Journal articles
23 articles found (this page lists articles 1-20)
1. Design & Test of an Advanced Web Security Analysis Tool (AWSAT)
Authors: Meenakshi S. P. Manikandaswamy, Vijay Madisetti. 《Journal of Software Engineering and Applications》 2024, No. 5, pp. 448-461 (14 pages).
Abstract: Considering the escalating frequency and sophistication of cyber threats targeting web applications, this paper proposes the development of an automated web security analysis tool to address the accessibility gap for non-security professionals. This paper presents the design and implementation of an automated web security analysis tool, AWSAT, aimed at enabling individuals with limited security expertise to effectively assess and mitigate vulnerabilities in web applications. Leveraging advanced scanning techniques, the tool identifies common threats such as Cross-Site Scripting (XSS), SQL Injection, and Cross-Site Request Forgery (CSRF), providing detailed reports with actionable insights. By integrating sample payloads and reference study links, the tool facilitates informed decision-making in enhancing the security posture of web applications. Through its user-friendly interface and robust functionality, the tool aims to democratize web security practices, empowering a wider audience to proactively safeguard against cyber threats.
Keywords: web security; automated analysis; vulnerability assessment; web scanning; Cross-Site Scripting; SQL Injection; Cross-Site Request Forgery
2. ECC Based Threshold Decryption Scheme and Its Application in Web Security
Authors: 张险峰, 张峰, +1 more author, 秦志光, 刘锦德. 《Journal of Electronic Science and Technology of China》 2004, No. 4, pp. 41-46 (6 pages). Cited by: 2.
Abstract: Threshold cryptography provides a new approach to building intrusion tolerance applications. In this paper, a threshold decryption scheme based on elliptic curve cryptography is presented. A zero-knowledge test approach based on elliptic curve cryptography is designed. The application of these techniques in Web security is studied. Performance analysis shows that our scheme is characterized by excellent security as well as high efficiency.
Keywords: intrusion tolerance; elliptic curve cryptography; threshold decryption; web security
3. Secure Web Application Technologies Implementation through Hardening Security Headers Using Automated Threat Modelling Techniques
Authors: Maduhu Mshangi Mlyatu, Camilius Sanga. 《Journal of Information Security》 2023, No. 1, pp. 1-15 (15 pages).
Abstract: This paper investigates whether security headers are enforced to mitigate cyber-attacks in web-based systems in cyberspace. The security headers examined include X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security, Referrer-Policy, Content-Security-Policy, and Permissions-Policy. The study employed a controlled experiment using a security header analysis tool. The web-based applications (websites) were analyzed to determine whether security headers have been correctly implemented. The experiment was iterated for 100 universities in Africa which are ranked high. The purposive sampling technique was employed to understand the status quo of the security headers implementations. The results revealed that 70% of the web-based applications in Africa have not enforced security headers in web-based applications. The study proposes a secure system architecture design for addressing web-based applications’ misconfiguration and insecure design. It presents security techniques for securing web-based applications through hardening security headers using automated threat modelling techniques. Furthermore, it recommends adopting the security headers in web-based applications using the proposed secure system architecture design.
Keywords: secure web applications; security headers; systems security; secure web architecture design
4. A Website Security Risk Assessment Method Based on the I-BAG Model
Authors: Lin Liu, Liang Liu, +2 more authors, Cheng Huang, Zhao Zhang, Yong Fang. 《China Communications》 (SCIE, CSCD) 2016, No. 5, pp. 172-181 (10 pages).
Abstract: In order to protect the website and assess the security risk of the website, a novel website security risk assessment method is proposed based on the improved Bayesian attack graph (I-BAG) model. First, the Improved Bayesian attack graph model is established, which takes attack benefits and threat factors into consideration. Compared with the existing attack graph models, it can better describe the website's security risk. Then, the improved Bayesian attack graph is constructed with optimized website attack graph, attack benefit nodes, threat factor nodes and the local conditional probability distribution of each node, which is calculated accordingly. Finally, the website's attack probability and risk value are calculated on the level of nodes, hosts and the whole website separately. The experimental results demonstrate that the risk evaluating method based on the proposed I-BAG model is an effective way for assessing the website security risk.
