oalib
All listed articles are free for downloading (OA Articles)
Protection of Web Applications from Cross-Site Scripting Attacks in Browser Side  [PDF]
K. Selvamani, A. Duraisamy, A. Kannan
Computer Science, 2010
Abstract: Cross Site Scripting (XSS) flaws are currently the most popular security problems in modern web applications. These flaws make use of vulnerabilities in the code of web applications, resulting in serious consequences, such as theft of cookies, passwords and other personal credentials. Cross-site scripting flaws occur when accessing information in intermediate trusted sites. The client-side solution acts as a web proxy to mitigate cross-site scripting flaws, using manually generated rules to mitigate cross-site scripting attempts. The client-side solution effectively protects against information leakage from the user's environment. Cross-site scripting flaws are easy to execute, but difficult to detect and prevent. This paper provides a client-side solution to mitigate cross-site scripting flaws. The existing client-side solutions degrade the performance of the client's system, resulting in a poor web surfing experience. This project provides a client-side solution that uses a step-by-step approach to protect against cross-site scripting without degrading the user's web browsing experience much.
SPRESSO: A Secure, Privacy-Respecting Single Sign-On System for the Web  [PDF]
Daniel Fett, Ralf Kuesters, Guido Schmitz
Computer Science, 2015
Abstract: Single sign-on (SSO) systems, such as OpenID and OAuth, allow web sites, so-called relying parties (RPs), to delegate user authentication to identity providers (IdPs), such as Facebook or Google. These systems are very popular, as they provide a convenient means for users to log in at RPs and move much of the burden of user authentication from RPs to IdPs. There is, however, a downside to current systems, as they do not respect users' privacy: IdPs learn at which RP a user logs in. With one exception, namely Mozilla's BrowserID system (a.k.a. Mozilla Persona), current SSO systems were not even designed with user privacy in mind. Unfortunately, recently discovered attacks, which exploit design flaws of BrowserID, show that BrowserID does not provide user privacy either. In this paper, we therefore propose the first privacy-respecting SSO system for the web, called SPRESSO (for Secure Privacy-REspecting Single Sign-On). The system is easy to use, decentralized, and platform independent. It is based solely on standard HTML5 and web features and uses no browser extensions, plug-ins, or other executables. Existing SSO systems and the numerous attacks on such systems illustrate that the design of secure SSO systems is highly non-trivial. We therefore also carry out a formal analysis of SPRESSO based on an expressive model of the web in order to formally prove that SPRESSO enjoys strong authentication and privacy properties.
Analyzing the BrowserID SSO System with Primary Identity Providers Using an Expressive Model of the Web  [PDF]
Daniel Fett, Ralf Küsters, Guido Schmitz
Computer Science, 2014
Abstract: BrowserID is a complex, real-world Single Sign-On (SSO) System for web applications recently developed by Mozilla. It employs new HTML5 features (such as web messaging and web storage) and cryptographic assertions to provide decentralized login, with the intent to respect users' privacy. It can operate in a primary and a secondary identity provider mode. While in the primary mode BrowserID runs with arbitrary identity providers (IdPs), in the secondary mode there is one IdP only, namely Mozilla's default IdP. We recently proposed an expressive general model for the web infrastructure and, based on this web model, analyzed the security of the secondary IdP mode of BrowserID. The analysis revealed several severe vulnerabilities. In this paper, we complement our prior work by analyzing the even more complex primary IdP mode of BrowserID. We do not only study authentication properties as before, but also privacy properties. During our analysis we discovered new and practical attacks that do not apply to the secondary mode: an identity injection attack, which violates a central authentication property of SSO systems, and attacks that break an important privacy promise of BrowserID and which do not seem to be fixable without a major redesign of the system. Some of our attacks on privacy make use of a browser side channel that has not gained a lot of attention so far. For the authentication bug, we propose a fix and formally prove in a slight extension of our general web model that the fixed system satisfies all the requirements we consider. This constitutes the most complex formal analysis of a web application based on an expressive model of the web infrastructure so far. As another contribution, we identify and prove important security properties of generic web features in the extended web model to facilitate future analysis efforts of web standards and web applications.
Implementing a Web Browser with Phishing Detection Techniques  [cached]
Aanchal Jain, Vineet Richariya
World of Computer Science and Information Technology Journal, 2011
Abstract: Phishing is the combination of social engineering and technical exploits designed to convince a victim to provide personal information, usually for the monetary gain of the attacker. Phishing has become the most popular practice among the criminals of the Web. Phishing attacks are becoming more frequent and sophisticated. The impact of phishing is drastic and significant since it can involve the risk of identity theft and financial losses. Phishing scams have become a problem for online banking and e-commerce users. In this paper we propose a novel approach to detect phishing attacks. We implemented a prototype web browser which can be used as an agent and processes each arriving email for phishing attacks. Using email data collected over a period of time, we demonstrate that our approach is able to detect more phishing attacks than existing schemes.
