Cross Site Scripting: Removing Approaches in Web Application

Marashdih, Abdalla Wasef; Zaaba, Zarul Fitri

doi:10.1016/j.procs.2017.12.201

Cited by 13 publications

(5 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…e novelty of the research results lies in the statistical validation for the empirical property of the proposed code pattern and providing the basis for employing suitable techniques according to the character of program to be analysed. Some researchers define the infeasible path as any path that is not executable under any test cases [45] and remove infeasible paths from the entire path of the control flow graph [46]. Balakrishnan et al [47,48] stated that developers need to distinguish these infeasible paths from the other paths of the entire control flow graph.…”

Section: Discussionmentioning

confidence: 99%

Infeasible Path Detection Based on Code Pattern and Backward Symbolic Execution

Yang

Zhang

Gong

2020

Mathematical Problems in Engineering

View full text Add to dashboard Cite

This paper sets out to reveal the relationship between code pattern and infeasible paths and gives advices to the selection of infeasible path detection techniques. Lots of program paths are proved to be infeasible, which leads to imprecision and low efficiency of program analysis. Detection of infeasible paths is required in many areas of software engineering including test coverage analysis, test case generation, and security vulnerability analysis. The immediate cause of path infeasibility is the contradiction of path constraints, whose distribution will affect the performance of different program analysis techniques. But there is a lack of research on the distribution of contradict constraints currently. We propose a code pattern based on the empirical study of infeasible paths; the statistical result proves the correlation of the pattern with contradict constraints. We then develop a path feasibility detection method based on backward symbolic execution. Performance of the proposed technique is evaluated from two aspects: the efficiency of detecting infeasibility paths for specific program element and the improvement of applying the technique on code coverage testing.

show abstract

Section: Discussionmentioning

confidence: 99%

Infeasible Path Detection Based on Code Pattern and Backward Symbolic Execution

Yang

Zhang

Gong

2020

Mathematical Problems in Engineering

View full text Add to dashboard Cite

show abstract

“…Melepaskan karakter atau escape character adalah sebuah fungsi tag HTML yang dapat membuang karakter-karakter yang menyebabkan terjadinya serangan SQLI sehingga jika pada input variabel dari URL atau dari form input dengan menyisipkan perintah SQL, maka sistem website tidak akan mengeksekusi karena akan terbaca sebagai input variabel bukan query SQL [7]. Fungsi htmlentities merupakan salah satu dari tag HTML dimana fungsi ini akan merubah karakter spesial pada string menjadi entity sedangkan fungsi strip_tags juga termasuk bagian dari tag HTML dimana fungsi ini akan menghapus semua tag HTML yang dapat dianggap berbahaya serta merubah tag tersebut menjadi input biasa yang tidak memiliki dampak terhadap website [8].…”

Section: Pendahuluanunclassified

Optimalisasi dalam Penetrasi Testing Keamanan Website Menggunakan Teknik SQL Injection dan XSS

Risky

Yuhandri

2021

JSisfotek

View full text Add to dashboard Cite

SQLI (SQL Injection) and XSS are hacking techniques that are often used by hackers. This technique can find out the contents of the database by inserting a script on the website. This technique can be a threat if a website does not have security that can ward off such attacks. Hackers will look for loopholes using this technique in a login menu, searching, upload menu, input menu and URLs that have parameters ending in numbers, but not all websites that can be attacked use this technique if you don't limit the use of characters. This research was conducted to find out the gaps in a website that can be attacked with SQLI and XSS techniques and help optimize website security to avoid these attacks. Penetration testing will be carried out on a CV car rental website. Merdeka Auto Rental which is located in Padang City. This penetration testing uses SQLI and XSS techniques to find security holes in a website. The result of this test is that on the car rental website there are 12 gaps that are vulnerable to SQLI and XSS attacks, based on the results of these tests, a PHP script function is made that can remove all dangerous special characters. The script function is inserted in the PHP input, process and output files. The use of this script function does not apply to attacks other than SQLI and XSS so that if hackers use attack techniques other than that, this website is vulnerable to these attacks. After the script is inserted in the source code of the website, it can be concluded that the 12 known loopholes in the previous test without using the script function have changed status to not vuln or not vulnerable to SQLI and XSS attacks.

show abstract

“…XSS ialah serangan dengan menyuntikan atau menyisipkan code-code jahat berbentuk javascript melalui form input yang bertujuan untuk mencuri cookie lalu menggunakan cookie tesebut untuk masuk kedalam web secara sah [1]. XSS memiliki 3 kategori diantaranya, DOM-Based XSS cara kerja dengan memanfaatkan javascript untuk memanipulasi objek model, yang berikutnya Stored On Presistent XSS bekerja dengan menyintikan javascript ke server dan disimpan permanen dalam database dan yang terakhir mengunakan teknik memantulkan kode berbahaya ke browser yang digunakan korban, cara ini disebut dengan Refected Non-Persisent XSS [2], [3]. Apabila hal ini dibiarkan maka akan mendapatkan masalah besar karena bocornya data sekolah ke pihak yang tidak bertanggung jawab.…”

Section: Pendahuluanunclassified

Meningkatkan Keamanan Web Menggunakan Algoritma Advanced Encryption Standard (AES) terhadap Seragan Cross Site Scripting

2021

View full text Add to dashboard Cite

In the millennial era, the internet has become a very basic need to support community activities in various fields, one of which is education. SMK Maritim Nusantara in supporting the learning process uses a web-based application called e-learning which is used by teachers and students. The school website has several documents in digital form that must be kept confidential, such as student data, teacher data, student grades. After scanning using the Acunetix WVS 10.5 application, information was obtained about the security holes found on the website https://www.e-learning.smkmn.sch.id, with the results of which there were 8 (eight) attacks with details, 2 (two). ) a hight category with the name Cross site scripting (XSS) attack, 4 (four) medium categories with the name HTML form attack without CSRF protection and 2 (two) low categories with the name Password type input attack with auto-complete enabled. The most dangerous attack category / hight is XSS. XSS attack is an attack that inserts malicious code in the form of javascript through an input form that aims to steal cookies and then uses the cookie to enter the web legally so that data can be manipulated and even deleted. For this reason, a strong system is needed to maintain security, confidentiality of school data, one way that can be used is by implementing the Standard Advance Encryption Algorithm (AES), this algorithm has a high level of security and uses little memory in its operation so that it does not burdensome to process and easy to implement. The results of research conducted by applying the AES Algorithm explain that previously there were 2 (two) high category vulnerabilities called XSS attacks, after the implementation of the AES Algorithm, the XSS attack vulnerability was no longer found. Based on the results obtained in the study, it can be concluded that the implementation of the AES Algorithm in tokens can improve the security of the https://www.e-learning.smkmn.sch.id website from XSS attacks.

show abstract

Cross Site Scripting: Removing Approaches in Web Application

Cited by 13 publications

References 10 publications

Infeasible Path Detection Based on Code Pattern and Backward Symbolic Execution

Infeasible Path Detection Based on Code Pattern and Backward Symbolic Execution

Optimalisasi dalam Penetrasi Testing Keamanan Website Menggunakan Teknik SQL Injection dan XSS

Meningkatkan Keamanan Web Menggunakan Algoritma Advanced Encryption Standard (AES) terhadap Seragan Cross Site Scripting

Contact Info

Product

Resources

About