Risks induced by Web applications on smart cards

The latest generation of smart cards, with more processing power and memory, can host a web server. This simplifies integrating the card with existing equipment, because clients reach it through standard web protocols instead of card-specific interfaces. It also exposes the card to the existing class of attacks that exploit web application vulnerabilities. In this paper we focus on the most common and dangerous of these, cross-site scripting (XSS), and we propose both preventive measures and a way to check that a card web application has been developed correctly by applying a secure development methodology.
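The following is an added example and not code from the paper: a minimal Python model of a request handler that reflects a query parameter into a page, of the kind an embedded web server might serve, with the vulnerable form beside the hardened one. The request line, the `name` parameter and the page layout are constructed for illustration; the hardening is plain HTML entity encoding chosen for the output context (element content and a quoted attribute), and `reflects_raw_markup` is a hypothetical check of the sort a development-time test could run against responses.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: the "name" parameter carries an XSS payload.
SAMPLE_REQUEST = "GET /hello?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1"


def parse_request(request_line):
    """Return the query parameters of an HTTP request line as single values."""
    _method, target, _version = request_line.split(" ")
    query = urlsplit(target).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_vulnerable(params):
    """Reflected XSS: the parameter is concatenated straight into element content."""
    name = params.get("name", "")
    return "<html><body><h1>Hello " + name + "</h1></body></html>"


def render_hardened(params):
    """Same page with the parameter HTML-encoded for the element-content context."""
    name = params.get("name", "")
    return "<html><body><h1>Hello " + html.escape(name, quote=True) + "</h1></body></html>"


def render_attribute_vulnerable(params):
    """Attribute context: an unencoded quote lets the input break out of value="..."."""
    name = params.get("name", "")
    return '<input name="name" value="' + name + '">'


def render_attribute_hardened(params):
    """Attribute context hardened: quote=True also encodes " and ' so the
    input cannot terminate the attribute and start a new one."""
    name = params.get("name", "")
    return '<input name="name" value="' + html.escape(name, quote=True) + '">'


def reflects_raw_markup(body, raw_input):
    """Hypothetical test-harness check: the response echoes the input verbatim
    and that input contains characters that are significant in HTML."""
    return raw_input in body and any(c in raw_input for c in "<>\"'&")


if __name__ == "__main__":
    params = parse_request(SAMPLE_REQUEST)
    print("vulnerable:", render_vulnerable(params))
    print("hardened:  ", render_hardened(params))
    attr = {"name": '" autofocus onfocus="alert(1)'}
    print("attr vuln: ", render_attribute_vulnerable(attr))
    print("attr hard: ", render_attribute_hardened(attr))
```

The two hardened renderers differ only in which output context the input lands in; the point of the pair is that the encoding must match that context, and that a response-level check like `reflects_raw_markup` catches the vulnerable variants of both without knowing anything about the card's application logic.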
