TIAN Yu-hong,WANG Ze-bing,FENG Yan

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.24.029

2006-01-01

Abstract:The Java virtual machine(JVM)is used more frequently as the basic engine behind dynamic web services.With the proliferation of network attacks on these network resources,much work are done to provide security for the network environment.Little effort has been placed on securing a Java web server where the attacker has a valid login to the host machine.After describing the vulnerabilities in Java's security mechanisms,an extended security system based on Java 2 security architecture is introduced.It also explains the runtime status of system.The increased assurance of correct system operation and the integrity of Java application server are provided.

Gaoning Pan,Tianxiang Luo,Yiming Tao,Xiao Lei,Shuangxi Chen,Hui Liu,Chunming Wu

DOI: https://doi.org/10.1109/PST58708.2023.10319984

2023-01-01

Abstract:With the popularity of computers and mobile devices and the development of the Internet, browsers (applications used to retrieve and display information resources on the World Wide Web) are often included by default and have become an indispensable software. Therefore, research on browser security issues is essential for protecting information assets. Among many browsers in the industry, Chrome, as a cross-platform web browser developed by Google, occupies a large market share in desktop browsers, and its security risks are further amplified as its kernel is used by many other browsers. Therefore, the research on the security issues of Chrome browser is critical for browser security. This paper focuses on the vulnerability detection of the process communication interface in Chrome browser, and designs and implements a fuzzing framework, auto-mojo-fuzz (AMF). The fuzzing process mainly designs a sample optimization technique to ensure the effectiveness of input samples and improve the efficiency of fuzzing. After implementing the AMF solution, we evaluate the generated test samples to demonstrate the effectiveness of the sample optimization technique. We also prove the possibility of discovering more vulnerabilities with AMF, and tests it with the latest version of Chrome browser, finding five unique crashes, four of which are verified as security vulnerabilities, effectively proving the automatic and efficient ability of this framework to discover vulnerabilities in the process communication interfaces in browsers.

WU Hai-yan,MIAO Chun-yu,LIU Qi-xin,SUN Fang-cheng

DOI: https://doi.org/10.3969/j.issn.1671-0428.2008.04.013

IF: 5.105

2008-01-01

Computers & Security

Abstract:With the development of Web application , its security issue calls more and more attention and becomes a hotspot in the area or information security . It is regrettable that there is little related research work.. This paper discusses web application security testing method , and introduces the principle and function of web security testing tools , using Nikto and Paros as examples.

Ming Huang,Dejian Ye

DOI: https://doi.org/10.3969/j.issn.1007-757X.2017.07.012

2017-01-01

Abstract:With the rapid development of online broadcast,it becomes more important for video 1websites to protect contents from piracy and stealing.In addition,due to the low efficiency and poor performance of Flash player,the mainstream websites are using HTML5 player instead,how to implement the whole live broadcast system using HTML technology becomes one of the problems that need to be solved urgently.This paper designs and implements an encrypted live video system based on HT-ML5 native features ensuring the safety and stability of transmission and play,which fills the HTML5 encryption player market gaps and brings great practical significance in improving safety performance and protecting digital copyrights.

Stefan Kimak,Jeremy Ellman

DOI: https://doi.org/10.1109/icitst.2015.7412126

2015-12-01

Abstract:Over the past 20 years web browsers have changed considerably from being a simple text display to now supporting complex multimedia applications. The client can now enjoy chatting, playing games and Internet banking. All these applications have something in common, they can be run on multiple platforms and in some cases they will run offline. With the introduction of HTML5 this evolution will continue, with browsers offering greater levels of functionality. This paper outlines the background study and the importance of new technologies, such as HTML5's new browser based storage called IndexedDB. We will show how the technology of storing data on the client side has changed over the time and how the technologies for storing data on the client will be used in future when considering known security issues. Further, we propose a solution to IndexedDB's known security issues in form of a security model, which will extend the current model.

