Di Wu,Yabo Dong,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1007/11563952_52

2005-01-01

Abstract:The fast development of E-Commerce and information technology brings much higher requirements for enterprise informationization. Because of the differences in platforms, development languages and standards etc, enterprise application integration (EAI) has become the important form of enterprise informationization to support complex business processes. Web services have emerged as the next generation of integration technology which provides the power to support interoperability. However EAI doesn’t just present new interoperability challenges; it also presents serious privacy and security challenges. This paper presents security architecture of Web Services based EAI which uses distributed Single Sign On authentication and distributed Role-based Access Control authorization. The basic concept and prototype system of the security architecture are described in detail.

Muhammad Bilal,Can Wang,Zhi Yu,Abid Bashir

DOI: https://doi.org/10.1109/icsess49938.2020.9237635

2020-01-01

Abstract:Identity management (IdM) plays a significant role in managing user identities (IDs). However, IdM is challenging to handle the rapidly rising numerous kinds of Web-based applications nowadays. The OpenID 2.0 communication protocol is an improved solution for managing a user's IDs based on the OpenID URL identity. OpenID URL identity is not very much secure in specific Web-based attacks; for instance, session hijacking and phishing attacks often occur. The earlier OpenID-based methods secure OpenID URL identity with single, double, and triple authentication schemes. But Identity Provider (IdP) side is still not secure in Web attacks: if an attacker steals the IdP-side legal user information, then existing OpenID-based security techniques are unreliable. The anticipated OpenID Reverse Authentication Authorizing and Accounting (RAAA) user authentication-based protocol secured OpenID URL identity by providing two beneficial fields Secret Alphanumeric String (SAS) and Special Innovative PIN (SIP) that utilize in testing website both sides in reverse and cost-effective way. In this experiment, IdP and Relying Party (RP), both sides are being used secretly. Therefore, experimental websites also test to check the proposed triple authentication protocol. In this paper, we have compared our RAAA user authentication protocol with already available SSO protocol methods. The tested websites and comparative results represent that the anticipated design protocol is very much secure and reliable solution. The advanced cryptographic Single-Sign-On (SSO) secure protocol reduces the higher-level session hijacking and phishing attacks risk in an OpenID-based environment. We suggest future SSO protocol methods will be needed more in terms of the authorized user's identity authentication in Web-based applications.

Zeyi Liao,Lingbo Mo,Chejian Xu,Mintong Kang,Jiawei Zhang,Chaowei Xiao,Yuan Tian,Bo Li,Huan Sun

2024-10-04

Abstract:Generalist web agents have demonstrated remarkable potential in autonomously completing a wide range of tasks on real websites, significantly boosting human productivity. However, web tasks, such as booking flights, usually involve users' PII, which may be exposed to potential privacy risks if web agents accidentally interact with compromised websites, a scenario that remains largely unexplored in the literature. In this work, we narrow this gap by conducting the first study on the privacy risks of generalist web agents in adversarial environments. First, we present a realistic threat model for attacks on the website, where we consider two adversarial targets: stealing users' specific PII or the entire user request. Then, we propose a novel attack method, termed Environmental Injection Attack (EIA). EIA injects malicious content designed to adapt well to environments where the agents operate and our work instantiates EIA specifically for privacy scenarios in web environments. We collect 177 action steps that involve diverse PII categories on realistic websites from the Mind2Web, and conduct experiments using one of the most capable generalist web agent frameworks to date. The results demonstrate that EIA achieves up to 70% ASR in stealing specific PII and 16% ASR for full user request. Additionally, by accessing the stealthiness and experimenting with a defensive system prompt, we indicate that EIA is hard to detect and mitigate. Notably, attacks that are not well adapted for a webpage can be detected via human inspection, leading to our discussion about the trade-off between security and autonomy. However, extra attackers' efforts can make EIA seamlessly adapted, rendering such supervision ineffective. Thus, we further discuss the defenses at the pre- and post-deployment stages of the websites without relying on human supervision and call for more advanced defense strategies.