Implementing a Web Browser with Phishing Detection Techniques  [PDF]
Aanchal Jain, Vineet Richariya
Computer Science, 2011
A Holistic Approach to Securing Web Applications  [PDF]
Srdjan Stankovic, Dejan Simic
Computer Science, 2010
Abstract: Protection of Web applications is an activity that requires constant monitoring of security threats as well as looking for solutions in this field. Since protection has moved from the lower layers of the OSI model to the application layer, and having in mind the fact that 75% of all attacks are performed at the application layer, special attention should be paid to the application layer. It is possible to improve protection of Web applications on the level of the system architecture by introducing new components which will realize protection on the higher layers of the OSI model. This paper deals with Intrusion Detection Systems, Intrusion Prevention Systems and Web Application Firewalls, and gives a holistic approach to securing Web applications using the aforementioned components.
MITIGATING MAN-IN-THE-BROWSER ATTACKS WITH HARDWARE-BASED AUTHENTICATION SCHEME  [PDF]
Fazli Bin Mat Nor, Kamarularifin Abd Jalil, Jamalul-lail Ab Manan
International Journal of Cyber-Security and Digital Forensics, 2012
Abstract: Lack of security awareness amongst end users when dealing with online banking and electronic commerce leaves many client-side application vulnerabilities open. Thus, this enables attackers to exploit the vulnerabilities and launch client-side attacks such as the man-in-the-browser attack. The attack is designed to manipulate sensitive information via the client's application, such as an internet browser, by taking advantage of the browser's extension vulnerabilities. This attack exists due to the lack of preventive measures to detect any malicious changes on the client-side platform. Therefore, in this paper we propose an enhanced remote authentication protocol with hardware-based attestation and pseudonym identity enhancement to mitigate man-in-the-browser attacks as well as improving user identity privacy.
INTERNET: WEB BROWSER  [cached]
Zainul Bakri, Puti Sari Hidayaningsih
Media of Health Research and Development, 2012
Abstract: A Web browser is a tool that lets users navigate the Internet environment, whether in the form of text (hypertext) or images, sound or video (hypermedia), arranged systematically in a Web. Such documents/texts often consist of several pages, or even just 1 page, and are connected to other documents through certain markers (hyperlinks, which usually take the form of letters in a different colour that are brighter or 'highlighted'). Users interested in finding information, from the world of entertainment to science, simply point and click the mouse button on that part within the Web browser, so that the display moves from one document to another.
Composition Attacks and Auxiliary Information in Data Privacy  [PDF]
Srivatsava Ranjit Ganta, Shiva Prasad Kasiviswanathan, Adam Smith
Computer Science, 2008
Abstract: Privacy is an increasingly important aspect of data publishing. Reasoning about privacy, however, is fraught with pitfalls. One of the most significant is the auxiliary information (also called external knowledge, background knowledge, or side information) that an adversary gleans from other channels such as the web, public records, or domain knowledge. This paper explores how one can reason about privacy in the face of rich, realistic sources of auxiliary information. Specifically, we investigate the effectiveness of current anonymization schemes in preserving privacy when multiple organizations independently release anonymized data about overlapping populations. 1. We investigate composition attacks, in which an adversary uses independent anonymized releases to breach privacy. We explain why recently proposed models of limited auxiliary information fail to capture composition attacks. Our experiments demonstrate that even a simple instance of a composition attack can breach privacy in practice, for a large class of currently proposed techniques. The class includes k-anonymity and several recent variants. 2. On a more positive note, certain randomization-based notions of privacy (such as differential privacy) provably resist composition attacks and, in fact, the use of arbitrary side information. This resistance enables stand-alone design of anonymization schemes, without the need for explicitly keeping track of other releases. We provide a precise formulation of this property, and prove that an important class of relaxations of differential privacy also satisfy the property. This significantly enlarges the class of protocols known to enable modular design.
Techniques for Securing Web Content  [cached]
Cristian Ursu
Journal of Mobile, Embedded and Distributed Systems, 2012
Abstract: This paper analyzes the dangers to which web content is exposed, demonstrates how data from the Internet can be gathered and used to obtain profit, how an application can stealthily make use of complicated processing without implementing it, and how a website can be cloned in real time. For the considered attacks and vulnerabilities I present, explain, group and evaluate the existing solutions to secure content and, last but not least, I suggest a new solution: a library for link encryption.
Copyright © 2008-2017 Open Access Library. All rights reserved.