Xianfeng Li,Zhiqiang Bao

DOI: https://doi.org/10.1504/ijes.2017.083732

2017-01-01

International Journal of Embedded Systems

Abstract:Web applications (WebApps) built on top of HTML standards have the advantage of cross-platform portability. However, the user experience in terms of both functionality and performance provided by current generation WebApps is not comparable to native apps running on iOS or Android. Despite significant functional extensions in the new HTML5 standard, the poor performance of WebApps has not been addressed. To promote the adoption of WebApps, it is important to study their performance comprehensively. In this paper, we take Google Chrome as the target browsing engine, and evaluate its performance with a set of popular web pages and WebApps. We make in-depth analysis on the major performance-contributing aspects in a browser engine. Our study exposes a number of interesting observations, from which we make reasonings and provide suggestions for the optimisation of browser engines, as well as guidelines for developing efficient web-based applications.

Francesco Marcantoni,Michalis Diamantaris,Sotiris Ioannidis,Jason Polakis

DOI: https://doi.org/10.1145/3308558.3313539

2019-01-01

Abstract:Smartphone sensors can be leveraged by malicious apps for a plethora of different attacks, which can also be deployed by malicious websites through the HTML5 WebAPI. In this paper we provide a comprehensive evaluation of the multifaceted threat that mobile web browsing poses to users, by conducting a large-scale study of mobile-specific HTML5 WebAPI calls used in the wild. We build a novel testing infrastructure consisting of actual smartphones on top of a dynamic Android app analysis framework, allowing us to conduct an end-to-end exploration. Our study reveals the extent to which websites are actively leveraging the WebAPI for collecting sensor data, with 2.89% of websites accessing at least one mobile sensor. To provide a comprehensive assessment of the potential risks of this emerging practice, we create a taxonomy of sensor-based attacks from prior studies, and present an in-depth analysis by framing our collected data within that taxonomy. We find that 1.63% of websites could carry out at least one of those attacks. Our findings emphasize the need for a standardized policy across browsers and the ability for users to control what sensor data each website can access.

Yongzhen Li,Gaolong Wang

DOI: https://doi.org/10.1109/ISAIEE57420.2022.00089

2022-12-01

Abstract:With the rapid development of the internet in China, we are dealing with web sites all the time, but with this comes the increasing vulnerability of various web applications. The vulnerability of web applications can be used to steal information, account theft and fraud, threatening the security of web applications. Therefore, the security detection of web applications is particularly important. This paper introduces the background of today's web application scanning technology, analyses the importance of securing web sites, and focuses on the history and future development trends of web application vulnerability scanning at home and abroad. The system is based on the OWASP Top 10 vulnerabilities of SQL injection and XSS, which have a large impact. By analysing the risks and principles of these two vulnerabilities, a scanning system is designed to run on the Windows platform.

Computer Science

FENG Ke-rong,WANG He-xing

DOI: https://doi.org/10.3969/j.issn.1006-4052.2012.24.031

2012-01-01

Abstract:HTML5 standard enhances the ability of the page in the graphics rendering,media playing and messaging.With the promotion of standard and the continued support of major browsers,the innovation of the page is carrying out.HTML5 is a new way to create web game,it may change the development mode and even the technical direction.

Jungwon Lim,Yonghwi Jin,Mansour Alharthi,Xiaokuan Zhang,Jinho Jung,Rajat Gupta,Kuilin Li,Daehee Jang,Taesoo Kim

DOI: https://doi.org/10.48550/arXiv.2112.15561

2022-01-01

Abstract:Web browsers are integral parts of everyone's daily life. They are commonly used for security-critical and privacy sensitive tasks, like banking transactions and checking medical records. Unfortunately, modern web browsers are too complex to be bug free (e.g., 25 million lines of code in Chrome), and their role as an interface to the cyberspace makes them an attractive target for attacks. Accordingly, web browsers naturally become an arena for demonstrating advanced exploitation techniques by attackers and state-of-the-art defenses by browser vendors. Web browsers, arguably, are the most exciting place to learn the latest security issues and techniques, but remain as a black art to most security researchers because of their fast-changing characteristics and complex code bases. To bridge this gap, this paper attempts to systematize the security landscape of modern web browsers by studying the popular classes of security bugs, their exploitation techniques, and deployed defenses. More specifically, we first introduce a unified architecture that faithfully represents the security design of four major web browsers. Second, we share insights from a 10-year longitudinal study on browser bugs. Third, we present a timeline and context of mitigation schemes and their effectiveness. Fourth, we share our lessons from a full-chain exploit used in 2020 Pwn2Own competition. and the implication of bug bounty programs to web browser security. We believe that the key takeaways from this systematization can shed light on how to advance the status quo of modern web browsers, and, importantly, how to create secure yet complex software in the future.