Cryptography and Security,Artificial Intelligence,Computation and Language,Machine Learning

Jun Zhu,Bill Chu,Heather Richter Lipford

DOI: https://doi.org/10.1145/2914642.2914661

2016-01-01

Abstract:ABSTRACTPrivilege Escalation is a common and serious type of security attack. Although experience shows that many applications are vulnerable to such attacks, attackers rarely succeed upon first trial. Their initial probing attempts often fail before a successful breach of access control is achieved. This paper presents an approach to automatically instrument application source code to report events of failed access attempts that may indicate privilege escalation attacks to a run time application protection mechanism. The focus of this paper is primarily on the problem of instrumenting web application source code to detect access control attack events. We evaluated false positives and negatives of our approach using two open source web applications.

Enze Wang,Jianjun Chen,Wei Xie,Chuhan Wang,Yifei Gao,Zhenhua Wang,Haixin Duan,Yang Liu,Baosheng Wang

DOI: https://doi.org/10.1109/sp54263.2024.00198

2024-01-01

Abstract:Server-Side Request Forgery (SSRF) vulnerability poses significant security risks to web applications, enabling adversaries to exploit web applications as stepping stones for unauthorized access of internal-only services or even performing arbitrary commands. Despite its recent emergence as a distinct category in the 2021 OWASP Top 10 web security risks and its increasing prevalence in modern web applications, there remains a lack of effective approaches to detect SSRF vulnerabilities systematically.We present a novel methodology, SSRFuzz, to effectively identify SSRF vulnerability in PHP web applications. Our methodology consists of three phases. In the initial phase, we designed an SSRF oracle to examine functions in PHP manuals and identify sinks that provide server-side request capabilities. This process yielded a total of 86 sensitive PHP sinks out of 2101 PHP functions. The second stage involves dynamic taint inference and the utilization of the identified sinks to examine the source code of target web applications, pinpointing all feasible input points that could trigger these sinks. The final phase employs fuzzing techniques. We generate testing HTTP requests with SSRF payloads, send them to the previously identified input points within the target web applications, and detect if an SSRF vulnerability is triggered. We implemented a prototype of SSRFuzz and evaluated it on 27 real-world applications, including Joomla and WordPress. In total, we discovered 28 SSRF vulnerabilities, 25 of which were previously unreported. We reported all the vulnerabilities to the affected vendors, and 16 new CVE IDs were assigned.

Weili Han,Ye Cao,Elisa Bertino,Jianming Yong

DOI: https://doi.org/10.1016/j.eswa.2012.02.020

IF: 8.5

2012-01-01

Expert Systems with Applications

Abstract:The theft attacks of web digital identities, e.g., phishing, and pharming, could result in severe loss to users and vendors, and even hold users back from using online services, e-business services, especially. In this paper, we propose an approach, referred to as automated individual white-list (AIWL), to protect user's web digital identities. AIWL leverages a Naive Bayesian classifier to automatically maintain an individual white-list of a user. If the user tries to submit his or her account information to a web site that does not match the white-list, AIWL will alert the user of the possible attack. Furthermore, AIWL keeps track of the features of login pages (e.g., IP addresses, document object model (DOM) paths of input widgets) in the individual white-list. By checking the legitimacy of these features, AIWL can efficiently defend users against hard attacks, especially pharming, and even dynamic pharming. Our experimental results and user studies show that AIWL is an efficient tool for protecting web digital identities. (C) 2012 Elsevier Ltd. All rights reserved.

Dominik Meißner,Frank Kargl,Benjamin Erb

DOI: https://doi.org/10.48550/arXiv.2104.06136

2021-04-13

Cryptography and Security

Abstract:Modern single page web applications require client-side executions of application logic, including critical functionality such as client-side cryptography. Existing mechanisms such as TLS and Subresource Integrity secure the communication and provide external resource integrity. However, the browser is unaware of modifications to the client-side application as provided by the server and the user remains vulnerable against malicious modifications carried out on the server side. Our solution makes such modifications transparent and empowers the browser to validate the integrity of a web application based on a publicly verifiable log. Our Web Application Integrity Transparency (WAIT) approach requires (1) an extension for browsers for local integrity validations, (2) a custom HTTP header for web servers that host the application, and (3) public log servers that serve the verifiable logs. With WAIT, the browser can disallow the execution of undisclosed application changes. Also, web application providers cannot dispute their authorship for published modifications anymore. Although our approach cannot prevent every conceivable attack on client-side web application integrity, it introduces a novel sense of transparency for users and an increased level of accountability for application providers particularly effective against targeted insider attacks.

