Malik Muhammad Nadeem,Yousaf Raza,Ahthasham Sajid,Hamza Razzaq,Rida Malik,Sugandima Vidanagamachchi

DOI: https://doi.org/10.3991/itdaf.v2i2.51015

2024-09-18

Abstract:Web sockets (WS) have revolutionized real-time online communication by enabling twoway communication channels using a single transmission control protocol (TCP) connection, significantly enhancing the user experience in web applications. However, this advancement has also presented certain security challenges that need to be addressed in order to ensure secure and reliable communication. This review paper delves into the security aspects of WSs, analyzing and contrasting various tactics and methodologies proposed for securing WS connections. By conducting a thorough analysis of notable study contributions dating back to 2015, we have found common vulnerabilities and risks, such as cross-site scripting (XSS), cross-site web socket hijacking (CSWSH), and man-in-the-middle (MITM) attacks. This paper evaluates the effectiveness of several security measures, including confirmation, encryption, and different anomaly detection algorithms. Further, this study scrutinizes the deficiencies and constraints that have been shown in these study initiatives, placing emphasis on areas that require further examination. The main objective of our comprehensive examination is to build a robust foundation for future studies on WS security, promoting the development of more resilient and impervious live communication networks.

Zhaohui Hu,Qi Chen,Ruizhao Yu

DOI: https://doi.org/10.3321/j.issn:1002-8331.2001.10.020

2001-01-01

Abstract:This article introduces the implementation of TCP Protocol and the technique of Port Scanning based on the characteristic of TCP Protocol,at the same time,the several implementations of Port Scanning are also described. We also analyze the potential external attacks that can be made because of the weakness of operation system and the ways to avoid suck kinds of attack are also put up.

LI Dai-li,CHEN Rong

DOI: https://doi.org/10.3969/j.issn.1009-3044.2010.28.016

2010-01-01

Abstract:Some schemes and their features are introduced on web real-time communications. More emphasis is put on studying real-time communication mechanism based on HTML5 Web Socket. Then a comparative experiment is made between WebSocket and AJAX to represent the simple method and high efficiency in developing real-time web applications by WebSocket . At last we provide a low latency and low network throughput solution.

Jungwon Lim,Yonghwi Jin,Mansour Alharthi,Xiaokuan Zhang,Jinho Jung,Rajat Gupta,Kuilin Li,Daehee Jang,Taesoo Kim

DOI: https://doi.org/10.48550/arXiv.2112.15561

2022-01-01

Abstract:Web browsers are integral parts of everyone's daily life. They are commonly used for security-critical and privacy sensitive tasks, like banking transactions and checking medical records. Unfortunately, modern web browsers are too complex to be bug free (e.g., 25 million lines of code in Chrome), and their role as an interface to the cyberspace makes them an attractive target for attacks. Accordingly, web browsers naturally become an arena for demonstrating advanced exploitation techniques by attackers and state-of-the-art defenses by browser vendors. Web browsers, arguably, are the most exciting place to learn the latest security issues and techniques, but remain as a black art to most security researchers because of their fast-changing characteristics and complex code bases. To bridge this gap, this paper attempts to systematize the security landscape of modern web browsers by studying the popular classes of security bugs, their exploitation techniques, and deployed defenses. More specifically, we first introduce a unified architecture that faithfully represents the security design of four major web browsers. Second, we share insights from a 10-year longitudinal study on browser bugs. Third, we present a timeline and context of mitigation schemes and their effectiveness. Fourth, we share our lessons from a full-chain exploit used in 2020 Pwn2Own competition. and the implication of bug bounty programs to web browser security. We believe that the key takeaways from this systematization can shed light on how to advance the status quo of modern web browsers, and, importantly, how to create secure yet complex software in the future.

