Funding: Taif University supported this study through Taif University Researcher Support Project (TURSP-2020/115).
Abstract: A major issue while building web applications is proper input validation and sanitization. Attackers can quickly exploit errors and vulnerabilities in a web application's validation operations that lead to malicious behavior. Attackers are rapidly improving their capabilities and technologies and now focus on exploiting vulnerabilities in web applications and compromising confidentiality. Cross-site scripting (XSS) and SQL injection attacks (SQLIA) are attacks in which a hacker sends malicious inputs (cheat codes) to confuse a web application, in order to access or disable the application's back end without user awareness. In this paper, we explore the problem of detecting and removing bugs from both client-side and server-side code. A new idea that allows attack detection and prevention using the input validation mechanism is introduced. In addition, the project supports web security tests by providing easy-to-use and accurate models of vulnerability prediction and methods for validation. A set of static code attributes is evaluated and checked to determine whether these attributes imply that a program statement is vulnerable to an SQLIA. Additionally, we provide a script whitelisting interception layer built into the browser's JavaScript engine, where the SQLIA is eventually detected and the XSS attack resolved using the method of input validation and script whitelisting under pushdown automata. This framework was tested under a scenario of an SQL attack and XSS. It is demonstrated to offer an extensive improvement over the current framework. The framework's main strength lies in the reduction of false positives. It has been demonstrated utilizing new methodologies, nevertheless giving unique access to sites dependent on the anomaly score related to web requests. Our proposed input validation framework is shown to identify all anomalies and delivers better performance in contrast with the current program.
Funding: Supported by the National Natural Science Foundation of China under Grant No. 61932021; the Leading-Edge Technology Program of Jiangsu Natural Science Foundation of China under Grant No. BK20202001; the National Natural Science Foundation of China under Grant No. 61902173; and the Natural Science Foundation of Jiangsu Province of China under Grant No. BK20190299.
Abstract: Context-aware systems (a.k.a. CASs) integrate cyber and physical space to provide adaptive functionalities in response to changes in context. Building context-aware systems is challenging due to the uncertain running environment. Therefore, many input validation approaches have been proposed to protect context-aware systems from uncertainty and keep them executing safely. However, although context-aware systems prevail in physical environments, most of those academic solutions (83%) are evaluated purely in simulated environments. In this article, we study whether this evaluation setting could lead to biased conclusions. We build a testing platform, RM-Testing, based on the DJI RoboMaster robot car, to conduct physical-environment based experiments. We select three up-to-date input validation approaches and compare their performance in the simulated environment and in the physical environment. The experimental results show that all three approaches' performance in simulated environments (improving the task success rate by 82% compared with the system without the support of input validation) does differ from their performance in a physical environment (improving the task success rate by 50%). We also identify three factors (scenario setting, physical platform and environmental model) that affect the performance of input validation approaches, based on an execution model of the context-aware system.