论文信息 - Web sanitization from malicious code injection attacks

Web sanitization from malicious code injection attacks

We propose a new methodology to sanitize web pages to prevent code injection attacks. One of a common programming error that usually happens in the web application is using of an improper encoding method to sanitize the source code of the web page. Our methodology provides a proper encoding method to the webpages which have an improper encoding of untrusted data, so it can stop and prevent code injection attacks caused by improper encoding of untrusted data from occurring. Our framework is an automatic encoding method to sanitize web browser contains multiple interpreters, such as: JavaScript, CSS, HTML, and URI. In this methodology we also need to detect zero- day attack (XSS vulnerabilities) which may not be detected by detection tools. Our methodology can prevent a many types of code injection vulnerabilities, such as: XSS injection vulnerabilities.

Hussein Alnabulsi | Rafiqul Islam

[1] Miguel Correia,et al. Automatic detection and correction of web application vulnerabilities using data mining to predict false positives , 2014, WWW.

[2] Dawn Xiaodong Song,et al. A Systematic Analysis of XSS Sanitization in Web Application Frameworks , 2011, ESORICS.

[3] V. N. Venkatakrishnan,et al. XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks , 2008, DIMVA.

[4] Prateek Saxena,et al. An Empirical Analysis of XSS Sanitization in Web Application Frameworks , 2011 .

[5] Mazdak Zamani,et al. SQL injection vulnerability general patch using header sanitization , 2014, 2014 International Conference on Computer, Communications, and Control Technology (I4CT).

[6] Bill Chu,et al. Detecting Cross-Site Scripting Vulnerabilities through Automated Unit Testing , 2017, 2017 IEEE International Conference on Software Quality, Reliability and Security (QRS).

[7] Christopher Krügel,et al. Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).