Cryptography and Security

WU Ming-feng,ZHANG Yong-sheng,LI Yuan-yuan,HAN Yan-mei

DOI: https://doi.org/10.3969/j.issn.1673-629x.2012.01.055

2012-01-01

Abstract:Web service is characterized by its platform-independence,dynamic,openness and loose coupling.These characteristics greatly facilitate the application-to-application integration based on heterogeneous platform,that an increasing number of enterprise use it.Along with the development of Web services,its safe problem is more and more important.Web service art is attracting attackers and hackers to attack the Web services and the servers on which they run.Organizations are therefore facing the challenge of implementing adequate security for Web services.It detailedly analyzed the characteristics and principle of various attacks on Web service,and pointed out the corresponding detection and prevention countermeasures.On the basis of current research achievements,also presented a discussion on the future research directions and the challenges of Web service defenses against attacks.

Md. Imtiaz Habib,Abdullah Al Maruf,Md. Jobair Ahmed Nabil

2023-10-15

Abstract:The most common attacks against web sessions are reviewed in this paper, for example, some attacks against web browsers' honest users attempting to create session with trusted web browser application legally. We have assessed with four different ways to judge the viability of a certain solution by reviewing existing security solutions which prevent or halt the different attacks. Then we have pointed out some guidelines that have been taken into account by the designers of the proposals we reviewed. The guidelines we have identified will be helpful for the creative solutions proceeding web security in a more structured and holistic way.

Software Engineering,Cryptography and Security

Yossi Gilad,Amir Herzberg

DOI: https://doi.org/10.48550/arXiv.1204.6623

2012-04-30

Abstract:We show how an off-path (spoofing-only) attacker can perform cross-site scripting (XSS), cross-site request forgery (CSRF) and site spoofing/defacement attacks, without requiring vulnerabilities in either web-browser or server and circumventing known defenses. Attacker can also launch devastating denial of service (DoS) attacks, even when the connection between the client and the server is secured with SSL/TLS. The attacks are practical and require a puppet (malicious script in browser sandbox) running on a the victim client machine, and attacker capable of IP-spoofing on the Internet. Our attacks use a technique allowing an off-path attacker to learn the sequence numbers of both client and server in a TCP connection. The technique exploits the fact that many computers, in particular those running Windows, use a global IP-ID counter, which provides a side channel allowing efficient exposure of the connection sequence numbers. We present results of experiments evaluating the learning technique and the attacks that exploit it. Finally, we present practical defenses that can be deployed at the firewall level; no changes to existing TCP/IP stacks are required.

Cryptography and Security

Ben Feher,Lior Sidi,Asaf Shabtai,Rami Puzis

DOI: https://doi.org/10.48550/arXiv.1601.00184

2016-01-02

Abstract:WebRTC is an API that allows users to share streaming information, whether it is text, sound, video or files. It is supported by all major browsers and has a flexible underlying infrastructure. In this study we review current WebRTC structure and security in the contexts of communication disruption, modification and eavesdropping. In addition, we examine WebRTC security in a few representative scenarios, setting up and simulating real WebRTC environments and attacks.

Cryptography and Security

ZHAO Guofeng,CHEN Yong,WANG Xinheng

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.03.003

2016-01-01

Abstract:This paper discusses the HTTPS protocol communication process, analyzes the basic principles and methods in detail based on forged certiifcates and man in the middle session hijacking. Then it points out that conventional hijacking method through the backend to manipulate the original data lfow and defects, and puts forward a front-end scripting XSS based on injection of more efifcient and more perfect HTTPS session hijacking method, which can realize the hijacking of the form submission, dynamic elements, the script window, and the page frame. Finally it expounds the priciple and process the Web front-end hijacking, builds a prototype system to validate, and makes a further analysis of the HTTPS communication security risks. According to the present situation, it also puts forward feasible preventive measures.

Muhammad Saad,Jeffrey Spaulding,Laurent Njilla,Charles Kamhoua,Sachin Shetty,DaeHun Nyang,Aziz Mohaisen