Cryptography and Security

B. B. Gupta,Shashank Gupta,Pooja Chaudhary

DOI: https://doi.org/10.4018/978-1-5225-3422-8.ch009

2018-01-01

Abstract:This article presents a cloud-based framework that thwarts the DOM-based XSS vulnerabilities caused due to the injection of advanced HTML5 attack vectors in the HTML5 web applications. Initially, the framework collects the key modules of web application, extracts the suspicious HTML5 strings from the latent injection points and performs the clustering on such strings based on their level of similarity. Further, it detects the injection of malicious HTML5 code in the script nodes of DOM tree by detecting the variation in the HTML5 code embedded in the HTTP response generated. Any variation observed will simply indicate the injection of suspicious script code. The prototype of our framework was developed in Java and installed in the virtual machines of cloud environment on the Google Chrome extension. The experimental evaluation of our framework was performed on the platform of real world HTML5 web applications deployed in the cloud platform.

Yanpeng Cui,Junjie Cui,Jianwei Hu

DOI: https://doi.org/10.1145/3383972.3384027

2020-02-15

Abstract:With the popularity of web technology, web applications become more increasingly vulnerable and are exposed to malicious attacks. Cross Site Scripting(XSS) is a typical attack in web applications. When a vulnerability is exploited, an attacker may perform session-hijacking, cookie-stealing, malicious redirection and malware spreading. It is essential to implement detect and defend against XSS attacks. In this paper, we focus on XSS attacks and give an introduction of its injection, detection and prevention. Firstly, we introduced the attack principle of different types of XSS, and then investigated and introduced some existing XSS detection and defense methods. In addition, we compared existing XSS detection and defense methods. Finally, we discuss existing issues and estimate future research trends.

Li Wang

DOI: https://doi.org/10.2991/icsste-16.2016.154

2016-01-01

Abstract:In this paper, we conduct research on the UI and UE design techniques and the status in the HTML5 website development. With the continuous development of science and technology, the user demand for computer software design level enhances unceasingly, the software development workers must deep going research analysis of the target group, to truly understand...

Xiao Xi,Yan Ruibo,Ye Runguo,Li Qing,Peng Sancheng,Jiang Yong

DOI: https://doi.org/10.1109/CBD.2015.48

2015-01-01

Abstract:Security on mobile devices is becoming increasingly important. HTML5 are widely used to develop mobile applications due to its portability on multi platforms. However it is allowed to mix data and code together in web technology. HTML5-based applications are prone to suffer from code injection attacks that are similar to XSS. In this paper, at first, we introduce a more hidden type of code injection attacks, coding-based attacks. In the new type of code injection attacks, JavaScript code is encoded in a human-unreadable form. Then we use classification algorithms of machine learning to determine whether an app suffers from the code injection attack or not. The experimental result shows that the Precision of our detection method reaches 95.3%. Compare with the other method, our approach improves a lot in detection speed with the precision nearly unchanged. Furthermore, an improved access control model is proposed to mitigate the attack damage. In addition, filters are adopted to remove JavaScript code from data to prevent the attacks. The effectiveness and rationality have been validated through extensive simulations.

Hui Yuan,Lei Zheng,Liang Dong,Xiangli Peng,Yan Zhuang,Guoru Deng

DOI: https://doi.org/10.1007/978-3-030-15235-2_66

2019-04-25

Abstract:With the rapid development of Internet technology, Web applications are widely used in all walks of life, and their security requirements are increasing. Unfortunately, at present, the development of Web security technology still lags behind the development of Web application technology itself. The Web application itself and its operating environment are still relatively fragile, and its operating environment is easily forged or modified, making Web applications gradually become malicious. The object of the attack is frequently attacked. This paper investigates and analyzes the common vulnerabilities in web applications, deeply studies the basic characteristics of these vulnerabilities, and understands the principles and solutions of vulnerabilities. The static analysis method is used to analyze the vulnerabilities, and the static analysis methods are used to solve the security vulnerabilities in the Java web project.

