A major issue while building web applications is proper input validation and sanitization.Attackers can quickly exploit errors and vulnerabilities that lead to malicious behavior in web application validation operatio...A major issue while building web applications is proper input validation and sanitization.Attackers can quickly exploit errors and vulnerabilities that lead to malicious behavior in web application validation operations.Attackers are rapidly improving their capabilities and technologies and now focus on exploiting vulnerabilities in web applications and compromising confidentiality.Cross-site scripting(XSS)and SQL injection attack(SQLIA)are attacks in which a hacker sends malicious inputs(cheat codes)to confuse a web application,to access or disable the application’s back-end without user awareness.In this paper,we explore the problem of detecting and removing bugs from both client-side and server-side code.A new idea that allows assault detection and prevention using the input validation mechanism is introduced.In addition,the project supports web security tests by providing easy-to-use and accurate models of vulnerability prediction and methods for validation.If these attributes imply a program statement that is vulnerable in an SQLIA,this can be evaluated and checked for a set of static code attributes.Additionally,we provide a script whitelisting interception layer built into the browser’s JavaScript engine,where the SQLIA is eventually detected and the XSS attack resolved using the method of input validation and script whitelisting under pushdown automatons.This framework was tested under a scenario of an SQL attack and XSS.It is demonstrated to offer an extensive improvement over the current framework.The framework’s main ability lies in the decrease of bogus positives.It has been demonstrated utilizing new methodologies,nevertheless giving unique access to sites dependent on the peculiarity score related to web demands.Our proposed input validation framework is shown to identify all anomalies and delivers better execution in contrast with the current program.展开更多
Current trusted computing platform only verifies application's static Hash value, it could not prevent application from being dynamic attacked. This paper gives one static analysis-based behavior model building metho...Current trusted computing platform only verifies application's static Hash value, it could not prevent application from being dynamic attacked. This paper gives one static analysis-based behavior model building method for trusted computing dynamic verification, including control flow graph (CFG) building, finite state automata (FSA) constructing, e run cycle removing, e transition removing, deterministic finite state (DFA) constructing, trivial FSA removing, and global push down automata (PDA) constructing. According to experiment, this model built is a reduced model for dynamic verification and covers all possible paths, because it is based on binary file static analysis.展开更多
基金Taif University supported this study through Taif University Researcher Support Project(TURSP-2020/115).
文摘A major issue while building web applications is proper input validation and sanitization.Attackers can quickly exploit errors and vulnerabilities that lead to malicious behavior in web application validation operations.Attackers are rapidly improving their capabilities and technologies and now focus on exploiting vulnerabilities in web applications and compromising confidentiality.Cross-site scripting(XSS)and SQL injection attack(SQLIA)are attacks in which a hacker sends malicious inputs(cheat codes)to confuse a web application,to access or disable the application’s back-end without user awareness.In this paper,we explore the problem of detecting and removing bugs from both client-side and server-side code.A new idea that allows assault detection and prevention using the input validation mechanism is introduced.In addition,the project supports web security tests by providing easy-to-use and accurate models of vulnerability prediction and methods for validation.If these attributes imply a program statement that is vulnerable in an SQLIA,this can be evaluated and checked for a set of static code attributes.Additionally,we provide a script whitelisting interception layer built into the browser’s JavaScript engine,where the SQLIA is eventually detected and the XSS attack resolved using the method of input validation and script whitelisting under pushdown automatons.This framework was tested under a scenario of an SQL attack and XSS.It is demonstrated to offer an extensive improvement over the current framework.The framework’s main ability lies in the decrease of bogus positives.It has been demonstrated utilizing new methodologies,nevertheless giving unique access to sites dependent on the peculiarity score related to web demands.Our proposed input validation framework is shown to identify all anomalies and delivers better execution in contrast with the current program.
基金Supported by the National High Technology Research and Development Program of China (863 Program) (2006AA01Z442, 2007AA01Z411)the National Natural Science Foundation of China (60673071, 60970115)Open Foundation of State Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education in China (AISTC2008Q03)
文摘Current trusted computing platform only verifies application's static Hash value, it could not prevent application from being dynamic attacked. This paper gives one static analysis-based behavior model building method for trusted computing dynamic verification, including control flow graph (CFG) building, finite state automata (FSA) constructing, e run cycle removing, e transition removing, deterministic finite state (DFA) constructing, trivial FSA removing, and global push down automata (PDA) constructing. According to experiment, this model built is a reduced model for dynamic verification and covers all possible paths, because it is based on binary file static analysis.