DOI: https://doi.org/10.48550/arXiv.1904.03487

2019-04-07

Abstract:In this paper, we systematically explore the attack surface of the Blockchain technology, with an emphasis on public Blockchains. Towards this goal, we attribute attack viability in the attack surface to 1) the Blockchain cryptographic constructs, 2) the distributed architecture of the systems using Blockchain, and 3) the Blockchain application context. To each of those contributing factors, we outline several attacks, including selfish mining, the 51% attack, Domain Name System (DNS) attacks, distributed denial-of-service (DDoS) attacks, consensus delay (due to selfish behavior or distributed denial-of-service attacks), Blockchain forks, orphaned and stale blocks, block ingestion, wallet thefts, smart contract attacks, and privacy attacks. We also explore the causal relationships between these attacks to demonstrate how various attack vectors are connected to one another. A secondary contribution of this work is outlining effective defense measures taken by the Blockchain technology or proposed by researchers to mitigate the effects of these attacks and patch associated vulnerabilities

Cryptography and Security

Theodore Longtchi,Rosana Montañez Rodriguez,Laith Al-Shawaf,Adham Atyabi,Shouhuai Xu

DOI: https://doi.org/10.48550/arXiv.2203.08302

2022-03-15

Cryptography and Security

Abstract:Social engineering attacks are a major cyber threat because they often serve as a first step for an attacker to break into an otherwise well-defended network, steal victims' credentials, and cause financial losses. The problem has received due amount of attention with many publications proposing defenses against them. Despite this, the situation has not improved. In this paper, we aim to understand and explain this phenomenon by looking into the root cause of the problem. To this end, we examine the literature on attacks and defenses through a unique lens we propose -- {\em psychological factors (PFs) and techniques (PTs)}. We find that there is a big discrepancy between attacks and defenses: Attacks have deliberately exploited PFs by leveraging PTs, but defenses rarely take either of these into consideration, preferring technical solutions. This explains why existing defenses have achieved limited success. This prompts us to propose a roadmap for a more systematic approach towards designing effective defenses against social engineering attacks.

Gabriel L. Muller

DOI: https://doi.org/10.48550/arXiv.1409.3367

2014-09-11

Distributed, Parallel, and Cluster Computing

Abstract:HTML5 WebSocket protocol brings real time communication in web browsers to a new level. Daily, new products are designed to stay permanently connected to the web. WebSocket is the technology enabling this revolution. WebSockets are supported by all current browsers, but it is still a new technology in constant evolution. WebSockets are slowly replacing older client-server communication technologies. As opposed to comet-like technologies WebSockets' remarkable performances is a result of the protocol's fully duplex nature and because it doesn't rely on HTTP communications. To begin with this paper studies the WebSocket protocol and different WebSocket servers implementations. This first theoretic part focuses more deeply on heterogeneous implementations and OpenCL. The second part is a benchmark of a new promising library. The real-time engine used for testing purposes is SocketCluster. SocketCluster provides a highly scalable WebSocket server that makes use of all available cpu cores on an instance. The scope of this work is reduced to vertical scaling of SocketCluster.

Karthika Subramani,Jordan Jueckstock,Alexandros Kapravelos,Roberto Perdisci

DOI: https://doi.org/10.1109/EuroSP53844.2022.00041

2021-11-14

Abstract:Service Workers (SWs) are a powerful feature at the core of Progressive Web Apps, namely web applications that can continue to function when the user's device is offline and that have access to device sensors and capabilities previously accessible only by native applications. During the past few years, researchers have found a number of ways in which SWs may be abused to achieve different malicious purposes. For instance, SWs may be abused to build a web-based botnet, launch DDoS attacks, or perform cryptomining; they may be hijacked to create persistent cross-site scripting (XSS) attacks; they may be leveraged in the context of side-channel attacks to compromise users' privacy; or they may be abused for phishing or social engineering attacks using web push notifications-based malvertising. In this paper, we reproduce and analyze known attack vectors related to SWs and explore new abuse paths that have not previously been considered. We systematize the attacks into different categories, and then analyze whether, how, and estimate when these attacks have been published and mitigated by different browser vendors. Then, we discuss a number of open SW security problems that are currently unmitigated, and propose SW behavior monitoring approaches and new browser policies that we believe should be implemented by browsers to further improve SW security. Furthermore, we implement a proof-of-concept version of several policies in the Chromium code base, and also measure the behavior of SWs used by highly popular web applications with respect to these new policies. Our measurements show that it should be feasible to implement and enforce stricter SW security policies without a significant impact on most legitimate production SWs.