Li Xianfeng,Bao Zhiqiang

DOI: https://doi.org/10.1109/DASC.2014.52

2014-01-01

Abstract:In the age of Mobile Internet, web browsing has become more fundamental, and a number of applications are built on top of popular browser engines such as WebKit [1]. In latest developments, HTML5 has been proposed to enable more powerful web applications. HTML5 based operating systems, like Chrome OS and Firefox OS, are also emerging as alternatives to current generation mobile platforms. However, web-based platforms still have a long way to catch up with iOS/Android and their native apps in terms of performance and user experiences. Therefore, understanding and optimizing the performance of HTML5 based applications/systems are invaluable work for speeding up their adoption. As a first step, we make an in-depth analysis on the performance of a popular web browsing engine, WebKit. Our work covers a set of important aspects of both the traditional web browsing, and new features of the HTML5 standard. This study exposes some interesting observations, from which we make reasonings and provide guidelines for developing efficient web-based applications. The analysis in this work can also serve as a basis for the optimization of HTML5 based operating system design.

SONG Hai-Ling,WEN Wei-Ping

DOI: https://doi.org/10.3969/j.issn.1671-1122.2011.08.024

2011-01-01

Abstract:This paper makes a comprehensive analysis and summary of the existing Web loophole mining technology and tools, to open source Web vulnerability scanning tool Paros Proxy as the research object, the Paros Proxy crawler module and a detection module for in-depth research and analysis, and its improvement. After the test, the improved Paros crawler module supports the JavaScript URLs analytical and crawling, can extract more webpage link, and the improved detection module, the vulnerability detection performance and efficiency can be improved significantly.

Urvashi Kishnani,Sanchari Das

2024-10-19

Abstract:The surge in website attacks, including Denial of Service (DoS), Cross-Site Scripting (XSS), and Clickjacking, underscores the critical need for robust HTTPS implementation-a practice that, alarmingly, remains inadequately adopted. Regarding this, we analyzed HTTP security headers across N=3,195 globally popular websites. Initially, we employed automated categorization using Google NLP to organize these websites into functional categories and validated this categorization through manual verification using Symantec Sitereview. Subsequently, we assessed HTTPS implementation across these websites by analyzing security factors, including compliance with HTTP Strict Transport Security (HSTS) policies, Certificate Pinning practices, and other security postures using the Mozilla Observatory. Our analysis revealed over half of the websites examined (55.66%) received a dismal security grade of 'F' and most websites scored low for various metrics, which is indicative of weak HTTP header implementation. These low scores expose multiple issues such as weak implementation of Content Security Policies (CSP), neglect of HSTS guidelines, and insufficient application of Subresource Integrity (SRI). Alarmingly, healthcare websites (n=59) are particularly concerning; despite being entrusted with sensitive patient data and obligations to comply with data regulations, these sites recorded the lowest average score (18.14). We conclude by recommending that developers should prioritize secure redirection strategies and use implementation ease as a guide when deciding where to focus their development efforts.

Cryptography and Security,Computers and Society

Zihao Jin,Shuo Chen,Yang Chen,Haixin Duan,Jianjun Chen,Jianping Wu

DOI: https://doi.org/10.14722/ndss.2023.24305

2023-01-01

Abstract:The Electron platform represents a paradigm to develop modern desktop apps using HTML and JavaScript.Microsoft Teams, Visual Studio Code and other flagship products are examples of Electron apps.This new paradigm inherits the security challenges in web programming into the desktop-app realm, thus opens a new way for local-machine exploitation.We conducted a security study about real-world Electron apps, and discovered many vulnerabilities that are now confirmed by the app vendors.The conventional wisdom is to view these bugs as sanitization errors.Accordingly, secure programming requires programmers to explicitly enumerate all kinds of unexpected inputs to sanitize.We believe that secure programming should focus on specifying programmers' intentions as opposed to their non-intentions.We introduce a concept called DOM-tree type, which expresses the set of DOM trees that an app expects to see during execution, so an exploit will be caught as a type violation.With insights into the HTML standard and the Chromium engine, we build the DOM-tree type mechanism into the Electron platform.The evaluations show that the methodology is practical, and it secures all vulnerable apps that we found in the study.

Cheng Zhan,Xie Li

DOI: https://doi.org/10.3969/j.issn.1000-386X.2008.10.007

2008-01-01

Abstract:Web Service security problem is one of the highlighted topics in information security area recently.This article presents two security mechanisms for Web Services,transport-level security and message-level security.Then the security technology used to implement message-level security is introduces in detail.Finally,it gives a conclusion to Web Service security and proposes a new Web Service layered security model.