Abstract
With the increase in human-web interaction, vulnerabilities have surfaced across the various networks. Rapidly evolving technology and the ease of access offered by web applications have completely revolutionized the traditional view of an office or a company. Web applications carry sensitive data and are accessible 24 × 7. Web site hacking continues to gain popularity as attackers exploit vulnerabilities across all geographies and across many types of web technologies, constantly experimenting with a wide range of attack techniques to compromise websites and steal sensitive data such as credit card numbers, social security numbers and other personal information. The three most commonly used attacks according to the Open Web Application Security Project (2012) vulnerability list are discussed in this paper, namely the SQL injection attack (SQLIA), cross-site scripting (XSS) and cross-site request forgery (CSRF). In this paper, we present a security engine to counter SQLIA, XSS and CSRF attacks.
References
Barth A, Jackson C, Mitchell J (2008) Robust defenses for cross-site request forgery. In: CCS’08 proceedings of 15th ACM conference on Computer and communications security. New York, pp 75–88
Gupta S, Gupta BB (2015a) Cross-site scripting (XSS) attacks and defense mechanisms: classification and state-of-the-art. Int J Syst Assur Eng Manag 6:1–19
Gupta BB, Gupta S (2015b) XSS-SAFE: a server-side approach to detect and mitigate cross-site scripting (XSS) attacks in JavaScript code. Arab J Sci Eng 41(3):897–920
Gupta BB, Gupta S, Gangwar S, Kumar M, Meena PK (2015) Cross-site scripting (XSS) abuse and defense: exploitation on several testing bed environments and its defense. J Inf Priv Sec 11(2):118–136
Halfond W, Orso A (2005) AMNESIA: analysis and monitoring for neutralizing SQL-injection attacks. In: Proceedings of the 20th IEEE and ACM international conference on automated software engineering. ACM, New York, pp 174–183
Jovanovic N, Kirda E, Kruegel C (2006) Preventing cross-site request forgery attacks. In: Proceedings of IEEE international conference on Securecomm and workshops. Baltimore, MD, pp 1–10
Junjin M (2009) An approach for SQL injection vulnerability detection. In: Proceedings of 6th IEEE international conference on information technology: new generations. Las Vegas, pp 1411–1414
Kiezun A, Guo PJ, Jayaraman K, Ernst MD (2009) Automatic creation of SQL injection and cross-site scripting attacks (ARDILLA). In: ICSE'09 proceedings of the 31st international conference on software engineering. Vancouver, pp 199–209
Kunal S, Mohan Das R, Pais AR (2011) Model based hybrid approach to prevent SQL injection attacks in PHP. In: InfoSecHiComNet'11 proceedings of the first international conference on security aspects of information technology. Springer, Berlin, pp 3–15
Lin X, Zavarsky P, Ruhl R, Lindskog D (2009) Threat modeling for CSRF attacks. In: CSE'09 proceedings of the IEEE international conference on computational science and engineering, vol 3. Vancouver, BC, pp 486–491
Louw MT, Venkatakrishnan VN (2009) BLUEPRINT: robust prevention of cross-site scripting attacks for existing browsers. In: Proceedings of 30th IEEE international symposium on security and privacy. Berkeley, CA, pp 331–346
Maes W, Heyman T, Desmet L, Joosen W (2009) Browser protection against cross-site request forgery. In: SecuCode'09 proceedings of the first ACM workshop on secure execution of untrusted code. New York, pp 3–10
Prithvi B, Madhusudan P, Venkatakrishnan VN (2010) CANDID: dynamic candidate evaluations for automatic prevention of SQL injection attacks. ACM Trans Inf Syst Secur 13(2):1–39
Qianjie Z, Chen H, San J (2007) An execution-flow based method for detecting cross-site scripting attacks. In: SEDM proceedings of international conference on software engineering and data mining. Shanghai, pp 160–165
Raju H, Cortesi A (2010) Obfuscation-based analysis of SQL injection attacks. In: ISCC’10 proceedings of the IEEE symposium on computers and communications. Riccione, pp 931–938
Rattipong P, Bunyatnoparat P (2011) Protecting cookies from cross site script attacks using dynamic cookies rewriting technique. In: ICACT proceedings of 13th IEEE international conference on advanced communication technology, pp 1090–1094
Salas MIP, Martins E (2014) Security testing methodology for vulnerabilities detection of XSS in Web services and WS-security. Electron Notes Theor Comput Sci 302:133–154. ISSN:1571-0661
Saleh AZM, Rozali NA, Buja AG, Jalil KA, Ali FHM, Rahman TFA (2015) A method for Web application vulnerabilities detection by using Boyer–Moore string matching algorithm. Proc Comput Sci 72:112–121. ISSN:1877-0509
Shahriar H, Zulkernine M (2010) Client-side detection of cross-site request forgery attacks. In: ISSRE proceedings of 21st IEEE international symposium on software reliability engineering. San Jose, CA, pp 358–367
Shar LK, Tan HBK (2012) Defending against cross-site scripting attacks. IEEE Comput Soc 45(3):55–62
Sharma P, Johari R, Sarma SS (2012) Integrated approach to prevent SQL injection attack and reflected cross site scripting attack. Int J Syst Assur Eng Manag 3(4):343–351
The Open Web Application Security Project (OWASP) (2012) Top 10 2010 - Main. https://www.owasp.org/index.php/Top_10_2010-Main. Accessed 13 Jan 2012
Zhang K-X, Lin C-H, Chen S-J, Hwang YL, Huang H-L, Hsu F-H (2011) TransSQL: a translation- and validation-based solution for SQL-injection attacks. In: RVSP proceedings of the 1st IEEE international conference on robot, vision and signal processing. Kaohsiung, pp 248–251
Cite this article
Nagpal, B., Chauhan, N. & Singh, N. SECSIX: security engine for CSRF, SQL injection and XSS attacks. Int J Syst Assur Eng Manag 8 (Suppl 2), 631–644 (2017). https://doi.org/10.1007/s13198-016-0489-0
DOI: https://doi.org/10.1007/s13198-016-0489-0