Keywords: web security; risk assessment; attack graph; Bayesian network
5. JShellDetector: A Java Fileless Webshell Detector Based on Program Analysis
Authors: Xuyan Song, Yiting Qin, +2 more authors, Xinyao Liu, Baojiang Cui, Junsong Fu. 《Computers, Materials & Continua》 (SCIE, EI) 2023, No. 4, pp. 2061-2078 (18 pages).
Abstract: Fileless webshell attacks against Java web applications have become more frequent in recent years as Java has gained market share. Webshell is a malicious script that can remotely execute commands and invade servers. It is widely used in attacks against web applications. In contrast to traditional file-based webshells, fileless webshells leave no traces on the hard drive, which means they are invisible to most antivirus software. To make matters worse, although there are some studies on fileless webshells, almost all of them are aimed at web applications developed in the PHP language. The complex mechanism of Java makes researchers face more challenges. To mitigate this attack, this paper proposes JShellDetector, a fileless webshell detector for Java web applications based on program analysis. JShellDetector uses method probes to capture dynamic characteristics of web applications in the Java Virtual Machine (JVM). When a suspicious class tries to call a specific sensitive method, JShellDetector catches it and converts it from the JVM to a bytecode file. Then, JShellDetector builds a Jimple-based control flow graph and processes it using taint analysis techniques. A suspicious class is considered malicious if there is a valid path from sources to sinks. To demonstrate the effectiveness of the proposed approach, we manually collect 35 test cases (all open source on GitHub) and test JShellDetector and only two other Java fileless webshell detection tools. The experimental results show that the detection rate of JShellDetector reaches 77.1%, which is about 11% higher than the other two tools.
Keywords: web security; fileless webshell; Java web application; malware
6. The design and implementation of web mining in web sites security
Authors: LI Jian, ZHANG Guo-yin, GU Guo-chang, LI Jian-li (College of Computer Science and Technology, Harbin Engineering University, Harbin 150001, China). 《Journal of Marine Science and Application》 2003, No. 1, pp. 81-86 (6 pages). Cited by: 2.
Abstract: The backdoor or information leak of Web servers can be detected by using Web Mining techniques on some abnormal Web log and Web application log data. The security of Web servers can be enhanced and the damage of illegal access can be avoided. Firstly, the system for discovering the patterns of information leakages in CGI scripts from Web log data was proposed. Secondly, those patterns for system administrators to modify their codes and enhance their Web site security were provided. The following aspects were described: one is to combine the web application log with the web log to extract more information, so web data mining could be used to mine the web log for discovering the information that the firewall and Information Detection System cannot find. Another approach is to propose an operation module of the web site to enhance Web site security. In the cluster server session, the Density-Based Clustering technique is used to reduce resource cost and obtain better efficiency.
Keywords: data mining; web log mining; web sites security; density-based clustering
7. Design and Implementation of Web Services Security Based on Message Layer
Authors: WANG Cui-ru, XU Zheng-wei, YUAN He-jin, MA Hui-min. 《Wuhan University Journal of Natural Sciences》 (CAS) 2004, No. 5, pp. 755-759 (5 pages). Cited by: 1.
Abstract: Along with the development of the Internet, Web Services technology is a new branch of Web application program, and it has become a hotspot in computer science. However, it has not made great progress in research on Web Services security. Traditional security solutions cannot satisfy the Web Services security requirements of selective protection, end-to-end security and application layer security. Web Services technology needs a solution integrated in the Web Services framework to realize end-to-end security. Based on cryptography and Web Services technology and according to the W3C XML Encryption specification, XML Digital Signature specification and WS-Security, which were proposed by IBM and Microsoft, a new Web services security model based on the message layer is put forward in this paper. The message layer is composed of message handlers. It is inserted into the message processing sequence and provides transparent security services for Web Services. To verify the model, a Web Services security system is realized on the .NET platform. The implementation version of the model can provide various security services, and has advantages such as security, scalability, security controllability and end-to-end security at the message level.
Biography: WANG Cui-ru (1954-), female, Professor, research direction: database and information management system.