Zheng Wen,Liu Renyi,Du Zhenhong,Zhang Feng

DOI: https://doi.org/10.3969/j.issn.1000-386X.2011.05.023

2011-01-01

Abstract:The combination of WebGIS and RIA(Rich Internet Applications) technology can improve system interactivity and user experience.However there lacks an MVC architecture for RIA WebGIS to hierarchize the client system.Based on the research on technological features of WebGIS and analysis on the present RIA MVC framework,the authors propose a four-tier RIA WebGIS framework orienting front-end MVC and dissection its model hierarchy and essential technologies.Experiments with the prototype prove that the application of the framework is both efficient and expandable.

Jun Zhu,Jing Xie,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1016/j.jare.2013.11.006

IF: 12.822

2014-01-01

Journal of Advanced Research

Abstract:Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

Yingjie Fu,Xiaotie Deng,Liu Wenyin

2005-01-01

Abstract:We anticipate a potential phishing strategy by obfuscation of Web links using Internationalized Resource Identifier (IRI). In the IRI scheme, the glyphs of many characters look very similar while their Unicodes are different. Hence, certain different IRIs may show high similarities. Therefore, it is quite difficult for normal Web users to distinguish them. The potential phishing attacks based on this strategy are very likely to happen in the near future with the boosting utilization of IRI. We invent a detection approach to this phishing strategy. We construct a Unicode character similarity list based on their visual similarity and semantic similarity. We use Nondeterministic Finite Automaton (NFA) model to identify the potential IRI based phishing patterns. We build the phishing IRI pattern generation system, by which, NFA could be further represented with regular expression (RE) to adapt it to anti-phishing systems. A framework is also proposed to build such anti-phishing systems.

Anthony Y. Fu,Xiaotie Deng,Liu Wenyin

DOI: https://doi.org/10.1080/15567280600995501

2006-01-01

Journal of Digital Forensic Practice

Abstract:ABSTRACT We anticipate the widespread usage of an internationalized resource identifier (IRI) 1 1. IRI is a generalization of the uniform resource identifier (URI), which is in turn a generalization of the uniform resource locator (URL). While URIs are limited to a subset of the ASCII character set, IRIs may contain characters from the universal character set (Unicode/ISO 10646). Basically, an IRI is the internationalized version of a URI or internationalized domain name (IDN) 2 2. IDN is an Internet domain name that (potentially) contains non-ASCII characters. Such domain names could contain letters with diacritics, as required by many European languages, or characters from non-Latin scripts such as Arabic or Chinese. on the web as complement to universal resource identifier (URI). IRI/IDN is composed of characters in a subset of Unicode, such that a Unicode attack 3 3. Unicode attack is caused by the coexistence of a large number of visual/semantically similar Unicode strings. On the character level, the visually similar Unicode attack is homograph attack. to IRI/IDN could happen. Hence, visually or semantically, certain phishing IRI/IDNs may show high similarity to the real ones. The potential phishing attacks based on this strategy are very likely to happen in the near future with the boosting utilization of IRI/IDN. We invented a method to detect such phishing attack. We constructed a unicode character similarity list (UC-SimList) based on char-char visual and semantic similarities and use a nondeterministic finite automaton (NFA) 4 4. NFA is a finite state machine where for each pair of state and input symbol there may be several possible next states. We can use it to recognize a string of a certain pattern. When the last input symbol is consumed the NFA accepts if and only if there is some set of transitions it could make that will take it to an accepting state. Equivalently, it rejects if no matter what choices it makes it would not end in an accepting state. to identify the potential IRI/IDN-based phishing patterns. We implemented a phishing IRI/IDN pattern generation tool, REGAP, by which phishing IRI/IDN patterns can be generated into regular expressions (RE) for phishing IRI/IDN detection. We also address how such a tool can be applied to investigations.

Chen Haopeng

2008-01-01

Abstract:The complexity and mass-transfer of XML documents of Rich Intemtet Application(RIA)technology become its development obstacle. By improving the transfer mode called asynchronous XML-RPC of traditional RIA,a new transfer framework for RIA is proposed according to the compression and encryption XML.This framework makes the information transfer more efficient and secure.It is also extendable.

