A Secure Framework for Communication and Data Processing in Web Applications †
Abstract
1. Introduction
2. Literature Review
3. The Common Attacks on the Web Applications
3.1. Threat Modelling
- Application Overview:
- Threats:
3.2. Injection Attacks
3.3. Broken Authentication
3.4. Broken Access Control
3.5. Cross Site Scripting (XSS)
4. The Proposed Framework for Web Security
4.1. JS Module
4.2. PHP Module
Listing 1. Policy enforced under the framework.
- Enable SSL/TLS for the site and ensure HTTPS access alone.
- Add HSTS for additional enforcement of the transport security layer.
- Allow content from the same domain alone by ensuring Access-Control-Allow-Origin: https://mydomain
- Allow only the required methods on the site (POST is the most recommended): Access-Control-Allow-Methods: POST
- Configure the referrer policy: Referrer-Policy: no-referrer
- Configure embedded objects and iframes to access the same domain only, or deny framing entirely: X-Frame-Options: DENY (or SAMEORIGIN)
- Configure directory browsing restrictions and proper redirects for HTTP error pages.
- Configure URL management.
- Apply data sanitization.
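The header part of Listing 1 can be verified mechanically. The following checker is an added example and is not the paper's own code or part of its PHP/JS modules: it takes a URL and the response headers as a dictionary and reports every deviation from the policy (HTTPS only, HSTS present with an adequate max-age, the CORS origin pinned to https://mydomain, only POST allowed, Referrer-Policy no-referrer, X-Frame-Options DENY or SAMEORIGIN). The one-year HSTS minimum is an assumption of this example, not a value from the listing, and the two sample responses are constructed for illustration.

```python
"""Check HTTP response headers against the header policy of Listing 1.

Added example, not the framework's code. Policy values come from the listing;
MIN_HSTS_MAX_AGE is an assumption of this example; the sample responses are constructed.
"""
from typing import Dict, List

ALLOWED_ORIGIN = "https://mydomain"          # Listing 1: same-domain origin only
REQUIRED_METHODS = {"POST"}                  # Listing 1: only the required method(s)
ALLOWED_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}
MIN_HSTS_MAX_AGE = 31536000                  # assumption: one year is a common baseline


def _norm(headers: Dict[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive; normalise before lookup
    return {k.strip().lower(): v.strip() for k, v in headers.items()}


def parse_hsts_max_age(value: str) -> int:
    """Return the max-age directive of a Strict-Transport-Security value, or -1 if absent or malformed."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def check_policy(url: str, headers: Dict[str, str]) -> List[str]:
    """Return the list of policy violations; an empty list means the response conforms."""
    h = _norm(headers)
    findings: List[str] = []

    if not url.lower().startswith("https://"):
        findings.append("site not served over HTTPS")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security (HSTS)")
    elif parse_hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age below the required minimum")

    acao = h.get("access-control-allow-origin")
    if acao is None:
        findings.append("missing Access-Control-Allow-Origin")
    elif acao != ALLOWED_ORIGIN:          # also rejects the wildcard "*"
        findings.append(f"Access-Control-Allow-Origin is {acao!r}, expected {ALLOWED_ORIGIN!r}")

    acam = h.get("access-control-allow-methods")
    if acam is None:
        findings.append("missing Access-Control-Allow-Methods")
    else:
        methods = {m.strip().upper() for m in acam.split(",") if m.strip()}
        extra = methods - REQUIRED_METHODS
        if extra:
            findings.append("Access-Control-Allow-Methods permits extra methods: " + ", ".join(sorted(extra)))

    if h.get("referrer-policy", "").lower() != "no-referrer":
        findings.append("Referrer-Policy is not no-referrer")

    if h.get("x-frame-options", "").upper() not in ALLOWED_FRAME_OPTIONS:
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")

    return findings


# Constructed sample responses (not captured from any real site)
COMPLIANT_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Access-Control-Allow-Origin": "https://mydomain",
    "Access-Control-Allow-Methods": "POST",
    "Referrer-Policy": "no-referrer",
    "X-Frame-Options": "DENY",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "GET, POST, PUT",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for name, url, hdrs in (("compliant", "https://mydomain/login", COMPLIANT_HEADERS),
                            ("weak", "http://mydomain/login", WEAK_HEADERS)):
        issues = check_policy(url, hdrs)
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

The checker deliberately treats a missing header the same way as a wrong value, since the policy in Listing 1 requires each header to be present; a deployment check would feed it the headers returned by the site's own response rather than the constructed dictionaries above.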
5. Results and Discussion
6. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Acknowledgments
Conflicts of Interest
Users | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Data Protection | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Broken Authentication | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Broken Access Control | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
SQL Injection | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
XSS | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Sudarsanan Nair, S.; Mariappan, K. A Secure Framework for Communication and Data Processing in Web Applications. Eng. Proc. 2023, 59, 1. https://doi.org/10.3390/engproc2023059001
Sudarsanan Nair S, Mariappan K. A Secure Framework for Communication and Data Processing in Web Applications. Engineering Proceedings. 2023; 59(1):1. https://doi.org/10.3390/engproc2023059001
Chicago/Turabian Style: Sudarsanan Nair, Suprakash, and Karuppasamy Mariappan. 2023. "A Secure Framework for Communication and Data Processing in Web Applications" Engineering Proceedings 59, no. 1: 1. https://doi.org/10.3390/engproc2023059001