Keywords: web services; web services security; message layer
8. Detection and defending the XSS attack using novel hybrid stacking ensemble learning-based DNN approach
Authors: Muralitharan Krishnan, Yongdo Lim, +1 more author, Seethalakshmi Perumal, Gayathri Palanisamy. 《Digital Communications and Networks》 (SCIE, CSCD) 2024, No. 3, pp. 716-727 (12 pages). Cited by: 1.
Abstract: Existing web-based security applications have failed in many situations due to the great intelligence of attackers. Among web applications, Cross-Site Scripting (XSS) is one of the dangerous assaults experienced while modifying an organization's or user's information. To avoid these security challenges, this article proposes a novel, all-encompassing combination of machine learning (NB, SVM, k-NN) and deep learning (RNN, CNN, LSTM) frameworks for detecting and defending against XSS attacks with high accuracy and efficiency. Based on the representation, a novel idea for merging stacking ensemble with web applications, termed “hybrid stacking”, is proposed. In order to implement the aforementioned methods, four distinct datasets, each of which contains both safe and unsafe content, are considered. The hybrid detection method can adaptively identify the attacks from the URL, and the defense mechanism inherits the advantages of URL encoding with dictionary-based mapping to improve prediction accuracy, accelerate the training process, and effectively remove the unsafe JScript/JavaScript keywords from the URL. The simulation results show that the proposed hybrid model is more efficient than the existing detection methods. It produces more than 99.5% accurate XSS attack classification results (accuracy, precision, recall, f1_score, and Receiver Operating Characteristic (ROC)) and is highly resistant to XSS attacks. In order to ensure the security of the server's information, the proposed hybrid approach is demonstrated in a real-time environment.
Keywords: machine learning; deep neural networks; classification; stacking ensemble; XSS attack; URL encoding; JScript/JavaScript; web security
9. Implementation of a Comprehensive Information Management Platform for Public Security Based on Java Technology
Authors: Jin Xue, Yali Yuan. 《计算机科学与技术汇刊(中英文版)》 2023, No. 1, pp. 11-16 (6 pages).
Abstract: Due to the rapid development of electronic information technology, the development of Internet technology and system software development technology has become more and more common. Especially, along with the development of public security, there are more and more provisions for a standard administrative department management system, improving office efficiency and enhancing decision encouragement. Therefore, it is of great practical value to design and complete a comprehensive public security business information system. Based on Java technology, this paper designs and builds a comprehensive information management platform for public security through the analysis of comprehensive public security business, and also gets good feedback during the actual test, which confirms the feasibility of the system.
Keywords: public security; comprehensive business information system; Java; workflow; web information security
10. A Survey of Web Information System and Applications
Authors: HAN Yanbo, LI Juanzi, +3 more authors, YANG Nan, LIU Qing, XU Baowen, MENG Xiaofeng. 《Wuhan University Journal of Natural Sciences》 (CAS) 2007, No. 5, pp. 769-772 (4 pages).
Abstract: The fourth international conference on Web information systems and applications (WISA 2007) has received 409 submissions and has accepted 37 papers for publication in this issue. The papers cover broad research areas, including Web mining and data warehouse, Deep Web and Web integration, P2P networks, text processing and information retrieval, as well as Web Services and Web infrastructure. After briefly introducing the WISA conference, the survey outlines the current activities and future trends concerning Web information systems and applications based on the papers accepted for publication.
Keywords: web mining; data warehouse; Deep Web; web integration; web services; P2P computing; text processing; information retrieval; web security
11. Webpage Matching Based on Visual Similarity
Authors: Mengmeng Ge, Xiangzhan Yu, +1 more author, Lin Ye, Jiantao Shi. 《Computers, Materials & Continua》 (SCIE, EI) 2022, No. 5, pp. 3393-3405 (13 pages).
