Content Security Policy (CSP) as countermeasure to Cross Site Scripting (XSS) attacks

Dolnak, Ivan

doi:10.1109/iceta.2017.8102476

Cited by 6 publications

(3 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One of the security headers that have raised debates is X-XSS protection [12]. X-XSS protection security header is responsible for protecting against cyber-attacks such as Cross-Site Scripting attacks [11] [13]. The optimal configuration for X-XSS is the protection header has changed from blocking (X-XSS auditor has been removed in modern browsers like Chrome, and Edge); other browsers like Firefox have not implemented X-XSS protection.…”

Section: Related Workmentioning

confidence: 99%

“…The Content Security Policy (CSP) header implements an additional layer to prevent web-based attacks [1]; among these attacks are Cross-Site Scripting (XSS) and code injection attacks [13]. This is achieved by employing a whitelisting method that informs the browser where to fetch the images, scripts, and, CSS.…”

Section: Related Workmentioning

confidence: 99%

“…MIME-type sniffing is the functionality of a web browser to inspect web contents to determine the file type format for uploaded files from users. This functionality can be misused to execute XSS attacks [13] on the given web application. This type of sniffing attack is speculating what content type the server response will be; instead of trusting what the header's content type value states.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Secure Web Application Technologies Implementation through Hardening Security Headers Using Automated Threat Modelling Techniques

Mlyatu¹,

Sanga²

2023

JIS

View full text Add to dashboard Cite

This paper investigates whether security headers are enforced to mitigate cyber-attacks in web-based systems in cyberspace. The security headers examined include X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security, Referrer-Policy, Content-Security-Policy, and Permissions-Policy. The study employed a controlled experiment using a security header analysis tool. The web-based applications (websites) were analyzed to determine whether security headers have been correctly implemented. The experiment was iterated for 100 universities in Africa which are ranked high. The purposive sampling technique was employed to understand the status quo of the security headers implementations. The results revealed that 70% of the web-based applications in Africa have not enforced security headers in web-based applications. The study proposes a secure system architecture design for addressing web-based applications' misconfiguration and insecure design. It presents security techniques for securing web-based applications through hardening security headers using automated threat modelling techniques. Furthermore, it recommends adopting the security headers in web-based applications using the proposed secure system architecture design.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Secure Web Application Technologies Implementation through Hardening Security Headers Using Automated Threat Modelling Techniques

Mlyatu¹,

Sanga²

2023

JIS

View full text Add to dashboard Cite

show abstract

DPLOOP: Detection and Prevention of Loopholes in Web Application Security

Monika

Tiwari

2020

Advances in Intelligent Systems and Computing

View full text Add to dashboard Cite

An Exploration of shared code execution for malware analysis

Ashawa,

Owoh,

Riley

et al. 2024

2024 International Conference on Artificial Intelligence, Computer, Data Sciences and Applications (ACDSA)

View full text Add to dashboard Cite

In today's ever evolving technology, malware is one of the most significant threats faced by individuals and corporate organizations. With the increasing sophistication of malware attacks, detecting malware becomes harder as many malware variants use different techniques, such as obfuscation, to evade detection. Even though advanced techniques, such as use of deep learning, prove to be of great success in classifying malware, the high computational resources needed for training and deploying deep learning models may not be feasible for all organizations or individuals. It is therefore essential to use fewer computational techniques to understand how malware can be analysed using shared code execution, which uses less computational resources. In this paper, we explored shared code execution as a novel approach for analyzing and understanding the behavior of malware. We dynamically analysed the shared code execution of the malicious payloads by looking at the dynamic link library found in NTDLL.dll. We demonstrated how samples make use of the LoadLibrary function using inline hooking techniques to overwrite the actual function code to create service execution and persistence using shared code execution. We identified functions that address the problem of encoding routine and domain obfuscation when malware uses seDebug Privilege to escalate privileg. Through realistic experiments, we found that executables such as Mod_77D4 Module, change at different instances using XOR encoding operations for each payload byte with a predefined key. This helps sophisticated malware to create and bind address structures for remote control. Our proposed technique shows high analytical accuracy for sophisticated samples that use encoding and obfuscation methods to evade detection.

show abstract

Content Security Policy (CSP) as countermeasure to Cross Site Scripting (XSS) attacks

Cited by 6 publications

References 0 publications

Secure Web Application Technologies Implementation through Hardening Security Headers Using Automated Threat Modelling Techniques

Secure Web Application Technologies Implementation through Hardening Security Headers Using Automated Threat Modelling Techniques

DPLOOP: Detection and Prevention of Loopholes in Web Application Security

An Exploration of shared code execution for malware analysis

Contact Info

Product

Resources

About