2017, Springer-Verlag Berlin Heidelberg.
  • No Thumbnail Available
    Item
    DetLogic: A black-box approach for detecting logic vulnerabilities in web applications
    (Academic Press, 2018) Deepa, G.; Santhi Thilagam, P.S.; Praseed, A.; Pais, A.R.
    Web applications are subject to attacks by malicious users owing to the fact that the applications are implemented by software developers with insufficient knowledge about secure programming. The implementation flaws arising due to insecure coding practices allow attackers to exploit the application in order to perform adverse actions leading to undesirable consequences. These flaws can be categorized into injection and logic flaws. As large number of tools and solutions are available for addressing injection flaws, the focus of the attackers is shifting towards exploitation of logic flaws. The logic flaws allow attackers to compromise the application-specific functionality against the expectations of the stakeholders, and hence it is important to identify these flaws in order to avoid exploitation. Therefore, a prototype called DetLogic is developed for detecting different types of logic vulnerabilities such as parameter manipulation, access-control, and workflow bypass vulnerabilities in web applications. DetLogic employs black-box approach, and models the intended behavior of the application as an annotated finite state machine, which is subsequently used for deriving constraints related to input parameters, access-control, and workflows. The derived constraints are violated for simulating attack vectors to identify the vulnerabilities. DetLogic is evaluated against benchmark applications and is found to work effectively. © 2018 Elsevier Ltd