Heyan Chai,Shuqiang Yang,Zoe L. Jiang,Xuan Wang,Yiqun Chen,Hengyu Luo

DOI: https://doi.org/10.1007/978-3-030-38991-8_11

2019-01-01

Abstract:With the growth of Information and Communication Technology, data sharing plays a pivotal role in all parts of the Internet. A major issue that needs to be tackled urgently is to protect the ownership of data during the sharing process. Digital watermarking technology is a major solution to ownership protection. Many reversible watermarking approaches are proposed to achieve the function of ownership protection, but most methods can only resist malicious attacks to a certain extent and can not regenerate the complete watermarks in case part of watermarks are destroyed. In this paper, a robust and reversible watermarking technique (RRWEC) applied in relational database has been proposed, which utilizes the Erasure Codes Technique and watermarking in groups. The watermarks embedded into data come from meaningful characters of identification information of a database owner. The grouping method based on clustering, without dependent primary keys, is utilized to group the data, which can resist attacks on the data structure. The erasure code technique is devised to regenerate the complete watermarking information when some sub-watermarks embedded into data are maliciously modified or removed. The results of experiments verify the effectiveness and robustness of RRWEC against malicious attacks, such as data structure attack, subset addition attack, subset alteration and deletion attack, and show that when half of the watermarks are destroyed, the watermark regeneration algorithm can still recover the complete watermarking information.

Xin Zhang,Yifan Zhang

DOI: https://doi.org/10.1016/j.hcc.2022.100073

2022-01-01

High-Confidence Computing

Abstract:The capability of interacting with web content has become increasingly common among mobile apps. While web-app interaction can facilitate many new functionalities and improve app user experience, they also cause various notable security attacks on mobile apps or web content. The root cause is lack of proper access control mechanisms for web-app interactions on mobile OSes. Existing solutions usually adopt either an origin-centric design or a code-centric deign, and suffer from one or several of the following limitations: coarse protection granularity, poor flexibility in terms of access control policy establishment, and incompatibility with existing apps/OSes due to the need of modifying the apps and/or the underlying OS. More importantly, none of the existing works can organically deal with all the five web-app interaction mechanisms. In this paper, we first identify and survey five mechanisms through which web content interacts with mobile apps. We then propose ReACt, a novel Resource-centric Access Control design that can coherently work with all the web-app interaction mechanisms while addressing the above-mentioned limitations. We have implemented a prototype system on Android, and performed extensive evaluation on it. The evaluation results show that our system works well with existing commercial off-the-shelf Android apps and different versions of Android OS, and it can achieve the design goals with small overhead.

Giancarlo Pellegrino,Martin Johns,Simon Koch,Michael Backes,Christian Rossow

DOI: https://doi.org/10.48550/arXiv.1708.08786

2017-08-29

Abstract:Cross-Site Request Forgery (CSRF) vulnerabilities are a severe class of web vulnerabilities that have received only marginal attention from the research and security testing communities. While much effort has been spent on countermeasures and detection of XSS and SQLi, to date, the detection of CSRF vulnerabilities is still performed predominantly manually. In this paper, we present Deemon, to the best of our knowledge the first automated security testing framework to discover CSRF vulnerabilities. Our approach is based on a new modeling paradigm which captures multiple aspects of web applications, including execution traces, data flows, and architecture tiers in a unified, comprehensive property graph. We present the paradigm and show how a concrete model can be built automatically using dynamic traces. Then, using graph traversals, we mine for potentially vulnerable operations. Using the information captured in the model, our approach then automatically creates and conducts security tests, to practically validate the found CSRF issues. We evaluate the effectiveness of Deemon with 10 popular open source web applications. Our experiments uncovered 14 previously unknown CSRF vulnerabilities that can be exploited, for instance, to take over user accounts or entire websites.

Cryptography and Security

ZHAO Guofeng,CHEN Yong,WANG Xinheng

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.03.003

2016-01-01

Abstract:This paper discusses the HTTPS protocol communication process, analyzes the basic principles and methods in detail based on forged certiifcates and man in the middle session hijacking. Then it points out that conventional hijacking method through the backend to manipulate the original data lfow and defects, and puts forward a front-end scripting XSS based on injection of more efifcient and more perfect HTTPS session hijacking method, which can realize the hijacking of the form submission, dynamic elements, the script window, and the page frame. Finally it expounds the priciple and process the Web front-end hijacking, builds a prototype system to validate, and makes a further analysis of the HTTPS communication security risks. According to the present situation, it also puts forward feasible preventive measures.

