Two for the price of one: A combined browser defense against XSS and clickjacking

Rao, Kanpata Sudhakara; Jain, Naman; Limaje, Nikhil; Gupta, Abhilash; Jain, Mridul; Menezes, Bernard

doi:10.1109/iccnc.2016.7440629

Cited by 10 publications

(3 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…X-Frame-Options security header has three options values which can be set: DENY, SAMEORIGIN, or ALLOW-FROM URI. DENY: stops any web-based domain application from enclosing the content; this is recommended setting for mitigating cyber-attacks such as clickjacking attacks [18] [26]. SAMEORIGIN allows only the current web application to frame its content.…”

Section: Proposed Secure Web-based Architecture Designmentioning

confidence: 99%

Secure Web Application Technologies Implementation through Hardening Security Headers Using Automated Threat Modelling Techniques

Mlyatu¹,

Sanga²

2023

JIS

View full text Add to dashboard Cite

This paper investigates whether security headers are enforced to mitigate cyber-attacks in web-based systems in cyberspace. The security headers examined include X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security, Referrer-Policy, Content-Security-Policy, and Permissions-Policy. The study employed a controlled experiment using a security header analysis tool. The web-based applications (websites) were analyzed to determine whether security headers have been correctly implemented. The experiment was iterated for 100 universities in Africa which are ranked high. The purposive sampling technique was employed to understand the status quo of the security headers implementations. The results revealed that 70% of the web-based applications in Africa have not enforced security headers in web-based applications. The study proposes a secure system architecture design for addressing web-based applications' misconfiguration and insecure design. It presents security techniques for securing web-based applications through hardening security headers using automated threat modelling techniques. Furthermore, it recommends adopting the security headers in web-based applications using the proposed secure system architecture design.

show abstract

Section: Proposed Secure Web-based Architecture Designmentioning

confidence: 99%

Secure Web Application Technologies Implementation through Hardening Security Headers Using Automated Threat Modelling Techniques

Mlyatu¹,

Sanga²

2023

JIS

View full text Add to dashboard Cite

show abstract

“…al. [2] presented an extension of Mozilla Firefox browser and named as XBuster. It prevents end user from the attacks including XSS, clickjacking, partial script injection, attribute injection, and HTML injection.…”

Section: Literature Reviewmentioning

confidence: 99%

A Framework for Web Application Vulnerability Detection

Kalim¹,

Jha²,

Tomar³

et al. 2020

IJEAT

View full text Add to dashboard Cite

Hardly a facet of human life is not influenced by theInternet due to the continuous proliferation in the Internet facilities, usage, speed, user friendly browsing, global access, etc. At flip side, hackers are also attacking this digital world with new tactics and techniques through exploiting the web application vulnerabilities. The analysis of these vulnerabilities is of paramount importance in direction to secure social digital world. It can be carried out in two ways. First, manual analysis which is error prone due to the human nature of forgiveness, dynamic change in technology and fraudulence attack techniques. Second, through the existing web application vulnerability scanners that sometime may suffer from generating false alarm rate. Hence, there is a need to develop a framework that can detect different levels of vulnerabilities, ranging from client side vulnerabilities, communication side vulnerabilities to server side vulnerabilities. This paper has carried out the literature survey in direction of identifying the new attack vectors, vulnerabilities, detection mechanism, research gaps and new working areas in same field. Continuous improvement in framework is easy.Hence, a framework is proposed to overcome the identified research gap.

show abstract

“…This study shows that research in the server-side approach area with the static analysis method is the most studied. Reflected XSS detection has been widely studied using regular expression and string-matching methods (Bates et al, 2010;Pelizzi & Sekar, 2012;Rao et al, 2016;Wang & Zhou, 2016) Most injection attacks research only focuses on how to detect these injection attacks, filtering input as a defense mechanism, or also preventing the entry of injection attacks code by utilizing third-party software such as intrusion detection system (Bisht & Venkatakrishnan, 2008;Bozic & Wotawa, 2013;Gupta & Gupta, 2017;Kumar Singh & Roy, 2012). However, no research discusses how to assess the ability of malicious hackers to exploit injection vulnerabilities of the complexity of the injection attacks.…”

Section: Introductionmentioning

confidence: 99%

Automation of Quantifying Security Risk Level on Injection Attacks Based on Common Vulnerability Scoring System Metric

Kurniawan¹,

Darus²,

Ariffin³

et al. 2023

JST

View full text Add to dashboard Cite

An injection attack is a cyber-attack that is one of The Open Web Application Security Project Top 10 Vulnerabilities. These attacks take advantage of insufficient user input validation into the system through the input surface of a Web application as that user in the browser. The company’s cyber security team must filter thousands of attacks to prioritize which attacks are considered the most dangerous to be mitigated first. This activity of filtering thousands of attacks takes much time because you have to check these attacks one by one. Therefore, a method is needed to assess how dangerous a cyber-attack is that enters an organization’s or company’s server. Injection attack detection can be done by analyzing the request data in the web server log. Our research attempts to perform quantification modeling of the variations of two types of injection attacks, SQL Injection (SQLi) and Cross-Site Scripting (XSS), using Common Vulnerability Scoring System Metrics (CVSS). CVSS metrics are generally used to calculate the level of dangerous weakness in the system. This metric is never used to calculate the level of how dangerous an attack is. The modeling that we have made shows that SQLi and XSS attacks have many variations in levels ranging from low to high levels. We discovered that when classified with Common Weakness Enumeration Database, SQLi and XSS attacks CVE values would have high-level congruence with almost 94% value between one another vector on CVSS.

show abstract

Two for the price of one: A combined browser defense against XSS and clickjacking

Cited by 10 publications

References 8 publications

Secure Web Application Technologies Implementation through Hardening Security Headers Using Automated Threat Modelling Techniques

Secure Web Application Technologies Implementation through Hardening Security Headers Using Automated Threat Modelling Techniques

A Framework for Web Application Vulnerability Detection

Automation of Quantifying Security Risk Level on Injection Attacks Based on Common Vulnerability Scoring System Metric

Contact Info

Product

Resources

About