Abstract: With the rapid development of the Internet, the types of webpages are more abundant than in previous decades. However, it becomes severe that people are facing more and more significant network security risks and enormous losses caused by phishing webpages, which imitate the interface of real webpages and deceive the victims. To better identify and distinguish phishing webpages, a visual feature extraction method and a visual similarity algorithm are proposed. First, the visual feature extraction method improves the Vision-based Page Segmentation (VIPS) algorithm to extract the visual block and calculate its signature by perceptual hash technology. Second, the visual similarity algorithm presents a one-to-one correspondence based on the visual blocks’ coordinates and thresholds. Then the weights are assigned according to the tree structure, and the similarity of the visual blocks is calculated on the basis of the measurement of the visual features’ Hamming distance. Further, the visual similarity of webpages is generated by integrating the similarity and weight of different visual blocks. Finally, multiple pairs of phishing webpages and legitimate webpages are evaluated to verify the feasibility of the algorithm. The experimental results achieve excellent performance and demonstrate that our method can achieve 94% accuracy.
Keywords: web security; visual feature; perceptual hash; visual similarity
12. Injections Attacks Efficient and Secure Techniques Based on Bidirectional Long Short Time Memory Model
Authors: Abdulgbar A. R. Farea, Gehad Abdullah Amran, +4 more authors, Ebraheem Farea, Amerah Alabrah, Ahmed A. Abdulraheem, Muhammad Mursil, Mohammed A. A. Al-qaness. 《Computers, Materials & Continua》 (SCIE, EI) 2023, No. 9, pp. 3605-3622 (18 pages). Cited by: 1.
Abstract: E-commerce, online ticketing, online banking, and other web-based applications that handle sensitive data, such as passwords, payment information, and financial information, are widely used. Various web developers may have varying levels of understanding when it comes to securing an online application. Structured Query Language (SQL) injection and cross-site scripting (XSS) are the two vulnerabilities defined by the Open Web Application Security Project (OWASP) for its 2017 Top Ten List. An attacker can exploit these two flaws and launch malicious web-based actions as a result of these flaws. Many published articles focused on these attacks’ binary classification. This article described a novel deep-learning approach for detecting SQL injection and XSS attacks. The datasets for SQL injection and XSS payloads are combined into a single dataset. The dataset is labeled manually into three labels, each representing a kind of attack. This work implements some pre-processing algorithms, including Porter stemming, one-hot encoding, and the word-embedding method to convert a word’s text into a vector. Our model used bidirectional long short-term memory (BiLSTM) to extract features automatically, train, and test the payload dataset. The payloads were classified into three types by BiLSTM: XSS, SQL injection attacks, and normal. The outcomes demonstrated excellent performance in classifying payloads into XSS attacks, injection attacks, and non-malicious payloads. BiLSTM’s high performance was demonstrated by its accuracy of 99.26%.
Keywords: web security; SQL injection; XSS; deep learning; RNN; LSTM; BiLSTM
13. SmartEagleEye: A Cloud-Oriented Webshell Detection System Based on Dynamic Gray-Box and Deep Learning
Authors: Xin Liu, Yingli Zhang, +4 more authors, Qingchen Yu, Jiajun Min, Jun Shen, Rui Zhou, Qingguo Zhou. 《Tsinghua Science and Technology》 (SCIE, EI, CAS, CSCD) 2024, No. 3, pp. 766-783 (18 pages).
Abstract: Compared with traditional environments, the cloud environment exposes online services to additional vulnerabilities and threats of cyber attacks, and the cyber security of cloud platforms is becoming increasingly prominent. A piece of code, known as a Webshell, is usually uploaded to the target servers to achieve multiple attacks. Preventing Webshell attacks has become a hot spot in current research. Moreover, the traditional Webshell detectors are not built for the cloud, making it highly difficult to play a defensive role in the cloud environment. SmartEagleEye, a Webshell detection system based on deep learning that is successfully applied in various scenarios, is proposed in this paper. This system contains two important components: gray-box and neural network analyzers. The gray-box analyzer defines a series of rules and algorithms for extracting static and dynamic behaviors from the code to make the decision jointly. The neural network analyzer transforms suspicious code into Operation Code (OPCODE) sequences, turning the detection task into a classification problem. Comprehensive experiment results show that SmartEagleEye achieves an encouraging high detection rate and an acceptable false-positive rate, which indicate its capability to provide good protection for the cloud environment.
Keywords: Webshell detection; cloud; web security; deep learning
14. Efficient Certificateless Authenticated Key Agreement Protocol from Pairings
Authors: WANG Shengbao, CAO Zhenfu, WANG Licheng. 《Wuhan University Journal of Natural Sciences》 (CAS) 2006, No. 5, pp. 1278-1282 (5 pages). Cited by: 24.