Cryptography and Security

Xuewei Feng,Qi Li,Kun Sun,Ke Xu,Jianping Wu

2024-11-19

Abstract:After more than 40 years of development, the fundamental TCP/IP protocol suite, serving as the backbone of the Internet, is widely recognized for having achieved an elevated level of robustness and security. Distinctively, we take a new perspective to investigate the security implications of cross-layer interactions within the TCP/IP protocol suite caused by ICMP error messages. Through a comprehensive analysis of interactions among Wi-Fi, IP, ICMP, UDP, and TCP due to ICMP errors, we uncover several significant vulnerabilities, including information leakage, desynchronization, semantic gaps, and identity spoofing. These vulnerabilities can be exploited by off-path attackers to manipulate network traffic stealthily, affecting over 20% of popular websites and more than 89% of public Wi-Fi networks, thus posing risks to the Internet. By responsibly disclosing these vulnerabilities to affected vendors and proposing effective countermeasures, we enhance the robustness of the TCP/IP protocol suite, receiving acknowledgments from well-known organizations such as the Linux community, the OpenWrt community, the FreeBSD community, Wi-Fi Alliance, Qualcomm, HUAWEI, China Telecom, Alibaba, and H3C.

Cryptography and Security

宋琦,施勇,薛质

DOI: https://doi.org/10.3969/j.issn.1009-8054.2009.10.039

2009-01-01

Abstract:With the development of internet and popularity of various Web services, Web security is becoming more and more important.As a usual Web service, Web mail plays an important role as carrier for transporting information in internet, and thus its security attracts more and more attention.Based on research of client-oriented Web attacking meth-ods such as phishing and XSS, this paper proposes a modified attacking method aiming at Web Email services.It also makes a detail analysis of its implementation, gives comparison of these methods and suggests some defending measures for avoiding this attacking method.

Ismail Butun,Patrik Österberg,Houbing Song

DOI: https://doi.org/10.1109/COMST.2019.2953364

2019-10-29

Abstract:Wireless Sensor Networks (WSNs) constitute one of the most promising third-millennium technologies and have a wide range of applications in our surrounding environment. The reason behind the vast adoption of WSNs in various applications is that they have tremendously appealing features, e.g., low production cost, low installation cost, unattended network operation, autonomous and longtime operation. WSNs have started to merge with the Internet of Things (IoT) through the introduction of Internet access capability in sensor nodes and sensing ability in Internet-connected devices. Thereby, the IoT is providing access to huge amount of data, collected by the WSNs, over the Internet. However, owing to the absence of a physical line-of-defense, i.e. there is no dedicated infrastructure such as gateways to watch and observe the flowing information in the network, security of WSNs along with IoT is of a big concern to the scientific community. Besides, recent integration and collaboration of WSNs with IoT will open new challenges and problems in terms of security. Hence, this would be a nightmare for the individuals using these systems as well as the security administrators who are managing those networks. Therefore, a detailed review of security attacks towards WSNs and IoT, along with the techniques for prevention, detection, and mitigation of those attacks are provided in this paper. In this text, attacks are categorized and treated into mainly two parts, most or all types of attacks towards WSNs and IoT are investigated under that umbrella: "Passive Attacks" and "Active Attacks". Understanding these attacks and their associated defense mechanisms will help to pave a secure path towards the proliferation and public acceptance of IoT technology.

Cryptography and Security,Networking and Internet Architecture

Bharat Bhushan,Gadadhar Sahoo

DOI: https://doi.org/10.1007/s11277-017-4962-0

IF: 2.017

2017-09-08

Wireless Personal Communications

Abstract:Abstract Advances in hardware manufacturing technology, wireless communications, micro electro-mechanical devices and information processing technologies enabled the development of WSNs. These consist of numerous, low cost, small sensor nodes powered by energy constrained batteries. WSNs have attracted much interest from both industry and academia due to its wide range of applications such as environment monitoring, battlefield awareness, medical healthcare, military investigation and home appliances management. Thus information in sensor network needs to be protected against various attacks. Attackers may employ various security threats making the WSN systems vulnerable and unstable. This paper examines the security threats and vulnerabilities imposed by the distinctive open nature of WSNs. We first summarize the requirements in WSNs that includes both the survivality and security issues. Next, a comprehensive survey of various routing and middleware challenges for wireless networks is presented. Next, paper explores the potential security threats at different protocol layers. Here various security attacks are identified along with their countermeasures that were investigated by different researchers in recent years. We also provide a detailed survey of data aggregation and the energy-efficient routing protocols for WSNS. And finally, few unsolved technical challenges and the future scope for WSN security has been outlined.