Daniel Guamán,Franco Guamán,Danilo Jaramillo,Roddy Correa

DOI: https://doi.org/10.1007/978-3-319-31232-3_65

2016-01-01

Abstract:There are recommendations and tools, given by OWASP that suggest basic techniques of prevention and protection of computer attacks over web applications where the common types of attacks are XSS and SQL Injection; for that reasons, we apply recommendations and good practice to minimize this kind of attacks; used some tools to validate automatically attacks and built some expressions to validate manually the intrusions in web applications. Therefore, this study was based on the development of a prototype under REST, design pattern Facade, Java EE and Glassfish [13]. With the development of the prototype it was found that by the use of standards and norms recommend by OWASP the security in terms of overall design and source code in web applications can be greatly improved.

Luca Aceto,Duncan Paul Attard,Adrian Francalanza,Anna Ingólfsdóttir

2024-06-28

Abstract:Reactive software calls for instrumentation methods that uphold the reactive attributes of systems. Runtime verification imposes another demand on the instrumentation, namely that the trace event sequences it reports to monitors are sound -- that is, they reflect actual executions of the system under scrutiny. This paper presents RIARC, a novel decentralised instrumentation algorithm for outline monitors meeting these two demands. The asynchronous setting of reactive software complicates the instrumentation due to potential trace event loss or reordering. RIARC overcomes these challenges using a next-hop IP routing approach to rearrange and report events soundly to monitors. RIARC is validated in two ways. We subject its corresponding implementation to rigorous systematic testing to confirm its correctness. In addition, we assess this implementation via extensive empirical experiments, subjecting it to large realistic workloads to ascertain its reactiveness. Our results show that RIARC optimises its memory and scheduler usage to maintain latency feasible for soft real-time applications. We also compare RIARC to inline and centralised monitoring, revealing that it induces comparable latency to inline monitoring in moderate concurrency settings, where software performs long-running, computationally-intensive tasks, such as in Big Data stream processing.

Software Engineering,Distributed, Parallel, and Cluster Computing

Rui Wu,Ping Chen,Bing Mao,Li Xie

DOI: https://doi.org/10.1109/ARES.2012.11

2012-01-01

Abstract:As a code reuse technique, JIT spraying attack becomes popular on the JITed VM (Virtual Machine) (e.g., Javascript Engine, Flash Engine). Using a bug in web applications, an attacker can reuse the code generated by the JIT (Just-In-Time) compiler, which is used to optimize the performance of web applications. JIT spraying attacks can circumvent DEP and ASLR -- protection mechanisms of modern operating systems. Based on the observation that JIT spraying attack mostly uses the immediate operand of the arithmetic instruction to build a shellcode, we propose RIM, a technique that obfuscates the arithmetic operations in the JITed code and prevents attackers from reusing the native code to construct a malicious code. We implement a prototype on Tamarin flash engine and demonstrate the effectiveness of RIM. Experimental results show that RIM's overhead is very low (less than 1%). And RIM greatly improves the security functionality of JIT compilers.

Marc Rennhard,Malte Kushnir,Olivier Favre,Damiano Esposito,Valentin Zahnd

DOI: https://doi.org/10.1007/s42979-022-01271-1

2022-07-16

SN Computer Science

Abstract:The importance of automated and reproducible security testing of web applications is growing, driven by increasing security requirements, short software development cycles, and constraints with respect to time and budget. Existing automated security testing tools are already well suited to detect some types of vulnerabilities, e.g., SQL injection or cross-site scripting vulnerabilities. However, other vulnerability types are much harder to uncover in an automated way. One important representative of this type are access control vulnerabilities, which are highly relevant in practice as they can grant unauthorized users access to security-critical data or functions in web applications. In this paper, a practical solution to automatically detect HTTP GET request-based access control vulnerabilities in web applications is presented. The solution is based on previously proposed ideas, which are extended with novel approaches to enable completely automated access control testing with minimal configuration effort, which in turn enables frequent and reproducible testing. An evaluation with seven web applications based on different technologies demonstrates the general applicability of the solution and that it can automatically uncover most access control vulnerabilities while keeping the number of false positives low.