Abstract: In the area of secure Web information systems, mutual authentication and key agreement are essential between Web clients and servers. An efficient certificateless authenticated key agreement protocol for the Web client/server setting is proposed, which uses pairings on certain elliptic curves. We show that the newly proposed key agreement protocol is practical and of great efficiency; meanwhile, it satisfies all desired security requirements for key agreement protocols.
Keywords: web security; authenticated key agreement; certificateless public key cryptography; bilinear pairings
15. A Convolution-Based System for Malicious URLs Detection
Authors: Chaochao Luo, Shen Su, +3 more authors, Yanbin Sun, Qingji Tan, Meng Han, Zhihong Tian. 《Computers, Materials & Continua》 (SCIE, EI) 2020, No. 1, pp. 399-411 (13 pages). Cited by: 3.
Abstract: Since the web service is essential in daily lives, cyber security becomes more and more important in this digital world. A malicious Uniform Resource Locator (URL) is a common and serious threat to cybersecurity. It hosts unsolicited content and lures unsuspecting users to become victims of scams, such as theft of private information, monetary loss, and malware installation. Thus, it is imperative to detect such threats. However, traditional approaches for malicious URL detection that are based on blacklists are easy to bypass and lack the ability to detect newly generated malicious URLs. In this paper, we propose a novel malicious URL detection method based on a deep learning model to protect against web attacks. Specifically, we first use an auto-encoder to represent URLs. Then, the represented URLs will be input into a proposed composite neural network for detection. In order to evaluate the proposed system, we made extensive experiments on the HTTP CSIC2010 dataset and a dataset we collected, and the experimental results show the effectiveness of the proposed approach.
Keywords: CNN; anomaly detection; web security; auto-encoder; deep learning
16. Adversarial Attacks on Featureless Deep Learning Malicious URLs Detection
Authors: Bader Rasheed, Adil Khan, +3 more authors, S. M. Ahsan Kazmi, Rasheed Hussain, Md. Jalil Piran, Doug Young Suh. 《Computers, Materials & Continua》 (SCIE, EI) 2021, No. 7, pp. 921-939 (19 pages).
Abstract: Detecting malicious Uniform Resource Locators (URLs) is crucially important to prevent attackers from committing cybercrimes. Recent research has investigated the role of machine learning (ML) models to detect malicious URLs. By using ML algorithms, first, the features of URLs are extracted, and then different ML models are trained. The limitation of this approach is that it requires manual feature engineering and it does not consider the sequential patterns in the URL. Therefore, deep learning (DL) models are used to solve these issues since they are able to perform featureless detection. Furthermore, DL models give better accuracy and generalization to newly designed URLs; however, the results of our study show that these models, like any other DL models, can be susceptible to adversarial attacks. In this paper, we examine the robustness of these models and demonstrate the importance of considering this susceptibility before applying such detection systems in real-world solutions. We propose and demonstrate a black-box attack based on scoring functions with greedy search for the minimum number of perturbations leading to a misclassification. The attack is examined against different types of convolutional neural network (CNN)-based URL classifiers and it causes a tangible decrease in the accuracy, with more than 56% reduction in the accuracy of the best classifier (among the selected classifiers for this work). Moreover, adversarial training shows promising results in reducing the influence of the attack on the robustness of the model to less than 7% on average.
Keywords: malicious URLs; detection; deep learning; adversarial attack; web security
17. Performance Analysis of Cross-Site Scripting Based on Natural Language Processing
Authors: Mengda Xu, Luqun Li. 《Journal of Harbin Institute of Technology (New Series)》 (CAS) 2022, No. 4, pp. 19-25 (7 pages).
Abstract: With the acceleration of network communication in the 5G era, the volume of data communication in cyberspace has increased unprecedentedly. The speed of data transmission will accelerate. Subsequently, the security of network communication data becomes more and more serious. Among them, malicious cross-site scripting leading to the leakage of user information is very serious. This article uses the URL attribute analysis method and YARA rules to process data for cross-site scripting based on the long short-term memory (LSTM) characteristics of the LSTM model. The results show that the LSTM classification model adopted in this paper has a higher recall rate and F1-score than other machine learning methods, which proves that the method adopted in this paper is feasible.