telecommunications

Kaif Qureshi,Aditya Choudhary,Aakash Sharma,Anant Singh,Kinjal Singh

DOI: https://doi.org/10.56025/ijaresm.2023.1205242072

2024-01-01

Abstract:Cyber Security plays an important role in the field of information technology. As more business activities are being automated and an increasing number of computers are being used to store sensitive information, the need for secure computer systems becomes more apparent. Securing the information have become one of the biggest challenges in the present day. Whenever we think about the cyber security the first thing that comes to our mind is ‘cyber crimes’ which are increasing immensely day by day. Various Governments and companies are taking many measures in order to prevent these cyber-crimes. The Internet itself has become critical for governments, companies, financial institutions, and millions of everyday users. Besides various measures cyber security is still a very big concern to many. This paper mainly focuses on challenges faced by cyber security on the latest technologies. It also focuses on latest about the cyber security techniques, ethics and the trends changing the face of cyber. Threats to the integrity, security and dependability of the World Wide Web (WWW) are ever-evolving. Conventional security solutions sometimes find it difficult to keep up with the ever-evolving strategies used by hackers. By combining adaptive security mechanisms designed especially for protecting the WWW with dynamic threat analysis approaches, our research offers a unique way to handle this difficulty.

Phakpoom Chinprutthiwong,Raj Vardhan,Guangliang Yang,Yangyong Zhang,Guofei Gu

DOI: https://doi.org/10.1145/3471621.3471845

2021-01-01

Abstract:In recent years, service workers are gaining attention from both web developers and attackers due to the unique features they provide. Recent findings have shown that an attacker can register a malicious service worker to take advantage of the victim such as by turning the victim’s device into a crypto-currency miner. However, the possibility of benign service workers being leveraged is not well studied. To bridge this gap, we systematically analyze the security of service workers from a new perspective. Specifically, we consider how an attacker can leverage a benign service worker installed in popular websites. To this end, we uncover two attack channels – IndexedDB and Push notification. Through IndexedDB, an attacker can compromise a benign service worker and persistently control the vulnerable website. Likewise, push subscription can also be easily hijacked and used to track a user’s location. To understand the prevalence and security impacts of these attack channels, we conduct a measurement study on popular websites that deploy a service worker. Our results show 200 websites that are vulnerable to XSS attacks are also susceptible to push hijacking. We estimate the number of potential victims, who visit these susceptible websites and could be exposed to location tracking, to be up to 1.75 million users per month. Finally, we discuss potential defenses to prevent this problem from growing further.

Phakpoom Chinprutthiwong,Raj Vardhan,Guangliang Yang,Guofei Gu

DOI: https://doi.org/10.1145/3427228.3427290

2020-01-01

Abstract:Nowadays, modern websites are utilizing service workers to provide users with app-like functionalities such as offline mode and push notifications. To handle such features, the service worker is equipped with special privileges including HTTP traffic manipulation. Thus, it is designed with security as a priority. However, we find that many websites introduce a questionable practice that can jeopardize the security of a service worker. In this work, we demonstrate how this practice can result in a cross-site scripting (XSS) attack inside a service worker, allowing an attacker to obtain and leverage service worker privileges. Due to the uniqueness of these privileges, such attacks can lead to more severe consequences compared to a typical XSS attack. We term this type of vulnerability as Service Worker based Cross-Site Scripting (SW-XSS). To assess the real-world security impact, we develop a tool called SW-Scanner and use it to analyze top websites in the wild. Our findings reveal a worrisome trend. In total, we find 40 websites vulnerable to this attack including several popular and high ranking websites. Finally, we discuss potential defense solutions to mitigate the SW-XSS vulnerability.