Fig 7 - uploaded by Saoudi Lalia
Content may be subject to copyright.
Context in source publication
Similar publications
SQL injection attacks are critical security vulnerability exploitation in web applications, posing risks to data, if successfully executed, allowing attackers to gain unauthorised access to sensitive data. Due to the absence of a standardised structure, traditional signature-based detection methods face challenges in effectively detecting SQL injec...
Among the various types of software vulnerabilities, command injection is the most common type of threat in web applications. In command injection, SQL injection type of attacks areextremely prevalent, and ranked as the second most common form of attack on web. SQL injection attacks involve the construction of application’s input data that will res...
Citations
... In addition to the computational experiments conducted above, the time taken for each algorithm, including the proposed approach, is also observed. Also, to evaluate the effectiveness of the proposed approach, two algorithms Alg5 [38], and Alg6 [39] have been considered for further evaluation. The performance measurements are shown in Table 2. Table 2 summarizes the performance evaluation of the approaches considered in this study. ...
p> Almost every web-based application is managed and operated through a number of websites, each of which is vulnerable to cyber-attacks that are mounted across the same networks used by the applications, with much less risk to the attacker than physical attacks. Such web-based attacks make use of a range of modern techniques-such as structured query language injection (SQLi), cross-site scripting, and data tampering-to achieve their aims. Among them, SQLi is the most popular and vulnerable attack, which can be performed in one of two ways; either by an outsider of an organization (known as the outside attacker) or by an insider with a good knowledge of the system with proper administrative rights (known as the inside attacker). An inside attacker, in contrast to an outsider, can take down the system easily and pose a significant challenge to any organization, and therefore needs to be identified in advance to mitigate the possible consequences. Blockchain-based technique is an efficient approach to detect and mitigate SQLi attacks and is widely used these days. Thus, in this study, a hybrid method is proposed that combines a SQL query matching technique (SQLMT) and a standard blockchain framework to detect SQLi attacks created by insiders. The results obtained by the proposed hybrid method through computational experiments are further validated using standard web validation tools. </p
... В статье [5] был предложен следующий пример для определения используемой СУБД. Предположим, что у нас есть некий URL-адрес http://www.site.com/show.php?id=6. ...
To facilitate the detection of various vulnerabilities, there are many different tools (scanners) that can help analyze the security of web applications and facilitate the development of their protection. But these tools for the most part can only identify problems, and they are not capable of fixing them. Therefore, the knowledge of the security developer is a key factor in building a secure Web resource. To resolve application security problems, developers must know all the ways and vectors of various attacks in order to be able to develop various protection mechanisms. This review discusses two of the most dangerous vulnerabilities in the field of Web technologies: SQL injections and XSS attacks (cross-site scripting – XSS), as well as specific cases and examples of their application, as well as various approaches to identifying vulnerabilities in applications and threat prevention. Cross-site scripting as well as SQL-injection attacks are related to validating input data. The mechanisms of these attacks are very similar, but in the XSS attacks the user is the victim, and in the SQL injection attacks, the database server of the Web application. In XSS attacks, malicious content is delivered to users by means of a client-side programming language such as JavaScript, while using SQL injection, the SQL database query language is used. At the same time, XSS attacks, unlike SQL injections, harm only the client side leaving the application server operational. Developers should develop security for both server components and the client part of the web application.
... Hence, state pruning algorithms are proposed to prevent state explosion by reducing the size of an abstract model, by distinguishing previously visited states from those newly discovered. Classification of web application states is computed by calculates string distances or tree structures of visited DOM documents, using string distance calculation algorithms such as Levenshtein's algorithm or SimHash [37], [38]. A new state is deemed existed if DOM documents of visited web pages are found different, with a new node is added to the generated abstract model. ...
Automated web application penetration testing has emerged as a trend. The computer was assigned the task of penetrating web application security with penetration testing technique. Relevant computer program reduces time, cost, and resources required for assessing a web application security. At the same time, scaling down tester reliance on human knowledge. Web application security scanner is such kind of program that is designed to assess web application security automatically with penetration testing technique. The downside is that computer is not well-formed as human. Consequently, web application security scanner often found generating the false alarms, especially in a testing environment, which web application source codes are unreachable. Thus, in this paper, the state-of-the-art of black box web application security scanner is systematically reviewed, to investigate the approaches for detecting web application vulnerability in an ambiguous testing environment. This survey is critical in providing insights on how to design efficient algorithms for assessing web application security with penetration testing technique in the ambiguous environment.
... In the meanwhile, [50][51][52][53][54][55][56][57][58][59][60]"s experimental results showed leveraging of searchbased testing technique, mutation testing technique, and genetic algorithm are effective in improving the attack coverage. Moreover, anomaly detection and information flow analysis by [8,9,27,28,31], and [61][62][63][64][65][66][67][68][69][70][71][72][73][74][75][76][77][78][79] are proven effective in detecting the web application vulnerability in either black box or white box testing environment. Besides this, the developed prototypes are validated in [5,20,25,29], and [80− 99]. ...