Keywords: cross-site scripting; network communication; web security; natural language processing
18. Cross-Site Scripting Attacks and Defensive Techniques: A Comprehensive Survey
Authors: Sonkarlay J. Y. Weamie. 《International Journal of Communications, Network and System Sciences》 2022, No. 8, pp. 126-148 (23 pages). Cited by: 1.
Abstract: The advancement of technology and the digitization of organizational functions and services have propelled the world into a new era of computing capability and sophistication. The proliferation and usability of such complex technological services raise several security concerns. One of the most critical concerns is cross-site scripting (XSS) attacks. This paper has concentrated on revealing and comprehensively analyzing XSS injection attacks, detection, and prevention concisely and accurately. I have done a thorough study and reviewed several research papers and publications with a specific focus on the researchers’ defensive techniques for preventing XSS attacks and subdivided them into five categories: machine learning techniques, server-side techniques, client-side techniques, proxy-based techniques, and combined approaches. The majority of existing cutting-edge XSS defensive approaches carefully analyzed in this paper offer protection against the traditional XSS attacks, such as stored and reflected XSS. There is currently no reliable solution to provide adequate protection against the newly discovered XSS attacks known as DOM-based and mutation-based XSS attacks. After reading all of the proposed models and identifying their drawbacks, I recommend a combination of static, dynamic, and code auditing in conjunction with secure coding and continuous user awareness campaigns about XSS emerging attacks.
Keywords: XSS attacks; defensive techniques; vulnerabilities; web application security
19. Electrolint and security of Electron applications
Authors: Ksenia Peguero, Xiuzhen Cheng. 《High-Confidence Computing》 2021, No. 2, pp. 14-25 (12 pages).
Abstract: JavaScript applications today are not limited to just client-side web applications and server-side code powered by Node.js. They became the standard for desktop application development with the emergence and popularity of the Electron framework. Combining the features of client-side and server-side applications, the Electron applications possess a completely different security posture. The attacks typical for front-end applications can now be escalated to the back-end attacks, for example, making a cross-site scripting result in a remote code execution on the user’s machine. The goal of our study is to analyze the typical security vulnerabilities of an Electron application, study common mitigation controls, and propose new remediation solutions that are easy to implement for developers. In this study we analyze security vulnerabilities in over a hundred open source Electron applications using automated and manual static analysis. We explore the mitigation controls existing in the Electron framework, and propose changes to the framework that will prevent many of the common vulnerabilities. Based on these results, we develop an IDE plugin for Electron applications that automatically suggests remediations to common security defects within a developer’s work environment, thus shifting the fixing of a vulnerability to earlier in the software development life cycle. We show the effectiveness of the IDE plugin by applying the plugin’s suggestions to the analyzed open source applications and demonstrating that they stop being exploitable after the applied fix.
Keywords: JavaScript security; web security; desktop security; framework analysis; Electron framework; static analysis
20. CSRF protection in JavaScript frameworks and the security of JavaScript applications
Authors: Ksenia Peguero, Xiuzhen Cheng. 《High-Confidence Computing》 2021, No. 2, pp. 7-13 (7 pages).
Abstract: With JavaScript being the most popular programming language on the web, several new JavaScript frameworks are released every year. A well designed framework may help developers create secure applications. The goal of our study is to understand how framework developers can best protect applications developed using their framework. In this work we studied how cross-site request forgery vulnerability is mitigated in several server-side JavaScript frameworks: Express.js, Koa.js, Hapi.js, Sails.js, and Meteor.js. We then analyzed open source applications developed with these frameworks using open source and custom written tools for automated static analysis and identified the percentage of protected applications for each framework. We correlated our analysis results to the implementation levels of mitigating controls in each framework and performed statistical analysis of our results to ensure no other confounding factors were involved. Based on the received outcomes we provide recommendations for framework developers on how to create frameworks that produce secure applications.
Keywords: JavaScript security; web security; web frameworks; framework analysis; Cross-site request forgery