The web application security scanner is a computer program that assessed web application security with penetration testing technique. The benefit of automated web application penetration testing is huge, which web application security scanner not only reduced the time, cost, and resource required for web application penetration testing but also eliminate test engineer reliance on human knowledge. Nevertheless, web application security scanners are possessing weaknesses of low test coverage, and the scanners are generating inaccurate test results. Consequently, experimentations are frequently held to quantitatively quantify web application security scanner's quality to investigate the web application security scanner's strengths and limitations. However, there is a discovery that neither a standard methodology nor criterion is available for quantifying the web application security scanner's quality. Hence, in this paper systematic review is conducted and analysed the methodology and criterion used for quantifying web application security scanners' quality. In this survey, the experiment methodologies and criterions that had been used to quantify web application security scanner's quality is classified and review using the preferred reporting items for systematic reviews and meta-analyses (PRISMA) protocol. The objectives are to provide practitioners with the understanding of methodologies and criterions that available for measuring web application security scanners' test coverage, attack coverage, and vulnerability detection rate, while provides the critical hint for development of the next testing framework, model, methodology, or criterions, to measure web application security scanner quality.
... Their claim for the other tools, they detect less than 85% of the vulnerabilities but their tool finds all of it. Lounis et al. [10] propose a method that was built in a perception to enhance the logic reflected in modeling WASAPY [11] which web vulnerability scanner tool. They claim that their proposed method can precisely identify successful injection requests that the WASAPY approach cannot detect. ...
Penetration testing plays an important role in the development of secure software products and electronic systems. Sustainability of commercial systems is ensured through the regular scans of vulnerability. In this era where quality assurance and testing organizations become increasingly widespread, the effectiveness of the used tools and methods are critical. This article describes the architecture of the software named VinJect, which is developed for efficient penetration testing and vulnerability scanning. The primary goal of this application is to detect vulnerable locations in a shorter time with running in a multi-threaded structure. Our proposed application uses Wapiti and SQLmap applications' services in the background. With user-friendly interfaces, it is also aimed to remove the bad user experience (UX) that these applications running on the command line have. In the tests we performed, WinJect was found to be more efficient in completing the vulnerability scans in a much shorter time.
... There are many different studies to ensure security of information systems. It is aimed to provide security through these studies which can be achieved in both hardware and software [1][2][3][4][5][6][7]. The security software used for this purpose is very important for the protection of systems belong to individuals and institutions. ...
The importance of information security systems is increasing in parallel with the rapid developments in information technology. The development of new technologies brings new security weaknesses in corporate and personal meaning can lead to unavoidable losses. For this reason, much researchers have been performed in order to ensure the security of information systems. In today's world, the concept of information has been moved to the digital size from conventional size. Protection of the data stored in the digital archive and is easy accessibility at any time have become a quite important phenomenon. In this concept, intrusion detection and prevention systems as security tools are widely used today. In this paper, a hybrid real-time intrusion and prevention system approach has been proposed for web application security. The proposed system uses rule-based misuse detection and anomaly detection as intrusion detection methods and uses network packets as the data source. The system is real-time with accordance to data process time, centralized with accordance to architecture, and server-based with accordance to system it protects. The developed system has been tested on the current web attacks determined by OWASP (The Open Web Application Security Project) and provides a very high success rate.
Güvenilir
yazılım ürünleri ve elektronik sistemlerin geliştirilmesinde sızma testi önemli
rol oynamaktadır. Zaafiyet taramalarının düzenli olarak yapılması sayesinde, ticari
sistemlerin sürdürülebilirliği sağlanmaktadır. Kalite güvence ve test firmalarının
günümüzde yaygınlıklarını arttırdıkları bu dönemde, kullanılan araç ve yöntemlerin etkinlikleri
çok kritiktir. Bu makalede etkin bir sızma testi ve güvenlik açığı taraması
için geliştirilmiş VinJect ismindeki yazılımın mimarisi anlatılmaktadır. Amaç, çok
işparçacıklı yapıda çalışan bu uygulama ile zaafiyet barındıran yerlerin
tespitinin daha kısa sürede yapılmasıdır. Önerdiğimiz uygulama, arka planında
Wapiti ve SQLmap uygulamalarına ait servisleri kullanmaktadır. Kullanıcı dostu
arayüzler ile çoğunlukla komut satırında çalışşan uygulamaların verdiği olumsuz
kullanıcı tecrübesinin ortadan kaldırılması hedeflenmiştir. Yaptığımız
testlerde, WinJect'in daha etkin bir kullanım sunduğu ve zaafiyet taramaları
çok daha kısa sürede tamamladığı görüldü.
